Sophos XG Firewall Web Interface Reference and Admin Guide v16.5



Sophos XG Firewall v 15.01.0 – Release Notes

Sophos XG Firewall

Web Interface Reference and Admin Guide v16.5

For Sophos Customers

Document Date:

July 2017

| Contents | ii

Contents

What's New in this Release..................................................................................... 7

Introduction............................................................................................................... 9

Flavors...................................................................................................................................................................9

Administrative Interfaces......................................................................................................................................9

Administrative Access........................................................................................................................................ 10

Using Admin Console.............................................................................................10

Supported Browsers............................................................................................................................................12

Menus.................................................................................................................................................................. 12

Pages....................................................................................................................................................................13

List Navigation Controls.................................................................................................................................... 14

Monitor and Analyze..............................................................................................14

Control Center.....................................................................................................................................................14

Current Activities................................................................................................................................................21

Live Users............................................................................................................................................... 21

Live Connections.................................................................................................................................... 22

Live Connections IPv6........................................................................................................................... 24

View Live Connection Details............................................................................................................... 26

IPsec Connections...................................................................................................................................30

Remote Users..........................................................................................................................................30

Diagnostics.......................................................................................................................................................... 30

Tools........................................................................................................................................................ 31

System Graphs........................................................................................................................................ 34

URL Category Lookup........................................................................................................................... 39

Packet Capture........................................................................................................................................ 40

Connection List.......................................................................................................................................45

Support Access........................................................................................................................................49

Protect...................................................................................................................... 50

Firewall................................................................................................................................................................50

User / Network Rule...............................................................................................................................52

Business Application Rule......................................................................................................................64

Intrusion Prevention..........................................................................................................................................119

DoS Attacks.......................................................................................................................................... 119

IPS Policies........................................................................................................................................... 120

Custom IPS Signatures......................................................................................................................... 125

DoS & Spoof Prevention......................................................................................................................126

Web....................................................................................................................................................................136

Policies.................................................................................................................................................. 136

User Activities...................................................................................................................................... 139

Categories..............................................................................................................................................140

URL Groups..........................................................................................................................................142

Exceptions............................................................................................................................................. 142


Protection...............................................................................................................................................143

Advanced...............................................................................................................................................145

File Types..............................................................................................................................................146

Surfing Quotas...................................................................................................................................... 146

User Notifications................................................................................................................................. 149

Applications.......................................................................................................................................................149

Application List.................................................................................................................................... 149

Application Filter..................................................................................................................................150

Traffic Shaping Default........................................................................................................................ 153

Wireless............................................................................................................................................................. 154

Wireless Client List.............................................................................................................................. 154

Wireless Networks................................................................................................................................ 154

Access Point Overview.........................................................................................................................158

Access Point Groups.............................................................................................................................164

Mesh Networks..................................................................................................................................... 165

Hotspots.................................................................................................................................................168

Hotspot Voucher Definition..................................................................................................................177

Rogue AP Scan.....................................................................................................................................178

Wireless Settings...................................................................................................................................180

Hotspot Settings....................................................................................................................................181

Email................................................................................................................................................................. 182

MTA Mode............................................................................................................................................183

Legacy Mode........................................................................................................................................ 209

Web Server........................................................................................................................................................236

Web Servers.......................................................................................................................................... 236

Protection Policies................................................................................................................................ 238

Authentication Policies......................................................................................................................... 242

Authentication Templates..................................................................................................................... 244

SlowHTTP Protection...........................................................................................................................245

Advanced Threat...............................................................................................................................................246

Advanced Threat Protection................................................................................................................. 246

Security Heartbeat.................................................................................................................................247

Sandstorm Activity............................................................................................................................... 249

Sandstorm Settings................................................................................................................................250

Configure................................................................................................................250

VPN...................................................................................................................................................................250

IPsec Connections.................................................................................................................................251

SSL VPN (Remote Access)..................................................................................................................273

SSL VPN (Site to Site)........................................................................................................................ 275

CISCO™ VPN Client.......................................................................................................................... 278

L2TP (Remote Access).........................................................................................................................281

Clientless Access.................................................................................................................................. 285

Bookmarks.............................................................................................................................................285

Bookmark Groups.................................................................................................................................287

PPTP (Remote Access).........................................................................................................................287

IPsec Profiles....................................................................................................................................... 289

SSL VPN...............................................................................................................................................295

L2TP......................................................................................................................................................298

Network.............................................................................................................................................................299

Interfaces............................................................................................................................................... 299

Zones..................................................................................................................................................... 328

WAN Link Manager............................................................................................................................. 331

DNS.......................................................................................................................................................337

DHCP.................................................................................................................................................... 341


IPv6 Router Advertisement.................................................................................................................. 348

Cellular WAN........................................................................................................................................351

IP Tunnels............................................................................................................................................. 353

Neighbors (ARP-NDP)......................................................................................................................... 355

Dynamic DNS.......................................................................................................................................358

Routing.............................................................................................................................................................. 360

Static Routing........................................................................................................................................361

Policy Routing...................................................................................................................................... 364

Gateways............................................................................................................................................... 366

BGP....................................................................................................................................................... 368

OSPF..................................................................................................................................................... 369

Information............................................................................................................................................374

Upstream Proxy.................................................................................................................................... 387

Multicast (PIM-SIM)............................................................................................................................ 389

RIP.........................................................................................................................................................391

Authentication................................................................................................................................................... 394

Servers...................................................................................................................................................395

Services................................................................................................................................................. 404

Groups................................................................................................................................................... 412

Users......................................................................................................................................................416

One-Time Password..............................................................................................................................423

Captive Portal........................................................................................................................................426

Guest Users........................................................................................................................................... 429

Clientless Users.....................................................................................................................................435

Guest User Settings.............................................................................................................................. 438

Client Downloads..................................................................................................................................443

STAS..................................................................................................................................................... 444

System Services................................................................................................................................................ 445

High Availability...................................................................................................................................446

Traffic Shaping Settings....................................................................................................................... 453

RED.......................................................................................................................................................454

Log Settings.......................................................................................................................................... 456

Data Anonymization............................................................................................................................. 462

Traffic Shaping......................................................................................................................................465

Services................................................................................................................................................. 469

System.....................................................................................................................470

Profiles...............................................................................................................................................................470

Schedule................................................................................................................................................ 471

Access Time..........................................................................................................................................473

Surfing Quotas...................................................................................................................................... 475

Network Traffic Quota..........................................................................................................................478

Network Address Translation............................................................................................................... 482

Device Access.......................................................................................................................................482

Hosts and Services............................................................................................................................................484

IP Host.................................................................................................................................................. 485

IP Host Group.......................................................................................................................................486

MAC Host.............................................................................................................................................487

FQDN Host........................................................................................................................................... 488

FQDN Host Group............................................................................................................................... 489

Country Group...................................................................................................................................... 489

Services................................................................................................................................................. 490

Service Group....................................................................................................................................... 491

Administration...................................................................................................................................................492

Licensing............................................................................................................................................... 493


Device Access.......................................................................................................................................494

Admin Settings......................................................................................................................................497

Central Management.............................................................................................................................500

Time.......................................................................................................................................................501

Notification Settings............................................................................................................................. 501

Netflow..................................................................................................................................................503

Messages............................................................................................................................................... 503

SNMP.................................................................................................................................................... 504

Backup & Firmware......................................................................................................................................... 506

Backup & Firmware............................................................................................................................. 506

API.........................................................................................................................................................507

Import Export........................................................................................................................................509

Firmware............................................................................................................................................... 510

Pattern Updates..................................................................................................................................... 512

Certificates.........................................................................................................................................................514

Certificates.............................................................................................................................................514

Certificate Authorities...........................................................................................................................516

Certificate Revocation Lists................................................................................................................. 517

Appendix A - Logs................................................................................................518

Log Viewer........................................................................................................................................................518

View List of System Events.................................................................................................................519

View List of Web Filter Events........................................................................................................... 520

View List of Application Filter Events................................................................................................ 521

View List of Malware Events.............................................................................................................. 522

View List of Email Events................................................................................................................... 523

View List of Firewall Events............................................................................................................... 524

View List of IPS Events.......................................................................................................................525

View List of Authentication Events..................................................................................................... 526

View List of Admin Events..................................................................................................................527

View List of Web Server Protection (WAF) Events............................................................................ 527

View List of Advanced Threat Protection Events................................................................................528

View List of Security Heartbeat Events...............................................................................................529

Log ID Structure...............................................................................................................................................530

Log Type............................................................................................................................................... 530

Log Component.................................................................................................................................... 531

Log Subtype..........................................................................................................................................533

Priority...................................................................................................................................................534

Common Fields for all Logs............................................................................................................................ 534

System Logs......................................................................................................................................................535

Web Filter Logs................................................................................................................................................ 544

Module-specific Fields..........................................................................................................................545

Application Filter Logs.....................................................................................................................................545

Module-specific Fields..........................................................................................................................546

Malware Logs................................................................................................................................................... 547

Module-specific Fields..........................................................................................................................547

Email Logs........................................................................................................................................................549

Module-specific Fields..........................................................................................................................550

Firewall Rule Logs........................................................................................................................................... 551

Module-specific Fields..........................................................................................................................552

IPS Logs............................................................................................................................................................554

Module-specific Fields..........................................................................................................................555

Authentication Logs..........................................................................................................................................557

Module-specific Fields..........................................................................................................................558

Admin Logs...................................................................................................................................................... 558

Module-specific Fields..........................................................................................................................559

Sandbox Report Logs....................................................................................................................................... 559

Web Application Firewall (WAF) Logs........................................................................................................... 560

Advanced Threat Protection (ATP) Logs.........................................................................................................561

Heartbeat Logs..................................................................................................................................................561

System Health Logs..........................................................................................................................................562

Appendix B - IPS - Custom Pattern Syntax...................................................... 562

Appendix C - Default File Type Categories.......................................................569

Appendix D - Supported Micro-Apps................................................................ 573

Appendix E - USB Compatibility List................................................................576

Appendix F - Compatibility with SFMOS 15.01.0............................................ 626

Appendix G - Additional Documents................................................................. 627

Copyright Notice...................................................................................................627


What's New in this Release

Changes for v16.5 MR6

• Editorial changes on Add Web Server Protection (WAF) Rule on page 65.

• Editorial changes on Create a New IPsec Policy on page 291.

• Removed all the help pages of Connectwise.

• Updated NAT policy to incorporate feedback.

Changes for v16.5 MR4

• Added new link for How-To Guides on Pages on page 13.

• Updated valid values for the following on Configure IPv6 Router Advertisement settings on page 348:

  • Valid Life Time

  • Preferred Life Time

• Editorial changes on the following pages: Wireless Client List, Wireless Networks, Access Point Overview, Edit Access Point, Add Access Point Group, Add Mesh Network, Rogue AP Scan

Changes for v16.5 MR3

Editorial changes on the following pages:

• Messages

• Add SSL VPN Remote Access Policy on page 273

• Admin Settings on page 497

Under the Email section, updated the following labels for Policies > Add Policy:

MTA Mode

• Add SMTP Policy to SMTP Route & Scan

• Add POP-IMAP Scanning Policy to POP-IMAP Scan

Legacy Mode

• Add SMTP Malware Scanning Policy to SMTP Malware Scan

• Add SMTP Scanning Policy to SMTP Spam Scan

• Add POP-IMAP Scanning Policy to POP-IMAP Scan


Changes for v16.5 MR2

Editorial changes on the following pages:

• Add RED on page 320: Added link to supported RED 3G/4G/LTE USB dongle list

• all the Certificate, Certificate Authority and Certificate Revocation List pages

• replaced word "Navigate" with "Go" in navigation path on all the pages

• Licensing on page 493

• Device Access on page 494

• Add Local Service ACL Exception Rule on page 496

• Add IP Host on page 485

• MAC Host on page 487

• FQDN Host Group on page 489

Removed the following pages:

• Common Operation

• Tool Tips

• Notification pop-ups

Changes for v16.5 MR1

Editorial changes on the following pages:

• Time on page 501

• SNMP on page 504

• Central Management on page 500

• Administration on page 492

• Netflow on page 503

Changes for v16.5

• Added Sandstorm to provide enhanced protection against malware. View threat-detection activity on the Sandstorm Activity page. Specify settings on the Sandstorm Settings page.

• Added Sandstorm protection to firewall rules. See Add User/Network Rule (IPv4) and Add User/Network Rule (IPv6).

• Added Sandstorm protection to email policies. See Add SMTP Policy.

• Updated existing web protection exceptions that skip malware scanning to also skip Sandstorm analysis. See Exceptions.

• Added a new report, Sandstorm, which provides insight into enhanced protection against advanced and targeted attacks. It includes the following reports:

  • Policy and Content - Sandstorm Usage

  • Sandstorm Web Category

  • Sandstorm Web Users

  • Policy and Content - Sandstorm Mail Usage

  • Sandstorm Mail Category

  • Sandstorm Mail Senders

• Added Sandstorm as filter criteria for the SMTP Quarantine, Mail Spool and Mail Logs pages.

• Added a new section for the details that are displayed on hovering the mouse over certain objects on Firewall on page 50.

• Removed option 30 Day Full Guard Trial from Licensing on page 493.

• Added option Migrate UTM 9 License on Licensing on page 493.

• Added feature description to force TLS 1.2 usage. See Force TLS 1.2 on page 456.

Introduction

Sophos XG Firewall provides unprecedented visibility into your network, users, and applications directly from the all-new control center. You also get rich on-box reporting and the option to add Sophos iView for centralized reporting across multiple firewalls.

Click here to view the list of all features supported by Sophos XG Firewall.

Flavors

This section provides information about the different flavors available for Sophos XG Firewall.

Sophos XG Firewall is available in the following flavors:

• Physical Devices

• Virtual Devices

• Software

Physical Devices

Sophos provides a range of physical devices to cater to the needs of businesses of all sizes, from home users and small businesses to enterprises.

Virtual Devices

Virtual Network Security devices can be deployed as Next-Generation Firewalls or UTMs and offer industry-leading network security to virtual data-centers, "Security-in-a-Box" set-ups for MSSPs/organizations, and "Office-in-a-Box" set-ups. By offering the comprehensive security features available in its hardware security devices in virtualized form, these virtual devices offer Layer 8 Identity-based security on a single virtual device, which is as strong as the security for physical networks.

Sophos offers a complete virtual security solution to organizations with its virtual network security devices (Next-Generation Firewalls/UTMs), virtual Sophos Firewall Manager (SFM) for centralized management, and Sophos iView software for centralized logging and reporting.

Administrative Interfaces

The device can be accessed and administered through:

Admin Console: Admin Console is a web-based application that an Administrator can use to configure, monitor, and manage the Device.

Command Line Interface: The Command Line Interface (CLI) console provides a collection of tools to administer, monitor, and control certain component(s) of the device.

Sophos Firewall Manager (SFM): Distributed Sophos devices can be centrally managed using a single Sophos Firewall Manager (SFM) Device.


Administrative Access

This section provides information on how to access the Device.

An administrator can connect to and access the device through the HTTPS, telnet, or SSH services. Depending on the Administrator login account profile used for access, an administrator can access a number of Administrative Interfaces and Admin Console configuration pages.

The device is shipped with one administrator account and four administrator profiles.

Administrator Type: Super Administrator

Login Credentials: admin/admin

Console Access: Admin console, CLI console

Privileges: Full privileges for both the consoles. It provides read-write permission for all the configuration performed through either of the consoles.

Note: We recommend that you change the password of the user immediately on deployment.

Admin Console

Admin Console is a web-based application that an Administrator can use to configure, monitor, and manage the Device.

You can connect to and access the Admin Console of the device over an HTTPS connection from any management computer using a web browser:

1. HTTPS login: https://<LAN IP Address of the device>

For more details, refer to the section Admin Console.

Command Line Interface (CLI) Console

The CLI console provides a collection of tools to administer, monitor, and control certain component(s) of the device. The device can be accessed remotely using the following connections:

1. Remote login Utility – TELNET login

2. SSH Client (Serial Console)

Use the CLI console for troubleshooting and diagnosing network problems in detail.

Sophos Firewall Manager (SFM)

Distributed Sophos devices can be centrally managed using a single Sophos Firewall Manager (SFM) Device, enabling high levels of security for MSSPs and large enterprises. To monitor and manage devices through the SFM device you must:

1. Configure SFM on the Sophos device.

2. Integrate the Sophos device with SFM.

Once you have added the Devices and organized them into groups, you can configure a single device or groups of devices.

Using Admin Console

Sophos Firewall OS uses a Web 2.0 based, easy-to-use graphical interface termed the Admin Console to configure and manage the device.

You can access the device for HTTPS web browser-based administration from any of the interfaces. When the device is connected and powered up for the first time, it has the following default Admin Console Access configuration for the HTTPS service:

Service: HTTPS

Interface/Zones: WAN

Default Port: TCP Port 4444

The administrator can update the default ports for the HTTPS service from System > Administration > Admin Settings.

Admin Console Language

The Admin Console supports multiple languages, but by default appears in English. Apart from English, Chinese-Simplified, Chinese-Traditional, Hindi, French, German, Italian, Korean and Brazilian Portuguese are also supported. The Administrator can choose the preferred language at the time of logging on.

Listed elements of Admin Console are displayed in the configured language:

• Control Center contents

• Navigation menu

• Screen elements including field & button labels and tips

• Error messages

Administrator can also specify description for various policies, services, and various custom categories in any of the supported languages.

All the configurations done from the Admin Console take effect immediately. To assist you in configuring the device, the device includes detailed context-sensitive online help.

Log on procedure

The log on procedure authenticates the user and creates a session with the Device until the user logs off.

To get the login window, open the browser and type the LAN IP Address of the device in the browser's URL box. A dialog box appears prompting you to enter a username and password.

Below are the screen elements with their description:

Username

Enter user login name.

If you are logging on for the first time after installation, use the default username.

Password

Specify user account password.

Dots are the placeholders in the password field.

If you are logging on for the first time after installation with the default username, use the default password.

Language

Select the language. The available options are:

• Chinese-Simplified

• Chinese-Traditional

• English

• French

• Hindi

• German

• Italian

• Korean


• Brazilian Portuguese

Default – English

Log on to

To administer device, select Admin Console.

To login into your account, select User Portal.

Login button

Click to log on to the Admin Console.

Control Center appears as soon as you log on to the Admin Console. Control Center provides a quick and fast overview of all the important parameters of your device.

Log out procedure

To prevent unauthorized users from accessing the device, log off after you have finished working. This ends the session and exits the device.

To log out of the device, navigate to admin at the top right of any of the Admin Console pages and click Logout.

Supported Browsers

You can connect to the Admin Console of the device using a secure HTTPS connection from any management computer using one of the following web browsers:

Latest version of Firefox (recommended), latest version of Chrome, latest version of Safari, or Microsoft Internet Explorer 10 onwards with JavaScript enabled.

The minimum screen resolution for the management computer is 1280 x 768.

Menus

Navigation bar on the leftmost side provides access to various configuration pages. Menu consists of sub-menus and tabs. On clicking menu item in the navigation bar, related management functions are displayed as tabs. To view page associated with the tab, click the required tab.


The navigation menu includes following modules:

• Monitor & Analyze

• Protect

• Configure

• System

Note: Use the F1 key for page-specific help.

Each section in this guide shows the menu path to the configuration page. For example, to reach the High Availability page, choose System Services menu from Configure section in the navigation bar, and then choose High Availability tab. Online help mentions this path as:

Configure > System Services > High Availability

Pages

A Leaf page is a page from where all the configurations can be done. The admin tab in the upper rightmost corner of every page provides access to several commonly used functions:

1. Support: Opens the customer login page for creating a Technical Support Ticket. It is fast, easy and puts your case right into the Technical Support queue.

2. About Product: Opens the device registration information page.

3. Wizard: Opens the Network Configuration Wizard.

4. Console: Opens the Command Line Interface (CLI) console.

5. Reboot Device: Reboots the device.

6. Shutdown Device: Shuts down the device.

7. Lock: Locks the Admin Console. The Admin Console is automatically locked if the device is in an inactive state for more than 3 minutes. To unlock the Admin Console you need to log in again. By default, the Lock functionality is disabled.

Enable Admin Session Lock from System > Administration > Settings.

8. Logout: Logs out from the Admin Console.

Clicking the Help hyperlink in the upper rightmost corner of every page opens the context-sensitive help page.

Click How-To Guides to browse through our extensive library of how-to videos for XG Firewall.

List Navigation Controls

The Admin Console pages display information in the form of lists, and many lists are spread across multiple pages.

The Page Navigation Controls at the bottom of the list provide navigation buttons for moving through list pages with a large number of entries. They display the current page and the total number of pages.

Monitor and Analyze

Control Center

The Control Center appears as soon as you log on to the Admin Console.

The Control Center provides a single-screen snapshot of the state and health of the security system, which is easy to explore and drill into.

System Panel

The System panel displays the real-time state of device services, VPN connections, WAN links and performance, as well as the number of days since the device has been up and running. Status is displayed as an icon, and colored icons are used to differentiate statuses. On clicking the icon, detailed information about the services is displayed.

The icons and their various statuses are:

Performance Widget

Normal – Load Average of the Device is less than 2 units.

Warning – Load Average is between 2 and 5 units.

Alert – Load Average is more than 5 units.

Unknown

On clicking the icon, the Load Average Graph of the device is displayed.

Load Average is a measure of the average number of processes waiting for execution time on a CPU. Any number greater than the number of processor cores in the system indicates that, during the time period being measured (for example, 5 minutes), there was generally more work to do than the system was capable of doing.
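The following Python is an added example written for this guide (it is not Sophos XG Firewall code) that puts the two readings side by side: the Performance widget's fixed thresholds (less than 2 Normal, 2 to 5 Warning, more than 5 Alert) and the per-core interpretation explained above, where a load average above the number of processor cores means the system could not keep up. The /proc/loadavg-style sample line is constructed, and the choices of treating exactly 2.0 and 5.0 as Warning and of feeding the 5-minute value to the widget status are assumptions, since the guide does not specify them.

```python
"""Interpret a load average two ways: with the fixed thresholds the Control
Center Performance widget uses, and relative to the CPU core count as the
guide's explanation describes. Added example; not Sophos code."""

# Constructed sample in the format Linux exposes via /proc/loadavg:
# 1-, 5- and 15-minute load averages, running/total tasks, last PID.
SAMPLE_LOADAVG_LINE = "3.20 2.10 1.50 2/345 12345"


def parse_loadavg(line: str):
    """Return the (1, 5, 15)-minute load averages from a /proc/loadavg line."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("expected at least three load-average fields")
    return tuple(float(f) for f in fields[:3])


def widget_status(load_avg):
    """Performance widget status for a load average (None means Unknown).

    Thresholds follow the guide: below 2 is Normal, 2 to 5 is Warning, above 5
    is Alert. The guide does not say which side the boundaries fall on; this
    example treats exactly 2.0 and exactly 5.0 as Warning (an assumption)."""
    if load_avg is None or load_avg < 0:
        return "Unknown"
    if load_avg < 2.0:
        return "Normal"
    if load_avg <= 5.0:
        return "Warning"
    return "Alert"


def is_overloaded(load_avg, cpu_cores):
    """True when, over the sampled window, there was more runnable work than cores.

    This is the per-core reading the guide explains: a load average above the
    core count means the system generally had more work than it could do."""
    if cpu_cores < 1:
        raise ValueError("cpu_cores must be at least 1")
    return load_avg > cpu_cores


def assess(line, cpu_cores):
    """Combine both readings for the 1-, 5- and 15-minute values."""
    one, five, fifteen = parse_loadavg(line)
    return {
        # Assumption: the widget is fed the 5-minute value.
        "widget": widget_status(five),
        "per_core_5min": round(five / cpu_cores, 2),
        "overloaded": {
            "1min": is_overloaded(one, cpu_cores),
            "5min": is_overloaded(five, cpu_cores),
            "15min": is_overloaded(fifteen, cpu_cores),
        },
    }


if __name__ == "__main__":
    # The same sample reads as Warning on the widget regardless of core count,
    # but is only actually overloaded on a single-core system.
    for cores in (1, 8):
        print(cores, "core(s):", assess(SAMPLE_LOADAVG_LINE, cores))
```

The point of running it with both core counts is that the widget's fixed thresholds say nothing about capacity: a 5-minute load of 2.1 is "Warning" on an 8-core appliance that is 26% busy and on a single-core one that is saturated. When a Warning appears, compare the value against the appliance's core count before treating it as a capacity problem.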

Services Widget

Normal – All the services are running.

Warning – One or more services has been explicitly stopped by the administrator. You can restart services from Monitor & Analyze > System Services > Services.

Alert – One or more services is not running. You can restart services from Monitor & Analyze > Services.

Unknown

On clicking the icon, the services that are stopped or dead are displayed.

Interfaces Widget

Normal – All the WAN links are UP.

Warning – 50% or less WAN links are DOWN.

Alert – 50% or more WAN links are DOWN.

Unknown

On clicking the icon, details of WAN Links are displayed.

VPN Connections Widget

Normal – All the VPN tunnels are UP.

Warning – 50% or less VPN tunnels are DOWN.

Alert – 50% or more VPN tunnels are DOWN.

Unknown

On clicking the icon, details of VPN tunnels are displayed.

CPU Widget

CPU graphs allow the administrator to monitor the CPU usage by the Users and System components. Maximum and Average CPU usage is also displayed when the widget is clicked.

X-axis – Hours/Weeks/Months/Year (depending on the option selected)

Y-axis – % use

Click the widget to view details. Clicking any of the hyperlinks under System Tools and Network Utilities will redirect you to the respective page.

Memory Widget

Memory graphs allow the administrator to monitor the memory usage in percentage. The graphs display the memory used, free memory and total memory available. In addition, they show maximum and average memory usage.

X-axis – time period (depending on the option selected)

Y-axis – % use

Click the widget to view details. Clicking any of the hyperlinks under System Tools and Network Utilities will redirect you to the respective page.

Bandwidth Widget

Graph displays total data transfer through WAN Zone. In addition, shows maximum and average data transfer.

X-axis – Hours/Days/Months/Year (depending on the option selected)

Y-axis – Total data transfer in KBits/Second

Click the widget to view details. Clicking any of the hyperlinks under System Tools and Network Utilities will redirect you to the respective page.

Sessions Widget

Graph displays current sessions of the device. It also displays the maximum and average live connections.

Click the widget to view details. Clicking any of the hyperlinks under System Tools and Network Utilities will redirect you to the respective page.

High Availability (HA) Details

Displays HA mode configured as below:

A-A: When the device is configured in Active-Active mode.

A-P (M): When the device is configured in Active-Passive mode and is acting as the Primary Device.

A-P (S): When the device is configured in Active-Passive mode and is acting as the Auxiliary Device.

Traffic Insight Panel

The section provides statistics related to network traffic processed by your device in the last 24 hours. The at a glance information helps find out who is consuming the most bandwidth, unusual traffic patterns, and most-visited websites and applications.

The statistics are displayed as bar graphs:

• Web Activity - The graph provides the user data transfer information over the last 24 hours, which helps in understanding the web surfing trend. It also displays the maximum and average amount of data transferred, in bytes, over the last 24 hours, which helps you spot unusual traffic patterns, if any. For example, if the graph displays a peak at a certain point in time, it means the maximum amount of data transfer was done over that time period.

• Allowed App Categories - The graph displays the amount of data transferred, in bytes, for the top five application categories. This gives an administrator an at-a-glance view of the most-used applications in the last 24 hours, which in turn helps you identify which applications consume the most bandwidth. Clicking on the bar of a particular application category in the graph will redirect you to the filtered application report of that category.

• Network Attacks - The graph lists the top five hosts that were denied access to the network due to health reasons. Clicking on the bar of a particular attack category in the graph will redirect you to the filtered report of that category.

• Allowed Web Categories - The graph displays the amount of data transferred, in bytes, for the top five web categories. This gives an administrator an at-a-glance view of the most-visited websites in the last 24 hours, which in turn helps you identify which websites consume the most bandwidth. Clicking on the bar of a particular web category in the graph will redirect you to the filtered report of that category.

• Blocked App Categories - The graph displays the top five denied application categories along with the number of hits per category. This way an administrator gets to know the applications with the most failed access attempts. Clicking on the bar of a particular application category in the graph will redirect you to the filtered application report of that category.

User & Device Insights Panel

Security Heartbeat Widget

Security Heartbeat widget provides the health status of all endpoint devices. An endpoint device is an Internet-capable computer hardware device connected to Sophos XG Firewall via Sophos Central. The endpoint sends a heartbeat signal at regular intervals and also informs about potential threats to the Sophos XG Firewall.

If Security Heartbeat is not configured, the Configure button appears on the Control Center.

The health status of endpoint can be red, yellow, or green:

• Red labeled "At risk" - Active malware detected.

• Yellow labeled "Warning" - Inactive malware detected.

• Green (no label) - No malware detected.

• Red labeled "Missing" - Endpoints not sending health status information but causing network traffic.

Once Security Heartbeat is configured, all the endpoints are classified into one of the four statuses. The Security Heartbeat Widget shows the total number of endpoints in each status.

Click the widget to view the list of all endpoints with information like hostname/IP of the source, user and state changed. You can select to display all or just certain endpoints based on their health status.

Sandstorm Widget

Sophos Sandstorm is a cloud-based service that provides enhanced protection against malware. You can configure the firewall to send suspicious downloads to Sandstorm for analysis. Sandstorm detonates files to check for ransomware and other advanced threats. Because the analysis takes place in the cloud, your system is never exposed to potential threats.

Sandstorm requires a subscription. Click the link to start your free 30-day evaluation.

When Sandstorm is enabled, users will be prevented from downloading files that match the firewall criteria until the analysis is complete.

The Sandstorm widget displays analysis results for web traffic and email. Click the widget to view Sandstorm activity details.

Advanced Threat Protection Widget


Advanced Threat Protection widget provides a snapshot of advanced threats detected in your network. ATP can help rapidly detect infected or compromised clients inside the network and raise an alert or drop the respective traffic.

If Security Heartbeat is not configured, the Configure button appears on the Control Center.

Once configured, the widget will show one of two statuses:

- Normal - No threats detected.

- Alert - Displays the number of sources blocked. Clicking on it gives details like hostname/IP of the source, threat and count.

User Threat Quotient Widget

Widget displays the User Threat Quotient (UTQ) status of an organization aggregated for the last 7 days. This helps an administrator to get quick visibility of risky users, if any, who are posing security threats to the organization’s network.

Possible UTQ statuses:

- There are no users with risky web surfing behaviour or using infected hosts that are part of a botnet.

- There are 13 users who account for 80% of the overall risk posed to the organization's network.

Note that the number 13 here is just an example and may vary from case to case. For example, there may be a case where a single user accounts for 80% of the overall risk posed to the organization's network. Click on this icon to view the User Threat Quotient (UTQ) reports for the last 7 days.

RED Widget

Widget displays number of RED tunnels established and total number of RED tunnels configured in the form of 4/8.

Click the widget to view list of RED tunnels.

Wireless APs Widget

The widget displays Active APs and the total number of APs configured in the form 2/3. Pending APs, if any, are displayed separately in brackets in red. Clicking the widget redirects you to the Access Points page.

Connected Remote Users Widget

The widget displays the total number of users connected remotely through SSL VPN. Clicking the widget redirects you to the SSL VPN Users page.

Live Users Widget

The widget displays the total live users count. Clicking the widget redirects you to the Live Users page.

Active Firewall Rules Panel

The Active Firewall Rules panel displays information which can be used by the administrator to visualize and quantify (in terms of data volume) the firewall rules configured on the device. Using this information, the administrator can fine-tune the deployed firewall rules to troubleshoot or enhance network performance. All active firewall rules will be visible irrespective of the rights pertaining to the logged-on administrator profile.

Firewall Rule Types

The Active Firewall Rules widget displays the number of firewall rules which are being used to process the network traffic, based on the following rule types:

• Business - Displays the number of active Business Application Firewall Rules

• User - Displays the number of active User Application Firewall Rules

• Network - Displays the number of active Network Firewall Rules

Total - Displays the total number of active firewall rules.

The chart displays the volume of data (in Bytes) processed by each active firewall rule type, in the last 24 hours.

Hover over the chart area to see the volume of data processed by the active firewall rule type. Firewall Rule type is easily recognisable, based on the following legends:

Business - Represented by Green area on the chart

User - Represented by Red area on the chart

Network - Represented by Blue area on the chart

Use the information in the chart area to determine the network saturation status and identify specific firewall rule type causing this.

Firewall Rule Status

The number of firewall rules, as per their current statuses are also displayed within the same widget. This is mainly for admin housekeeping purposes, also useful, where multiple administrators are working on the same device. The current statuses are based on the following categories or filters:

• Unused - Displays the number of firewall rules which do not process any traffic on the device. The administrator may want to revise unused firewall rules or delete them completely.

• Disabled - Displays the number of firewall rules which are configured on the device, but disabled by the administrator.

• Changed - Displays the number of firewall rules which have been updated recently.

• New - Displays the number of newly created firewall rules.

Clicking any of the Firewall Rule Types or Firewall Rule Status redirects to the Firewall page displaying the relevant firewall rules.

Reports Panel

Not applicable to CR10iNG, CR10wiNG, CR15i, CR15wi, CR15iNG, CR15wiNG, CR15iNG-LE, CR15iNG-4P, CR15wiNG-4P, XG85 and XG85w models.

Depending on the Modules subscribed, at most five critical reports from the table below are displayed:

Report Name | Number / Data Displayed | Subscription Module

High Risk Applications | <number of> Risky Apps seen yesterday | Web Protection

Objectionable Websites | <number of> Objectionable websites seen yesterday | Web Protection

Web Users | <data transfer> (in bytes) used by top 10 users yesterday | Web Protection

Intrusion Attacks | <number of> Intrusion attacks yesterday | Network Protection

Web Server Protection | <number of> Web server attacks yesterday | Web Server Protection

Email Usage | <data transfer> (in bytes) used | Email Protection

Email Protection | <number of> Spam mails yesterday | Email Protection

Traffic Dashboard | - | Either Web Protection or Network Protection

Security Dashboard | - | Either Web Protection or Network Protection

Prevalent Malware Panel

Applicable to CR15iNG, CR15wiNG, CR15i and CR15wi models only

Displays top five malware identified by the Device, in addition to the number of occurrence per malware.

Messages Panel

Panel displays information which allows administrator to monitor and track the system events of the device. Each message displays the date and time that the event occurred.

Displays following alerts:

1. The default password for the user "admin" has not been changed. We highly recommend you to change the password. – This alert is displayed when default password for super administrator is not changed.

2. The default Admin Console password has not been changed.

3. HTTPS, SSH based management is allowed from the WAN. This is not a secure configuration. We recommend using a good password.

4. HTTP, Telnet based management is allowed from the WAN. This is not a secure configuration. We recommend using a good password.

5. Your Device is not registered.

6. The modules expired.

Symbolic representations are used for easier identification of messages:

• Alert icon: Indicates alert messages.

• Warning icon: Indicates warnings.

• Firmware icon: Indicates firmware download notifications.
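As an added example (it is not Sophos XG Firewall code), the following Python evaluates a device-access configuration against the conditions the Messages panel alerts on, and against the shipped defaults described under Administrative Access and Using Admin Console earlier on this page (admin/admin, HTTPS admin access on the WAN zone on TCP port 4444). The configuration format (a dict with an `admin_password_changed` flag and a `services` map of service name to port and allowed zones), the service names as keys, and the severity labels are assumptions made for this example; both sample configurations are constructed.

```python
"""Audit a device-access configuration for the conditions the Control Center
Messages panel reports: the unchanged default 'admin' password and management
services (HTTPS/SSH, HTTP/Telnet) reachable from the WAN zone.

Added example written for this guide; not Sophos XG Firewall code. The
configuration format below is constructed for the example."""

CLEARTEXT_SERVICES = {"HTTP", "Telnet"}   # credentials cross the network unencrypted
ENCRYPTED_SERVICES = {"HTTPS", "SSH"}

# Constructed: mirrors the shipped defaults the guide describes (admin/admin,
# HTTPS admin access on WAN port 4444), with CLI services also left reachable.
SHIPPED_DEFAULT_CONFIG = {
    "admin_password_changed": False,
    "services": {
        "HTTPS": {"port": 4444, "zones": ["WAN", "LAN"]},
        "SSH": {"port": 22, "zones": ["WAN", "LAN"]},
        "Telnet": {"port": 23, "zones": ["LAN"]},
    },
}

# Constructed: a hardened equivalent (password rotated on deployment, management
# reachable only from the LAN zone, cleartext protocols not enabled at all).
HARDENED_CONFIG = {
    "admin_password_changed": True,
    "services": {
        "HTTPS": {"port": 4444, "zones": ["LAN"]},
        "SSH": {"port": 22, "zones": ["LAN"]},
    },
}


def audit_device_access(config):
    """Return a list of (severity, message) findings; empty when nothing is flagged.

    Severity labels 'alert' and 'warning' follow the Messages panel's two icon
    classes; the exact mapping is an assumption of this example."""
    findings = []

    # Message 1 on the panel: the super administrator still has the default password.
    if not config.get("admin_password_changed", False):
        findings.append(("alert",
                         'The default password for the user "admin" has not been changed.'))

    services = config.get("services", {})

    def exposed_on_wan(names):
        return sorted(n for n in names if "WAN" in services.get(n, {}).get("zones", []))

    # Message 3: encrypted management reachable from the WAN zone.
    wan_encrypted = exposed_on_wan(ENCRYPTED_SERVICES)
    if wan_encrypted:
        findings.append(("alert",
                         f"{', '.join(wan_encrypted)} based management is allowed from the WAN."))

    # Message 4: cleartext management reachable from the WAN zone.
    wan_cleartext = exposed_on_wan(CLEARTEXT_SERVICES)
    if wan_cleartext:
        findings.append(("alert",
                         f"{', '.join(wan_cleartext)} based management is allowed from the WAN."))

    # Beyond the panel: cleartext management is a risk on any zone, because the
    # admin credentials are observable by anyone on that segment.
    enabled_cleartext = sorted(n for n in CLEARTEXT_SERVICES
                               if services.get(n, {}).get("zones"))
    if enabled_cleartext:
        findings.append(("warning",
                         f"{', '.join(enabled_cleartext)} management is enabled; prefer HTTPS/SSH."))
    return findings


def is_compliant(config):
    """True when the audit raises no findings at all."""
    return not audit_device_access(config)


if __name__ == "__main__":
    for name, cfg in (("shipped default", SHIPPED_DEFAULT_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: compliant={is_compliant(cfg)}")
        for severity, message in audit_device_access(cfg):
            print(f"  [{severity}] {message}")
```

The shipped-default configuration trips the default-password alert and the HTTPS/SSH-from-WAN alert, which is exactly what the Messages panel shows on a fresh deployment; the hardened configuration produces no findings. The last check goes beyond the panel's messages: it flags Telnet or HTTP even when restricted to the LAN, since the panel only warns about WAN exposure.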

Connections and Interfaces

The image of the device will be displayed in this panel on the right side. For a virtual device, stack of devices will be displayed.

Interface Table

This panel displays information about the Interfaces, describing their Name, Type and Status, Received and Transmitted KBits/s.

Displays the following details:

1. Interface - This displays the name of the Interface configured in the system. Example: Port A, Guest AP. It displays Physical, LAG and Bridge types of Interfaces.

2. Type - This displays the zone along with the type of Interface configured. Example: LAN-Physical, WAN-VLAN etc.

3. Status - This displays the status and the Interface Speed for the configured Interface. Status can be connected, unplugged, disconnected, connecting, enabled or disabled (for RED interface only).

4. Received KBits/s - This displays the received bits through the Interface.

5. Transmitted KBits/s - This displays the transmitted bits through the Interface.

Gateway Table


This panel displays information of Gateways which allows administrator to monitor Active and Backup Gateways describing their Name, Interface, Type, IPv4/IPv6, Activate on Failure of, Weight and Status.

Displays following details:

1. Gateway Name - This displays the name of the Gateway.

2. Interface - This displays the name and IP address of the Interface.

3. Type - This displays the type of the Gateway in terms of load balancing. Available options are Active and Backup.

4. IPv4/IPv6 - This displays the type of the Gateway in terms of IP addressing type used. Available options are IPv4 and IPv6.

5. Activate on Failure of - This displays the action for the Gateway failure situation, i.e. whether a backup Gateway will be activated or not.

6. Weight - This displays how much traffic will pass through a particular link in relation to the other link(s).

7. Status - This displays the status of the Gateway. Status can be Active, Deactive.

Current Activities

The Current Activity section provides information about the live IPsec, SSL, IP and wireless connections to the device.

Live Users: Displays a list of all the users currently connected to the device.

IPsec Connections: Displays a list of all the live IPsec connections.

Remote Users: Displays a list of all the live SSL VPN users.

Live Connections IPv4: Displays a list of the live IPv4 connections on the device. You can forcefully disconnect the connections from the respective pages.

Live Connections IPv6: Displays a list of the live IPv6 connections on the device. You can forcefully disconnect the connections from the respective pages.

Live Users

Live users in the device can be managed from a single page. All the active normal users, clientless users and single sign-on users are visible from the Live Users page. The administrator can disconnect these users from this page directly.

User Types:

• Normal

• Clientless

• Single Sign-On

• Thin Client

• WWAN user

A normal user has to log on to the device. This requires a client (client.exe) on the user's machine, or the HTTP client component can be used; all policy-based restrictions are applied.

A clientless user does not require a client component (client.exe) on the user's machine.

If a user is configured for single sign-on, whenever the user logs on to Windows, he/she is automatically logged to the device.

If the user is a thin client user, whenever the user logs on, this is visible on the Live Users page.

If a wireless user is configured and connected, the user is shown on the Live Users page.

To disconnect a user:

1. Click the Disconnect icon under the Manage column against a user.

2. Specify the message in the dialog box.

3. Click OK to disconnect the user. To disconnect multiple live users, select them and click Disconnect.

Note: Configured messages will not be sent to a clientless user.

Figure 1: Live Users

Related Topics

Users

on page 416

The Users page displays the list of all users added in the device.

Live Connections

Use Live Connections page to view a list of all currently active IPv4 connections.

The page displays the IPv4 live connections report and provides quick real-time statistics of the network traffic.

You can use this report to check the share of the network load taken by different protocols, computer systems (in your LAN or on the Internet), connections, or a combination of these (e.g. network connections with a certain protocol). Drill down quickly to get an in-depth view of your network.

Connections per Application

Use to determine the amount of traffic generated (bandwidth used) by each application in real time. It also displays which user is currently using which application and the total data transferred using the application.

Use to view:

Connection Details per Application

Connections Details per Application and Username

For each connection the list shows:

Application

Applications running on the network.

Click the number in the Total Connections column against an application to view destination IP address-wise and destination port-wise connection details for the selected application.

Click the icon to view the list of users using the respective application or click it again to hide the list of users.

Upload Transfer

Data uploaded through the application.

Download Transfer

Data downloaded through the application.

Upstream Bandwidth

Upstream bandwidth.

Downstream Bandwidth

Downstream bandwidth.

Total Connections

Displays number of connections initiating/requesting the application.

Click the number in the Total Connections column to view the connection details for the selected application.

Figure 2: Live Connections based on Application

Connections per User

Used to determine the amount of traffic generated (bandwidth used) by users in real time i.e. traffic per user. It also displays which user is using a particular application currently and is consuming how much bandwidth.

Use to view:

Connection Details per User

Connections Details per User and Application

For each connection the list shows:

User

Network users requesting various applications.

Click the icon to view the list of applications used by the user or click it again to hide the list of applications.

Click the number in the Total Connections column against a user to view destination IP address-wise and destination port-wise connection details for the selected user.

Upload Transfer

Data uploaded.

Download Transfer

Data downloaded.

Upstream Bandwidth

Upstream bandwidth.

Downstream Bandwidth

Downstream bandwidth.

Total Connections

Displays number of connections initiated by the User.

Click Total Connections to view the connection details for selected User.

Figure 3: Live Connections IPv4 based on Username

Connections per Source IP Address

Use to determine the amount of traffic generated (bandwidth used) by source IP addresses in real time i.e. traffic per source IP address. It also displays which user is using a particular application currently and is consuming how much bandwidth.

Use to view:

Connection Details

Connection per Source IP Address and Application

Source IP Address

Source IPv4 addresses requesting various applications.

Click the icon to view the list of Source IPv4 addresses or click it again to hide the list of IP addresses.

Upload Transfer

Data uploaded.

Download Transfer

Data downloaded.

Upstream Bandwidth

Upstream bandwidth.

Downstream Bandwidth

Downstream bandwidth.

Total Connections

Displays number of connections initiated by the Source IP Address.

Click Total Connections to view the connection details for the selected Source IP Address.

Figure 4: Live Connections IPv6 based on Source IP

Live Connections IPv6

Use Live Connections IPv6 page to view a list of all currently active IPv6 connections.

The page displays the IPv6 live connections report and provides quick real-time statistics of the network traffic.

You can use this report to check the share of the network load taken by different protocols, computer systems (in your LAN or on the Internet), connections, or a combination of these (e.g. network connections with a certain protocol). Drill down quickly to get an in-depth view of your network.

Connections per User

Used to determine the amount of traffic generated (bandwidth used) by users in real time i.e. traffic per user. It also displays which user is using a particular application currently and is consuming how much bandwidth.

Use to view:

Connection Details per User

Connections Details per User and Application

For each connection the list shows:

User

Network users requesting various applications

Click the icon to view the list of applications used by the user or click the icon to hide the list of applications.

Click number in Total Connections column against user to view destination IP address-wise and destination port-wise connection details for the selected user.

Upload Transfer

Data uploaded.

Download Transfer

Data downloaded.

Upstream Bandwidth

Upstream bandwidth.

Downstream Bandwidth

Downstream bandwidth.

Total Connections

Displays the number of connections initiated by the user.

Click the number in the Total Connections column to view the connection details for the selected user.

Figure 5: Live Connections IPv6 based on User

Connections per Source IP Address

Use to determine the amount of traffic generated (bandwidth used) by source IP addresses in real time i.e. traffic per source IP address. It also displays which user is using a particular application currently and is consuming how much bandwidth.

Use to view:

Connection Details

Connection per Source IP Address and Application

Source IP Address

Source IPv6 Addresses requesting various applications.

Click the icon to view the list of Source IPv6 addresses or click it again to hide the list of IP addresses.

Upload Transfer

Data uploaded.

Download Transfer

Data downloaded.

Upstream Bandwidth

Upstream bandwidth.

Downstream Bandwidth

Downstream bandwidth.

Total Connections

Displays number of connections initiated by the Source IP Address.

Click Total Connections to view the connection details for the selected Source IP Address.

Figure 6: Live Connections IPv6 based on Source IP

View Live Connection Details

The page displays the connection details per application, user, and source IP address.

Connection Details for the Selected Application

Click on the Total Connections link against the application to view its connection details.

Start Time

Time when connection was established.

In Interface

Traffic incoming interface.

Out Interface

Traffic outgoing interface.

Source IP

IP address from which the connection for the application was established.

Destination IP

IP address to which the connection was established.

Protocol

Protocol used by the traffic.

Source Port

Port through which the connection was established for the application.

Destination Port

Port to which the connection was established for the application.

Rule ID

Firewall rule ID applied to the connection traffic.

Upload Transfer

Data uploaded.

Download Transfer

Data downloaded.

Upstream Bandwidth

Upstream bandwidth.

Downstream Bandwidth

Downstream bandwidth.

Connection Details for the Selected Application and User

Click on the Total Connections link against the user name to view the connection details of the connections established by the user for the selected application.

Start Time

Time when connection was established.

In Interface

Traffic incoming interface.

Out Interface

Traffic outgoing interface.

Source IP

IP address from which the connection for the application was established.

Destination IP

IP address to which the connection was established.

Protocol

Protocol used by the traffic.

Source Port

Port through which the connection was established for the application.

Destination Port

Port to which the connection was established for the application.

Rule ID

Firewall rule ID applied to the connection traffic.

Upload Transfer

Data uploaded.

Download Transfer

Data downloaded.

Upstream Bandwidth

Upstream bandwidth.

Downstream Bandwidth

Downstream bandwidth.

Connection Details for the Selected User and Application

Click on the Total Connections link against the application to view the connection details of the connections established by the applications for the selected user.

Start Time

Time when the connection was established.

In Interface

Traffic incoming interface.

Out Interface

Traffic outgoing interface.

Source IP

IP address from which the connection for the application was established.

Destination IP

IP address to which the connection was established.

Protocol

Protocol used by the traffic.

Source Port

Port through which the connection was established for the application.

Destination Port

Port to which the connection was established for the application.

Rule ID

Firewall rule ID applied to the connection traffic.

Upload Transfer

Data uploaded.

Download Transfer

Data downloaded.

Upstream Bandwidth

Upstream bandwidth.

Downstream Bandwidth

Downstream bandwidth.

Connection Details of the Selected User

Click on the Total Connections link against the user to view its connection details.

Start Time

Time when the connection was established.

In Interface

Traffic incoming interface.

Out Interface

Traffic outgoing interface.

Source IP

IP address from which the connection for the user was established.

Destination IP

IP address to which the connection was established.

Protocol

Protocol used by the traffic.

Source Port

Port through which the connection was established for the user.

Destination Port

Port to which the connection was established for the user.

Rule ID

Firewall rule ID applied to the connection traffic.

Upload Transfer

Data uploaded.

Download Transfer

Data downloaded.

Upstream Bandwidth

Upstream bandwidth.

Downstream Bandwidth

Downstream bandwidth.

Connection Details of the Selected Source IP Address

Click on the Total Connections link against the source IP address to view its connection details.

Start Time

Time when the connection was established.

In Interface

Traffic incoming interface.

Out Interface

Traffic outgoing interface.

Source IP

IP address from which the connection for the source IP address was established.

Destination IP

IP address to which the connection was established.

Protocol

Protocol used by the traffic.

Source Port

Port through which the connection was established for the source IP address.

Destination Port

Port to which the connection was established for the source IP address.

Rule ID

Firewall rule ID applied to the connection traffic.

Upload Transfer

Data uploaded.

Download Transfer

Data downloaded.

Upstream Bandwidth

Upstream bandwidth.

Downstream Bandwidth

Downstream bandwidth.

Connection Details of the Selected Application and Source IP Address

Click on the Total Connections link against the application to view the connection details of the connections established by the application from the selected source IP address.

Start Time

Time when the connection was established.

In Interface

Traffic incoming interface.

Out Interface

Traffic outgoing interface.

Source IP

IP address from which the connection for the application was established.

Destination IP

IP address to which connection was established.

Protocol

Protocol used by the traffic.

Source Port

Port through which the connection was established for the application.

Destination Port

Port to which the connection was established for the application.

Rule ID

Firewall rule ID applied to the connection traffic.

Upload Transfer

Data uploaded.

Download Transfer

Data downloaded.

Upstream Bandwidth

Upstream bandwidth.

Downstream Bandwidth

Downstream bandwidth.

IPsec Connections

The page displays a list of all the connected IPsec tunnels. You can filter the list based on connection name, local server name, local subnet, user name, remote server/host or remote subnet.

To view the IPsec connections, go to Monitor & Analyze > Current Activities > IPsec Connections. The administrator can disconnect any of the IPsec connections if required by clicking Disconnect, or update the list by clicking Refresh.

The table IPsec Connections contains the following information:

Name: Name of the IPsec connection.

Local Server: Name of the local server.

Local Subnet: Name of the local subnet.

Username: Name of the IPsec connection user.

Remote Server/Host: Name of the remote server/host.

Remote Subnet: Name of the remote subnet.

Related Topics

IPsec Connections

on page 251

The IPsec menu allows you to create and manage IPsec connections and failover groups.

Remote Users

Use Remote Users page to view a list of active remote users.

To view Remote Users page, go to Monitor & Analyze > Current Activities > Remote Users.

The page displays a list of all the currently logged-in remote users. You can filter the connections based on the connection date, username, source IP address or leased IP address.

The administrator can disconnect any of the remote users, if required, by clicking Disconnect.

Related Topics

Add SSL VPN Remote Access Policy

on page 273

This page allows adding SSL VPN remote access policies.

Diagnostics

This menu allows checking the health of your device in a single shot. The information can be used for troubleshooting and diagnosing problems found in your device.

Use this menu to access the following pages:

Tools

- View statistics to diagnose connectivity and network problems and to test network communication. It assists in troubleshooting issues such as hangs, packet loss, connectivity and discrepancies in the network. Troubleshooting reports can also be generated to debug system problems.

System Graphs

- Use to view graphs of system related activities for different time intervals.

URL Category Lookup

- Use to search whether a URL is categorized or not.

Packet Capture

- Displays details of packets on the specified interface.

Connection List

- Provides a snapshot of the current (live) connections of your device in list form.

Support Access

- Use this page to grant support staff temporary access to your device.

Tools

Using the Tools page, one can view the statistics to diagnose the connectivity problem, network problem and test network communication. It assists in troubleshooting issues such as hangs, packet loss, connectivity, discrepancies in the network. The page covers:

Ping

Traceroute

Name Lookup

Route Lookup

Consolidated Troubleshooting Report

Ping

Ping is the most common network administration utility used to test the reachability of a host on an Internet Protocol (IP) network and to measure the round-trip time for messages sent from the originating host to a destination computer.

Ping sends ICMP echo requests and waits for the echo replies to test connectivity to other hosts. Use a standard ICMP ping to confirm that a server is reachable and responds to ICMP echo requests.

Use Ping diagnostically to:

• Ensure that the host you are trying to reach is actually operating and that its address is reachable

• Check how long it takes to get a response

• Get the IP address from the domain name

• Check for packet loss

The parameters used are:

IP Address/Host Name

Specify the IP address (IPv4/IPv6) or fully qualified domain name to be pinged.

Ping determines the network connection between the device and a host on the network. The output shows if the response was received, packets transmitted and received, packet loss if any and the round-trip time. If a host is not responding, ping displays 100% packet loss.

IP Family

Select the type of IP family from the options available:

Available Options: IPv4, IPv6

Interface

Select the interface through which the ICMP echo requests are to be sent.

Size

Specify the ping packet size, in bytes.

Default: 32 bytes

Size Range: 1 to 65507

Figure 7: Ping

Traceroute

Traceroute is a useful tool to determine whether a packet or communication stream is being stopped at the device or is lost on the Internet, by tracing the path taken by a packet from the source system to the destination system over the Internet.

Use Traceroute to:

• find discrepancies in the network or the ISP network within milliseconds.

• trace the path taken by a packet from the source system to the destination system over the Internet.

The parameters used are:

IP Address/Host Name

Specify the IP address (IPv4/IPv6) or fully qualified domain name.

Traceroute determines the network path between the device and a host on the network. The output shows all the routers through which data packets pass on the way from the source system to the destination system, the maximum hops and the total time taken by the packet to return, measured in milliseconds.

IP Family

Select the type of IP family from the options available:

Available Options: IPv4, IPv6

Interface

Select the interface through which the requests are to be sent.

Figure 8: Traceroute

Name Lookup

Name Lookup queries the Domain Name System (DNS) for information about domain names and IP addresses. It sends a query to a configured DNS server: if a domain name is entered, the IP address to which it corresponds is returned, and if an IP address is entered, the domain name to which it corresponds is returned. The result is displayed in a user-readable format.

The parameters used and their descriptions are:

IP Address/Host Name

IP address (IPv4/IPv6) or fully qualified domain name that needs to be resolved.

DNS Server IP

Select the DNS server to which the query is to be sent.

Select Lookup using all Configured Servers to query all the DNS servers configured in the device. Selecting this option also shows the time taken by each DNS server to resolve the query. Based on the response time of each server, you can prioritize the DNS servers.

Figure 9: Name Lookup

Route Lookup

If you have routable networks and want to find through which interface the device routes traffic to a destination, look up the route for the IP address (IPv4/IPv6).

Figure 10: Route Lookup

Consolidated Troubleshooting Report

To help the Support team debug system problems, a troubleshooting report can be generated which consists of the system's current status file and log files. The file contains details such as a list of all the processes currently running on the system, resource usage, etc., in encrypted form.

The administrator has to generate the file and mail it to Support for diagnosing and troubleshooting the issue.

The file will be generated with the name CTR_<APPKEY>__<MM_DD_YY>_<HH_MM_SS> where

• APPKEY is the device key of the device for which the report is generated

• MM_DD_YY is the date (month day year) on which the report is generated

• HH_MM_SS is the time (hour minute second) at which the report is generated

By default, debug mode is off for all the subsystems. Before generating a log file, enable debug mode by executing the following command at the command line: console> diagnostics subsystems <subsystem name> debug on

Note: Debug mode does not need to be enabled if you only want to generate a system snapshot.

The parameters used are:

Generate CTR for

Enable the option(s) for which the CTR should be generated.

Available Options:

System Snapshot: Generates a snapshot that shows the current state of the system and its issues.

Log Files: Generates log files.

Reason

Specify the reason for generating CTR.

Generate

Click to generate the CTR.

Figure 11: Consolidated Troubleshooting Report

System Graphs

System Graphs page displays graphs pertaining to system related activities for different time intervals.

Monitor & Analyze > Diagnostics > System Graphs

System graphs display the following information for the selected period. These are the same graphs as shown in the utility-wise graphs, regrouped by time interval.

1. CPU usage info

2. Memory usage info

3. Load average

4. Disk usage

5. Number of live users

6. Data transfer through WAN zone

7. Interface usage info

CPU Usage Graphs

CPU Usage graphs enable the administrator to monitor the CPU usage by the users and system components. Graphs display percentage wise minimum, maximum, average and current CPU usage for user, system, and CPU idle time.

• X-axis –Minutes/hours/days/months (depending on the period selected)

• Y-axis – % use

Legend:

• Orange color – CPU used by user

• Purple color – CPU used by system

• Green color – CPU idle time

Figure 12: CPU Usage

Memory Usage Graphs

Memory Usage graphs enable the administrator to monitor the memory usage in Megabytes (MB). Graphs display the minimum, maximum, average and current values for memory used, free memory and total memory available.

• X-axis –Minutes/hours/days/months (depending on the period selected)

• Y-axis – Memory used in MB

Legend:

• Orange color – Memory used

• Purple color – Free memory

• Green color – Total memory

Figure 13: Memory usage

Load Average Graphs

Load Average graphs enables the administrator to monitor the load on the system.

Graphs display the minimum, maximum, average and current load on the system at the interval of one minute, five minute, and fifteen minutes.

• X-axis –Minutes/hours/days/months (depending on the period selected)

• Y-axis – Load average index

Legend:

• Orange color – One minute

• Purple color – Five minutes

• Green color – Fifteen minutes

Figure 14: Load Average

Disk Usage Graphs

Disk Usage graphs enable the administrator to monitor the disk usage in percentage.

Graphs display the minimum, maximum, average and currently used disk space in percentage by Signatures, Config, Reports and Temp files.

• X-axis –Minutes/hours/days/months (depending on the period selected)

• Y-axis – % use

Legend

• Orange color – Disk space used by signatures

• Purple color – Disk space used by config files

• Green color – Disk space used by reports

• Blue color – Disk space used by temp

Figure 15: Disk Usage

Live Users Graphs

Live Users graphs enable the administrator to monitor the number of live users for the selected time duration.

Graphs display the number of users currently connected to the Internet. In addition, it shows the minimum, maximum and average number of users connected during the selected period.

This helps the administrator in determining the peak hour of the day.

• X-axis –Minutes/hours/days/months (depending on the period selected)

• Y-axis – Numbers of users

Legend

• Orange color – Number of live connected users

Figure 16: Live Users

Data Transfer through WAN Zone Graphs

Data Transfer for WAN zone graphs is subdivided into three (3) graphs providing various information about data transfer via WAN zone.

1. Total upload/download data transfer of the selected period – Graph displays combined graph of upload & download data transfer. Colors differentiate upload & download data traffic. In addition, it shows the minimum, maximum and average data transfer for upload & download traffic individually.

• X-axis –Minutes/hours/days/months (depending on the period selected)

• Y-axis – Upload/download in KBits/second

Legend

• Orange Color - Upload traffic

• Purple Color - Download traffic

2. Total data transfer of the selected period - Graph displays the total data transfer from the WAN zone. In addition, it shows the minimum, maximum and average data transfer.

• X-axis –Minutes/hours/days/months (depending on the period selected)

• Y-axis – Upload/download in KBits/second

Legend

• Orange Color - Total (upload + download) traffic

3. Gateway wise total data transfer of the selected period - Graph displays the gateway-wise data transfer from the WAN zone. In addition, it shows the minimum, maximum and average data transfer of each gateway.

• X-axis –Minutes/hours/days/months (depending on the period selected)

• Y-axis – Upload/download in KBits/second

Legend

• Different color for each gateway

Figure 17: WAN Data Transfer

Interface Info Graphs

Interface Info graph displays following traffic statistics for all the interfaces - physical interfaces, VLAN interfaces, wireless LAN and WAN interfaces:

1. Bits received and transmitted through the interface

2. Errors occurred while transmitting and receiving packets through the interface

3. Packets dropped while transmitting and receiving packets through the interface

4. Collisions occurred while transmitting and receiving packets through the interface

The graph shows

• X-axis – Minutes/hours/days/months (depending on the period selected)

• Y-axis – KBits/sec

Legend

• Orange color – Bits received (kbits/sec)

• Purple color – Bits transmitted (kbits/sec)

• Light Green color – Received Errors (kbits/sec)

• Blue color – Bits transmitted but dropped

• Pink color – Collisions

• Red color – Transmitted errors

• Dark Green color – Bits received but dropped

Figure 18: Interface Graph

Note:

• Today and Yesterday graphs are plotted at the average of 5 minutes.

• Weekly graph is plotted at the average of 15 minutes.

• Monthly graph is plotted at the average of 6 hours.

• Yearly graph is plotted at the average of 1 day.

URL Category Lookup

Use URL Category Lookup to search whether a URL is categorized or not. It searches the specified URL and displays the category name under which the URL is categorized, along with the category description.

If a domain/URL is categorized under both a Custom Category and a Default Category, the name of the Custom Category is displayed in the search result.

To search a URL:

1. Go to Monitor & Analyze > Diagnostics > URL Category Lookup.

2. Enter URL to be searched in Search URL.

3. Click Search.

Figure 19: URL Category Lookup

Packet Capture

This page displays details of packets on the specified interface. It provides connection details and details of the packets processed by each module, e.g. firewall and IPS, along with information such as the firewall rule number, user, and web and application filter policy numbers. This helps administrators to troubleshoot errant firewall rules.

You can:

• Configure Capture Filter – Configure filter settings for capturing the packets.

• View – View the packet information.

• Display Filter – Specify the filter conditions for the packets to be displayed.

• Start/Stop – Start and stop packet capturing.

• Refresh – Refresh the list.

• Clear – Clear the details of the packets captured.

Packet Capture

Trace On/Off

Click the slider to enable/disable packet capturing.

The status, the buffer size and the buffer used for capturing are displayed:

• Trace On - packet capturing is on.

• Trace Off - packet capturing is off.

• Buffer Size: 2048 KB

• Buffer used: 0 to 2048 KB

Captured packets fill the buffer up to a size of 2048 KB. While packet capturing is on, if the buffer used would exceed the stipulated buffer size, packet capturing stops automatically. In such a case, you have to clear the buffer manually before capturing further (or enable Wrap Capture Buffer Once Full on the Configure page).
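The following is an added example, not Sophos code, that models the capture buffer behaviour described above and the Wrap Capture Buffer Once Full option of the Configure page: a fixed-size buffer, a per-packet snap length, and the choice between stopping the trace when the buffer is full and overwriting the oldest frames. The buffer sizes, frames and field names are constructed for the example and do not describe the firewall's internals.

```python
"""Model of a packet capture buffer with "stop when full" and "wrap once full".

Added example, not Sophos code: it reproduces the two behaviours described on
the page for a fixed-size capture buffer (the default stop-until-cleared, and
"Wrap Capture Buffer Once Full") together with the per-packet snap length
("Number of Bytes To Capture"). Frames, sizes and field names are constructed.
"""
from collections import deque
from typing import Optional


class CaptureBuffer:
    def __init__(self, capacity_bytes: int = 2048 * 1024,
                 snaplen: Optional[int] = None, wrap: bool = False):
        self.capacity = capacity_bytes   # "Buffer Size: 2048 KB" on the page
        self.snaplen = snaplen           # "Number of Bytes To Capture (Per Packet)"
        self.wrap = wrap                 # "Wrap Capture Buffer Once Full"
        self.frames = deque()            # (sequence number, stored bytes)
        self.used = 0                    # "Buffer used"
        self.trace_on = True             # "Trace On/Off"
        self.offered = 0                 # frames seen on the wire
        self.overwritten = 0             # frames lost to wrap-around

    def capture(self, frame: bytes) -> bool:
        """Store one frame truncated to snaplen; return True if it was kept."""
        self.offered += 1
        if not self.trace_on:
            return False                 # capture already stopped: nothing is recorded
        data = frame if self.snaplen is None else frame[:self.snaplen]
        if len(data) > self.capacity:
            raise ValueError("frame larger than the whole buffer")
        if self.used + len(data) > self.capacity:
            if not self.wrap:
                self.trace_on = False    # documented behaviour: trace stops until Clear
                return False
            # Wrap: discard the oldest frames until the new one fits.
            while self.used + len(data) > self.capacity:
                _, old = self.frames.popleft()
                self.used -= len(old)
                self.overwritten += 1
        self.frames.append((self.offered, data))
        self.used += len(data)
        return True

    def clear(self) -> None:
        """The Clear button: empty the buffer and allow capturing again."""
        self.frames.clear()
        self.used = 0
        self.trace_on = True

    def summary(self) -> dict:
        return {
            "stored": len(self.frames),
            "used": self.used,
            "trace_on": self.trace_on,
            "offered": self.offered,
            "overwritten": self.overwritten,
            "first_seq": self.frames[0][0] if self.frames else None,
        }


def simulate(wrap: bool, frames: int = 15, frame_len: int = 300,
             capacity: int = 1000, snaplen: int = 100) -> dict:
    """Feed constructed frames through a small buffer and report what survives."""
    buf = CaptureBuffer(capacity_bytes=capacity, snaplen=snaplen, wrap=wrap)
    for i in range(frames):
        buf.capture(bytes([i % 256]) * frame_len)   # constructed frame, not real traffic
    return buf.summary()


if __name__ == "__main__":
    print("stop when full:", simulate(wrap=False))
    print("wrap when full:", simulate(wrap=True))
```

With a 1000-byte buffer and a 100-byte snap length, ten frames fit. Without wrap, the eleventh frame turns the trace off and the last five frames are never recorded, so a long-running capture silently stops showing traffic until Clear is pressed; with wrap, the buffer always holds the ten most recent frames and the first five are overwritten. Either way a short snap length keeps more frames per buffer at the cost of truncated payloads.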

Note: Packet capture details are displayed in a new window from the log viewer only after enabling packet capture.

Figure 20: Packet Capture

Configure

Click to configure packet capturing feature.

Capture filter can be configured through the following parameters: Number of Bytes to Capture (per packet), Wrap Capture Buffer Once Full and BPF String.

There are various filter conditions for capturing the packets. The BPF string is used for filtering the packet capture. For example, host 192.168.1.2 and port 137.

Refer to Configure Capture Filter for more details.

Captured Packet

The Captured Packet section displays a list of all captured packets. For each packet the list shows:

Time

Packet capture time.

In Interface

Interface from which packet is coming.

Out Interface

Interface to which packet is sent.

Ethernet Type

Ether Type: IPv4, IPv6 or ARP.

Ether Type is a field in an Ethernet frame that indicates the protocol encapsulated in the frame.

Source IP

Source IP address (IPv4/IPv6) of the packet.

Destination IP

Destination IP address (IPv4/IPv6) of the packet.

Packet Type

Type of packet: ARP request or UDP.

Ports [src, dst]

Source and destination ports.

Rule ID

Firewall rule ID.

Status

Possible Packet Status:

Incoming: Packets received on WAN or LAN interface.

Forwarded: Packet forwarded to Out Interface.

Consumed: Packets designated for or used by the device .

Generated: Packets generated by the device.

Violation: In case of a policy violation, the device drops the packet and shows the status Violation.

Reason

Reason for a packet being dropped, if it is dropped.

Connection Status

Displays state of connection.

Served By

Specifies if connection is Established, TIME_WAIT or NONE.

Web Filter ID

Web filter policy ID applied on the connection traffic.

Connection Flags

System flags

Application ID

Application ID applied on the connection traffic.

Application Category ID

Application category ID applied on the connection traffic.

Connection ID

Unique ID assigned to a connection.

Gateway ID

Gateway ID through which the connection traffic is routed.

Remote Access Policy ID

Remote Access policy ID applied on the connection traffic.

Bandwidth Policy ID

Bandwidth policy ID applied on the connection traffic.

User Group

User group membership.

IPS Policy ID

IPS policy ID applied on the connection traffic.

Application Filter ID

Application filter policy ID applied on the connection traffic.

Web Category ID

Web category ID applied on the connection traffic.

Master Connection ID

Master connection ID of current connection.

Username

Name of the user establishing connection.

Display Filter

Click to set the filter criteria.

Packet Capture can be filtered as per the following criteria: interface name, ether type, packet type, source IP, source port, destination IP and destination port, reason, status, rule ID, user, and connection ID.

Refer to Display Filter for more details.

Packet Information

Packet information including header details and the entities applied to the packet, such as firewall rules and policies.

Figure 21: Packet Information

Hex & ASCII Detail

Packet contents in hex and ASCII values.

Figure 22: HEX And ASCII Details

Configuring Capture Filter

The Configure Capture Filter page sets the number of bytes captured per packet, whether the capture buffer wraps once it is full, and an optional BPF string that restricts which packets are captured.

1. Go to Monitor & Analyze > Diagnostics > Packet Capture and click Configure.

2. Enter details to configure the capture filter.

Number of Bytes To Capture (Per Packet)

Specify the number of bytes to be captured per packet. Capturing fewer bytes per packet makes the buffer last longer but truncates the packet payload beyond that length.

Wrap Capture Buffer Once Full

Enable to continue capturing packets after the buffer is full.

When the checkbox is enabled, capturing restarts from the beginning of the buffer, so the oldest captured packets are overwritten first.

Enter BPF String

Specify a BPF string.

BPF (Berkeley Packet Filter) sits between the link-level driver and user space. It is protocol independent and uses a filter-before-buffering approach, so packets that do not match the filter are discarded before they take up capture buffer. It includes a machine abstraction that makes filtering efficient. The filter string uses the pcap-filter (tcpdump) syntax, for example: host 192.168.1.2 and port 137.

Refer to BPF String Parameters for filtering specific packets.

BPF String Parameters

How to check packets of the...                  Example
specific host                                   host 10.10.10.1
specific source host                            src host 10.10.10.1
specific destination host                       dst host 10.10.10.1
specific network                                net 10.10.10.0/24
specific source network                         src net 10.10.10.0/24
specific destination network                    dst net 10.10.10.0/24
specific port                                   port 20 or port 21
specific source port                            src port 21
specific destination port                       dst port 21
specific host for the particular port           host 10.10.10.1 and port 21
specific host for all the ports except SSH      host 10.10.10.1 and port not 22
specific protocol                               proto ICMP, proto UDP, proto TCP

Note: In pcap-filter syntax, a four-octet address with no mask after net (for example net 10.10.10.0) is treated as a single-host match, not a /24. Write the mask explicitly (net 10.10.10.0/24) or drop the trailing octet (net 10.10.10). The protocol keywords can also be used on their own, for example host 10.10.10.1 and tcp.


Figure 23: Configure Packet

3. Click Save.
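The filter primitives from the BPF String Parameters table, worked through in code. This is an added example and not Sophos code: a minimal evaluator for the subset of pcap-filter syntax the table uses (host, net and port with src/dst, the protocol keywords, proto, and/or/not, parentheses), run over a handful of constructed sample flows so you can see what a string would match before pasting it into Enter BPF String. The addresses, ports and the SAMPLE_PACKETS list are assumptions made up for the example; the evaluator reproduces pcap-filter's rule that net followed by a four-octet address and no mask is a single-host match, and its precedence of not over and over or.

```python
# Added example, not Sophos code: a small evaluator for the pcap-filter (BPF)
# primitives in the BPF String Parameters table, run over constructed sample
# flows so a filter's effect can be checked before it goes into the capture
# filter. Supports host/net/port (with src/dst), tcp/udp/icmp, proto <name>,
# and/or/not and parentheses, with pcap's precedence (not > and > or).
import ipaddress

PROTOS = {"tcp", "udp", "icmp"}

def _network(text):
    # pcap rule for 'net' without a mask: dotted quad -> /32 (a host match!),
    # dotted triple -> /24, dotted pair -> /16, single number -> /8.
    if "/" in text:
        return ipaddress.ip_network(text, strict=False)
    octets = text.split(".")
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{padded}/{8 * len(octets)}", strict=False)

def parse(text):
    toks = text.replace("(", " ( ").replace(")", " ) ").lower().split()
    peek = lambda: toks[0] if toks else None
    take = lambda: toks.pop(0)          # IndexError on a truncated filter

    def chain(op, sub):                 # left-associative `sub (op sub)*`
        node = sub()
        while peek() == op:
            take()
            node = (op, node, sub())
        return node

    expr = lambda: chain("or", term)
    term = lambda: chain("and", factor)

    def factor():
        if peek() == "not":
            take()
            return ("not", factor())
        if peek() == "(":
            take()
            node = expr()
            if take() != ")":
                raise ValueError("missing ')'")
            return node
        return primitive()

    def primitive():
        direction, tok = None, take()
        if tok in ("src", "dst"):
            direction, tok = tok, take()
        if tok in PROTOS:
            return ("proto", None, tok)
        if tok == "proto":              # tcpdump quoting: proto \icmp
            return ("proto", None, take().lstrip("\\"))
        if tok not in ("host", "net", "port"):
            raise ValueError(f"unknown keyword {tok!r}")
        negate = peek() == "not" and take() == "not"   # pcap accepts 'port not 22'
        value = take()
        if tok == "host":
            node = ("host", direction, ipaddress.ip_address(value))
        elif tok == "net":
            node = ("net", direction, _network(value))
        else:
            node = ("port", direction, int(value))
        return ("not", node) if negate else node

    tree = expr()
    if toks:
        raise ValueError(f"trailing tokens: {toks}")
    return tree

def matches(node, pkt):
    kind = node[0]
    if kind in ("and", "or"):
        left, right = matches(node[1], pkt), matches(node[2], pkt)
        return (left and right) if kind == "and" else (left or right)
    if kind == "not":
        return not matches(node[1], pkt)
    _, direction, value = node
    if kind == "proto":
        return pkt["proto"] == value
    if kind == "port":                  # ICMP packets carry no ports
        keys = {"src": ["sport"], "dst": ["dport"]}.get(direction, ["sport", "dport"])
        return any(pkt.get(k) == value for k in keys)
    keys = {"src": ["src"], "dst": ["dst"]}.get(direction, ["src", "dst"])
    addrs = [ipaddress.ip_address(pkt[k]) for k in keys]
    return value in addrs if kind == "host" else any(a in value for a in addrs)

# Constructed sample flows, not a real capture: SSH and FTP from 10.10.10.1,
# a NetBIOS datagram from 10.10.10.25, and an ICMP reply back to 10.10.10.1.
SAMPLE_PACKETS = [
    {"src": "10.10.10.1", "dst": "192.0.2.7", "proto": "tcp", "sport": 51514, "dport": 22},
    {"src": "10.10.10.1", "dst": "192.0.2.7", "proto": "tcp", "sport": 51515, "dport": 21},
    {"src": "10.10.10.25", "dst": "192.0.2.7", "proto": "udp", "sport": 137, "dport": 137},
    {"src": "192.0.2.7", "dst": "10.10.10.1", "proto": "icmp"},
]

def count_matches(filter_text, packets=SAMPLE_PACKETS):
    """How many of the packets the filter would capture."""
    tree = parse(filter_text)
    return sum(1 for p in packets if matches(tree, p))
```

Against the samples, count_matches("net 10.10.10.0") returns 0 while count_matches("net 10.10.10.0/24") returns 4, which is exactly the mistake the mask-less form invites. The evaluator covers only the primitives in the table, not the full pcap-filter grammar, so use it to sanity-check a filter, not as a reference implementation.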

Display Filter

This page restricts which captured packets are displayed. Packets can be filtered by interface, ether type, packet type, source and destination IP address and port, drop reason, status, rule ID, user and connection ID.

1. Go to Monitor & Analyze > Diagnostics > Packet Capture and click Display Filter.

2. Enter details to configure the display filter

Interface Name

From the list, select the interface whose packets should be displayed.

Ethernet Type

Select the Ethernet type: IPv4 or IPv6 or ARP.

Ethernet Type is a field in an Ethernet frame. It is used to indicate the protocol encapsulated in the

Ethernet frame.

Packet Type

From the list, select the packet type used for filtering packets.

Source IP

Specify source IP address (IPv4/IPv6).

Source Port

Specify source port number.

Destination IP

Specify destination IP address (IPv4/IPv6).

Destination Port

Specify destination port number.

Reason

Select the drop reason to filter on from the available options.

Available Options: Firewall, LOCAL_ACL, DOS_ATTACK, INVALID_TRAFFIC, INVALID_FRAGMENTED_TRAFFIC, ICMP_REDIRECT, SOURCE_ROUTED_PACKET, FRAGMENTED_TRAFFIC, APPLICATION_FILTER, USER_IDENTITY, IPS, MAC_FILTER, IPMAC_FILTER, IP_SPOOF, NEIGHBOR_POISONING, SSL_VPN_ACL_VIOLATION, VIRTUAL_HOST, ICMP_ERROR_MESSAGE

Status

Select the status of the filter from available options.

Available Options: Allowed, Violation, Consumed, Generated, Incoming, Forwarded

Rule ID

Specify ID for the rule.

User

Select a user from the list of already existing users.

Connection ID

Specify a connection ID.

Clear

Click to remove the filter settings.


Figure 24: Display Filter

3. Click Save.

Connection List

This page provides a live snapshot of the device's current connections in list form. Apart from the connection details, the list also shows the firewall rule ID, user ID and connection ID for each connection. The list can be filtered as required. Click a Connection ID hyperlink to view the live snapshot of that connection in a new window.

The administrator can set a refresh interval to refresh the list automatically, or refresh it manually by clicking Refresh. To filter the connection list, click Display Filter and specify the parameters.

Connection List

Time

Connection establishment time in the format HH:MM:SS.

Connection ID

Unique ID assigned to a connection.

In Interface

Port used for the incoming connection.

Out Interface

Port used by the outgoing connection.

Source IP

Source IP address (IPv4/IPv6) of the connection.

Destination IP

Destination IP address (IPv4/IPv6) of the connection.

Protocol

Protocol used by the connection, like TCP or UDP.

Application Name

Name of the application that has opened the connection.

Name is displayed for the applications identified by SF-OS. If Security Heartbeat is enabled under Protect > Advanced Threat > Security Heartbeat, then for applications that remain unidentified a Resolve Application Info link is displayed. Click the link to retrieve application information from the Endpoint. If Security Heartbeat is not enabled or Endpoint devices are not connected, then No Information Available is displayed.

Source Port

Source port of the connection.

Destination Port

Destination port of the connection.

Master Connection ID

Master connection ID of the current connection.

Rule ID

Firewall rule ID that allows the session.

Username

Name of the user establishing a connection.

Connection Status

Displays the status of the connection.

Flags

System flag.

User Group

User group membership.

Web Filter ID

Web filter policy ID applied on the connection traffic.

Application Filter ID

Application filter policy ID applied on the connection traffic.

IPS Policy ID

IPS policy ID applied on the connection traffic.

Traffic Shaping Policy ID

QoS policy ID applied on the connection traffic.

Remote Access Policy ID

Remote access policy ID applied on the connection traffic.

Gateway ID

Gateway ID through which the connection traffic is routed.

Web Category ID

Web category ID applied on the connection traffic.

Application ID

Application ID applied on the connection traffic.

Application Category ID

Application category ID applied on the connection traffic.

Connection Served By

Device serving the connection.

Translated Source

Translated source IP Address for outgoing traffic.

Translated Destination

Translated destination IP address of the connection.

Expiry (second)

Connection will expire in displayed seconds if idle.

Rx Bytes

The amount of data in bytes received in this session.

Tx Bytes

The amount of data in bytes sent in this session.

Rx Packets

Number of packets received in this session.

Tx Packets

Number of packets sent in this session.

Connection State

Displays state of connection.


Figure 25: Connection List

Display Filter

Use Display Filter page to set filtering criteria for displaying the connection list.

1. Go to Monitor & Analyze > Diagnostics > Connection List and click Display Filter.

2. Enter filter parameters

In Interface

Interface used by the incoming connection.

Out Interface

Interface used by the outgoing connection.

User

Name of the user establishing a connection.

Network Protocol

Select the network protocol used to establish a connection.

Available Options: IPv4, IPv6

Source IP

IP address (IPv4/IPv6) from which the connection was established.

Destination IP

IP address (IPv4/IPv6) on which connection is established.

Packet Type

Select the type of packet used for the connection.

Source Port

Source port of the connection.

Destination Port

Destination port for the connection.

Rule ID

Firewall rule ID.

Clear

Click to remove the filter settings.


Figure 26: Display Filter

Related connections

This page displays the live snapshot of the selected connection. Apart from the connection details, it also shows the firewall rule ID, user ID, connection ID, Web Filter ID and so on for the selected connection.

Support Access

Use the Support Access page to allow Sophos Support temporary access to your device.

Support Access lets Sophos Support connect to the admin console of your device without you sharing the admin credentials. When the feature is enabled, an Access ID is generated; Support uses this ID to reach your device.

The admin needs to convey this ID to Support. Treat the Access ID like a credential and share it only over a trusted channel.

When Support Access is enabled, Support reaches your device over HTTPS on TCP port 22 from the WAN. All connections between the device and Support are initiated by your device, so no inbound rule has to be opened on the WAN, but the device must be able to reach Sophos on outbound TCP port 22.

Specify the following:

1. Go to Monitor & Analyze > Diagnostics > Support Access and click the toggle switch to enable Support Access.

2. Confirm the enable message with OK.

3. From the drop-down menu Grant Access for select the time the access is valid.

4. Click Apply to update the settings.

5. Click OK.

Sophos XG Firewall establishes a secure control connection to APU (Access Proxy for UTM) and negotiates a unique access ID.

6. Communicate the Access ID to the support.

The support uses this access ID to login to your Device. The control connection remains established until the specified time, which is displayed next to Access Until.

You can disable the connection manually any time by clicking the toggle switch and confirming the disable message with OK.

Protect

Firewall

Firewall rules are security rule-sets to implement control over users, applications or network objects in an organization. Using the firewall rule, you can create blanket or specialized traffic transit rules based on the requirement. This page provides centralized management for the entire set of device firewall rules. Sophos XG Firewall implements a single pane of management to secure all enterprise applications using configuration templates for various rule types.

Following sections provide more information on the Firewall section.

Introduction

Managing Firewall Rules

Default Firewall Rules

Understanding Icons

Understanding List of Firewall Rules

Introduction

Firewall rules are based on the following configurable templates:

1. Business Application Rule

2. User/Network Rule

Managing Firewall Rules

You can see the entire list of added firewall rules from the Firewall page. Using the same page, you can update existing firewall rules or add new firewall rules. To change the processing order, you can re-order firewall rules by drag and drop action.

Note: All custom firewall rules can be re-ordered. The order of processing is top to bottom.

On the Firewall page, the following action buttons can be found.

IPv4: Select to filter only IPv4 rules

IPv6: Select to filter only IPv6 rules

Enable Filter: Select to open filter view and apply the following filters for IPv4 or IPv6 rules:

1. Rule Type - Select to filter rules based on Business, User or Network

2. Source Zone - Select to filter rules based on LAN, WAN, DMZ, LOCAL, VPN or WiFi

3. Destination Zone - Select to filter rules based on LAN, WAN, DMZ, LOCAL, VPN or WiFi

4. State - Select to filter rules based on Unused, Disabled, Changed, New

5. Rule ID - Specify Rule ID to see the specific rule.

| Protect | 50

Reset Filter (Available if filter is enabled) - Select to reset all filters

Disable Filter (Available if filter is enabled) - Select to close filter view

+ Add Firewall Rule - Select to add a new rule among Business Application Rule, or User/Network Rule.

Default Firewall Rules

At the time of deployment, the Network Configuration Wizard provides the option to enable a User/Network Rule for LAN to WAN traffic and automatically creates the default firewall rule Default_Network_Policy. You can apply a Web filter, App filter and IPS policy through this default policy from the Wizard itself or from the Web Admin console whenever required.

Understanding Icons

There are various action icons as well as symbolic icons on the Firewall page. Meanings and associated actions of all icons are shown below.

Icons

Icons in Collapsed view

Meaning

Business Application Rule

User Rule

Network Rule

Rule ID

Traffic Shaping

Schedule

IPS

Security Heartbeat inactive

Security Heartbeat Red required. No restriction on endpoints.

Firewall Rule enabled. Click to disable the rule.

Firewall Rule disabled. Click to enable the rule.

Expand the rule for more information

Icons in Expanded view

Rule ID

Edit rule


Icons Meaning

Delete rule (not applicable for default rules)

Insert a new rule above

Insert a new rule below

Move rule. To move the rule, click the icon and drag-and-drop at the required position (not applicable for default rules).

Collapse rule

Understanding the List of Firewall Rules

All added rules are available in the form of a list. Each rule in the list presents a quick snapshot of the rule. To view rule details, click to expand the view. Which items are available in the collapsed or expanded view is shown below.

Items in collapsed view:

Rule Name: name of the rule

In/Out: amount of traffic (in bytes) coming in or going out using the particular rule

Firewall Rule features: status of Schedule, heartbeat, IPS and traffic shaping

Source: source zone

Destination: destination zone

What: shows protected domains/services

Action: status of protected servers, status of web and application protection for user

Additional items in expanded view:

ID: rule ID

User's Policy Applied: status of application filter, web policy, AV and AS scanning, NAT policy and route through gateway, if configured

Firewall Rule Summary: summary of the added rule

While configuring any Firewall Rule, hover the mouse over the following objects to see additional details:

• Source/Destination Zones

• Schedule

• Services

• Source/Destination Networks

• Hosted Address

• Allowed/Blocked Client Networks

• Protected Server(s)

• Protected Zone

User / Network Rule

User/Network Rule is used to define access rights and protection to the network objects/hosts. In a nutshell, if you want to control traffic by source, service, destination, zone, then use a Network Rule. Additionally, the administrator has the option to attach user identity to a rule in order to customize access of assorted hosts/servers. Such an identity based rule is considered a User Rule.

You can view or add a User/Network Rule for IPv4 and IPv6 traffic.


1. Add User / Network Rule (IPv4)

2. Add User / Network Rule (IPv6)

Add User/Network Rule (IPv4)

This page allows you to create firewall rules to control traffic that uses the IPv4 protocol. The firewall rules control traffic between internal and external networks and protect the network from unauthorized access. The device determines the rule to be applied based on the source and destination zone you configure in the firewall rule. Use this page to create identity-based firewall rules by applying them to users.

1. Go to Protect > Firewall and select IPv4 using the filter switch.

2. Click +Add Firewall Rule and User/Network Rule.

3. Enter the rule introduction details.

Rule Name

Enter a name for the rule.

Description

Enter a description for the rule.

Rule Position

Specify the position of the rule from the available options.

Available Options:

Top Bottom

Action

Specify an action for the rule traffic from the available options:

Accept – Allow access

Drop – Silently discard

Reject – Deny access (an "ICMP port unreachable" message is sent to the source)

When a Reject response is sent, it may leave through a different interface from the one on which the request was received, depending on the routing configuration of the device.

For example: if a request arrives on the LAN port with a spoofed source address (a public IP address, or an address not in the LAN zone's network) and no specific route is defined for it, the device sends the response using the default route. Hence, the response leaves through the WAN port.


Figure 27: About This Rule

4. Enter the Source details.

Source Zones

Select the source zones allowed to the user.

A new zone can be created directly from this page itself or from Configure > Network > Zones page.

Source Networks and Devices

Select the source networks/devices allowed to the user.

A new network host can be created directly from this page itself or from System > Hosts and Services.

During Scheduled Time

Select the schedule allowed to the user.

A new schedule can be created directly from this page itself or from the System > Profiles > Schedule page.

Figure 28: Source

5. Enter the Destination and Services details.

Destination Zones

Select the destination zones allowed to the user.

Destination Networks

Select the destination networks allowed to the user.

A new network host can be created directly from this page itself or from System > Hosts and Services.

Services

Select the services allowed to the user.

A new service can be created directly from this page itself or from the System > Hosts and Services > Services page.


Figure 29: Destination

6. Enter Identity details. Follow this step if you want to configure a User Rule.

Match known users

Select to enable a rule based on the user identity.

Show captive portal to unknown users (available only if Match known users is selected)

Select the check box to accept traffic from unknown users. Captive portal page is displayed to the user where the user can login to access the Internet.

Clear the check box to drop traffic from unknown users.

User or Groups(available only if Match known users is selected)

Select the user(s) or group(s) from the list of available options.

Exclude this user activity from data accounting. (only available if Match known users is selected)

Select to exclude user traffic activity from data accounting. In other words, the traffic allowed through this rule will not be accounted towards data transfer for the user.

By default, user’s network traffic is considered in data accounting.

Figure 30: Identity

7. Enter Malware Scanning details (available only if Action selected for the traffic is Accept).

Scan HTTP

Enable HTTP traffic scanning.

Decrypt & Scan HTTPS

Enable HTTPS traffic decryption and scanning.

Detect zero-day threats with Sandstorm

Send files downloaded using HTTP or HTTPS for analysis by Sandstorm. Sandstorm protects your network against unknown and unpublished threats (“zero-day” threats).

Scan FTP

Enable FTP traffic scanning.

8. Enter Advanced settings details (available only if Action selected for the traffic is Accept).

a) Specify policies for User Applications.

Intrusion Prevention

Select an IPS policy for the rule. A new IPS policy can be created directly from this page itself or from Protect > Intrusion Prevention > IPS Policies page.

Traffic Shaping Policy

User's traffic shaping policy will be applied automatically if Match known users is selected.

You need to select traffic shaping policy for the rule if Match known users is not selected.

Web Policy

Select a web policy for the rule.

A new web policy can be created directly from this page itself or from the Protect > Web > Policies page.

Apply Web Category based Traffic Shaping Policy

Click to restrict bandwidth for the URLs categorized under the Web category.

A three step configuration is required as follows:

1. Create a traffic shaping policy from the System > Profiles > Traffic Shaping page. Here, specify the Policy Association as Web Categories.

2. Now, on this page assign the created policy to Web Policy.

3. Select Apply Web Category based Traffic Shaping Policy to apply the rule.

Application Control

Select an application filter policy for the rule. A new application filter policy can be created directly from this page itself or from the Protect > Applications > Application Filter page.

Apply Application-based Traffic Shaping Policy

Click to restrict bandwidth for the applications categorized under the Application category.


A three step configuration is required as follows:

1. Create a traffic shaping policy from the System > Profiles > Traffic Shaping page. Here, specify the Policy Association as Applications.

2. Now, on this page assign the created policy to Application Control.

3. Select Apply Application-based Traffic Shaping Policy to apply the rule.


Figure 31: User Applications

b) Configure Synchronized Security settings.

Minimum Source HB Permitted

Select a minimum health status that a source device must have to conform to this rule. Health status can be either Green, Yellow or No Restriction. If the health criterion is not met, access and privileges defined in this rule will not be granted to the user.

Block clients with no heartbeat

Heartbeat-capable devices can be required to send information on their health status in defined intervals - this is called a heartbeat.

Based on that information, you can restrict a source device's access to certain services and networks.

Enable/disable the option to require the sending of heartbeats.

Minimum Destination HB Permitted (not available if the only Destination Zone selected is WAN)

Select a minimum health status that a destination device must have to conform to this rule. Health status can be either Green, Yellow or No Restriction. If the health criterion is not met, access and privileges defined in this rule will not be granted to the user.

Note: You can use the option if you have selected multiple zones along with WAN.

Block request to destination with no heartbeat (not available if the only Destination Zone selected is WAN)

Heartbeat-capable devices can be required to send information on their health status in defined intervals - this is called a heartbeat.

Based on that information, you can block requests to destinations not sending heartbeat.

Enable/disable the option to require the sending of heartbeats.

Note: You can use the option if you have selected multiple zones along with WAN.


Figure 32: Synchronized Security

c) Enter NAT and Routing details.

Rewrite source address (Masquerading)

Select if you want to re-write the source address or specify a NAT policy.

Default: Disabled

Use Gateway Specific Default NAT Policy (available only if Masquerading is selected)

Select to override the default NAT policy with a gateway specific policy.

Override default NAT policy for specific Gateway (available only if Use Gateway Specific Default NAT Policy is selected)

Select to specify gateway and corresponding NAT policy. Multiple gateways and NAT policies can be added.

Use Outbound Address (available only if Rewrite source address is selected)

Select the NAT policy to be applied from the list of available NAT policies.

A new NAT policy can be created directly from this page itself or from the System > Profiles > Network Address Translation page.

Default: MASQ.

MASQ (Interface Default IP)

• IP Address of the Destination Zone as configured in Configure > Network > Interfaces will be displayed instead of (Interface Default IP) when single Destination Zone is selected.

• (Interface Default IP) will be displayed when multiple Destination Zones are selected.

Primary Gateway

Specify the Primary Gateway. This is applicable only if more than one gateway is defined.

Note: On deletion of the gateway, Primary Gateway will display WAN Link Load Balance for the WAN Destination Zone and None for other zones. In that case, the firewall rule will not make routing decisions.

Backup Gateway

Specify the Backup Gateway. This is applicable only if more than one gateway is defined.

Note: On deletion of the gateway, Backup Gateway will display None.

DSCP Marking

Select the DSCP Marking.

DSCP (DiffServ Code Point) tags the packets of a flow with a class-of-service value as they enter the network, so that QoS can be applied per class. A flow is defined by 5 elements: source IP address, destination IP address, source port, destination port and the transport protocol.

For available options, refer to DSCP Values.


Figure 33: NAT & Routing

9. Define logging option for the user application traffic.

Log Firewall Traffic

Select to enable logging of permitted and denied traffic.

Figure 34: Log Traffic

10. Click Save.

Add User / Network Rule (IPv6)

This page allows you to create firewall rules to control traffic that uses the IPv6 protocol. The firewall rules control traffic between internal and external networks and protect the network from unauthorized access. The device determines the rule to be applied based on the source and destination zone you configure in the firewall rule. Use this page to create identity-based firewall rules by applying them to users.

1. Go to Protect > Firewall and select IPv6 using the filter switch.

2. Click +Add Firewall Rule and User / Network Rule.

3. Specify the policy introduction details.

Rule Name

Enter a name for the rule.

Description

Specify a description for the rule.

Rule Position

Specify the position of the rule from the available options.

Available Options:

Top Bottom

Action

Specify an action for the rule traffic from the available options:

Accept – Allow access

Drop – Silently discard

Reject – Deny access (an "ICMP port unreachable" message is sent to the source)

When a Reject response is sent, it may leave through a different interface from the one on which the request was received, depending on the routing configuration of the device.

For example: if a request arrives on the LAN port with a spoofed source address (a public IP address, or an address not in the LAN zone's network) and no specific route is defined for it, the device sends the response using the default route. Hence, the response leaves through the WAN port.


Figure 35: About This Rule

4. Specify Source details.

Source Zones

Select the source zones allowed to the user.

Source Networks and Devices

Select the source networks/devices allowed to the user.

A new network host can be created directly from this page itself by clicking Create new or from System > Hosts and Services.

During Scheduled Time

Select the schedule allowed to the user.

A new schedule can be created directly from this page itself or from the System > Profiles > Schedule page.

Figure 36: Source

5. Specify Destination and Services details.

Destination Zones

Select the destination zones allowed to the user.

Destination Networks

Select the destination networks allowed to the user.

A new network host can be created directly from this page itself by clicking Create new or from System > Hosts and Services.

Services

Select the services(s) allowed to the user.

A new service can be created directly from this page itself or from the System > Hosts and Services > Services page.

Figure 37: Destination

6. Specify Identity details.

Match known users

Select to enable a rule based on the user identity.

Show Captive Portal to unknown users

Select the check box to accept traffic from unknown users. Captive portal page is displayed to the user where the user can login to access the Internet.

Clear the check box to drop traffic from unknown users.

User or Groups(available only if Match known users is selected)

Select the user(s) or group(s) from the list of available options.

Exclude this user activity from data accounting (only available if Match known users is selected)

Select to exclude user traffic activity from data accounting.

By default, a user's network traffic is counted in data accounting. When this option is selected, the traffic allowed through this rule is not counted towards the user's data transfer.

Figure 38: Identity

7. Specify Malware Scanning details. (available only if Action for the traffic is Accept)

Scan HTTP

Enable HTTP traffic scanning.

Decrypt & Scan HTTPS

Enable HTTPS traffic decryption and scanning.

Detect zero-day threats with Sandstorm

Send files downloaded using HTTP or HTTPS for analysis by Sandstorm. Sandstorm protects your network against unknown and unpublished threats (“zero-day” threats).

8. Specify Advanced settings details (available only if Action for the traffic is Accept) a) Specify policies for user applications.

Intrusion Prevention (IPS)

Select an IPS policy for the rule. A new IPS policy can be created directly from this page itself or from Protect > Intrusion Prevention > IPS Policies page.

Traffic Shaping Policy

User's traffic shaping policy will be applied automatically if Match known users is selected.


You need to select traffic shaping policy for the rule if Match known users is not selected.

Web Policy

Select a web policy for the rule.

A new web policy can be created directly from this page itself or from the Protect > Web > Policies page.

Apply Web Category based Traffic Shaping Policy

Click to restrict bandwidth for the URLs categorized under the Web category.

A three step configuration is required as follows:

1. Create a traffic shaping policy on the System > Profiles > Traffic Shaping page. Here, specify the Policy Association as Web Categories.

2. Now, on this page assign the created policy to Web Policy .

3. Select Apply Web Category based Traffic Shaping Policy to apply the policy.

Application Control

Select an application filter policy for the rule. A new application filter policy can be created directly from this page itself or from the Protect > Applications > Application Filter page.

Apply Application-based Traffic Shaping Policy

Click to restrict bandwidth for the applications categorized under the Application category.

A three step configuration is required as follows:

1. Create a traffic shaping policy from the System > Profiles > Traffic Shaping page. Here, specify the Policy Association as Applications.

2. Now, on this page assign the created policy to Application Control.

3. Select Apply Application-based Traffic Shaping Policy to apply the policy.


Figure 39: User Applications

b) Specify Routing details.

Rewrite source address (Masquerading)

Disable if you do not want to re-write the source address or specify a NAT policy.

Default - Enabled

Use Gateway Specific Default NAT Policy (only if Masquerading is selected)

Click to override the default NAT policy with a gateway specific policy.

Override default NAT policy for specific Gateway (only if Use Gateway Specific Default NAT Policy is selected)

Enable to specify gateway and corresponding NAT policy. Multiple gateways and NAT policies can be added.

Use Outbound Address (only if Rewrite source address is selected)

Select the NAT policy to be applied from the list of available NAT policies.

A new NAT policy can be created directly from this page itself or from the System > Profiles > Network Address Translation page.

Default: MASQ.

MASQ (Interface Default IP)

• IP Address of the Destination Zone as configured in Configure > Network > Interfaces will be displayed instead of (Interface Default IP) when single Destination Zone is selected.

• (Interface Default IP) will be displayed when multiple Destination Zones are selected.

Primary Gateway

Specify the primary gateway. This is applicable only if more than one gateway is defined.

Note: On deletion of the gateway, Primary Gateway will display WAN Link Load Balance for the WAN Destination Zone and None for other zones. In that case, the firewall rule will not make routing decisions.

Backup Gateway

Specify the backup gateway. This is applicable only if more than one gateway is defined.

Note: On deletion of the gateway, Backup Gateway will display None.

DSCP Marking

Select the DSCP Marking.

DSCP (DiffServ Code Point) tags the packets of a flow with a class-of-service value as they enter the network, so that QoS can be applied per class. A flow is defined by 5 elements: source IP address, destination IP address, source port, destination port and the transport protocol.

For available options, refer to DSCP Values.


Figure 40: NAT & Routing

9. Define logging option for the user application traffic.

Log Firewall Traffic

Click to enable logging of permitted and denied traffic.

Figure 41: Log Traffic

10. Click Save.

DSCP Value

DiffServ Code Point (DSCP) uses 6 bits, giving 2^6 = 64 different values (0 to 63). The table below describes the standard DSCP values. The remaining DSCP values can be customized as per the QoS requirement.

Decimal  DSCP     Description
0        Default  Best Effort
8        CS1      Class 1 (CS1)
10       AF11     Class 1, Gold (AF11)
12       AF12     Class 1, Silver (AF12)
14       AF13     Class 1, Bronze (AF13)
16       CS2      Class 2 (CS2)
18       AF21     Class 2, Gold (AF21)
20       AF22     Class 2, Silver (AF22)
22       AF23     Class 2, Bronze (AF23)
24       CS3      Class 3 (CS3)
26       AF31     Class 3, Gold (AF31)
28       AF32     Class 3, Silver (AF32)
30       AF33     Class 3, Bronze (AF33)
32       CS4      Class 4 (CS4)
34       AF41     Class 4, Gold (AF41)
36       AF42     Class 4, Silver (AF42)
38       AF43     Class 4, Bronze (AF43)
40       CS5      Class 5 (CS5)
46       EF       Expedited Forwarding (EF)
48       CS6      Control (CS6)
56       CS7      Control (CS7)
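The values in the table are not arbitrary: Class Selector codepoints put the class in the top three bits (CSx = 8*x), Assured Forwarding adds a drop precedence in the next two (AFxy = 8*x + 2*y), and EF is the fixed value 46. The following Python is an added example, not code from the Sophos guide: it derives the table from those rules and reads the DSCP back out of the DS byte of an IPv4 header (the low two bits of that byte are ECN, not DSCP). The 20-byte header at the bottom is constructed for the example; only its DS byte is meaningful.

```python
"""DSCP codepoints: how the table values are derived, and how to read them from a packet.

Added example; not code from the Sophos guide. Assumes the standard layout from
RFC 2474 (Class Selector CSx = 8*x), RFC 2597 (Assured Forwarding AFxy = 8*x + 2*y)
and RFC 3246 (Expedited Forwarding EF = 46). The IPv4 header bytes are constructed.
"""

EF = 46  # Expedited Forwarding, RFC 3246


def cs(x: int) -> int:
    """Class Selector CSx: the class sits in the top three DSCP bits, so CSx = 8*x."""
    if not 0 <= x <= 7:
        raise ValueError("class selector must be 0..7")
    return 8 * x


def af(x: int, y: int) -> int:
    """Assured Forwarding AFxy: class x (1..4), drop precedence y (1..3); AFxy = 8*x + 2*y."""
    if not (1 <= x <= 4 and 1 <= y <= 3):
        raise ValueError("AF class must be 1..4 and drop precedence 1..3")
    return 8 * x + 2 * y


def standard_dscp_table() -> dict:
    """Decimal -> name for the 21 standard codepoints the guide lists.

    The other 43 values of the 6-bit field are free for local QoS policy."""
    table = {0: "Default"}  # best effort
    for x in range(1, 8):
        table[cs(x)] = f"CS{x}"
    for x in range(1, 5):
        for y in range(1, 4):
            table[af(x, y)] = f"AF{x}{y}"
    table[EF] = "EF"
    return table


def dscp_name(value: int) -> str:
    """Name a codepoint; values outside the standard set are reported as custom."""
    if not 0 <= value <= 63:
        raise ValueError("DSCP is a 6-bit field")
    return standard_dscp_table().get(value, f"custom({value})")


def dscp_from_ipv4(packet: bytes) -> int:
    """Return the 6-bit DSCP from the DS byte (the second byte of an IPv4 header).

    The low two bits of that byte are ECN, not DSCP, so they are shifted out."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return packet[1] >> 2


def ds_byte(dscp: int, ecn: int = 0) -> int:
    """Build the DS byte a firewall writes when it marks a flow with a DSCP value."""
    if not (0 <= dscp <= 63 and 0 <= ecn <= 3):
        raise ValueError("dscp must be 0..63 and ecn 0..3")
    return (dscp << 2) | ecn


# Constructed 20-byte IPv4 header (version 4, IHL 5) marked EF (46 << 2 = 0xB8); the
# remaining fields are zero because only the DS byte matters for this example.
SAMPLE_EF_HEADER = bytes([0x45, ds_byte(EF)]) + b"\x00" * 18


if __name__ == "__main__":
    for dec, name in sorted(standard_dscp_table().items()):
        print(f"{dec:>3}  {name}")
    print("sample packet DSCP:", dscp_name(dscp_from_ipv4(SAMPLE_EF_HEADER)))
```

A quick way to confirm that a firewall rule's DSCP marking actually takes effect is to capture a packet on the egress interface and run its first 20 bytes through dscp_from_ipv4; a value that does not appear in the table is a custom marking, not a mis-parse.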

Business Application Rule

A Business Application Rule is used to protect internally or publicly hosted business applications or servers, such as Salesforce or SharePoint.

Using a Business Application Rule, the administrator can protect HTTP and non-HTTP servers from unauthorized access over the Internet. You can also control access to a protected server or service through a Business Application Rule.

Several templates are available that cover protection configuration for a variety of HTTP and non-HTTP servers and applications. A list of these application templates appears on the Business Application Rule page.

Adding a Business Application Rule

Go to Protect > Firewall and select IPv4 using the filter switch. Click +Add Firewall Rule and select Business Application Rule. You can then select the Application Template from the list of available templates.

The application template lets you choose the rule that suits the configuration of the required business application. Once you select the template, the configuration page opens with a few fields pre-populated. The pre-populated values eliminate the need to manually specify the configuration for securing your business application, but you may customize the settings according to your network setup or other requirements.

1. DNAT/Full NAT/Load Balancing rule - Used to protect non-web servers, such as mail or other servers hosted inside the network (LAN or DMZ). Using this template, you can define access rights to such servers for users who require access over the WAN or Internet. Additionally, you can use the following non-web application templates:

2. Email Server (SMTP) - Used to protect mail servers that are hosted internally in a network and require protection.

3. Email Clients (POP & IMAP) - Used to protect mail servers that are hosted publicly (WAN) and require protection.

Note: If you delete the Email Clients rule, emails being processed by this rule are queued but not delivered.

To avoid losing the emails processed by this rule, follow these steps:

1. Before deleting the rule, clone it using the Clone Above option and change the Action to Drop. The cloned rule holds all incoming emails.

2. Go to Email > Mail Spool and check whether the spool is empty.

3. Once the spool is empty, delete both firewall rules.

Application Protection Templates for common HTTP-based Applications

SF-OS offers several pre-configured templates to create a protection rule for commonly used HTTP-based applications. You can use a pre-configured template to create a rule for the web application that is close to your configuration, then modify it to fit your needs.

Pre-configured templates for common HTTP applications include:


1. Web Server Protection (WAF) - Used to protect HTTP or generic web application servers hosted in the network. This template is essentially a WAF implementation, with the additional benefit of defining WAF objects, rules and exceptions from the same page.

2. Exchange Autodiscover

3. Exchange Outlook Anywhere

4. Exchange General

5. Microsoft Lync

6. Microsoft Remote Desktop Gateway 2008 and R2

7. Microsoft Remote Desktop Web 2008 and R2

8. Microsoft SharePoint 2010 and 2013

Add Web Server Protection (WAF) Rule

This page allows you to control HTTP traffic flowing to and from a web application. Use this page to create a Web Server Protection (WAF) rule for traffic that uses the IPv4 protocol.

1. Go to Protect > Firewall and select IPv4 using the filter switch.

2. Click +Add Firewall Rule and select Business Application Rule.

3. Enter the general rule details.

Application Template

Select Web Server Protection (WAF) to define an application filter policy for HTTP based applications.

Rule Name

Enter a name for the rule.

Description

Enter a description for the rule.

Rule Position

Specify the position of the rule.

Available Options:

• Top

• Bottom


Figure 42: About this Rule

4. Enter Hosted Server details.

Hosted Address

Select the interface of the hosted server to which the rule applies. This is the public IP address through which Internet users access the internal server/host.

Note: When a client establishes a connection and accesses the web server, the web server does not see the client's real IP address. It sees the address of the interface used by the Web Application Firewall (WAF), because the connection is made through the WAF. The client's real IP address is passed to the web server in an HTTP request header. Configure the web server to trust that header only on requests arriving from the WAF; a client that can reach the server directly can set the header to any value.

Listening Port

Enter a port number on which the hosted web server can be reached externally over the Internet.

Default is port 80 for plaintext communication (HTTP) and port 443 for encrypted communication (HTTPS).

HTTPS

Select to enable HTTPS on the hosted server. When enabled, the WAF terminates TLS for the hosted server using the certificate selected below.

HTTPS Certificate (available only if HTTPS is selected)

Select the HTTPS certificate to be used.

Redirect HTTP (available only if HTTPS is selected)

Select to redirect HTTP requests to HTTPS, so that users who enter the URL without "https://" are redirected automatically to the hosted server.

Note: An HTTP request must carry a Host header if Redirect HTTP is enabled.

Domains

(if HTTPS is disabled): Enter the domains the web server is responsible for as FQDNs, e.g. shop.example.com.

(if HTTPS is enabled): Depending on the HTTPS certificate you select, some domains may be preselected. You can edit or delete these domains or add new ones.


Figure 43: Hosted Server

5. Specify Protected Server(s) details.

Path-specific routing

You can enable path-specific routing to define which web servers incoming requests for a given path are forwarded to.

You can define that all URLs with a specific path, for example, /products/, are sent to a specific web server. On the other hand you can allow more than one web server for a specific request but add rules how to distribute the requests among the servers. Additionally, you can define that each session is bound to one web server throughout its lifetime (sticky session). This may be necessary if you host an online shop and want to make sure that a user sticks to one server during the shopping session. You can also configure to send all requests to one web server and use the others only as a backup.

For each hosted web server, one default site path route (with path /) is created automatically. The device automatically applies the site path routes in the most reasonable way: starting with the strictest, i.e., longest paths and ending with the default path route which is only used if no other more specific site path route matches the incoming request. The order of the site path route list is not relevant. If no route matches an incoming request, (in case the default route was deleted), the request will be denied.

Add New Path (available only if Path-specific routing is selected)

Click Add Path to define a new path.

Add Path

Note: Add New Path will only be active after at least one web server and one hosted web server have been created.

Web Server (not available if Path-specific routing is selected)

With this option, you select the web servers that are to be protected. Select a web server from the Web Server list. The selected web server is displayed on the right side of the table under Selected Web Server(s).

A new web server can be created on the Protect > Web Server > Web Servers page.


Figure 44: Protected Server(s)

6. Specify Access Permission details (not available if Path-specific routing is selected).

Allowed Client Networks

Select or add the allowed networks that should be able to connect to the hosted web server.

Blocked Client Networks

Select or add the networks that should be blocked from reaching your hosted web server.

Authentication

Select a web app authentication profile or click Create new to create a new authentication profile.

You can also create an authentication profile from the Protect > Web Server > Authentication Policies page. See Add Authentication Policy on page 242.

Figure 45: Access Permission

7. Add path Exceptions for the web servers.

Click Add New Exception to specify a new exception.

Add Exception

Figure 46: Exceptions

8. Specify Advanced settings.

a) Specify Policies for Business Applications.

Protection

Select an application protection policy for the server or create a new one. A new application protection policy can be created directly from this page or from the Protect > Web Server > Protection Policies page. You can also choose None for application protection.

Intrusion Prevention

Select an Intrusion Prevention policy for the rule or create a new one. A new IPS policy can be created directly from this page or from the Protect > Intrusion Prevention > IPS Policies page.

You can also choose to have None intrusion prevention.

Traffic Shaping

The traffic shaping policy allocates & limits the maximum bandwidth usage of the user.

Select a traffic shaping policy for the rule or create a new one. A new traffic shaping policy can be created directly from this page or from the System > System Services > Traffic Shaping page. You can also choose to have None traffic shaping.


Figure 47: Policies for Business Applications

b) Specify Additional Options for the added server.

Disable Compression Support

By default, this check box is cleared and content is sent compressed when the client requests compressed data. Compression increases transmission speed and reduces page load time. However, if websites are displayed incorrectly or users experience content-encoding errors when accessing your web servers, it may be necessary to disable compression. When the check box is selected, the WAF requests uncompressed data from the web servers of this hosted web server and sends it uncompressed to the client, regardless of the HTTP request's encoding parameter.

Rewrite HTML

Select this option to have the device rewrite links in the returned web pages so that the links stay valid. Example: one of your web server instances has the hostname yourcompany.local, but the hosted web server's hostname on the device is yourcompany.com. Absolute links such as <a href="http://yourcompany.local/"> would be broken if they were not rewritten to <a href="http://yourcompany.com/"> before delivery to the client. You do not need to enable this option if yourcompany.com is configured on your web server or if internal links on your web pages are always realized as relative links. It is recommended to use this option with Microsoft's Outlook Web Access and/or SharePoint portal server.

Note: HTML rewriting affects all files with an HTTP content type of text/* or *xml*, where * is a wildcard. Make sure that other file types, e.g. binary files, have the correct HTTP content type, otherwise they may be corrupted by the HTML rewriting process.

Rewrite cookies (available only if Rewrite HTML is selected)

Select this option to have the device rewrite cookies of the returned web pages.

Pass Host Header

When you select this option, the host header as requested by the client will be preserved and forwarded along with the web request to the web server. Whether passing the host header is necessary in your environment depends on the configuration of your web server.

Figure 48: Advanced

9. Click Save.

Note: As soon as a new HTTP-based rule configuration is created and saved, or an existing HTTP-based rule configuration is altered and saved, all HTTP-based business rules are restarted. Any client connection using an HTTP-based business rule is dropped and has to be re-established.

The business application rule has been created and appears on the Firewall page when the IPv4 filter is set.

Add Rule for Exchange Autodiscover

(Only available for IPv4 rules) This page describes how to configure a rule for Exchange Autodiscover.

1. Go to Protect > Firewall and select IPv4 using the filter switch.

2. Click +Add Firewall Rule and select Business Application Rule.

3. Specify the general rule details.

Application Template

Select Exchange Autodiscover to configure a policy for an Exchange Autodiscover environment.

Description

Enter a description for the rule.

Rule Position

Specify the position of the rule.

Available Options:

• Top

• Bottom

Rule Name

Specify a name for the rule.

Figure 49: About This Rule

4. Specify Hosted Server details.

Hosted Address

Specify the address of the hosted server to which the rule applies. It is the public IP address through which Internet users access an internal server/host.

Note: When a client establishes a connection and accesses the web server, the web server does not see the client's real IP address. It sees the address of the interface used by the Web Application Firewall (WAF), because the connection is made through the WAF. The client's real IP address is passed to the web server in an HTTP request header. Configure the web server to trust that header only on requests arriving from the WAF; a client that can reach the server directly can set the header to any value.

Listening Port

Enter a port number on which the hosted web server can be reached externally over the Internet. Default is port 80 for plaintext communication (HTTP) and port 443 for encrypted communication (HTTPS).

HTTPS

Select this option to enable HTTPS on the hosted server.

HTTPS Certificate (available only if HTTPS is selected)

Select the HTTPS certificate to be used.

Redirect HTTP (available only if HTTPS is selected)

Select this option to redirect HTTP requests.

Domains

Use FQDN when you enter the domains the web server is responsible for, for example, shop.example.com.


Figure 50: Hosted Server

5. Specify Protected Server(s) details.

Path-specific routing

You can enable path-specific routing to define which web servers incoming requests for a given path are forwarded to.

You can define that all URLs with a specific path, for example, /products/, are sent to a specific web server. On the other hand you can allow more than one web server for a specific request but add rules how to distribute the requests among the servers. Additionally, you can define that each session is bound to one web server throughout its lifetime (sticky session). This may be necessary if you host an online shop and want to make sure that a user sticks to one server during the shopping session. You can also configure to send all requests to one web server and use the others only as a backup.

For each hosted web server, one default site path route (with path /) is created automatically. The device automatically applies the site path routes in the most reasonable way: starting with the strictest, i.e., longest paths and ending with the default path route which is only used if no other more specific site path route matches the incoming request. The order of the site path route list is not relevant. If no route matches an incoming request, (in case the default route was deleted), the request will be denied.

Default: Enabled

Add New Path (available only if Path-specific routing is selected)

Click Add New Path to define a new path.

Add Path

Note: Add New Path will only be active after at least one web server and one hosted web server have been created.

Default: /autodiscover, /Autodiscover, /AutoDiscover

Web Server (not available if Path-specific routing is selected)

Web servers are the application servers to be protected. Select a web server from the list of web servers or enter a web server and click Create to add a web server.

A new web server can be created directly from this page or from the Protect > Web Server > Web Servers page.


Figure 51: Protected Server(s)

6. Specify Access Permission details (not available if Path-specific routing is selected).

Allowed Client Networks

Select the allowed host(s)/network(s).

Blocked Client Networks

Select the blocked host(s)/network(s).

Authentication

Select the web application authentication profile from the list of available profiles.

You can also create a new authentication profile on this page or on the Protect > Web Server > Authentication Policies page.

Figure 52: Access Permission

7. Add path Exceptions for the web servers.

Click Add New Exception to specify new exception.

Add Exception

Default: /autodiscover/*,/Autodiscover/*

Figure 53: Exceptions

8. Specify Advanced settings.

a) Specify Policies for Business Applications.

Protection

Select an application protection policy for the server or create a new one. A new application protection policy can be created directly from this page or from the Protect > Web Server > Protection Policies page. You can also choose None for application protection.

Intrusion Prevention

Select an Intrusion Prevention policy for the rule or create a new one. A new IPS policy can be created directly from this page or from the Protect > Intrusion Prevention > IPS Policies page.

You can also choose to have None intrusion prevention.

Traffic Shaping

The traffic shaping policy allocates & limits the maximum bandwidth usage of the user.

Select a traffic shaping policy for the rule or create a new one. A new traffic shaping policy can be created directly from this page or from the System > System Services > Traffic Shaping page. You can also choose to have None traffic shaping.


Figure 54: Policies for Business Applications

b) Specify Additional Options for the added server.

Disable Compression Support

By default, this check box is cleared and content is sent compressed when the client requests compressed data. Compression increases transmission speed and reduces page load time. However, if websites are displayed incorrectly or users experience content-encoding errors when accessing your web servers, it may be necessary to disable compression. When the check box is selected, the WAF requests uncompressed data from the web servers of this hosted web server and sends it uncompressed to the client, regardless of the HTTP request's encoding parameter.

Rewrite HTML

Select this option to have the device rewrite links in the returned web pages so that the links stay valid. Example: one of your web server instances has the hostname yourcompany.local, but the hosted web server's hostname on the device is yourcompany.com. Absolute links such as <a href="http://yourcompany.local/"> would be broken if they were not rewritten to <a href="http://yourcompany.com/"> before delivery to the client. You do not need to enable this option if yourcompany.com is configured on your web server or if internal links on your web pages are always realized as relative links. It is recommended to use this option with Microsoft's Outlook Web Access and/or SharePoint portal server.

Note: HTML rewriting affects all files with an HTTP content type of text/* or *xml*, where * is a wildcard. Make sure that other file types, e.g. binary files, have the correct HTTP content type, otherwise they may be corrupted by the HTML rewriting process.

Rewrite cookies (available only if Rewrite HTML is selected)

Select this option to have the device rewrite cookies of the returned web pages.

Pass Host Header

When you select this option, the host header as requested by the client will be preserved and forwarded along with the web request to the web server. Whether passing the host header is necessary in your environment depends on the configuration of your web server.


Figure 55: Advanced

9. Click Save.

Note: As soon as a new HTTP-based rule configuration is created and saved, or an existing HTTP-based rule configuration is altered and saved, all HTTP-based business rules are restarted. Any client connection using an HTTP-based business rule is dropped and has to be re-established.

The Exchange Autodiscover rule has been created and appears on the Firewall page when the IPv4 filter is set.

Add Rule for Exchange Outlook Anywhere

(Only available for IPv4 rules) This page describes how to configure a rule for Exchange Outlook Anywhere.

1. Go to Protect > Firewall and select IPv4 using the filter switch.

2. Click +Add Firewall Rule and select Business Application Rule.

3. Specify the general policy details.

Application Template

Select Exchange Outlook Anywhere to configure rule for Exchange Outlook Anywhere.

Description

Enter a description for the rule.

Rule Position

Specify the position of the rule.

Available Options:

• Top

• Bottom

Rule Name

Specify a name for the rule.

Figure 56: About This Rule

4. Specify Hosted Server details.

Hosted Address

Specify the address of the hosted server to which the rule applies. It is the public IP address through which Internet users access an internal server/host.

Note: When a client establishes a connection and accesses the web server, the web server does not see the client's real IP address. It sees the address of the interface used by the Web Application Firewall (WAF), because the connection is made through the WAF. The client's real IP address is passed to the web server in an HTTP request header. Configure the web server to trust that header only on requests arriving from the WAF; a client that can reach the server directly can set the header to any value.

Listening Port

Enter a port number on which the hosted web server can be reached externally over the Internet.

Default is port 80 for plaintext communication (HTTP) and port 443 for encrypted communication (HTTPS).

HTTPS

Select to enable HTTPS on the hosted server.

HTTPS Certificate (available only if HTTPS is selected)

Select the HTTPS certificate to be used.

Redirect HTTP (available only if HTTPS is selected)

Select to redirect HTTP requests.

Domains

Use FQDN when you enter the domains the web server is responsible for, for example, shop.example.com.


Figure 57: Hosted Server

5. Specify Protected Server(s) details.

Path-specific routing

You can enable path-specific routing to define which web servers incoming requests for a given path are forwarded to.

You can define that all URLs with a specific path, for example, /products/, are sent to a specific web server. On the other hand you can allow more than one web server for a specific request but add rules how to distribute the requests among the servers. Additionally, you can define that each session is bound to one web server throughout its lifetime (sticky session). This may be necessary if you host an online shop and want to make sure that a user sticks to one server during the shopping session. You can also configure to send all requests to one web server and use the others only as a backup.

For each hosted web server, one default site path route (with path /) is created automatically. The device automatically applies the site path routes in the most reasonable way: starting with the strictest, i.e., longest paths and ending with the default path route which is only used if no other more specific site path route matches the incoming request. The order of the site path route list is not relevant. If no route matches an incoming request, (in case the default route was deleted), the request will be denied.

Add New Path (available only if Path-specific routing is selected)

Click Add New Path to define a new path.

Add Path

Note: Add New Path will only be active after at least one web server and one hosted web server have been created.

Default: /rpc, /RPC

Web Server (not available if Path-specific routing is selected)

Web servers are the application servers that are to be protected. Select a web server from the list of web servers or click Add New Item to add a web server.

A new web server can be created directly from this page or from the Protect > Web Server > Web Servers page.


Figure 58: Protected Server(s)

6. Specify Access Permission details (not available if Path-specific routing is selected).

Allowed Client Networks

Select the allowed host(s)/network(s).

Blocked Client Networks

Select the blocked host(s)/network(s).

Authentication

Select the web application authentication profile from the list of available profiles. You can also create a new authentication profile from this page or from the Protect > Web Server > Authentication Policies page.

Figure 59: Access Permission

7. Add path Exceptions for the web servers.

Click Add New Exception to specify new exception.

Add Exception

Default: /rpc/*,/RPC/*.

Figure 60: Exceptions

8. Specify Advanced settings.

a) Specify Policies for Business Applications.

Protection

Select an application protection policy for the server or create a new one. A new application protection policy can be created directly from this page or from the Protect > Web Server > Protection Policies page. You can also choose None for application protection.

Intrusion Prevention

Select an Intrusion Prevention policy for the rule or create a new one. A new IPS policy can be created directly from this page or from the Protect > Intrusion Prevention > IPS Policies page.

You can also choose to have None intrusion prevention.

Traffic Shaping

The traffic shaping policy allocates & limits the maximum bandwidth usage of the user.

Select a traffic shaping policy for the rule or create a new one. A new traffic shaping policy can be created directly from this page or from the System > System Services > Traffic Shaping page. You can also choose to have None traffic shaping.


Figure 61: Policies for Business Applications

b) Specify Additional Options for the added server.

Disable Compression Support

By default, this check box is cleared and content is sent compressed when the client requests compressed data. Compression increases transmission speed and reduces page load time. However, if websites are displayed incorrectly or users experience content-encoding errors when accessing your web servers, it may be necessary to disable compression. When the check box is selected, the WAF requests uncompressed data from the web servers of this hosted web server and sends it uncompressed to the client, regardless of the HTTP request's encoding parameter.

Rewrite HTML

Select this option to have the device rewrite links in the returned web pages so that the links stay valid. Example: one of your web server instances has the hostname yourcompany.local, but the hosted web server's hostname on the device is yourcompany.com. Absolute links such as <a href="http://yourcompany.local/"> would be broken if they were not rewritten to <a href="http://yourcompany.com/"> before delivery to the client. You do not need to enable this option if yourcompany.com is configured on your web server or if internal links on your web pages are always realized as relative links. It is recommended to use this option with Microsoft's Outlook Web Access and/or SharePoint portal server.

Note: HTML rewriting affects all files with an HTTP content type of text/* or *xml*, where * is a wildcard. Make sure that other file types, e.g. binary files, have the correct HTTP content type, otherwise they may be corrupted by the HTML rewriting process.

Rewrite cookies (available only if Rewrite HTML is selected)

Select this option to have the device rewrite cookies of the returned web pages.

Pass Host Header

When you select this option, the host header as requested by the client will be preserved and forwarded along with the web request to the web server. Whether passing the host header is necessary in your environment depends on the configuration of your web server.


Figure 62: Advanced
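The Rewrite HTML and Rewrite cookies options described in step 8 of this procedure (and identically in the Web Server Protection (WAF) and Exchange Autodiscover procedures above) amount to two transformations on each backend response: absolute links to the internal hostname are rewritten to the public hostname, but only in bodies whose content type is text/* or contains xml, and a Set-Cookie Domain attribute naming the internal host is rewritten so the browser sends the cookie back to the public host. The following Python is an added example of those two transformations, not code from the Sophos guide or the XG WAF; it reuses the guide's hostnames yourcompany.local and yourcompany.com, and the response bodies, content types and Set-Cookie header are constructed. It also shows why the content-type note matters: a PNG served with the correct type passes through untouched even though it contains the internal hostname as bytes.

```python
"""Link and cookie rewriting in the spirit of the Rewrite HTML / Rewrite cookies options.

Added example; not code from the Sophos guide. Hostnames follow the guide's example;
the response bodies, content types and Set-Cookie header are constructed.
"""
import re

# The guide: rewriting touches content types text/* and *xml* only.
REWRITABLE = re.compile(r"^(text/.*|.*xml.*)$", re.IGNORECASE)


def is_rewritable(content_type: str) -> bool:
    """True for text/* and anything containing 'xml'; binary types are left untouched."""
    mime = content_type.split(";", 1)[0].strip()
    return REWRITABLE.match(mime) is not None


def rewrite_body(body: bytes, content_type: str, internal: str, public: str) -> bytes:
    """Replace absolute links to the internal hostname with the public hostname."""
    if not is_rewritable(content_type):
        return body  # a correctly typed binary file survives intact
    # \b stops yourcompany.local from also matching yourcompany.localhost
    pattern = re.compile(rb"(https?://)" + re.escape(internal.encode()) + rb"\b", re.IGNORECASE)
    return pattern.sub(lambda m: m.group(1) + public.encode(), body)


def rewrite_cookie(set_cookie: str, internal: str, public: str) -> str:
    """Rewrite a Set-Cookie Domain attribute that names the internal host."""
    out = []
    for attr in (a.strip() for a in set_cookie.split(";")):
        name, _, value = attr.partition("=")
        if name.lower() == "domain" and value.lstrip(".").lower() == internal.lower():
            attr = f"Domain={public}"
        out.append(attr)
    return "; ".join(out)


def rewrite_response(headers: dict, body: bytes, internal: str, public: str):
    """Apply both rewrites to one backend response; returns (headers, body)."""
    ctype = headers.get("Content-Type", "application/octet-stream")
    new_headers = dict(headers)
    if "Set-Cookie" in headers:
        new_headers["Set-Cookie"] = rewrite_cookie(headers["Set-Cookie"], internal, public)
    return new_headers, rewrite_body(body, ctype, internal, public)


# Constructed backend responses: one HTML page with a cookie, one binary image whose
# bytes happen to contain the internal hostname.
HTML_RESPONSE = (
    {"Content-Type": "text/html; charset=utf-8",
     "Set-Cookie": "session=abc; Domain=yourcompany.local; Path=/; Secure; HttpOnly"},
    b'<a href="http://yourcompany.local/owa/">Mail</a> <img src="/logo.png">',
)
PNG_RESPONSE = (
    {"Content-Type": "image/png"},
    b"\x89PNG http://yourcompany.local/ inside binary data",
)

if __name__ == "__main__":
    for headers, body in (HTML_RESPONSE, PNG_RESPONSE):
        h, b = rewrite_response(headers, body, "yourcompany.local", "yourcompany.com")
        print(h, b)
```

The check a practitioner wants before enabling Rewrite HTML is the second case: anything the backend serves with a text/* or xml content type that is not actually text (a download handler that defaults to text/plain, for instance) will be passed through the substitution and corrupted, which is what the guide's note warns about.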

9. Click Save.

Note: As soon as a new HTTP-based rule configuration is created and saved, or an existing HTTP-based rule configuration is altered and saved, all HTTP-based business rules are restarted. Any client connection using an HTTP-based business rule is dropped and has to be re-established.

The Exchange Outlook Anywhere rule has been created and appears on the Firewall page when the IPv4 filter is set.

Add Rule for Exchange General

(Only available for IPv4 rules) This page describes how to configure a rule for Exchange General.

1. Go to Protect > Firewall and select IPv4 using the filter switch.

2. Click +Add Firewall Rule and select Business Application Rule.

3. Specify the general policy details.

Application Template

Select Exchange General to configure a rule for Exchange General.

Description

Enter a description for the rule.

Rule Position

Specify the position of the rule.

Available Options:

• Top

• Bottom

Rule Name

Specify a name for the rule.

Figure 63: About This Rule

4. Specify Hosted Server details.

Hosted Address

Specify the address of the hosted server to which the rule applies. It is the public IP address through which Internet users access an internal server/host.

Note: When a client establishes a connection and accesses the web server, the web server does not see the client's real IP address. It sees the address of the interface used by the Web Application Firewall (WAF), because the connection is made through the WAF. The client's real IP address is passed to the web server in an HTTP request header. Configure the web server to trust that header only on requests arriving from the WAF; a client that can reach the server directly can set the header to any value.

Listening Port

Enter a port number on which the hosted web server can be reached externally over the Internet.

Default is port 80 for plaintext communication (HTTP) and port 443 for encrypted communication (HTTPS).

HTTPS

Select to enable HTTPS on the hosted server.

HTTPS Certificate (available only if HTTPS is selected)

Select the HTTPS certificate to be used.

Redirect HTTP (available only if HTTPS is selected)

Select to redirect HTTP requests.

Domains

Use FQDN when you enter the domains the web server is responsible for, for example, shop.example.com.


Figure 64: Hosted Server

5. Specify Protected Server(s) details.

Path-specific routing

You can enable path-specific routing to define which web servers incoming requests for a given path are forwarded to.

You can define that all URLs with a specific path, for example, /products/, are sent to a specific web server. On the other hand you can allow more than one web server for a specific request but add rules how to distribute the requests among the servers. Additionally, you can define that each session is bound to one web server throughout its lifetime (sticky session). This may be necessary if you host an online shop and want to make sure that a user sticks to one server during the shopping session. You can also configure to send all requests to one web server and use the others only as a backup.

For each hosted web server, one default site path route (with path /) is created automatically. The device automatically applies the site path routes in the most reasonable way: starting with the strictest, i.e., longest paths and ending with the default path route which is only used if no other more specific site path route matches the incoming request. The order of the site path route list is not relevant. If no route matches an incoming request, (in case the default route was deleted), the request will be denied.

Add New Path (available only if Path-specific routing is selected)

Click Add New Path to define a new path.

Add Path

Note: Add New Path will only be active after at least one web server and one hosted web server have been created.

Default: /owa, /OWA, /ecp, /ECP, /oab, /OAB, /ews, /EWS, /oma, /OMA, /Microsoft-Server-

ActiveSync

Web Servers (not available if Path-specific routing is selected)

Web servers are the application servers that are to be protected. Select a web server from the list of web servers or click Add New Item to add a web server.

A new web server can be created directly from this page or from the Protect > Web Server > Web

Servers page.


Figure 65: Protected Server(s)

6. Specify Access Permission details. (not available if Path-specific routing is selected)

Allowed Client Networks

Select the allowed host(s)/network(s).

Blocked Client Networks

Select the blocked host(s)/network(s).

Authentication

Select the web application authentication profile from the list of available profiles. You can also create a new authentication profile on this page or on the Protect > Web Server > Authentication Policies page.

Figure 66: Access Permission

7. Add path Exceptions for the web servers.

Click Add New Exception to specify a new exception.

Add Exception

Default: /owa/*, /OWA/*, /ews/*, /EWS/*, /ecp/*, /ECP/*, /oab/*, /OAB/*, /oma/*, /OMA/*, /Microsoft-Server-ActiveSync?*, /owa/ev.owa*

Figure 67: Exceptions
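Step 5 describes how site path routes are chosen (longest path wins, list order is irrelevant, the automatic "/" route is the fallback, no match means the request is denied) and step 7 lists the default exception path patterns. The block below is an added example that models both; it is not the appliance's code. The route table and server names are constructed placeholders, sticky sessions are modelled by hashing the session identifier, and the exception patterns are interpreted as globs in which only "*" is a wildcard (so the "?" in "/Microsoft-Server-ActiveSync?*" is a literal question mark that starts the query string). That last interpretation is an assumption; the guide does not define the pattern syntax.

```python
"""Site path route selection and exception pattern matching.

Added example, not the appliance's code. It models the semantics the guide
states for path-specific routing: the longest matching path wins regardless
of list order, the automatically created "/" route is the fallback, and a
request that matches no route is denied. Sticky sessions are modelled by
hashing the session identifier. Exception patterns are assumed to be globs in
which only "*" is a wildcard, so the "?" in "/Microsoft-Server-ActiveSync?*"
is literal; the guide does not state this, so treat it as an assumption.
"""
import hashlib
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed routes: path -> web servers, primary first. Real entries would
# be the web server objects configured under Protect > Web Server > Web Servers.
SITE_PATH_ROUTES: Dict[str, List[str]] = {
    "/": ["web-default"],
    "/products/": ["shop-a", "shop-b"],
    "/products/admin/": ["shop-admin"],
}

DEFAULT_EXCEPTIONS = [
    "/owa/*", "/OWA/*", "/ews/*", "/EWS/*", "/ecp/*", "/ECP/*",
    "/oab/*", "/OAB/*", "/oma/*", "/OMA/*",
    "/Microsoft-Server-ActiveSync?*", "/owa/ev.owa*",
]


def select_route(path: str, routes: Dict[str, List[str]]) -> Optional[str]:
    """Longest matching prefix; None means no route matches (request denied)."""
    best: Optional[str] = None
    for prefix in routes:  # dict order is irrelevant to the result
        if path.startswith(prefix) and (best is None or len(prefix) > len(best)):
            best = prefix
    return best


def choose_backend(servers: List[str], session_id: Optional[str], sticky: bool) -> str:
    """Pick a server. Sticky: the same session id always maps to the same
    server for the lifetime of the session. Otherwise the primary is used and
    the rest act as backups (failover itself is not modelled here)."""
    if not sticky or session_id is None:
        return servers[0]
    digest = hashlib.sha256(session_id.encode("utf-8")).digest()
    return servers[int.from_bytes(digest[:4], "big") % len(servers)]


def dispatch(path: str, session_id: Optional[str] = None,
             routes: Dict[str, List[str]] = SITE_PATH_ROUTES,
             sticky: bool = True) -> Tuple[str, Optional[str]]:
    """Return ("forward", server) or ("deny", None)."""
    route = select_route(path, routes)
    if route is None:
        return ("deny", None)
    return ("forward", choose_backend(routes[route], session_id, sticky))


def exception_regex(pattern: str) -> "re.Pattern[str]":
    """Glob where only '*' is special; everything else is matched literally."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")


def matches_exception(path_and_query: str, patterns: Iterable[str]) -> bool:
    """True if the request path (including any query string) hits a pattern."""
    return any(exception_regex(p).match(path_and_query) for p in patterns)


if __name__ == "__main__":
    for p in ("/products/x", "/products/admin/users", "/about"):
        print(p, dispatch(p, session_id="sess-42"))
    no_default = {k: v for k, v in SITE_PATH_ROUTES.items() if k != "/"}
    print("/about without default route:", dispatch("/about", routes=no_default))
    for p in ("/owa/auth/logon.aspx", "/Microsoft-Server-ActiveSync?Cmd=Sync",
              "/Microsoft-Server-ActiveSync", "/ecpx"):
        print(p, matches_exception(p, DEFAULT_EXCEPTIONS))
```

Two details worth checking against a live configuration: deleting the "/" route turns every unmatched request into a deny, as the text states, and "/ecpx" is not covered by "/ecp/*" because the prefix includes the trailing slash. If the appliance treats "?" as a wildcard rather than a literal, the ActiveSync pattern still matches the same requests, since "?" would then match the literal question mark.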

8. Specify Advanced settings.

a) Specify Policies for Business Applications.

Protection

Select an application protection policy for the server or create a new one. A new application protection policy can be created directly from this page or from the Protect > Web Server > Protection Policies page. You can also select None to apply no application protection.

Intrusion Prevention

Select an Intrusion Prevention policy for the rule or create a new one. A new IPS policy can be created directly from this page or from the Protect > Intrusion Prevention > IPS Policies page. You can also select None to apply no intrusion prevention.

Traffic Shaping

The traffic shaping policy allocates and limits the maximum bandwidth available to the user.

Select a traffic shaping policy for the rule or create a new one. A new traffic shaping policy can be created directly from this page or from the System > System Services > Traffic Shaping page. You can also select None to apply no traffic shaping.


Figure 68: Policies for Business Applications

b) Specify Additional Options for the added server.

Disable Compression Support

By default, this check box is cleared and content is sent compressed when the client requests compressed data. Compression increases transmission speed and reduces page load time. However, if websites are displayed incorrectly or users experience content-encoding errors when accessing your web servers, it may be necessary to disable compression. When the check box is selected, the WAF requests uncompressed data from the web servers of this hosted web server and sends it uncompressed to the client, regardless of the encoding parameter in the HTTP request.

Rewrite HTML

Select this option to have the device rewrite links in the returned web pages so that the links stay valid. Example: one of your web server instances has the hostname yourcompany.local, but the hosted web server's hostname on the device is yourcompany.com. Absolute links such as <a href="http://yourcompany.local/"> would be broken unless they are rewritten to <a href="http://yourcompany.com/"> before delivery to the client. You do not need to enable this option if yourcompany.com is also configured on your web server, or if internal links on your web pages are always relative links. It is recommended to use this option with Microsoft Outlook Web Access and/or SharePoint Portal Server.

Note: HTML rewriting affects all files with an HTTP content type of text/* or *xml*, where * is a wildcard. Make sure that other file types, e.g. binary files, have the correct HTTP content type; otherwise they may be corrupted by the HTML rewriting process.

Rewrite cookies (available only if Rewrite HTML is selected)

Select this option to have the device rewrite cookies of the returned web pages.

Pass Host Header

When you select this option, the Host header as sent by the client is preserved and forwarded with the request to the web server. Whether passing the Host header is necessary in your environment depends on the configuration of your web server.


Figure 69: Advanced
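The Rewrite HTML and Rewrite cookies options, together with the content-type note, describe a rewriter that must touch textual responses only. The block below is an added example of that behaviour, not the appliance's implementation. It uses the hostnames from the text (yourcompany.local inside, yourcompany.com on the device); the function names and the byte-level regular expressions are this example's own. The content-type guard is the part that prevents the corruption the note warns about: a binary served with a correct type is passed through untouched, while the same bytes mislabelled as text/plain would go through the rewriter.

```python
"""Link and cookie rewriting with a content-type guard.

Added example, not the appliance's implementation. Hostnames are the ones
used in the guide's text; the function names are this example's own.
Rewriting is applied only when the response media type is text/* or contains
"xml"; any other type, such as image/png, passes through untouched.
"""
import re
from typing import Optional

INTERNAL_HOST = b"yourcompany.local"
PUBLIC_HOST = b"yourcompany.com"

# Absolute URL to the internal name, followed by a delimiter so that
# "yourcompany.localhost" or "yourcompany.local.example" are not touched.
_ABS_LINK = re.compile(
    rb"(https?://)" + re.escape(INTERNAL_HOST) + rb"(?=[/:\"'\s>?#]|$)",
    re.IGNORECASE,
)
# Domain attribute of a Set-Cookie header, with or without a leading dot.
_COOKIE_DOMAIN = re.compile(
    rb"(;\s*Domain=)\.?" + re.escape(INTERNAL_HOST) + rb"(?=;|$)",
    re.IGNORECASE,
)


def should_rewrite(content_type: Optional[str]) -> bool:
    """text/* or *xml* (case-insensitive); parameters such as charset are ignored."""
    if not content_type:
        return False
    media = content_type.split(";", 1)[0].strip().lower()
    return media.startswith("text/") or "xml" in media


def rewrite_body(body: bytes, content_type: Optional[str]) -> bytes:
    """Rewrite absolute links to the internal hostname in textual bodies only.

    Relative links are left alone, which is why the guide says the option is
    unnecessary when internal links are always relative."""
    if not should_rewrite(content_type):
        return body
    return _ABS_LINK.sub(rb"\g<1>" + PUBLIC_HOST, body)


def rewrite_set_cookie(header: bytes) -> bytes:
    """Rewrite the Domain attribute so the browser accepts the cookie for the
    public hostname (the "Rewrite cookies" option)."""
    return _COOKIE_DOMAIN.sub(rb"\g<1>" + PUBLIC_HOST, header)


if __name__ == "__main__":
    # Constructed sample response fragments, not captured traffic.
    html = b'<a href="http://yourcompany.local/owa/">mail</a> <a href="/ecp/">x</a>'
    print(rewrite_body(html, "text/html; charset=utf-8"))
    png = b"\x89PNG\r\n\x1a\n"
    print(rewrite_body(png, "image/png") == png)       # untouched: binary type
    print(should_rewrite("text/plain"))                # a mislabelled PNG would be rewritten
    print(rewrite_set_cookie(b"sess=abc; Path=/; Domain=.yourcompany.local; Secure"))
```

The lookahead after the hostname is deliberate: without it, a link to yourcompany.localhost or yourcompany.local.example would also be rewritten, which is the kind of over-match that silently breaks a site once rewriting is enabled for an Outlook Web Access or SharePoint deployment.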

9. Click Save.

Note: As soon as a new HTTP-based rule configuration is created and saved, or an existing HTTP-based rule configuration is altered and saved, all HTTP-based business rules are restarted. Any client connection using an HTTP-based business rule is lost and has to be re-established.

The Exchange General rule has been created and appears on the Firewall page when the IPv4 filter is set.

Add Rule for Microsoft Lync

(only available for IPv4 policy) This page describes how to configure a rule for Microsoft Lync.

1. Go to Protect > Firewall and select IPv4 using the filter switch.

2. Click +Add Firewall Rule and Business Application Rule.

3. Specify the general rule details.

Application Template

Select Microsoft Lync to configure a rule for Microsoft Lync.

Description

Enter a description for the rule.

Rule Position

Specify the position of the rule.

Available Options:

• Top

• Bottom

Rule Name

Specify a name to identify the rule.

Figure 70: About This Rule

4. Specify Hosted Server details.

Hosted Address

Specify the address of the hosted server to which the rule applies. It is the public IP address through which Internet users access internal server/host.

Note: When a client establishes a connection and accesses the web server, the web server does not obtain the client’s real IP address. The server obtains the address of the interface used by the Web Application Firewall (WAF) since the connection is made through the WAF. The client’s real IP address is available in the HTTP header

Listening Port


Enter the port number on which the hosted web server can be reached externally over the Internet. Default is port 80 for plaintext communication (HTTP) and port 443 for encrypted communication (HTTPS).

HTTPS

Click to enable or disable HTTPS traffic.

HTTPS Certificate (available if HTTPS is enabled)

Select the HTTPS certificate to be used.

Redirect HTTP (available if HTTPS is enabled)

Click to redirect HTTP requests to HTTPS.

Domains

Use FQDN when you enter the domains the web server is responsible for, for example, shop.example.com.


Figure 71: Hosted Server

5. Specify Protected Server(s) details.

Path-specific routing

Enable path-specific routing to define the web server(s) to which incoming requests for a given path are forwarded.

You can send all URLs with a specific path, for example /products/, to one web server. Alternatively, you can assign more than one web server to a path and define how requests are distributed among them. You can also bind each session to one web server for its whole lifetime (sticky session), which may be necessary for an online shop where a user must stay on one server for the whole shopping session. Finally, you can send all requests to one web server and use the others only as a backup.

For each hosted web server, one default site path route (with path /) is created automatically. The device applies site path routes from the most specific, i.e., the longest path, down to the default route, which is used only if no more specific site path route matches the request. The order of the site path route list is therefore not relevant. If no route matches an incoming request (for example, because the default route was deleted), the request is denied.

Add New Path (available if Path-specific routing is enabled)

Click Add New Path to define a new path.

Add Path

Note: Add New Path will only be active after at least one web server and one hosted web server have been created.

Web Server (available if Path-specific routing is disabled)

Web servers are the application servers that are to be protected. Select a web server from the list of web servers or click Add New Item to add a web server.

A new web server can be created directly from this page or from the Protect > Web Server > Web Servers page.


Figure 72: Protected Application Server(s)

6. Specify Access Permission details (not available if Path-specific routing is selected).

Allowed Client Networks

Select the allowed host(s)/network(s).

Blocked Client Networks

Select the blocked host(s)/network(s).

Authentication

Select the web application authentication profile from the list of available profiles.

You can also create a new authentication profile on this page or on the Protect > Web Server > Authentication Policies page.

Figure 73: Access Permission

7. Specify path Exceptions for the web servers.

Click Add New Exception to specify a new exception.

Add Exception

Figure 74: Exceptions

8. Specify Advanced settings.

a) Specify Policies for Business Applications.

Protection

Select an application protection policy for the server or create a new one. A new application protection policy can be created directly from this page or from the Protect > Web Server > Protection Policies page. You can also select None to apply no application protection.

Intrusion Prevention

Select an Intrusion Prevention policy for the rule or create a new one. A new IPS policy can be created directly from this page or from the Protect > Intrusion Prevention > IPS Policies page. You can also select None to apply no intrusion prevention.

Traffic Shaping

The traffic shaping policy allocates and limits the maximum bandwidth available to the user.

Select a traffic shaping policy for the rule or create a new one. A new traffic shaping policy can be created directly from this page or from the System > System Services > Traffic Shaping page. You can also select None to apply no traffic shaping.


Figure 75: Policies for Business Applications

b) Specify Additional Options for the added server.

Disable Compression Support

By default, this check box is cleared and content is sent compressed when the client requests compressed data. Compression increases transmission speed and reduces page load time. However, if websites are displayed incorrectly or users experience content-encoding errors when accessing your web servers, it may be necessary to disable compression. When the check box is selected, the WAF requests uncompressed data from the web servers of this hosted web server and sends it uncompressed to the client, regardless of the encoding parameter in the HTTP request.

Rewrite HTML

Select this option to have the device rewrite links in the returned web pages so that the links stay valid. Example: one of your web server instances has the hostname yourcompany.local, but the hosted web server's hostname on the device is yourcompany.com. Absolute links such as <a href="http://yourcompany.local/"> would be broken unless they are rewritten to <a href="http://yourcompany.com/"> before delivery to the client. You do not need to enable this option if yourcompany.com is also configured on your web server, or if internal links on your web pages are always relative links. It is recommended to use this option with Microsoft Outlook Web Access and/or SharePoint Portal Server.

Note: HTML rewriting affects all files with an HTTP content type of text/* or *xml*, where * is a wildcard. Make sure that other file types, e.g. binary files, have the correct HTTP content type; otherwise they may be corrupted by the HTML rewriting process.

Rewrite cookies (available only if Rewrite HTML is selected)

Select this option to have the device rewrite cookies of the returned web pages.

Pass Host Header

When you select this option, the Host header as sent by the client is preserved and forwarded with the request to the web server. Whether passing the Host header is necessary in your environment depends on the configuration of your web server.

Figure 76: Advanced

9. Click Save.

Note: As soon as a new HTTP-based rule configuration is created and saved, or an existing HTTP-based rule configuration is altered and saved, all HTTP-based business rules are restarted. Any client connection using an HTTP-based business rule is lost and has to be re-established.

The Microsoft Lync rule has been created and appears on the Firewall page when the IPv4 filter is set.

Add Rule for Microsoft Remote Desktop Gateway 2008 and R2

(only available for IPv4 policy) This page describes how to configure a rule for Microsoft Remote Desktop Gateway 2008 and R2.

1. Go to Protect > Firewall and select IPv4 using the filter switch.

2. Click +Add Firewall Rule and Business Application Rule.

3. Specify the general rule details.

Application Template

Select Microsoft Remote Desktop Gateway 2008 and R2 to configure a rule for Microsoft Remote Desktop Gateway 2008 and R2.

Description

Enter a description for the rule.

Rule Position

Specify the position of the rule.

Available Options:

• Top

• Bottom

Rule Name

Specify a name to identify the rule.

Figure 77: About This Rule

4. Specify Hosted Server details.

Hosted Address

Specify the address of the hosted server to which the rule applies. It is the public IP address through which Internet users access an internal server/host.

Note: When a client establishes a connection and accesses the web server, the web server does not obtain the client’s real IP address. The server obtains the address of the interface used by the Web Application Firewall (WAF) since the connection is made through the WAF. The client’s real IP address is available in the HTTP header


Listening Port

Enter the port number on which the hosted web server can be reached externally over the Internet. Default is port 80 for plaintext communication (HTTP) and port 443 for encrypted communication (HTTPS).

HTTPS

Click to enable or disable HTTPS traffic.

HTTPS Certificate (available if HTTPS is enabled)

Select the HTTPS certificate to be used.

Redirect HTTP (available if HTTPS is enabled)

Click to redirect HTTP requests to HTTPS.

Domains

Use FQDN when you enter the domains the web server is responsible for, for example, shop.example.com.


Figure 78: Hosted Server

5. Specify Protected Server(s) details.

Path-specific routing

Enable path-specific routing to define the web server(s) to which incoming requests for a given path are forwarded.

You can send all URLs with a specific path, for example /products/, to one web server. Alternatively, you can assign more than one web server to a path and define how requests are distributed among them. You can also bind each session to one web server for its whole lifetime (sticky session), which may be necessary for an online shop where a user must stay on one server for the whole shopping session. Finally, you can send all requests to one web server and use the others only as a backup.

For each hosted web server, one default site path route (with path /) is created automatically. The device applies site path routes from the most specific, i.e., the longest path, down to the default route, which is used only if no more specific site path route matches the request. The order of the site path route list is therefore not relevant. If no route matches an incoming request (for example, because the default route was deleted), the request is denied.

Add New Path (available if Path-specific routing is enabled)

Click Add New Path to define a new path.

Add Path

Note: Add New Path will only be active after at least one web server and one hosted web server have been created.

Web Server (available if Path-specific routing is disabled)

Web servers are the application servers that are to be protected. Select a web server from the list of web servers or click Add New Item to add a web server.

A new web server can be created directly from this page or from the Protect > Web Server > Web Servers page.


Figure 79: Protected Server(s)

6. Specify Access Permission details (available if Path-specific routing is disabled).

Allowed Client Networks

Select the allowed host(s)/network(s).

Blocked Client Networks

Select the blocked host(s)/network(s).

Authentication

Select the web application authentication profile from the list of available profiles. You can also create a new authentication profile from this page or from the Protect > Web Server > Authentication Policies page.

Figure 80: Access Permission

7. Specify path Exceptions for the web servers.

Click Add New Exception to specify a new exception.

Add Exception

Figure 81: Exceptions

8. Specify Advanced settings.

a) Specify Policies for Business Applications.

Protection

Select an application protection policy for the server or create a new one. A new application protection policy can be created directly from this page or from the Protect > Web Server > Protection Policies page. You can also select None to apply no application protection.

Intrusion Prevention

Select an Intrusion Prevention policy for the rule or create a new one. A new IPS policy can be created directly from this page or from the Protect > Intrusion Prevention > IPS Policies page. You can also select None to apply no intrusion prevention.

Traffic Shaping

The traffic shaping policy allocates and limits the maximum bandwidth available to the user.

Select a traffic shaping policy for the rule or create a new one. A new traffic shaping policy can be created directly from this page or from the System > System Services > Traffic Shaping page. You can also select None to apply no traffic shaping.


Figure 82: Policies for Business Applications

b) Specify Additional Options for the added server.

Disable Compression Support

By default, this check box is cleared and content is sent compressed when the client requests compressed data. Compression increases transmission speed and reduces page load time. However, if websites are displayed incorrectly or users experience content-encoding errors when accessing your web servers, it may be necessary to disable compression. When the check box is selected, the WAF requests uncompressed data from the web servers of this hosted web server and sends it uncompressed to the client, regardless of the encoding parameter in the HTTP request.

Rewrite HTML

Select this option to have the device rewrite links in the returned web pages so that the links stay valid. Example: one of your web server instances has the hostname yourcompany.local, but the hosted web server's hostname on the device is yourcompany.com. Absolute links such as <a href="http://yourcompany.local/"> would be broken unless they are rewritten to <a href="http://yourcompany.com/"> before delivery to the client. You do not need to enable this option if yourcompany.com is also configured on your web server, or if internal links on your web pages are always relative links. It is recommended to use this option with Microsoft Outlook Web Access and/or SharePoint Portal Server.

Note: HTML rewriting affects all files with an HTTP content type of text/* or *xml*, where * is a wildcard. Make sure that other file types, e.g. binary files, have the correct HTTP content type; otherwise they may be corrupted by the HTML rewriting process.

Rewrite cookies (available only if Rewrite HTML is selected)

Select this option to have the device rewrite cookies of the returned web pages.

Pass Host Header

When you select this option, the Host header as sent by the client is preserved and forwarded with the request to the web server. Whether passing the Host header is necessary in your environment depends on the configuration of your web server.

Figure 83: Advanced

9. Click Save.

Note: As soon as a new HTTP-based rule configuration is created and saved, or an existing HTTP-based rule configuration is altered and saved, all HTTP-based business rules are restarted. Any client connection using an HTTP-based business rule is lost and has to be re-established.

The rule for Microsoft Remote Desktop Gateway 2008 and R2 has been created and appears on the Firewall page when the IPv4 filter is set.

Add Rule for Microsoft Remote Desktop Web 2008 and R2

(only available for IPv4 policy) This page describes how to configure a rule for Microsoft Remote Desktop Web 2008 and R2.

1. Go to Protect > Firewall and select IPv4 using the filter switch.

2. Click +Add Firewall Rule and Business Application Rule.

3. Specify the general rule details.

Application Template

Select Microsoft Remote Desktop Web 2008 and R2 to configure a rule for Microsoft Remote Desktop Web 2008 and R2.

Description

Enter a description for the rule.

Rule Position

Specify the position of the rule.

Available Options:

• Top

• Bottom

Rule Name

Specify a name to identify the rule.

Figure 84: About This Rule

4. Specify Hosted Server details.

Hosted Address

Specify the address of the hosted server to which the rule applies. It is the public IP address through which Internet users access an internal server/host.

Note: When a client establishes a connection and accesses the web server, the web server does not obtain the client’s real IP address. The server obtains the address of the interface used by the Web Application Firewall (WAF) since the connection is made through the WAF. The client’s real IP address is available in the HTTP header

Listening Port


Enter the port number on which the hosted web server can be reached externally over the Internet. Default is port 80 for plaintext communication (HTTP) and port 443 for encrypted communication (HTTPS).

HTTPS

Click to enable or disable HTTPS traffic.

HTTPS Certificate (available if HTTPS is enabled)

Select the HTTPS certificate to be used.

Redirect HTTP (available if HTTPS is enabled)

Click to redirect HTTP requests to HTTPS.

Domains

Use FQDN when you enter the domains the web server is responsible for, for example, shop.example.com.


Figure 85: Hosted Server

5. Specify Protected Server(s) details.

Path-specific routing

Enable path-specific routing to define the web server(s) to which incoming requests for a given path are forwarded.

You can send all URLs with a specific path, for example /products/, to one web server. Alternatively, you can assign more than one web server to a path and define how requests are distributed among them. You can also bind each session to one web server for its whole lifetime (sticky session), which may be necessary for an online shop where a user must stay on one server for the whole shopping session. Finally, you can send all requests to one web server and use the others only as a backup.

For each hosted web server, one default site path route (with path /) is created automatically. The device applies site path routes from the most specific, i.e., the longest path, down to the default route, which is used only if no more specific site path route matches the request. The order of the site path route list is therefore not relevant. If no route matches an incoming request (for example, because the default route was deleted), the request is denied.

Add New Path (available if Path-specific routing is enabled)

Click Add New Path to define a new path.

Add Path

Note: Add New Path will only be active after at least one web server and one hosted web server have been created.

Web Server (available if Path-specific routing is disabled)

Web servers are the application servers that are to be protected. Select a web server from the list of web servers or click Add New Item to add a web server.

A new web server can be created directly on this page or on the Protect > Web Server > Web Servers page.


Figure 86: Protected Server(s)

6. Specify Access Permission details (available if Path-specific routing is disabled).

Allowed Client Networks

Select the allowed host(s)/network(s).

Blocked Client Networks

Select the blocked host(s)/network(s).

Authentication

Select the web application authentication profile from the list of available profiles.

You can also create a new authentication profile on this page or on the Protect > Web Server > Authentication Policies page.

Figure 87: Access Permission

7. Add path Exceptions for the web servers.

Click Add New Exception to specify a new exception.

Add Exception

Figure 88: Exceptions

8. Specify Advanced settings.

a) Specify Policies for Business Applications.

Protection

Select an application protection policy for the server or create a new one. A new application protection policy can be created directly from this page or from the Protect > Web Server > Protection Policies page. You can also select None to apply no application protection.

Intrusion Prevention

Select an Intrusion Prevention policy for the rule or create a new one. A new IPS policy can be created directly from this page or from the Protect > Intrusion Prevention > IPS Policies page. You can also select None to apply no intrusion prevention.

Traffic Shaping

The traffic shaping policy allocates and limits the maximum bandwidth available to the user.

Select a traffic shaping policy for the rule or create a new one. A new traffic shaping policy can be created directly from this page or from the System > System Services > Traffic Shaping page. You can also select None to apply no traffic shaping.


Figure 89: Policies for Business Applications

b) Specify Additional Options for the added server.

Disable Compression Support

By default, this check box is cleared and content is sent compressed when the client requests compressed data. Compression increases transmission speed and reduces page load time. However, if websites are displayed incorrectly or users experience content-encoding errors when accessing your web servers, it may be necessary to disable compression. When the check box is selected, the WAF requests uncompressed data from the web servers of this hosted web server and sends it uncompressed to the client, regardless of the encoding parameter in the HTTP request.

Rewrite HTML

Select this option to have the device rewrite links in the returned web pages so that the links stay valid. Example: one of your web server instances has the hostname yourcompany.local, but the hosted web server's hostname on the device is yourcompany.com. Absolute links such as <a href="http://yourcompany.local/"> would be broken unless they are rewritten to <a href="http://yourcompany.com/"> before delivery to the client. You do not need to enable this option if yourcompany.com is also configured on your web server, or if internal links on your web pages are always relative links. It is recommended to use this option with Microsoft Outlook Web Access and/or SharePoint Portal Server.

Note: HTML rewriting affects all files with an HTTP content type of text/* or *xml*, where * is a wildcard. Make sure that other file types, e.g. binary files, have the correct HTTP content type; otherwise they may be corrupted by the HTML rewriting process.

Rewrite cookies (available only if Rewrite HTML is selected)

Select this option to have the device rewrite cookies of the returned web pages.

Pass Host Header

When you select this option, the Host header as sent by the client is preserved and forwarded with the request to the web server. Whether passing the Host header is necessary in your environment depends on the configuration of your web server.

Figure 90: Advanced

9. Click Save.

Note: As soon as a new HTTP-based rule configuration is created and saved, or an existing HTTP-based rule configuration is altered and saved, all HTTP-based business rules are restarted. Any client connection using an HTTP-based business rule is lost and has to be re-established.

The rule for Microsoft Remote Desktop Web 2008 and R2 has been created and appears on the Firewall page when the IPv4 filter is set.

Add Rule for Microsoft Sharepoint 2010 and 2013

(only available for IPv4 policy) This page describes how to configure a rule for Microsoft SharePoint 2010 and 2013.

1. Go to Protect > Firewall and select IPv4 using the filter switch.

2. Click +Add Firewall Rule and Business Application Rule.

3. Specify the general rule details.

Application Template

Select Microsoft Sharepoint 2010 and 2013 to configure a rule for Microsoft SharePoint 2010 and 2013.

Description

Enter a description for the rule.

Rule Position

Specify the position of the rule.

Available Options:

• Top

• Bottom

Rule Name

Specify a name to identify the rule.

Figure 91: About This Rule

4. Specify Hosted Server details.

Hosted Address

Specify the address of the hosted server to which the rule applies. It is the public IP address through which Internet users access an internal server/host.

Note: When a client establishes a connection and accesses the web server, the web server does not obtain the client’s real IP address. The server obtains the address of the interface used by the Web Application Firewall (WAF) since the connection is made through the WAF. The client’s real IP address is available in the HTTP header


Listening Port

Enter the port number on which the hosted web server can be reached externally over the Internet. Default is port 80 for plaintext communication (HTTP) and port 443 for encrypted communication (HTTPS).

HTTPS

Click to enable or disable HTTPS traffic.

HTTPS Certificate (available if HTTPS is enabled)

Select the HTTPS certificate to be used.

Redirect HTTP (available if HTTPS is enabled)

Click to redirect HTTP requests to HTTPS.

Domains

Use FQDN when you enter the domains the web server is responsible for, for example, shop.example.com.


Figure 92: Hosted Server

5. Specify Protected Server(s) details.

Path-specific routing

You can enable path-specific routing to define (a path) to which web servers incoming requests are forwarded.

You can define that all URLs with a specific path, for example, /products/, are sent to a specific web server. On the other hand you can allow more than one web server for a specific request but add rules how to distribute the requests among the servers. Additionally, you can define that each session is bound to one web server throughout its lifetime (sticky session). This may be necessary if you host an online shop and want to make sure that a user sticks to one server during the shopping session. You can also configure to send all requests to one web server and use the others only as a backup.

For each hosted web server, one default site path route (with path /) is created automatically. The device automatically applies the site path routes in the most reasonable way: starting with the strictest, i.e., longest paths and ending with the default path route which is only used if no other more specific site path route matches the incoming request. The order of the site path route list is not relevant. If no route matches an incoming request, (in case the default route was deleted), the request will be denied.

Add New Path (available if Path-specific routing is enabled)

Click Add New Path to define a new path.

Add Path

Note: Add New Path will only be active after at least one web server and one hosted web server have been created.

Web Server (available if Path-specific routing is disabled)

Web servers are the application servers that are to be protected. Select a web server from the list of web servers or click Add New Item to add a web server.

A new web server can be created directly from this page or from the Protect > Web Server > Web Servers page.


Figure 93: Protected Application Server(s)

6. Specify Access Permission details (available if Path-specific routing is disabled).

Allowed Client Networks

Select the allowed host(s)/network(s).

Blocked Client Networks

Select the blocked host(s)/network(s).

Authentication

Select the web application authentication profile from the list of available profiles.

You can also create a new authentication profile from this page or from the Protect > Web Server > Authentication Policies page.

Figure 94: Access Permission

7. Add path Exceptions for the web servers.

Click Add New Exception to specify a new exception.

Add Exception

Figure 95: Exceptions

8. Specify Advanced settings.

a) Specify Policies for Business Applications.

Protection

Select an application protection policy for the server or create a new one. A new application protection policy can be created directly from this page or from the Protect > Web Server > Protection Policies page. You can also select None to apply no application protection.

Intrusion Prevention

Select an Intrusion Prevention policy for the rule or create a new one. A new IPS policy can be created directly from this page or from the Protect > Intrusion Prevention > IPS Policies page. You can also select None to apply no intrusion prevention.

Traffic Shaping

The traffic shaping policy allocates & limits the maximum bandwidth usage of the user.

Select a traffic shaping policy for the rule or create a new one. A new traffic shaping policy can be created directly from this page or from the System > System Services > Traffic Shaping page. You can also select None to apply no traffic shaping.


Figure 96: Policies for Business Applications

b) Specify Additional Options for the added server.

Disable Compression Support

By default, this check box is disabled and the content is sent compressed when the client requests compressed data. Compression increases transmission speed and reduces page load time. However, if websites are displayed incorrectly or users experience content-encoding errors when accessing your web servers, it may be necessary to disable compression. When the check box is enabled, the WAF will request uncompressed data from the web servers of this hosted web server and will send it uncompressed to the client, independent of the HTTP request's encoding parameter.

Rewrite HTML

Select this option to have the device rewrite links of the returned web pages so that the links stay valid. Example: One of your web server instances has the hostname yourcompany.local, but the hosted web server's hostname on the device is yourcompany.com. Thus, absolute links like <a href="http://yourcompany.local/"> will be broken if the link is not rewritten to <a href="http://yourcompany.com/"> before delivery to the client. However, you do not need to enable this option if either yourcompany.com is configured on your web server or if internal links on your web pages are always realized as relative links. It is recommended to use the option with Microsoft's Outlook Web Access and/or SharePoint Portal Server.

Note: HTML rewriting affects all files with an HTTP content type of text/* or *xml*, where * is a wildcard. Make sure that other file types, e.g. binary files, have the correct HTTP content type, otherwise they may get corrupted by the HTML rewriting process.
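The content-type rule in the note above decides which responses the rewriting touches at all, and it is the reason a mislabelled binary can be corrupted. The following Python snippet models that decision together with the host rewrite from the example. It is an added example, not Sophos code: the two hostnames and the sample responses are constructed, and the regular expression is one plausible way to rewrite only complete hostnames in absolute URLs, not the device's implementation.

```python
"""Link rewriting restricted to text/* and *xml* content types, as the
Rewrite HTML option and its note describe. Added example, not Sophos code:
the hostnames and the sample responses are constructed."""
import fnmatch
import re

INTERNAL_HOST = "yourcompany.local"   # hostname the web server instance uses
PUBLIC_HOST = "yourcompany.com"       # hostname of the hosted web server on the device


def rewrite_applies(content_type: str) -> bool:
    """True for text/* and *xml* (the '*' is a wildcard), case-insensitively;
    parameters such as charset are ignored."""
    mime = content_type.split(";", 1)[0].strip().lower()
    return fnmatch.fnmatchcase(mime, "text/*") or fnmatch.fnmatchcase(mime, "*xml*")


# Match the internal host only as a complete host in an absolute URL: the
# lookahead stops 'yourcompany.local.example' from being rewritten.
_ABS_LINK = re.compile(r"(https?://)" + re.escape(INTERNAL_HOST) + r"(?=[/\"'\s>?#]|$)")


def rewrite_body(body: bytes, content_type: str) -> bytes:
    """Rewrite absolute links to the public hostname when the content type
    qualifies; other bodies (binary files with a correct type) pass through
    byte for byte. A binary file mislabelled as text/html is subjected to the
    same rewriting, which is the corruption risk the note warns about."""
    if not rewrite_applies(content_type):
        return body
    text = body.decode("utf-8", errors="surrogateescape")
    text = _ABS_LINK.sub(lambda m: m.group(1) + PUBLIC_HOST, text)
    return text.encode("utf-8", errors="surrogateescape")


if __name__ == "__main__":
    page = b'<a href="http://yourcompany.local/shop">Shop</a>'
    print(rewrite_body(page, "text/html; charset=utf-8"))
    print(rewrite_body(page, "application/octet-stream"))
```

The surrogateescape round trip keeps any non-UTF-8 bytes intact, so the only change made to a qualifying body is the hostname substitution itself; the content-type check, not the decoder, is what protects binary files.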

Rewrite cookies (available only if Rewrite HTML is selected)

Select this option to have the device rewrite cookies of the returned web pages.

Pass Host Header

When you select this option, the host header as requested by the client will be preserved and forwarded along with the web request to the web server. Whether passing the host header is necessary in your environment depends on the configuration of your web server.

Figure 97: Advanced

9. Click Save.

Note: As soon as a new HTTP-based rule configuration has been created and saved or an existing HTTP-based rule configuration has been altered and saved, all HTTP-based business rules will be restarted. Any underlying client connection using an HTTP-based business rule will be lost and has to be re-established.

The rule for Microsoft SharePoint 2010 and 2013 has been created and appears on the Firewall page when the IPv4 filter is set.

Add Path

This page describes how to define the path for which incoming requests are forwarded to specific real web servers (only available for HTTP-based business application rules).

1. Enable path-specific routing and click Add New Path.

2. Specify the path details.

Path

Enter the path for which you want to create the site path route.

Example: /products/.

Web Server

Select the web servers which are to be used for the specified path.

Authentication

Select the web app authentication profile. Select Create new to create a new authentication profile. You can also create an authentication profile from the Protect > Web Server > Authentication Policies page. See Add Authentication Policy on page 242.

Allowed Client Networks

Select or add the allowed networks that should be able to connect to the hosted web server.

Blocked Client Networks

Select or add the networks that should be blocked from connecting to the hosted web server.

Sticky session cookie

Click the toggle switch to ensure that each session is bound to one web server. If enabled, a cookie is passed to the user's browser, which causes Sophos XG Firewall to route all requests from this browser to the same real web server. If the server is not available, the cookie will be updated, and the session will switch to another web server.

Hot-standby mode

Click the toggle switch if you want to send all requests to the first selected web server, and use the other web servers only as a backup. The backup servers are only used in case the main server fails.

As soon as the main server starts functioning, the sessions will switch back - unless you have selected the Sticky session cookie option.


Figure 98: Add New Path

3. Click Save.

Add Exception

This page describes how to specify path exceptions for the web servers (only available for HTTP-based business application rules).

1. Click Add New Exception.

2. Specify exception details.

Path

Specify the path which you want to exclude.

Operation

Select the operation (AND or OR) that combines the Path and Source conditions.

Source

Specify the source networks where the client request comes from and which are to be exempted from the selected check(s).


Skip these Checks

Cookie Signing

Click to skip cookie signing. Cookie signing protects a web server against manipulated cookies.

When the web server sets a cookie, a second cookie is added to the first cookie containing a hash built of the primary cookie's name, its value and a secret, where the secret is only known by the WAF. Thus, if a request cannot provide a correct cookie pair, there has been some sort of manipulation and the cookie will be dropped.

Static URL Hardening

Protects against URL rewriting. When a client requests a website, all static URLs of the website are signed. The signing uses a similar procedure as with cookie signing. Additionally the response from the web server is analyzed in respect to the links that can be validly requested next.

Form Hardening

Click to skip form hardening. Form hardening protects against web form rewriting. Form hardening saves the original structure of a web form and signs it. Therefore, if the structure of a form has changed when it is submitted the WAF rejects the request.
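Cookie signing and form hardening, as described above, both rest on the same idea: the WAF computes a keyed hash over something it has already seen (a cookie it set, a form it delivered) and refuses the request when the client presents something that no longer matches. The following Python model shows both checks side by side. It is an added example, not Sophos code: the secret, the companion cookie name suffix, the hidden form field name and the sample form are constructed, and the exact signing layout the WAF uses is not documented on this page and is an assumption.

```python
"""HMAC-based cookie signing and form hardening, modelled on the WAF checks
described in the manual. Added example, not Sophos code: the secret, the
cookie name suffix, the hidden field name and the sample form are constructed,
and the signing layout is an assumption."""
import hashlib
import hmac
from html.parser import HTMLParser
from typing import Dict, List

SECRET = b"constructed-waf-secret-replace-in-real-deployments"  # known only to the WAF
SIG_SUFFIX = "_sig"           # constructed name for the companion cookie
FORM_SIG_FIELD = "__waf_sig"  # constructed name for the hidden signature field


def _sign(*parts: str) -> str:
    """HMAC-SHA256 over the parts, joined with a separator so that
    (name='a', value='bc') and (name='ab', value='c') sign differently."""
    msg = "\x00".join(parts).encode("utf-8")
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


# --- Cookie signing -----------------------------------------------------
def sign_set_cookie(name: str, value: str) -> Dict[str, str]:
    """Cookie pair the WAF emits: the original plus HMAC(name, value, secret)."""
    return {name: value, name + SIG_SUFFIX: _sign("cookie", name, value)}


def verify_cookies(cookies: Dict[str, str]) -> Dict[str, str]:
    """Keep only cookies whose companion signature verifies; a cookie without a
    correct pair is dropped. Signature cookies are never forwarded themselves."""
    accepted: Dict[str, str] = {}
    for name, value in cookies.items():
        if name.endswith(SIG_SUFFIX):
            continue
        provided = cookies.get(name + SIG_SUFFIX, "")
        if hmac.compare_digest(_sign("cookie", name, value), provided):
            accepted[name] = value
    return accepted


# --- Form hardening -----------------------------------------------------
class _FieldNames(HTMLParser):
    """Collect the names of the form's input fields, i.e. its structure."""

    def __init__(self) -> None:
        super().__init__()
        self.names: List[str] = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("input", "select", "textarea") and a.get("name"):
            self.names.append(a["name"])


def form_structure(html: str) -> str:
    parser = _FieldNames()
    parser.feed(html)
    return ";".join(sorted(parser.names))


def harden_form(html: str) -> str:
    """Signature over the original form structure, to be embedded as a hidden field."""
    return _sign("form", form_structure(html))


def verify_submission(fields: Dict[str, str]) -> bool:
    """Accept the submission only if the submitted field set still matches the
    signed structure: an added, renamed or removed field changes the signature."""
    provided = fields.get(FORM_SIG_FIELD)
    if provided is None:
        return False  # unhardened form data: rejected unless an exception allows it
    names = sorted(n for n in fields if n != FORM_SIG_FIELD)
    return hmac.compare_digest(_sign("form", ";".join(names)), provided)
```

The "Accept unhardened form data" option further down in this section corresponds to the `provided is None` branch: without it, a form that reaches the WAF without its signature (for example one cached by the client before hardening was enabled) is rejected even when an exception for form hardening exists.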

Anti-virus

Select this option to protect a web server against viruses.

Block clients with bad reputation

Based on GeoIP and RBL information you can block clients which have a bad reputation according to their classification.

Skip these categories

Protocol Violations

Enforces adherence to the RFC standard specification of the HTTP protocol. Violating these standards usually indicates malicious intent.

Protocol Anomalies

Searches for common usage patterns. Lack of such patterns often indicates malicious requests.

These patterns include, among other things, HTTP headers like 'Host' and 'User-Agent'.

Request Limits

Enforces reasonable limits on the amount and ranges of request arguments. Overloading request arguments is a typical attack vector.

HTTP Policy

Narrows down the allowed usage of the HTTP protocol. Web browsers typically use only a limited subset of all possible HTTP options. Disallowing the rarely used options protects against attackers aiming at these often less well supported options.

Bad Robots

Checks for usage patterns characteristic of bots and crawlers. By denying them access, possible vulnerabilities on your web servers are less likely to be discovered.

Generic Attacks

Searches for attempted command executions common to most attacks. After having breached a web server, an attacker usually tries to execute commands on the server like expanding privileges or manipulating data stores. By searching for these post-breach execution attempts, attacks can be detected that might otherwise have gone unnoticed, for example because they targeted a vulnerable service by the means of legitimate access.

SQL Injection Attacks

Checks for embedded SQL commands and escape characters in request arguments. Most attacks on web servers target input fields that can be used to direct embedded SQL commands to the database.

XSS Attacks


Checks for embedded script tags and code in request arguments. Typical cross-site scripting attacks aim at injecting script code into input fields on a target web server, often in a legitimate way.

Tight Security

Performs tight security checks on requests, like checking for prohibited path traversal attempts.

Trojans

Checks for usage patterns characteristic of trojans, thus searching for requests indicating trojan activity. It does not, however, prevent the installation of such trojans as this is covered by the antivirus scanners.

Outbound

Prevents web servers from leaking information to the client. This includes, among other things, error messages sent by servers which attackers can use to gather sensitive information or detect specific vulnerabilities.

Advanced

Never change HTML during static URL hardening or form hardening

If selected, no data matching the defined exception settings will be modified by the WAF engine.

With this option, e.g., binary data wrongly supplied with a text/html content type by the web server will not be corrupted. On the other hand, web requests may be blocked due to activated URL hardening, HTML rewriting, or form hardening. Those three features use an HTML parser and therefore to some extent depend on the modification of web page content. To prevent undesired blocking, skip URL hardening and/or form hardening for requests affected by blocking; you might need to do this in another/new exception to reflect dependencies between web servers and/or web pages.

Accept unhardened form data

Even with an exception for form hardening, form data may not be accepted if the form hardening signature is missing. With this option, unhardened form data will be accepted anyway.


Figure 99: Add New Exception


3. Click Save.
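The Path, Operation and Source fields of an exception, taken together, decide which requests the selected checks are skipped for. The following Python model evaluates a list of exceptions against a request and returns the checks that still apply. It is an added example, not Sophos code: the exception entries, networks and sample requests are constructed, and both the prefix match for Path and the AND/OR semantics implemented here are assumptions about the device's behaviour.

```python
"""Exception matching for the Path, Operation (AND/OR) and Source fields
described in the Add Exception steps, and the set of checks a request is
still subjected to. Added example, not Sophos code: the exception entries,
networks and requests are constructed, and prefix matching for Path plus
the AND/OR semantics are assumptions."""
import ipaddress
from dataclasses import dataclass, field
from typing import Iterable, List, Set

# Constructed names for the checks an exception can skip.
ALL_CHECKS = {"cookie_signing", "url_hardening", "form_hardening", "antivirus", "bad_reputation"}


@dataclass
class WafException:
    paths: List[str]                 # Path: paths to exclude (prefix match assumed)
    operation: str                   # Operation: "AND" or "OR" combining Path and Source
    sources: List[str]               # Source: client networks in CIDR notation
    skip_checks: Set[str] = field(default_factory=set)  # Skip these Checks

    def _path_matches(self, path: str) -> bool:
        return any(path.startswith(p) for p in self.paths)

    def _source_matches(self, client_ip: str) -> bool:
        addr = ipaddress.ip_address(client_ip)
        return any(addr in ipaddress.ip_network(n, strict=False) for n in self.sources)

    def applies(self, path: str, client_ip: str) -> bool:
        """AND: both conditions must hold; OR: either one is enough."""
        p, s = self._path_matches(path), self._source_matches(client_ip)
        if self.operation == "AND":
            return p and s
        if self.operation == "OR":
            return p or s
        raise ValueError(f"unknown operation: {self.operation}")


def checks_to_run(exceptions: Iterable[WafException], path: str, client_ip: str) -> Set[str]:
    """Checks that remain active for a request after every matching exception
    has removed the ones it skips."""
    skipped: Set[str] = set()
    for ex in exceptions:
        if ex.applies(path, client_ip):
            skipped |= ex.skip_checks
    return ALL_CHECKS - skipped


# Constructed exceptions: form hardening skipped for an API path only when the
# request comes from the internal network (AND); cookie signing skipped for a
# health endpoint or for anything from a monitoring subnet (OR).
EXCEPTIONS = [
    WafException(["/api/"], "AND", ["10.0.0.0/8"], {"form_hardening"}),
    WafException(["/healthz"], "OR", ["192.0.2.0/24"], {"cookie_signing"}),
]

if __name__ == "__main__":
    for req in (("/api/v1/orders", "10.1.2.3"), ("/api/v1/orders", "203.0.113.5"), ("/login", "192.0.2.9")):
        print(req, sorted(checks_to_run(EXCEPTIONS, *req)))
```

The difference between the two operations is what makes OR the one to review carefully: with OR, a broad Source network alone is enough to disable the selected checks for every path on the server.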

Application Protection Templates for common non-HTTP Applications

SF-OS offers several pre-configured templates to create a protection rule for commonly used non-HTTP applications and services. You can use these templates to create a rule that is close to your configuration, then modify it to fit your needs.

Pre-defined templates include:

1. DNAT/Full NAT/Load Balancing

2. Mail Servers (SMTP)

Add DNAT/Full NAT/Load Balancing Rule

This page describes how to configure a DNAT/Full NAT/Load Balancing (Non-web) rule.

A DNAT/Full NAT/Load Balancing based rule is used to protect non-web servers, like mail or other servers hosted inside the network (LAN or DMZ). Using this rule, you can define access rights of such servers to users who require access over the WAN or Internet.

1. Go to Protect > Firewall and select between IPv4 or IPv6 using the default filter.

2. Now, click +Add Firewall Rule and select Business Application Rule.

3. Specify the general rule details.

Application Template

Select DNAT/Full NAT/Load Balancing to configure a rule for generic Non-Web based applications.

Description

Enter a description for the rule.

Rule Position

Specify the position of the rule.

Available Options: Top, Bottom

Rule Name

Specify a name to identify the rule.

Figure 100: About This Rule

4. Specify Source details.

Source Zones

Select a source zone or click Add New Item to define a new LAN or DMZ zone.

Allowed Client Networks

Select the allowed host(s) or add a new one by clicking Add New Item.

Blocked Client Networks

Select the blocked host(s)/network(s).

Figure 101: Source

5. Specify Destination & Service details.

Destination Host/Network

Select the destination host/network to which the rule applies. This is the public IP address through which users access an internal server/host over the Internet.

Available Options:

IP Address: The specified IP address is mapped to a corresponding single mapped IP address or a range of IP addresses. If a single IP address is mapped to a range of IP addresses, the device uses a round robin algorithm to load balance the requests.

IP Range (only available for IPv4): The specified IP address range is mapped to a corresponding range of mapped IP addresses. The IP range defines the start and end of an address range. The start of the range must be lower than the end of the range.

Interface IP: Select when any of the device port, alias or virtual LAN (VLAN) sub-interface is required to be mapped to the destination host or network.

Forward Type

Select the type of external port from the available options.

Available Options: Port, Port Range, Port List, Everything

When Everything is selected, all ports are forwarded. Select other options to enable custom port forwarding and specify port forwarding details.

Service Port(s) Forwarded (not available if Forward Type selected is Everything)

Specify the public port number for which you want to configure port forwarding.

Protocol (not available if Forward Type selected is Everything)

Select the protocol TCP or UDP to be used by forwarded packets.


Figure 102: Destination and Service

6. Specify Forward To details.

Protected Server(s)

From the available options, select the application server(s) that host the protected service.

Available options:

IP Address – The external IP address is mapped to the specified IP address.

IP Range – The external IP address range is mapped to the specified IP address range.

IP List – The external IP address is mapped to the specified IP list.

FQDN – The external IP address is mapped to the specified FQDN. The internal mapped server can be accessed by FQDN. This option is only available for IPv4 virtual hosts.

Mapped Port Type (available only if Change Destination Port(s) is selected)

Select the type of mapped port from the available options.

Available Options: Port, Port Range, Port List

Mapped Port (available only if Change Destination Port(s) is selected)

Specify the mapped port number on the destination network to which the public port number is mapped.

Protected Zone

Select the zone to which the rule applies.

Change Destination Port(s)

Select the check box to specify a different mapped port. Clear the check box to use the same Service Port(s) Forwarded as the mapped port.

Figure 103: Forward To

7. Specify Load balancing details.

Load Balancing (available only if the selected Protected Server is IP Range or IP List, or the selected Destination Host/Network is IP Address)

Select the method for load balancing from the available options.

Available Options:

Round Robin - In this method, requests are served in a sequential manner where the first request is forwarded to the first server, the second request to the second server and so on. When a request is received, the device checks to see which was the last server that was assigned a request. It then assigns this new request to the next available server. This method can be used when equal distribution of traffic is required and there is no need for session persistence.

First Alive - In this method, all incoming requests are served by the first server (the first IP address that is configured in the IP range). This server is considered as the primary server and all others are considered as backup. Only when the first server fails are the requests forwarded to the next server in line. This method is used for failover scenarios.

Random - In this method, the requests are forwarded to the servers randomly. Nevertheless, the device makes sure that all configured servers receive equally distributed load. Hence, this method is also called uniform random distribution. This method can be used when equal distribution of traffic is required and there is no need for session persistence or order of distribution.

Sticky IP - In this method, along with the Round Robin distribution of traffic, the device forwards incoming traffic according to the source IP address. All traffic from a particular source is forwarded only to its mapped server. This means that all requests for a given source IP are sent to the same application server instance. This method is useful in cases where all requests or sessions are required to be processed by the same server. For example: banking websites, e-commerce websites.
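The four load balancing methods above, and the Hot-standby mode and sticky session cookie of the Add Path page earlier in this chapter, are all answers to the same question: given the configured servers and their current health, which one receives this request? The following Python model implements the four methods as described (First Alive is the same behaviour as Hot-standby mode). It is an added example, not Sophos code: the server addresses, client addresses and health state are constructed, and health is set by hand rather than by a probe.

```python
"""Backend selection for the Round Robin, First Alive, Random and Sticky IP
methods described in the manual (Hot-standby mode in Add Path behaves like
First Alive). Added example, not Sophos code: addresses and health state are
constructed."""
import random
from typing import Dict, List, Optional


class Balancer:
    def __init__(self, servers: List[str], method: str, seed: Optional[int] = None):
        self.servers = list(servers)        # configured order; first = primary for First Alive
        self.method = method
        self.alive = set(servers)           # servers currently passing the health check
        self._last = -1                     # index of the last server assigned a request
        self._sticky: Dict[str, str] = {}   # source IP -> server (Sticky IP)
        self._rng = random.Random(seed)     # seed only to make the demo reproducible

    def mark_down(self, server: str) -> None:
        self.alive.discard(server)

    def mark_up(self, server: str) -> None:
        self.alive.add(server)

    def _round_robin(self) -> Optional[str]:
        """Next available server after the last one assigned; failed servers are skipped."""
        for _ in range(len(self.servers)):
            self._last = (self._last + 1) % len(self.servers)
            if self.servers[self._last] in self.alive:
                return self.servers[self._last]
        return None

    def pick(self, client_ip: str) -> Optional[str]:
        """Return the server for one request, or None if every server is down."""
        healthy = [s for s in self.servers if s in self.alive]
        if not healthy:
            return None
        if self.method == "round_robin":
            return self._round_robin()
        if self.method == "first_alive":
            return healthy[0]              # primary; backups only while it is down
        if self.method == "random":
            return self._rng.choice(healthy)  # uniform over the healthy servers
        if self.method == "sticky_ip":
            server = self._sticky.get(client_ip)
            if server not in self.alive:   # first request, or the mapped server failed
                server = self._round_robin()
                self._sticky[client_ip] = server
            return server
        raise ValueError(f"unknown load balancing method: {self.method}")


if __name__ == "__main__":
    lb = Balancer(["10.0.0.1", "10.0.0.2", "10.0.0.3"], "sticky_ip")
    print([lb.pick(ip) for ip in ("198.51.100.7", "198.51.100.8", "198.51.100.7")])
```

Note what the sticky mapping does after a failure: the client is re-mapped to another server and stays there even when the original one returns, which is exactly the interaction the Add Path page describes between Hot-standby mode and the sticky session cookie.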

Health Check (available only if Load Balancing is enabled)

Click to enable a health check for failover and specify the parameters based on the description shown below.

Port (available only if selected Health Check Method is TCP Probe)

Specify the port number on the server at which health is monitored.

Acceptable range: 1 to 65535

Interval

Specify the time interval in seconds after which the health will be monitored.

Acceptable range: 5 to 65535 seconds

Default: 60

Probe Method

Select the probe method to check the health of the server from the available options.

Available Options: ICMP, TCP

Timeout

Specify the time interval in seconds within which the server must respond.

Acceptable range: 1 to 10 seconds

Default: 2

Retries


Specify the number of tries to probe the health of the server, after which the server will be declared unreachable.

Acceptable range: 1 to 10

Default: 3
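The Port, Interval, Timeout and Retries parameters above define a simple state machine: probe every Interval seconds, give the server Timeout seconds to answer, and declare it unreachable only after Retries consecutive failures. The following Python example implements that state machine for a TCP probe and exercises it against a throw-away listener on 127.0.0.1. It is an added example, not Sophos code: the listener is constructed for the demonstration, the probe is a plain TCP connect, and Interval is only carried as a validated setting (a scheduler would call run_once() every `interval` seconds).

```python
"""TCP-probe health check with the Port, Interval, Timeout and Retries
parameters described in the manual. Added example, not Sophos code: the probe
target is a throw-away listener on 127.0.0.1, and Interval is only carried
as a setting."""
import socket
import time
from dataclasses import dataclass


@dataclass
class HealthCheck:
    host: str
    port: int               # acceptable range 1 to 65535
    interval: float = 60.0  # seconds between probes, 5 to 65535 (default 60)
    timeout: float = 2.0    # seconds the server has to answer, 1 to 10 (default 2)
    retries: int = 3        # consecutive failures before 'unreachable', 1 to 10 (default 3)
    failures: int = 0       # consecutive failed probes so far
    reachable: bool = True  # a server starts as reachable until proven otherwise

    def __post_init__(self) -> None:
        if not 1 <= self.port <= 65535:
            raise ValueError("port must be 1..65535")
        if not 5 <= self.interval <= 65535:
            raise ValueError("interval must be 5..65535 seconds")
        if not 1 <= self.timeout <= 10:
            raise ValueError("timeout must be 1..10 seconds")
        if not 1 <= self.retries <= 10:
            raise ValueError("retries must be 1..10")

    def probe_tcp(self) -> bool:
        """One TCP probe: healthy if the handshake completes within `timeout`."""
        try:
            with socket.create_connection((self.host, self.port), timeout=self.timeout):
                return True
        except OSError:  # refused, unreachable or timed out
            return False

    def run_once(self) -> bool:
        """Run one probe and update the state: a server is declared unreachable
        only after `retries` consecutive failures and recovers on the next success."""
        if self.probe_tcp():
            self.failures = 0
            self.reachable = True
        else:
            self.failures += 1
            if self.failures >= self.retries:
                self.reachable = False
        return self.reachable


def start_listener() -> socket.socket:
    """Constructed probe target: a listener on an ephemeral localhost port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv


def demo() -> tuple:
    """Probe a live listener once, close it, then probe three more times.
    Returns (first result, the three later results, consecutive failures)."""
    srv = start_listener()
    hc = HealthCheck("127.0.0.1", srv.getsockname()[1], timeout=1, retries=3)
    up = hc.run_once()
    srv.close()
    time.sleep(0.1)
    later = [hc.run_once() for _ in range(3)]
    return up, later, hc.failures


if __name__ == "__main__":
    print(demo())  # (True, [True, True, False], 3)
```

The retry counter is what separates a brief hiccup from an outage: with the defaults, a server is taken out of rotation only after three probes spanning three intervals have failed, and a single successful probe brings it back.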


Figure 104: Load Balancing

8. Specify Identity details.

Match known users

Match rule based on user identity allows you to check whether the specified user/user group from the selected zone is allowed to access the selected service or not.

Click to attach the user identity.

Enable check identity to apply the following policies per user.

Show Captive Portal to unknown users

Select the check box to accept traffic from unknown users. Captive portal page is displayed to the user where the user can login to access the Internet.

Clear the check box to drop traffic from unknown users.

User or Groups (available if Match known users is selected)

Select the user(s) or group(s) from the list of available options.

Exclude this user activity from data accounting (available if Match known users is selected)

Click to exclude or include this user's traffic activity in data accounting.

By default, user’s network traffic is considered in data accounting. Select to exclude certain traffic from user data accounting. The traffic allowed through this firewall rule will not be accounted towards data transfer for the user.

Figure 105: Identity

9. Specify Advanced settings details.

a) Specify Policies for Business Applications.

Intrusion Prevention

Select the required IPS policy. If Match rule based on user identity is enabled, the user's IPS policy will be applied automatically, but will not be effective until the respective module is subscribed. A new IPS policy can be created directly from this page or from the Protect > Intrusion Prevention > IPS Policies page.

Traffic Shaping Policy

Select the required traffic shaping policy. If Match rule based on user identity is enabled, user’s traffic shaping policy will be applied automatically.

You need to select traffic shaping policy for the rule if Match known users is not selected.

A new traffic shaping policy can be created directly from this page or from the System > Profiles > Traffic Shaping page.


Figure 106: Policies for Business Applications

b) Specify Security Heartbeat details (available only if IPv4 is selected).

Minimum Source HB Permitted

Select a minimum health status that a source device must have to conform to this rule. Health status can be either Green, Yellow or No Restriction. If the health criterion is not met, access and privileges defined in this rule will not be granted to the user.

Block clients with no heartbeat

Heartbeat-capable devices can be required to send information on their health status in defined intervals - this is called a heartbeat.

Based on that information, you can restrict a source device's access to certain services and networks.

Enable the option to require the sending of heartbeats.

Block request to destination with no heartbeat (not available if Protected Zone selected is WAN)

Heartbeat-capable devices can be required to send information on their health status in defined intervals - this is called a heartbeat.

Based on that information, you can block requests to destinations not sending heartbeat.

Enable/disable the option to require the sending of heartbeats.

Figure 107: Synchronized Security

c) Specify Routing details.

Rewrite source address (Masquerading)

Enable/disable to re-write the source address or specify a NAT policy.

Use Outbound Address (available only if Rewrite source address is enabled)

Select the NAT policy to be applied from the list of available NAT policies.

A new NAT policy can be created directly from this page or from the System > Profiles > Network Address Translation page.

The default NAT policy is Masquerade.

MASQ (Interface Default IP): The IP address of the selected Protected Zone as configured in Configure > Network > Interfaces will be displayed instead of (Interface Default IP).

Create Reflexive Rule

Enable to automatically create a reflexive firewall rule for the protected host.

A reflexive rule has the same policies as those rules configured for the hosted server but instead of source zone to destination zone, this rule is applicable on traffic from destination zone to source zone.

By default, the reflexive rule is not created.

Figure 108: Routing

10. Specify the logging option for the user application traffic.

Log Firewall Traffic

Click to enable logging of permitted and denied traffic.

Figure 109: Log Traffic

11. Click Save.

The non-web based rule has been created and appears on the Firewall page when the appropriate filter is set.


Add Rule for Email Clients (POP and IMAP)

The Email Clients (POP and IMAP) rule is used to protect mail servers which are hosted publicly (WAN). This page describes how to configure a protection rule and control access to mail servers using the Email Clients application template.

Note:

If you delete the Email Clients rule, the emails that are being processed by this rule will be queued but will not be delivered.

We recommend following the steps below so that you do not lose the emails processed by this rule:

1. Before deleting this rule, clone this rule by choosing Clone Above option and change the Action to Drop.

This cloned rule will hold all the incoming emails.

2. Go to Email > Mail Spool and check if spool is empty.

3. Once the spool is empty, delete both the firewall rules.

1. Go to Protect > Firewall and select between IPv4 or IPv6 using the default filter.

2. Now, click +Add Firewall Rule and select Business Application Rule.

3. Specify the general rule details.

Application Template

Select Email Clients (POP & IMAP) to define an application filter policy for POP and IMAP based email clients.

Description

Specify the rule description.

Rule Position

Specify the position of the rule.

Available Options: Top, Bottom

Rule Name

Specify a name to identify the rule.

Figure 110: About This Rule

4. Specify Source details.

Zone

Select the allowed source zone(s).

Networks

Select the allowed source network(s). A new network host can be created directly from this page or from the System > Hosts and Services > IP Host page.

Figure 111: Source

5. Specify Destination details.

Zone

Select the zone to which the rule applies.

Networks

Select the network(s) to be protected.

A new network host can be created directly from this page or from the System > Hosts and Services > IP Host page.


Figure 112: Destination

6. Specify Identity details.

Match rule based on user identity

Click to enable a rule based on the user identity.

Show Captive Portal to unknown users

Select the check box to accept traffic from unknown users. Captive portal page is displayed to the user where the user can login to access the Internet.

Clear the check box to drop traffic from unknown users.

User or Groups (available only if Match rule based on user identity is enabled)

Select the user(s) or group(s) from the list of available options.

Exclude this user activity from data accounting (only available if Match rule based on user identity is enabled)

Click to exclude or include this user's traffic activity in data accounting.

By default, user’s network traffic is considered in data accounting. Select to exclude certain traffic from user data accounting. The traffic allowed through this rule will not be accounted towards data transfer for the user.

Figure 113: Identity

7. Specify Malware Scanning details.

Scan IMAP/IMAPS/POP3/POP3S/SMTP/SMTPS

Click to enable/disable scanning of IMAP/IMAPS/POP3/POP3S/SMTP/SMTPS traffic.

Figure 114: Malware Scanning

8. Specify Advanced settings.

a) Specify Policies for Business Applications.

Intrusion Prevention

Select an IPS policy for the rule. A new IPS policy can be created directly from this page itself or from the Protect > Intrusion Prevention > IPS Policies page.

Traffic Shaping (Not available if Match rule based on user identity is selected)

Select a traffic shaping policy for the rule.

A traffic shaping policy allocates & limits the maximum bandwidth usage of the user.

A new traffic shaping policy can be created directly from this page or from the System > Profiles > Traffic Shaping page.


Figure 115: Policies for Business Applications

b) Specify Security Heartbeat settings (available only if IPv4 is selected).

Minimum Source HB Permitted

Select a minimum health status that a source device must have to conform to this rule. Health status can be either Green, Yellow or No Restriction. If the health criterion is not met, access and privileges defined in this rule will not be granted to the user.

Block clients with no heartbeat

Heartbeat-capable devices can be required to send information on their health status in defined intervals - this is called a heartbeat.

Based on that information, you can restrict a source device's access to certain services and networks.

Enable/disable the option to require the sending of heartbeats.

Minimum Destination HB Permitted (Not available if the only Destination Zone selected is WAN)

Select a minimum health status that a destination device must have to conform to this rule. Health status can be either Green, Yellow or No Restriction. If the health criterion is not met, access and privileges defined in this policy will not be granted to the user.

Note: You can use the option if you have selected multiple zones along with WAN.

Block request to destination with no heartbeat (Not available if the only Destination Zone selected is WAN)

Heartbeat-capable devices can be required to send information on their health status in defined intervals - this is called a heartbeat.

Based on that information, you can block requests to destinations not sending heartbeat.

Enable/disable the option to require the sending of heartbeats.

Note: You can use the option if you have selected multiple zones along with WAN.


Figure 116: Security Heartbeat

c) Specify Routing details.

Rewrite source address (Masquerading)

Enable/disable to re-write the source address or specify a NAT policy.

Use Gateway Specific Default NAT Policy (only if Masquerading is selected)

Select to override the default NAT policy with a gateway specific policy.

Override default NAT policy for specific Gateway (only if Use Gateway Specific Default NAT Policy is selected)

Select to specify gateway and corresponding NAT policy. Multiple gateways and NAT policies can be added.

Use Outbound Address (available only if Rewrite source address is enabled and Use Gateway Specific Default NAT Policy is disabled)

Select the NAT policy to be applied from the list of available NAT policies.

A new NAT policy can be created directly from this page or from the System > Profiles > Network Address Translation page.

The default NAT policy is Masquerade.

MASQ (Interface Default IP)

• IP Address of the Destination Zone as configured in Configure > Network > Interfaces will be displayed instead of (Interface Default IP) when single Destination Zone is selected.

• (Interface Default IP) will be displayed when multiple Destination Zones are selected.

Primary Gateway

Select the primary gateway to route the request. You can create new gateway from this page itself or from Configure > Routing > Gateways.

Note: On deletion of the gateway, Primary Gateway will display WAN Link Load Balance for the WAN Destination Zone and None for other zones. In such a case, the firewall rule will not make routing decisions.

Backup Gateway

Select the backup gateway to route the request. You can create new gateway from this page itself or from Configure > Routing > Gateways.

Note: On deletion of the gateway, Backup Gateway will display None.

Figure 117: Routing

9. Specify logging option for the user application traffic.

Log Firewall Traffic

Click to enable logging of permitted and denied traffic.

Figure 118: Log Traffic

Add Rule for Email Servers (SMTP)

This page describes how to configure a rule for email servers (SMTP).

1. Go to Protect > Firewall and select between IPv4 or IPv6 using the default filter.

2. Now, click +Add Firewall Rule and select Business Application Rule.

3. Specify the general rule details.

Application Template

Select Email Servers (SMTP) to configure a rule for SMTP based email applications.

Description

Specify the policy description.

Rule Position

Specify the position of the rule.

Available Options: Top, Bottom

Rule Name

Specify a name to identify the policy.

Figure 119: About This Rule

4. Specify Source details.

Source Zones

Click to select the source zone. Click Add New Item to define a new LAN or DMZ zone.

Allowed Client Networks

Select the allowed host(s) or add a new one by clicking Add New Item.

Blocked Client Networks


Select the blocked host(s)/network(s).

Figure 120: Source

5. Specify Destination & Service details.

Destination Host/Network

Select the destination host/network to apply rule. It is the public IP address through which users access internal server/host over the Internet.

Available Options:

• IP Address – The specified IP address is mapped to a corresponding single mapped IP address or range of IP addresses. If a single IP address is mapped to a range of IP addresses, the device uses a round robin algorithm to load balance the requests.

• IP Range – The specified IP address range is mapped to a corresponding range of mapped IP addresses. The IP range defines the start and end of an address range. The start of the range must be lower than the end of the range.

• Interface IP (only available for IPv4) – Select when any device port, alias or virtual LAN (VLAN) sub-interface is to be mapped to the destination host or network.

Forward Type

Select the type of external port from the available options.

Available Options: Port, Port Range, Port List, Everything

When Everything is selected, all ports are forwarded. Select other options to enable custom port forwarding and specify port forwarding details.

Service Port(s) Forwarded (not available if Forward Type selected is Everything)

Specify the public port number for which you want to configure port forwarding.

Protocol (not available if Forward Type selected is Everything)

Select the protocol TCP or UDP to be used by forwarded packets.


Figure 121: Destination and Service

6. Specify Forward To details.

Protected Server(s)

Select from the available options on which the email server is to be hosted.

Available options:

• IP Address – The external IP address is mapped to the specified IP address.

• IP Range – The external IP address range is mapped to the specified IP address range.

• IP List – The external IP address is mapped to the specified IP list.

• FQDN (available only for IPv4 virtual hosts) – The external IP address is mapped to the specified FQDN. The internal mapped server can be accessed by FQDN.

Mapped Port Type (available only if Change Destination Port(s) is selected)

Select the type of mapped port from the available options.

Available Options: Port, Port Range, Port List

Mapped Port (available only if Change Destination Port(s) is selected)

Specify mapped port number on the destination network to which the public port number is mapped.

Protected Zone

Select the zone to which the email server rule applies.

Change Destination Port(s)

Select the check box to specify a different mapped port. Clear the check box to use the same Service Port(s) Forwarded as the mapped port.


Figure 122: Forward To

7. Specify Load balancing details.

Load Balancing (available only if the selected Protected Server is IP Range or IP List and the selected Destination Host/Network is IP Address)

Select the method for load balancing from the available options.

Available Options:

• Round Robin - Requests are served in sequence: the first request is forwarded to the first server, the second request to the second server, and so on. When a request arrives, the device checks which server was assigned the last request and hands the new request to the next available server. Use this method when equal distribution of traffic is required and there is no need for session persistence.

• First Alive - All incoming requests are served by the first server (the first IP address configured in the IP range). This server is the primary server and all others are backups. Only when the first server fails are requests forwarded to the next server in line. This method is used for failover scenarios.

• Random - Requests are forwarded to the servers at random, but the device makes sure that all configured servers receive an equal share of the load; hence this method is also called uniform random distribution. Use it when equal distribution of traffic is required and neither session persistence nor the order of distribution matters.

• Sticky IP - In addition to Round Robin distribution, the device forwards incoming traffic according to its source IP address: all traffic from a particular source is forwarded only to the server it was mapped to, so all requests from a given source IP are handled by the same application server instance. This method is useful where all requests or sessions must be processed by the same server, for example banking or e-commerce websites.

Health Check (available only if Load Balancing is enabled)

Click to enable health check for failover and specify the parameters based on the description shown below.

Port (available only if selected health check method is TCP Probe)

Specify the port number on the server on which health is monitored.

Acceptable range: 1 to 65535

Interval

Specify the time interval in seconds after which the health will be monitored.

Acceptable range: 5 to 65535 seconds

Default: 60

Probe Method

Select the probe method to check the health of the server from the available options.

Available Options: ICMP, TCP

Timeout

Specify the time interval in seconds within which the server must respond.

Acceptable range: 1 to 10 seconds

Default: 2

Retries

Specify the number of tries to probe the health of the server, after which the server will be declared unreachable

Acceptable range: 1 to 10

Default: 3


Figure 123: Load Balancing

8. Specify Identity details.

Match known users

Match known users allows you to check whether the specified user/user group from the selected zone is allowed to access the selected service or not.

Click to attach the user identity.

Show Captive Portal to unknown users

Select the check box to accept traffic from unknown users. Captive portal page is displayed to the user where the user can login to access the Internet.

Clear the check box to drop traffic from unknown users.

User or Groups (available only if Match known users is enabled)

Select the user(s) or group(s) from the list of available options.

Exclude this user activity from data accounting (available only if Match known users is enabled)

Click to enable/disable user traffic activity from data accounting.

By default, user’s network traffic is considered in data accounting. Select to exclude certain traffic from user data accounting. The traffic allowed through this firewall rule will not be accounted towards data transfer for the user.

Figure 124: Identity

9. Specify Malware Scanning details.

Scan SMTP

Click to enable/disable scanning of SMTP traffic.

Scan SMTPS

Click to enable/disable scanning of SMTPS traffic.

Figure 125: Malware Scanning

10. Specify Advanced settings details.

a) Specify Polices for Business Applications.

Intrusion Prevention

Select the required IPS policy. If Match rule based on user identity is enabled, user’s IPS policy will be applied automatically, but will not be effective till the respective module is subscribed.

A new IPS policy can be created directly from this page or from the Protect > Intrusion Prevention > IPS Policies page.

Traffic Shaping Policy (not available if Match known users is selected)

Select the required traffic shaping policy. If Match rule based on user identity is enabled, the user's QoS policy will be applied automatically.

A new traffic shaping policy can be created directly from this page or from the System > Profiles > Traffic Shaping page.

Figure 126: Policies for Business Applications

b) Specify Security Heartbeat settings (available only if IPv4 is selected).

Minimum Source HB Permitted


Select a minimum health status that a source device must have to conform to this rule. Health status can be either Green, Yellow or No Restriction. If the health criterion is not met, access and privileges defined in this rule will not be granted to the user.

Block clients with no heartbeat

Heartbeat-capable devices can be required to send information on their health status in defined intervals - this is called a heartbeat.

Based on that information, you can restrict a source device's access to certain services and networks.

Enable/disable the option to require the sending of heartbeats.

Minimum Destination HB Permitted (not available if Protected Zone selected is WAN)

Select a minimum health status that a destination device must have to conform to this rule. Health status can be either Green, Yellow or No Restriction. If the health criterion is not met, access and privileges defined in this rule will not be granted to the user.

Block request to destination with no heartbeat (not available if Protected Zone selected is WAN)

Heartbeat-capable devices can be required to send information on their health status in defined intervals - this is called a heartbeat.

Based on that information, you can block requests to destinations not sending heartbeat.

Enable/disable the option to require the sending of heartbeats.


Figure 127: Security Heartbeat

c) Specify Routing details.

Rewrite source address (Masquerading)

Enable/disable to re-write the source address or specify a NAT policy.

Use Outbound Address (available only if Rewrite source address is enabled)

Select the NAT policy to be applied from the list of available NAT policies.

A new NAT policy can be created directly from this page or from the System > Profiles > Network Address Translation page.

The default NAT policy is Masquerade.

MASQ (Interface Default IP): the IP address of the selected Protected Zone, as configured in Configure > Network > Interfaces, is displayed instead of (Interface Default IP).

Create Reflexive Rule

Select ON to automatically create a reflexive firewall rule for the protected host.

The reflexive rule has the same policies as those configured for the hosted server but instead of source zone to destination zone, this rule is applicable on traffic from destination zone to source zone.

By default, the reflexive rule is not created.

Figure 128: Routing

11. Specify the logging option for the user application traffic.

Log Firewall Traffic

Click to enable logging of permitted and denied traffic.

Figure 129: Log Traffic
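The server-selection methods and health check described in step 7 (Load Balancing) above, as an added example written for this page; it is not Sophos XG code. The class names, the `check` callback standing in for the ICMP/TCP probe, and the rule that a Sticky IP client whose server goes down is re-placed by Round Robin are assumptions of this example, not behaviour stated by the guide.

```python
import random


class ProtectedServerPool:
    """Chooses a protected server per connection using one of the four methods and
    keeps the health-check state (Retries consecutive failures = unreachable)."""

    METHODS = ("round_robin", "first_alive", "random", "sticky_ip")

    def __init__(self, servers, method, retries=3, seed=None):
        if method not in self.METHODS:
            raise ValueError(f"unknown load balancing method: {method}")
        self.servers = list(servers)      # configured order; servers[0] is the First Alive primary
        self.method = method
        self.retries = retries            # the Retries field of the health check
        self.failures = {s: 0 for s in self.servers}
        self.alive = {s: True for s in self.servers}
        self.cursor = 0                   # Round Robin position
        self.sticky = {}                  # Sticky IP: client address -> assigned server
        self.rng = random.Random(seed)    # seeded only so the example is reproducible

    def probe(self, check):
        """One health-check cycle (the device runs one every Interval seconds).
        `check(server)` stands in for the ICMP/TCP probe: True if the server answered
        within the Timeout. A server is declared unreachable after `retries`
        consecutive failures and is returned to the pool by a single success."""
        for s in self.servers:
            if check(s):
                self.failures[s] = 0
                self.alive[s] = True
            else:
                self.failures[s] += 1
                if self.failures[s] >= self.retries:
                    self.alive[s] = False

    def healthy(self):
        return [s for s in self.servers if self.alive[s]]

    def _round_robin(self, pool):
        s = pool[self.cursor % len(pool)]
        self.cursor += 1
        return s

    def select(self, client_ip):
        """Server for a new connection from client_ip, or None if every server is down."""
        pool = self.healthy()
        if not pool:
            return None
        if self.method == "first_alive":
            return pool[0]                # primary; the rest are backups
        if self.method == "round_robin":
            return self._round_robin(pool)
        if self.method == "random":
            return self.rng.choice(pool)
        # sticky_ip: a new client address is placed by Round Robin and later connections
        # from it follow that mapping; a client whose server went down is re-placed (assumption)
        s = self.sticky.get(client_ip)
        if s is None or not self.alive[s]:
            s = self._round_robin(pool)
            self.sticky[client_ip] = s
        return s


if __name__ == "__main__":
    pool = ProtectedServerPool(["10.0.0.1", "10.0.0.2", "10.0.0.3"], "sticky_ip")
    print([pool.select(ip) for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.10")])
```

The point to notice is the interaction between Retries and First Alive: two failed probes leave the primary in service, the third takes it out, and a single successful probe brings it back, which means a flapping primary will move sessions back and forth unless Interval and Retries are chosen to ride out short outages.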

Related information

Protect Internal Email Server - Legacy Mode

Intrusion Prevention

This section covers the following topics:

DoS Attacks: Provides information about DoS attacks.

IPS Policies: Allows you to configure IPS policies.

Custom IPS Signatures: Allows you to add custom IPS signatures.

DoS & Spoof Protection: Allows you to configure DoS settings to identify DoS attacks.

DoS Attacks

The page provides information about DoS attacks. The list shows:

Attack Type

Displays the attack type: SYN Flood, UDP Flood, TCP Flood, ICMP Flood and IP Flood.

Source

Displays whether source packet control is applied or not. If applied, it indicates the number of packets dropped.

Destination

Displays whether destination packet control is applied or not. If applied, it indicates the number of packets dropped.

Click the name of the attack type you want to view to get real time updates on flooding.


Figure 130: DoS Attacks

IPS Policies

This page displays the list of all the pre-defined and custom IPS policies.

The device is a real time Intrusion Prevention System (IPS) system that protects your network from known and unknown attacks by worms and viruses, hackers and other Internet risks.

The device at the perimeter of your network analyzes entire traffic and prevents attacks from reaching your network.

Whether it is a worm, a suspicious web request, a hacker targeting your mail server or any other attack - it simply does not get through.

Note: Intrusion Prevention System module is a subscription module that needs to be subscribed before use.

Note: You can also view and manage the IPS status on the Monitor & Analyze > Diagnostics > Services page.

IPS consists of a signature engine with a predefined set of signatures. Signatures are the patterns that are known to be harmful. IPS compares traffic to these signatures and responds at a high rate of speed if it finds a match. Signatures included within the device are not editable.

To suit your network requirements, the device lets you define multiple policies instead of one global policy, which reduces packet latency and false positives.

IPS policy allows you to view predefined signatures and customize the intrusion prevention configuration at the category as well as individual signature level. Categories are signatures grouped together based on the application and protocol vulnerabilities.

That is, instead of a single global policy for all networks and hosts, you can tailor a policy per network or host by defining multiple policies.

To enable the Intrusion Prevention System, apply IPS policy from Security Policies. You can create rule to apply:

• single policy for all the users/networks

• different policies for different users/networks or hosts

As Security Policies control all traffic passing through the device and decide whether to allow or drop a connection, the IPS rule is applied only to traffic that the firewall allows through.

Category

Signatures are organized in categories such as DNS, Finger, P2P, DDOS, and others. These signature categories are listed in the policy. You can configure these categories to change the prevention and/or detection settings. To perform Intrusion Prevention, you need to enable IPS services for each category, i.e. you can configure actions for an individual signature only if the IPS service for its category is "Enabled".

Each IPS policy contains a set of signatures that the device searches for, logs and blocks. A policy allows you to:

• Enable or disable a category from IPS protection.

• Enable or disable individual signatures in a category to tailor IPS protection to your network environment.

• Define the action to be taken when the matching traffic pattern is found. The device can either detect or drop the connection. In either case, the device generates a log and alerts the Network Administrator.

IPS provides six actions for managing attack threats (the action is taken when a signature matches):

Allow Packet - Allows the packet to its intended destination.

Drop Packet - Drops packets if detects any traffic that matches the signature.

Disable - Disables the signature, if it detects any traffic that matches the signature.

Drop Session - Drops the entire session if detects any traffic that matches the signature.

Reset - Resets entire session if detects any traffic that matches the signature.

Bypass Session - Allows the entire session if detects any traffic that matches the signature.

In packet-based actions, the device checks each packet before taking an action while for session-based action, only the first packet is checked and an action is taken. In case of Reset, TCP reset packet is sent to the originator. In all the cases, the device generates the log and alerts the Network Administrator.

To save resources and avoid latency, set action as “Bypass Session” as in this, if the initial packets match the signature then the rest of the session packets will not be scanned at all.

To avoid getting high number of Alerts and save resources, set action as “Drop session” as in this, if the device identifies attack in the initial packets then it will terminate the entire session instead of scanning all the session packets.

The page provides options to add a new policy, configure the handling of signatures by category or on a signature-by-signature basis, or delete the policy.

The device provides following pre-defined policies. You can directly use policies 1 to 6 without any modifications while policies 7 to 10 can either be used directly or, can be modified as per your requirements:

1. DMZ TO LAN

2. DMZ TO WAN

3. LAN TO DMZ

4. LAN TO WAN

5. WAN TO DMZ

6. WAN TO LAN

7. generalpolicy

8. lantowan strict policy

9. lantowan general policy

10. dmzpolicy

Create an IPS Policy

This page describes how to quickly configure a new IPS policy.

1. Go to Protect > Intrusion Prevention > IPS Policies and click Add.

2. Specify the following:

Name

Enter a unique name for the IPS policy.

Description

Enter a description for the IPS policy.

Clone Rules

Select the IPS policy to be used as a template from the available list.

Available Options:

• generalpolicy

• lantowan_strict

• lantowan_general

• dmzpolicy


• LAN to WAN

• LAN to DMZ

• WAN to DMZ

• WAN to LAN

• DMZ to WAN

• DMZ to LAN

Figure 131: Details

3. Click Save.

Once the policy is created, policy rules can be added to take appropriate action for signatures in the policy. Define a rule to configure an action to be taken when the matching traffic pattern is found. If the rules are already added, a list of rules is displayed along with its details like signature filtering criteria, action.

IPS Policy Rules

This page describes how to quickly configure IPS policy rules.

Once the policy is created, policy rules can be added to take appropriate action for signatures in the policy. Define a rule to configure an action to be taken when the matching traffic pattern is found. If the rules are already added, a list of rules is displayed along with its details like signature filtering criteria, action.

1. Go to Protect > Intrusion Prevention > IPS Policies .

2. Click the icon under the Manage column for the IPS policy to which you want to add the policy rule.

3. Click Add.

4. Specify the following:

Rule Name

Enter a unique name for the IPS policy rule.

Figure 132: Rule Detail

5. Enter the Signature Criteria.

Default

Select to view a list of default signatures.

Custom Signature

Select to view a list of custom signatures.

Category

Select IPS signature category from the list of available categories.

Severity

Severity is the level of threat posed by the attack. Select the severity from the available options.

Available Options:

• Select All

• 1 - Critical

• 2 - Major

• 3 - Moderate

• 4 - Minor

• 5 - Warning

Platform

Platform is the OS affected by the attack. Select the platform from the available options.

Available Options:

• Select All

• Windows

• Linux

• Unix

• MAC

• Solaris

• BSD

• Other

Target

Target is the type of device targeted by the attack. Select the target from the available options.

Available Options:

• Select All

• Client

• Server


Figure 133: Signature Criteria

6. Manage the list of Matching Signatures.

Select All

Select to choose all the signatures listed for the selected criteria.

Based on the signature criteria the signatures are made available.

Select Individual Signature

Select to customize the choice of signatures list for the selected criteria.

Based on the signature criteria the signatures are made available.

Search

Specify the signature name in the textbox to search a signature.

This option is available, only if the option Select Individual Signature is selected.


Figure 134: List of Matching Signatures

7. Specify the Action details.

Action

Select an action to be taken from the available options:

Available Options:

• Recommended: The device applies the action recommended for each matching signature.

• Allow Packet: Allows the packet to its intended destination.

• Drop Packet: Drops packets that match the signature.

• Disable: Disables the signature when it matches traffic.

• Drop Session: Drops the entire session when traffic matches the signature.

• Reset: Resets the entire session when traffic matches the signature.

• Bypass Session: Allows the entire session when traffic matches the signature.

Figure 135: Action

8. Click Save.

Custom IPS Signatures

This page displays the list of all the custom IPS patterns.

Custom IPS Patterns provide the flexibility to customize IPS for diverse network environments. Predefined IPS patterns included in the device cover common attacks while Custom IPS Patterns protect your network from uncommon attacks that are due to the use of proprietary server, custom protocol, or specialized applications used in the corporate network.

Note: Administrator can create Custom IPS Pattern and configure policies using them. However, the IPS scanning will be effective only if Network Protection module is subscribed.

Add IPS Pattern

1. Go to Protect > Intrusion Prevention > Custom IPS Signatures and click Add.

2. Enter the IPS Signature details.


Name

Enter a name to identify the Custom IPS Signature.

Protocol

Select IPS protocol from the list.

Available Options: TCP, UDP, ICMP, ALL

Custom Rule

Specify IPS Signature definition.

Signature definition must begin with a keyword followed by the value enclosed between the double quotes and must end with semicolon (;)

Format: Keyword: "value";

For example, content: "USER JOHN";

If traffic with the content USER JOHN is detected, action defined in the policy will be taken.

Refer to Appendix B – IPS - Custom IPS Pattern Syntax for more details on creating IPS Pattern.

Severity

Select the level of severity from the available options: Critical, Major, Moderate, Minor, Warning

Recommended Action

Specify action to be taken on the selected policy when matching pattern is found.

Available Actions:

• Allow Packet - Allow the packet; each packet is checked before action is taken.

• Drop Packet - Drop matching packets.

• Drop Session - Terminate the entire session instead of scanning all of the session's packets, which saves resources and avoids a high number of alerts.

• Reset - Send a TCP reset packet to the originator.

• Bypass Session - Scan the initial packets only. If the initial packets match the pattern, the rest of the session's packets are not scanned and the traffic is allowed to pass.

In all cases, the device generates a log and alerts the Network Administrator.


Figure 136: Add Custom IPS Signature

3. Click Save.
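A small parser and matcher for the Custom Rule format described in step 2 above (clauses of the form `keyword: "value";`), as an added example written for this page; it is not the device's IPS engine. Only the `content` keyword shown in the guide is implemented, and any other keyword is rejected so that a typo is caught when the signature is saved rather than producing a rule that never fires; the Appendix B keyword set, first-match ordering between signatures, the case-sensitive byte match and the sample payload are assumptions of this example.

```python
import re

# one clause of the Custom Rule format: keyword, colon, value in double quotes, semicolon
CLAUSE = re.compile(r'\s*([A-Za-z_]+)\s*:\s*"([^"]*)"\s*;')
# only `content` is implemented here; Appendix B of the guide lists the full keyword set
SUPPORTED_KEYWORDS = {"content"}


def parse_signature(definition):
    """Split a signature definition into (keyword, value) pairs.
    Raises ValueError for anything that is not a run of `keyword: "value";` clauses."""
    definition = definition.strip()
    clauses, pos = [], 0
    while pos < len(definition):
        m = CLAUSE.match(definition, pos)
        if m is None:
            raise ValueError(f"malformed clause at offset {pos}: {definition[pos:pos + 24]!r}")
        keyword = m.group(1).lower()
        if keyword not in SUPPORTED_KEYWORDS:
            raise ValueError(f"unsupported keyword: {keyword}")
        clauses.append((keyword, m.group(2)))
        pos = m.end()
    if not clauses:
        raise ValueError("empty signature definition")
    return clauses


class CustomSignature:
    def __init__(self, name, protocol, definition, recommended_action):
        self.name = name
        self.protocol = protocol.upper()          # TCP, UDP, ICMP or ALL
        self.clauses = parse_signature(definition)
        self.recommended_action = recommended_action

    def matches(self, protocol, payload):
        """True if the protocol matches and every content value occurs in the payload
        (case-sensitive byte match, an assumption of this example)."""
        if self.protocol != "ALL" and protocol.upper() != self.protocol:
            return False
        return all(value.encode() in payload
                   for keyword, value in self.clauses if keyword == "content")


def evaluate(signatures, protocol, payload):
    """Action for one packet: the recommended action of the first matching signature
    (first-match ordering is an assumption of this example); otherwise the packet is allowed."""
    for sig in signatures:
        if sig.matches(protocol, payload):
            return sig.recommended_action
    return "Allow Packet"


if __name__ == "__main__":
    sig = CustomSignature("block-john", "TCP", 'content: "USER JOHN";', "Drop Session")
    # constructed FTP-style login payload, not captured traffic
    print(evaluate([sig], "tcp", b"USER JOHN\r\nPASS secret\r\n"))
```

Note that a signature scoped to TCP does not fire on the same bytes carried over UDP, and that a definition missing its closing semicolon is rejected outright; a lenient parser that silently ignored the trailing clause would leave the administrator believing a pattern is enforced when it is not.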

DoS & Spoof Prevention

The device provides several security options that cannot be defined by the security policies. This includes protection from several kinds of “Denial of Service attacks”. These attacks disable computers and circumvent security.

A Denial of Service (DoS) attack is a method that hackers use to prevent or deny legitimate users access to a service.


DoS attacks are typically executed by sending many request packets to a targeted server (usually Web, FTP, or Mail server), which floods the server's resources, making the system unusable. Their goal is not to steal the information but disable or deprive a device or network so that users no longer have access to the network services/resources.

Every server can handle traffic only up to some maximum volume, beyond which it stops responding. Attackers therefore send a very high volume of redundant traffic so that the system can no longer examine and admit legitimate network traffic. The best way to protect against a DoS attack is to identify and block such redundant traffic. The following DoS settings can be used to identify a DoS attack:

Packet rate per Source

Total number of packets (or connections) allowed from a particular source address over the rate interval.

Burst rate per Source

Maximum number of packets allowed from a particular source address at a given instant.

Packet rate per Destination

Total number of packets (or connections) allowed to a particular destination address over the rate interval.

Burst rate per Destination

Maximum number of packets allowed to a particular destination address at a given instant.

How it works

When the burst rate is crossed, the device considers it an attack and protects against it by dropping all excess packets from that particular source or to that particular destination. The device continues to drop the packets until the attack subsides. Because the threshold is applied per IP address, only traffic from that source or to that destination is dropped; the rest of the network traffic is not affected.

Time taken to re-allow traffic from the blocked source/destination = time taken to subside the attack + 30 seconds

For example:

Packet rate per source: 100 packets per second

Burst rate per source: 200 packets per second

When the user starts sending requests, initially he will be able to send 200 packets per second but once the 200 packets are received, in the next phase the user will only be able to send 100 packets per second. So in the next phase, if the user sends 150 packets per second, the device will consider it as an attack and drop 50 (150 -100) packets. The device will then only accept traffic from the user 30 seconds after having dropped the packets.
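A runnable model of the per-source control just described, as an added example written for this page; it is not Sophos XG code and the device's real counters may differ. The model assumes one-second windows, that the burst rate applies to a source's first window of activity after being idle, and that a source stays blocked until 30 seconds after the last window in which it exceeded its limit (the page's "time taken to subside the attack + 30 seconds"). Rates are given per second, as in the page's worked example (the DoS Settings page later expresses packet rate in packets/minute).

```python
from collections import defaultdict

HOLD_SECONDS = 30   # page: traffic is re-allowed (time for the attack to subside) + 30 s


class PerSourceDosControl:
    def __init__(self, packet_rate, burst_rate):
        self.packet_rate = packet_rate    # sustained packets per second (page example: 100)
        self.burst_rate = burst_rate      # packets allowed in the first window (page example: 200)
        self.window = {}                  # src -> (window index, packets offered in that window)
        self.limit = {}                   # src -> limit applying to its current window
        self.hold_until = {}              # src -> time before which every packet is dropped
        self.stats = defaultdict(lambda: {"allowed": 0, "dropped": 0})

    def offer(self, src, ts):
        """Decide for one packet from `src` arriving at time `ts` (seconds); True = allowed."""
        w = int(ts)
        last_w, count = self.window.get(src, (None, 0))
        if last_w != w:
            # the burst allowance applies only if the source was idle during the previous window
            idle_before = last_w is None or last_w < w - 1
            self.limit[src] = self.burst_rate if idle_before else self.packet_rate
            count = 0
        count += 1
        self.window[src] = (w, count)
        excess = count > self.limit[src]
        if excess:
            # the attack is still in progress: the hold extends to 30 s past the end of this window
            self.hold_until[src] = w + 1 + HOLD_SECONDS
        if excess or ts < self.hold_until.get(src, 0):
            self.stats[src]["dropped"] += 1
            return False
        self.stats[src]["allowed"] += 1
        return True


def simulate(ctrl, src, phases, start=0.0):
    """Offer evenly spaced packets for each (duration_seconds, packets_per_second) phase
    and return the per-source counters, i.e. what Source Traffic Dropped would report."""
    t = start
    for duration, pps in phases:
        for i in range(int(duration * pps)):
            ctrl.offer(src, t + i / pps)
        t += duration
    return dict(ctrl.stats[src])


if __name__ == "__main__":
    # the page's example: 200 packets in the first second, then 150 per second
    ctrl = PerSourceDosControl(packet_rate=100, burst_rate=200)
    print(simulate(ctrl, "203.0.113.7", [(1, 200), (1, 150)]))
```

With the page's numbers the first window admits all 200 packets, the second admits 100 and drops 50, and the source is then held for 30 seconds beyond the last over-limit window; a second source keyed separately is untouched, which is the per-IP isolation the text describes. The practical consequence for the Threshold values section that follows is that an attacker who spreads the same packet volume across many source addresses stays under every per-source threshold, so per-destination limits are the ones that protect a single server.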

Threshold values

The device uses packet rate and burst rate values as a threshold value to detect DoS attacks. These values depend on various factors like:

• Network bandwidth

• Nature of traffic

• Capacity of servers in the network

These values apply to the individual source or destination requests per user/IP address and not globally to the entire network traffic. For example, if the source rate is 2500 packets/minute and the network consists of 100 users, then each user is allowed a packet rate of 2500 packets per minute.

Configuring high values will degrade the performance and too low values will block the regular requests. Hence it is very important to configure appropriate values for both source and destination IP address.

Spoof Protection General Settings

You can configure MAC address and/or IP-MAC address pair entries in the IP-MAC trusted list to improve the security of your network. With MAC address filtering it is harder for an attacker to use a random or spoofed MAC address to gain access to your network, because traffic from an unlisted MAC address is dropped at the firewall and never reaches the network behind it.

Similarly, it is also possible to filter packets based on the IP-MAC pair. This blocks hosts that try to violate a trusted IP-MAC binding. To make the restriction more granular, you can enable it per zone.

Enable Spoof Prevention

If enabled, the device provides 3 ways to prevent spoofing using an IP-MAC trusted list:

IP Spoofing – Packets will be dropped if a matching route entry is not available.

MAC Filter – Packets will be dropped if the MAC address is not configured as a trusted MAC.

IP-MAC Pair Filter – Packets will be dropped if either IP or MAC address does not match with any entry in the IP-MAC trusted list. Packets will be allowed if both IP and MAC address are not defined as an entry in the IP-MAC trusted list.

Restrict Unknown IP on Trusted MAC (Only applicable if Spoof Prevention is enabled)

Enable the option, if you want to drop traffic from any IP address not in the trusted list for the trusted MAC address.

By default, it is disabled. When disabled, traffic from any IP address not in the trusted list will be allowed even if it is coming for the trusted MAC address.

The table shows for which zones each check can be enabled, followed by how each check behaves.

Zone    IP Spoofing    MAC Filter    IP-MAC Pair Filter

LAN     Yes            Yes           Yes

WAN     No             Yes           No

DMZ     Yes            Yes           Yes

WiFi    Yes            Yes           Yes

IP Spoofing

If enabled, it is to be enabled for at least one zone. The device does a reverse lookup for the route to the source network and, if no route is available, the packets are dropped and logged.

Default: disabled for all zones

MAC Filter

Note: To enable MAC Filtering, you need to add a trusted MAC address.

If enabled, it is to be enabled for at least one zone. It restricts access to your network from hosts that are not listed: as the device will drop all requests from MAC addresses not configured in the trusted list, make sure to include the MAC addresses of all your internal devices.

Default: disabled for all zones

IP-MAC Pair Filter

If enabled, it is to be enabled for at least one zone. The device drops a request as spoofed if:

• the MAC address differs from the one trusted for that IP address, or

• the IP address differs from the one trusted for that MAC address.

A request is dropped if the IP-MAC pair does not exist in the trusted list, but it is allowed if neither the IP nor the MAC address exists in the list at all.

Default: disabled for all zones

Figure 137: Spoof Protection General Settings
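The drop/allow decisions of the three spoof prevention checks and the Restrict Unknown IP on Trusted MAC option, as an added example written for this page; it is not the device's implementation. The routing table, trusted list and packets are constructed. Two points are assumptions rather than statements of the guide: the IP Spoofing check is implemented as a reverse-path check (the route to the source must lead back out of the zone the packet arrived on, the usual meaning of the term; the guide only says a packet with no route is dropped), and the Restrict option is applied in zones where the MAC Filter or IP-MAC Pair Filter is enabled.

```python
import ipaddress

# constructed routing table: (prefix, zone of the interface that reaches it)
ROUTES = [
    (ipaddress.ip_network("10.1.0.0/16"), "LAN"),
    (ipaddress.ip_network("192.168.5.0/24"), "DMZ"),
    (ipaddress.ip_network("0.0.0.0/0"), "WAN"),
]


def reverse_route_zone(src_ip):
    """Longest-prefix lookup of the source address: the zone through which the
    device would route a reply to it, or None if there is no route at all."""
    ip = ipaddress.ip_address(src_ip)
    best = None
    for net, zone in ROUTES:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, zone)
    return best[1] if best else None


class SpoofPrevention:
    def __init__(self, ip_spoofing_zones=(), mac_filter_zones=(), pair_filter_zones=(),
                 trusted=(), restrict_unknown_ip=False):
        self.ip_spoofing = set(ip_spoofing_zones)
        self.mac_filter = set(mac_filter_zones)
        self.pair_filter = set(pair_filter_zones)
        self.restrict_unknown_ip = restrict_unknown_ip
        self.ips_for_mac = {}    # mac -> IPs bound to it (empty set = MAC-only entry)
        self.macs_for_ip = {}    # ip  -> MACs bound to it
        for mac, ip in trusted:  # entries of the Spoof Protection Trusted MAC list
            mac = mac.lower()
            self.ips_for_mac.setdefault(mac, set())
            if ip:
                self.ips_for_mac[mac].add(ip)
                self.macs_for_ip.setdefault(ip, set()).add(mac)

    def check(self, zone, src_mac, src_ip):
        """Return ('drop' | 'allow', reason) for a packet entering `zone`."""
        mac = src_mac.lower()
        if zone in self.ip_spoofing and reverse_route_zone(src_ip) != zone:
            return "drop", "IP Spoofing: no route back to the source via this zone"
        if zone in self.mac_filter and mac not in self.ips_for_mac:
            return "drop", "MAC Filter: source MAC not in the trusted list"
        if zone in self.pair_filter:
            bound_ips = self.ips_for_mac.get(mac)
            bound_macs = self.macs_for_ip.get(src_ip)
            if bound_ips and src_ip not in bound_ips:
                return "drop", "IP-MAC Pair Filter: IP differs from the one trusted for this MAC"
            if bound_macs and mac not in bound_macs:
                return "drop", "IP-MAC Pair Filter: MAC differs from the one trusted for this IP"
            # neither address known, or the pair itself is listed: allowed
        if (self.restrict_unknown_ip and (zone in self.mac_filter or zone in self.pair_filter)
                and mac in self.ips_for_mac and src_ip not in self.macs_for_ip):
            return "drop", "Restrict Unknown IP on Trusted MAC"
        return "allow", "no spoof check failed"


if __name__ == "__main__":
    sp = SpoofPrevention(ip_spoofing_zones={"LAN", "DMZ"}, pair_filter_zones={"LAN"},
                         trusted=[("00:11:22:33:44:55", "10.1.0.10")])
    print(sp.check("LAN", "66:77:88:99:aa:bb", "10.1.0.10"))   # trusted IP from another MAC
```

The case worth checking on a real deployment is the last branch of the pair filter: a host whose MAC and IP are both absent from the list passes, so the IP-MAC Pair Filter on its own does not keep unknown devices off the network; that is what the MAC Filter (with every internal device listed) is for.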

Spoof Protection Trusted MAC

You can enable MAC address and/or IP address pair filtering to improve security. By enabling filtering, you define the devices that can access your network. It is also possible to import the trusted MAC list through a CSV (Comma Separated Value) file. When a user attempts to access the network, the device checks the MAC address and/or IP address against the list. The user gets access to the network only if the MAC address and/or IP address are in the trusted MAC list; otherwise the request is rejected.

The Spoof Prevention Trusted MAC section displays a list of all the MAC addresses configured as trusted MAC.

The page also provides options to add a new MAC address, update the existing addresses, and import a list of addresses.

DoS Settings

Attack thresholds can be defined for both source and destination.

SYN Flood

SYN Flood is the attack in which large numbers of connections are sent so that the backlog queue overflows. The connection is created when the victim host receives a connection request and allocates some memory resources to it. A SYN flood attack creates so many half-open connections that the system becomes overwhelmed and cannot handle incoming requests any more.

Configure packet rate (packets/minute) and burst rate (packets/second) for source and destination.

Select Apply Flag check box to apply the SYN flood definition and control the allowed number of packets.

Source Traffic Dropped displays the number of source packets dropped in case source packet rate control is applied.

Destination Traffic Dropped displays the number of packets dropped in case destination packet rate control is applied.

Click the link Click Here to view the DoS attack status. You will be redirected to Protect > Intrusion Prevention > DoS Attacks. Then click SYN Flood to view the real-time updates on flooding. It displays the source IP address used for flooding and the IP address that was targeted.

UDP Flood

A User Datagram Protocol (UDP) flood of this kind links two systems: it hooks up one system's UDP character-generating service with another system's UDP echo service. Once the link is made, the two systems are tied up exchanging a flood of meaningless data.

Configure packet rate (packets/minute) and burst rate (packets/second) for source and destination.

Select Apply Flag check box to apply the UDP flood definition and control the allowed number of packets.


Source Traffic Dropped displays the number of source packets dropped in case source packet rate control is applied.

Destination Traffic Dropped displays the number of packets dropped in case destination packet rate control is applied

Click the link Click Here to view the DoS attack status. It will redirect you to Protect > Intrusion Prevention > DoS Attacks; click UDP Flood to view the real-time updates on flooding. It displays the source IP address used for flooding and the IP address that was targeted.

TCP Flood

A TCP flood sends more TCP packets than the victim host can handle, thereby denying service to legitimate TCP users.

Configure packet rate (packets/minute) and burst rate (packets/second) for source and destination.

Select Apply Flag check box to apply the TCP flood definition and control the allowed number of packets.

Source Traffic Dropped displays the number of source packets dropped in case source packet rate control is applied.

Destination Traffic Dropped displays the number of packets dropped in case destination packet rate control is applied

ICMP/ICMPv6 Flood

An ICMP/ICMPv6 flood sends more packets than the protocol implementation of the victim host can handle, thereby preventing legitimate packets from getting through to their destination.

Configure packet rate (packets/minute) and burst rate (packets/second) for source and destination.

Select the Apply Flag check box to apply the ICMP flood definition and control the number of packets allowed.

Source Traffic Dropped displays the number of source packets dropped when source packet rate control is applied.

Destination Traffic Dropped displays the number of packets dropped when destination packet rate control is applied.

Click the Click Here link to view the DoS attack status. It redirects you to Protect > Intrusion Prevention > DoS Attacks; click ICMP/ICMPv6 Flood to view real-time updates on flooding. It displays the source IP address used for flooding and the IP address that was targeted.
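The UDP, TCP and ICMP flood settings above all share the same two thresholds (packet rate in packets/minute, burst rate in packets/second), applied separately to sources and destinations, with the Source Traffic Dropped and Destination Traffic Dropped counters reporting the result. The following Python simulation is an added example, not code from the guide or from Sophos; it assumes a sliding-window model for the two thresholds and assumes that a packet dropped by source control is not counted against its destination. The traffic is constructed: one host floods a target at 100 packets/s for three seconds, then another host sends five normal packets.

```python
from collections import defaultdict, deque


class FloodLimiter:
    """Sliding-window limiter for one direction (source or destination).

    Assumed model of the guide's two thresholds: at most `burst_rate`
    accepted packets in any 1 s window and at most `packet_rate` accepted
    packets in any 60 s window, tracked per IP address. Timestamps are
    integer milliseconds so the arithmetic stays exact.
    """

    def __init__(self, packet_rate, burst_rate):
        self.packet_rate = packet_rate   # packets per minute
        self.burst_rate = burst_rate     # packets per second
        self._minute = defaultdict(deque)
        self._second = defaultdict(deque)
        self.dropped = 0

    def allow(self, key, t_ms):
        minute, second = self._minute[key], self._second[key]
        while minute and t_ms - minute[0] >= 60_000:
            minute.popleft()
        while second and t_ms - second[0] >= 1_000:
            second.popleft()
        if len(second) >= self.burst_rate or len(minute) >= self.packet_rate:
            self.dropped += 1
            return False
        minute.append(t_ms)
        second.append(t_ms)
        return True


def run_flood_control(packets, src_rate, src_burst, dst_rate, dst_burst, apply_flag=True):
    """packets: iterable of (t_ms, src_ip, dst_ip) in time order.

    Source control is applied first; a packet dropped there is not counted
    against its destination (an assumption of this model).
    """
    src = FloodLimiter(src_rate, src_burst)
    dst = FloodLimiter(dst_rate, dst_burst)
    accepted = 0
    for t_ms, src_ip, dst_ip in packets:
        if not apply_flag:            # Apply Flag cleared: definition not enforced
            accepted += 1
            continue
        if not src.allow(src_ip, t_ms):
            continue                  # counted as Source Traffic Dropped
        if not dst.allow(dst_ip, t_ms):
            continue                  # counted as Destination Traffic Dropped
        accepted += 1
    return {
        "accepted": accepted,
        "source_traffic_dropped": src.dropped,
        "destination_traffic_dropped": dst.dropped,
    }


def sample_packets():
    """Constructed traffic: 10.0.0.5 sends 100 packets/s for 3 s to
    192.0.2.10, then 10.0.0.7 sends five normal packets elsewhere."""
    flood = [(i * 10, "10.0.0.5", "192.0.2.10") for i in range(300)]
    normal = [(5_000 + i * 100, "10.0.0.7", "192.0.2.20") for i in range(5)]
    return flood + normal


if __name__ == "__main__":
    # Source burst limit 50/s, destination burst limit 40/s.
    print(run_flood_control(sample_packets(), src_rate=6000, src_burst=50,
                            dst_rate=1000, dst_burst=40))
```

With these thresholds the flooding host has half of its packets dropped by source control (50 of every 100 per second), the surviving 50 packets/s then exceed the destination burst limit of 40/s, and the second host's packets pass untouched, which is the behaviour the two counters on this page report.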

Dropped Source Routed Packets

Select the Apply Flag check box to enable this option. It blocks any source-routed connections and prevents any packets with an internal address from entering your network.

Disable ICMP/ICMPv6 Redirect Packet

An ICMP redirect packet is used by routers to inform the hosts what the correct route should be. If an attacker is able to forge ICMP redirect packets, he or she can alter the routing tables on the host and possibly weaken the security of the host by causing traffic to flow via another path.

Disable the option to prevent the attacker from forging ICMP redirect packets.

Default: enabled

ARP Hardening

If enabled, the device sends an ARP reply only if the destination IP address is a local address configured on the incoming interface and both the sender and destination IP addresses are in the same subnet.
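The ARP hardening rule just described is a two-part check. The following Python function is an added example, not code from the guide or from Sophos; the interface table and the ARP requests are constructed, and the function only models the hardened behaviour (it does not model what the device does with hardening disabled).

```python
import ipaddress

# Constructed interface table: interface name -> addresses configured on it.
INTERFACES = {
    "LAN": ["10.10.1.1/24"],
    "DMZ": ["172.16.5.1/24"],
}


def arp_reply_allowed(incoming_if_addrs, target_ip, sender_ip):
    """ARP hardening decision as the guide describes it: reply only when the
    requested (target) address is a local address configured on the incoming
    interface and the sender lies in that address's subnet."""
    target = ipaddress.ip_address(target_ip)
    sender = ipaddress.ip_address(sender_ip)
    for cidr in incoming_if_addrs:
        iface = ipaddress.ip_interface(cidr)
        if iface.ip == target and sender in iface.network:
            return True
    return False


def answered_requests(interfaces, requests):
    """requests: (incoming interface, target IP, sender IP) tuples.
    Returns the subset the device would answer with ARP hardening enabled."""
    return [
        req for req in requests
        if arp_reply_allowed(interfaces[req[0]], req[1], req[2])
    ]


# Constructed ARP requests as seen on each interface.
SAMPLE_REQUESTS = [
    ("LAN", "10.10.1.1", "10.10.1.55"),    # local address, sender in the LAN subnet: answered
    ("LAN", "10.10.1.1", "192.168.9.9"),   # sender outside the interface subnet: ignored
    ("LAN", "172.16.5.1", "10.10.1.55"),   # asks for the DMZ address via the LAN: ignored
    ("DMZ", "172.16.5.1", "172.16.5.40"),  # local address on the DMZ interface: answered
]

if __name__ == "__main__":
    for req in answered_requests(INTERFACES, SAMPLE_REQUESTS):
        print("reply:", req)
```

The second and third requests are the ones hardening exists to refuse: a reply to an off-subnet sender, or a reply for an address that belongs to a different interface, would let a host on one segment learn the device's MAC for addresses it should not be able to reach directly.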


Figure 138: DoS Settings

DoS Bypass Rule

The device lets you bypass DoS inspection for a specified source when you are sure that the source will not be used for flooding, or when the device should ignore flooding coming from that source. By default, VPN zone traffic is also subject to DoS inspection; you can also bypass DoS inspection for traffic coming from certain hosts in the VPN zone.

The DoS Bypass Rule section displays a list of all the bypass rules.

Add a Trusted MAC Address

This page allows you to add a trusted MAC address.

1. Go to Protect > Intrusion Prevention > DoS & Spoof Protection and click Add under the Spoof Protection Trusted MAC section.

2. Enter trusted MAC address details.

MAC Address

Specify a MAC address to be added to the Trusted MAC list.

IPv4 Address

Specify an IPv4 address that is to be bound to the MAC address. Packets will be rejected if either the MAC or the IPv4 address does not match.

Available Options:

• Static – Specify an IP address to be bound to the MAC address. Packets will be rejected if either the MAC or the IP address does not match. Multiple IP addresses can be provided, separated by commas.

• DHCP – The MAC address will be bound to the IP address leased by the device's DHCP server as and when the IP is leased. The entry is updated automatically when the leased IP address changes.

To unbind the IPv4 address, select None.

IPv6 Address

Specify an IPv6 address that is to be bound to the MAC address. Packets will be rejected if either the MAC or the IPv6 address does not match.

Available Options:

• Static – Specify an IP address to be bound to the MAC address. Packets will be rejected if either the MAC or the IP address does not match. Multiple IP addresses can be provided, separated by commas.

• DHCP – The MAC address will be bound to the IP address leased by the device's DHCP server as and when the IP is leased. The entry is updated automatically when the leased IP address changes.

To unbind the IPv6 address, select None.


Figure 139: Add Trusted MAC

3. Click Save.

Import Trusted MAC Addresses

Instead of adding the trusted entries individually, the device lets you import the trusted list from a CSV (Comma Separated Value) file.

The format for the CSV file should be as follows:

1. The first row of the CSV file has to be the header row: MAC address, IP association, IP address.

2. The remaining rows are values corresponding to the header fields.

3. Blank rows are ignored.

4. An error message is displayed only for invalid rows.

5. Format of values:

• Compulsory fields: MAC address and IP association.

• Optional field: IP address.

• IP association must be Static, DHCP or None.

• For Static IP association, an IP address must be provided.

• For None/DHCP IP association, an IP address is not required.

• Entries with an invalid MAC address, IP address or IP association are discarded.

• Use commas to separate multiple static IP addresses.
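A validator that applies the CSV rules listed above, as an added example (not code from the guide or from Sophos). The header text, the accepted MAC notations (colon- or hyphen-separated hex pairs) and the sample file are assumptions; the guide only states the column names and the Static/DHCP/None values. The sample CSV is constructed to exercise every rule, including a blank row and one invalid row of each kind.

```python
import csv
import io
import ipaddress
import re

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")   # assumed MAC notation
HEADER = ["MAC address", "IP association", "IP address"]
ASSOCIATIONS = {"Static", "DHCP", "None"}


def parse_trusted_mac_csv(text):
    """Validate a trusted-MAC CSV against the rules listed above.

    Returns (entries, errors): entries are the accepted rows, errors are
    (line number, message) pairs for rows that would be discarded.
    """
    rows = list(csv.reader(io.StringIO(text)))
    entries, errors = [], []
    if not rows or [c.strip() for c in rows[0]] != HEADER:
        return entries, [(1, "first row must be the header: " + ", ".join(HEADER))]
    for lineno, row in enumerate(rows[1:], start=2):
        if not any(c.strip() for c in row):
            continue                                   # blank rows are ignored
        cells = [c.strip() for c in row] + ["", "", ""]  # tolerate short rows
        mac, assoc, ips = cells[0], cells[1], cells[2]
        if not MAC_RE.match(mac):
            errors.append((lineno, f"invalid MAC address {mac!r}"))
            continue
        if assoc not in ASSOCIATIONS:
            errors.append((lineno, f"IP association must be Static, DHCP or None, got {assoc!r}"))
            continue
        addresses = []
        if assoc == "Static":
            if not ips:
                errors.append((lineno, "Static IP association requires an IP address"))
                continue
            try:
                # several static addresses sit comma-separated inside one quoted field
                addresses = [str(ipaddress.ip_address(a.strip())) for a in ips.split(",")]
            except ValueError:
                errors.append((lineno, f"invalid IP address in {ips!r}"))
                continue
        entries.append({
            "mac": mac.lower().replace("-", ":"),
            "association": assoc,
            "addresses": addresses,
        })
    return entries, errors


# Constructed sample file: four valid rows (one blank line among them) and
# four rows that each break one rule.
SAMPLE_CSV = "\n".join([
    "MAC address, IP association, IP address",
    "00:11:22:33:44:55,Static,10.10.1.20",
    '00:11:22:33:44:66,Static,"10.10.1.21,10.10.1.22"',
    "00-11-22-33-44-77,DHCP,",
    "",
    "AA:BB:CC:DD:EE:FF,None,",
    "ZZ:11:22:33:44:55,Static,10.10.1.30",      # invalid MAC
    "00:11:22:33:44:88,Fixed,10.10.1.31",       # invalid IP association
    "00:11:22:33:44:99,Static,",                # Static without an address
    "00:11:22:33:44:AA,Static,10.10.1.999",     # invalid IP address
])

if __name__ == "__main__":
    entries, errors = parse_trusted_mac_csv(SAMPLE_CSV)
    for e in entries:
        print("accepted:", e)
    for lineno, msg in errors:
        print(f"line {lineno}: {msg}")
```

Note the third data row: because multiple static addresses are separated by commas, the field must be quoted, otherwise the CSV reader sees an extra column. Checking a file this way before uploading avoids silently losing entries to the "invalid rows" rule.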

1. Go to Protect > Intrusion Prevention > DoS & Spoof Protection and click Import under the Spoof Protection Trusted MAC section to import a CSV file.

2. Browse trusted MAC address file.

Trusted MAC Address File

To choose a CSV file, click the file selection button against Trusted MAC Address File.

3. Click Upload File to upload CSV file.

Figure 140: Import Trusted MAC Address CSV File

Create a DoS Bypass Rule

This page allows you to create a DoS bypass rule.


1. Go to Protect > Intrusion Prevention > DoS & Spoof Protection and click Add under the DoS Bypass Rule section.

2. Enter bypass rule details.

IP Family

Select the IP family of the traffic to be bypassed.

Source IP/Netmask (available only if selected IP Family is IPv4)

Specify the source IP/Netmask.

Specify * if you want to bypass entire network.

Destination IP/Netmask (available only if selected IP Family is IPv4)

Specify the destination IP/Netmask.

Specify * if you want to bypass entire network.

Source IP/Prefix (available only if selected IP Family is IPv6)

Specify the source IP/prefix.

Specify * if you want to bypass entire network.

Destination IP/Prefix (available only if selected IP Family is IPv6)

Specify the destination IP/prefix.

Specify * if you want to bypass entire network.

Protocol

Select the protocol whose traffic is to be bypassed if generated from the specified source to destination.

Available Options:

• TCP

• UDP

• ICMP

• All Protocols

For example, if you select TCP protocol then DoS rules will not be applied on the TCP traffic from the specified source to destination.

Source Port

Specify port number for the source.

Specify * if you want to bypass entire network.

Destination Port

Specify port number for the destination.

Specify * if you want to bypass entire network.


Figure 141: Add DoS Bypass Rule

3. Click Save.


Web

Use the web protection settings to identify and block the latest web threats. These settings let you control traffic and protect against threats and inappropriate web usage. Exceptions let you override settings as required for your business needs.

Policies

With policies, you can control traffic using rules and advanced settings. The default set of policies describes some common restrictions.

Figure 142: Policies

Rules

Rules specify the following criteria:

• Users to whom the rule applies. These include groups and individual users.

• Activities that describe the type of usage to restrict. These include user activities, categories, URL groups, file types, and dynamic categories.

• An action to take when the firewall encounters traffic that matches the rule criteria.

The firewall evaluates rules from highest to lowest. For example, a rule that allows all traffic that precedes a rule that restricts a specific type of traffic takes precedence and the subsequent rule is ignored.

Figure 143: Rules

Migrating Policies from Previous Releases

This release supports up to 128 rules in a single policy. If you are migrating policies from a previous release that contain more than 128 rules, only the first 128 rules will be used.

Web policy rules now support combined activities. These include user activities, categories, URL groups, file types, and dynamic categories. To maintain the overall functionality of the policy, replace blocks of adjacent rules for different activities with a single rule that contains a group of activities. Please delete or consolidate rules as required.

Add Policy

1. Go to Protect > Web > Policies and click Add Policy.

2. Type a name.

3. Click Add Rule.

Tip: To use an existing rule as a template, click the Clone button.

The firewall creates a default rule that blocks all web traffic for all users. The default rule is disabled.

Figure 144: Add Rule

4. Specify users.

a) In the new rule, move the pointer over the users field, click on the user, and then click Add New Item.

b) Clear the Anybody check box.

c) Select users.


Tip: You can filter the type of users to display by clicking Show Only and selecting a user type.

d) Click Apply selected items.


Figure 145: Select Users

5. Specify activities.

These include user activities, categories, URL groups, file types, and dynamic categories.

a) Move the pointer over the activities field and click Add New Item.

b) Clear the All Web Traffic check box.

c) Select activities.

Tip: You can filter the type of activities to display by clicking Show Only and selecting an activity type.

d) Click Apply selected items.

6. In the Action field, specify an action to take when the firewall encounters HTTP traffic that matches the selected criteria.

Select from the following options (where permitted by the action type):

• Allow

• Warn

• Block

7. (Optional) Specify an action to take when the firewall encounters HTTPS traffic that matches the selected criteria.

Note: Follow these steps only if you want to specify an action for HTTPS traffic that is different from the one you specified for HTTP.

a) Move the pointer to the right of the Action list.

The firewall displays the HTTPS Use Action action list.

Figure 146: HTTPS Use Action

b) Select an option.

HTTPS Use Action

• Use Action: Select this option to use the same action that is currently in effect for HTTP traffic. If you specify a different HTTP action at a later time, the HTTPS action will also use that action.

• Allow: Always allow HTTPS traffic that matches the selected criteria.

• Warn: Always display a warning message when encountering HTTPS traffic that matches the selected criteria.

• Block: Always block HTTPS traffic that matches the selected criteria.

8. Move the pointer over the Constraints field and select a schedule.

Tip: You can create a new schedule by clicking Create new and specifying criteria.

9. Click the On/Off switch to enable the rule.

Figure 147: Enable Rule

10. Click and drag the rule handle to position the rule in the hierarchy.

Figure 148: Position Rule

The firewall evaluates rules from highest to lowest. For example, a rule that allows all traffic that precedes a rule that restricts a specific type of traffic takes precedence and the subsequent rule is ignored.

11. Click Advanced Settings and specify settings for the policy.

Enable logging and reporting

Include this policy in logs and reports.

Prevent downloading of large files

Prevent downloading files greater than the size specified.

Restrict login domains for Google Apps

Restrict logging in to Google Apps only on the domains specified.

Enable YouTube for Schools

Restrict YouTube content to videos on YouTube for Schools (a limited EDU-only site) and to those uploaded using the ID specified.

Note: You must have a YouTube school ID to use this setting.


Figure 149: Advanced Settings

User Activities

User activities combine web categories, file types, and URL groups in one container. For example, you can create a user activity to associate spyware and malware with a list of URLs. You can include user activities in web policies to control access to websites or files that match any of the specified criteria.

Add User Activity

1. Go to Protect > Web > User Activities and click Add.

2. Type a name.

3. Click Add New Item and select categories.

Select from the following:

• Web categories

• File types

• URL groups

Note: Categories are evaluated using ‘OR’. Only one category needs to return true in order to match traffic.

Tip: You can filter the type of categories to display by clicking Show: All and selecting a category type.


Figure 150: Add User Activity

Categories

With web categories, you can organize and classify domains in a container. The default categories define some common content types. You can use categories within policies to restrict access to websites.

Add Category

1. Go to Protect > Web > Categories and click Add.

2. Type a name.

3. Specify details.

Classification

Use classifications to group content types. Select from the following options:

Productive

Unproductive

Acceptable

Objectionable

Traffic Shaping Policy

If you want to apply a bandwidth restriction, choose a traffic shaping policy.

Configure Category

Specify domains and keywords for the category using a configuration type. Select from the following options:

Local - Define domains and keywords that are specific to your organization. To import a domain or keyword list, click Choose File and select a text file. To create a domain or keyword list, type a domain or keyword in the Search/Add text box and click the Add button.

External URL Database - An external URL database contains a list of domains that is maintained by a third party. These include, for example, country-specific blacklists and open-source URL categorization lists. To specify an external URL database, type a URL in the Search/Add text box and click the Add button. The firewall checks for updates every two hours.

Acceptable formats: .tar, .gz, .bz, .bz2, and .txt


Figure 151: Add Category

4. Specify Advanced Settings.

Override Default Denied Message

Select this option to define a custom message that will be shown to the user when a website is blocked as a result of this category.

Figure 152: Advanced Settings

Related concepts

Firewall (page 50): Firewall rules are security rule-sets to implement control over users, applications or network objects in an organization. Using firewall rules, you can create blanket or specialized traffic transit rules based on the requirement. This page provides centralized management for the entire set of device firewall rules. Sophos XG Firewall implements a single pane of management to secure all enterprise applications using configuration templates for various rule types.

Traffic Shaping (page 465)

URL Groups

URL groups contain one or more URLs that you can use in web policies to block or allow access to websites.

Add URL Group

1. Go to Protect > Web > URL Groups and click Add.

2. Type a name.

3. Type a URL in the Search/Add text box and click the Add button.


Figure 153: Add URL Group

Exceptions

With exceptions, you can override protection settings for web traffic that matches the specified criteria. For example, you can create an exception to skip HTTPS decryption for sites that contain confidential data. The default set of exceptions specifies some common override behaviors.

Override behaviors now include Sandstorm.

Note: Existing exceptions that skip malware scanning now also skip Sandstorm analysis.

Add Exception

1. Go to Protect > Web > Exceptions and click Add Exception.

2. Type a name.

3. Specify web traffic criteria.

Note: The firewall evaluates all types of criteria specified using the ‘AND’ operator. For example, if you specify URL patterns and website categories, both types must return true in order to match traffic.

However, within each category, criteria are evaluated using ‘OR’.

URL pattern matches

Match web traffic according to the specified URL or pattern, for example, example.com. Regular expressions are allowed here. For example, ^([A-Za-z0-9.-]*\.)?example\.com/ matches all subdomains of example.com.

Note: You must specify pattern matches using ASCII characters. For information about converting non-ASCII characters, refer to RFC 3490, Internationalizing Domain Names in Applications.

Website categories

Match web traffic according to the specified web categories.

Source IP addresses

Match web traffic that originates from the specified IP addresses.

Destination IP addresses

Match web traffic going to the specified IP addresses.


Figure 154: Add Exception

4. Specify an action to skip when the firewall encounters traffic that matches the criteria.

HTTPS Decryption

Do not decrypt HTTPS for traffic that meets the specified criteria.

Note: If you disable HTTPS decryption, the firewall will not perform any other check that relies on decrypted traffic, such as malware scanning or micro-app detection.

However, the firewall will continue to scan HTTP traffic that matches the exception.

Malware Scanning

Do not scan traffic that meets the specified criteria for malware.

Sandstorm

Do not send files that are downloaded using the specified criteria to Sandstorm for analysis.

Policy Checks

Do not check policies for traffic that meets the specified criteria.
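The exception matching described in step 3 (criteria types combined with ‘AND’, values within a type with ‘OR’), the regular-expression URL pattern from the guide and the ASCII-only note all fit in one small matcher. The following Python is an added example, not code from the guide or from Sophos. It assumes that URL patterns are matched against the host and path without the scheme (which is what the guide's pattern, ending in a slash after the host, implies), and it converts the host to its ASCII form with Python's `idna` codec (RFC 3490) before matching. The two exceptions and the requests are constructed.

```python
import ipaddress
import re
from urllib.parse import urlparse


def url_subject(url):
    """Return 'host/path' for pattern matching, with the host converted to
    its ASCII (IDNA, RFC 3490) form so ASCII-only patterns still match."""
    parts = urlparse(url)
    host = (parts.hostname or "").encode("idna").decode("ascii")
    return host + (parts.path or "/")


class WebException:
    """One exception: criteria of different types are ANDed, values within
    one type are ORed; `skip` names the checks the exception switches off."""

    def __init__(self, name, skip, url_patterns=(), categories=(),
                 source_ips=(), destination_ips=()):
        self.name = name
        self.skip = frozenset(skip)
        self.url_patterns = [re.compile(p) for p in url_patterns]
        self.categories = frozenset(categories)
        self.source_nets = [ipaddress.ip_network(n, strict=False) for n in source_ips]
        self.destination_nets = [ipaddress.ip_network(n, strict=False) for n in destination_ips]

    def matches(self, url, category, src_ip, dst_ip):
        results = []                     # one boolean per criterion type in use
        if self.url_patterns:
            subject = url_subject(url)
            results.append(any(p.search(subject) for p in self.url_patterns))
        if self.categories:
            results.append(category in self.categories)
        if self.source_nets:
            results.append(any(ipaddress.ip_address(src_ip) in n for n in self.source_nets))
        if self.destination_nets:
            results.append(any(ipaddress.ip_address(dst_ip) in n for n in self.destination_nets))
        return bool(results) and all(results)


def skipped_checks(exceptions, url, category, src_ip, dst_ip):
    """Union of the checks skipped by every matching exception, sorted."""
    skipped = set()
    for exc in exceptions:
        if exc.matches(url, category, src_ip, dst_ip):
            skipped |= exc.skip
    return sorted(skipped)


SUBDOMAINS_OF_EXAMPLE = r"^([A-Za-z0-9.-]*\.)?example\.com/"   # pattern quoted in the guide

# Constructed exceptions.
EXCEPTIONS = [
    WebException("no decryption for example.com", {"HTTPS Decryption"},
                 url_patterns=[SUBDOMAINS_OF_EXAMPLE]),
    WebException("no scanning for the lab subnet on finance/health sites",
                 {"Malware Scanning", "Sandstorm"},
                 categories=["Finance", "Health"], source_ips=["10.10.1.0/24"]),
]

if __name__ == "__main__":
    for url, cat, src in [
        ("https://www.example.com/login", "Finance", "10.10.1.5"),
        ("https://www.example.com/login", "Finance", "10.20.0.5"),
        ("https://example.com.evil.test/", "News", "10.10.1.5"),
        ("https://bücher.example.com/katalog", "Shopping", "10.20.0.5"),
    ]:
        print(url_subject(url), skipped_checks(EXCEPTIONS, url, cat, src, "203.0.113.7"))
```

Two details are worth checking against your own exceptions: the second request shows the ‘AND’ rule (the category matches, but the source subnet does not, so nothing is skipped by the second exception), and the third shows why the guide's pattern ends in a slash: `example.com.evil.test` does not match because the literal `example.com/` never occurs. The last request shows the ASCII note in practice; the host is matched as `xn--bcher-kva.example.com`, so a pattern written with the non-ASCII name would not match it.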

Protection

The firewall provides several methods for protecting against threats and inappropriate web usage. Use these settings to configure how the firewall scans content for malware and to enable other protection features.

Malware Scanning

Configure general restrictions for scanning and restricting traffic by type and protocol.

Scan Engine Selection

Specify the type of scanning to apply.

Note: If you are using Sandstorm, set the single-scan engine to Sophos or select dual-engine scanning.

Available Options:

• Single Engine: Scan traffic using the primary anti-virus engine (by default, Sophos). This selection offers optimal performance.

• Dual Engine: Scan traffic using both engines, first by the primary and then by the secondary. Using this setting increases security, but may affect performance.

Malware Scan Mode

Specify batch or real-time scanning for HTTP/HTTPS traffic.

In batch mode, virus scanning will start only after the entire file has been downloaded. While this mode offers maximum protection, it may result in slower performance. Switch to real-time scanning to improve performance.

Content that could not be scanned

Specify an action to take when the firewall encounters content that could not be scanned.

Note: Files that cannot be fully scanned because they are encrypted or corrupted may contain undetected threats. Blocking offers the best protection.

Do not scan files larger than

Specify the maximum size of files to be scanned for HTTP(S), in MB. Files that exceed this setting will not be scanned.

Acceptable range: 1 to 256 MB

Default: 1 MB

Note: If you are using Sandstorm, this value has been reset to the recommended minimum value.

Maximum file scan size for FTP

Specify the maximum size of files to be scanned for FTP, in MB. Files that exceed this setting will not be scanned.

Acceptable range: 1 to 204 MB

Default: 1 MB

Scan audio and video files

Scan audio and video content for malware and threats. Scanning may cause issues with streaming audio and video.

Enable pharming protection

Pharming attacks redirect users from legitimate websites to fraudulent websites that have been created to look like the legitimate site.

Protect users against pharming and other domain name poisoning attacks by repeating DNS lookups before connecting.

Search Engine Enforcement

Enforce SafeSearch

Block websites that contain sexually explicit content from Google, Yahoo, and Bing search results.


Note: This setting is applicable only when the ‘No Explicit Content’ web policy is set to ‘Block’.

Enforce additional image filters

Restrict image search results to images with a Creative Commons license.

HTTPS Decryption and Scanning

HTTPS Scanning Certificate Authority (CA)

Specify the certificate authority for securing scanned HTTPS connections.

Block unrecognized SSL protocols

Prevent traffic that avoids HTTPS scanning by using invalid SSL protocols.

Block invalid certificates

Connect only to sites with a valid certificate.

Advanced

Configure advanced web protection such as caching behavior and proxy settings.

Web Content Caching

Enable web content cache

Keep a copy of frequently visited sites to reduce bandwidth consumption and improve performance.

Always cache Sophos Endpoint updates

Keep a copy of Sophos Endpoint updates to improve performance on your network.

Note: If this option is disabled you may experience network congestion when many endpoints attempt to download updates from the Internet at the same time.

Web Proxy Configuration

The firewall intercepts traffic transparently and enforces web protection (for example, policies and malware scanning) when the web proxy service is enabled for a network zone. By default, the service is enabled for LAN and WiFi zones. In transparent mode, the firewall allows HTTP traffic on port 80 and HTTPS traffic on port 443 only.

However, you can also configure the firewall to act as a proxy for configured web browsers by specifying a web proxy listening port. Users who are behind the proxy must specify the LAN or WiFi address and port in the web proxy configuration settings of their browsers. (Refer to the browser documentation for details.)

Specify the web proxy listening port and allowed destination ports when you want the firewall to act as a web proxy for configured web browsers.

Note: IPS policy is applicable on the traffic between proxy and WAN, but not between user and proxy.

Note: Traffic shaping policy is not applicable on the direct proxy traffic.

Web Proxy Listening Port

Specify the port on which the web proxy will listen for HTTP connection requests.

Allowed Destination Ports

The firewall may receive requests to connect to remote servers using a non-standard port. Specify the ports on which the proxy will allow connection. (This setting applies only when the web proxy listening port is set.)

CAUTION: Allowing connection on non-standard ports may pose a security risk.


File Types

A file type is a classification that is determined by file extension and MIME header. You can include file types in web policies to control access to files that match the specified criteria. The default file types contain some common criteria and you can create additional types.

Using File Types with Policy Rules

You can create file types to control access to files on a more granular level. For example, you may want to allow access to SQL files but deny access to all other database files. In this case, you would create a file type for SQL files and a policy that specifies the following rules in the following order:

1. Allow access to SQL files

2. Block access to all database files
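The two-rule policy above only works because of rule order: the Policies section earlier states that rules are evaluated from highest to lowest and that the first match wins. The following Python is an added example, not code from the guide or from Sophos, of that evaluation applied to file types (matched by extension or MIME header, as the File Types section defines them). The file-type definitions, user names and URLs are constructed; the guide does not state what happens when no rule matches, so the evaluator returns `None` in that case rather than assuming an action.

```python
import posixpath
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class FileType:
    """A file type is determined by file extension and MIME header."""
    name: str
    extensions: frozenset
    mime_types: frozenset

    def matches(self, url, content_type):
        ext = posixpath.splitext(urlparse(url).path)[1].lstrip(".").lower()
        mime = content_type.split(";")[0].strip().lower()   # drop charset etc.
        return ext in self.extensions or mime in self.mime_types


class AllWebTraffic:
    """The activity the default rule is created with."""
    name = "All Web Traffic"

    def matches(self, url, content_type):
        return True


@dataclass
class Rule:
    users: frozenset       # {"Anybody"} or specific user/group names
    activities: tuple      # objects with matches(url, content_type); any one suffices
    action: str            # "Allow", "Warn" or "Block"
    enabled: bool = True


def evaluate_policy(rules, user, url, content_type):
    """First enabled rule, top to bottom, whose users and any activity match
    decides the action; later rules are ignored."""
    for rule in rules:
        if not rule.enabled:
            continue
        if "Anybody" not in rule.users and user not in rule.users:
            continue
        if any(act.matches(url, content_type) for act in rule.activities):
            return rule.action
    return None   # no rule matched (behaviour not stated by the guide)


# Constructed file types; the extension and MIME lists are illustrative.
SQL_FILES = FileType("SQL files", frozenset({"sql"}), frozenset({"application/sql"}))
DATABASE_FILES = FileType(
    "Database files",
    frozenset({"sql", "db", "mdb", "accdb", "sqlite"}),
    frozenset({"application/sql", "application/vnd.ms-access", "application/x-sqlite3"}),
)

ORDERED_RULES = (
    Rule(frozenset({"dba"}), (SQL_FILES,), "Allow"),           # 1. allow SQL files (DBA only)
    Rule(frozenset({"Anybody"}), (DATABASE_FILES,), "Block"),  # 2. block all database files
    Rule(frozenset({"Anybody"}), (AllWebTraffic(),), "Block", enabled=False),  # disabled default rule
)
# The same two rules in the wrong order: the block rule now shadows the allow rule.
REVERSED_RULES = (ORDERED_RULES[1], ORDERED_RULES[0], ORDERED_RULES[2])

if __name__ == "__main__":
    req = ("https://files.example.com/schema.sql", "application/sql")
    print("dba, ordered:  ", evaluate_policy(ORDERED_RULES, "dba", *req))
    print("dba, reversed: ", evaluate_policy(REVERSED_RULES, "dba", *req))
    print("alice, ordered:", evaluate_policy(ORDERED_RULES, "alice", *req))
```

The last check in the test below is the one that matters for file types: a download served from a URL with no extension is still caught by the MIME header, so a policy that relies on extensions alone would miss it.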

Add File Type

1. Go to Protect > Web > File Type and click Add.

2. Type a name.

3. (Optional) Select a template.

You can select from predefined or custom file types. If you do not wish to use a template, choose Blank.

4. Specify the file extension and MIME header.

Figure 155: Add File Type

Surfing Quotas

Surfing quota policy allows you to assign the duration of Internet surfing time to users and groups.

• Duration of Internet access can be cyclic or non-cyclic.

• You can apply the surfing quota policy to users.

The device is shipped with the following predefined policies. Predefined policies can be applied straight away to users and groups.

• Unlimited Internet Access

• 1 Month Unlimited Access

• 1 Month 100 hours

• Monthly 100 hours Cyclic

• Daily 1 hour Cyclic

• Weekly 7 hours Cyclic

Note:

1. Users generally belong to a group. If the surfing quota policy applied to the user differs from the one applied to the user’s group, the user’s policy takes priority.

2. For details of policies and rules to which the surfing quota policy can be applied, view the following diagram.


Add Surfing Quota

To assign the duration of Internet surfing time to users and groups, you can create surfing quota policies. These policies are then applied to users (Configure > Authentication > Users) and groups (Configure > Authentication > Groups).

The Add Surfing Quota Policy page allows you to create a surfing quota policy.

1. Go to Protect > Web > Surfing Quotas or System > Profiles > Surfing Quotas and click Add on the upper right side.

Note: Surfing Quota policies can also be created when applying the policy to users or groups from the respective pages. The Surfing Quota page displays the full list of predefined and custom policies.

2. Enter the details.

Name

Enter a unique name to identify the policy.

Description

Enter a description for the surfing quota policy.

Cycle Type

Select the cycle type.

Available Options:

• Cyclic: Duration of Internet access recurs for each cycle.

• Non-Cyclic: When the specified time limit ends, the user is disconnected.

Cycle Hours (available only if Cycle Type is Cyclic)

Specify the cycle hours in hours and minutes. Select the cycle from the drop-down list. Cycle hours define the upper limit of surfing hours for daily, weekly, monthly or yearly cycles.

At the end of each cycle, cycle hours are reset to zero.

Example: If cycle hours specified are 7 hours 30 minutes for a daily cycle, they are reset to zero at the end of each day whether cycle hours are fully or partially used or remain unused.

Validity

Select Unlimited if you do not want to restrict the validity period. Clear the check box to specify the validity period of Internet access.

Maximum Hours

Select Unlimited if you do not want to restrict the maximum allowed surfing duration. Clear the check box to specify the maximum duration (in hours and minutes) of surfing time allowed across the validity period.

Example: Cyclic Policy

Cycle Hours: 5 hours per day

Validity: 5 days

Maximum Hours: 20 hours

If the user accesses Internet for 5 hours each day, the user will have used 20 hours of Internet access by the end of the fourth day and hence will be disconnected.

Example: Non-Cyclic Policy

Validity: 10 days

Maximum Hours: 10 hours

The user is disconnected at the end of 10 hours even if the validity period does not expire.
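The two worked examples above (cyclic and non-cyclic) follow from three interacting limits: cycle hours reset at the end of each cycle, maximum hours accumulate across the validity period, and validity ends access regardless of what remains. The following Python simulation is an added example, not code from the guide or from Sophos; it models only a daily cycle (the guide also offers weekly, monthly and yearly cycles) and takes the user's intended surfing time per day as constructed input. It reproduces both of the guide's examples and adds a case where validity expires before the maximum is reached.

```python
def simulate_surfing_quota(requested_hours, cyclic, cycle_hours=None,
                           validity_days=None, maximum_hours=None):
    """Grant surfing time day by day under one surfing quota policy.

    requested_hours: hours the user tries to surf on day 1, 2, ...
    cyclic: True models a daily cycle (cycle_hours reset to zero each day);
            False models a non-cyclic policy with no per-day cap.
    Returns the hours granted per day, the running total and, as
    (day, reason), the day at whose end the user is cut off (None if never).
    """
    granted, total, cutoff = [], 0, None
    for day, wanted in enumerate(requested_hours, start=1):
        if validity_days is not None and day > validity_days:
            if cutoff is None:
                cutoff = (validity_days, "validity expired")
            granted.append(0)
            continue
        allowed = wanted
        if cyclic and cycle_hours is not None:
            allowed = min(allowed, cycle_hours)             # per-cycle upper limit
        if maximum_hours is not None:
            allowed = min(allowed, maximum_hours - total)   # limit across the validity period
        allowed = max(allowed, 0)
        granted.append(allowed)
        total += allowed
        if maximum_hours is not None and total >= maximum_hours and cutoff is None:
            cutoff = (day, "maximum hours reached")
    return {"granted": granted, "total": total, "cutoff": cutoff}


if __name__ == "__main__":
    # Guide's cyclic example: 5 hours/day, validity 5 days, maximum 20 hours.
    print(simulate_surfing_quota([5] * 6, cyclic=True, cycle_hours=5,
                                 validity_days=5, maximum_hours=20))
    # Guide's non-cyclic example: validity 10 days, maximum 10 hours.
    print(simulate_surfing_quota([3, 4, 5, 6], cyclic=False,
                                 validity_days=10, maximum_hours=10))
```

In the first run the user exhausts 20 hours at the end of day 4, exactly as the guide describes; day 5 is still inside the validity period but grants nothing because the maximum is used up. A light user under the same policy (the second assertion below) never reaches the maximum and is instead cut off when validity ends after day 5.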


Figure 156: Add Surfing Quota Policy

3. Click Save.

User Notifications

The firewall displays notifications to users when a web policy is set to block access or warn before connecting. Use these settings to create and preview notifications.

To specify an image to display on notification pages, enable the Use custom images check box and choose images.

To create a block notification, enable the Use custom block message check box and type a message.

To create a warning notification, enable the Use custom warn message check box and type a message.

You can preview current messages by clicking the preview links.

Applications

This section provides facilities to control and manage the applications shipped with the device.

The following pages are accessible:

• Application List (page 149): Displays all applications available for use.

• Application Filter (page 150): Enables you to control access to the applications.

• Traffic Shaping Default: Apply a traffic shaping policy to the application category or to an individual application within the category.

Application List

This page displays all the applications available for use.

The device can identify and control applications that use standard ports, non-standard ports, or port hopping, or that tunnel through encrypted SSL traffic. This feature enables prioritization of applications based on user identity, time, and bandwidth, allowing great flexibility, visibility, and control. The device also provides implementation of application-based bandwidth management, accelerating critical applications while blocking malware-laden sites through web filtering. Organizations can group applications as per their requirements into business-critical, entertainment, communication, or collaboration, and can control access through security policies.

Note: You need a subscription to Web Protection before you can use this feature. Check its features by taking a free trial. (See System > Administration > Licensing)


The device is shipped with a set of predefined applications. These applications are classified based on their risk level, characteristics and technology, offering more granular controls.

The total number of application signatures included depends on the Application Signatures Database used by the device.

The application list can be filtered based on name of the application, category of the application, risk, characteristics, and technology.

Application Filter

This page displays a list of all the predefined and custom policies.

An Application Filter Policy controls a user’s application access. It specifies which user has access to which applications and allows you to define powerful security policies based on almost limitless policy parameters like:

• Individual users

• Groups of users

• Time of day

The device is shipped with the following predefined policies for application filters to address common use cases:

Allow All: By default, allows access to all the categories except the specified categories. Access to the specified categories depends on the strategy defined for each category.

Deny All: By default, denies access to all the categories except the specified categories. Access to the specified categories depends on the strategy defined for each category.

Block filter avoidance apps: Drops traffic from applications that tunnel other applications, proxy and tunnel applications, and from applications that can bypass firewall policy. These applications allow users to anonymously browse the Internet by connecting to servers on the Internet via encrypted SSL tunnels. This, in turn, enables users to bypass network security measures.

Block generally unwanted apps: Drops generally unwanted application traffic. This includes applications such as file transfer, proxy & tunnel, risk prone, peer to peer networking (P2P) and applications that cause loss of productivity.

Block high risk (Risk Level 4 and 5) apps: Drops traffic from applications that are classified under 'high risk' applications (Risk Level- 4 and 5).

Block peer to peer (P2P) networking apps: Drops traffic from applications that are categorized as P2P applications. P2P can be a mechanism for distributing bots, spyware, adware, Trojans, rootkits, worms and other types of malware. It is generally advised to block P2P applications in your network.

Block very high risk (Risk Level 5) apps: Drops traffic from applications that are classified under 'very high risk' applications (Risk Level- 5).

These predefined policies are immediately available for use. You can also define custom policies to specify different levels of access for different users to meet your organization’s requirements.

The page also provides options to add a new policy, update the parameters of an existing policy, delete a policy, add a filtering rule to a policy, or delete a filtering rule attached to a policy.

Note: You cannot edit/delete Allow All and Deny All predefined policies.

Add Application Filter Policy

This page lets you configure custom policies to define different levels of access for different users to meet your organization’s requirements.

The Add page allows you to manually configure policies.

1. Go to Protect > Applications > Application Filter and click Add.

2. Enter the Application Filter Policy details.

Name

Enter a name to identify the Application Filter Policy.

Description

Enter description for the Application Filter Policy.

Enable Micro App Discovery

Enable this option to scan and classify micro-apps that use the HTTP protocol for communication. Micro-apps are applications that are used within web browsers.

To allow or deny micro-apps, you need to specify the action accordingly.

Refer to Appendix D - Supported Micro-Apps for more details on supported applications.

Template

Select template for the Application Filter Policy.


Figure 157: Application Filter

3. Click Save.

4. Once the policy is added, next step is to add a rule for configuring filtering criteria.

Note:

• Rules can be added for custom policies only.

• If Micro App Discovery is enabled, the SSL CA certificate has to be imported on the clients to avoid certificate errors.

Add Application Filter Policy Rules

Use the Add Application Filter Policy Rules page to configure a new rule for Application Filter Policy.

The Add Application Filter Policy Rules page allows you to manually configure a new rule.

1. Go to Protect > Applications > Application Filter and click .

2. Click Add under Application Filter Policy.

3. Enter the application filter details.

Category

Select Application Category from the list of available categories.

Risk

Select the level of risk from the available options:

• Select All

• 1 - VERY LOW

• 2 - LOW

• 3 - MEDIUM

• 4 - HIGH

• 5 - VERY HIGH

Characteristics

Select the characteristics from the available options:

• Select All

• Excessive Bandwidth

• Prone to misuse

• Transfer files

• Tunnels other apps

• Vulnerabilities

• Widely used

• Loss of productivity

• Can bypass firewall policy

Technology

Select the technology from the available options:

• Select All

• Browser Based

• Client Server

• Network Protocol

• P2P

Figure 158: Application Filter Criteria

4. Enter the list of matching applications.

Select All

Click to select all the Applications from the list.

Applications are available based on the Application Filter Criteria.

Select Individual Application

Click to select the Applications from the list.

Applications are available based on the Application Filter Criteria.

Search

Specify the name of the application in the textbox to be searched.

This option is available, only if option "Select Individual Application" is selected.

Name

Displays name of the Applications under the Category selected. You can also select more than one application using the checkbox.

Description

Displays description of the Application.

Category

Displays category of the Application.

Risk

Displays the risk factor involved with the Application.


Characteristics

Displays the characteristics of the Application.

Technology

Displays the technology utilized for the Application.

Figure 159: List of Matching Applications

5. Enter the action you want to perform.

Action

Select an Action for the Policy from the available options:

• Allow

• Deny

Schedule

Select schedule from the list available in the dropdown list.

Figure 160:

6. Click Save.
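The procedure above builds a rule from the Category, Risk, Characteristics and Technology criteria, a list of matching applications, and an Allow or Deny action. The following Python model, added here as an illustration and not the firewall's own code, reproduces that selection logic and expresses the predefined "Block high risk", "Block very high risk" and "Block P2P" policies as rules; the application catalog is constructed, and first-match rule order with a default Allow are assumptions.

```python
"""Model of how an Application Filter Policy rule selects its matching
applications (Category, Risk, Characteristics, Technology) and applies an
Allow or Deny action. The rule/policy classes and the application catalog
are constructed for illustration and are not the firewall's own objects;
rule order and the default action are assumptions."""
from dataclasses import dataclass, field
from typing import FrozenSet, List

RISK_LEVELS = {1: "VERY LOW", 2: "LOW", 3: "MEDIUM", 4: "HIGH", 5: "VERY HIGH"}


@dataclass(frozen=True)
class App:
    name: str
    category: str
    risk: int                        # 1 (very low) .. 5 (very high)
    characteristics: FrozenSet[str]
    technology: str                  # Browser Based / Client Server / Network Protocol / P2P


@dataclass
class Rule:
    action: str                                 # "Allow" or "Deny"
    categories: FrozenSet[str] = frozenset()    # empty == "Select All"
    risks: FrozenSet[int] = frozenset()
    characteristics: FrozenSet[str] = frozenset()
    technologies: FrozenSet[str] = frozenset()
    apps: FrozenSet[str] = frozenset()          # "Select Individual Application" names

    def matches(self, app: App) -> bool:
        """An empty criterion means Select All. Characteristics match if the app
        has at least one of the selected characteristics (assumption)."""
        if self.categories and app.category not in self.categories:
            return False
        if self.risks and app.risk not in self.risks:
            return False
        if self.characteristics and not (app.characteristics & self.characteristics):
            return False
        if self.technologies and app.technology not in self.technologies:
            return False
        if self.apps and app.name not in self.apps:
            return False
        return True

    def matching_apps(self, catalog) -> List[str]:
        """The 'List of Matching Applications' shown for the selected criteria."""
        return sorted(a.name for a in catalog if self.matches(a))


@dataclass
class Policy:
    name: str
    rules: List[Rule] = field(default_factory=list)
    default_action: str = "Allow"     # assumption: unmatched traffic is allowed

    def decide(self, app: App) -> str:
        for rule in self.rules:       # assumption: first matching rule wins
            if rule.matches(app):
                return rule.action
        return self.default_action


# Constructed sample catalog (names are made up, not real application signatures).
CATALOG = [
    App("ExampleTorrent", "File Transfer", 5,
        frozenset({"Excessive Bandwidth", "Transfer files", "Prone to misuse"}), "P2P"),
    App("ExampleVideo", "Streaming Media", 2,
        frozenset({"Excessive Bandwidth", "Loss of productivity"}), "Browser Based"),
    App("ExampleTunnel", "Proxy and Tunnel", 4,
        frozenset({"Tunnels other apps", "Can bypass firewall policy"}), "Client Server"),
    App("ExampleDNS", "Infrastructure", 1, frozenset({"Widely used"}), "Network Protocol"),
]

# The page's predefined policies expressed as single Deny rules.
BLOCK_HIGH_RISK = Policy("Block high risk (Risk Level 4 and 5) apps",
                         [Rule("Deny", risks=frozenset({4, 5}))])
BLOCK_VERY_HIGH_RISK = Policy("Block very high risk (Risk Level 5) apps",
                              [Rule("Deny", risks=frozenset({5}))])
BLOCK_P2P = Policy("Block peer to peer (P2P) networking apps",
                   [Rule("Deny", technologies=frozenset({"P2P"}))])


def decisions(policy: Policy, catalog=CATALOG) -> dict:
    """Map every application in the catalog to the policy's decision."""
    return {app.name: policy.decide(app) for app in catalog}


if __name__ == "__main__":
    for policy in (BLOCK_HIGH_RISK, BLOCK_VERY_HIGH_RISK, BLOCK_P2P):
        print(policy.name, decisions(policy))
```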

Traffic Shaping Default

The Traffic Shaping Default page allows you to view the list of all application categories. This page also provides the option to edit the category or application to apply a traffic shaping policy.

The applications shipped with the device are grouped into categories. These categories can be used in filtering policy and bandwidth restriction can be applied to the category or to the individual application within the category.

The categories list can be filtered based on the name of the category. Use the toggle beside the category name to expand and collapse the list of applications grouped in the respective category.

Configure Traffic Shaping Policy for Category or Application

Use this page to configure traffic shaping policy.

This page allows you to configure traffic shaping policy for category or application.

1. Go to Protect > Applications > Traffic Shaping Default and click .

2. Enter the details.

Name

Displays the name of the Application Filter Category or Application.

Traffic Shaping Policy

Select a policy or click Create new to create a new traffic shaping policy for the application/application category.

Traffic Shaping policy allocates and limits the bandwidth usage of the user, web category, application category.

3. Click Save.

Wireless

Wireless Protection allows you to configure the following:

Wireless Networks: Create and manage Wireless Networks.

Mesh Networks: Create and manage Mesh Networks.

Access Points: Provides an overview of the access points known to the device.

Access Point Groups: Allows you to organize access points in groups.

Hotspots: Add/remove Hotspots and apply filtering policies.

Hotspot Voucher Definition: Manage different voucher definitions for Hotspot access vouchers.

Rogue AP Scan: Schedule scanning to discover authorized APs and rogue APs.

Wireless Client List

The Wireless Client List page displays a live snapshot of currently managed APs, broadcasted SSIDs (wireless networks), wireless clients connected through SSID to AP and mesh networks.

Show by SSID/Show by AP

The administrator can filter currently connected clients by Access Point or SSID.

The following details are displayed for each SSID/AP: name, IP address, MAC address, signal, last data transfer rate, connection time, frequency, vendor.


Figure 161: Wireless Client List

Wireless Networks

The Wireless Networks menu allows managing the wireless networks connected to the device.

Note: You can also view the wireless network status on the Protect > Wireless > Wireless Client List page.

The page provides a list of all configured wireless networks along with their name, SSID, status, client traffic mode, encryption mode used and frequency band.

Figure 162: Wireless Networks List

Add a New Wireless Network

This page describes how to add a new wireless network.

Newly created wireless networks can be used in definitions for access points and access point groups.

1. Go to Protect > Wireless > Wireless Networks and click the Add button.

2. Specify the General Settings.

Name

Specify a descriptive name for the network.

Description

Enter a description for the wireless network that helps you to identify it.

SSID

Enter the Service Set Identifier (SSID) for the network, which will be seen by clients and allow them to identify the wireless network. The SSID may consist of 1-32 ASCII printable characters.

Security Mode

Select a security mode from the drop-down list.

Default: WPA 2 Personal.

Note: We recommend using WPA2. For security reasons, we recommend not to use WEP unless there are clients using your wireless network that do not support one of the other methods.

When using an enterprise authentication method, you also need to configure a RADIUS server on the Configure > Authentication > Servers page. As the NAS ID of the RADIUS server, enter the wireless network name.

Note: Sophos XG Firewall supports the IEEE 802.11r standard in WPA2 (PSK/Enterprise) networks to reduce roaming times. Clients also need to support the IEEE 802.11r standard.

Passphrase/PSK (available only if WPA Personal, WPA2 Personal, or WPA2/WPA Personal security mode is selected)

Specify the passphrase to protect the wireless network from unauthorized access and repeat it in the Confirm Passphrase/PSK field. The passphrase may consist of 8-63 ASCII printable characters.

Key (available only if WEP Open security mode is selected)

Specify a WEP key that consists of exactly 26 hexadecimal characters.

Client Traffic

From the dropdown list select how the wireless network is to be integrated into your local network.

Available options:

• Separate Zone

• Bridge to AP LAN

• Bridge to VLAN

Default: Separate Zone.

Separate Zone

The wireless network is handled as a separate network, having an IP address range of its own. Using this option, after adding the wireless network, proceed as described in the chapter Next Steps for Separate Zone Networks.

Note: When switching an existing Separate Zone network to Bridge to AP LAN or Bridge to VLAN, a previously configured WLAN interface will be deleted.

Zone

From the dropdown list select a zone where the wireless network should be broadcast.


Default: WiFi.

IP Address

Assign an IP address to the wireless network.

Netmask

Select a subnet mask for the IP address.

Bridge to AP LAN

You can bridge a wireless network into the network of an access point, which means that wireless clients share the same IP address range. Using this option, after adding the wireless network, proceed as described in the chapter Next Steps for Bridge to AP LAN Networks.

Bridge to VLAN (not available for local WiFi devices)

You can decide to have this wireless network's traffic bridged to a VLAN of your choice. This is useful when you want access points to be in a common network separate from the wireless clients.

Bridge to VLAN ID

Specify the VLAN ID of the network that the wireless clients should be part of.

Client VLAN ID (only available with an enterprise security mode)

Select how the VLAN ID is defined.

Static: Uses the VLAN ID defined in the Bridge to VLAN ID field.

RADIUS & Static: Uses the VLAN ID delivered by your RADIUS server: When a user connects to one of your wireless networks and authenticates at your RADIUS server, the RADIUS server tells the access point what VLAN ID to use for that user. Thus, when using multiple wireless networks, you can define per user who has access to which internal networks. If a user does not have a VLAN ID attribute assigned, the VLAN ID defined in the Bridge to VLAN ID field is used.


Figure 163: Add Wireless Network

3. Specify the Advanced Settings.

Encryption (available only if the WPA, WPA2, or WPA2/WPA encryption mode is selected)

Select an encryption algorithm, which can be AES, TKIP or TKIP&AES.

Note: For security reasons and better performance, we recommend using AES.

Frequency Band

Access points assigned to this wireless network will transmit on the selected frequency band(s).

The 5 GHz band generally has higher performance, lower latency, and is typically less disturbed. Hence it should be preferred for latency-sensitive traffic such as VoIP communication.

Time-based Access

Select this checkbox to enable the wireless network access according to a time schedule.

Select Active Time (available only if Time-based Access is selected)

Select a schedule definition which determines when the wireless network is enabled. You can add a new schedule definition by clicking Add New Item.

Client Isolation

Clients within a network usually can communicate with one another. If you want to prevent this, for example in a guest network, select Enabled from the drop-down list.

Hide SSID

If you want to hide the wireless network's SSID, select the Enable checkbox. Please note that this is not a security feature.

Fast Transition (available only if WPA2 Personal/Enterprise security mode is selected)

Wireless networks with WPA2 security use the IEEE 802.11r standard. If you want to prevent this, select Disabled from the drop-down list.

MAC Filtering

To restrict the MAC addresses allowed to connect to this wireless network, select Blacklist or Whitelist. With Blacklist, all MAC addresses are allowed except those listed on the MAC List. With Whitelist, all MAC addresses are prohibited except those listed on the MAC List. MAC hosts added under System > Hosts and Services > MAC Host will be displayed in the MAC List.


Figure 164: Wireless Network Advanced Settings

4. Click Save.

Next Steps for Separate Zone Networks

This page describes how to configure a separate zone network.


When you add a wireless network with the option Separate Zone, a new corresponding virtual hardware interface will be added automatically, e.g., wlnet1. To be able to use the wireless network, some further manual configuration steps are required.

1. Enable DHCP for the wireless clients.

For your clients to be able to connect to Sophos XG Firewall, they need to be assigned an IP address and a default gateway. Therefore, on the Protect > Network > DHCP page, set up a DHCP server for the interface.

2. Create a network policy on the Policies page to provide Internet access to the wireless clients.

You can now assign the wireless network to the AP at Protect > Wireless > Access Points.

Bridge to AP LAN Networks with Local Devices

For Local Wi-Fi Devices you need to configure some extra settings to enable bridging for the AP LAN.

1. Edit the Local Wi-Fi Device on the Protect > Wireless > Access Points page and select the wireless network.

2. Either create a new bridge interface on the Protect > Network > Interfaces page to use the wireless interface in bridge mode, or edit the interface on the Configure > Network > Interfaces page, select a zone and provide an IP address to use the interface in gateway mode.

3. If you want to use the interface in gateway mode, create a DHCP server on the Protect > Network > DHCP page so that the client can receive an IP.

Wireless clients can now connect to the wireless network.

Access Point Overview

This page provides an overview of the access points (AP) known to the system.

Access Point Types

Sophos XG Firewall currently provides the following types of dedicated access points:

Table 1:

| Name    | Standards        | Band                             | FCC regulatory domain (mainly US) | ETSI regulatory domain (mainly Europe) |
|---------|------------------|----------------------------------|-----------------------------------|----------------------------------------|
| AP 5    | 802.11b/g/n      | 2.4 GHz                          | Channels 1-11                     | Channels 1-13                          |
| AP 10   | 802.11b/g/n      | 2.4 GHz                          | Channels 1-11                     | Channels 1-13                          |
| AP 15   | 802.11b/g/n      | 2.4 GHz                          | Channels 1-11                     | Channels 1-13                          |
| AP 15c  | 802.11b/g/n      | 2.4/5 GHz dual-band/single-radio | Channels 1-11, 36-48, 149-165     | Channels 1-13, 36-48                   |
| AP 30   | 802.11b/g/n      | 2.4 GHz                          | Channels 1-11                     | Channels 1-13                          |
| AP 50   | 802.11a/b/g/n    | 2.4/5 GHz dual-band/dual-radio   | Channels 1-11, 36-48, 149-165     | Channels 1-13, 36-64, 100-116, 132-140 |
| AP 55   | 802.11a/b/g/n    | 2.4/5 GHz dual-band/dual-radio   | Channels 1-11, 36-48, 149-165     | Channels 1-13, 36-64, 100-116, 132-140 |
| AP 55C  | 802.11a/b/g/n    | 2.4/5 GHz dual-band/dual-radio   | Channels 1-11, 36-48, 149-165     | Channels 1-13, 36-64, 100-116, 132-140 |
| AP 100  | 802.11a/b/g/n/ac | 2.4/5 GHz dual-band/dual-radio   | Channels 1-11, 36-48, 149-165     | Channels 1-13, 36-64, 100-116, 132-140 |
| AP 100C | 802.11a/b/g/n/ac | 2.4/5 GHz dual-band/dual-radio   | Channels 1-11, 36-48, 149-165     | Channels 1-13, 36-64, 100-116, 132-140 |

Sophos XG Firewall also provides the following dedicated outdoor access points:

Table 2:

| Name    | Standards        | Band                           | FCC regulatory domain (mainly US)      | ETSI regulatory domain (mainly Europe) |
|---------|------------------|--------------------------------|----------------------------------------|----------------------------------------|
| AP 100X | 802.11a/b/g/n/ac | 2.4/5 GHz dual-band/dual-radio | Channels 1-11, 36-64, 100-116, 132-140 | Channels 1-13, 100-116, 132-140        |

Sophos XG Firewall also provides the following Wi-Fi Remote Ethernet Devices:

Table 3:

| Name    | Standards     | Band                |
|---------|---------------|---------------------|
| RED 15w | 802.11a/b/g/n | 2.4/5 GHz dual-band |

Sophos XG Firewall also provides the following local Wi-Fi devices:

Table 4:

| Name         | Standards        | Band                |
|--------------|------------------|---------------------|
| SG 105w/115w | 802.11a/b/g/n    | 2.4/5 GHz dual-band |
| SG 125w/135w | 802.11a/b/g/n/ac | 2.4/5 GHz dual-band |

Note: Because of the channel bandwidth on APs with the ac standard, there may be an automatic channel change in some cases. For example, if you select channel 36, the AP could choose channel 40 instead because it provides a better connection. The channel shown on the Access Points page represents the primary channel. This can affect all AP 100 appliances (AP 100, AP 100C and AP 100X) and all SG appliances with integrated access points (SG 105w/115w and SG 125w/135w).

Access Points

The Access Points menu allows you to manage the access points (AP) known to the system.

Sophos XG Firewall distinguishes between active, inactive and pending APs. To make sure that only genuine APs connect to your network, APs need to be authorized first.

Access points can be temporarily disabled. When an AP is physically removed from your network, you can delete it from the table by clicking the Delete button. As long as the AP remains connected to your network, it will automatically re-appear in the Pending Access Points list after deletion. Sophos XG Firewall appliances with onboard Wi-Fi cannot be deleted from the AP list.

Protect > Wireless > Access Points

This page displays a list of all the active/inactive access points as well as a list of all the pending access points. It provides options to edit or delete access points and to accept pending access points. You can also view access points on the Protect > Wireless > Wireless Client List page.

Active/Inactive Access Points

For each access point, the list shows you:

ID

Access point ID

Label

Label of the AP, which allows it to be identified easily in the network.

Status

Status of the access point (active/inactive). Active APs are connected, configured, and running. Inactive APs have been configured in the past but are currently not connected to Sophos XG Firewall. If an AP remains in this state for more than five minutes, please check the network connectivity of the AP and the configuration of your system.

Channel

Channel the AP transmits on.

Group

Access point group the AP is assigned to.

Country

Country where the AP is located.

MAC

MAC address of the AP.

IP/Last Seen

IP address of an active AP or the last seen IP address of an inactive AP.

Type

Type of the AP.


Figure 165: Active/Inactive Access Points

Pending Access Points

Here, APs are listed that are connected to the system but not yet authorized. After receiving its configuration, the authorized access point will immediately be displayed in the above section. For each access point, the list shows:

ID

ID of the access point.

Label

Label of the AP, which allows it to be identified easily in the network.

Channel

Channel the AP transmits on.

Group

Access point group the AP is assigned to.


MAC

MAC address of the AP.

Figure 166: Pending Access Points

Rules for Assigning Networks to APs

An access point can only be assigned to a wireless network if the client traffic option of the wireless network and the VLAN tagging option of the access point fit together. The following rules apply:

• Wireless network with client traffic Separate Zone: VLAN tagging of the access point can be enabled or disabled.

• Wireless network with client traffic Bridge to AP LAN: VLAN tagging of the access point has to be disabled.

• Wireless network with client traffic Bridge to VLAN: VLAN tagging of the access point has to be enabled.

The respective wireless clients will use the Bridge to VLAN ID specified for the wireless network, or they will receive their VLAN ID from the RADIUS server, if specified.

Note: An AP 5 can only be assigned to one single wireless network with the Client traffic option Bridge to AP LAN.
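The Add a New Wireless Network fields (SSID length, passphrase and WEP key format, client traffic options, MAC filtering) and the assignment rules above are all constraints an administrator can check before saving. The Python below is an added illustration, not the firewall's code: it validates a constructed network definition against the limits the page states, applies the three client-traffic/VLAN-tagging rules and the AP VLAN ID range, and evaluates the Blacklist/Whitelist MAC filter. The enterprise security mode names and the dictionary keys are assumptions.

```python
"""Configuration checks derived from the Add Wireless Network fields and the
Rules for Assigning Networks to APs. The network/AP dictionaries and their
key names are constructed for illustration; they are not the firewall's own
objects, and the enterprise mode names are assumed."""
import re

PERSONAL_MODES = {"WPA Personal", "WPA2 Personal", "WPA2/WPA Personal"}
ENTERPRISE_MODES = {"WPA Enterprise", "WPA2 Enterprise", "WPA2/WPA Enterprise"}  # assumed
SECURITY_MODES = PERSONAL_MODES | ENTERPRISE_MODES | {"WEP Open"}
CLIENT_TRAFFIC = {"Separate Zone", "Bridge to AP LAN", "Bridge to VLAN"}
WEP_KEY = re.compile(r"^[0-9A-Fa-f]{26}$")      # exactly 26 hexadecimal characters


def is_printable_ascii(text: str) -> bool:
    """ASCII printable means code points 0x20 (space) through 0x7E (~)."""
    return all(0x20 <= ord(c) <= 0x7E for c in text)


def wireless_network_problems(net: dict) -> list:
    """Return the constraints a network definition violates (empty == acceptable)."""
    problems = []
    ssid = net.get("ssid", "")
    if not (1 <= len(ssid) <= 32 and is_printable_ascii(ssid)):
        problems.append("SSID must be 1-32 ASCII printable characters")
    mode = net.get("security_mode", "WPA2 Personal")          # page default
    if mode not in SECURITY_MODES:
        problems.append("unknown security mode %r" % mode)
    if mode in PERSONAL_MODES:
        psk = net.get("passphrase", "")
        if not (8 <= len(psk) <= 63 and is_printable_ascii(psk)):
            problems.append("Passphrase/PSK must be 8-63 ASCII printable characters")
    if mode == "WEP Open":
        if not WEP_KEY.match(net.get("wep_key", "")):
            problems.append("WEP key must be exactly 26 hexadecimal characters")
        problems.append("warning: WEP is only advised for clients that support nothing else")
    traffic = net.get("client_traffic", "Separate Zone")       # page default
    if traffic not in CLIENT_TRAFFIC:
        problems.append("unknown client traffic option %r" % traffic)
    if traffic == "Separate Zone":
        for key in ("zone", "ip_address", "netmask"):        # fields shown for Separate Zone
            if not net.get(key):
                problems.append("Separate Zone network needs %s" % key)
    if traffic == "Bridge to VLAN" and not net.get("bridge_vlan_id"):
        problems.append("Bridge to VLAN network needs a Bridge to VLAN ID")
    if net.get("client_vlan_id") == "RADIUS & Static" and mode not in ENTERPRISE_MODES:
        problems.append("RADIUS & Static VLAN assignment requires an enterprise security mode")
    return problems


def ap_assignment_problems(net: dict, ap: dict) -> list:
    """Apply the 'Rules for Assigning Networks to APs' and the AP VLAN ID range."""
    problems = []
    traffic = net.get("client_traffic", "Separate Zone")
    tagging = bool(ap.get("vlan_tagging", False))             # page default: Disabled
    if traffic == "Bridge to AP LAN" and tagging:
        problems.append("Bridge to AP LAN requires VLAN tagging disabled on the AP")
    if traffic == "Bridge to VLAN" and not tagging:
        problems.append("Bridge to VLAN requires VLAN tagging enabled on the AP")
    if tagging:
        vid = ap.get("ap_vlan_id")
        if not (isinstance(vid, int) and 2 <= vid <= 4094):
            problems.append("AP VLAN ID must be between 2 and 4094")
    if ap.get("type") == "AP 5":
        # Reading of the page's note: an AP 5 carries a single network, and that
        # network must use client traffic Bridge to AP LAN.
        if traffic != "Bridge to AP LAN" or ap.get("assigned_networks", 0) >= 1:
            problems.append("AP 5 supports only one wireless network, with Bridge to AP LAN")
    return problems


def mac_allowed(mode: str, mac_list, mac: str) -> bool:
    """MAC Filtering: Blacklist allows all but the listed addresses, Whitelist
    prohibits all but the listed addresses; any other mode means no filtering."""
    listed = {m.lower() for m in mac_list}
    if mode == "Blacklist":
        return mac.lower() not in listed
    if mode == "Whitelist":
        return mac.lower() in listed
    return True


if __name__ == "__main__":
    guest = {"ssid": "Guest-WiFi", "security_mode": "WPA2 Personal",
             "passphrase": "correct horse battery", "client_traffic": "Separate Zone",
             "zone": "WiFi", "ip_address": "10.10.10.1", "netmask": "255.255.255.0"}
    print(wireless_network_problems(guest))
    print(ap_assignment_problems(guest, {"vlan_tagging": True, "ap_vlan_id": 10}))
```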

Edit Access Point

This page describes how to edit an access point.

1. Go to Protect > Wireless > Access Points and click Edit icon under the Manage column.

2. Specify the Access Point details.

ID

Displays the ID for the access point.

Label

Specify a label for easier identification of the AP in your network.

Country

Select the country where the AP is located.

Group

Select to organize APs in groups. If a group has been created before, you can select it from the dropdown list.

Figure 167: Edit Access Point

3. Specify the Wireless Networks details.

Wireless Networks

Select the wireless networks that should be broadcasted by the AP.

Note: You can add a wireless network only if the AP is not a member of any AP Group.


Figure 168: Edit Access Point

4. Specify the Mesh Network details.

Mesh Networks (only available for AP50)

Select the mesh networks that should be broadcasted by the AP.

You can also add APs that should broadcast mesh networks from this page by clicking Create New.

Note: This option will only be displayed if a mesh network is configured.

5. Specify the Advanced Settings details.

Channel 2.4 GHz

Select a channel for your wireless network.

Default: Auto

Note: Selecting "Auto" will automatically select the least used channel for transmission.

Dyn Chan

Enable to scan for the optimal channel at regular intervals. This may result in re-connection of all connected clients.

Time-based scan (available if Dyn Chan is enabled)

Enable to set a time at which the scan should take place.

Select Scan-Time (available if Time-based scan is enabled)

Click Add New Item and select a scanning time schedule.

TX Power

Select the transmission power for the AP.

Default: 100%

Channel 5 GHz

Select a channel for your wireless network.

Default: Auto

Note: Selecting "Auto" will automatically select the least used channel for transmission.

Dyn Chan

Enable to scan for the optimal channel at regular intervals. This may result in re-connection of all connected clients.

Time-based scan (available if Dyn Chan is enabled)

Enable to set a time at which the scan should take place.

Select Scan-Time (available if Time-based scan is enabled)

Click Add New Item and select a scanning time schedule.

TX Power 5GHz

Select the transmission power for the AP.

Default: 100%

STP

Select Enabled to use the Spanning Tree Protocol (STP). STP prevents bridge loops.

Default: Disabled

VLAN Tagging

Select to connect the AP with an existing VLAN Ethernet interface.

Default: Disabled

AP VLAN ID (available if VLAN Tagging is enabled)

Specify the VLAN ID that will be used by the AP to connect to the device.

The VLAN ID can be any number between 2 and 4094.


Figure 169: Edit Access Point

6. Click Save.

Access Point Groups

The Access Point Groups page allows you to organize access points in groups.

Protect > Wireless > Access Point Groups

This page provides an overview of all access point groups and Local Wi-Fi Devices. You can add, edit or delete a group. For each group, the list shows:

Name

Name of the access point group.

Status

Status of the access point group (active/inactive). Use the toggle switch to enable/disable the access point group.

Wireless Networks

Wireless networks the access point group is assigned to.

Access Points

List of all the access points in this group.

Figure 170: Access Point Groups

Add Access Point Group

This page describes how to add an access point group.

1. Go to Protect > Wireless > Access Point Groups and click Add.

2. Specify the access point group details.

Name

Enter a descriptive name for the new access point group.

Wireless Networks

Search for wireless networks and select the wireless networks that should be broadcasted by the access points of this group.

Note: For an access point to broadcast a wireless network some conditions have to be fulfilled. They are explained in the chapter Access Points in the section Rules for Assigning Networks to APs.

VLAN Tagging

Select Enable if you want to activate VLAN tagging.

Note: Make sure that the VLAN interface is assigned to the zone which is selected in the Allowed Zone list on the System > System Services > Wireless page.

Access Points

Search for access points and select the ones you want to add to this group.

Note: Local Wi-Fi Devices cannot be grouped and do not appear in the Access Point list. Local Wi-Fi Devices appear in the Access Point Groups list.


Figure 171: Add Access Point Group

3. Click Save.

Mesh Networks

The Mesh Networks menu allows you to create mesh networks and associate APs.


Protect > Wireless > Mesh Networks

In a mesh network, multiple access points communicate with each other and broadcast a common wireless network.

On the one hand, access points connected via a mesh network can broadcast the same wireless network to clients, thus working as a single access point, while covering a wider area. On the other hand, a mesh network can be used to bridge Ethernet networks without laying cables. Access points associated with a mesh network can play one of two roles: root access point or mesh access point. Both broadcast the mesh network, thus the number of other wireless networks they can broadcast is reduced by one.

Root access point

This has a wired connection to Sophos XG Firewall and provides a mesh network. An access point can be root access point for multiple mesh networks.

Mesh access point

This needs a mesh network to connect to Sophos XG Firewall via a root access point. An access point can be mesh access point for only one mesh network at a time.

A mesh network can be used to implement a wireless bridge or a wireless repeater:

Wireless bridge

Using two access points, you can establish a wireless connection between two Ethernet segments. A wireless bridge is useful when you cannot lay a cable to connect those Ethernet segments. While the first Ethernet segment with your Sophos XG Firewall is connected to the Ethernet interface of the root access point, the second Ethernet segment has to be connected to the Ethernet interface of the mesh access point.

Using multiple mesh access points, you can connect more Ethernet segments.

Wireless repeater

Your Ethernet network with your Sophos XG Firewall is connected to the Ethernet interface of a root access point. The root access point has a wireless connection via the mesh network to a mesh access point, which broadcasts wireless networks to wireless clients.

This page displays a list of all the available mesh networks. You can add, edit or delete a mesh network. For each network the list shows:

Mesh-ID

Identifier of the mesh network.

Status

Indicates the current status of the mesh network.

Frequency Band

Frequency band on which the associated access points broadcast the mesh network.

Related tasks

Add Mesh Network (on page 167): This page describes how to create mesh networks and assign access points to them.

Add Mesh Network

This page describes how to create mesh networks and assign access points to them.

1. Go to Protect > Wireless > Mesh Networks and click Add.

2. Specify the General Settings details.

Mesh ID

Enter a unique ID for the mesh network.

Frequency Band

Select a frequency band from the available options:

• 5 GHz

• 2.4 GHz

Access points assigned to this network will transmit the mesh network on the selected frequency band. Generally, it is a good idea to use a different frequency band for the mesh network than for the broadcasted wireless networks.

Description

Enter a description or other information to identify the mesh network.

Access Point

Select one or more mesh access points.

a) Click the + icon to select access points that broadcast the mesh network.

b) Specify the Mesh Network Role details.

Access Points

Select an access point.

Note: Except for AP5 and AP10, all the APs can be used for broadcasting mesh networks.

Role

Define the access point's role for the selected mesh network. A root access point is directly connected to Sophos XG Firewall. A mesh access point, after having received its initial configuration, once unplugged from the Sophos XG Firewall will connect to a root access point via the mesh network.

Note: An access point can be mesh access point only for one mesh network.


Figure 172: Add Mesh Network

c) Click Save.


The dialog window is closed and the access point is added to the Access Points list.

3. Click Save.

Note: It is crucial for the initial configuration to plug the mesh access point, like every other access point, into one of the Ethernet segments selected in the Allowed Zone box on the Protect > Wireless > Wireless page.

Hotspots

The Hotspots menu allows you to enable the Hotspots feature and define users who are allowed to view and distribute hotspot access information.

Protect > Wireless > Hotspots

By means of hotspots, cafés, hotels, companies, etc. can provide time- and traffic-restricted Internet access to guests.

The hotspot feature is available within the Wireless Protection subscription, but also works with wired networks.

Note: You can also view and manage the hotspot status on the Monitor & Analyze > Diagnostics > Services page.

Hotspot Generation

In the first step, the administrator creates and enables a hotspot with a specific type of access. The following types are available:

Terms of use acceptance: The guest is presented with terms of use, which you can define, and has to select a checkbox to get access.

Password of the day: The guest has to enter a password to get access. The password changes on a daily basis.

Voucher: The guest gets a voucher and has to enter the voucher code to get access. The voucher can be limited in the number of devices, in time, and traffic.

Distribution of Access Information to Guests

With the access types Password of the day and Voucher, the access information has to be handed out to the guests.

Therefore you can define users who are allowed to manage and distribute access information. Those users receive and distribute the access information via the Hotspot tab of the User Portal:

Password of the day: The current password can be sent via email, and the users find the password in the User Portal. The users forward the password to the guests. They can generate or enter a new password. The former password automatically becomes invalid and active sessions will be terminated. Other potential users will be informed of the new password, either by email or via the User Portal, depending on what is configured for them.

Voucher: In the User Portal, users can create vouchers, each with a unique code. Different types of vouchers can be available if specified by the administrator. The vouchers can be printed or exported and given to the guests. A list of created vouchers gives an overview of their usage and helps to manage them.

Legal Information

In many countries, operating a public wireless LAN is subject to specific national laws restricting access to websites with legally questionable content (e.g., file sharing sites, extremist websites, etc.). To meet this requirement, you can combine the hotspot with the web protection capabilities of Sophos XG Firewall, which let you control web access by blocking or allowing anything from a single URL to an entire website category. Sophos XG Firewall puts you in control of who accesses what and when, so you can restrict hotspot usage as national or corporate policies require. In addition, Sophos XG Firewall provides advanced logging and reporting capabilities. Reporting tracks who visited which site, when, and how many times, allowing you to identify inappropriate usage in case you want to operate a hotspot without any access restrictions. This is even more important if legal regulations require you to register your hotspot with the national regulatory body.

For each hotspot, the list shows:

Name


Displays the name of the hotspot.

Hotspot Type

Displays the type of the hotspot.

Note: If you have configured direct proxy settings within your web browser and are using a Hotspot, you need to add the device's IP address to the proxy exception list.

Related concepts

Hotspot Voucher Definition (on page 177): Hotspot voucher definitions specify network access. You can use voucher definitions to limit the validity period, time quota, and data volume for users who have access to voucher-type hotspots.

Related tasks

Add Hotspot (on page 169): This page describes how to add a hotspot.

Add Hotspot

This page describes how to add a hotspot.

Note: A hotspot has to be assigned to an existing interface, typically a WLAN interface. All hosts using this interface will automatically be restricted by the hotspot. Therefore, before you create a hotspot you would typically create a wireless network with client traffic Separate Zone, then create an interface for the respective WLAN interface hardware.

1. Go to Protect > Wireless > Hotspots and click Add.

2. Specify the following:

Name

Enter a unique name for the hotspot.

Description

Enter a description or other information to identify the Hotspot.

Interfaces

Select or add the interfaces which are to be restricted by the hotspot. An interface can only be used by one hotspot.

Note: Hotspots will work only on LAN and DMZ member interfaces of the bridge.

You should not select an uplink interface here because traffic to the Internet will be completely blocked afterwards. Additionally, we strongly advise not to use interfaces applied by servers which provide essential services like authentication. You may irreversibly lock yourself out of Sophos XG Firewall.

Application Filter Policy

Select or add an application filter policy for the hotspot.

Web Policy

Select or add a web policy for the hotspot.

IPS Policy

Select or add IPS policy for the hotspot.

Traffic Shaping Policy

Select or add a traffic shaping policy for the hotspot.

Redirect to HTTPS

Enable this option to redirect users to HTTPS.

Hostname Type (available only if Redirect to HTTPS is enabled)

Select the hostname type for the hotspot.

Available Options:

• None (IP Address)

• Custom hostname

Hostname (available only if Custom hostname is selected)

Add a hostname for the redirection.

Hotspot Type

Select a hotspot type for the selected interfaces.

Terms of Use Acceptance - Customers can access the Internet after accepting the terms of use.

Session Expires

Select the time span after which the access will be denied. After that, with the hotspot type Terms of Use Acceptance, the users have to accept the terms of use again to log in.

Terms of Use

Add the text to be displayed as terms of use. Simple HTML markup and hyperlinks are allowed.

Password of the Day - A new password will be created automatically once a day. This password will be available in the User Portal on the Hotspots tab which is available to all users specified for this hotspot. Additionally it will be sent to the specified email address(es).

Password Creation Time

Select the time of the day at which the new password will be created. At this time the former password will immediately become invalid and current sessions will be terminated.

Send Password by email to

Add email addresses to which the password will be sent.

Synchronize password with PSK of wireless networks

Select this option to synchronize the newly generated or saved password with the wireless PSK.

Note: With the new PSK all APs that are configured with a separate zone wireless network that is also used as a hotspot interface will be reconfigured and restarted. This means all connections will be dropped.

Administrative Users

Select or add users for administrative settings. Administrative users are allowed to create vouchers or change the password of the day in the User Portal. By default nobody is allowed to enter administrative settings.

Voucher - With this hotspot type, tokens with different limitations and properties can be generated in the User Portal, printed and given to customers. After entering the code, the customers can then access the Internet directly.

Voucher Definitions

Add or select the voucher definitions you want to use for the hotspot. How to add a voucher definition is explained on the Add Hotspot Voucher page.

Devices per voucher

Enter the number of devices which are allowed to log in with one voucher during its lifetime. It is not recommended to use the "unlimited" option.

Administrative Users

Select or add users for administrative settings. Administrative users are allowed to create vouchers or change the password of the day in the User Portal. By default nobody is allowed to enter administrative settings.

Users Have to Accept Terms of Use (not available with hotspot type Terms of Use Acceptance)

Enable this option if you want the hotspot users to accept your terms of use before accessing the Internet.

Terms of Use

Add the text to be displayed as terms of use. Simple HTML markup and hyperlinks are allowed.


Redirect to URL after login

Enable this so that users will be redirected automatically to a particular URL after entering password or voucher data. The URL could, for example, be your hotel's website or a webpage stating your portal system policies.

URL

Enter the URL to which the user will be redirected.


3. Specify the Hotspot Customization details.

Enable Customization

Enable to use a customized HTML file with your own images and stylesheets. Additionally, you can customize the voucher layout.

Customization Type

Select the customization type.

Basic Uses the default login page template. If required, change logo, title, and text.

Logo

Upload a logo for the login page. Supported image file types are jpg, jpeg, png and gif. A maximum image width of 300 px and height of 100 px is recommended (depending on the title length).

Scale logo to recommended size

If selected, a logo exceeding the recommended width or height will be scaled down and displayed in the recommended size. If it is not selected, the logo will be displayed in the original size.

Title

Add a title for the login page. Simple HTML markup and hyperlinks are allowed.

Custom Text

Add additional text for the login page. You can, for example, enter the SSID of the wireless network to be used. Simple HTML markup and hyperlinks are allowed.

Full Select an individual login HTML page.

Login Page Template

Select the HTML template you want to use for your individual login page. Browse to select and upload the file. In this template, you can use variables that can insert information for each hotspot dynamically. For example, you can add the company name and administrator information, the terms of use and the login form. See detailed information in the chapter Login Page Template.

Images/Stylesheet

Add files that are referenced in your login page template, e.g., images, stylesheets, or JavaScript files. Browse to select and upload the files.

Voucher Template (only available for the hotspot type Voucher)

Browse to select and upload a PDF file with the voucher layout. If you do not upload a file, the default template is used. The voucher PDF file must be PDF version 1.5 or lower. It may have any page size and format; both size and format will be adjusted during voucher creation in the User Portal, depending on the page size and number of vouchers per page specified there.

The PDF file may contain the following variables that will be replaced with the respective values during voucher generation in the User Portal:

• Wireless network name (SSID): <?ssid0?> (and <?ssid1?>, <?ssid2?> and so on, if the WLAN has more than one SSID)

• Wireless network password: <?psk0?> (and <?psk1?>, <?psk2?> and so on, if the WLAN has more than one SSID)

• Voucher code: <?code?>

• Voucher validity time: <?validity?>

• Voucher data limit: <?datalimit?>

• Voucher time limit: <?timelimit?>

• Comment: <?comment?>

• QR code with the hotspot access data encoded: <?qrX?>. The upper left corner of the QR code will be placed on the lower left corner of the variable.

Note: When using variables, the PDF file must include the entire character sets of the fonts used. When a variable is replaced by its value and one of the substitute characters is not available, it will be displayed incorrectly. We recommend adding the string <?abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789?> (for English usage) to your PDF file; it will be removed automatically during voucher generation. If you use another language, you can include any other character set you need. Additionally, we recommend putting each variable on a separate line, as the layout could get corrupted if the substituted text is too long.


Figure 173: Hotspot Customization

4. Click Save.

You can see if the hotspot is running on the Configure > System Services > Services page. There you can also stop or start the hotspot.

Related concepts

Services

on page 469

Services page allows you to view and manage the status of configured services.

Login Page Template

on page 174

This page gives an overview of possible variables of the hotspot login template.

Related tasks

Add Hotspot Voucher Definition

on page 177

Create a voucher definition.

Login Page Template

This page gives an overview of possible variables of the hotspot login template.

The HTML template for the login page may contain various variables that can insert information for the hotspot login page dynamically. When the device processes a template in order to display a login page, it replaces any template variables with the relevant value.

General variables

• <?company_text?>: Default company text

• <?company_logo?>: Default company logo (Sophos logo). The variable will be replaced by the path of the logo file, usage e.g., <img src="<?company_logo?>">

• <?admin_contact?>: Administrator name or address as defined on System > Administration > Notification Settings (Send Notifications to Email Address field)

• <?admin_message?>: Administrator information label (default: For administrative questions please contact:)

• <?error?>: Error message that arose while trying to log in.

Variables used for all hotspot types

• <?terms?>: Terms of use (as defined on the Add Hotspot page)

• <?redirect_host?>: Redirect URL that is specified for the hotspot (as defined on the Add Hotspot page)

• <?location?>: URL the user requested

• <?location_host?>: Hostname of the URL the user requested

• <?login_form?>: Login form suitable for the respective hotspot type: Password text box, Token text box, Username and Password text boxes, or Accept checkbox, and Login button.

Note: For creating customized login forms, see section User-Specific Login Form below.

• <?asset_path?> (only important for customization mode Full): Hotspot specific directory for storage of images or stylesheets (example usage: <img src="<?asset_path?>/logo.png">)

Variables only used for hotspot type Voucher

• <?maclimit?>: Number of allowed devices per voucher of this hotspot (as defined on the Add Hotspot page)

• <?numdevices?>: Number of devices used for this voucher

• <?timeend?>: Validity period (as defined on the Add Hotspot Voucher page)

• <?time_total?>: Total time quota allowed (as defined on the Add Hotspot Voucher page)

• <?traffic_total?>: Total data volume allowed (as defined on the Add Hotspot Voucher page)

Templates can contain if variables that make up sections like the ones shown below. Each section has an opening and a closing variable. The contents of an if section are only displayed on a specific condition.

<?if_loggedin?> ... <?if_loggedin_end?>

Section is displayed when the user has successfully logged in.

<?if_notloggedin?> ... <?if_notloggedin_end?>

Section is displayed when the user has not yet logged in, e.g., because terms of use have to be accepted or because an error occurred.

<?if_authtype_password?> ... <?if_authtype_password_end?>

Section is displayed when hotspot type is Password of the Day.

<?if_authtype_disclaimer?> ... <?if_authtype_disclaimer_end?>

Section is displayed when hotspot type is Terms of Use Acceptance.

<?if_authtype_token?> ... <?if_authtype_token_end?>

Section is displayed when hotspot type is Voucher.

<?if_location?> ... <?if_location_end?>

Section is displayed when the user has been redirected.

<?if_redirect_url?> ... <?if_redirect_url_end?>

Section is displayed when the checkbox Redirect to URL after login is enabled.

<?if_not_redirect_url?> ... <?if_not_redirect_url_end?>

Section is displayed when the checkbox Redirect to URL after login is disabled.

<?if_timelimit?> ... <?if_timelimit_end?>

Section is displayed when a validity period is set for a voucher.

<?if_trafficlimit?> ... <?if_trafficlimit_end?>

Section is displayed when a data volume is set for a voucher.

<?if_timequota?> ... <?if_timequota_end?>

Section is displayed when a time quota is set for a voucher.

<?if_maclimit?> ... <?if_maclimit_end?>

Section is displayed when a Devices per voucher value is specified.

<?if_terms?> ... <?if_terms_end?>

Section is displayed when Terms of Use are defined and enabled.

<?if_error?> ... <?if_error_end?>

Section is displayed when an error occurred while trying to log in.

User-Specific Login Form

If you want to create your own login form instead of using the pre-defined <?login_form?> variable, consider the following:

• Enclose the form in the following tags:

<form action="?action=login" method="POST"> ... </form>

• For a Terms of Use Acceptance hotspot, add a checkbox named "accept":


<input type="checkbox" name="accept">

• For Password of the Day or Voucher hotspots, add a text box named "token":

<input type="text" name="token">

• Add a means to submit the form, e.g., a "Login" button:

<input type="submit" name="login" value="Login">
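The following is an added example, not code from the guide or from Sophos: a small renderer for the <?variable?> and <?if_X?> ... <?if_X_end?> syntax described above, applied to a constructed login page template for a Voucher hotspot. It also builds the form that the <?login_form?> variable stands for, following the User-Specific Login Form rules. The template text, variable values, hotspot type names ("disclaimer", "password", "token") and the assumption that unknown variables render as empty strings are all this example's own; the firewall's internal renderer is not documented on this page and may differ.

```python
import re

# Constructed values for one Voucher hotspot, keyed by the template variable
# names listed on this page; none of them come from a real firewall.
SAMPLE_VARS = {
    "company_text": "Example Hotel Guest Wi-Fi",
    "admin_message": "For administrative questions please contact:",
    "admin_contact": "admin@example.com",
    "terms": "<p>No file sharing, no illegal content.</p>",
    "location": "http://news.example.org/",
    "location_host": "news.example.org",
    "maclimit": "2",
}

# Which if-sections are active for this hotspot and request. notloggedin and
# error are derived in render() from loggedin and the error text.
SAMPLE_FLAGS = {"authtype_token": True, "location": True, "terms": True, "maclimit": True}

# Constructed login page template using the variables and if-sections above.
SAMPLE_TEMPLATE = """<html><body>
<h1><?company_text?></h1>
<?if_notloggedin?>
<?if_authtype_token?><p>Enter your voucher code.</p><?if_authtype_token_end?>
<?if_terms?><div class="terms"><?terms?></div><?if_terms_end?>
<?if_maclimit?><p>Up to <?maclimit?> devices per voucher.</p><?if_maclimit_end?>
<?if_error?><p class="error"><?error?></p><?if_error_end?>
<?login_form?>
<?if_notloggedin_end?>
<?if_loggedin?>
<?if_location?><p>Continue to <a href="<?location?>"><?location_host?></a></p><?if_location_end?>
<?if_loggedin_end?>
<p><?admin_message?> <?admin_contact?></p>
</body></html>"""

SECTION_RE = re.compile(r"<\?if_(\w+?)\?>(.*?)<\?if_\1_end\?>", re.DOTALL)
VAR_RE = re.compile(r"<\?(\w+)\?>")


def login_form(hotspot_type):
    """Build the form that <?login_form?> stands for, following the rules under
    User-Specific Login Form: POST to ?action=login, an "accept" checkbox for
    Terms of Use Acceptance ("disclaimer"), a "token" text box for Password of
    the Day ("password") and Voucher ("token"), and a submit button named "login"."""
    if hotspot_type == "disclaimer":
        field = '<input type="checkbox" name="accept"> I accept the terms of use'
    elif hotspot_type in ("password", "token"):
        field = '<input type="text" name="token">'
    else:
        raise ValueError("unknown hotspot type: " + hotspot_type)
    return ('<form action="?action=login" method="POST">' + field
            + '<input type="submit" name="login" value="Login"></form>')


def render(template, variables, flags):
    """Keep or drop each <?if_X?>...<?if_X_end?> section according to flags[X],
    then replace every <?name?> with variables[name] (unknown names become empty).
    Sections are processed repeatedly so that sections nested inside a kept
    section are evaluated too."""
    flags = dict(flags)
    flags.setdefault("notloggedin", not flags.get("loggedin", False))
    flags.setdefault("error", bool(variables.get("error")))

    def section(match):
        return match.group(2) if flags.get(match.group(1), False) else ""

    out = template
    while SECTION_RE.search(out):
        out = SECTION_RE.sub(section, out)
    return VAR_RE.sub(lambda m: variables.get(m.group(1), ""), out)


def render_login_page(logged_in=False, error=""):
    """Render the sample template for a Voucher hotspot, before or after login."""
    variables = dict(SAMPLE_VARS, error=error, login_form=login_form("token"))
    flags = dict(SAMPLE_FLAGS, loggedin=logged_in)
    return render(SAMPLE_TEMPLATE, variables, flags)


if __name__ == "__main__":
    print(render_login_page())
```

Running the block prints the page a voucher user sees before login: the voucher prompt, the terms, the device limit and the token form, while the redirect link inside <?if_loggedin?> is absent. Calling render_login_page(logged_in=True) drops the form and shows the link to the originally requested host instead.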

Hotspot Voucher Definition

Hotspot voucher definitions specify network access. You can use voucher definitions to limit the validity period, time quota, and data volume for users who have access to voucher-type hotspots.

Related concepts

Hotspot Settings

on page 181

The Hotspot Settings page allows you to make additional hotspot settings.

Related tasks

Add Hotspot Voucher Definition

on page 177

Create a voucher definition.

Add Hotspot Voucher Definition

Create a voucher definition.

1. Go to Protect > Wireless > Hotspot Voucher Definition and click Add.

2. Specify the voucher definition details.

Name

Specify a descriptive name for the voucher definition.

Description

Specify a description or other information.

Validity period

Specify the time for which vouchers of this type will be valid. The validity period starts from the first login.

Acceptable range: 1 minute to 730 days

Time quota

Specify the maximum connectivity time for vouchers of this type. The time quota starts at login and stops at logout. Counting stops after 5 minutes of inactivity.

Acceptable range: 1 minute to 500 hours

Data volume

Specify the maximum volume of data to be transmitted for vouchers of this type.

Acceptable range: 1 MB to 100 GB


Figure 174: Add Hotspot Voucher

3. Click Save.

Rogue AP Scan

This section is applicable to Wi-Fi models only.

A Rogue Access Point (AP) is any Wi-Fi access point connected to your network without authorization. It can be set up by an attacker for the purpose of sniffing wireless network traffic and can be used to conduct a man-in-the-middle attack. It allows anyone with a Wi-Fi-equipped device to connect to your corporate network, leaving your IT assets wide open to the casual snooper or criminal hacker.

The device can mitigate this by recognizing rogue access points that may be attempting to gain access to your network.

General Settings

Click Schedule system-triggered scan to enable a scheduled scan to discover authorized APs and rogue APs. You can select from the pre-defined schedules or create a custom schedule from System > Profiles > Schedule.

Figure 175: General Settings

Discover Access Points

To increase the security capabilities and identify unauthorized APs, Sophos wireless devices provide a scanning capability by which nearby APs can be discovered, so that an administrator can take countermeasures against the most common types of illicit wireless activity.

To scan for nearby APs immediately, click Scan Now.

All access points discovered are regarded as unrecognized until they are identified as authorized or rogue. To authorize an access point, click the icon against it in the Unrecognized AP table. To mark an access point as rogue, click the icon against it in the Unrecognized AP table.

If you are scanning for the first time after enabling Wireless LAN, all the discovered APs will be listed in the Unrecognized Access Points table. The scanning result is displayed in the form of 3 tables:

Unrecognized Access Points table

The table lists all the nearby APs discovered and displays the following information:

Channel

The radio channel used by the access point.

BSSID

The MAC Address of the radio interface of the detected access point.

SSID

The radio SSID of the access point.

Signal Strength

The strength of the detected radio signal

Security Mode

Mode for encrypting the wireless traffic

Wireless Mode

Wireless protocol

Action

Click the icon to mark the AP as an authorized AP and move it to the Authorized AP table. Click the icon to mark the AP as a rogue AP and move it to the Rogue AP table.

Figure 176: Unrecognized Access Points

Rogue Access Points table

The table lists all the APs marked as “Rogue” and displays the following information:

Channel

The radio channel used by the access point.

BSSID

The MAC Address of the radio interface of the detected access point.

SSID

The radio SSID of the access point.

Signal Strength

The strength of the detected radio signal

Security Mode

Mode for encrypting the wireless traffic

Wireless Mode

Wireless protocol

Action

Click the icon to mark the AP as an authorized AP and move it to the Authorized AP table. Click the icon to mark the AP as an unrecognized AP and move it to the Unrecognized AP table.


Figure 177: Rogue Access Points

Authorized Access Points table

The table lists all the APs marked as “Authorized” and displays the following information:

Channel

The radio channel used by the access point.

BSSID

The MAC Address of the radio interface of the detected access point.

SSID

The radio SSID of the access point.

Signal Strength

The strength of the detected radio signal

Security Mode

Mode for encrypting the wireless traffic

Wireless Mode

Wireless protocol

Action

Click the icon to mark the AP as an unrecognized AP and move it to the Unrecognized AP table.

Click the icon to mark the AP as a rogue AP and move it to the Rogue AP table.


Figure 178: Authorized Access Points
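The following is an added example, not code from the guide or from Sophos, that reproduces the three-table workflow above on constructed scan results: each detected AP lands in the Authorized, Rogue or Unrecognized table depending on earlier administrator decisions, and the mark_* methods stand in for the icons that move an AP between tables. Going beyond the page, classify() also flags an unrecognized AP that advertises the same SSID as an authorized one, because an unknown BSSID broadcasting a trusted SSID is the usual setup for the man-in-the-middle attack the section describes. The BSSIDs, SSIDs, signal values and the APRegistry class are all invented for this example.

```python
from collections import namedtuple

# One row of a scan result, with the columns the three tables on this page show.
ScanResult = namedtuple("ScanResult", "channel bssid ssid signal security mode")

# Constructed scan output; the BSSIDs and SSIDs are invented for this example.
SAMPLE_SCAN = [
    ScanResult(6, "00:1a:2b:3c:4d:01", "CorpWiFi", -42, "WPA2-Enterprise", "802.11n"),
    ScanResult(11, "00:1a:2b:3c:4d:02", "CorpWiFi", -55, "WPA2-Enterprise", "802.11n"),
    ScanResult(6, "de:ad:be:ef:00:01", "CorpWiFi", -38, "Open", "802.11n"),
    ScanResult(1, "aa:bb:cc:dd:ee:ff", "Guest-Cafe", -70, "WPA2-PSK", "802.11g"),
    ScanResult(36, "00:1a:2b:3c:4d:03", "CorpWiFi-5G", -48, "WPA2-Enterprise", "802.11ac"),
]


class APRegistry:
    """Administrator decisions that persist between scans: BSSID -> SSID for
    authorized APs and the set of BSSIDs marked rogue. The mark_* methods mirror
    the icons that move an AP between the three tables."""

    def __init__(self):
        self.authorized = {}
        self.rogue = set()

    def mark_authorized(self, bssid, ssid):
        self.rogue.discard(bssid)
        self.authorized[bssid] = ssid

    def mark_rogue(self, bssid):
        self.authorized.pop(bssid, None)
        self.rogue.add(bssid)

    def mark_unrecognized(self, bssid):
        self.authorized.pop(bssid, None)
        self.rogue.discard(bssid)

    def classify(self, scan):
        """Sort scan rows into the authorized, rogue and unrecognized tables.
        Added beyond the page: an unrecognized AP that advertises an SSID already
        used by an authorized AP is flagged, since a same-SSID AP on an unknown
        BSSID is the classic evil-twin setup for the man-in-the-middle attack the
        page describes. Returns (tables, flags)."""
        tables = {"authorized": [], "rogue": [], "unrecognized": []}
        flags = {}
        known_ssids = set(self.authorized.values())
        for ap in scan:
            if ap.bssid in self.authorized:
                tables["authorized"].append(ap)
            elif ap.bssid in self.rogue:
                tables["rogue"].append(ap)
            else:
                tables["unrecognized"].append(ap)
                if ap.ssid in known_ssids:
                    flags[ap.bssid] = "advertises authorized SSID %s (security %s, %d dBm)" % (
                        ap.ssid, ap.security, ap.signal)
        return tables, flags


def demo():
    """First scan, administrator review, second scan. Returns all four results."""
    reg = APRegistry()
    reg.mark_authorized("00:1a:2b:3c:4d:01", "CorpWiFi")
    reg.mark_authorized("00:1a:2b:3c:4d:03", "CorpWiFi-5G")
    reg.mark_rogue("aa:bb:cc:dd:ee:ff")
    first, flagged = reg.classify(SAMPLE_SCAN)
    # Review of the flagged rows: :02 is the second corporate AP and gets
    # authorized; the open "CorpWiFi" with the strongest signal is marked rogue.
    reg.mark_authorized("00:1a:2b:3c:4d:02", "CorpWiFi")
    reg.mark_rogue("de:ad:be:ef:00:01")
    second, remaining = reg.classify(SAMPLE_SCAN)
    return first, flagged, second, remaining


if __name__ == "__main__":
    first, flagged, second, remaining = demo()
    for bssid, reason in flagged.items():
        print("REVIEW", bssid, reason)
    print("rogue after review:", [ap.bssid for ap in second["rogue"]])
```

The flag is deliberately a hint for review rather than an automatic rogue verdict: the second corporate AP trips it just as the open impostor does, and only the administrator can tell them apart, which is why the page leaves the authorize/rogue decision to a click.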

Wireless Settings

The Wireless Settings page allows general configuration of wireless networks.

1. Go to Protect > Wireless > Wireless Settings.

2. Specify the Global Settings.

Enable Wireless Protection

Click the toggle switch to enable Wireless Protection.

Allowed Zone

Select network zones that are to be allowed for access point connectivity. These are the zones where access points are deployed to.

Note: If the wireless network uses WPA/WPA2 Enterprise Authentication as encryption mode then a RADIUS server needs to be specified.

Figure 179: Global Settings

3. Specify the Advanced Settings.

Notification Timeout

If an access point goes offline you get a notification. The Notification Timeout lets you configure a timeout for the notification. This means, if you set a delay of 2 minutes, the notification will be sent only if the access point is offline for at least 2 minutes. After the specified time, the AP will be considered inactive.

Timeout (in minutes)

The notification timeout requires an integer.

Default: 5 minutes.

Enterprise Authentication

For enterprise authentication, you need to provide information about your RADIUS server. Note that access points do not communicate with the RADIUS server for authentication; only the Sophos Firewall OS does. Port 414 is used for the RADIUS communication between the Sophos Firewall OS and the access points.

RADIUS Server

Select the required RADIUS server from the drop-down list. Servers can be added and configured on Configure > Authentication > Servers.

Note: When your RADIUS server is connected to the Sophos Firewall OS via an IPsec tunnel, you have to configure an additional SNAT rule to ensure that the communication works correctly. On the System > Profiles > Network Address Translation page, add the following SNAT rule: For traffic from the APs' network(s), using service RADIUS, and going to the RADIUS server, replace the source address with the IP address of the Sophos Firewall OS used to reach the RADIUS server.


Figure 180: Advanced Settings

4. Click Apply.

Hotspot Settings

The Hotspot Settings page allows you to make additional hotspot settings.

Use this page to configure additional hotspot settings.

General Voucher Options

Here you can decide if and after which time interval you want to delete expired vouchers from the database. In the hotspot log you will still find information about deleted vouchers.

Figure 181: General Voucher Options

Login Page Certificate

You can generate or upload new certificates on the System > Certificates > Certificates page.

Select the requested certificate from the drop-down list and click Apply to activate it.


Figure 182: Login Page Certificate

Walled Garden

Add or select specific hosts or networks which ought to be permanently accessible to all users, without the need of entering a password or a voucher code.

You can add a new IP host, MAC host or FQDN host directly from this page or via the System > Hosts and Services menu.

Figure 183: Walled Garden

Download Templates

Here you can download the hotspot login template and the voucher template that are to be used by default when adding a new hotspot. You can modify the default templates to customize your hotspot login page or the voucher design without the need to create them from scratch.

You can upload a customized HTML and PDF template when adding or editing a hotspot on the Protect > Wireless > Hotspots page in the section Hotspot Customization (upload is available only if the customization type Full is selected).

Figure 184: Download Templates

Email

This feature requires a subscription. It can be configured but cannot be enforced without a valid Email Protection subscription.

From the Email tab, you can configure SMTP/S, POP/S and IMAP/S settings, Email Security Policies, Secure PDF eXchange (SPX) and Data Control.


The device offers comprehensive Email Security, preventing sophisticated forms of zero-hour threats and blended attacks involving spam, botnets, phishing, spyware and more. The basic email protection configuration includes:

• creating policies to allow or deny email traffic to and from your Email Server

• applying Spam, Malware, Data and File protection on email traffic

• SPX encryption

• configuring an email threshold size for scanning

• specifying the action to be taken if a virus is detected

• blocking mails based on sender or recipient

• blocking mails with certain file types.

SMTP Deployment Modes

SF can be deployed in two modes:

• Legacy Mode

• MTA Mode

Legacy Mode

In Legacy Mode, SF acts as a transparent proxy that scans emails for malware and spam and applies SPX Encryption and Data Protection. Refer to the following guides to see how SF can be configured to scan email traffic in Legacy Mode:

MTA Mode

In MTA Mode, SF acts as a Mail Transfer Agent. A Mail Transfer Agent (MTA) is a service that is responsible for receiving and routing emails to their specified destinations.

Deploy SF in MTA Mode when you want it to perform the actual routing of emails, as opposed to Legacy Mode, where SF only forwards the email traffic as a proxy.

In MTA Mode, SF performs the following functions:

• Performs relaying and routing of emails. You can configure relaying of emails from Email > Relay Settings.

• Protects multiple Email Servers using SMTP Policies. From Email > Policies > SMTP Policies, you define the kind of protection you want to apply on each of your Email Domains.

• Displays email messages that are either waiting or failed to be delivered in the Email > Mail Spool.

• Displays logs for all the emails processed by the Device from Email > Mail Logs.


Policies

This feature requires a subscription. It can be configured but cannot be enforced without a valid Email Protection subscription.

This page allows configuration of SMTP Route and Scan Policies, SMTP Malware Scan Policies, SMTP Spam Scan Policies and POP-IMAP Scan Policies:

• SMTP Route and Scan Policies (MTA Mode)

• SMTP Malware Scan Policies (Legacy Mode)

• SMTP Spam Scan Policies (Legacy Mode)

• POP3-IMAP Scan Policies (MTA and Legacy Mode)

SMTP Route and Scan Policies

SMTP Route and Scan policies appear only when MTA (Mail Transfer Agent) mode is enabled. MTA mode is available only in Sophos Firewall XG105, Cyberoam CR25iNG, Sophos UTM SG105, and higher models.

The device allows you to create SMTP Route and Scan policies which can be used to protect multiple domains on your internal email server(s). Using these policies, the device protects the server(s) from remote attacks and additionally provides powerful virus scanning, email encryption and email filtering services.


Click Add Policy and then SMTP Route & Scan to add a new policy. To update an existing policy, click the desired policy.

SMTP Malware Scan Policies

SMTP Malware Scan policies appear only when Legacy mode is enabled. The device acts as a transparent proxy.

SMTP Malware Scan policies allow you to define action to be taken on emails if they are virus-infected or contain a protected attachment. Based on the action defined in rule, such emails can be delivered as they are, dropped, or cleaned and then delivered or quarantined.

A Malware Scan policy defines:

• whether to quarantine the email

• whether sender, receiver or administrator are to be notified

• whether to block the email containing a specified file type

• what action is to be taken if email is infected or contains a protected attachment: deliver as it is, drop, clean and then deliver

Note: You can also view the Quarantine from Protect > Email > SMTP Quarantine page.

A default SMTP Malware Scan policy named default-smtp-av is pre-configured in the device and applied to all SMTP traffic as soon as you subscribe to the Email Protection Module. We recommend that you create separate rules fine-tuned to your specific network requirements to minimize the possibility of threats.

Click Add Policy and then SMTP Malware Scan to add a new policy. To update an existing policy, click the desired policy.

SMTP Spam Scan and POP-IMAP Scan Policies

SMTP Spam Scan policies appear only when Legacy mode is enabled.

POP-IMAP Scan policy is available in both MTA and Legacy modes.

When you subscribe to the Email Protection Module, SMTP Spam Scan and POP-IMAP Scan policies can be configured for particular senders and recipients.

A policy defines the action to be taken if an email is detected as Spam, Probable Spam, part of a Virus Outbreak or a Probable Virus Outbreak.

To reduce the risk of losing legitimate messages, the Spam Quarantine repository (a storage location) provides administrators with a way to automatically quarantine emails that are identified as spam. This helps in managing spam and probable spam quarantined mails so that the user can take appropriate actions on such emails.

A default POP-IMAP Scan policy named default-pop-av is pre-configured in the device and applied to all POP3/S and IMAP/S traffic so that whenever a virus gets detected in an email, the virus-affected attachment is stripped from the email and the email body is replaced with a notification message.

Detection of Spam attributes

The device uses Content Filtering and Realtime Blackhole Lists (RBLs) to check for spam attributes in SMTP/S, POP3/S and IMAP/S emails. Two classes of RBL are used:

• Premium

• Standard

An RBL is a list of IP addresses whose owners refuse to stop the proliferation of spam, that is, owners who are responsible for spam or whose hosts have been hijacked for spam relay. The device checks each RBL for the connecting IP address. If the IP address matches one on the list, the action specified in the policy is taken.

Add SMTP Route and Scan Policy

SMTP Route and Scan policies appear only when MTA (Mail Transfer Agent) mode is enabled. MTA mode is available only in Sophos Firewall XG105, Cyberoam CR25iNG, Sophos UTM SG105, and higher models.

This feature requires a subscription. It can be configured but cannot be enforced without a valid Email Protection subscription.

SMTP route and scan policy allows you to protect emails from spam and malware, to SPX-encrypt emails and to provide data and file protection.

1. Go to Protect > Email > Policies and click Add Policy. Click SMTP Route & Scan.

2. Enter the Name.

3. Enter the Domains and Routing Target details.

Protected Domain

Select the domains. The policy applies to emails to and from the selected domains. To add a new domain, click Create New.

Emails received by users of the protected domains are Inbound Emails.

Emails sent out by users of the protected domains are Outbound Emails.

Emails sent among users of protected domains are Internal Emails.

Route By

Select the email server to forward the emails to. Select from the following server types:

Available Options:

Static Host: From the Host List, select the static IP addresses of the internal email servers. If the first host in the selected list is not reachable, the device forwards emails to the next host until it reaches the end of the list. To create a new host, click Create.

MX: Select to route emails based on MX records.

Global Action

Select the action.

Accept: Accepts all emails to the specified domains. You can apply SPX encryption on outbound emails by selecting the SPX Template from the drop-down list.

Reject: Rejects all emails to the specified domains. The sender is notified.


Figure 185: Domains and Routing Target

4. Turn on Spam Protection.

You can enable protection for inbound and outbound spam, virus outbreak and blacklisted sender IP addresses through RBLs. Select the action to be applied to spam and probable spam emails.

Available Actions:

None

Warn: Delivers the email to the recipient after adding a prefix to the subject. Specify the prefix in Prefix Subject.

Quarantine

Drop: Drops the email without sending a notification to the sender.

Default: Drop

Figure 186: Spam Protection

5. Turn on Malware Protection.

Scanning

Select the scanning action.

Available Actions:

Disable: Emails are not scanned.

Enable: Emails are scanned by the device's anti-virus engine.

Note:

In Sophos Firewall XG105, Cyberoam CR500iNG, and Sophos UTM SG105, and higher models, Enable is replaced by the following options.

Single Anti-Virus: The primary anti-virus engine scans the emails.

Dual Anti-Virus: The primary and secondary engines scan emails sequentially.

Select the Primary Anti-Virus Engine from Protect > Email > General Settings > Malware Protection.

Detect zero-day threats with Sandstorm (Sandstorm Module required)

Enable to send emails for Sandstorm analysis. Emails found clean by Sandstorm will be delivered to the recipient(s) while selected action will be applied on those found malicious.

Note: Sandstorm cannot be used with Single Anti-Virus scanning if Avira is the Primary Anti-Virus Engine. You can change the engine from Protect > Email > General Settings > Malware Protection or Configure > System Services > Malware Protection.

Scanned File Size (available if Detect zero-day threats with Sandstorm is enabled)

Enter the size of files that can be analyzed by Sandstorm. Files with size greater than that will not be analyzed.

Anti-virus Action

Select the action to be taken against malicious emails.

Available Actions:

None

Warn: Delivers the email to the recipient after adding a prefix to the subject. Specify the prefix in Prefix Subject.

Quarantine

Drop: Drops the email without sending a notification to the sender.


Notify Sender

Select to notify the sender about the infected email.

Quarantine unscannable content

Select to quarantine emails that could not be scanned. These include corrupt, encrypted, compressed files, oversized emails, and emails not scanned due to an internal error.


Figure 187: Malware Protection

6. Turn on File Protection to filter specific attachments.

Block File Types

Select the type of attachments you want to block. The corresponding MIME headers populate the MIME Whitelist.

To select more than one file type, press Ctrl+Shift.

The device contains a default list of file types with the relevant file extensions.

Refer to Email > ... > File Type to view the list of file extensions.

Select All to block emails with an attachment.

Select None to allow emails with an attachment.

MIME White List

Select the MIME headers to be allowed during the malware scan. Unselected headers are blocked.

Drop Message Greater Than

Enter the maximum file size (in KB) to be scanned by the device. Larger emails are dropped.

Default: 51200 KB

Figure 188: File Protection

7. Turn on Data Protection. (applicable only to outbound emails)

Data Control List

Select the list to be applied to scan emails for sensitive information.

Data Control Lists (DCL) can be created from the pre-configured Sophos Content Control List (CCL), which provides common financial and personally identifiable data types, like credit card numbers, social security numbers, postal addresses, or email addresses.

You can create a list from Protect > Email > Data Control List.

Data Control List Action

Select the action to be taken against emails containing sensitive information.

Available Actions:

Accept: Accepts the email and delivers it to the recipient.

Accept with SPX: Accepts and SPX-encrypts the email before delivering it to the recipient. Select the SPX Template to be applied to the email. You can create SPX Templates from Protect > Email > Encryption.

Drop: Drops the email without sending a notification to the sender.

Notify Sender

Select to notify the sender that the email contains sensitive information.

Figure 189: Data Protection

Add POP-IMAP Scan Policy

This feature requires a subscription. It can be configured but cannot be enforced without a valid Email Protection subscription.

Add a POP-IMAP scan policy to detect incoming and outgoing spam in POP/S and IMAP/S traffic.

1. Go to Protect > Email > Policies and click POP-IMAP Scan.

2. Enter a Name for the policy.

3. Enter email address or domain group details.


Sender

To specify the sender email addresses, select from the following options:

Contains: Specify the keywords to be matched with the senders' email addresses. Example: If you specify the keyword 'mail', the rule applies to senders' email addresses such as [email protected], [email protected].

Equals: Specify the senders' exact email addresses.

To add a list of keywords or email addresses, click Create New.

Recipient

To specify the recipient email addresses select from the following options:

Contains: Specify the keywords to be matched with the recipient email addresses. Example: If you specify the keyword 'mail', the rule applies to recipient email addresses such as [email protected], [email protected].

Equals: Specify the recipients' exact email addresses.

To add a list of keywords or email addresses, click Create New.


Figure 190: Email Address/Domain Group

4. Select from the following Filter Criteria based on which the specified action is to be taken:

Inbound Email is

Select from the following options:

• Spam

• Probable Spam

• Virus Outbreak

• Probable Virus Outbreak

Source IP/Network Address

Sender's IP address matches the specified IP address.

Message Size

The email's size matches the specified message size restriction.

Message Header

Select from the following message headers to match the specified keyword:

• Subject

• From

• To

• Other

Select the type of keyword match from the following options:

Contains: Specify the keywords to be matched with the message header.

Equals: Specify the exact match to the actual headers.

None

Select to create a policy between specific senders and recipients without imposing any other condition.


Figure 191: Filter Criteria

5. Select the action.

Action

Action to be taken from the following options:

Available Options:

Accept: Email is accepted and delivered to the intended recipient.

Prefix Subject: Email is accepted and delivered to the intended recipient after adding a prefix to the subject line. Specify the prefix in the To field. You can set the prefix to indicate the filter criteria.

Example:

Original subject line: Test mail

Tagged content: Probable Spam

Recipient receives email with the subject line: 'Probable Spam: Test mail'

6. Click Save.

Data Control List

This feature requires a subscription. It can be configured but cannot be enforced without a valid Email Protection subscription.

This feature is available in Cyberoam Models CR15iNG and above, and all Sophos UTM and Sophos Firewall Models.

You can create a Data Control List of confidential data by selecting from the Content Control List (CCL). The device provides CCLs based on expert definitions for common financial and personally identifiable data types (example: credit card and social security numbers, postal and email addresses).

Subsequently, you can use Data Control Lists to set Data Protection for emails.

Add a Data Control List

This feature requires a subscription. It can be configured but cannot be enforced without a valid Email Protection subscription.

This feature is available in Cyberoam Models CR15iNG and above, and all Sophos UTM Models.

Add Data Control List allows you to create a list of confidential data types. The device provides Content Control Lists (CCL) based on expert definitions for common financial and personally identifiable data types.

1. Go to Protect > Email > Data Control List and click Add.

2. Enter the name.

3. Select the CCLs (Content Control List) from the list. Filter the CCLs based on Type and Region.


Figure 192: Data Control List

4. Click Save.

SMTP Quarantine

SMTP Quarantine is available only in Sophos Firewall XG105, Cyberoam CR25iNG, Sophos UTM SG105, and higher models.

This feature requires a subscription. It can be configured but cannot be enforced without a valid Email Protection subscription.

The SMTP Quarantine allows you to filter the quarantined emails. The page displays all the emails quarantined by the device if they are found to be:

• From a blocked Source IP Address

• Destined to a blocked Destination IP Address

• Virus-infected

• Oversized

• Containing a Blocked Header

• Containing unscannable content or a protected attachment

• Blocked by an RBL

• Blocked by Data Protection (DP)

• Spam

• Found malicious by Sandstorm

• Quarantined due to any other reason

Use the filter to search for mails from the list of quarantined emails.

The filter result displays a list of all the quarantined emails based on the filter criteria.

Total utilization displays the percentage of the quarantine area used by quarantined emails. Once the quarantine repository is full, older emails are purged.

Quarantine Digest


The Quarantine Digest is an email containing a list of quarantined emails filtered by the device and held in the user's quarantine area. If configured, the user receives a Quarantine Digest as per the frequency set in Email > Quarantine Digest. The digest also provides a link to the User Portal from where the user can access quarantined emails and take the required action.

Releasing Quarantined Email

Either the Administrator or the user can release quarantined Emails. The Administrator can release quarantined Emails from the Quarantine Area, while the user can release them from the User Portal. Released quarantined Emails are delivered to the intended recipient's inbox. The Administrator can access the Quarantine Area from Email > SMTP Quarantine, while the user can log on to the User Portal and access the Quarantine Area from SMTP Quarantine. If Quarantine Digest is configured, the user will receive a Digest of the quarantined mails as per the configured frequency.

Note:

• Virus-infected emails and the emails found malicious by Sandstorm cannot be released.

• To delete Sandstorm related emails, you need Read-Write permission for Sandstorm Activity.

Figure 193: SMTP Quarantine

Mail Spool

Mail Spool appears only when MTA (Mail Transfer Agent) mode is enabled. MTA mode is available only in Sophos Firewall XG105, Cyberoam CR25iNG, Sophos UTM SG105, and higher models.

This feature requires a subscription. It can be configured but cannot be enforced without a valid Email Protection subscription.

Mail Spool displays emails that are waiting to be delivered. You can delete or retry sending these emails. This page does not display discarded emails.

1. Specify the filter criteria.

2. You can delete or retry sending the filtered emails.

Note:

• To delete or retry sending Sandstorm-related emails, you need Read-Write permission for Sandstorm Activity.

• The device retries sending emails for three days. At the end of an additional four days, it discards the emails. You can view the discarded emails from Mail Logs.

Mail Logs

Mail Logs appears only when MTA (Mail Transfer Agent) mode is enabled. MTA mode is available only in Sophos Firewall XG105, Cyberoam CR25iNG, Sophos UTM SG105, and higher models.

This feature requires a subscription. It can be configured but cannot be enforced without a valid Email Protection subscription.

Mail Logs allows you to view and filter email logs.

1. Specify the filter criteria.

2. Specify the criteria for Result Filter to display logs based on delivery status.

3. Specify the criteria for Reason Filter to display logs based on the scan result.

4. Click Filter.


Figure 194: Mail Logs

Encryption

SPX Encryption is available in Sophos Firewall XG105 and higher models, Cyberoam CR25iNG and higher models, and all Sophos UTM Models.

This feature requires a subscription. It can be configured but cannot be enforced without a valid Email Protection subscription.

What is SPX Encryption?

SPX (Secure PDF Exchange) encryption is a next-generation version of email encryption. It is clientless and extremely easy to set up and customize in any environment. Using SPX encryption, email messages and any attachments sent to the Device are converted to a PDF document, which is then encrypted with a password. You can configure the Device to allow senders to select passwords for the recipients, or the server can generate the password for the recipient and store it for that recipient, or the server can generate one-time passwords for recipients.

When SPX encryption is enabled, there are two ways in which emails can be SPX encrypted:

• The user can download the Sophos Outlook Add-in from User Portal. After having it installed, an Encrypt button is displayed in the Microsoft Outlook user interface. To encrypt a single message, the user needs to click the Encrypt button and then write and send the message.

Note:

If you do not use Outlook you can also trigger SPX encryption by setting the header field X-Sophos-SPX-Encrypt to "yes".

• In the Data Protection feature, you can enforce SPX encryption of Emails containing sensitive data (see Email > Policies > SMTP Policy).

The encrypted message is then sent to the recipient's mail server. Using any PDF reader, the recipient can decrypt the message with the password that was used to encrypt the PDF. SPX-encrypted email messages are accessible on all popular smartphone platforms that have native or third-party PDF file support, including Android, iOS, Blackberry and Windows Mobile devices.

The SPX-encrypted email contains a Reply button which links to the SPX Reply Portal. Using the SPX Reply Portal, the recipient is able to answer to the email in a secure way.

SPX Configuration

Default SPX Template

Select the SPX Template to be used by default. The Default Template is used if any user explicitly SPX-encrypts an email and no template is selected in the Content Scanning Rule.

The user can SPX-encrypt an Email by:

• Manually setting the Email header X-Sophos-SPX-Encrypt to "yes".

• Installing the Sophos Outlook Add-on and clicking Encrypt before sending the Email.

If the Default SPX Template is set to None, then SPX encryption is not applied to Email.

Allow Secure Reply for

Enter the maximum time (in days) in which recipient can securely reply to an SPX-encrypted email using the SPX Reply Portal.

Keep Unused Password for

Enter the expiry time in days of an unused password.

For example, if Keep Unused Password for is set to 3 days, the password will expire at 0 o'clock 3 days after being generated if no SPX encrypted message has been sent for a specific recipient.

Default: 30 days

Allow Password Registration for

Enter the time in days after which the link to Password Registration Portal expires.

Default: 10 days

Send Error Notification To

Specify whom to send a notification when an SPX error occurs. You can send the notification to the sender or you can send no notification at all. Error messages will always be listed in the SMTP log.


Figure 195: SPX Configuration

SPX Portal Settings

Host Name

Enter the IP Address or Domain on which the Password Registration Portal is hosted.

Allowed Network(s)

Enter the networks from which password registration requests will be accepted.

Port

Enter the port on which the SPX Password Registration Portal should listen.

Default: 8094


Figure 196: SPX Portal Settings

SPX Password Reset

Reset Password for

Enter the Email Address for the recipient for whom you want to reset the password. New SPX email to this address requires the recipient to obtain a new password from the sender.

Figure 197: Password Reset

SPX Templates

The SPX template defines the layout of the PDF file, password settings and recipient instructions. You can also define different SPX templates. So, if you are managing various customer domains, you can assign them customized SPX templates containing, for example, different company logos and texts.

Figure 198: SPX Templates

Add SPX Templates

SPX Encryption is available in Sophos Firewall XG105 and higher models, Cyberoam CR25iNG and higher models, and all Sophos UTM Models.

This feature requires a subscription. It can be configured but cannot be enforced without a valid Email Protection subscription.

This page allows you to define new SPX Templates or modify existing templates.

1. Go to Protect > Email > Encryption > SPX Templates and click Add.

2. Enter parameter values for the following basic settings.

Name

Specify the name to uniquely identify the template. The name should be a string containing alphanumeric and special characters EXCEPT forward slash (/), backslash (\), comma (,), double quote (") and single quote (').

Description

Specify details of the template.

Organization Name

Specify the organization name to be displayed on notifications concerning SPX sent to the administrator or the email sender, depending on your settings.

PDF Encryption

Select the encryption standard of the PDF file.

Page Size

Select the page size of the PDF file.


Figure 199: General Settings

3. Enter Password Settings.

Password Type

Select how you want to generate the password for accessing the encrypted email message. The sender always has to take care of transferring the password in a safe way to the recipient, unless you select Specified by recipient.

Available Options:

Specified by Sender:

If you select this, the email sender should provide the password. The sender has to enter the password into the Subject field, using the following format:

[secure:<password>]<subject text>, where <password> is the password to open the encrypted PDF file and <subject text> is the actual subject. The password is removed by the Device before the email is sent to the recipient.

Generated one-time password for every email:

The Device automatically creates a new password for each affected email. An email notification is mailed to the sender containing instructions and the one-time generated password.

The HTML content of this Email can be customized from Notification Subject and Notification Body. You can reset to the default content by clicking Reset.

Generated and stored for recipient:

The Device automatically creates a recipient-specific password when the first email is sent to a recipient. This password will be sent to the sender. With the next email, the same password is used automatically. The password will expire when it is not used for a configured time period, and it can be reset by the administrator, see Encryption.

The HTML content of this Email can be customized from Notification Subject and Notification Body. You can reset to the default content by clicking Reset.

Specified by recipient:

If you select this, the email recipient should provide the password. The recipient receives an email notification containing a link leading to the Password Registration Portal to register a password and the Sender receives a failure notification. After registration, the recipient is able to view the current encrypted mail and any future encrypted mails using the same password from this or other senders from the same organization.

Note: The recipient's passwords generated via the Specified by recipient method and the Generated and stored for recipient method are mutually exclusive. The recipient will have to use the respective password when email is received after SPX encryption using different methods.


Figure 200: Password Settings
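The Specified by Sender password type and the X-Sophos-SPX-Encrypt header trigger described under Encryption are easiest to see in code. The following is an added example written for this guide, not Sophos code: it builds a constructed message as a sender's client would hand it to the gateway, then models the gateway-side step of pulling the password out of the Subject and stripping it before delivery. The regular expression, the constructed addresses, the `request_spx` switch and the ValueError raised when encryption is requested without a password tag are this example's own assumptions.

```python
import re
from email.message import EmailMessage

# Subject convention of the "Specified by Sender" password type:
#   [secure:<password>]<subject text>
# Assumption of this example: the tag leads the Subject and the password
# contains no ']' character.
SECURE_TAG = re.compile(r"^\s*\[secure:(?P<password>[^\]]+)\](?P<subject>.*)$", re.DOTALL)


def build_spx_request(subject, password=None, request_spx=True):
    """Constructed sample: a message as a sender's client hands it to the
    gateway, asking for SPX with the X-Sophos-SPX-Encrypt header and, when a
    password is given, carrying it in the Subject tag."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"      # constructed addresses
    msg["To"] = "bob@example.net"
    if request_spx:
        msg["X-Sophos-SPX-Encrypt"] = "yes"  # header named in the guide
    msg["Subject"] = f"[secure:{password}]{subject}" if password else subject
    msg.set_content("Constructed sample body.")
    return msg


def extract_sender_password(subject):
    """Split '[secure:pw]text' into (pw, text); (None, subject) when untagged."""
    m = SECURE_TAG.match(subject or "")
    if not m:
        return None, subject
    return m.group("password"), m.group("subject").strip()


def prepare_for_spx(msg):
    """Gateway-side handling for the Specified by Sender password type.

    Returns (password, outgoing_subject). When the message does not ask for
    SPX, the password is None and the Subject is left untouched. When SPX is
    requested, the password is pulled out and the Subject rewritten in place,
    so the secret never leaves the gateway (the guide says the Device removes
    it). A request without a password tag raises ValueError, the point at which
    a gateway would issue its SPX error notification."""
    flag = (msg.get("X-Sophos-SPX-Encrypt") or "").strip().lower()
    if flag != "yes":
        return None, msg.get("Subject", "")
    password, clean_subject = extract_sender_password(msg.get("Subject", ""))
    if password is None:
        raise ValueError("SPX requested but Subject carries no [secure:...] tag")
    msg.replace_header("Subject", clean_subject)
    return password, clean_subject


if __name__ == "__main__":
    sample = build_spx_request("Q3 payroll figures", "Tr0ub4dor&3")
    pw, subj = prepare_for_spx(sample)
    print(f"password={pw!r} outgoing subject={subj!r}")
```

The password lives only in the Subject of the hop from the client to the gateway, which is why the guide stresses that the sender still has to pass it to the recipient out of band; nothing in the outgoing message carries it.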

4. Specify Recipient Instructions:

Instructions for Recipient

The body of the email that is sent from the Device to the email recipient containing instructions concerning the encrypted email. Simple HTML markup and hyperlinks are allowed. You can also use variables, e.g., %%ORGANIZATION_NAME%%.

Tip: The Default SPX Template on this tab contains all available variables and gives a useful example of recipient instructions. The variables used are:

• ENVELOPE_TO: The recipient for whom the password is generated.

• PASSWORD: The password to open SPX encrypted Email

• ORGANIZATION_NAME: The name provided in the Organization Name field.

• SENDER: The sender of the email.

• REG_LINK: The link to the Registration Portal for registering the password.

Figure 201: Recipient Instructions

5. Enable SPX Portal Settings

Enable SPX Reply Portal

Click to enable users to securely reply to SPX-encrypted emails using the SPX Reply Portal. You also have the option to Include Original Body into Reply.


Figure 202: SPX Portal Settings

General Settings

This feature requires a subscription. It can be configured but cannot be enforced without a valid Email Protection subscription.

Email Configuration allows you to configure the general settings for Email traffic. This page contains the following sections.

SMTP Deployment Mode

MTA mode is available only in Sophos Firewall XG105, Cyberoam CR25iNG, Sophos UTM SG105, and higher models.

Click the button to switch between MTA Mode and Legacy Mode.

In MTA Mode, Device acts as a Mail Transfer Agent (MTA). In Legacy Mode, Device acts as a transparent proxy.

When acting as an MTA, Device is responsible for routing Emails to and from the protected Email Server(s). In this state Device allows you to:

• configure relay of inbound and outbound Emails from Email > Relay Settings.

• set up multiple SMTP Profiles to protect multiple Domains on your internal Email Server or multiple Email Servers from Email > Policies > SMTP Policies.

• view email messages that are either waiting for delivery or have produced an error in the Email > Mail Spool.

• view the logs for all the emails processed by the Device from Email > Mail Logs.

Default: MTA Mode is enabled.

Note:

• On enabling MTA Mode, a firewall rule to allow SMTP/SMTPS traffic is automatically created.

• If you have migrated from CyberoamOS to SFOSv16 OR SFOSv15 to SFOSv16, Legacy Mode will be enabled by default.

Figure 203: SMTP Deployment Mode

Banner Settings

Append Banner to All Outbound Messages

Enable to add a banner at the end of all outgoing Email messages.

The banner is appended ONLY when SMTP and SMTPS Scanning is enabled in the relevant Business Application Policy(s).

Email Banner

Specify a banner to be added to all outgoing Emails. Only text banners are allowed.

Example:

This email contains confidential information. You are not authorized to copy the contents without the consent of the sender. Please do not print this email unless it is absolutely necessary. Spread environmental awareness.


Figure 204: Banner Settings

SMTP Settings

SMTP Hostname

Specify the SMTP hostname to be used in HELO and SMTP banner strings. By default, Device uses 'Sophos' as hostname.

Note: For Legacy Mode, this hostname is applicable only to system-generated notification emails.

Don't Scan Emails Greater Than

Specify maximum file size (in KB) for scanning. Files exceeding this size received through SMTP/S will not be scanned.

Default - 1024 KB

Specify 0 to increase the default file size scanning restriction to 51200 KB.

Action for Oversize Email

Specify the action for Oversize Emails.

Available Options

Accept: All oversize mails are forwarded to the recipient without scanning.

Reject: All oversize mails are rejected and the sender is notified.

Drop: All oversize mails are dropped without notifying the sender.

Bypass Spam Check for SMTP/S Authenticated Connections (Available in Legacy Mode only)

Enable to bypass Spam Scanning for Email messages received over SMTP/S connections authenticated by the Email Server.

Verify Sender's IP Reputation

Click to verify the reputation of the sender IP Address. When enabled, the Device dynamically checks the sender's IP Address of all Emails. If the IP Address is found to be responsible for sending spam email or malicious contents, the Device takes action as per the configured Scanning Rules.

If enabled, specify an action for Confirmed Spam Emails and Probable Spam Emails.

Available Options

Accept: All the spam Emails are forwarded to the recipient after scanning as per the configuration.

Reject: All the spam mails are rejected and a notification is sent to the Email sender.

Drop: All the spam mails are dropped, without notifying the sender.

As it is a global option, if spam scanning is enabled, all the mails will first be subjected to IP Reputation filtering followed by filtering based on actions configured in the spam policy.

Default - Disable

SMTP DoS Settings

Enable to configure SMTP DoS Settings which protect the network from SMTP DoS Attacks.

If this is enabled, specify values for Maximum Connections, Maximum Connections/Host, Maximum Emails/Connection, Maximum Recipients/Email, Email Rate per Minute/Host and Connections Rate per Second/Host.

Maximum Connections (Available if SMTP DoS Settings Enabled)

Specify maximum number of connections that can be established with the Email Server.

Default - 1024

Acceptable Range - 1 - 20000

Maximum Connections/Host (Available if SMTP DoS Settings Enabled)

Specify maximum number of connections allowed to the Email Server from a particular host.

Default - 64

Acceptable Range - 1 - 10000

Maximum Emails/Connection (Available if SMTP DoS Settings Enabled)

Specify maximum number of Emails that can be sent in a single connection.

Default - 512

Acceptable Range - 1 - 1000

Maximum Recipients/Email (Available if SMTP DoS Settings Enabled)

Specify the maximum number of recipients for a single Email.

Default - 100

Acceptable Range - 1 - 256

Email Rate per Minute/Host (Available if SMTP DoS Settings Enabled)

Specify number of Emails to be sent from a particular host in one minute.

Default - 512

Acceptable Range - 1 - 20000

Connection Rate per Second/Host (Available if SMTP DoS Settings Enabled)

Specify number of connections allowed to the Email Server from a particular host in one second.

Default - 8

Acceptable Range - 1 - 20000


Figure 205: SMTP Settings
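To make the six SMTP DoS counters concrete, here is an added, self-contained model of how such limits gate SMTP sessions. It is example code written for this guide, not the appliance's implementation: the defaults match the values listed above, while the sliding-window bookkeeping, the method names, the reason strings and the constructed client address are this example's own assumptions (a refused attempt is not counted toward a rate, and each accepted email counts once).

```python
from collections import defaultdict, deque


class SmtpDosLimiter:
    """Gate SMTP connections and messages with the six SMTP DoS counters.

    Defaults are the guide's defaults. The bookkeeping (per-host sliding
    windows, per-connection message counts) is this example's assumption.
    Timestamps are passed in explicitly so behaviour is deterministic."""

    def __init__(self, max_connections=1024, max_connections_per_host=64,
                 max_emails_per_connection=512, max_recipients_per_email=100,
                 email_rate_per_minute_per_host=512,
                 connection_rate_per_second_per_host=8):
        self.max_connections = max_connections
        self.max_connections_per_host = max_connections_per_host
        self.max_emails_per_connection = max_emails_per_connection
        self.max_recipients_per_email = max_recipients_per_email
        self.email_rate_per_minute_per_host = email_rate_per_minute_per_host
        self.connection_rate_per_second_per_host = connection_rate_per_second_per_host
        self.open_conns = {}                    # conn_id -> [host, emails_sent]
        self.conns_by_host = defaultdict(int)   # host -> currently open connections
        self.conn_times = defaultdict(deque)    # host -> accepted connection times
        self.email_times = defaultdict(deque)   # host -> accepted email times
        self._next_id = 0

    @staticmethod
    def _events_in_window(window, now, span):
        """Drop events older than `span` seconds and return how many remain."""
        while window and now - window[0] >= span:
            window.popleft()
        return len(window)

    def open_connection(self, host, now):
        """Return (conn_id, "ok"), or (None, limit) naming the limit that refused it."""
        if len(self.open_conns) >= self.max_connections:
            return None, "Maximum Connections"
        if self.conns_by_host[host] >= self.max_connections_per_host:
            return None, "Maximum Connections/Host"
        if (self._events_in_window(self.conn_times[host], now, 1.0)
                >= self.connection_rate_per_second_per_host):
            return None, "Connection Rate per Second/Host"
        self._next_id += 1
        self.open_conns[self._next_id] = [host, 0]
        self.conns_by_host[host] += 1
        self.conn_times[host].append(now)
        return self._next_id, "ok"

    def close_connection(self, conn_id):
        host, _ = self.open_conns.pop(conn_id)
        self.conns_by_host[host] -= 1

    def accept_email(self, conn_id, recipient_count, now):
        """Return (accepted, reason) for one message on an open connection."""
        state = self.open_conns[conn_id]
        host = state[0]
        if state[1] >= self.max_emails_per_connection:
            return False, "Maximum Emails/Connection"
        if recipient_count > self.max_recipients_per_email:
            return False, "Maximum Recipients/Email"
        if (self._events_in_window(self.email_times[host], now, 60.0)
                >= self.email_rate_per_minute_per_host):
            return False, "Email Rate per Minute/Host"
        state[1] += 1
        self.email_times[host].append(now)
        return True, "ok"


if __name__ == "__main__":
    limiter = SmtpDosLimiter()
    client = "198.51.100.7"   # constructed client address
    for t in (0.0, 0.1, 0.2, 0.3, 0.4, 0.5, 0.6, 0.7, 0.8):
        print(t, limiter.open_connection(client, t))
```

The per-host rate limits are the ones that matter against a single abusive source, while Maximum Connections protects the mail server as a whole; a limiter that only had the global counter would let one host consume it entirely.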

POP/S and IMAP/S Settings

Don't Scan Emails Greater Than

Specify maximum file size (in KB) for scanning. Files exceeding this size received through POP/IMAP will not be scanned.

Default - 1024 KB

Specify 0 to increase the default file size restriction to 10240 KB.

Recipient Headers

Specify Header value to detect recipient for POP3/IMAP.

Default - Delivered-To, Received, X-RCPT-TO


Figure 206: POP/S and IMAP/S Settings
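Because a POP3 or IMAP download carries no SMTP envelope, the scanner has to recover the recipient from message headers, which is what the Recipient Headers setting configures. The following added example (written for this guide, not the appliance's parser) walks the default header order Delivered-To, Received, X-RCPT-TO over constructed sample messages; the "for" clause regex and the sample messages are this example's assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Default header order from the guide.
DEFAULT_RECIPIENT_HEADERS = ("Delivered-To", "Received", "X-RCPT-TO")

# The "for <addr>" clause of a Received header (this example's own pattern).
FOR_CLAUSE = re.compile(r"\bfor\s+<?([^\s<>;,]+@[^\s<>;,]+)>?", re.IGNORECASE)


def detect_recipient(raw_message, headers=DEFAULT_RECIPIENT_HEADERS):
    """Return the recipient address a POP3/IMAP scanner would attribute the
    message to, or None. Headers are tried in the configured order; for
    Received, each hop is inspected until one carries a 'for' clause."""
    msg = message_from_string(raw_message)
    for name in headers:
        for value in msg.get_all(name, []):
            value = " ".join(str(value).split())     # unfold continuation lines
            if name.lower() == "received":
                m = FOR_CLAUSE.search(value)
                address = m.group(1) if m else ""
            else:
                address = parseaddr(value)[1]
            if address:
                return address.lower()
    return None


# Constructed sample messages (documentation domains and addresses only).
SAMPLE_DELIVERED_TO = """\
Delivered-To: bob@example.net
Received: from mx.example.org (mx.example.org [203.0.113.5])
 by mail.example.net with ESMTP id 1; Tue, 4 Jul 2017 10:00:00 +0000
From: alice@example.org
Subject: quarterly numbers

body
"""

# First hop (a list server) has no 'for' clause; the second hop does.
SAMPLE_RECEIVED_ONLY = """\
Received: from list.example.org (list.example.org [203.0.113.9])
 by mail.example.net with ESMTP id 2; Tue, 4 Jul 2017 10:01:00 +0000
Received: from mx.example.org ([203.0.113.5])
 by list.example.org with ESMTP id 3
 for <carol@example.net>; Tue, 4 Jul 2017 10:00:30 +0000
Subject: list mail

body
"""

SAMPLE_X_RCPT = "X-RCPT-TO: <dave@example.net>\nSubject: hi\n\nbody\n"
SAMPLE_NONE = "From: alice@example.org\nSubject: no trace\n\nbody\n"


if __name__ == "__main__":
    for sample in (SAMPLE_DELIVERED_TO, SAMPLE_RECEIVED_ONLY, SAMPLE_X_RCPT, SAMPLE_NONE):
        print(detect_recipient(sample))
```

The last sample shows the failure mode to plan for: a message with none of the configured headers cannot be attributed to a user, so per-recipient policy cannot be applied to it.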

SMTP TLS Configuration

TLS Certificate

Select the CA Certificate or Server Certificate for scanning SMTP traffic over SSL from the available options.

Available Options

• Default

• ApplianceCertificate

• SecurityAppliance_SSL_CA

• List of custom CA Certificates and Server Certificates, if added.

You can create the custom CA Certificate from Certificates > Certificate Authorities and custom Server Certificate from Certificates > Certificates.

Allow Invalid Certificate

If enabled, SMTP over SSL connections will be allowed with an invalid certificate from the Email Server. Disable this option to reject such connections.

Default - Enable

Require TLS Negotiation with Host/Net

Select the remote host (Email Server) or network from available options on whose connections TLS encryption is to be enforced. In other words, the Device will always initiate TLS-secured connections when Emails are to be sent to selected hosts/networks. If TLS is enforced but connection cannot be established, then Emails to that remote host/network are discarded.

Require TLS Negotiation with Sender Domain

Specify the Sender Domain(s) on whose Email connections TLS encryption is to be enforced.

Sender Domain is the domain of the Email sender. Emails from the specified Sender Domain will be sent over TLS-encrypted connections only. If TLS is enforced but connection cannot be established, then Emails from that sender domain are discarded.

Skip TLS Negotiation Hosts/Nets

Select the remote host (Email Server) or network from available options on whose connections TLS encryption is to be skipped or bypassed. When configured, SMTP connections to selected hosts will be established in clear text and unencrypted.


Figure 207: SMTP TLS Configuration

POP and IMAP TLS Configuration

TLS Certificate

Select the CA for scanning POP and IMAP traffic over SSL from the available options.

Available Options

• Default

• SecurityAppliance_SSL_CA

• List of custom CAs, if added.

You can create the custom CA from Certificates > Certificate Authorities.

Allow Invalid Certificate

If enabled, POP and IMAP over SSL connections will be allowed with an invalid certificate from the Mail Server. Disable to reject such connections.

Default - Enable

Figure 208: POP and IMAP TLS Configuration

Email Journaling (Available in Legacy Mode only)

Email being one of the most important communication and business tools in use by organizations, email journaling has become an integral part of every organization.

Using the Device's Email Journaling, the administrator can store all incoming Emails, or Emails for a specific recipient or a group of recipients and thereby keep a close watch over data leakage.


The device can journal all Emails intended for single or multiple recipients and can forward them to a single administrator or multiple administrators.

This section displays a list of the archivers created and provides options to add a new archiver, update the parameters of an existing archiver, or delete the archiver. You can filter the list based on recipient name.

Figure 209: Email Journaling

Spam Check Exceptions

To bypass spam scanning of certain domains, define the domains as Spam Check Exceptions. The page lists all the domains configured to be exempted from spam scanning.

It also provides the options to add a new domain and delete an existing domain.

Figure 210: Spam Check Exceptions

Malware Protection

Malware Protection is available in Sophos Firewall XG105, Cyberoam CR500iNG, Sophos UTM SG105, and higher models.

Sophos Firewall offers dual anti-virus scanning, wherein traffic is scanned by two (2) anti-virus engines. Traffic is first scanned by the primary engine, and then by the secondary engine.

Primary Anti Virus Engine

Select the primary anti-virus engine for traffic scanning. For dual scan, packets are first scanned by the primary engine and then by the secondary engine. For single scan, only the primary engine is used.

Available Options:

• Sophos

• Avira

Note: Selecting Avira will disable Sandstorm in all SMTP Policies with Single Anti-Virus Scanning.

Figure 211: Malware Protection

Advanced SMTP Settings (Available in MTA Mode only)

Reject invalid HELO or missing RDNS

Select this option if you want to reject hosts that send invalid HELO/EHLO arguments or lack RDNS entries. Select Do strict RDNS checks if you want to additionally reject email from hosts with invalid RDNS records. An RDNS record is invalid if the found hostname does not resolve back to the original IP address.

Scan Outgoing Mails

Enable to scan all outgoing email traffic. Email is quarantined if found to be malware infected, or marked as Spam.


Figure 212: Advanced SMTP Settings
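The two checks under Reject invalid HELO or missing RDNS are a HELO/EHLO syntax check, a PTR lookup, and (with Do strict RDNS checks) a forward-confirmed reverse DNS check. The following is an added example written for this guide, not the appliance's code: it runs the three checks against an in-memory DNS table so it works offline. The table, the hostname regex and the reason strings are this example's assumptions, and the addresses are documentation ranges.

```python
import ipaddress
import re

# Constructed DNS data standing in for live PTR and A lookups.
PTR_RECORDS = {
    "203.0.113.10": "mx1.example.net",     # forward-confirmed
    "203.0.113.11": "mail.example.org",    # PTR exists but does not resolve back
    "203.0.113.12": None,                  # no PTR at all
}
A_RECORDS = {
    "mx1.example.net": ["203.0.113.10"],
    "mail.example.org": ["198.51.100.5"],
}


def lookup_ptr(ip):
    return PTR_RECORDS.get(ip)


def lookup_a(name):
    return A_RECORDS.get(name, [])


# A fully qualified hostname: dot-separated labels of 1-63 characters, no
# leading or trailing hyphen, at most 253 characters overall.
FQDN = re.compile(
    r"^(?=.{1,253}$)(?:(?!-)[a-z0-9-]{1,63}(?<!-)\.)+(?!-)[a-z0-9-]{1,63}(?<!-)$",
    re.IGNORECASE,
)


def helo_is_valid(helo):
    """Accept an FQDN or an address literal such as [203.0.113.10] or
    [IPv6:2001:db8::1]; anything else is an invalid HELO/EHLO argument."""
    if helo.startswith("[") and helo.endswith("]"):
        literal = helo[1:-1]
        if literal.lower().startswith("ipv6:"):
            literal = literal[5:]
        try:
            ipaddress.ip_address(literal)
            return True
        except ValueError:
            return False
    return bool(FQDN.match(helo))


def check_client(ip, helo, strict_rdns=False, ptr=lookup_ptr, a=lookup_a):
    """Return (accept, reason) for a connecting client.

    Mirrors the two options above: reject an invalid HELO/EHLO argument or a
    client with no RDNS entry, and with strict_rdns also reject a client whose
    RDNS name does not resolve back to its own address."""
    if not helo_is_valid(helo):
        return False, "invalid HELO/EHLO argument"
    name = ptr(ip)
    if not name:
        return False, "missing RDNS (PTR) record"
    if strict_rdns and ip not in a(name):
        return False, f"RDNS name {name} does not resolve back to {ip}"
    return True, "ok"


if __name__ == "__main__":
    for client, helo in (("203.0.113.10", "mx1.example.net"),
                         ("203.0.113.11", "mail.example.org"),
                         ("203.0.113.12", "mx1.example.net")):
        print(client, helo, check_client(client, helo, strict_rdns=True))
```

The non-strict check accepts 203.0.113.11 because a PTR exists; only the strict check notices that the name it points at belongs to a different address, which is the case the guide calls an invalid RDNS record.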

Address Groups

Policies are applied on Email Addresses. To make configuration easier and simpler, the Administrator can group the addresses that require the same scanning policy. The policy applied to the address group applies to all the group members. Hence, when the group is used in a number of rules, it is much easier to add or remove addresses from the group than to update the individual rules: with one update, the Administrator can re-align all the rules.

An Address Group is a grouping by:

• Email Address or Domain

• IP Address

• RBL (Real-time Blackhole List) (applicable only for spam email)

An address can be a member of multiple groups.

An RBL is a list of IP Addresses whose owners are responsible for spam or are hijacked for a spam relay. These IP Addresses might also be used for spreading viruses. The Device checks each RBL for the connecting IP Address and the action configured in the policy is taken if the IP Address is found in any of the RBL lists. The Administrator can directly use the two default RBL groups shipped with the Device or update them as per their requirement:

• Premium RBL Services

• Standard RBL Services

The Address Group page displays a list of all the default and custom groups and provides options to add a new group, update the parameters, import addresses in the existing group, or delete the group. You can sort the list based on address group name.
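An RBL lookup is a DNS query: the connecting address is reversed and queried under the list's zone, and an answer in 127.0.0.0/8 means the address is listed. The following added example (written for this guide, not the appliance's code) builds the query name for IPv4 and IPv6 and checks a set of zones through an injected resolver so it runs offline. The zone names, the in-memory listing table and the resolver are this example's assumptions, not the Premium or Standard RBL Services shipped with the Device.

```python
import ipaddress


def dnsbl_query_name(ip, zone):
    """Build the name an RBL client queries: the address reversed (octets for
    IPv4, nibbles for IPv6) under the list's zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        reversed_part = ".".join(reversed(str(addr).split(".")))
    else:
        reversed_part = ".".join(reversed(addr.exploded.replace(":", "")))
    return f"{reversed_part}.{zone}"


# Constructed listing data: the A answer a DNSBL returns for a listed address.
# Zones and addresses are placeholders, not real RBL services.
LISTINGS = {
    "10.113.0.203.rbl-a.example": "127.0.0.2",
    "10.113.0.203.rbl-b.example": "127.0.0.4",
}


def fake_resolve(name):
    """Stand-in resolver: the A record for `name`, or None for NXDOMAIN."""
    return LISTINGS.get(name)


def check_rbls(ip, zones, resolve=fake_resolve):
    """Return the zones that list `ip`.

    An answer inside 127.0.0.0/8 means listed. No answer means not listed, and
    so does an answer outside that range: a parked or expired list zone may
    answer every query with an unrelated address, and treating that as a
    listing would block all mail."""
    hits = []
    for zone in zones:
        answer = resolve(dnsbl_query_name(ip, zone))
        if answer is None:
            continue
        try:
            if ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8"):
                hits.append(zone)
        except ValueError:
            continue
    return hits


if __name__ == "__main__":
    zones = ["rbl-a.example", "rbl-b.example", "rbl-c.example"]
    print(check_rbls("203.0.113.10", zones))
    print(dnsbl_query_name("2001:db8::1", "rbl-a.example"))
```

The return value is the list of zones that matched rather than a single boolean so the calling policy can distinguish one listing from several, which is how a premium and a standard group can be weighted differently.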

Add Address Group

1. Go to Protect > Email > Address Group and click Add.

2. Enter a name and description.

3. Group Type: Select to add email addresses or domains to the address group.

Available Options:

RBL (IPv4) or RBL(IPv6):

Select to add RBLs of IPv4 or IPv6 addresses or domain names.

If the connecting IP address is found on the RBL, the device takes the action specified by the relevant policy.

Email Address/Domain:

Select to add the email address or domain name.

Import: Select to upload a CSV or text file.

Manual: Select to add individual email addresses or domains.

Note:

• You can import a maximum of 400 email addresses or domains in a single file.

• Invalid and duplicate entries are not imported.


Figure 213: Address Group

4. Click Save.

Relay Settings

Relay Settings appears only when MTA (Mail Transfer Agent) mode is enabled. MTA mode is available only in Sophos Firewall XG105, Cyberoam CR25iNG, Sophos UTM SG105, and higher models.

This feature requires a subscription. It can be configured but cannot be enforced without a valid Email Protection subscription.

You can configure an SF Device to act as an email relay, allowing mail servers to send emails through it. You can specify the criteria for one or all parameters.

1. Specify the criteria for Host Based Relay to allow or block the specified hosts/networks from using the device as email relay.

a) To set Allow Relay from Hosts/Networks, select from the list.

Note: Do not select Any. This causes the device to act as an open relay server, allowing anyone on the Internet, including spammers, to send messages through the device.

b) To set Block Relay from Hosts/Networks, select from the list.

2. Specify the criteria for Upstream Host to select the upstream hosts/networks from which the device allows or blocks inbound emails.

a) To set Allow Relay from Hosts/Networks, select from the list. If all of your inbound emails are routed via an upstream filtering service or ISP, enter their IP addresses here. Select Any to accept emails directly from the sender.

b) To set Block Relay from Hosts/Networks, select from the list.

Note:

• For Allow Relay from Hosts/Networks, only emails that are destined to an internal domain are accepted.

• The device allows hosts/networks specified in the Allow list even when they are part of the Block list. This can happen when you select a group or network that they belong to, or 'Any' in the Block list.

3. Specify the Authenticated Relay Settings to allow only authenticated users and groups to use the device as email relay.

a) Select Enable Authenticated Relay.

b) Select the Users or Groups from the list.

4. Click Apply.
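The following added example (not device code) models the host-based relay decision described above: the Allow list is honoured even when the same host falls inside a Block list entry, an Authenticated Relay user bypasses the host lists, and a configuration check flags an Allow list that admits the whole Internet. The default-deny for hosts in neither list and the authenticated bypass are assumptions; all addresses are constructed.

```python
"""Host-based relay evaluation modelled on the Relay Settings page: an Allow
list, a Block list, and Authenticated Relay. Added example, not device code.
Allow-over-Block is the rule the guide's note states; default-deny for
unlisted hosts and the authenticated bypass are assumptions; addresses
are constructed."""
import ipaddress

ANY = "Any"  # mirrors the 'Any' choice in the admin console


def _networks(entries):
    """Expand host/network strings; 'Any' covers every IPv4 and IPv6 address."""
    nets = []
    for entry in entries:
        if entry == ANY:
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
            nets.append(ipaddress.ip_network("::/0"))
        else:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def _listed(addr, entries):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in _networks(entries) if net.version == ip.version)


def relay_allowed(client_ip, allow, block, authenticated=False, auth_relay=False):
    """Return True if the connecting host may use the device as a mail relay.

    allow, block:  lists of hosts/networks (or 'Any') as selected in the console.
    authenticated: the SMTP session authenticated as a permitted user/group member.
    auth_relay:    Enable Authenticated Relay is switched on.
    """
    # Assumption: an authenticated user relays regardless of the host lists.
    if auth_relay and authenticated:
        return True
    # Allow list entries are honoured even when the same host falls inside a
    # Block list entry (a containing network, or 'Any').
    if _listed(client_ip, allow):
        return True
    # Explicitly blocked, or in neither list (assumption: default deny).
    return False


def is_open_relay(allow):
    """Configuration check: True if the Allow list admits the whole Internet."""
    return any(net.prefixlen == 0 for net in _networks(allow))


if __name__ == "__main__":
    print(relay_allowed("10.0.0.5", ["10.0.0.0/24"], [ANY]))   # True: Allow wins over Block
    print(relay_allowed("10.0.1.5", ["10.0.0.0/24"], [ANY]))   # False
    print(is_open_relay([ANY]))                                # True: this is the open-relay case
```

Running is_open_relay against the configured Allow list is a cheap way to catch the open-relay misconfiguration the note warns about before the device is exposed.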

File Types

A file type is a classification that is determined by file extension and MIME header. You can include file types in web policies to control access to files that match the specified criteria. The default file types contain some common criteria and you can create additional types.

Using File Types with Policy Rules

You can create file types to control access to files on a more granular level. For example, you may want to allow access to SQL files but deny access to all other database files. In this case, you would create a file type for SQL files and a policy that specifies the following rules in the following order:

1. Allow access to SQL files

2. Block access to all database files

Add File Type

1. Go to Protect > Web > File Type and click Add.

2. Type a name.

3. (Optional) Select a template.

You can select from predefined or custom file types. If you do not wish to use a template, choose Blank.

4. Specify the file extension and MIME header.


Figure 214: Add File Type
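As an added example (not device code), the following shows how a file type defined by extension and MIME header is matched, and why the order of policy rules matters for the SQL-versus-database case described above: the first matching rule decides, so swapping the two rules blocks the SQL file. The two file types, their extensions and MIME headers, and the rule list are constructed.

```python
"""File type classification by extension and MIME header, and first-match
evaluation of ordered policy rules, as the File Types section describes.
Added example, not device code: the file types, their extensions and MIME
headers, and the rule list are constructed."""
import posixpath


class FileType:
    def __init__(self, name, extensions, mime_headers):
        self.name = name
        self.extensions = {e.lower().lstrip(".") for e in extensions}
        self.mime_headers = {m.lower() for m in mime_headers}

    def matches(self, filename, mime_header):
        """A file belongs to the type if either its extension or its MIME header is listed."""
        ext = posixpath.splitext(filename)[1].lstrip(".").lower()
        mime = mime_header.split(";")[0].strip().lower()  # drop parameters such as charset
        return ext in self.extensions or mime in self.mime_headers


# Constructed definitions: "SQL files" is a subset of "Database files".
SQL_FILES = FileType("SQL files", {"sql"}, {"application/sql"})
DATABASE_FILES = FileType(
    "Database files",
    {"sql", "mdb", "accdb", "sqlite", "db"},
    {"application/sql", "application/x-msaccess", "application/vnd.sqlite3"},
)

# Rules are evaluated top to bottom; the first matching rule decides.
RULES = [("allow", SQL_FILES), ("block", DATABASE_FILES)]


def decide(filename, mime_header, rules=RULES, default="allow"):
    """Return (action, matched file type name); default applies when no rule matches."""
    for action, file_type in rules:
        if file_type.matches(filename, mime_header):
            return action, file_type.name
    return default, None


if __name__ == "__main__":
    print(decide("schema.sql", "application/sql"))               # ('allow', 'SQL files')
    print(decide("crm.mdb", "application/x-msaccess"))           # ('block', 'Database files')
    print(decide("schema.sql", "application/sql", RULES[::-1]))  # ('block', 'Database files')
```

Because a type matches on the MIME header as well as the extension, a database file renamed to .txt is still caught when the server labels it with a database MIME type.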

Quarantine Digest

Quarantine Digest is available only in Sophos Firewall XG105, Cyberoam CR25iNG, Sophos UTM SG105, and higher models.

This feature requires a subscription. It can be configured but cannot be enforced without a valid Email Protection subscription.

Quarantine Digest allows you to set the frequency at which the digest email is sent to the user. You can enable or disable user access to quarantined emails on the user portal. You can also enable quarantine digest for all users or to specific users and groups.

Quarantine Digest provides the date and time of message receipt, sender and recipient's email addresses and subject of the message.

Quarantine Digest Settings for All Users

1. Go to Protect > Email > Quarantine Digest.

2. Select Enable Quarantine Digest to email the digest to all users.

a. Set the Email Frequency of the digest. Set the interval, time, and day of week, based on the selection.

b. In the From Email Address box, enter the address from which the email is to be sent.

c. In the Display Name box, specify the name of the quarantine digest sender.

d. Click Send Test Email. Enter the To Email Address and click Send.

e. To set the IP address of the user portal, select the Reference User Portal IP from the list.

Note: Users located behind the selected port can click the "My Account" link in the digest email to gain access to quarantined emails on the user portal. Others can access the user portal by typing https://<IP Address of SF Device> in the browser.

Example: If Port1 is selected as the Reference User Portal IP, only users located behind Port1 will be redirected to the user portal when they click on "My Account".

3. Click Apply.

Override Quarantine Digest Settings for Specific Users

1. Go to Protect > Email > Quarantine Digest.

2. Click Change User's Quarantine Digest Settings, to apply the settings to specific users or groups.


3. Select the users or groups.

4. Click Apply.

Figure 215: Quarantine Digest

Legacy Mode

Policies

This feature requires a subscription. It can be configured but cannot be enforced without a valid Email Protection subscription.

This page allows configuration of SMTP Route and Scan Policies, SMTP Malware Scan Policies, SMTP Spam Scan Policies and POP-IMAP Scan Policies:

• SMTP Route and Scan Policies (MTA Mode)

• SMTP Malware Scan Policies (Legacy Mode)

• SMTP Spam Scan Policies (Legacy Mode)

• POP3-IMAP Scan Policies (MTA and Legacy Mode)

SMTP Route and Scan Policies

SMTP Route and Scan policies appear only when MTA (Mail Transfer Agent) mode is enabled. MTA mode is available only in Sophos Firewall XG105, Cyberoam CR25iNG, Sophos UTM SG105, and higher models.

The device allows you to create SMTP Route and Scan policies, which can be used to protect multiple domains on your internal email server(s). Using these policies, the device protects the server(s) from remote attacks and additionally provides powerful virus scanning, email encryption and email filtering services.

Click Add Policy and then SMTP Route & Scan to add a new policy. To update an existing policy, click the desired policy.

SMTP Malware Scan Policies

SMTP Malware Scan policies appear only when Legacy mode is enabled. The device acts as a transparent proxy.

SMTP Malware Scan policies allow you to define the action to be taken on emails if they are virus-infected or contain a protected attachment. Based on the action defined in the rule, such emails can be delivered as they are, dropped, or cleaned and then delivered or quarantined.


A Malware Scan policy defines:

• whether to quarantine the email

• whether sender, receiver or administrator are to be notified

• whether to block the email containing a specified file type

• what action is to be taken if email is infected or contains a protected attachment: deliver as it is, drop, clean and then deliver

Note: You can also view the Quarantine from Protect > Email > SMTP Quarantine page.

A default SMTP Malware Scan policy named default-smtp-av is pre-configured in the device and applied to all SMTP traffic as soon as you subscribe to the Email Protection Module. We recommend that you create separate rules fine-tuned to your specific network requirements to minimize the possibility of threats.

Click Add Policy and then SMTP Malware Scan to add a new policy. To update an existing policy, click the desired policy.

SMTP Spam Scan and POP-IMAP Scan Policies

SMTP Spam Scan policies appear only when Legacy mode is enabled.

POP-IMAP Scan policy is available in both MTA and Legacy modes.

When you subscribe to the Email Protection Module, SMTP Spam Scan and POP-IMAP Scan policies can be configured for particular senders and recipients.

A policy defines the action to be taken if an email is detected as Spam, Probable Spam, part of Virus Outbreak or Probable Virus Outbreak.

To reduce the risk of losing legitimate messages, the Spam Quarantine repository (a storage location) provides administrators with a way to automatically quarantine emails that are identified as spam. This helps in managing spam and probable spam quarantined mails so that the user can take appropriate actions on such emails.

A default POP-IMAP Scan policy named default-pop-av is pre-configured in the device and applied to all POP3/S and IMAP/S traffic so that whenever a virus gets detected in an email, the virus-affected attachment is stripped from the email and the email body is replaced with a notification message.

Detection of Spam attributes

The device uses Content Filtering, and premium and standard Realtime Blackhole Lists (RBLs) to check for the spam attributes in SMTP/S, POP3/S and IMAP/S emails:

• Premium

• Standard

An RBL is a list of IP Addresses whose owners refuse to stop the proliferation of spam, that is, owners who are responsible for spam or whose hosts are hijacked for spam relay. The device checks each RBL for the connecting IP Address. If the IP Address matches one on the list, then the action specified in the policy is taken.
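The following added example (not device code) shows how the RBL check of the connecting IP address works in general: the address is reversed into a DNS query name under the list's zone (dotted octets for IPv4, the 32 hex nibbles for IPv6, which is the usual DNSBL convention), and a 127.0.0.0/8 answer means the address is listed. The zone name rbl.example and the stubbed DNS answers are constructed placeholders, not any real list.

```python
"""How an RBL (DNS blocklist) lookup is formed and interpreted for the
connecting IP address, for both IPv4 and IPv6. Added example, not device
code: the zone 'rbl.example' and the stubbed DNS answers are constructed
placeholders, not any real list."""
import ipaddress

LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")  # DNSBLs answer with 127.x.y.z when listed


def rbl_query_name(addr, zone):
    """IPv4: reverse the dotted octets; IPv6: reverse the 32 expanded hex nibbles."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        labels = str(ip).split(".")[::-1]
    else:
        labels = list(ip.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone


# Constructed stand-in for a DNS resolver: query name -> A records.
STUB_ANSWERS = {
    rbl_query_name("192.0.2.1", "rbl.example"): ["127.0.0.2"],       # listed
    rbl_query_name("2001:db8::1", "rbl.example"): ["127.0.0.4"],     # listed
    rbl_query_name("198.51.100.7", "rbl.example"): ["10.0.0.1"],     # not a listing answer
}


def resolve_a(name, answers=STUB_ANSWERS):
    return answers.get(name, [])


def is_listed(addr, zones, resolve=resolve_a):
    """True if any zone returns an answer inside 127.0.0.0/8 for this address.

    Answers outside that range are ignored: some lists use them to signal an
    error or a blocked resolver rather than a listing."""
    for zone in zones:
        for record in resolve(rbl_query_name(addr, zone)):
            if ipaddress.ip_address(record) in LISTED_RANGE:
                return True
    return False


def connection_action(addr, zones, listed_action="Reject", resolve=resolve_a):
    """Apply the action the policy specifies for an RBL hit; otherwise accept."""
    return listed_action if is_listed(addr, zones, resolve) else "Accept"


if __name__ == "__main__":
    print(rbl_query_name("192.0.2.1", "rbl.example"))      # 1.2.0.192.rbl.example
    print(connection_action("192.0.2.1", ["rbl.example"]))  # Reject
```

In production the resolver must be a DNS lookup against the list operator's zone, and a lookup that times out or returns a non-127/8 code should be treated as "unknown", not as a listing.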

Add SMTP Malware Scan Policy

SMTP Malware Scan policies appear only when Legacy mode is enabled. The device acts as a transparent proxy.

This feature requires a subscription. It can be configured but cannot be enforced without a valid Email Protection subscription.

The Add SMTP Malware Scan Policy page allows you to configure scan policy to detect malware in Email traffic and take appropriate action.

1. Go to Email > Policies, click Add policy and then click SMTP Malware Scan.

2. Enter a Name to identify the scan rule.

3. Enter Email Address/Domain Group details.

Sender

Select the sender name from the list of users.

Select Any if the rule is to be applied on all the senders.

You can also add RBLs or list of Email addresses by clicking Create New link.

Recipient

Select the recipient name from the list of users.

Select Any if the rule is to be applied on all the recipients.

You can also add RBLs or list of Email addresses by clicking Create New link.

Figure 216: Email Address/Domain Group

4. Enter Attachment Filter details.

Block File Types

Select file types to be blocked as an attachment to remove all the files that are a potential threat and to prevent virus attacks.

More than one file type can be selected using ctrl/shift keys.

The device contains a default list of File Types, with each Type containing the relevant file extensions.

Refer to Email > File Type to view the list of file extensions which can be blocked.

Select All to block Emails with any type of attachments.

Select None to allow Emails with any type of attachments.

MIME Whitelist

If one or more File Type is selected in Block File Type, this field is populated with the corresponding MIME Headers that belong to selected File Type(s).

Select the MIME Header(s) of the selected File Type(s). Only selected headers are to be allowed while the rest in the selected File Type are to be blocked during Anti-virus scanning of Email attachments.

Figure 217: Attachment Filter

5. Specify Malware Filter details.

Scanning

Select the scanning action.

Available Actions:


Disable: Emails are not scanned.

Enable: Emails are scanned by the device's anti-virus engine.

Note:

In Sophos Firewall XG105, Cyberoam CR500iNG, Sophos UTM SG105, and higher models, Enable is replaced by the following options.

Single Anti-Virus: The primary anti-virus engine scans the emails.

Dual Anti-Virus: The primary and secondary engines scan emails sequentially.

Select the Primary Anti-Virus Engine from Protect > Email > General Settings > Malware Protection.

Action (Available only if Scanning is enabled)

Enable the action to be taken on the mails received, from the available options:

Quarantine: If enabled, copies the Email to the quarantine file list. The Email is either delivered to the recipient or dropped, as per the configured Recipient Action. You can view the Email details like sender and receiver of the Email in the Quarantine. The Administrator can access the Quarantine from Email > SMTP Quarantine, while users can access it from their respective User Portal.

Notify Sender: If enabled, the original message is withheld by the Device and a notification is sent to the sender informing that the Email was infected. The sender will receive the notification only if the Receiver Action is configured as Don't Deliver.

Default - Disable

Delivery Option for Infected Attachment/Protected Attachment (Available only if Scanning is enabled)

Recipient Action

Select the action to be taken on the message that is detected to be Infected, Suspicious or includes a

Protected Attachment.

Available Options:

Don't Deliver: Receiver will not receive the message and will also not receive the notification regarding the infected Email.

Deliver Original: Receiver receives the original Email.

Remove and Deliver: The infected part of the Email is removed before delivering. Receiver will also receive a notification stating that the Email was infected and the infected portion of the Email was removed. Not applicable for Blocked Attachments (Block File Type).

Note: Protected attachments are not scanned but receiver will be notified, if not specified otherwise.

Notify Administrator

Select the action to notify the Administrator for the message detected to be Infected, Suspicious or includes a Protected Attachment.

Available Options:

Don't Deliver: Administrator will not be notified about the infected Email.

Send Original: Administrator receives the original Email.

Remove Attachment: Recipient receives the message without the attachment, and the Administrator receives a notification that the Email attachment was infected and removed before delivering the Email.

Note: Protected attachments are not scanned but receiver will be notified, if not specified otherwise.


Figure 218: Malware Filter

6. Click Save.
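The Attachment Filter fields of step 4 (Block File Types, MIME Whitelist, and the All/None choices) can be modelled as follows. This is an added example, not device code: the file type table and the sample message are constructed, and the filter keys on the declared MIME header only, whereas the device also classifies by file extension.

```python
"""Attachment filtering as the Block File Types and MIME Whitelist fields
describe it: blocking whole file types, re-allowing chosen MIME headers
within them, and the All/None shortcuts. Added example, not device code:
the file type table and the sample message are constructed."""
from email import message_from_string

# Constructed table: file type name -> MIME headers belonging to it.
FILE_TYPES = {
    "Executable": {"application/x-msdownload", "application/x-executable"},
    "Archive": {"application/zip", "application/x-7z-compressed"},
    "Office": {"application/msword", "application/vnd.ms-excel"},
}


def blocked_mime_headers(block_file_types, mime_whitelist=(), table=FILE_TYPES):
    """Headers that stay blocked: the selected types' headers minus the whitelist.

    Returns None for 'All' (every attachment is blocked) and an empty set for 'None'."""
    if block_file_types == "All":
        return None
    if block_file_types == "None":
        return set()
    selected = set().union(*(table[name] for name in block_file_types))
    return selected - set(mime_whitelist)


def scan_attachments(raw_message, block_file_types, mime_whitelist=()):
    """Return ('blocked', content_type) for the first blocked attachment, else ('clean', None).

    The declared Content-Type is sender-controlled; a production filter also
    classifies by extension and by file content rather than trusting this header."""
    blocked = blocked_mime_headers(block_file_types, mime_whitelist)
    msg = message_from_string(raw_message)
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        content_type = part.get_content_type()
        if blocked is None or content_type in blocked:
            return "blocked", content_type
    return "clean", None


# Constructed sample: one text body and one zip attachment.
SAMPLE_MESSAGE = """\
From: alice@example.com
To: bob@example.com
Subject: files
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

see attached
--b1
Content-Type: application/zip; name="a.zip"
Content-Disposition: attachment; filename="a.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""

if __name__ == "__main__":
    print(scan_attachments(SAMPLE_MESSAGE, {"Archive"}))                       # ('blocked', 'application/zip')
    print(scan_attachments(SAMPLE_MESSAGE, {"Archive"}, {"application/zip"}))  # ('clean', None)
```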

Add SMTP Spam Scan Policy

SMTP Spam Scan policies appear only when Legacy mode is enabled. The device acts as a transparent proxy.

This feature requires a subscription. It can be configured but cannot be enforced without a valid Email Protection subscription.

The Add SMTP Spam Scan Policy page allows you to configure a scanning policy to detect incoming and outgoing spam in email traffic and take appropriate action.

1. Go to Email > Policies, click Add Policy and then click SMTP Spam Scan.

2. Enter a Name for the policy.

3. Enter Email Address/Domain Group details.

Sender

Specify Email Address(es) of the Sender(s). You can select from:

Contains: Specify keywords to be matched with Sender Email Addresses. The rule applies to Address(es) containing those keywords. For example, if the keyword "mail" is specified, the rule will apply to Sender Email Addresses [email protected], [email protected], etc.

Equals: Specify the exact Email Address(es) of the Sender(s).

You can also add RBLs, a list of Email Addresses or keywords using the Create New link.

Recipient

Specify Email Address(es) of the Recipient(s). You can select from:

Contains: Specify keywords to be matched with Recipient Email Addresses. The rule applies to Address(es) containing those keywords. For example, if the keyword "mail" is specified, the rule will apply to Recipient Email Addresses [email protected], [email protected], etc.

Equals: Specify the exact Email Address(es) of the Recipient(s).

You can also add RBLs, a list of Email Addresses or keywords using Create New link.

Figure 219: Email Address/Domain Group

4. Select the Filter Criteria.

Inbound Email is

All the Emails that are received by the users in their inbox are referred to as Inbound.

If you select Inbound Spam, all the Emails received by the users are scanned for spam and viruses by the Device.

The specified action will be taken if the Device has identified the Inbound Email to be one of the following:

• Spam

• Probable Spam

• Virus Outbreak

• Probable Virus Outbreak

Outbound Email is

Emails that are sent by a user in the network to a remote user on another Email system are referred to as Outbound.

If you select Outbound Spam, all the Emails sent by the local users are scanned for spam and viruses by the Device before being delivered.

The specified action will be taken if the Device has identified the Outbound Email to be one of the following:

• Spam

• Probable Spam

• Virus Outbreak

• Probable Virus Outbreak

Source IP/Network Address

Specify the action to be taken when the Email sender IP Address matches the specified IP Address.

Destination IP/Network Address

Specify the action to be taken when the Email recipient IP Address matches the specified IP Address.

Sender Remote Blacklist

Specify the action to be taken when the sender is listed in the specified RBL Group.

Message Size

The specified action will be taken if the Email size matches the specified size.

Message Header

The specified action will be taken if the message header equals or contains the specified text.

Contains: Specify keywords to be matched with Message Header. The rule applies to Header(s) containing those keywords.

Equals: Specify the exact Header(s) to be scanned.

You can scan message header for Spam in:

Subject: The specified action will be taken if the header contains the matching subject.

From: The specified action will be taken if the header contains the matching text in the From address.

To: The specified action will be taken if the header contains the matching text in the To address.

Other: The specified action will be taken if the matching text is found in the headers.


Data Control List

The specified action will be taken if the message contains data matching the configured Data Protection Policy. You can create Data Protection Policies at Email > Data Control List.

Note: Data Protection is applicable on outbound emails only.

None

Select this to create a rule for email between a specific sender and recipient without any conditions.

You can set actions for SMTP/S and POP/S-IMAP/S mails only on the basis of sender and recipient.


Figure 220: Filter Criteria

5. Select the Action.

Action

Select action to be taken for the SMTP/S traffic.

Available Options:

Reject: Email is rejected and a rejection notification is sent to the Email sender.

Accept (Not available for Outbound Spam): Email is accepted and delivered to the intended recipient. The Administrator can bind an SPX Template to this action so that the Email is delivered to the intended recipient after being SPX-encrypted.

Note: SPX Encryption is applicable on outbound emails only.

Change Recipient: Email is accepted but is not delivered to the intended recipient for whom the message was originally sent. Email is sent to the recipient specified in the spam policy.

Prefix Subject (Not available for Outbound Spam): Email is accepted and delivered to the intended recipient but after tagging the subject line. The Administrator can bind an SPX Template to this action so that the Email is delivered to the intended recipient after being SPX-encrypted. Tagging content is specified in the To field. You can customize subject tagging in such a way that the recipient knows that this is a spam Email. For example:

Contents to be prefixed to the original subject: 'Spam notification from the Device -'

Original subject: 'This is a test'

Recipient will receive Email with the subject line: 'Spam notification from the Device - This is a test'

Drop: Email is rejected but a rejection notification is not sent to the Email sender.

SPX Template

If the action selected is Accept, Prefix Subject or Accept with SPX, select the SPX Template to be applied to the Email. You can create SPX Templates from Email > Encryption.

Note: SPX Encryption is applicable on outbound emails only.

Quarantine

If this is enabled, the device does not deliver Email but copies it to the quarantine file list. You can view the Email details like the sender and recipient in the quarantined file list.


6. Click Save.
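The following added example (not device code) evaluates SMTP Spam Scan policies the way steps 3 to 5 describe them: sender and recipient matching by Contains or Equals, one Filter Criteria entry per policy (Inbound Email is, Source IP/Network Address, Message Size, Message Header including the Other headers, or None), and the Reject, Accept, Change Recipient, Prefix Subject and Drop actions. The one-criterion-per-policy shape and the reading of Message Size as "larger than" are assumptions; the sample message, addresses and networks are constructed.

```python
"""Evaluation of SMTP Spam Scan policies: sender/recipient selectors
(Any/Contains/Equals), one Filter Criteria entry, and the Reject / Accept /
Change Recipient / Prefix Subject / Drop actions. Added example, not device
code: one criterion per policy is an assumption, and the sample message,
addresses and networks are constructed."""
import ipaddress
from email import message_from_string

VERDICTS = {"Spam", "Probable Spam", "Virus Outbreak", "Probable Virus Outbreak"}


def address_matches(value, selector):
    """selector is ('Any', None), ('Contains', [keywords]) or ('Equals', [addresses])."""
    kind, items = selector
    if kind == "Any":
        return True
    value = value.lower()
    if kind == "Equals":
        return value in {a.lower() for a in items}
    return any(k.lower() in value for k in items)


def header_values(msg, field):
    """'Other' means every header except Subject, From and To."""
    if field == "Other":
        return [v for k, v in msg.items() if k.lower() not in ("subject", "from", "to")]
    return msg.get_all(field, [])


def criterion_matches(msg, verdict, source_ip, criterion):
    kind, spec = criterion
    if kind == "None":
        return True
    if kind == "Inbound Email is":
        return verdict in spec  # spec: a subset of VERDICTS
    if kind == "Source IP/Network Address":
        ip = ipaddress.ip_address(source_ip)
        return any(ip in ipaddress.ip_network(n, strict=False) for n in spec)
    if kind == "Message Size":
        return len(msg.as_bytes()) > spec  # assumption: 'matches' means exceeds spec bytes
    if kind == "Message Header":
        field, match, text = spec
        values = header_values(msg, field)
        if match == "Equals":
            return any(v.strip() == text for v in values)
        return any(text.lower() in v.lower() for v in values)
    raise ValueError("unknown criterion " + kind)


def apply_action(msg, action, value=None):
    """Return (disposition, message). Reject notifies the sender; Drop does not."""
    if action in ("Reject", "Drop"):
        return action.lower(), msg
    if action == "Change Recipient":
        del msg["To"]
        msg["To"] = value
    elif action == "Prefix Subject":
        subject = msg.get("Subject", "")
        del msg["Subject"]
        msg["Subject"] = value + subject
    return "deliver", msg  # Accept, Change Recipient, Prefix Subject


def evaluate(raw_message, verdict, source_ip, policies):
    """First policy whose sender, recipient and criterion all match wins; else deliver unchanged."""
    msg = message_from_string(raw_message)
    for policy in policies:
        if (address_matches(msg.get("From", ""), policy["sender"])
                and address_matches(msg.get("To", ""), policy["recipient"])
                and criterion_matches(msg, verdict, source_ip, policy["criterion"])):
            return apply_action(msg, policy["action"], policy.get("value"))
    return "deliver", msg


# Constructed sample message and policies.
SAMPLE = """\
From: promo@mail.example.net
To: bob@example.com
Subject: This is a test
X-Campaign: spring

body
"""

POLICIES = [
    {"sender": ("Any", None), "recipient": ("Any", None),
     "criterion": ("Inbound Email is", {"Virus Outbreak", "Probable Virus Outbreak"}),
     "action": "Drop"},
    {"sender": ("Contains", ["mail"]), "recipient": ("Equals", ["bob@example.com"]),
     "criterion": ("Inbound Email is", {"Spam", "Probable Spam"}),
     "action": "Prefix Subject", "value": "Spam notification from the Device - "},
    {"sender": ("Any", None), "recipient": ("Any", None),
     "criterion": ("Message Header", ("Other", "Contains", "spring")),
     "action": "Change Recipient", "value": "quarantine-review@example.com"},
]

if __name__ == "__main__":
    disposition, out = evaluate(SAMPLE, "Spam", "198.51.100.5", POLICIES)
    print(disposition, out["Subject"])  # deliver Spam notification from the Device - This is a test
```

Policy order matters here exactly as it does on the device: the Drop rule for outbreaks sits first so that a virus-outbreak message never reaches the subject-tagging rule.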

Add POP-IMAP Scan Policy

This feature requires a subscription. It can be configured but cannot be enforced without a valid Email Protection subscription.

Add a POP-IMAP scan policy to detect incoming and outgoing spam in POP/S and IMAP/S traffic.

1. Go to Protect > Email > Policies and click POP-IMAP Scan.

2. Enter a Name for the policy.

3. Enter email address or domain group details.

Sender

To specify the sender email addresses, select from the following options:

Contains: Specify the keywords to be matched with the senders' email addresses. Example:

If you specify the keyword 'mail', the rule applies to senders' email addresses such as [email protected], [email protected].

Equals: Specify the senders' exact email addresses.

To add a list of keywords or email addresses, click Create New.

Recipient

To specify the recipient email addresses, select from the following options:

Contains: Specify the keywords to be matched with the recipient email addresses. Example:

If you specify the keyword 'mail', the rule applies to recipient email addresses such as [email protected], [email protected].

Equals: Specify the recipients' exact email addresses.

To add a list of keywords or email addresses, click Create New.

Figure 221: Email Address/Domain Group

4. Select from the following Filter Criteria based on which the specified action is to be taken:

Inbound Email is

Select from the following options:

• Spam

• Probable Spam

• Virus Outbreak

• Probable Virus Outbreak

Source IP/Network Address

Sender's IP address matches the specified IP address.

Message Size

Sender's email size matches the specified restriction of message size.

Message Header

Select from the following message headers to match the specified keyword:

• Subject

• From

• To

• Other

Select the type of keyword match from the following options:

Contains: Specify the keywords to be matched with the message header.

Equals: Specify the exact match to the actual headers.

None

Select to create a policy between specific senders and recipients without imposing any other condition.


Figure 222: Filter Criteria

5. Select the action.

Action

Available Options:

Accept: Email is accepted and delivered to the intended recipient.

Prefix Subject: Email is accepted and delivered to the intended recipient after adding a prefix to the subject line. Specify the prefix in the To field. You can set the prefix to indicate the filter criteria.

Example:

Original subject line: Test mail

Tagged content: Probable Spam

Recipient receives email with the subject line: 'Probable Spam: Test mail'

6. Click Save.

Data Control List

This feature requires a subscription. It can be configured but cannot be enforced without a valid Email Protection subscription.

This feature is available in Cyberoam Models CR15iNG and above, and all Sophos UTM and Sophos Firewall Models.

You can create a Data Control List of confidential data by selecting from the Content Control List (CCL). The device provides CCLs based on expert definitions for common financial and personally identifiable data types (example: credit card and social security numbers, postal and email addresses).

Subsequently, you can use Data Control Lists to set Data Protection for emails.
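The following added example (not Sophos's CCL definitions) shows the kind of content detection a CCL performs on outbound mail text: credit card numbers validated with the Luhn checksum so that random digit runs are not reported, US Social Security numbers by pattern, and findings reported masked so that the sensitive value itself never reaches a log or notification. The patterns and the sample text are constructed.

```python
"""Content detection of the kind a Content Control List performs: credit
card numbers (Luhn-validated) and US Social Security numbers in outbound
mail text, reported masked. Added example, not Sophos's CCL definitions:
the patterns and the sample text are constructed."""
import re

# 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits):
    """Luhn checksum; rules out most digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(digits):
    """Never carry the full value into logs or notifications: keep the last four digits."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_card_numbers(text):
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(mask(digits))
    return found


def find_ssns(text):
    return [mask(m.group().replace("-", "")) for m in SSN_RE.finditer(text)]


def classify(text):
    """Return the CCL categories hit, with masked matches; an empty dict means no sensitive data."""
    hits = {}
    cards = find_card_numbers(text)
    if cards:
        hits["credit_card"] = cards
    ssns = find_ssns(text)
    if ssns:
        hits["ssn"] = ssns
    return hits


def data_protection_action(text, action_on_hit="SPX Encrypt"):
    """Apply the Data Protection policy's action when a CCL matches; otherwise deliver."""
    return action_on_hit if classify(text) else "Deliver"


# Constructed sample: one Luhn-valid card number, one invalid digit run, one SSN.
SAMPLE_TEXT = ("Invoice 1234567890123456 attached. Card 4111 1111 1111 1111, "
               "SSN 123-45-6789, order ref 2024-06-01.")

if __name__ == "__main__":
    print(classify(SAMPLE_TEXT))                 # {'credit_card': ['************1111'], 'ssn': ['*****6789']}
    print(data_protection_action(SAMPLE_TEXT))   # SPX Encrypt
```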

Add a Data Control List

This feature requires a subscription. It can be configured but cannot be enforced without a valid Email Protection subscription.

This feature is available in Cyberoam Models CR15iNG and above, and all Sophos UTM Models.

Add Data Control List allows you to create a list of confidential data types. The device provides Content Control Lists (CCL) based on expert definitions for common financial and personally identifiable data types.

1. Go to Protect > Email > Data Control List and click Add.

2. Enter the name.

3. Select the CCLs (Content Control List) from the list. Filter the CCLs based on Type and Region.


Figure 223: Data Control List

4. Click Save.

SMTP Quarantine

SMTP Quarantine is available only in Sophos Firewall XG105, Cyberoam CR25iNG, Sophos UTM SG105, and higher models.

This feature requires a subscription. It can be configured but cannot be enforced without a valid Email Protection subscription.

The SMTP Quarantine allows you to filter the quarantined emails. The page displays all the emails quarantined by the device if they are found to be:

• From a blocked Source IP Address

• Destined to a blocked Destination IP Address

• Virus-infected

• Oversized

• Containing a Blocked Header

• Containing unscannable content or a protected attachment

• Blocked by an RBL

• Blocked by a Data Protection (DP) policy

• Spam

• Found malicious by Sandstorm

• Quarantined due to any other reason

Use the filter to search for mails from the list of quarantined emails.

The filter result displays a list of all the quarantined emails based on the filter criteria.

Total utilization displays the percentage of the quarantine area used by quarantined emails. Once the quarantine repository is full older emails are purged.

Quarantine Digest


The Quarantine Digest is an email containing a list of quarantined emails filtered by the device and held in the user's quarantine area. If configured, the user receives a Quarantine Digest as per the frequency set in Email > Quarantine Digest. The digest also provides a link to the User Portal from where the user can access quarantined emails and take the required action.

Releasing Quarantined Email

Either the Administrator or the user can release the quarantined Emails. The Administrator can release the quarantined Emails from the Quarantine Area, while the user can release them from their User Portal. Released quarantined Emails are delivered to the intended recipient's inbox. The Administrator can access the Quarantine Area from Email > SMTP Quarantine, while the user can log on to the User Portal and access the Quarantine Area from SMTP Quarantine. If Quarantine Digest is configured, the user will receive a Digest of the quarantined mails as per the configured frequency.

Note:

• Virus-infected emails and the emails found malicious by Sandstorm cannot be released.

• To delete Sandstorm related emails, you need Read-Write permission for Sandstorm Activity.

Figure 224: SMTP Quarantine

Encryption

SPX Encryption is available in Sophos Firewall XG105 and higher models, Cyberoam CR25iNG and higher models, and all Sophos UTM Models.

This feature requires a subscription. It can be configured but cannot be enforced without a valid Email Protection subscription.

What is SPX Encryption?

SPX (Secure PDF Exchange) encryption is a next-generation version of email encryption. It is clientless and extremely easy to set up and customize in any environment. Using SPX encryption, email messages and any attachments sent to the Device are converted to a PDF document, which is then encrypted with a password. You can configure the Device to allow senders to select passwords for the recipients, or the server can generate the password for the recipient and store it for that recipient, or the server can generate one-time passwords for recipients.

When SPX encryption is enabled, there are two ways in which emails can be SPX encrypted:

• The user can download the Sophos Outlook Add-in from User Portal. After having it installed, an Encrypt button is displayed in the Microsoft Outlook user interface. To encrypt a single message, the user needs to click the Encrypt button and then write and send the message.

Note:

If you do not use Outlook you can also trigger SPX encryption by setting the header field X-Sophos-SPX-Encrypt to "yes".

• In the Data Protection feature, you can enforce SPX encryption of Emails containing sensitive data (see Email > Policies > SMTP Policy).


The encrypted message is then sent to the recipient's mail server. Using any PDF reader, the recipient can decrypt the message with the password that was used to encrypt the PDF. SPX-encrypted email messages are accessible on all popular smartphone platforms that have native or third-party PDF file support, including Android, iOS, Blackberry and Windows Mobile devices.

The SPX-encrypted email contains a Reply button which links to the SPX Reply Portal. Using the SPX Reply Portal, the recipient is able to reply to the email in a secure way.

SPX Configuration

Default SPX Template

Select the SPX Template to be used by default. The Default Template is used if any user explicitly SPX-encrypts an email and no template is selected in the Content Scanning Rule.

The user can SPX-encrypt an Email by:

• Manually setting the Email header X-Sophos-SPX-Encrypt to "yes".

• Installing the Sophos Outlook Add-on and clicking Encrypt before sending the Email.

If the Default SPX Template is set to None, then SPX encryption is not applied to Email.

Keep Unused Password for

Enter the expiry time in days of an unused password.

For example, if Keep Unused Password for is set to 3 days, the password will expire at 0 o'clock 3 days after being generated if no SPX encrypted message has been sent for a specific recipient.

Default: 30 days

Allow Password Registration for

Enter the time in days after which the link to Password Registration Portal expires.

Default: 10 days

Send Error Notification To

Specify whom to send a notification when an SPX error occurs. You can send the notification to the sender or you can send no notification at all. Error messages will always be listed in the SMTP log.

Figure 225: SPX Configuration

SPX Portal Settings

Hostname

Enter the IP Address or Domain on which the Password Registration Portal is hosted.

Allowed Network(s)

Enter the networks from which password registration requests will be accepted.

Port

Enter the port on which the SPX Password Registration Portal should listen.


Default: 8094

Figure 226: SPX Portal Settings

SPX Password Reset

Reset Password for

Enter the Email Address for the recipient for whom you want to reset the password. New SPX email to this address requires the recipient to obtain a new password from the sender.

Figure 227: Password Reset

SPX Templates

The SPX template defines the layout of the PDF file, password settings and recipient instructions. You can also define different SPX templates. So, if you are managing various customer domains, you can assign them customized SPX templates containing, for example, different company logos and texts.

This page allows you to add, edit and delete SPX templates.

Figure 228: SPX Templates

Add SPX Templates

SPX Encryption is available in Sophos Firewall XG105 and higher models, Cyberoam CR25iNG and higher models, and all Sophos UTM Models.

This feature requires a subscription. It can be configured but cannot be enforced without a valid Email Protection subscription.

This page allows you to define new SPX Templates or modify existing templates.

1. Go to Protect > Email > Encryption > SPX Templates and click Add.

2. Enter parameter values for the following basic settings.

Name

Specify the name to uniquely identify the template. The name should be a string containing alphanumeric and special characters EXCEPT forward slash (/), backslash (\), comma (,), double quote (") and single quote (').

Description

Specify details of the template.

Organization Name

Specify the organization name to be displayed on notifications concerning SPX sent to the administrator or the email sender, depending on your settings.

PDF Encryption

Select the encryption standard of the PDF file.

Page Size

Select the page size of the PDF file.


Figure 229: General Settings

3. Enter Password Settings.

Password Type

Select how you want to generate the password for accessing the encrypted email message. The sender always has to take care of transferring the password in a safe way to the recipient, unless you select Specified by recipient.

Available Options:

Specified by Sender:

If you select this, the email sender should provide the password. The sender has to enter the password into the Subject field, using the following format:

[secure:<password>]<subject text> where <password> is the password to open the encrypted PDF file and <subject text> is the actual subject. The password is removed by the Device before the email is sent to the recipient.

Generated one-time password for every email:

The Device automatically creates a new password for each affected email. An email notification is mailed to the sender containing instructions and the one-time generated password.

The HTML content of this Email can be customized from Notification Subject and Notification Body. You can reset to the default content by clicking Reset.

Generated and stored for recipient:

The Device automatically creates a recipient-specific password when the first email is sent to a recipient. This password will be sent to the sender. With the next email, the same password is used automatically. The password will expire when it is not used for a configured time period, and it can be reset by the administrator, see Encryption.

The HTML content of this Email can be customized from Notification Subject and Notification Body. You can reset to the default content by clicking Reset.

Specified by recipient:

If you select this, the email recipient should provide the password. The recipient receives an email notification containing a link leading to the Password Registration Portal to register a password and the Sender receives a failure notification. After registration, the recipient is able to view the current encrypted mail and any future encrypted mails using the same password from this or other senders from the same organization.

Note: The recipient's password generated via Specified by recipient and the one generated via Generated and stored for recipient are mutually exclusive. The recipient has to use the respective password when an email is received after SPX Encryption using a different method.


Figure 230: Password Settings

4. Specify Recipient Instructions:

Instructions for Recipient

The body of the email that is sent from the Device to the email recipient containing instructions concerning the encrypted email. Simple HTML markup and hyperlinks are allowed. You can also use variables, e.g., %%ORGANIZATION_NAME%%

Tip: The Default SPX Template on this tab contains all available variables and gives a useful example of recipient instructions. The variables used are:

• ENVELOPE_TO: The recipient for whom the password is generated.

• PASSWORD: The password to open the SPX-encrypted email.

• ORGANIZATION_NAME: The name provided in the Organization Name field.

• SENDER: The sender of the email.

• REG_LINK: The link to the Registration Portal for registering the password.
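The two mechanisms described above, the sender-side subject tag and the %%VARIABLE%% placeholders in the recipient instructions, as an added example. This is not Sophos code: the five variable names are the ones listed in the Tip, while the regular expressions, the rule that an unresolved variable is an error, and the helper prepare_spx_message() are assumptions made for this example.

```python
import re

# Added example, not Sophos code: models the sender-side "[secure:<password>]<subject>"
# convention of the Specified by Sender option and the %%VARIABLE%% expansion used in
# Instructions for Recipient. The five variable names are the ones the guide lists;
# the regexes, the fail-loudly rule for unknown variables and prepare_spx_message()
# are assumptions made for this example.

SECURE_TAG = re.compile(r"^\s*\[secure:(?P<pw>[^\]]+)\]\s*(?P<subj>.*)$", re.DOTALL)
PLACEHOLDER = re.compile(r"%%([A-Z_]+)%%")
KNOWN_VARS = {"ENVELOPE_TO", "PASSWORD", "ORGANIZATION_NAME", "SENDER", "REG_LINK"}


def split_secure_subject(subject):
    """Return (password, subject_without_tag); password is None if no tag is present."""
    m = SECURE_TAG.match(subject)
    if m is None:
        return None, subject
    return m.group("pw"), m.group("subj")


def render_instructions(template, variables):
    """Expand %%NAME%% placeholders. An unknown or unset name raises, so a template
    that would hand the recipient a literal %%PASSWORD%% fails before anything is sent
    (assumption: the appliance's own behaviour for bad templates is not documented here)."""
    def expand(m):
        name = m.group(1)
        if name not in KNOWN_VARS or name not in variables:
            raise KeyError("unresolved SPX variable: " + name)
        return variables[name]
    return PLACEHOLDER.sub(expand, template)


def prepare_spx_message(subject, sender, recipient, organization, template, reg_link=""):
    """Model the Specified by Sender flow: take the password out of the subject and
    return the cleaned subject plus the rendered recipient instructions."""
    password, clean_subject = split_secure_subject(subject)
    if password is None:
        raise ValueError("no [secure:...] tag in subject; nothing to encrypt")
    instructions = render_instructions(template, {
        "ENVELOPE_TO": recipient,
        "PASSWORD": password,
        "ORGANIZATION_NAME": organization,
        "SENDER": sender,
        "REG_LINK": reg_link,
    })
    return {"subject": clean_subject, "password": password, "instructions": instructions}


if __name__ == "__main__":
    # Constructed sample message
    result = prepare_spx_message(
        "[secure:Tr0ub4dor&3] Q3 figures",
        "alice@corp.example", "bob@partner.example", "Corp Ltd",
        "Hello %%ENVELOPE_TO%%, %%SENDER%% at %%ORGANIZATION_NAME%% sent you an SPX-encrypted mail.",
    )
    print(result)
```

One practical point the format implies: the tag is removed only by the Device. Everything upstream of it, the sender's Sent folder and any internal mail server that logs subject lines, still holds the password, so this option protects the password on the path beyond the firewall, not inside the organization.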


Figure 231: Recipient Instructions

General Settings

This feature requires a subscription. It can be configured but cannot be enforced without a valid Email Protection subscription.

Email Configuration allows you to configure the general settings for Email traffic. This page contains the following sections.

SMTP Deployment Mode

MTA mode is available only in Sophos Firewall XG105, Cyberoam CR25iNG, Sophos UTM SG105, and higher models.

Click the button to switch between MTA Mode and Legacy Mode.

In MTA Mode, Device acts as a Mail Transfer Agent (MTA). In Legacy Mode, Device acts as a transparent proxy.

When acting as an MTA, Device is responsible for routing Emails to and from the protected Email Server(s). In this state Device allows you to:

• configure relay of inbound and outbound Emails from Email > Relay Settings.

• set up multiple SMTP Profiles to protect multiple Domains on your internal Email Server or multiple Email Servers from Email > Policies > SMTP Policies.

• view email messages that are either waiting for delivery or have produced an error in the Email > Mail Spool.

• view the logs for all the emails processed by the Device from Email > Mail Logs.

Default: MTA Mode is enabled.

Note:

• On enabling MTA Mode, a firewall rule to allow SMTP/SMTPS traffic is automatically created.

• If you have migrated from CyberoamOS to SFOSv16 OR SFOSv15 to SFOSv16, Legacy Mode will be enabled by default.

Figure 232: SMTP Deployment Mode

Banner Settings

Append Banner to All Outbound Messages

Enable to add a banner at the end of all outgoing Email messages.

The banner is appended ONLY when SMTP and SMTPS Scanning is enabled in the relevant Business Application Policy(s).

Email Banner

Specify a banner to be added to all outgoing Emails. Only text banners are allowed.

Example:

This email contains confidential information. You are not authorized to copy the contents without the consent of the sender. Please do not print this email unless it is absolutely necessary. Spread environmental awareness.


Figure 233: Banner Settings

SMTP Settings

SMTP Hostname

Specify the SMTP hostname to be used in HELO and SMTP banner strings. By default, the Device uses 'Sophos' as hostname.

Note: For Legacy Mode, this hostname is applicable only to system-generated notification emails.

Don't Scan Emails Greater Than

Specify the maximum message size (in KB) that is scanned. Messages exceeding this size received through SMTP/S are not scanned and are handled according to Action for Oversize Email.

Default - 1024 KB

Specify 0 to raise the scanning limit to 51200 KB.

Action for Oversize Email

Specify the action for oversize emails.

Available Options

• Accept: Oversize mails are forwarded to the recipient without scanning.

• Reject: Oversize mails are rejected and the sender is notified.

• Drop: Oversize mails are dropped without notifying the sender.

Bypass Spam Check for SMTP/S Authenticated Connections (Available in Legacy Mode only)

Enable to bypass spam scanning for email messages received over SMTP/S connections that the Email Server has authenticated. Note that mail sent through a compromised account is then also exempt from spam scanning.

Verify Sender's IP Reputation

Click to verify the reputation of the sender IP Address. When enabled, the Device dynamically checks the sender's IP Address of all Emails. If the IP Address is found to be responsible for sending spam email or malicious content, the Device takes action as per the configured Scanning Rules.

If enabled, specify an action for Confirmed Spam Emails and Probable Spam Emails.

Available Options

• Accept: Spam emails are forwarded to the recipient after scanning as per the configuration.

• Reject: Spam mails are rejected and a notification is sent to the email sender.

• Drop: Spam mails are dropped without notifying the sender.

As this is a global option, if spam scanning is enabled, all mails are first subjected to IP Reputation filtering and then to filtering based on the actions configured in the spam policy.

Default - Disable

SMTP DoS Settings

Enable to configure SMTP DoS Settings, which protect the network from SMTP DoS attacks.

If this is enabled, specify values for Maximum Connections, Maximum Connections/Host, Maximum Emails/Connection, Maximum Recipients/Email, Email Rate per Minute/Host and Connection Rate per Second/Host.

Maximum Connections (Available if SMTP DoS Settings Enabled)

Specify maximum number of connections that can be established with the Email Server.

Default - 1024

Acceptable Range - 1 - 20000

Maximum Connections/Host (Available if SMTP DoS Settings Enabled)

Specify maximum number of connections allowed to the Email Server from a particular host.

Default - 64

Acceptable Range - 1 - 10000

Maximum Emails/Connection (Available if SMTP DoS Settings Enabled)

Specify maximum number of Emails that can be sent in a single connection.

Default - 512

Acceptable Range - 1 - 1000

Maximum Recipients/Email (Available if SMTP DoS Settings Enabled)

Specify the maximum number of recipients for a single Email.

Default - 100

Acceptable Range - 1 - 256

Email Rate per Minute/Host (Available if SMTP DoS Settings Enabled)

Specify the maximum number of Emails a particular host may send in one minute.

Default - 512

Acceptable Range - 1 - 20000

Connection Rate per Second/Host (Available if SMTP DoS Settings Enabled)

Specify the maximum number of connections a particular host may open to the Email Server in one second.

Default - 8

Acceptable Range - 1 - 20000
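The six SMTP DoS limits above, as an added model applied to a constructed burst of SMTP events. This is not Sophos code: the default values are the ones the guide gives, while treating the two per-host rates as sliding windows, counting only accepted events against them, and answering every violation with a reject rather than a drop are assumptions of this model.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Added example, not Sophos code: a model of the six SMTP DoS Settings above, applied
# to a constructed stream of SMTP events. Defaults are the guide's defaults. That the
# two rate limits are sliding windows, and that every violation is a reject (rather
# than a drop), are assumptions of this model.


@dataclass
class SmtpDosSettings:
    max_connections: int = 1024
    max_connections_per_host: int = 64
    max_emails_per_connection: int = 512
    max_recipients_per_email: int = 100
    email_rate_per_minute_per_host: int = 512
    connection_rate_per_second_per_host: int = 8


class SmtpDosLimiter:
    def __init__(self, settings=None):
        self.s = settings or SmtpDosSettings()
        self.open_conns = {}                   # conn_id -> [host, emails_sent]
        self.conn_times = defaultdict(deque)   # host -> timestamps of accepted connects
        self.mail_times = defaultdict(deque)   # host -> timestamps of accepted MAIL

    @staticmethod
    def _prune(window, now, seconds):
        while window and now - window[0] >= seconds:
            window.popleft()

    def connect(self, now, host, conn_id):
        if len(self.open_conns) >= self.s.max_connections:
            return "reject: max connections"
        per_host = sum(1 for h, _ in self.open_conns.values() if h == host)
        if per_host >= self.s.max_connections_per_host:
            return "reject: max connections/host"
        window = self.conn_times[host]
        self._prune(window, now, 1.0)
        if len(window) >= self.s.connection_rate_per_second_per_host:
            return "reject: connection rate/host"
        window.append(now)
        self.open_conns[conn_id] = [host, 0]
        return "accept"

    def mail(self, now, conn_id, recipients):
        host, sent = self.open_conns[conn_id]
        if len(recipients) > self.s.max_recipients_per_email:
            return "reject: max recipients/email"
        if sent >= self.s.max_emails_per_connection:
            return "reject: max emails/connection"
        window = self.mail_times[host]
        self._prune(window, now, 60.0)
        if len(window) >= self.s.email_rate_per_minute_per_host:
            return "reject: email rate/host"
        window.append(now)
        self.open_conns[conn_id][1] += 1
        return "accept"

    def disconnect(self, conn_id):
        self.open_conns.pop(conn_id, None)


def replay(events, settings=None):
    """events: (time, kind, conn_id, host_or_recipients). Returns one verdict per event."""
    lim = SmtpDosLimiter(settings)
    out = []
    for t, kind, conn_id, arg in events:
        if kind == "connect":
            out.append((conn_id, lim.connect(t, arg, conn_id)))
        elif kind == "mail":
            out.append((conn_id, lim.mail(t, conn_id, arg)))
        else:
            lim.disconnect(conn_id)
            out.append((conn_id, "closed"))
    return out


# Constructed burst from one host, against deliberately tight settings so every limit trips.
TIGHT = SmtpDosSettings(max_connections_per_host=10, max_emails_per_connection=2,
                        max_recipients_per_email=3, email_rate_per_minute_per_host=3,
                        connection_rate_per_second_per_host=3)
BURST = [
    (0.0, "connect", "c1", "198.51.100.7"),
    (0.1, "connect", "c2", "198.51.100.7"),
    (0.2, "connect", "c3", "198.51.100.7"),
    (0.3, "connect", "c4", "198.51.100.7"),          # 4th connect inside one second
    (1.5, "connect", "c5", "198.51.100.7"),          # window has slid, accepted again
    (2.0, "mail", "c1", ["a@x", "b@x", "c@x", "d@x"]),
    (2.1, "mail", "c1", ["a@x"]),
    (2.2, "mail", "c1", ["a@x"]),
    (2.3, "mail", "c1", ["a@x"]),                    # 3rd mail on c1
    (2.4, "mail", "c2", ["a@x"]),
    (2.5, "mail", "c2", ["a@x"]),                    # 4th mail from the host within a minute
    (2.6, "close", "c1", None),
]

if __name__ == "__main__":
    for conn_id, verdict in replay(BURST, TIGHT):
        print(conn_id, verdict)
```

The per-connection and per-email limits are cheap and stateless; the per-host limits are what actually bound a single abusive source, and they only help if the source address is the real client. In Legacy Mode the Device sees the client directly; behind an upstream relay every connection arrives from the relay's address and the per-host limits collapse onto it.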


Figure 234: SMTP Settings

POP/S and IMAP/S Settings

Don't Scan Emails Greater Than

Specify the maximum message size (in KB) that is scanned. Messages exceeding this size received through POP/IMAP are not scanned.

Default - 1024 KB

Specify 0 to increase the default file size restriction to 10240 KB.

Recipient Headers

Specify the header(s) used to detect the recipient of POP3/IMAP messages.

Default - Delivered-To, Received, X-RCPT-TO


Figure 235: POP/S and IMAP/S Settings

SMTP TLS Configuration

TLS Certificate

Select the CA Certificate or Server Certificate used for scanning SMTP traffic over SSL/TLS from the available options.

Available Options

• Default

• ApplianceCertificate

• SecurityAppliance_SSL_CA

• Custom CA Certificates and Server Certificates, if added. You can create a custom CA Certificate from Certificates > Certificate Authorities and a custom Server Certificate from Certificates > Certificates.

Allow Invalid Certificate

If enabled, SMTP over SSL/TLS connections are allowed even when the Email Server presents an invalid certificate (for example expired, self-signed, or not matching the hostname). Disable this option to reject such connections.

Default - Enable

Note: With this option enabled the server certificate is not verified, so the connection is protected against passive eavesdropping only, not against an active attacker presenting a forged certificate.

Require TLS Negotiation with Host/Net

Select the remote host (Email Server) or network from the available options on whose connections TLS encryption is to be enforced. In other words, the Device always initiates TLS-secured connections when Emails are to be sent to the selected hosts/networks. If TLS is enforced but a connection cannot be established, Emails to that remote host/network are discarded.

Require TLS Negotiation with Sender Domain

Specify the Sender Domain(s) on whose Email connections TLS encryption is to be enforced.

Sender Domain is the domain of the Email sender. Emails from the specified Sender Domain will be sent over TLS-encrypted connections only. If TLS is enforced but connection cannot be established, then Emails from that sender domain are discarded.

Skip TLS Negotiation Hosts/Nets

Select the remote host (Email Server) or network from available options on whose connections TLS encryption is to be skipped or bypassed. When configured, SMTP connections to selected hosts will be established in clear text and unencrypted.


Figure 236: SMTP TLS Configuration

POP and IMAP TLS Configuration

TLS Certificate

Select the CA for scanning POP and IMAP traffic over SSL from the available options.

Available Options

• Default

• SecurityAppliance_SSL_CA

• Custom CAs, if added. You can create a custom CA from Certificates > Certificate Authorities.

Allow Invalid Certificate

If enabled, POP and IMAP over SSL/TLS connections are allowed even when the Mail Server presents an invalid certificate. Disable to reject such connections.

Default - Enable

Figure 237: POP and IMAP TLS Configuration

Email Journaling (Available in Legacy Mode only)

Because email is one of the most important communication and business tools in organizations, email journaling has become an integral part of many of them.

Using the Device's Email Journaling, the administrator can store all incoming Emails, or Emails for a specific recipient or a group of recipients and thereby keep a close watch over data leakage.


The device can journal all Emails intended for single or multiple recipients and can forward them to a single administrator or multiple administrators.

This section displays a list of the archivers created and provides options to add a new archiver, update the parameters of an existing archiver, or delete the archiver. You can filter the list based on recipient name.

Figure 238: Email Journaling

Spam Check Exceptions

To bypass spam scanning of certain domains, define the domains as Spam Check Exceptions. The page lists all the domains configured to be exempted from spam scanning.

It also provides the options to add a new domain and delete an existing domain.

Figure 239: Spam Check Exceptions

Malware Protection

Malware Protection is available in Sophos Firewall XG105, Cyberoam CR500iNG, Sophos UTM SG105, and higher models.

Sophos Firewall offers dual anti-virus scanning, wherein traffic is scanned by two (2) anti-virus engines. Traffic is first scanned by the primary engine, and then by the secondary engine.

Primary Anti Virus Engine

Select the primary anti-virus engine for traffic scanning. For dual scan, packets are first scanned by the primary engine and then by the secondary engine. For single scan, only the primary engine is used.

Available Options

• Sophos

• Avira

Note: Selecting Avira will disable Sandstorm in all SMTP Policies with Single Anti-Virus Scanning.

Figure 240: Malware Protection

Advanced SMTP Settings (Available in MTA Mode only)

Reject invalid HELO or missing RDNS

Select this option if you want to reject hosts that send invalid HELO/EHLO arguments or lack reverse DNS (RDNS, i.e. PTR) entries. Select Do strict RDNS checks if you want to additionally reject email from hosts with invalid RDNS records. An RDNS record is invalid if the hostname found does not resolve back to the original IP address (forward-confirmed reverse DNS).
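The two checks just described, as an added example that runs against constructed DNS data so it works offline. This is not Sophos code: the PTR and A tables are made up (203.0.113.0/24 is documentation address space), and what counts as a valid HELO argument here follows RFC 5321 (a fully qualified domain name or an address literal), since the page does not spell out the appliance's own syntax rules.

```python
import ipaddress
import re

# Added example, not Sophos code: the checks behind "Reject invalid HELO or missing RDNS"
# and "Do strict RDNS checks", run against constructed DNS data so it works offline.
# The PTR/A tables below are made up for this example (203.0.113.0/24 is documentation
# space). What counts as a valid HELO argument here follows RFC 5321 (an FQDN or an
# address literal); the appliance's exact rules are not documented on this page.

PTR_RECORDS = {                       # IP -> PTR names (constructed)
    "203.0.113.10": ["mx1.example.net"],
    "203.0.113.11": ["mail.spoof.example"],
    "203.0.113.12": [],
}
A_RECORDS = {                         # hostname -> A records (constructed)
    "mx1.example.net": ["203.0.113.10"],
    "mail.spoof.example": ["198.51.100.5"],   # PTR name does not point back: invalid RDNS
}

_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
FQDN_RE = re.compile(r"^(?=.{1,253}$)(?:%s\.)+%s$" % (_LABEL, _LABEL), re.IGNORECASE)


def helo_is_valid(arg):
    """True for an FQDN or an RFC 5321 address literal such as [203.0.113.10] or [IPv6:2001:db8::1]."""
    if arg.startswith("[") and arg.endswith("]"):
        literal = arg[1:-1]
        if literal.lower().startswith("ipv6:"):
            literal = literal[5:]
        try:
            ipaddress.ip_address(literal)
            return True
        except ValueError:
            return False
    return FQDN_RE.match(arg) is not None


def rdns_status(ip, ptr=PTR_RECORDS, a=A_RECORDS):
    """'missing' (no PTR), 'valid' (some PTR name resolves back to ip) or 'invalid'."""
    names = ptr.get(ip, [])
    if not names:
        return "missing"
    for name in names:
        if ip in a.get(name.rstrip("."), []):
            return "valid"        # forward-confirmed reverse DNS
    return "invalid"


def evaluate_helo(ip, helo, strict_rdns=False):
    """Verdict for an incoming SMTP client, in the order the two options are described."""
    if not helo_is_valid(helo):
        return "reject: invalid HELO"
    status = rdns_status(ip)
    if status == "missing":
        return "reject: missing RDNS"
    if strict_rdns and status == "invalid":
        return "reject: invalid RDNS"
    return "accept"


if __name__ == "__main__":
    for ip, helo in [("203.0.113.10", "mx1.example.net"), ("203.0.113.10", "localhost"),
                     ("203.0.113.12", "mx1.example.net"), ("203.0.113.11", "mail.spoof.example")]:
        print(ip, helo, evaluate_helo(ip, helo), evaluate_helo(ip, helo, strict_rdns=True))
```

Note what these checks do and do not establish: the HELO test is purely syntactic, and nothing ties the HELO name to the PTR name, so a well-formed HELO is trivially forged. Only the strict check requires that the reverse mapping is confirmed by the forward one, which an attacker cannot satisfy without control of the DNS for the address. Treat the option as mail hygiene, not as sender authentication.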

Scan Outgoing Mails

Enable to scan all outgoing email traffic. Email is quarantined if found to be malware infected, or marked as Spam.


Figure 241: Advanced SMTP Settings

Add Email Journal

Email Journal is available only in Legacy mode (device acts as transparent proxy).

This feature requires a subscription. It can be configured but cannot be enforced without a valid Email Protection subscription.

Add Email Journal allows you to forward copies of emails of specific recipients to a different email address, for example, to an administrator.

1. Go to Protect > Email > General Settings and click Add under Email Journaling.

2. Enter a name.

3. In the Recipient box, select Any to journal all incoming emails. Alternately, select the address groups, copies of whose emails are to be forwarded to a different email address.

4. In the Send Copy Of Email To box, enter the email address to which a copy of emails is to be forwarded.

5. Click Save.

Figure 242: Email Archiver

Address Groups

Policies are applied to email addresses. To make configuration easier, the Administrator can group addresses that require the same scanning policy. The policy applied to an address group applies to all group members. When a group is used in a number of rules, it is much easier to add or remove addresses from the group than to update the individual rules: with a single update, the Administrator re-aligns every rule that uses the group.

An Address Group is a grouping by:


• Email Address or Domain

• IP Address

• RBL (Real time black hole List) (applicable only for the spam email)

An address can be a member of multiple groups.

An RBL is a list of IP Addresses whose owners are responsible for spam or whose hosts have been hijacked as spam relays. These IP Addresses might also be used for spreading viruses. The Device checks each RBL for the connecting IP Address, and the action configured in the policy is taken if the IP Address is found in any of the RBL lists. The Administrator can directly use the two default RBL groups shipped with the Device or update them as required:

• Premium RBL Services

• Standard RBL Services
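How a connecting IP address is turned into an RBL (DNSBL) query and how the answer should be read, as an added example. This is not Sophos code and does not reproduce the contents of the Premium or Standard RBL groups: the zone http.dnsbl.sorbs.net is named later in this guide's Web Server Protection section, the second zone is a placeholder, and the answer table is constructed so the example runs offline. A real deployment replaces fake_resolve() with DNS lookups.

```python
import ipaddress

# Added example, not Sophos code: how a connecting IP is turned into a DNSBL (RBL) query
# name and how the answers should be interpreted. The zone names are placeholders except
# http.dnsbl.sorbs.net, which the WAF section of this guide names; the answer table is
# constructed so the example runs offline. Real lookups go through a resolver.


def rbl_query_name(ip, zone):
    """IPv4: reverse the four octets. IPv6: reverse all 32 hex nibbles (RFC 5782)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        reversed_part = ".".join(reversed(addr.exploded.split(".")))
    else:
        reversed_part = ".".join(reversed(addr.exploded.replace(":", "")))
    return "%s.%s" % (reversed_part, zone)


def is_listing(answers):
    """Only A records inside 127.0.0.0/8 mean 'listed' (RFC 5782). Anything else, e.g. a
    wildcard answer from a dead zone or a resolver that rewrites NXDOMAIN, is ignored."""
    if not answers:
        return False
    net = ipaddress.ip_network("127.0.0.0/8")
    return all(ipaddress.ip_address(a) in net for a in answers)


def check_rbls(ip, zones, resolve):
    """Return {zone: answers} for every zone that lists ip. resolve(name) -> list of A records."""
    hits = {}
    for zone in zones:
        answers = resolve(rbl_query_name(ip, zone))
        if is_listing(answers):
            hits[zone] = answers
    return hits


# Constructed answers standing in for a DNS resolver.
FAKE_DNS = {
    "7.100.51.198.http.dnsbl.sorbs.net": ["127.0.0.7"],
    "5.113.0.203.rbl-two.example": ["10.1.2.3"],     # bogus answer outside 127/8: not a listing
}
ZONES = ["http.dnsbl.sorbs.net", "rbl-two.example"]


def fake_resolve(name):
    return FAKE_DNS.get(name, [])


if __name__ == "__main__":
    for ip in ("198.51.100.7", "203.0.113.5", "2001:db8::1"):
        print(ip, check_rbls(ip, ZONES, fake_resolve))
```

The 127.0.0.0/8 check is the detail worth keeping when you add an RBL to a group: a zone that has been retired, or a resolver that answers NXDOMAIN with a search-page address, returns a non-127 answer for every query, and a naive "any answer means listed" check would then reject all inbound mail.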

The Address Group page displays a list of all the default and custom groups and provides options to add a new group, update the parameters, import addresses in the existing group, or delete the group. You can sort the list based on address group name.

Add Address Group

1. Go to Protect > Email > Address Group and click Add.

2. Enter a name and description.

3. Group Type: Select the type of entries the address group contains.

Available Options:

RBL (IPv4) or RBL(IPv6):

Select to add RBLs that list IPv4 or IPv6 addresses or domain names.

If the connecting IP address is found on the RBL, the device takes the action specified by the relevant policy.

Email Address/Domain:

Select to add the email address or domain name.

Import: Select to upload a CSV or text file.

Manual: Select to add individual email addresses or domains.

Note:

• You can import a maximum of 400 email addresses or domains in a single file.

• Invalid and duplicate entries are not imported.


Figure 243: Address Group

4. Click Save.

File Types

A file type is a classification that is determined by file extension and MIME header. You can include file types in web policies to control access to files that match the specified criteria. The default file types contain some common criteria and you can create additional types.

Using File Types with Policy Rules

You can create file types to control access to files on a more granular level. For example, you may want to allow access to SQL files but deny access to all other database files. In this case, you would create a file type for SQL files and a policy that specifies the following rules in the following order:

1. Allow access to SQL files

2. Block access to all database files
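The SQL-versus-database example above, as an added illustration of what a file type is on this page (a set of extensions plus MIME types) and of why the rule order matters. This is not Sophos code, and the extension and MIME lists are illustrative rather than the appliance's built-in definitions.

```python
from dataclasses import dataclass

# Added example, not Sophos code: a file type as this page defines it (a set of
# extensions plus MIME types) and first-match evaluation of an ordered rule list,
# using the SQL-versus-database example from the text. The extension and MIME lists
# are illustrative, not the appliance's built-in definitions.


@dataclass(frozen=True)
class FileType:
    name: str
    extensions: frozenset
    mime_types: frozenset

    def matches(self, filename, content_type):
        ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        mime = content_type.split(";", 1)[0].strip().lower()   # drop "; charset=..." parameters
        return ext in self.extensions or mime in self.mime_types


SQL_FILES = FileType("SQL files", frozenset({"sql"}), frozenset({"application/sql"}))
DATABASE_FILES = FileType(
    "Database files",
    frozenset({"sql", "mdb", "accdb", "db", "sqlite", "dbf"}),
    frozenset({"application/sql", "application/x-sqlite3", "application/x-msaccess"}),
)

# Rule order from the text: allow SQL files first, then block all database files.
RULES = [("allow", SQL_FILES), ("block", DATABASE_FILES)]


def decide(filename, content_type, rules=RULES, default="allow"):
    """First matching rule wins; return (action, matched file type name)."""
    for action, file_type in rules:
        if file_type.matches(filename, content_type):
            return action, file_type.name
    return default, None


if __name__ == "__main__":
    for name, ctype in [("dump.sql", "application/octet-stream"),
                        ("crm.mdb", "application/x-msaccess"),
                        ("notes.txt", "application/sql; charset=utf-8"),
                        ("report.pdf", "application/pdf")]:
        print(name, ctype, "->", decide(name, ctype))
    print("dump.sql with rules reversed ->", decide("dump.sql", "application/sql", RULES[::-1]))
```

Both inputs to the match, the extension in the URL and the Content-Type header, are chosen by whoever controls the server or the request, so a file type rule is a policy label rather than a statement about the bytes. It controls what users may fetch; detecting malicious content is the job of the malware scan that runs alongside it.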

Add File Type

1. Go to Protect > Web > File Type and click Add.

2. Type a name.

3. (Optional) Select a template.

You can select from predefined or custom file types. If you do not wish to use a template, choose Blank.

4. Specify the file extension and MIME header.


Figure 244: Add File Type

Quarantine Digest

Quarantine Digest is available only in Sophos Firewall XG105, Cyberoam CR25iNG, Sophos UTM SG105, and higher models.

This feature requires a subscription. It can be configured but cannot be enforced without a valid Email Protection subscription.

Quarantine Digest allows you to set the frequency at which the digest email is sent to the user. You can enable or disable user access to quarantined emails on the user portal. You can also enable quarantine digest for all users or to specific users and groups.

Quarantine Digest provides the date and time of message receipt, sender and recipient's email addresses and subject of the message.

Quarantine Digest Settings for All Users

1. Go to Protect > Email > Quarantine Digest.

2. Select Enable Quarantine Digest to email the digest to all users.

a. Set the Email Frequency of the digest. Set the interval, time, and day of week, based on the selection.

b. In the From Email Address box, enter the address from which the email is to be sent.

c. In the Display Name box, specify the name of the quarantine digest sender.

d. Click Send Test Email. Enter the To Email Address and click Send.

e. To set the IP address of the user portal, select the Reference User Portal IP from the list.

Note: Users located behind the selected port can click the "My Account" link in the digest email to access quarantined emails on the user portal. Others can access the user portal by typing https://<IP Address of SF Device> in the browser.

Example: If Port1 is selected as the Reference User Portal IP, only users located behind Port1 will be redirected to the user portal when they click on "My Account".

3. Click Apply.

Override Quarantine Digest Settings for Specific Users

1. Go to Protect > Email > Quarantine Digest.

2. Click Change User's Quarantine Digest Settings, to apply the settings to specific users or groups.

3. Select the users or groups.

4. Click Apply.

Figure 245: Quarantine Digest

Web Server

Web Server Protection provides facilities to manage and add web servers, define protection policies for them and set up certificates.

The following pages are accessible:

• Web Servers (page 236): manage, add and delete the settings of web servers connected to your device.

• Protection Policies (page 238): define methods to protect your web servers against malicious attacks.

• Authentication Policies (page 242): set up authentication policies for direct access to Sophos Firewall.

• Authentication Templates (page 244): set up customized HTML login forms.

• Certificates (page 514): manage certificates for authentication.

• Certificate Authorities (page 516): manage the certificate authorities which issue certificates.

• Certificate Revocation Lists (page 517): overview of revoked certificates.

Web Servers

The Web Servers menu allows you to add web servers that are to be protected by the WAF.

This page displays all existing web servers. For each web server, the list shows:

Name

Name of the web server.

Host

Host name of the web server.

Type

Type of communication between Sophos XG Firewall and the web server.

Add Web Server

This page describes how to add a web server.


1. Go to Protect > Web Server > Web Servers and click Add.

2. Enter the following:

Name

Enter a unique name for the web server.

Description

Enter a description for the web server.

Host

Add or select a host, which can either be of the type IP Address or FQDN Host. See Add IP Host on page 485 and Add a FQDN Host on page 488.

Note: An FQDN Host is recommended here, because for hosts listed by their IP address an empty Host header is transmitted, which may lead to problems with some browsers.

Type

Select a server type, that is, whether you want the communication between Sophos XG Firewall and the web server to be encrypted (HTTPS) or plaintext (HTTP).

Encrypted (HTTPS) - Browser-based access to the web server via HTTPS.

Plaintext (HTTP) - Browser-based access to the web server via HTTP.

Default: Plaintext (HTTP)

Port

Enter a port number for the web server. By default the standard port of the selected web server type is selected.

Keep alive

Click the toggle switch Keep alive to keep the connection between Sophos XG Firewall and the web server open instead of opening a new connection for every single request.

Note: Some web servers do not support keep alive. If you experience reading errors or timeouts, you may need to disable keep alive for the affected server.

Timeout

Enter a timeout for the Keep alive option.

Acceptable range: 1 to 65535 seconds

Default: 300 seconds

Disable backend connection pooling

Click the toggle switch Disable backend connection pooling to create a new connection to the backend server every time it is used, instead of reusing an old connection from the connection pool.

This option is disabled by default. Only use it if you face connection problems, because it may decrease system performance.

Figure 246: Add Webserver

3. Click Save.

Protection Policies

The Protection Policies menu allows you to define the modes and levels of protection for your web servers.

This page displays all existing web application protection objects. For each protection object, the list shows:

Name

Name of the protection policy.

Add Protection Policy

This page describes how to add an application protection policy.

1. Go to Protect > Web Server > Protection Policies and click Add.

2. Specify the following:

Name

Enter a unique name for the protection policy.

Description

Enter a description for the policy.

Pass Outlook Anywhere

Enable this to allow external Microsoft Outlook clients to access the Microsoft Exchange Server via the Web Application Protection. Microsoft Outlook traffic is passed through without being checked or protected by the Web Application Protection.

Mode

Select a mode from the drop-down list:

Monitor: HTTP requests are monitored and logged.

Reject: HTTP requests are rejected.

Cookie Signing

Enable this to protect a web server against manipulated cookies. When the web server sets a cookie, the Web Application Protection adds a second cookie containing a hash built from the primary cookie's name, its value and a secret known only to the Web Application Protection. If a request does not present a correct cookie pair, the cookie has been manipulated and is dropped.

Static URL Hardening

Enable this to protect against URL rewriting. When a client requests a website, all static URLs of the website are signed, using a procedure similar to cookie signing. Additionally the response from the web server is analyzed to determine which links can validly be requested next. Hardened static URLs can still be bookmarked and visited later.

Note: Static URL hardening affects all files with an HTTP content type of text/* or *xml*, where * is a wildcard. Make sure that other file types, e.g. binary files, have the correct HTTP content type, otherwise they may be corrupted by the URL hardening feature. It does not work for URLs created dynamically on the client, for example by JavaScript.

Note: You can find more information about Static URL Hardening and Form Hardening under Additional Information on Static URL Hardening and Form Hardening on page 242.

Entry URLs (only applicable if Static URL Hardening is enabled)

Specify the URL(s) that serve as entry points for static URL hardening, that is, the pages clients may request without a signature.

Form Hardening

Enable this to protect against web form rewriting. Form hardening saves the original structure of a web form and signs it. If the structure of a form has changed when it is submitted, the Web Application Protection rejects the request.

Note: Form hardening affects all files with a HTTP content type of text/* or *xml*, where * is a wildcard. Make sure that other file types, e.g. binary files, have the correct HTTP content type, otherwise they may get corrupted by the form hardening feature.

Note: You can find more information about static URL hardening and form hardening under Additional Information on Static URL Hardening and Form Hardening on page 242.

Anti-Virus

Enable this to protect a web server against viruses.

Mode

Select a mode from the available options.

• Avira

• Sophos

• Dual Scan

Direction

Select from the drop-down list whether to scan only uploads or downloads or both.

• Uploads

• Downloads

• Uploads and Downloads

Block unscannable content

Enable this to block files that cannot be scanned. The reason for that may be, among other things, that files are encrypted or corrupt.

Limit scan size

Enable this to enter the scan size limit into an additional field. Provide the limitation in megabytes.

Note: The scan size limit refers to the entire upload volume, not to a single file. If, for example, you limit the scan size to 50 MB and make an upload containing multiple files (45 MB, 5 MB and 10 MB), the last file is not scanned, so a virus in the last file would not be detected.

Note: If you do not specify a limitation value at all, the limit scan size will be saved with '0' megabytes, which means the limitation is not active and every uploaded/ downloaded file will be scanned.

Block clients with bad reputation

Enable this to block clients that have a bad reputation according to their classification, based on GeoIP and RBL information. Sophos uses the following classification providers. RBL sources:

• Commtouch IP Reputation (ctipd.org)

• http.dnsbl.sorbs.net

The GeoIP source is Maxmind. The WAF blocks clients that belong to one of the following Maxmind categories:

• A1: Anonymous proxies or VPN services used by clients to hide their IP address or their original geographical location.

• A2: Satellite providers are ISPs that use satellites to provide Internet access to users all over the world, often from high risk countries.

Skip remote lookups for clients with bad reputation (only applicable if Block clients with bad reputation is enabled)

Enable to use GeoIP-based classification which uses cached information only and is therefore much faster. As reputation lookups include sending requests to remote classification providers, using reputation-based blocking may slow down your system.

Common Threat Filter

Enable this to protect your web servers from several threats. You can specify the threat filter categories you want to use in the Threat Filter Categories section below. All requests will be checked against the rule sets of the selected categories. Depending on the results, a notice or a warning will be shown in the live log or the request will be blocked directly.

Rigid Filtering

Enable this to tighten several of the selected rules. This may lead to false positives.

Skip Filter Rules

Some of the selected threat categories may contain rules that lead to false positives. To avoid false positives induced by a specific rule, add the rule number that you want to skip in this field.

Protocol Violations

Enforces adherence to the RFC standard specification of the HTTP protocol. Violating these standards usually indicates malicious intent.

Protocol Anomalies

Searches for common usage patterns. Lack of such patterns often indicates malicious requests.

These patterns include, among other things, HTTP headers like 'Host' and 'User-Agent'.

Request Limits

Enforces reasonable limits on the amount and ranges of request arguments. Overloading request arguments is a typical attack vector.

HTTP Policy

Narrows down the allowed usage of the HTTP protocol. Web browsers typically use only a limited subset of all possible HTTP options. Disallowing the rarely-used options protects against attackers aiming at these often less well-supported options.

Bad Robots

Checks for usage patterns characteristic of bots and crawlers. By denying them access, possible vulnerabilities on your web servers are less likely to be discovered.

Generic Attacks

Searches for attempted command executions common to most attacks. After having breached a webserver, an attacker usually tries to execute commands on the server like expanding privileges or manipulating data stores. By searching for these post-breach execution attempts, attacks can be detected that might otherwise have gone unnoticed, for example because they targeted a vulnerable service by the means of legitimate access.

SQL Injection Attacks

Checks for embedded SQL commands and escape characters in request arguments. Most attacks on web servers target input fields that can be used to direct embedded SQL commands to the database.

XSS Attacks

Checks for embedded script tags and code in request arguments. Typical cross-site scripting attacks aim at injecting script code into input fields on a target web server, often in a legitimate way.

Tight Security

Performs tight security checks on requests, like checking for prohibited path traversal attempts.

Trojans

Checks for usage patterns characteristic of trojans, thus searching for requests indicating trojan activity. It does not, however, prevent the installation of such trojans as this is covered by the antivirus scanners.

Outbound

Prevents web servers from leaking information to the client. This includes, among other things, error messages sent by servers which attackers can use to gather sensitive information or detect specific vulnerabilities.


Figure 247: Add Application Protection Policy

3. Click Save.


Additional Information on Static URL Hardening and Form Hardening

It is best practice to always enable both static URL hardening and form hardening. The two functions are complementary, and each prevents the issues you may encounter if you enable only the other:

• Only form hardening is activated: When a webpage contains hyperlinks with appended queries (as certain CMSs produce), e.g. http://example.com/?view=article&id=1, such page requests are blocked by form hardening because it expects a signature that is missing.

• Only static URL hardening is activated: When a web browser appends form data to the action URL of a form (as happens with GET requests), the form data becomes part of the request URL sent to the web server, which invalidates the URL signature.

Activating both functions resolves these issues, because the Web Application Protection accepts a request if either form hardening or static URL hardening considers it valid.
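The signing idea behind Cookie Signing and Static URL Hardening in the Protection Policies section above, and the GET-form interaction just described, as one added example. This is not Sophos code. The guide says only that a hash over the cookie's name, value and a secret is used; this example uses HMAC-SHA256, because a plain hash of secret||data would be open to length-extension forgery. The companion cookie name "<name>_sig", the "waf_sig" query parameter and the secret itself are assumptions made for the example.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Added example, not Sophos code: the signing idea behind Cookie Signing, Static URL
# Hardening and Form Hardening, and the GET-form interaction described in "Additional
# Information". The guide says only that a hash over name, value and a secret is used;
# this example uses HMAC-SHA256 (a plain hash of secret||data would be open to length
# extension). The companion cookie name "<name>_sig", the "waf_sig" query parameter and
# the secret itself are assumptions made for this example.

SECRET = b"constructed-waf-secret-do-not-reuse"


def _sign(*parts, secret=SECRET):
    """HMAC over length-prefixed parts, so ("ab","c") and ("a","bc") sign differently."""
    mac = hmac.new(secret, digestmod=hashlib.sha256)
    for part in parts:
        data = part.encode()
        mac.update(len(data).to_bytes(4, "big") + data)
    return mac.hexdigest()


def sign_cookie(name, value):
    """The second cookie the WAF adds next to the one the web server set."""
    return name + "_sig", _sign(name, value)


def verify_cookie(name, value, signature):
    """Reject a request whose cookie pair does not verify (the cookie is then dropped)."""
    return hmac.compare_digest(_sign(name, value), signature)


def harden_url(url, param="waf_sig"):
    """Sign scheme, host, path and query of a static link found in a response."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    base = urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), ""))
    query.append((param, _sign(base)))
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), parts.fragment))


def verify_hardened_url(url, param="waf_sig"):
    """True only if exactly one signature is present and it covers the rest of the URL."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    signatures = [v for k, v in query if k == param]
    rest = [(k, v) for k, v in query if k != param]
    if len(signatures) != 1:
        return False
    base = urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(rest), ""))
    return hmac.compare_digest(_sign(base), signatures[0])


if __name__ == "__main__":
    name, sig = sign_cookie("session", "abc123")
    print(name, verify_cookie("session", "abc123", sig), verify_cookie("session", "abc124", sig))
    link = harden_url("https://www.example.com/?view=article&id=1")
    print(link, verify_hardened_url(link))
    # A GET form whose action is this link appends its fields to the query, which
    # breaks the URL signature: exactly the case form hardening is there to accept.
    print(verify_hardened_url(link + "&q=search"))
```

The last line of the demo is the second bullet above in code: the signed link verifies, the same link with a GET form's fields appended does not, and with only URL hardening enabled that legitimate request would be rejected. The signature rides along with the URL, so the scheme only proves that the link came from a response the WAF saw; it does not hide the parameters, and anyone who can read a hardened link can replay it unchanged.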

Authentication Policies

The Authentication Policies menu allows you to configure policies for direct authentication.

You can use the Web Application Firewall (WAF) to authenticate users itself instead of leaving authentication to the web servers. Via authentication profiles, this reverse authentication can be assigned, with specific authentication settings, to each site path route.

Note: You can also view and manage the WAF status on the System > Hosts and Services > Services page.

This page displays all existing web application authentication profiles. For each authentication policy, the list shows:

Name

Name of the authentication policy.

Add Authentication Policy

This page describes how to add a web app authentication policy.

1. Go to Protect > Web Server > Authentication Policies and click Add.

2. Enter a unique Name for the authentication profile.

3. Enter a Description for the authentication policy.

4. Specify the Client Authentication details.

Mode

Select how the users should authenticate at the Web Application Firewall.

Basic: Users authenticate with HTTP basic authentication, entering username and password. In this mode, no session cookies will be generated and a dedicated logout is not possible.

Note: As the credentials are sent unencrypted in this mode we strongly recommend that you use this mode over HTTPS.

Form: Users will be presented with a form where they have to enter their credentials. In this mode, session cookies will be generated and a dedicated logout is possible. The form template to be used can be selected in the Web App Auth Template list. Besides the default form template, the list shows the forms that have been defined on the Authentication Templates page.

Basic Prompt (available only if Basic mode is selected)

The realm is a unique string that provides additional information on the login page and is used for user orientation.

Note: These characters are allowed for the Basic Prompt: A-Z a-z 0-9 , ; . : - _ ' + = ) ( & % $ ! ^ < > | @

Web App Auth Template (available only if Form mode is selected)

Select the form template that will be presented to the users for authentication. Form templates are defined on the Authentication Templates page.

Users or Groups

Select the users or user groups that should be assigned to this web app authentication profile or create a new one. After assigning this profile to a site path route, these users will have access to the site path with the authentication settings defined in this profile. Typically, this would be a backend user group.

You can create a new user directly from this page or from the Configure > Authentication > Users page. See Registering a New User on page 417.

You can create a new group directly from this page or from the Configure > Authentication > Groups page. See Creating a New User Group on page 412.

Note: Sometimes users should be required to use the user principal name notation 'user@domain' when entering their credentials, for example when using Exchange servers in combination with Active Directory servers.

5. Specify the Authentication Forwarding details.

Mode

Select how the Web Application Firewall authenticates against the web servers. The mode has to match the web servers' authentication settings.

Basic: Authentication works with HTTP basic authentication, providing username and password.

None: There is no authentication between WAF and the web servers. Note that even if your web servers do not support authentication, users will be authenticated via the frontend mode.

Username affix (available only if authentication forwarding mode Basic is selected)

Select the type of affix for the username and specify a value for it. Affixes are useful when working with domains and email addresses.

• None

• Prefix

• Suffix

• Prefix & Suffix

Note: The prefix and suffix are added automatically if the user enters only the username. They are not added if the user enters them. Example: If the suffix is @testdomain.de and the user enters only the username test.user, the suffix @testdomain.de is added. If the user enters test.user@testdomain.de, the suffix is ignored.

Remove Basic Header (available only if authentication forwarding mode None is selected)

Enable this if you do not want to send the basic header from Sophos XG Firewall to the web server.

6. Specify the User Session details (available only if client authentication mode Form is selected).

Session Timeout

Enable to set a timeout for the user session, which will confirm the user's credentials by requiring the user to log in again if he does not perform any action.

Default: ON

Limit to (available only if Session Timeout is selected)

Set an interval for the session timeout.

Default: 5 minutes.

Session Lifetime

Enable to limit the time users may remain logged in, regardless of the activity in the meantime.

Default: ON


Limit to (available only if Session Lifetime is selected)

Set a value for the session lifetime.

Default: 8 hours.


Figure 248: Add Web App Authentication Policy

7. Click Save.

Authentication Templates

The Authentication Templates menu allows you to upload HTML forms for reverse authentication.

A web application authentication template can be assigned to an authentication profile with frontend mode Form. The respective form will be presented when a user tries to access a site path to which the authentication profile is assigned.

This page displays all existing web application authentication templates. For each template, the list shows:

Name

Name of the template.

Template

Filename of the template.

Add Authentication Template

This page describes how to add a web application authentication template.

1. Go to Protect > Web Server > Authentication Templates and click Add.

2. Specify the following:

Name

Enter a unique name for the template.

Description

Enter a description for the template.

HTML template

Select an HTML template.

Images/Stylesheet

Select images, stylesheets, or JavaScript files that are used by the selected template.

3. Click Upload.


Figure 249: Add Web App Auth Template

4. Click Save.

SlowHTTP Protection

This page describes how to activate SlowHTTP protection and define the keys used for cookie signing and URL hardening.

The SlowHTTP Protection page helps to protect against Slow HTTP attacks by setting a timeout for request headers.

For more information, see the Sophos Knowledge Base.

1. Go to Protect > Web Server > SlowHTTP Protection.

2. Specify the SlowHTTP Protection Settings:

Timeout for request headers

Click the toggle switch to activate SlowHTTP Protection.

Soft limit

Enter the minimum amount of time to receive a request header.

Default: 10 seconds

Note: The hard limit needs to be greater than the soft limit.

Hard limit

Enter the maximum amount of time to receive the request header.

Default: 30 seconds

Extension rate

Enter the amount of data volume which extends the timeout.

With the extension rate, you can increase the minimal timeout according to the data volume. For example, the soft limit allows at least 10 seconds to receive request headers, the extension rate is 500 bytes, and the hard limit is set to 30 seconds. If the client now sends data, the soft limit timeout increases by 1 second for every 500 bytes received. After 30 seconds the client will be disconnected.

Default: 5000 Bytes

Skipped Networks/Hosts

Select or add networks/hosts that should not be affected by SlowHTTP Protection.
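The timeout calculation above, worked through as an added Python example (not Sophos code; the client traffic patterns are constructed): the deadline for finishing the request headers starts at the soft limit, grows by one second per extension-rate bytes received, and is capped at the hard limit. A slow-header client that trickles bytes is cut off as soon as it falls behind that growing deadline, while a client whose data keeps pace is still cut off at the hard limit if its headers never finish.

```python
def header_deadline(soft_limit: float, hard_limit: float,
                    extension_rate: int, bytes_received: int) -> float:
    """Seconds a client may take to finish its request headers.

    Starts at the soft limit, grows one second per `extension_rate` bytes
    already received, and never exceeds the hard limit.
    """
    if hard_limit <= soft_limit:
        raise ValueError("hard limit must be greater than soft limit")
    if extension_rate <= 0:
        raise ValueError("extension rate must be a positive number of bytes")
    return min(hard_limit, soft_limit + bytes_received // extension_rate)


def simulate_client(chunks, soft_limit=10, hard_limit=30, extension_rate=500):
    """Replay header chunks against the timeout rule.

    chunks: list of (arrival_time_seconds, bytes_in_chunk, headers_complete).
    Returns ("accepted", t) or ("disconnected", t).
    """
    received = 0
    for t, size, complete in chunks:
        deadline = header_deadline(soft_limit, hard_limit, extension_rate, received)
        if t > deadline:
            return ("disconnected", t)   # chunk arrived after the deadline expired
        received += size
        if complete:
            return ("accepted", t)
    # Headers never finished: the connection dies when the final deadline passes.
    return ("disconnected", header_deadline(soft_limit, hard_limit, extension_rate, received))


def legitimate_client():
    # Constructed: a normal browser sends the whole 600-byte header at once.
    return simulate_client([(0.3, 600, True)])


def slowloris_client():
    # Constructed: one byte every 9 seconds, headers never finished.
    return simulate_client([(9 * i, 1, False) for i in range(1, 6)])


def steady_slow_client():
    # Constructed: 1000 bytes every 2 seconds, headers never finished.
    # The deadline keeps pace with the data until the 30-second hard limit.
    return simulate_client([(2 * i, 1000, False) for i in range(1, 20)])
```

With the defaults (10 s soft, 30 s hard, 500 bytes per extra second) the trickling client is disconnected at 18 s, because after its first byte the deadline is still 10 s; the steady client survives until its chunk at 32 s exceeds the hard limit.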

Figure 250: SlowHTTP Protection Settings

3. Click Apply.

Advanced Threat

This chapter describes how to configure the advanced threat features of Sophos XG Firewall.

Advanced threat features are:

• Advanced Threat Protection

• Security Heartbeat

Those features require a valid Network Protection subscription.

Advanced Threat Protection

This page allows the administrator to configure the Advanced Threat Protection feature.

ATP can help rapidly detect infected or compromised clients inside the network and raise an alert or drop the respective traffic.

Advanced Threat Protection analyzes network traffic, e.g., DNS requests, HTTP requests, or IP packets in general, coming from and going to all networks. It also incorporates Intrusion Prevention and Antivirus data if the respective features are activated.

Note: Advanced Threat Protection is a subscription module and must be subscribed to before use.

General Settings

Enable Advanced Threat Protection

By default Advanced Threat Protection is disabled. To enable Advanced Threat Protection, click on the slider. This will make several setting fields editable.

Logging (available only if Enable Advanced Threat Protection is enabled)

Logging is enabled. You can change the log setting by clicking Change log settings or by navigating to the Configure > System Services > Log Settings page and clicking Add Syslog Server.

Policy

Select the security policy that the Advanced Threat Protection system should use if a threat has been detected.

Available Options:


Log and Drop - The data packet will be dropped and logged.

Log Only - The data packet will be logged.

Network/Host Exceptions

Add or select the source networks or hosts that should be exempt from being scanned for threats by Advanced Threat Protection. How to add an IP host is explained on the System > Hosts and Services > IP Host page.

Threat Exceptions

Add destination IP addresses or domain names that you want to skip from being scanned for threats by Advanced Threat Protection.

Caution: Be careful with specifying exceptions. By excluding sources or destinations you may expose your network to severe risks.

Figure 251: Advanced Threat Protection


Security Heartbeat

The Security Heartbeat tab allows you to configure the Security Heartbeat feature to share health information.

Security Heartbeat connects cryptographically secured endpoints and Sophos XG Firewall via Sophos Central.

This allows information to be exchanged between endpoint devices and Sophos XG Firewall. This information gives a comprehensive overview of the network security. The administrator is able to define policies for network access based on the health status of the endpoint. The Security Heartbeat widget on the Control Center page provides the health status of all endpoint devices.

Note: If traffic will be routed through a VPN connection before the heartbeat connection has been established, the heartbeat traffic will also be routed through the VPN tunnel and thus, the firewall cannot see this heartbeat traffic and marks the endpoint as missing. When the endpoint is in missing state, all traffic through the firewall from this endpoint will be blocked.

Note: A missing heartbeat will not be detected by Sophos XG Firewall if the endpoint is located behind an intermediate router. This does not lead to false results and the endpoint will still share the health status.

Security Heartbeat is not supported if the router is a NAT gateway, i.e. the endpoints do not share the health status with Sophos XG Firewall.

Endpoint devices and users need to authenticate via Sophos Central to connect to Sophos XG Firewall. The authentication works via a client which is available on Sophos Central and must be installed on the endpoint device.

Once the installation is completed, the endpoint uses Sophos Endpoint Security and Control, which is an integrated suite of security software, for example, antivirus, behavior monitoring and live protection. Sophos Endpoint Security and Control ensures that the endpoint device belongs to the system and has the permission to access the network.

Note: For more information and documentation about Sophos Endpoint Security and Control, visit the Sophos Website.

At regular intervals, the endpoint sends a heartbeat signal to Sophos XG Firewall to show that it is alive. Furthermore, the endpoint also informs Sophos XG Firewall about potential threats. If Sophos Endpoint Security and Control detects any threats, the endpoint sends this information to Sophos XG Firewall, which declares the endpoint's health status. Depending on the user policy, which defines the permissions for the different health statuses, the endpoint may not be able to connect to networks, zones or services.

Note: You can enable Security Heartbeat and set the Minimum Heartbeat Permitted in the User / Network Rule, which is managed on the Firewall > Add User / Network Rule page in the Security Heartbeat section.

Note: A description of the endpoints' health status colors can be found on the Health Status page.

To use Security Heartbeat you need to register with your Sophos Central account. If you do not have an account you can create a new one. For more information about Sophos Central, see: https://www.sophos.com/en-us/lp/sophoscentral.aspx

Note: Sophos XG Firewall does not support Security Heartbeat with bonded interfaces on Mac endpoints.

Related concepts

Control Center on page 14

User / Network Rule on page 52

User/Network Rule is used to define access rights and protection to the network objects/hosts. In a nutshell, if you want to control traffic by source, service, destination, zone, then use a Network Rule. Additionally, the administrator has the option to attach user identity to a rule in order to customize access of assorted hosts/servers. Such an identity based rule is considered a User Rule.

Health Status

This page gives an overview of the health status of endpoints.

The health status can be red, yellow or green. If you are viewing multiple devices, the color together with the label indicates the status of the device with the worst health.

Red labeled "At risk"

You should take action. One or more of the following issues have occurred:

• Active malware has been detected or there might be active malware.

• Running malware has been detected.

• Malicious network traffic has been detected. This traffic might be headed to a command-and-control server involved in a botnet or other malware attack.

• Communications sent to a known bad host have been detected. This is based on the IP address or DNS resolution.

• Malware has not been cleaned up.

• Sophos security software is not working correctly. The device or devices might not be protected.

Red labeled "Missing"

You might need to take action. One or more of the following issues occurred:

• The endpoint is not sending heartbeat messages but is still using the network.

• The endpoint might be compromised or broken.

Yellow labeled "Warning"

If you are very sensitive to security issues, you should take action. One of the following issues occurred:

• Inactive malware has been detected.


• A Potentially Unwanted Application has been detected.

Green

You do not need to do anything.

• Sophos security software is working correctly.

• No active malware has been detected.

• No inactive malware has been detected.

• No Potentially Unwanted Application has been detected.

Security Heartbeat Global Configuration

This page describes how to log in with your Sophos Central account and enable Security Heartbeat.

1. Go to Protect > Advanced Threat > Security Heartbeat.

2. Specify the Sophos Central login details.

Email Address

Enter the email address of your Sophos Central account.

Password

Enter the password of your Sophos Central account.

Note: You can also create a Sophos Central account by clicking Create Sophos Central Account.

3. Click Register.

You are registered with your Sophos Central ID to the Sophos XG Firewall. Security Heartbeat is enabled.

4. Add zones to the Missing Heartbeat Zones field.

Missing heartbeats will be detected only in these zones.

Note: If a zone is blocked by a policy but no zone is added here, in the Control Center the Security

Heartbeat widget shows "Missing".

5. Click Apply.

If you disable Security Heartbeat you are still registered with your Sophos Central account. This is a comfort function of Sophos XG Firewall and has no network security value.

To clear your registration from Sophos XG Firewall, click Clear Registration.

Sandstorm Activity

Activity records provide basic information such as the date and time on which files were sent to Sandstorm. They also indicate analysis and release status. Use the links provided to view report details and release files.

To filter the list, click the Filter button and specify criteria. For example, you can filter on a date range or file type.

To view details of a Sandstorm analysis, click Show report. Reports contain the following:

• Download details, for example, the source and download time

• File details, for example, the file name and type

• Result of the Sandstorm analysis

• Description of the potential threats contained by the file

• A list of all users who have downloaded the file

To release a file, click Release Now. When you release a file, users can download it immediately. Only files that are currently being analyzed or that have been returned with error status are eligible for release.

Sandstorm continues to analyze the file even if you release it.

CAUTION: Releasing an item before the analysis is complete may result in the downloading of malicious content.


Date

Date and time on which the file was sent to Sandstorm.

Recipient

IP address and user name associated with the download.

Source

Domain or IP address from which the user downloaded the file and the download type (web or email).

File Type

Type of file downloaded.

Status

Status of the analysis.

Manage

View release status and release files.

Sandstorm Settings

Use these settings to specify cloud location and files to exclude from Sandstorm analysis.

Cloud Location

Files to be analyzed by Sandstorm are transmitted using a secure SSL connection to a data center in the cloud. Data centers are located in the United States and Europe. By default, Sandstorm selects the closer data center according to the location of the device. You can override the default behavior by selecting a data center.

Note: Changing data centers may affect any analysis that is currently in progress.

Exclude File Types

A file type is a classification that is determined by file extension and MIME header. Click Add New Item and select file types that you do not want to send to Sandstorm for analysis. Exclusions apply to web and email traffic.

Note: Any archive that includes a file of the selected type will also be excluded, regardless of what other types of files that archive may contain.

Note: Although you can add an exclusion for any type of file, many file types that are considered safe (for example, images) will never be sent to Sandstorm. Only risky file types that Sandstorm can detonate and analyze will be sent.

Related concepts

File Types on page 146

A file type is a classification that is determined by file extension and MIME header. You can include file types in web policies to control access to files that match the specified criteria. The default file types contain some common criteria and you can create additional types.

Configure

VPN

The VPN menu allows you to configure required IPsec, L2TP, PPTP and SSL VPN connections and connections with a Cisco VPN Client. Also, the section allows certificate and bookmark management required in the configured VPN connections.


A virtual private network (VPN) is a tunnel that carries private network traffic from one endpoint system to another over a public network such as the Internet, without the traffic being aware that there are intermediate hops between the endpoints, or the intermediate hops being aware that they are carrying the network packets that traverse the tunnel. The tunnel may optionally compress and/or encrypt the data, providing enhanced performance and some measure of security. A VPN allows you to pretend you are using a leased line or a direct telephone call to communicate between the endpoints. VPNs allow users and telecommuters to connect to their corporate intranets or extranets.

VPNs are cost-effective because users can connect to the Internet locally and tunnel back to connect to corporate resources. This not only reduces overhead costs associated with traditional remote access methods, but also improves flexibility and scalability. For all business people traveling or working from home, connecting securely to the corporate network is essential. With the device, setting up a VPN is almost effortless.

The two endpoints in a device VPN are referred to as:

Local - First endpoint is the local machine itself.

Remote - Second endpoint is the remote peer - the machine you are trying to establish a VPN connection to, or the machine which is trying to establish a VPN connection with you.

Device VPN automatically encrypts the data and sends it to the remote site over the Internet, where it is automatically decrypted and forwarded to the intended destination. Encryption protects the integrity and confidentiality of the data even when it is transmitted over the untrusted public network. The device uses the IPsec standard to protect traffic. In IPsec, the identity of communicating users is checked by user authentication based on digital certificates, public keys or preshared keys.

Device ensures that all the VPN traffic passing through the VPN tunnels is threat free. All the firewall rules and policies are applicable to the traffic going into the VPN tunnels and coming out of the VPN tunnels. Device inspects all the traffic passing through the VPN tunnels and makes sure that there are no viruses, worms, spam, and inappropriate content or intrusion attempts in the VPN traffic. As VPN traffic is by default subjected to the DoS inspection, the device provides a facility by which one can bypass scanning of traffic coming from certain hosts from a VPN zone. The above functionality is achieved by adding one additional zone called VPN zone. VPN traffic passes through the VPN zone and a firewall rule can be applied to the VPN zone.

Device can be used to establish VPN connection between sites, LAN-to-LAN and client-to-LAN connection. VPN is the bridge between local & remote networks/subnets.

Device supports following protocols to authenticate and encrypt traffic:

• Internet Protocol Security (IPsec)

• Layer Two Tunneling Protocol (L2TP)

• Point-to-Point Tunneling Protocol (PPTP)

• Secure Socket Layer (SSL)

IPsec Connections

The IPsec menu allows you to create and manage IPsec connections and failover groups.

IP Security (IPsec) is a suite of protocols designed for cryptographically secure communication at the IP layer (layer 3).

IPsec protocols:

Authentication Header (AH) – Used for the authentication of packet senders and for ensuring the integrity of packet data. The authentication header protocol (AH) checks the authenticity and integrity of packet data. In addition, it ensures that sender and receiver IP addresses have not been changed during transmission. Packets are authenticated using a checksum created by using a hash-based message authentication code (HMAC) in connection with a key.

Encapsulating Security Payload (ESP) – Used for encrypting the entire packet and for authenticating its contents. In addition to encryption, ESP provides the ability to authenticate senders and verify packet contents.

This page contains two (2) sections:

1. IPsec Connections

2. Failover Groups


IPsec Connections

The IPsec Connections section displays a list of all the IPsec connections. You can filter the list based on name, group name, policy name, connection type, and status of the connection. The page also provides the option to add a new connection, update the parameters of the existing policy, or delete a policy. In addition, you can create a connection manually or through the connection wizard. In case of a remote access connection export the connection configuration by clicking the Export icon under the Manage column.

Note: You can also view and manage active IPsec connections on the System > Current Activity > IPsec Connections page.

The status of each connection is indicated by an icon in the Active Connection column. The possible states are:

Active but not connected: Click the icon to initiate the connection.

Active and connected: Click the icon to disconnect the connection. When you disconnect, the connection will be deactivated. To re-establish the connection, activate the connection.

Active but only partially connected: Click the icon to disconnect the connection. When multiple subnets are configured for LAN and/or remote network, the device creates a sub-connection for each subnet. This status indicates that one of the sub-connections is not active.

Inactive: Click the icon to activate the connection.

Failover Group

Connection Failover

Connection Failover is a feature that enables you to provide an automatic backup connection for VPN traffic and provide “Always ON” VPN connectivity for IPsec connection. If the primary connection fails, the subsequent connection in the group will take over without manual intervention and keep traffic moving. The entire process is transparent to users.

Connection Failback

During a connection failure, the device checks the health of a primary connection every 60 seconds. When the primary connection is restored without the administrator’s intervention, the secondary connection fails back to the primary connection.

Connection Failover Group

A VPN group is a grouping of IPsec connections. The phase 1 and phase 2 security parameters for each connection in a group can be different or identical except for the IP address of the remote gateway. The order of connections in the group defines the failover priority of the connection. Failover to the next connection will not occur if the group is manually deactivated.

The failover group containing the connection must be activated for the first time before participating in the failover.

Failover to the next connection will not occur if the group is manually disconnected.

When the primary connection fails, the subsequent active connection in the group takes over without manual intervention and keeps traffic moving. For example, if the connection established using the 4th connection in the group is lost, then the 5th connection will take over. Once the 4th connection is restored, the 5th connection will automatically fail back to the 4th connection.

The device considers a Site to Site or Host to Host connection a failed connection if the remote peer does not reply.


Connections that are not a part of the connection group do not participate in failover/failback process and such connections will not be re-established automatically if lost.

To configure connection failover, you have to:

• Create connections.

• Create a failover group. A failover group is created by grouping all the connections that are to be used for failover.

The order of connections in the group defines the failover priority of the connection.

• Define a failover condition.

Prerequisites

• Packets of the protocol specified in the failover condition must be allowed from the local server to the remote server, and their replies on both the local and the remote server.

• A connection can only be a member of a single group.

• A connection must be ACTIVE to participate in failover.

Procedure

1. Once the connection is added as a member of the group, DPD is configured as “Disable”, Key Negotiation Tries as 3, and Action on VPN Restart as “Disable”.

2. Once the connection is removed from the group, the original policy and connection configuration will be considered.

3. If the connection is already established at the time of adding it in the failover group, it will get disconnected.

4. On factory reset, failover configuration will not be retained.

The Failover Group section displays the list of created failover groups. You can filter or sort the groups based on group name. You can add a new group, update, or delete the group. In addition, the list displays the status of each group with an icon that indicates whether the group is active or inactive.
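The failover and failback behaviour described above, as an added Python model rather than the device's implementation (the connection names, the event timeline and the modelling of a failed connection as a peer that does not reply are constructed assumptions): at each 60-second health check the group is walked in priority order and the first reachable connection carries traffic, so a restored higher-priority connection automatically takes traffic back, and a manually deactivated group never switches.

```python
HEALTH_CHECK_INTERVAL = 60  # seconds between health checks, as stated in the guide


class FailoverGroup:
    """Ordered IPsec connections; list position is the failover priority.

    Constructed model: a connection has failed when its remote peer does not reply.
    """

    def __init__(self, connections):
        self.connections = list(connections)
        self.active = True                                   # manual group activation
        self.peer_replies = {c: True for c in self.connections}
        self.current = None                                  # connection carrying traffic

    def set_peer_reply(self, connection, replies: bool):
        self.peer_replies[connection] = replies

    def health_check(self):
        """Return the connection that should carry traffic after this check."""
        if not self.active:
            return self.current        # deactivated group: no failover and no failback
        for c in self.connections:     # first replying peer = highest-priority usable one
            if self.peer_replies[c]:
                self.current = c
                return c
        self.current = None            # every peer silent: nothing left to fail over to
        return None


def run_timeline(events, connections=("conn1", "conn2", "conn3", "conn4", "conn5")):
    """Replay peer reachability changes and record the chosen connection per check.

    events: {time_seconds: [(connection, replies), ...]}, applied before the check at that time.
    """
    group = FailoverGroup(connections)
    history = []
    last = max(events) if events else 0
    for t in range(0, last + 1, HEALTH_CHECK_INTERVAL):
        for connection, replies in events.get(t, []):
            group.set_peer_reply(connection, replies)
        history.append((t, group.health_check()))
    return history


def guide_example():
    """The guide's 4th/5th connection case: conn1 to conn3 are already down."""
    events = {
        0: [("conn1", False), ("conn2", False), ("conn3", False)],
        60: [("conn4", False)],     # conn4's peer stops replying: conn5 takes over
        180: [("conn4", True)],     # conn4 restored: traffic fails back automatically
    }
    return run_timeline(events)


def deactivated_group_example():
    """A deactivated group stays on its current connection even if the peer goes silent."""
    group = FailoverGroup(["conn1", "conn2"])
    group.health_check()            # establishes conn1
    group.active = False
    group.set_peer_reply("conn1", False)
    return group.health_check()     # still conn1: no failover while deactivated
```

guide_example() yields conn4 at 0 s, conn5 from 60 s, and conn4 again at 180 s once its peer answers; the same walk also shows why connections outside the group never participate, since only group members are checked.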

Types of IPsec Connections

IPsec connection is the encrypted VPN connection established between two systems using the Internet protocol security (IPsec). It can link two hosts, two sites or remote user and a LAN.

The device supports following types of IPsec connections:

Remote Access – This type of VPN is a user-to-internal network connection via a public or shared network. Many large companies have employees that need to connect to the internal network from the field. These field agents access the internal network by using remote computers and laptops without a static IP address.

Site to Site – A Site to Site VPN connects an entire network (such as a LAN or WAN) to a remote network via a network-to-network connection. A network-to-network connection requires routers on each side of the connecting networks to transparently process and route information from one node on a local LAN to another node on a remote LAN.

Host to Host – Host to Host VPN connects one desktop or workstation to another station by way of a host-to-host connection. This type of connection uses the network to which each host is connected to create a secure tunnel between the two.

Select one of the following to add a connection:

Add IPsec Remote Access Connection on page 253

Add IPsec Site to Site Connection on page 257

Add IPsec Host to Host Connection on page 262

Add IPsec Remote Access Connection

1. Go to Configure > VPN > IPsec Connections and click Add in the section IPsec Connections.

2. Specify the General Settings details.

Name

Enter a unique name to identify the IPsec connection.

Description

Enter a description for the IPsec VPN connection.

Connection Type

Select Remote Access.

Policy

Select the policy to be used for connection.

Action on VPN Restart

Select the action to be taken on the connection when VPN services or the device restarts.

Available options:

Respond Only – Keeps connection ready to respond to any incoming request.

Disable – Keeps connection disabled until the user activates it.


Figure 252: General Settings

3. Specify the Authentication Details.

Authentication Type

Select the authentication type. Authentication of the user depends on the type of connection.

Available Options: Preshared Key

Preshared Key authentication is a mechanism whereby a single key is used for encryption and decryption. Both peers should possess the preshared key. Remote peer uses the preshared key for decryption. On selecting this option the user needs to provide the following details:

Preshared Key – Specify the preshared key to be used. Preshared key should be of minimum 5 characters.

Confirm Preshared Key – Enter the same preshared key to confirm it.

This preshared key will have to be shared or communicated to the peer at the remote end. At the remote end, the client has to specify this key for authentication. If there is a mismatch in the key, user will not be able to establish the connection.

Digital Certificate

Digital certificate authentication is a mechanism whereby sender and receiver both use a digital certificate issued by the certificate authority. Both sender and receiver must have each other’s certificate authority.

Local Certificate – Select the local certificate that should be used for authentication by the device.

Remote Certificate – Select the remote certificate that should be used for authentication by the remote peer.

Figure 253: Authentication Details

4. Specify the Endpoint Details.

Local

Select local WAN port from the list.

IP aliases created for WAN interfaces will be listed along with the default WAN interfaces.

Remote

Specify an IP address or domain name of the remote peer.

Figure 254: Endpoints Details

5. Specify the Network Details.

IP Family

IP family will be enabled automatically according to the IP selected in local WAN port.

Local Subnet

Select local LAN address.

Add and remove LAN address using Add button and Remove button.

Local ID (available only if Authentication Type selected is Preshared Key)

Select any type of ID from the available options and specify its value.

Available options:

• DNS

• IP Address

• Email Address

• DER ASN1 DN(X.509)

Note: In case of Local Certificate, the ID and its value are displayed automatically as specified in the certificate.

Allow NAT Traversal

Enable NAT traversal if a NAT device is located between your VPN endpoints i.e. when the remote peer has private/non-routable IP address.

At a time only one connection can be established behind one NAT box.

Remote LAN Network

Select IP hosts from the list of available IP hosts.

A new IP host can be created by clicking on Add New Item or through the System > Hosts and Services > IP Host page.

Remote ID (available only if Authentication Type selected is Preshared Key)

For preshared key, select any type of ID from the available options and specify its value.

Available options:

| Configure | 255

• DNS

• IP Address

• Email Address

• DER ASN1 DN(X.509)

Note: If the Authentication Type is Digital Certificate, the ID and its value are taken from the certificate and displayed automatically. For a preshared key, the Remote ID must exactly match the identity the remote peer sends during IKE negotiation; a hostname and the address it resolves to are different identities.


Figure 255: Network Details

6. Specify the User Authentication details.

User Authentication Mode

Select whether user authentication is required when the connection is established.

Available options:

Disabled – Select if user authentication is not required.

Enable as Client – The device authenticates itself to the remote gateway; specify the username and password it presents.

Enable as Server – The device authenticates the remote peer; add all the users who are allowed to connect.

Figure 256: User Authentication

7. Specify the Quick Mode Selectors details.

Protocol

Select the protocol to be negotiated for the tunnel.

The tunnel carries only traffic that uses the selected protocol; with All, any IP protocol is carried.

Available options:

• All

• ICMP

• UDP

• TCP

Local Port (available only if Protocol selected is UDP or TCP)

Specify the local port number that the local VPN peer uses for the TCP or UDP traffic carried by the tunnel.

Acceptable range: 1 – 65535

To specify any local port, enter *.

Remote Port (available only if Protocol selected is UDP or TCP)

Specify the remote port number that the remote VPN peer uses for the TCP or UDP traffic carried by the tunnel.

Acceptable range: 1 – 65535

To specify any remote port, enter *.


Figure 257: Quick Mode Selectors

8. Specify Advanced Settings details.

Disconnect when tunnel is idle

Enable this option to have the device tear down a VPN session that has been idle for longer than the specified idle session time interval.

The default setting is disabled.

Idle session time interval (available only if Disconnect when tunnel is idle is enabled)

Specify the time limit after which an idle VPN session will be deleted by the device.

Acceptable range: 120 to 999

Figure 258: Advanced Settings

9. Click Save.

Add IPsec Site to Site Connection

1. Go to Configure > VPN > IPsec Connections and click Add in the section IPsec Connections.

2. Specify the General Settings details.

Name

Enter a unique name to identify the IPsec connection.

Description

Enter a description for the IPsec VPN connection.

Connection Type

Select Site to Site.

Policy

Select the policy to be used for connection.

A new policy can be added by clicking Create new or through the Configure > VPN > IPsec Profiles page.

Action on VPN Restart

Select the action to be taken on the connection when VPN services or the device restarts.

Available options:

Respond Only – Keeps connection ready to respond to any incoming request.

Disable – Keeps connection disabled until the user activates it.

Initiate – Activates connection on system/service start so that the connection can be established whenever required.


Figure 259: General Settings

3. Specify the Authentication details.

Authentication Type

Select the authentication type. The options available depend on the connection type.

Available options:

Preshared Key

Preshared Key authentication uses a single secret that both peers hold. Each peer proves knowledge of the key during IKE negotiation; the key authenticates the peers, while the keys that encrypt the tunnel traffic are derived separately during that negotiation. On selecting this option, provide the following details:

Preshared Key – Specify the preshared key to be used. The console requires a minimum of 5 characters; treat that as a floor only. A short or guessable key can be recovered by offline dictionary attack (trivially so with IKEv1 aggressive mode, where the authentication hash is sent in the clear), so use a long, randomly generated value.

Confirm Preshared Key – Enter the same preshared key to confirm it.

This preshared key must be communicated to the peer at the remote end, where the client specifies the same key for authentication. If the keys do not match, the connection cannot be established.

Digital Certificate

Digital certificate authentication is a mechanism whereby both peers present an X.509 certificate issued by a certificate authority (CA). Each peer must hold, and trust, the CA certificate that issued the other peer's certificate; otherwise the peer's certificate cannot be verified.

Local Certificate – Select the local certificate that should be used for authentication by the device.

Remote Certificate – Select the remote certificate that should be used for authentication by the remote peer.

RSA Key

RSA Key authentication uses a raw RSA key pair on each peer, without a certificate authority: each peer signs the IKE exchange with its own private key, and the other peer verifies that signature with the corresponding public key.

Local RSA Key – Displays the device's automatically generated public key; it cannot be edited here. Copy it to the remote peer's Remote RSA Key field. The matching private key stays on the device and is never transmitted over the network.

Remote RSA Key – Paste the public key of the remote peer, as displayed in that peer's own Local RSA Key field. The device's own key pair can be regenerated from the CLI console; refer to the console guide for more details.


Figure 260: Authentication Details

4. Specify the Endpoint Details.

Local

Select local WAN port from the list.

IP aliases created for WAN interfaces will be listed along with the default WAN interfaces.

Remote

Specify an IP address or domain name of the remote peer.

Click Add icon next to the option field to add new endpoint pairs or click Remove icon to remove the endpoint pairs.

For any new endpoint pair, specify a failover group name and define the failover condition.

Figure 261: Endpoints Details

5. Specify the Network Details

IP Family

Select IP family to configure IPsec VPN tunnels with mixed IP families.

Available options:

• IPv4

• IPv6

By default, IPv4 will be selected.

Four types of IPsec VPN tunnels can be created:

• 4 in 4 (IPv4 subnets with IPv4 gateway)

• 6 in 6 (IPv6 subnets with IPv6 gateway)

• 4 in 6 (IPv4 subnets with IPv6 gateway)

• 6 in 4 (IPv6 subnets with IPv4 gateway)

Local Subnet

Select local LAN address.

Add and remove LAN address using Add button and Remove button.

Local ID (available only if Authentication Type selected is Preshared Key or RSA Key)

Select any type of ID from the available options and specify its value.

Available options:

• DNS

• IP Address

• Email Address

• DER ASN1 DN(X.509)

Note: If the Authentication Type is Digital Certificate, the ID and its value are taken from the local certificate and displayed automatically.

Allow NAT Traversal

Enable NAT traversal if a NAT device is located between the VPN endpoints, i.e. when the remote peer has a private (non-routable) IP address.

Only one connection at a time can be established from behind a given NAT device.

Remote LAN Network

Select IP hosts from the list of available IP hosts.

A new IP host can be created by clicking Add New Item or through the System > Hosts and Services > IP Host page.

Remote ID (available only if Authentication Type selected is Preshared Key or RSA Key)

Select any type of ID from the available options and specify its value.

Available options:

• DNS

• IP Address

• Email Address

• DER ASN1 DN(X.509)

Note: If the Authentication Type is Digital Certificate, the ID and its value are taken from the certificate and displayed automatically. For a preshared key or RSA key, the Remote ID must exactly match the identity the remote peer sends during IKE negotiation; a hostname and the address it resolves to are different identities.


Figure 262: Network Details

6. Specify the User Authentication details.

User Authentication Mode

Select whether user authentication is required when the connection is established.

Available options:

Disabled – Select if user authentication is not required.

Enable as Client – The device authenticates itself to the remote gateway; specify the username and password it presents.

Enable as Server – The device authenticates the remote peer; add all the users who are allowed to connect.


Figure 263: User Authentication

7. Specify Quick Mode Selectors details.

Protocol

Select the protocol to be negotiated for the tunnel.

The tunnel carries only traffic that uses the selected protocol; with All, any IP protocol is carried.

Available options:

• All

• ICMP

• UDP

• TCP

Local Port (available only if Protocol selected is UDP or TCP)

Specify the local port number that the local VPN peer uses for the TCP or UDP traffic carried by the tunnel.

Acceptable range: 1 to 65535

To specify any local port, enter *.

Remote Port (available only if Protocol selected is UDP or TCP)

Specify the remote port number that the remote VPN peer uses for the TCP or UDP traffic carried by the tunnel.

Acceptable range: 1 to 65535

To specify any remote port, enter *.

Figure 264: Quick Mode Selectors

8. Specify Advanced Settings details.

Disconnect when tunnel is idle

Enable this option to have the device tear down a VPN session that has been idle for longer than the specified idle session time interval.

Default: disabled.

Idle session time interval (available only if Disconnect when tunnel is idle is enabled)

Specify the time limit after which an idle VPN session will be deleted by the device.

Acceptable range: 120 to 999

Figure 265: Advanced Settings

9. Click Save.

Add IPsec Host to Host Connection

This page describes how to create an IPsec Host to Host connection.

1. Go to Configure > VPN > IPsec Connections and click Add in the IPsec Connections section.

2. Specify the General Settings details.

Name

Enter a unique name for the IPsec connection.

Description

Enter a description for the IPsec VPN connection.

Connection Type

Select Host to Host.

Policy

Select the policy to be used for the connection.

A new policy can be added by clicking Create new or on the Configure > VPN > IPsec Profiles page.

Action on VPN Restart

Select the action to be taken on the connection when VPN services or the device restarts.

Available Options:

Respond Only – Keeps the connection ready to respond to any incoming request.

Disable – Keeps the connection disabled until the user activates it.

Initiate – Activates the connection on system/service start so that the connection can be established whenever required.


Figure 266: General Settings

3. Specify the Authentication Details.

Authentication Type

Select the authentication type. The options available depend on the connection type.

Available Options:

Preshared Key – Preshared Key authentication uses a single secret that both peers hold. Each peer proves knowledge of the key during IKE negotiation; the key authenticates the peers, while the keys that encrypt the tunnel traffic are derived separately during that negotiation. On selecting this option, provide the following details:

Preshared Key – Specify the preshared key to be used. The console requires a minimum of 5 characters; treat that as a floor only. A short or guessable key can be recovered by offline dictionary attack (trivially so with IKEv1 aggressive mode, where the authentication hash is sent in the clear), so use a long, randomly generated value.

Confirm Preshared Key – Provide the same preshared key to confirm it.

This preshared key must be communicated to the peer at the remote end, where the client specifies the same key for authentication. If the keys do not match, the connection cannot be established.

Digital Certificate – Digital certificate authentication is a mechanism whereby both peers present an X.509 certificate issued by a certificate authority (CA). Each peer must hold, and trust, the CA certificate that issued the other peer's certificate; otherwise the peer's certificate cannot be verified.

Local Certificate – Select the local certificate that should be used for authentication by the device.

Remote Certificate – Select the remote certificate that should be used for authentication by the remote peer.

RSA Key – RSA Key authentication uses a raw RSA key pair on each peer, without a certificate authority: each peer signs the IKE exchange with its own private key, and the other peer verifies that signature with the corresponding public key.

Local RSA Key – Displays the device's automatically generated public key; it cannot be edited here. Copy it to the remote peer's Remote RSA Key field. The matching private key stays on the device and is never transmitted over the network.

Remote RSA Key – Paste the public key of the remote peer, as displayed in that peer's own Local RSA Key field. The device's own key pair can be regenerated from the CLI console; refer to the console guide for more details.
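The 5-character minimum above is only what the console enforces. The following Python, added here as an example and not part of the Sophos product or this guide, estimates how much guessing work a candidate preshared key represents and generates one that is safe to paste into both peers, for the Remote Access, Site to Site and Host to Host forms above alike. The 128-bit threshold, the alphabet-based entropy estimate and the generator are the example's own assumptions, not Sophos values.

```python
"""Check an IPsec preshared key against the minimum the admin console
enforces (5 characters) and against a stricter practitioner threshold,
and generate a key that clears both.

Added example, not Sophos code. The 5-character minimum comes from the
admin guide; the 128-bit threshold and the generator are assumptions.
"""
import math
import secrets
import string

UI_MIN_CHARS = 5            # minimum the admin console accepts (from the guide)
RECOMMENDED_MIN_BITS = 128  # assumed practitioner threshold, not a Sophos value


def charset_size(psk: str) -> int:
    """Size of the smallest standard alphabet that covers every character."""
    size = 0
    if any(c in string.ascii_lowercase for c in psk):
        size += 26
    if any(c in string.ascii_uppercase for c in psk):
        size += 26
    if any(c in string.digits for c in psk):
        size += 10
    if any(c in string.punctuation for c in psk):
        size += len(string.punctuation)
    if any(c not in string.printable for c in psk):
        size += 128  # rough allowance for non-ASCII characters
    return size


def psk_entropy_bits(psk: str) -> float:
    """Optimistic upper bound on brute-force entropy: assumes every character
    was drawn uniformly from the covering alphabet. A dictionary word or a
    phrase scores far lower in practice, so a pass here is necessary, not
    sufficient."""
    size = charset_size(psk)
    return len(psk) * math.log2(size) if size else 0.0


def check_psk(psk: str) -> dict:
    """Report whether the console would accept the key and whether it also
    clears the assumed practitioner threshold."""
    bits = psk_entropy_bits(psk)
    return {
        "accepted_by_ui": len(psk) >= UI_MIN_CHARS,
        "entropy_bits": round(bits, 1),
        "recommended": len(psk) >= UI_MIN_CHARS and bits >= RECOMMENDED_MIN_BITS,
    }


def generate_psk(nbytes: int = 32) -> str:
    """Random key from the OS CSPRNG; 32 bytes gives 256 bits of entropy and
    the URL-safe alphabet pastes cleanly into both peers' configuration."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    for candidate in ("abcde", "passw0rd!", generate_psk()):  # constructed samples
        print(f"{candidate[:12]:<12} {check_psk(candidate)}")
```

Run it once on the key you intend to use; anything the console accepts but `check_psk` does not flag as recommended should be replaced with the output of `generate_psk()`.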


Figure 267: Authentication Details

4. Specify the Endpoint Details.

Local

Select local WAN port from the list.

IP aliases created for WAN interfaces will be listed along with the default WAN interfaces.

Remote

Specify an IP address or domain name of the remote peer.

Click the add icon next to the option field to add new endpoint pairs or click the remove icon to remove the endpoint pairs.

For any new endpoint pair, specify a failover group name and define the failover condition.

Figure 268: Endpoints Details

5. Specify the Network Details.

Local ID (available only if selected Authentication Type is Preshared Key or RSA Key)

Select any type of ID from the available options and specify its value.

Available Options:

• DNS

• IP Address

• Email

• DER ASN1 DN (X.509)

Note: If the Authentication Type is Digital Certificate, the ID and its value are taken from the local certificate and displayed automatically.

Allow NAT Traversal

Enable NAT traversal if a NAT device is located between the VPN endpoints, i.e. when the remote peer has a private (non-routable) IP address.

Only one connection at a time can be established from behind a given NAT device.

Remote LAN Network (available only if Allow NAT Traversal is enabled)

Select IP hosts from the list of available IP hosts.

A new IP host can be created by clicking Add New Item or on the System > Hosts and Services > IP Host page.

Remote ID (available only if selected Authentication Type is Preshared Key or RSA Key)

Select any type of ID from the available options and specify its value.

Available Options:

• DNS


• IP Address

• Email

• DER ASN1 DN (X.509)

Note: If the Authentication Type is Digital Certificate, the ID and its value are taken from the certificate and displayed automatically. For a preshared key or RSA key, the Remote ID must exactly match the identity the remote peer sends during IKE negotiation; a hostname and the address it resolves to are different identities.
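The Local ID and Remote ID fields on the Remote Access, Site to Site and Host to Host forms above accept four identity types, and the peers only authenticate if the identity one side sends is exactly what the other side expects. The following Python, added as an example and not Sophos code, checks that a value is well-formed for the chosen type and compares two identities the way IKE does, by type and value rather than by DNS resolution. The syntax rules (modelled on the IKE identity forms ID_FQDN, ID_IPV4_ADDR/ID_IPV6_ADDR, ID_RFC822_ADDR and ID_DER_ASN1_DN) and the normalisation in `ids_match` are the example's own assumptions about what the device accepts.

```python
"""Validate and compare the Local ID / Remote ID values used with
preshared-key and RSA-key authentication.

Added example, not Sophos code. The four ID type names are the ones the
admin console lists; the syntax checks are this example's assumptions.
"""
import ipaddress
import re

ID_TYPES = ("DNS", "IP Address", "Email Address", "DER ASN1 DN(X.509)")

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# Attribute types accepted in a DN string (RFC 4514 short names, assumption).
_DN_ATTRS = {"CN", "O", "OU", "C", "ST", "L", "DC", "E", "EMAIL", "SN", "UID"}


def is_fqdn(value: str) -> bool:
    name = value.rstrip(".")
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def is_email(value: str) -> bool:
    local, sep, domain = value.rpartition("@")
    return bool(sep) and bool(local) and " " not in local and is_fqdn(domain)


def parse_dn(value: str) -> list:
    """Split 'C=IN, O=Example, CN=vpn.example.net' into [(ATTR, value), ...].
    Commas inside a value must be backslash-escaped, as in RFC 4514."""
    rdns = []
    for part in re.split(r"(?<!\\),", value):
        attr, sep, val = part.strip().partition("=")
        if not sep or attr.strip().upper() not in _DN_ATTRS or not val.strip():
            raise ValueError(f"bad RDN: {part!r}")
        rdns.append((attr.strip().upper(), val.strip().replace("\\,", ",")))
    return rdns


def is_dn(value: str) -> bool:
    try:
        return len(parse_dn(value)) > 0
    except ValueError:
        return False


_CHECKS = {"DNS": is_fqdn, "IP Address": is_ip,
           "Email Address": is_email, "DER ASN1 DN(X.509)": is_dn}


def validate_id(id_type: str, value: str) -> bool:
    """True if `value` is well-formed for the selected ID type."""
    if id_type not in _CHECKS:
        raise ValueError(f"unknown ID type {id_type!r}; expected one of {ID_TYPES}")
    return _CHECKS[id_type](value)


def ids_match(local_type: str, local_value: str,
              peer_type: str, peer_value: str) -> bool:
    """Would this peer's Remote ID accept what the other peer sends as its
    Local ID? IKE compares the identity payload itself: the type must agree,
    and an FQDN never matches the address it resolves to. DNS names and
    e-mail addresses are compared case-insensitively; DN attribute values
    are compared exactly."""
    if local_type != peer_type:
        return False
    if local_type == "DNS":
        return local_value.rstrip(".").lower() == peer_value.rstrip(".").lower()
    if local_type == "IP Address":
        return ipaddress.ip_address(local_value) == ipaddress.ip_address(peer_value)
    if local_type == "Email Address":
        return local_value.lower() == peer_value.lower()
    return parse_dn(local_value) == parse_dn(peer_value)
```

Use `validate_id` on what you type into the console and `ids_match` on the pair (our Remote ID, their Local ID) before bringing the tunnel up; an identity mismatch fails authentication even when the preshared key is correct.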


Figure 269: Network Details

6. Specify User Authentication details.

User Authentication Mode

Select whether user authentication is required when the connection is established.

Available Options:

Disabled – Select if user authentication is not required.

Enable as Client – The device authenticates itself to the remote gateway; specify the username and password it presents.

Enable as Server – The device authenticates the remote peer; add all the users who are allowed to connect.

Figure 270: User Authentication

7. Specify Quick Mode Selectors details.

Protocol

Select the protocol to be negotiated for the tunnel.

The tunnel carries only traffic that uses the selected protocol; with All, any IP protocol is carried.

Available Options:

• All

• ICMP

• UDP

• TCP

Local Port (available only if Protocol selected is UDP or TCP)

Specify the local port number that the local VPN peer uses for the TCP or UDP traffic carried by the tunnel.

Acceptable range: 1 to 65535

To specify any local port, enter *.

Remote Port (available only if Protocol selected is UDP or TCP)

Specify the remote port number that the remote VPN peer uses for the TCP or UDP traffic carried by the tunnel.

Acceptable range: 1 to 65535

To specify any remote port, enter *.
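The Quick Mode Selectors above (Remote Access, Site to Site and Host to Host) narrow the tunnel to one protocol and, for TCP or UDP, to particular ports. The following Python, added as an example and not Sophos code, models a selector as entered in the console, validates the port fields, decides whether a given flow falls inside the tunnel, and derives the mirrored selector the remote peer has to configure for the two sides to agree. The `Flow` class and the matching logic are the example's own assumptions about how the device applies the selector.

```python
"""Model the Quick Mode Selectors and decide whether a flow is carried by
the tunnel.

Added example, not Sophos code. The protocol list, the 1-65535 port range
and the '*' wildcard come from the guide; the Flow class, the validation
and the local/remote swap for the peer are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

PROTOCOLS = ("All", "ICMP", "UDP", "TCP")
ANY_PORT = "*"  # what you type in the console to mean any port


@dataclass(frozen=True)
class Selector:
    protocol: str
    local_port: str = ANY_PORT   # '*' or a port number as typed, 1-65535
    remote_port: str = ANY_PORT

    def __post_init__(self):
        if self.protocol not in PROTOCOLS:
            raise ValueError(f"protocol must be one of {PROTOCOLS}")
        for field in ("local_port", "remote_port"):
            port = getattr(self, field)
            if self.protocol in ("All", "ICMP"):
                # the console shows the port fields only for TCP and UDP
                if port != ANY_PORT:
                    raise ValueError(f"{field} is not applicable to {self.protocol}")
            elif port != ANY_PORT and not (port.isdigit() and 1 <= int(port) <= 65535):
                raise ValueError(f"{field} must be '*' or 1-65535, got {port!r}")


@dataclass(frozen=True)
class Flow:
    """A packet as seen by the local peer; ports are None for ICMP."""
    protocol: str
    local_port: Optional[int] = None
    remote_port: Optional[int] = None


def port_matches(wanted: str, actual: Optional[int]) -> bool:
    return wanted == ANY_PORT or (actual is not None and int(wanted) == actual)


def selector_allows(sel: Selector, flow: Flow) -> bool:
    """True if the flow falls inside the selector. A flow outside it is not
    protected by this tunnel and is handled by the ordinary firewall rules
    instead, so a selector that is too narrow silently leaves traffic out."""
    if sel.protocol == "All":
        return True
    if flow.protocol != sel.protocol:
        return False
    if sel.protocol == "ICMP":
        return True
    return (port_matches(sel.local_port, flow.local_port)
            and port_matches(sel.remote_port, flow.remote_port))


def peer_view(sel: Selector) -> Selector:
    """What the remote peer has to configure for the selectors to agree:
    its Local Port is our Remote Port and vice versa."""
    return Selector(sel.protocol, sel.remote_port, sel.local_port)


if __name__ == "__main__":
    # Constructed sample: only HTTPS towards the remote side is tunnelled.
    https_only = Selector("TCP", ANY_PORT, "443")
    print(selector_allows(https_only, Flow("TCP", 51234, 443)))  # inside
    print(selector_allows(https_only, Flow("TCP", 51234, 80)))   # outside
    print(peer_view(https_only))
```

Check both directions you expect to use: a selector with a fixed Remote Port of 443 covers client connections from the local side to the remote web server, but not connections the remote side initiates to a local server on 443, which would need a separate connection with the ports the other way round.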


Figure 271: Quick Mode Selectors

8. Specify Advanced Settings details.

Disconnect when tunnel is idle

Enable this option to have the device tear down a VPN session that has been idle for longer than the specified idle session time interval.

Idle session time interval (available only if Disconnect when tunnel is idle is enabled)

Specify the time limit after which an idle VPN session will be deleted by the device.

Acceptable range: 120 to 999

Figure 272: Advanced Settings

9. Click Save.

IPsec Connection Wizard

The IPsec Connection Wizard is an alternative to the Add forms described above for creating a VPN connection.

The wizard is not available if you are managing the device through Sophos Firewall Manager.

The VPN Connection Wizard takes you step-by-step through the configuration of a VPN connection on the device.

After the configuration is completed, the wizard creates a new VPN connection.

Wizard is divided into two panels – Configuration panel and Help panel. Configuration parameters are to be entered in the Configuration panel while the Help panel on left-most side provides the help on the configuration parameters.

First screen of the wizard provides an overview of the configuration steps. You can create three types of connections through wizard:

Remote Access

Site to Site

Host to Host


Creating Remote Access Connection Using VPN Wizard

Go to Configure > VPN > IPsec Connections. Click Wizard and follow the steps given below.

Specify name and description (if required) for a VPN connection and click Start. The Help panel on left-most side provides an overview of each configuration step.

On the Select a Connection Type page

1. Select the connection type Remote Access.

2. Select VPN policy to be applied to the connection traffic. Default policies as well as custom policies applicable to connection will be displayed.

3. Select action to be taken on the connection when VPN services or the device restart.

Available options:

Disable – Connection will be disabled till the user activates it.

Respond Only – Connection in ready state to respond to any incoming request.

4. Click > icon to continue.

On the Authentication Details page

1. Select authentication type.

Available options:

Preshared Key – Specify the preshared key of minimum 5 characters.

This preshared key will have to be shared or communicated to the peer at the remote end. At the remote end, the client will have to specify this key for authentication. Refer to the VPN client guide, Phase 1 Configuration.

If there is a mismatch in the key, the user will not be able to establish the connection.

Digital Certificate – Select the local certificate that should be used for authentication by the device, and the remote certificate that should be used for authentication by the remote peer.

2. Click > to continue.

On the Local Network Details page

1. Select Local WAN Port. Selected port acts as an end-point of the tunnel.

2. Select Local Subnet. Select the local network(s) you wish to give access to remote users via this connection.

3. Select Local ID.

For Preshared Key, select any type of ID and enter its value. DER ASN1 DN (X.509) is not applicable.

For Digital Certificate, the ID and its value configured in the local certificate are displayed automatically.

4. Click > to continue.

On the Remote Network Details page

1. In the Remote VPN Server field specify the IP address or host name of the remote endpoint.

To specify any IP address, enter *.

2. Enable NAT traversal if a NAT device exists between the VPN endpoints, i.e. when the remote peer has a private (non-routable) IP address.

3. Select Remote Subnet. Select the remote network(s) that you wish to access via this connection. This option will be available only if NAT traversal is enabled.

4. Select Remote ID.


For Preshared Key, select any type of ID and enter its value. DER ASN1 DN (X.509) is not applicable.

For Digital Certificate, the ID and its value configured in the certificate are displayed automatically.

5. Click > to continue.

On the User Authentication page

1. Select User Authentication Mode.

Available options:

Disabled – Choose if authentication is not required.

Enable as Client – Enter username and password for authentication by the remote gateway.

Enable as Server – Select all the users that are to be allowed to connect.

2. Click > to continue.

On the IPsec Connection Summary page

The page displays the settings with which the IPsec connection will be created.

Click Finish to create the IPsec connection or click < to go back to the previous page and change the settings.

Creating Site to Site Connection using VPN Wizard

Go to Configure > VPN > IPsec Connections. Click Wizard and follow the steps given below:

Specify name and description (if required) for a VPN connection and click Start. The Help panel on left-most side provides an overview of each configuration step.

On the Select a Connection Type page

1. Select the connection type Site to Site.

2. Select VPN policy to be applied to the connection traffic. Default policies as well as custom policies applicable to connection will be displayed.

3. Select action to be taken on the connection when VPN services or the device restart.

Available options:

Disable – Connection will be disabled until the user activates it.

Respond Only – Connection is in ready state to respond to any incoming request.

Initiate – Initiate to establish the connection every time VPN services or the device restart.

4. Click > icon to continue.

On the Authentication Details page

1. Select authentication type.

Available options:

Preshared Key – Specify the preshared key of minimum 5 characters.

This preshared key will have to be shared or communicated to the peer at the remote end. At the remote end, the client will have to specify this key for authentication. Refer to the VPN client guide, Phase 1 Configuration.

If there is a mismatch in the key, the user will not be able to establish the connection.

Digital Certificate – Select the local certificate that should be used for authentication by the device, and the remote certificate that should be used for authentication by the remote peer.

RSA – The local RSA key is displayed; it can be regenerated from the CLI console (refer to the console guide for more details). Specify the remote RSA key.

2. Click > to continue.

On the Local Network Details page

1. Select Local WAN Port. Selected port acts as an end-point of the tunnel.

2. Select Local Subnet. Select the local network(s) you wish to give access to remote users via this connection.

3. Select Local ID.

For Preshared Key and RSA Key, select any type of ID and enter its value. DER ASN1 DN (X.509) is not applicable.

For Digital Certificate, the ID and its value configured in the local certificate are displayed automatically.

4. Click > to continue.

On the Remote Network Details page

1. In the Remote VPN Server field specify the IP address or host name of the remote endpoint.

To specify any IP address, enter *.

2. Enable NAT traversal if a NAT device exists between the VPN endpoints, i.e. when the remote peer has a private (non-routable) IP address.

3. Select Remote Subnet. Select the remote network(s) that you wish to access via this connection. This option will be available only if NAT traversal is enabled.

4. Select Remote ID.

For Preshared Key and RSA Key, select any type of ID and enter its value. DER ASN1 DN (X.509) is not applicable.

For Digital Certificate, the ID and its value configured in the certificate are displayed automatically.

5. Click > to continue.

On the User Authentication page

1. Select User Authentication Mode.

Available options:

Disabled – Choose if authentication is not required.

Enable as Client – Enter username and password for authentication by the remote gateway.

Enable as Server – Select all the users that are to be allowed to connect.

2. Click > to continue.

On the IPsec Connection Summary page

The page displays the settings with which the IPsec connection will be created.

Click Finish to create the IPsec connection or click < to go back to the previous page and change the settings.

Creating Host to Host Connection using VPN Wizard

Go to Configure > VPN > IPsec Connections. Click Wizard and follow the steps given below:

Specify name and description (if required) for a VPN connection and click Start. The Help panel on left-most side provides an overview of each configuration step.

On the Select a Connection Type page

1. Select the connection type Host to Host.

2. Select VPN policy to be applied to the connection traffic. Default policies as well as custom policies applicable to connection will be displayed.

3. Select action to be taken on the connection when VPN services or the device restart.


Available options:

Disable – Connection will be disabled until the user activates it.

Respond Only – Connection is in ready state to respond to any incoming request.

Initiate – Initiate to establish the connection every time VPN services or the device restart.

4. Click > icon to continue.

On the Authentication Details page

1. Select authentication type.

Available options:

Preshared Key – Specify the preshared key of minimum 5 characters.

This preshared key will have to be shared or communicated to the peer at the remote end. At the remote end, the client will have to specify this key for authentication. Refer to the VPN client guide, Phase 1 Configuration.

If there is a mismatch in the key, the user will not be able to establish the connection.

Digital Certificate – Select the local certificate that should be used for authentication by the device, and the remote certificate that should be used for authentication by the remote peer.

RSA – The local RSA key is displayed; it can be regenerated from the CLI console (refer to the console guide for more details). Specify the remote RSA key.

2. Click > to continue.

On the Local Network Details page

1. Select Local WAN Port. Selected port acts as an end-point of the tunnel.

2. Select Local ID.

For Preshared Key and RSA Key, select any type of ID and enter its value. DER ASN1 DN (X.509) is not applicable.

For Digital Certificate, the ID and its value configured in the local certificate are displayed automatically.

3. Click > to continue.

On the Remote Network Details page

1. In the Remote VPN Server field specify the IP address or host name of the remote endpoint.

To specify any IP address, enter *.

2. Enable NAT traversal if a NAT device exists between the VPN endpoints, i.e. when the remote peer has a private (non-routable) IP address.

3. Select Remote Subnet. Select the remote network(s) that you wish to access via this connection. This option will be available only if NAT traversal is enabled.

4. Select Remote ID.

For Preshared Key and RSA Key, select any type of ID and enter its value. DER ASN1 DN (X.509) is not applicable.

For Digital Certificate, the ID and its value configured in the certificate are displayed automatically.

5. Click > to continue.

On the User Authentication page


1. Select User Authentication Mode.

Available options:

Disabled – Choose if authentication is not required.

Enable as Client – Enter username and password for authentication by the remote gateway.

Enable as Server – Select all the users that are to be allowed to connect.

2. Click > to continue.

On the IPsec Connection Summary page

The page displays the settings with which the IPsec connection will be created.

Click Finish to create the IPsec connection or click < to go back to the previous page and change the settings.

Add VPN Failover Group

A VPN failover group enables you to have an always-on VPN connection. If the primary connection fails, the next connection in the group takes over without manual intervention and keeps traffic moving. The process is transparent to users.

1. Go to Configure > VPN > IPsec Connections and click Add in the section Failover Group.

2. Enter details of the group.

Name

Enter a unique name for the connection group.

Select Connection(s)

The Available Connections list displays the list of connections that can be added to the failover group. Click on the connections to be added to the Member Connections list. The device will select the subsequent active connection from the member connections list if the primary connection fails.

Connections having endpoints of different families can also be added to the failover group.

Top down order of connections in the Member Connections list specifies the failover preference i.e. if the primary connection fails the very next connection in the list will be used by the device to keep the VPN traffic moving.

Once a connection is included in any group, it is no longer displayed in the Available Connections list.

Remote access connections will not be listed in the Available Connections list.

You need to add at least two member connections in a group.

Mail Notification

Enable to receive connection failure notification in case the connection fails. Notification is mailed on the email address configured in the email settings from the Network Configuration Wizard.

Figure 273: Connection Group


Details

Failover Condition

Specify the failover condition. The device checks for connection failure every 60 seconds; if a failure is detected, VPN traffic is moved to the next connection specified in the connection group. A connection is considered failed when its failover condition is not met.

Select the communication protocol, TCP or PING, according to the service to be tested on the remote server or on the local gateway, depending on the type of connection.

The device sends a probe (a TCP request to the specified port, or a ping) and, if there is no response, considers the connection failed and shifts the traffic to the next connection. Probe an address that is reachable only through the tunnel; a target reachable outside it can answer while the tunnel itself is down, and the failover would never trigger.

Configure gateway failover timeout from Configure > Network > WAN Link Manager.

Failover Condition is not applicable if:

• Connection is manually disconnected from either of the ends.

• Connection is not included in any group.
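The following Python, added as an example and not Sophos code, reproduces the selection the failover group makes from the settings above: members are tried in their configured top-down order, each one's TCP or PING condition is probed, and the first that passes carries the traffic. The 60-second interval and the two-member minimum come from the guide; the probe implementations, data classes and timeout values are the example's own assumptions.

```python
"""Reproduce the decision a VPN failover group makes: walk the member
connections in their configured order, test each one's failover
condition, and hand traffic to the first that passes.

Added example, not Sophos code. The 60-second check interval, the TCP/PING
choice and the top-down preference come from the guide; the data classes,
the probe implementations and the timeout values are assumptions.
"""
import socket
import subprocess
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

CHECK_INTERVAL_S = 60  # the device re-evaluates the condition every 60 seconds


@dataclass(frozen=True)
class FailoverCondition:
    protocol: str           # "TCP" or "PING"
    host: str               # remote server or local gateway to test
    port: int = 0           # TCP only
    timeout_s: float = 3.0  # assumed probe timeout, not a documented value

    def __post_init__(self):
        if self.protocol not in ("TCP", "PING"):
            raise ValueError("protocol must be TCP or PING")
        if self.protocol == "TCP" and not 1 <= self.port <= 65535:
            raise ValueError("a TCP condition needs a port in 1-65535")


@dataclass(frozen=True)
class Member:
    name: str                     # IPsec connection name
    condition: FailoverCondition


def tcp_probe(cond: FailoverCondition) -> bool:
    """A request on the configured port: the connection counts as up only if
    the TCP handshake completes within the timeout."""
    try:
        with socket.create_connection((cond.host, cond.port), timeout=cond.timeout_s):
            return True
    except OSError:
        return False


def ping_probe(cond: FailoverCondition) -> bool:
    """One ICMP echo through the system ping binary (raw ICMP sockets would
    need root). Any failure to run ping counts as down."""
    try:
        done = subprocess.run(["ping", "-c", "1", cond.host],
                              stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
                              timeout=cond.timeout_s)
        return done.returncode == 0
    except (OSError, subprocess.TimeoutExpired):
        return False


Probe = Callable[[FailoverCondition], bool]
DEFAULT_PROBES: Dict[str, Probe] = {"TCP": tcp_probe, "PING": ping_probe}


def condition_met(member: Member, probes: Dict[str, Probe] = DEFAULT_PROBES) -> bool:
    return probes[member.condition.protocol](member.condition)


def select_active(members: List[Member],
                  probes: Dict[str, Probe] = DEFAULT_PROBES) -> Optional[Member]:
    """Return the member that should carry VPN traffic now, or None if every
    member's condition fails. Order in `members` is the failover preference;
    the group needs at least two members, as the console enforces."""
    if len(members) < 2:
        raise ValueError("a failover group needs at least two member connections")
    for member in members:
        if condition_met(member, probes):
            return member
    return None


if __name__ == "__main__":
    # Constructed sample group: addresses are documentation ranges, so both
    # probes fail offline and the script reports that no member is usable.
    group = [
        Member("HQ-primary", FailoverCondition("TCP", "192.0.2.10", 443)),
        Member("HQ-backup", FailoverCondition("PING", "198.51.100.10")),
    ]
    active = select_active(group)
    print("active:", active.name if active else "none (all members failed)")
```

The `probes` parameter exists so the selection logic can be exercised with canned results; in the device the probes run every `CHECK_INTERVAL_S` seconds, and a member that is manually disconnected is skipped regardless of its condition, which this example does not model.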

Figure 274: Failover Condition

3. Click Save.


SSL VPN (Remote Access)

The SSL VPN (Remote Access) tab allows control of remote devices connected to your system.

The remote access SSL feature of Sophos XG Firewall is realized by OpenVPN, a full-featured SSL VPN solution.

You can create point-to-point encrypted tunnels between remote employees and your company, requiring both SSL certificates and a username/password combination for authentication. This enables access to internal resources. In addition, a secure User Portal is offered, which can be accessed by each authorized user to download a customized SSL VPN client software bundle. This bundle includes a free SSL VPN client, SSL certificates and a configuration that can be handled by a simple one-click installation procedure. The SSL VPN client supports most business applications such as native Outlook, native Windows file sharing, and many more.

This page displays a list of all available remote policies. For each policy, the list shows:

Name

Displays the name of the SSL VPN remote access policy.

Use as Default Gateway

Displays if and which default gateway is used for the policy.

Description

Displays the description which was entered for the policy.

Figure 275: About SSL

Add SSL VPN Remote Access Policy

This page allows adding SSL VPN remote access policies.

1. Go to Configure > VPN > SSL VPN (Remote Access) and click Add.

2. Specify the General Settings details:

Name

Enter a unique name for the policy.

Description

Enter a description or other information.

Figure 276: General Settings

3. Specify the Identity details:

Policy Members

Click Add New Item to select available users/groups from a list or search for users/groups. When selected, click Apply Selected Items.

Note: You can also view and manage active SSL VPN users on the Monitor & Analyze > Current Activities > Remote Users page.

Selected items are displayed in the list. To remove an item from the list, click the Minus icon on the right of the item.

Figure 277: Identity

4. Specify the Tunnel Access details:

Use as Default Gateway

Activate the toggle switch to use this connection as the client's default gateway. If activated, all client traffic, including external Internet requests, is sent through the tunnel (full tunnel). If deactivated, the client uses split tunneling: only traffic for the permitted network resources goes through the tunnel, while Internet requests use the client's local gateway and are neither protected nor inspected by the firewall.

Permitted Network Resources (IPv4)

Click Add New Item to select available network resources from a list or search for network resources. When selected, click Apply Selected Items.

Selected items are displayed in the list. To remove an item from the list, click the Minus icon on the right of the item.

Permitted Network Resources (IPv6)

Click Add New Item to select available IPv6 network resources from a list or search for network resources. When selected, click Apply Selected Items.

Selected items are displayed in the list. To remove an item from the list, click the Minus icon on the right of the item.


Figure 278: SSL VPN (Remote Access) Tunnel Access

5. Specify the Idle Timeout settings:

Disconnect Idle Clients

Activate/deactivate by clicking the toggle switch. If activated, clients which are idle will be disconnected from the session after a specified time.

Override Global Timeout (Default 15 Minutes) (available only if Disconnect Idle Clients is selected)

Enter a value for the idle timeout in minutes.

Acceptable range: 15 to 60 minutes

Default: 15 minutes


Figure 279: SSL VPN (Remote Access) Idle Timeout

6. Click Apply.

New remote access policies immediately appear on the SSL VPN (Remote Access) list.

Note: For remote access connections to work, check that the LAN and WAN zones are activated for the User Portal on the System > Administration > Device Access page.

SSL VPN (Site to Site)

The SSL VPN (Site to Site) tab allows you to establish secure site-to-site VPN tunnels via an SSL connection.

SSL VPN connections have distinct roles attached. The tunnel endpoints act as either client or server. The client always initiates the connection; the server responds to client requests. Keep in mind that this contrasts with IPsec, where both endpoints normally can initiate a connection.

Server Connections

This section displays a list of all existing SSL VPN site-to-site server connections along with their status, connection name, connection state, local and remote networks, received and sent bytes, and the date of connection. You can sort the list by the connection name or by the local or remote networks. The list displays the status of each connection as follows:

Status

Indicates if the connection is active or not. You can activate/deactivate the connection by clicking the toggle switch.

Connection Name

Displays the name of the connection.

Connection

Indicates the status of the connection: online (green) or offline (red).

Local Networks

Displays the local networks that are allowed to be accessed remotely.

Remote Networks

Displays the remote networks that are allowed to connect to the local network(s).

Bytes

Indicates the number of bytes sent and received through this connection.

Connected Since

Displays the date the connection was established.

Figure 280: Server

Client Connections

This section displays a list of all existing SSL VPN site-to-site client connections along with their status, connection name, connection state, usage of an HTTP proxy server, and received and sent bytes. You can sort the list by the connection name and the usage of the HTTP proxy server. The page also provides options to add, edit, download or delete a connection.

The list displays the status of each connection as follows:

Status

Indicates if the connection is activated or not. You can activate/deactivate the connection by clicking the toggle switch.

Connection Name

Displays the name of the connection.

Connection

Indicates the status of the connection: online (green) or offline (red).

Use HTTP Proxy Server

Displays the HTTP proxy server which is used for the connection.

Bytes

Indicates the number of bytes sent and received through this connection.


Figure 281: Client

Add SSL VPN Site-to-Site Server Connection

This page describes how to add an SSL VPN site-to-site server connection.

1. Go to Configure > VPN > SSL VPN (Site to Site) and click Add in the Server section.

2. Specify the server details:

Connection Name

Enter a descriptive name for the connection.

Description

Enter the description or other information.

Use Static Virtual IP Address

Only select this option if the IP address pool is not compatible with the client's network environment. By default, clients are assigned an IP address from a virtual IP pool. Rarely, it may happen that such an IP address is already in use on the client's host. In that case, enter a suitable IP address in the Static Peer IP field, which will then be assigned to the client during tunnel setup.

Local Networks

Select or add one or more local networks to which remote network(s) are allowed to connect. If you create a new network, you can either add a single IP host or an IP host group.

Remote Networks

Select or add one or more remote networks that are allowed to connect to the local network(s). If you create a new network, you can either add a single IP host or an IP host group.


Figure 282: Add SSL Server Connection

3. Click Save.

The new SSL VPN site-to-site server connection appears on the Server list.

The next step is the client configuration, which has to take place on the client side and not on the server side. Download the client configuration file using the download button provided in the Server list.

Note: If you want to send the file via mail, it is recommended to use the encryption option provided in the download dialog.

How to configure the client is described in the Client section.

Add SSL VPN Site-to-Site Client Connection

This page describes how to add an SSL VPN site-to-site client connection.

1. Go to Configure > VPN > SSL VPN (Site to Site) and click Add in the Client section.

2. Specify the client details:

Connection Name

Enter a descriptive name for the connection.

Description

Enter the description or other information.

Configuration File

Browse for the client configuration file and click Open.

Note:

• The file has to be in .apc or .epc format.

• The file can be downloaded via the download icon in the Manage column of the server list on the System > VPN > SSL VPN (Site to Site) page.

Password (optional)

If the file has been encrypted, enter the password.

Use HTTP Proxy Server (optional)

Activate if the client is located behind a proxy server and enter the proxy settings:

Proxy Server: Select or add a proxy server.

Proxy Port: Enter a proxy port.

Proxy Requires Authentication: Select the checkbox if the client needs to authenticate against the proxy and enter Username and Password.

Override Peer Hostname

Select the checkbox and add or select a Hostname if the server system's regular hostname cannot be resolved from the client host.


Figure 283: Add SSL Client Connection

3. Click Save.

The new SSL VPN site-to-site client connection appears on the Client list.

CISCO™ VPN Client

This page describes how to configure a Cisco VPN client.

CISCO™ VPN Client is software developed by CISCO that runs on Windows systems. It establishes encrypted VPN tunnels with highly secured remote connectivity for remote workers.

1. Go to Configure > VPN > Cisco VPN Client.

2. Specify the General Settings.

CISCO VPN Client

Select to enable CISCO VPN Client.

All the fields will be available for configuration once CISCO VPN Client is enabled.

Default: disabled.

Interface

Select a WAN port to act as endpoint.

IP Aliases created for WAN interfaces will be listed along with the default WAN interfaces.

Authentication Type

Select the authentication type.

Authentication of users depends on the connection type.

Available Options:

Preshared Key - Preshared key authentication is a mechanism whereby a single key is used for encryption and decryption. Both peers should possess the preshared key. The remote peer uses the preshared key for decryption. On selecting this option the user has to provide:

Preshared Key – Specify the preshared key to be used. The preshared key should be of minimum 5 characters.

Confirm Preshared Key – Provide the same preshared key to confirm it.

This preshared key will have to be shared or communicated to the peer at the remote end. At the remote end, the client will have to specify this key for authentication. If there is a mismatch in the key, the user will not be able to establish the connection.

Digital Certificate – Digital certificate authentication is a mechanism whereby sender and receiver both use a digital certificate issued by the certificate authority. Both sender and receiver must have each other’s certificate authority.

Local Certificate – Select the local certificate that should be used for authentication by the device

Remote Certificate – Select the remote certificate that should be used for authentication by the remote peer.

Local ID (available only if Authentication Type selected is Preshared Key)

Specify a value for the local ID selected.

Available Options:

• DNS

• IP Address

• Email

• DER ASN1 DN (X.509)

Note: DER ASN1 DN (X.509) cannot be used for Preshared Key authentication.

If Digital Certificate is selected, the ID and its value are displayed automatically as specified in the Local Certificate.

Remote ID

Select a value for the remote ID selected.

Available Options:

• DNS

• IP Address

• Email

• DER ASN1 DN (X.509)

Note: DER ASN1 DN (X.509) cannot be used for Preshared Key authentication.

Allowed User

Select all the users who are to be allowed to connect to the configured CISCO VPN client.


Figure 284: General Settings

3. Specify the Client Information.

Name

Enter a unique name for the connection.

Assign IP from

Specify the IP address range.

The device will lease the IP address to the Cisco IPsec client from the specified IP address range.

Note: Do not configure the above IP address range in L2TP or PPTP configuration.

Allow leasing IP address from Radius server for L2TP, PPTP and CISCO VPN Client

Click to lease the IP address to the L2TP, PPTP and CISCO VPN client users through the Radius server.

Radius is a protocol that allows network devices to authenticate users against a central database. It can also store technical information used by network devices.

If enabled, the configured IP address is overridden with the IP address provided by the Radius server.

DNS Server 1

Provide a DNS server IP address to be pushed to CISCO VPN clients.

DNS Server 2

Provide a DNS server IP address to be pushed to CISCO VPN clients.

Figure 285: Client Information


4. Specify the Advanced Settings.

Disconnect when tunnel is idle

Click to allow the device to delete an idle VPN session if it exceeds the specified idle session time interval.

Idle session time interval (available only if Disconnect when tunnel is idle option is enabled)

Specify the time limit after which an idle VPN session will be deleted by the device.

Acceptable Range: 120 to 999

Apply

Click to accept and save the Cisco VPN client configuration.

Export Connection (available only if a Cisco VPN connection is configured)

Click to export Cisco VPN client configuration.

Once the .tgb file has been exported, it has to be passed to the client.

On the client side, the client needs the Sophos IPsec client to import the .tgb file and establish a connection to Sophos XG Firewall.

The Sophos IPsec VPN client may be downloaded from https://www.sophos.com/en-us/support/utmdownloads.aspx.

Note: You cannot export the connection when an external certificate is selected as Remote Certificate.

Reset

Click to delete the entire Cisco VPN client configuration.


Figure 286: Advanced Settings

L2TP (Remote Access)

The L2TP Connections page displays a list of all the L2TP connections and you can sort the list based on the connection name. The page also provides the option to add a new connection, update existing connections, or delete a connection. The page displays the status of each connection as follows:

Connection Status (Active Connection icon) – Description

• Active but not connected – Connection is active but not connected. Click to initiate the connection.

• Active and connected – Connection is active and connected. Click to disconnect the connection. When you disconnect, the connection will be deactivated; to re-establish the connection, click again to activate the connection.

• Inactive – Connection is inactive. Click to activate the connection.

Add L2TP Connection

This page describes how to create an L2TP connection.

1. Go to Configure > VPN > L2TP (Remote Access) and click Add.

2. Specify the General Settings.

Name

Enter a unique name for the L2TP connection.

Description

Enter a description for the L2TP connection.

Policy

Select a policy to be used for the connection.

A new policy can be added by clicking Create New.

Action on VPN Restart

Select the action to be taken on the connection when VPN services or the device restart.

Available Options:

Respond Only – Keeps the connection ready to respond to any incoming request.

Disable – Keeps the connection disabled until the user activates it.


Figure 287: General Settings

3. Specify the Authentication Details.

Authentication Type

Select the authentication type. Authentication of the user depends on the type of connection.

Available Options:

Preshared Key – Preshared key authentication is a mechanism whereby a single key is used for encryption and decryption. Both peers should possess the preshared key. The remote peer uses the preshared key for decryption. On selecting this option, the user has to provide the following details:

Preshared Key – Specify the preshared key to be used. The preshared key should be of minimum 5 characters.

Confirm Preshared Key – Provide the same preshared key to confirm it.

This preshared key will have to be shared or communicated to the peer at the remote end. At the remote end, the client will have to specify this key for authentication. If there is a mismatch in the key, the user will not be able to establish the connection.

Digital Certificate – Digital certificate authentication is a mechanism whereby sender and receiver both use a digital certificate issued by the certificate authority. Both sender and receiver must have each other’s certificate authority.

Local Certificate – Select the local certificate that should be used for authentication by the device.

Remote Certificate – Select the remote certificate that should be used for authentication by the remote peer.


Figure 288: Authentication Details

4. Specify the Local Network Details.

Local WAN Port

Specify the local port number that the local VPN peer uses to transport traffic related to the TCP or UDP protocol.

Acceptable range: 1 to 65535

To specify any local port, enter *.

Local ID (available only if Authentication Type selected is Preshared Key)

Select any type of ID from the available options and specify its value.

Available Options:

• DNS

• IP Address

• Email

• DER ASN1 DN (X.509)

Note: DER ASN1 DN (X.509) cannot be used for Preshared Key authentication.

If Digital Certificate is selected, the ID and its value are displayed automatically as specified in the Local Certificate.

Figure 289: Local Network Details

5. Specify the Remote Network Details.

Remote Host

Specify the IP address or hostname of the remote end-point. Specify * for any IP address.

Allow NAT Traversal

Enable NAT traversal if a NAT device is located between your VPN endpoints, i.e. when the remote peer has a private/non-routable IP address.

At a time only one connection can be established behind one NAT-box.

Remote LAN Network

Select the IP address and netmask of the remote network which is allowed to connect to the device server through a VPN tunnel. Multiple subnets can be specified. Select IP hosts from the list of IP hosts available on the Admin console.

You can also add a new IP host by clicking Create New or on System > Hosts and Services > IP Host.

Remote ID

Select any type of ID from the available options and specify its value.

Available Options:

• DNS

• IP Address

• Email

• DER ASN1 DN (X.509)

Note: DER ASN1 DN (X.509) cannot be used for Preshared Key authentication.


Figure 290: Remote Network Details

6. Specify the Quick Mode Selectors.

Local Port

Specify the local port number that the local VPN peer uses to transport the traffic related to the TCP or UDP protocol.

Default: 1701

Acceptable range: 1 to 65535

To specify any local port, enter *.

Remote Port

Specify the remote port number that the remote VPN peer uses to transport the traffic related to the TCP or UDP protocol.

Default: *

Acceptable range: 1 to 65535

To specify any remote port, enter *.

Figure 291: Quick Mode Selectors

7. Specify the Advanced Settings.

Disconnect when tunnel is idle

Click this option to allow the device to delete an idle VPN session if it exceeds the specified idle session time interval.


Idle session time interval (available only if Disconnect when tunnel is idle is enabled)

Specify the time limit after which an idle VPN session will be deleted by the device.

Acceptable range: 120 to 999 seconds.

Figure 292: Advanced Settings

8. Click Save.

Clientless Access

Using clientless access, you can allow users to access services and areas on your network such as remote desktops and file shares using only a browser, and without the need for additional plug-ins. Clientless access policies specify users (members) and bookmarks. Users obtain access to your network through bookmarks on the VPN page in the user portal.

You can use this feature to provide multiple users access to resources that do not support multi-user access themselves (for example, network hardware) or constrain access to a specific service rather than providing access to entire systems or networks.

Allowing Access to the User Portal From Outside Your Network

If you want to allow users outside your network to access the user portal, go to System > Administration > Device Access and specify WAN access.

Clientless Access for Safari on Mac OSX or iOS

Follow the instructions in How to access clientless bookmarks in iOS to use clientless access on Safari on Mac OSX or iOS.

Add a Clientless Access Policy

To be able to configure a policy, you need to create at least one bookmark.

1. Go to Configure > VPN > Clientless Access and click Add.

2. Type a name.

3. For Policy Members, click Add New Item and select the users or groups who should have access to the bookmarks.

4. For Published Bookmarks, click Add New Item and select bookmarks or bookmark groups.

5. Specify other settings as required.

Option – Description

Restrict Web Applications – When enabled, hides the Secure Web Browsing section in the user portal. This prevents users from being able to enter a URL and restricts them to the URLs specified in the bookmarks.

Bookmarks

Bookmarks are connections that specify a URL, a connection type, and any required security settings. You can use bookmarks with clientless access policies to give users access to your internal networks or services. For example, you may want to provide access to file shares or allow remote desktop access. Users can access bookmarks through the VPN page in the user portal.

Bookmarks support several secure and non-secure connection types, or protocols.


Add a Bookmark

1. Go to Configure > VPN > Bookmarks and click Add.

2. Type a name.

3. Select a type (protocol).

Note: If you select a secure type, you must specify security settings.

Option – Description

HTTPS – Secure browser-based access to web applications using the Hypertext Transfer Protocol. Bookmarks of this type support referred domains. These are domains or URLs that contain formatting information or scripts (for example, CSS or JavaScript) that are required to render the bookmarked URL appropriately.

HTTP – Non-secure browser-based access to web applications using the Hypertext Transfer Protocol.

RDP – Access to remote desktops using the Remote Desktop Protocol. TLS, NLA, and RDP protocol security is supported. Your security settings must comply with the server settings.

TELNET – Terminal access using the Telnet protocol.

SSH – Secure terminal access using Secure Socket Shell.

FTP – Non-secure access to servers using the File Transfer Protocol.

FTPS – Secure access to servers using the File Transfer Protocol. Security is provided by TLS and SSL.

SFTP – Secure access to servers using the Secure File Transfer Protocol. Security is provided by SSH.

SMB – Access to servers using the Server Message Block file sharing protocol.

VNC – Remote access to Linux/UNIX hosts using Virtual Network Computing. Classic VNC authentication (password only) is supported.

4. Type the URL of the website or the IP address of the server to which you want to provide access.

Note: Changing the default port number is advisable for advanced users only.

5. Specify security settings as required.

• For SSH: Specify a user name and paste the public host key.

• For FTPS: Paste the public host key.

• For SFTP: Type a user name and select an authentication method. Specify a password and paste keys as required.

6. Specify other settings as required.


Option – Description

Automatic Login – When enabled, users do not need to provide login credentials. The session will be established using the specified user name and password.

Share Session – When enabled, users can use the same connection simultaneously, allowing them to see the same screen.

Domain – Domain that the user is allowed to access.

Init Remote Folder – Remote directory. After successful authentication, the user is redirected to the specified folder on the remote server.

Bookmark Groups

Bookmark groups allow you to combine bookmarks for easy reference. For example, you can create a group containing all of the bookmarks for remote desktops so that you do not need to specify access on an individual basis.

Related tasks: Add a Clientless Access Policy on page 285

Add a Bookmark Group

1. Go to Configure > VPN > Bookmark Groups and click Add.

2. Enter a name.

3. Click Add New Item and select bookmarks.

Figure 293: Add Bookmark Group

PPTP (Remote Access)

This page describes how to configure PPTP remote access.

The Point-to-Point Tunneling Protocol allows organizations to extend their own private network through private tunnels over the public Internet.

The device supports several authentication options including Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), and Microsoft Challenge Handshake Authentication Protocol (MS-CHAPv2).

The PPTP (Remote Access) page provides options to configure the device as PPTP server and enable/disable remote access through PPTP to various users.

1. Go to Configure > VPN > PPTP (Remote Access).

2. Click to enable PPTP.

3. Specify the General Settings.

Assign IP from

Specify the IP address range. The PPTP server will lease an IP address to the PPTP client from the specified IP address range. The PPTP client uses the assigned IP address as its source address for the duration of the connection.

Do not specify the same IP address range in L2TP configuration and PPTP configuration.

Allow leasing IP Address from Radius server for L2TP, PPTP and CISCO VPN Client

Click to lease the IP address to the PPTP users through the Radius server.

Radius is a protocol that allows network devices to authenticate users against a central database. It can also store technical information used by network devices.

If enabled, the configured IP address is overridden with the IP address provided by the Radius server.


Figure 294: General Settings

4. Specify the Client Information.

Primary DNS Server

Select the DNS server to be used at the client end.

Secondary DNS Server

Select the alternate DNS server to be used at the client end.

Primary WINS Server

Specify the WINS server to be used at the client end.

Secondary WINS Server

Specify the alternate WINS server to be used at the client end.

Figure 295: Client Information

5. Click Apply to save the configuration.

6. Use the other buttons if required.

Add Member(s) (available only if PPTP is configured)

Click to select users who are to be allowed remote access through PPTP.

Show Members (available only if PPTP is configured)

Click to view a list of PPTP members.

Related tasks: Add PPTP Member on page 288; PPTP Members on page 289

Add PPTP Member


The Add PPTP Member page allows you to select users who are to be allowed remote access through PPTP.

1. Go to Configure > VPN > PPTP (Remote Access) and click Add Member(s) to add users or user groups. A new window is displayed showing a list of users and user groups.

2. Select users or user groups who are to be allowed remote access through PPTP. You can add a single or multiple users or user groups.

3. Click Apply to add these users and user groups to the PPTP members list.

PPTP Members

The PPTP Members page allows you to view the list of PPTP members and remove members for whom remote access through PPTP is to be disabled.

1. Go to Configure > VPN > PPTP (Remote Access) and click Show Members to view a list of PPTP members. A new window is displayed showing a list of PPTP users who are allowed access through the PPTP connection.

2. Select the users for whom you want to disable PPTP access. You can select multiple users or user groups.

3. Click Delete.

IPsec Profiles

The IPsec Profiles page displays a list of all preconfigured and custom IPsec policies.

A policy describes the security parameters used for negotiations to establish and maintain a secure tunnel between two peers.

Before you set up your secure tunnels, to make their configuration faster and easier, you can create VPN policies that work on a global level. Rather than configuring the policy parameters for every tunnel you create, you can configure general policies and then later apply them to your secure tunnels.

Click Show Configuration to show all configuration tabs.

Authentication mode

To ensure secure communication, there are two phases to every IKE (Internet Key Exchange) negotiation: Phase 1 (Authentication) and Phase 2 (Key exchange).

The Phase 1 negotiation establishes a secure channel between peers and determines a specific set of cryptographic protocols, exchanges shared secret keys, and selects the encryption and authentication algorithms that will be used for generating keys.

The Phase 2 negotiation establishes a secure channel between peers to protect data. During Phase 2 negotiation, the protocol security association for the tunnel is established. Either of the peers can initiate Phase 1 or Phase 2 renegotiation at any time. Both can specify intervals after which to negotiate.

Key life

The lifetime of a key is specified as the key life.

Once the connection is established after exchanging authenticated and encrypted keys, the connection is not dropped until the key life expires. If the key life of the two peers is not the same, negotiation takes place whenever the key life of either peer is over. This means an intruder has to decrypt only one key to break into your system.

Key generation and key rotation are important because the longer the life of the key, the larger the amount of data at risk, and the easier it becomes to intercept more ciphered text for analysis.

Perfect Forward Secrecy (PFS)

It becomes difficult for a network intruder to get the big picture if keys keep changing and they have to crack a key for every negotiation. This is achieved by implementing PFS. When PFS is selected, a new key is generated for every negotiation and a new DH key exchange is included, so the intruder has to break yet another key even if the previous one is already known. This enhances security.


Diffie-Hellman (DH) Group (IKE group)

Diffie-Hellman is a public-key cryptography scheme that allows peers to establish a shared secret over an insecure communications channel. Diffie-Hellman Key Exchange uses a complex algorithm and public and private keys to encrypt and then decrypt the data.

The Diffie-Hellman Group describes the key length used in encryption. The group number is also termed the identifier.

DH Group – Key length (bits)

1 – 768

2 – 1024

5 – 1536

14 – 2048

15 – 3072

16 – 4096

If mismatched groups are specified on each peer, negotiation fails. The group cannot be switched during the negotiation.

Re-key Margin

Time before the next key is exchanged. The time is calculated by subtracting the time elapsed since the last key exchange from the key life. If Re-keying is set to ‘Yes’, the negotiation process starts automatically before key expiry without interrupting service.

Dead Peer Detection settings

Use to check whether the device is able to reach the peer IP address. Set the time interval after which the status of the peer is checked, and the action to take if the peer is not alive.

Tunnel Negotiation

The negotiation process starts to establish the connection when the local or remote peer wants to communicate with the other. Depending on the connection parameters defined, the key used for negotiations is generated. The lifetime of the key is specified as the key life. Once the connection is established, it is alive/active and data can be transferred up to the specified key life. The connection will be closed/deactivated once the key expires.

If the connection is to be activated again, the entire negotiation process has to be started all over again. The negotiation process can be started again automatically by either the local or the remote peer only if Allow Re-keying is set to ‘Yes’.

Set the re-keying time in terms of the remaining key life at which negotiation is to be started automatically, without interrupting the communication, before key expiry. For example, if the key life is 8 hours and the re-key margin is 10 minutes, the negotiation process will automatically start after 7 hours 50 minutes of key usage.

The negotiation process will generate a new key only if Perfect Forward Secrecy (PFS) is set to ‘Yes’. PFS generates a new key from scratch, so there is no dependency between the old and new key.

Re-keying – Result

Yes – Local and remote peer both will be able to initiate a request for connection. Depending on PFS, the negotiation process will use the same key or generate a new key.

No – Only the remote peer will be able to initiate a request for connection. Depending on PFS, the negotiation process will use the same key or generate a new key.
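As an added example (not part of the Sophos guide and not firewall code), the following Python toy models the two rules described above: re-keying starts when the remaining key life equals the re-key margin, and with PFS every negotiation runs a fresh Diffie-Hellman exchange, so an eavesdropper who learns the Phase 1 secret cannot rebuild the session keys. The DH prime and generator, the nonces and the SHA-256 key derivation are constructed stand-ins, not a real IKE group or PRF.

```python
"""Toy model of IPsec re-keying and Perfect Forward Secrecy (PFS).

Added example, not code from the Sophos guide. The DH parameters and the
key derivation below are constructed toys, not a real IKE group or PRF.
"""
import hashlib
import secrets
from datetime import timedelta
from typing import List, Tuple

# Constructed toy DH group: a 127-bit Mersenne prime and a small base.
# Real IKE groups use 768-bit to 4096-bit primes (see the DH Group table).
TOY_P = 2 ** 127 - 1
TOY_G = 5

# One (initiator nonce, responder nonce) pair per Phase 2 negotiation,
# i.e. the values an eavesdropper sees on the wire.
Transcript = List[Tuple[bytes, bytes]]


def rekey_start_seconds(key_life_s: int, rekey_margin_s: int) -> int:
    """Seconds of key usage after which re-keying starts (key life minus margin).

    Guide example: key life 8 h (28800 s) and margin 10 min (600 s)
    -> 28200 s, i.e. 7 h 50 min.
    """
    if not 0 < rekey_margin_s < key_life_s:
        raise ValueError("re-key margin must be positive and shorter than key life")
    return key_life_s - rekey_margin_s


def dh_keypair() -> Tuple[int, int]:
    """Return (private exponent x, public value g^x mod p)."""
    x = secrets.randbelow(TOY_P - 2) + 1
    return x, pow(TOY_G, x, TOY_P)


def dh_shared(private: int, peer_public: int) -> int:
    """Shared secret (peer_public^private mod p); both sides get the same value."""
    return pow(peer_public, private, TOY_P)


def derive_session_key(secret: int, nonce_i: bytes, nonce_r: bytes) -> bytes:
    """Toy stand-in for IKE's PRF-based key derivation."""
    secret_bytes = secret.to_bytes((secret.bit_length() + 7) // 8 or 1, "big")
    return hashlib.sha256(secret_bytes + nonce_i + nonce_r).digest()


def negotiate(rounds: int, pfs: bool) -> Tuple[int, Transcript, List[bytes]]:
    """Run Phase 1 once, then `rounds` Phase 2 (re-key) negotiations.

    Returns the Phase 1 DH secret, the on-the-wire nonces and the session keys.
    Without PFS every Phase 2 key is derived from the Phase 1 secret; with PFS
    each round does a fresh DH exchange whose exponents are then discarded.
    """
    a, ga = dh_keypair()
    b, gb = dh_keypair()
    phase1_secret = dh_shared(a, gb)
    assert phase1_secret == dh_shared(b, ga)  # both peers agree on Phase 1

    transcript: Transcript = []
    keys: List[bytes] = []
    for _ in range(rounds):
        nonce_i, nonce_r = secrets.token_bytes(16), secrets.token_bytes(16)
        if pfs:
            x, gx = dh_keypair()          # ephemeral exponents for this round only
            y, gy = dh_keypair()
            secret = dh_shared(x, gy)
            assert secret == dh_shared(y, gx)
        else:
            secret = phase1_secret        # re-use the Phase 1 material
        transcript.append((nonce_i, nonce_r))
        keys.append(derive_session_key(secret, nonce_i, nonce_r))
    return phase1_secret, transcript, keys


def keys_recoverable_from_phase1(phase1_secret: int, transcript: Transcript) -> List[bytes]:
    """Keys an eavesdropper who learned the Phase 1 secret can rebuild from the
    public nonces alone (no access to any ephemeral DH exponent)."""
    return [derive_session_key(phase1_secret, ni, nr) for ni, nr in transcript]


def exposed_count(pfs: bool, rounds: int = 3) -> int:
    """How many of `rounds` session keys that eavesdropper recovers."""
    phase1_secret, transcript, keys = negotiate(rounds, pfs)
    guessed = keys_recoverable_from_phase1(phase1_secret, transcript)
    return sum(1 for g, k in zip(guessed, keys) if g == k)


if __name__ == "__main__":
    start = rekey_start_seconds(8 * 3600, 10 * 60)
    print("re-key negotiation starts after", timedelta(seconds=start))
    print("session keys exposed without PFS:", exposed_count(pfs=False))
    print("session keys exposed with PFS:   ", exposed_count(pfs=True))
```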

The device provides five default policies, and you can also create a custom policy to meet your organization’s requirements.


To make VPN connection configuration an easy task, the following five preconfigured VPN policies are included for the frequently used VPN deployment scenarios:

• Road warrior

• L2TP

• Head office connectivity

• Branch office connectivity

• Default

The page also provides options to add a new policy, update the parameters of an existing policy, or delete a policy. Instead of creating a policy from scratch, you can also create a new policy based on an existing policy by duplicating its parameters.

Duplicate - Click the icon in the Manage column against the VPN Policy to be duplicated. The Add VPN Policy window is displayed which has the same values for parameters as the existing policy. Click OK to add a new policy with modification in values for parameters.

Note: The default policy can be updated but cannot be deleted.

Create a New IPsec Policy

This page describes how to quickly configure a new IPsec policy.

The Add IPsec Policy menu allows you to manually enter details to add an IPsec policy.

1. Go to Configure > VPN > IPsec Profiles and click Add.

2. Specify the General Settings details.

Name

Enter a unique name for the IPsec policy.

Description

Enter a description for the IPsec policy.

Allow Re-keying

Enable Re-Keying to start the negotiation process automatically before key expiry. The process will start automatically at the specified time in re-key margin.

If enabled, the negotiation process can be initiated by either the local or the remote peer. Depending on PFS, the negotiation process will use the same key or generate a new key.

Key Negotiation Tries

Specify the maximum number of key negotiation tries allowed. Set 0 for an unlimited number of tries.

Authentication Mode

Select an authentication mode. It is used for exchanging authentication information.

Available Options:

Main Mode – Consists of 6 messages. It processes and validates the Diffie-Hellman exchange in 3 exchanges.

Aggressive Mode – Consists of 3 messages. With Aggressive Mode, a tunnel can be established faster than with Main Mode, as fewer messages are exchanged during authentication and no cryptographic algorithm is used to encrypt the authentication information. Use Aggressive Mode when the remote peer has dynamic IP addresses.

Depending on the Authentication Mode, the phase 1 parameters are exchanged for authentication purposes.

In Main Mode, the phase 1 parameters are exchanged in multiple rounds with encrypted authentication information, while in Aggressive Mode the phase 1 parameters are exchanged in single messages without encrypted information.

Pass Data In Compressed Format

Enable to pass data in compressed format to increase throughput.

Figure 296: General Settings

3. Specify the Phase 1 details.

Encryption Algorithm

Select the encryption algorithm that would be used by communicating parties for integrity of exchanged data for phase 1.

Supported Encryption algorithms: DES, 3DES, AES128, AES192, AES256, TwoFish, BlowFish, and Serpent.

3DES – Triple DES is a strong symmetric encryption algorithm that is compliant with the OpenPGP standard. It is an application of the DES standard in which three keys are used in succession to provide additional security.

AES – Advanced Encryption Standard offers the highest standard of security. The effective key lengths that can be used with AES are 128, 192 and 256 bits. This security system supports a number of encryption algorithms.

Serpent – Serpent is a 128-bit block cipher, i.e. data is encrypted and decrypted in 128-bit chunks, with a variable key length of 128, 192, or 256 bits. The Serpent algorithm uses 32 rounds, or iterations, of the main algorithm.

Serpent is faster than DES and more secure than Triple DES.

BlowFish – BlowFish is a symmetric encryption algorithm which uses the same secret key to both encrypt and decrypt messages. It is also a block cipher, which divides a message into fixed-length blocks during encryption and decryption. It has a 64-bit block size, a key length of anywhere from 32 bits to 448 bits, and uses 16 rounds of the main algorithm.

TwoFish – TwoFish is a symmetric key block cipher with a block size of 128 bits and key sizes up to 256 bits.

Authentication Algorithm

Select an authentication algorithm that would be used by communicating parties for integrity of exchanged data for phase 1.

A maximum of three combinations of encryption and authentication algorithms can be selected. The remote peer must be configured to use at least one of the defined combinations.

Click the icon to add more than one combination of encryption and authentication algorithms.

Default: MD5

| Configure | 292

Note: We strongly recommend using AES and SHA2 256 to reduce potential vulnerability.

DH Group (Key Group)

Select one Diffie-Hellman Group from 1, 2, 5, 14, 15 or 16. DH Group specifies the key length used for encryption.

• DH Group 1 uses 768-bit encryption

• DH Group 2 uses 1024-bit encryption

• DH Group 5 uses 1536-bit encryption

• DH Group 14 uses 2048-bit encryption

• DH Group 15 uses 3072-bit encryption

• DH Group 16 uses 4096-bit encryption

The remote peer must be configured to use the same group. If mismatched groups are specified on each peer, negotiation fails.

Key Life

Specify the key life in terms of seconds. Key life is the amount of time that will be allowed to pass before the key expires.

Default: 3600 seconds

Re-Key Margin

Specify the re-key margin as time remaining in the key life. The re-key margin is the point at which the negotiation process starts automatically, before the key expires, without interrupting communication.

For example, if Key Life is 8 hours and Re-key Margin is 10 minutes, then the negotiation process will automatically start after 7 hours 50 minutes of key use.

Default: 120 seconds

Randomize Re-Keying Margin By

Specify the percentage by which the re-keying time is randomized.

For example, if Key Life is 8 hours, Re-Key Margin is 10 minutes and Randomize Re-Keying time is 20%, then the re-key margin will be 8 to 12 minutes: the negotiation process will start automatically 8 minutes before the key expiry and will try up to 2 minutes after key expiry.

Default: 0%
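The re-keying arithmetic above, as an added Python example that is not part of the Sophos manual: it turns Key Life, Re-Key Margin and Randomize Re-Keying Margin By into the window in which negotiation starts, taking the page's 8-to-12-minute range to mean that the margin varies by plus or minus the percentage. The RekeyPolicy class and the function names are this example's own.

```python
"""Worked example of the IPsec re-keying timing described on this page.

Added example, not part of the Sophos manual. Given Key Life, Re-Key Margin and
Randomize Re-Keying Margin By, the helpers compute when the re-key negotiation
window opens and closes relative to the moment the key was installed. The
randomized margin is modelled as margin +/- percentage, which reproduces the
page's "8 to 12 minutes" for 10 minutes and 20%.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RekeyPolicy:
    key_life_s: int          # Key Life in seconds (page default 3600)
    rekey_margin_s: int      # Re-Key Margin in seconds (page default 120)
    randomize_pct: int = 0   # Randomize Re-Keying Margin By, percent (page default 0)


def margin_window_s(policy: RekeyPolicy) -> tuple:
    """Return the (shortest, longest) effective margin in seconds.

    With randomization the margin varies by +/- randomize_pct of itself,
    e.g. 10 min +/- 20% gives 8 to 12 minutes.
    """
    spread = policy.rekey_margin_s * policy.randomize_pct // 100
    return policy.rekey_margin_s - spread, policy.rekey_margin_s + spread


def rekey_start_window_s(policy: RekeyPolicy) -> tuple:
    """Return (earliest, latest) negotiation start as seconds after key install.

    The longest margin gives the earliest start and the shortest margin the
    latest start. Both are clamped at 0 so an oversized margin shows up as an
    immediate re-key rather than a negative time.
    """
    shortest, longest = margin_window_s(policy)
    earliest = max(0, policy.key_life_s - longest)
    latest = max(0, policy.key_life_s - shortest)
    return earliest, latest


def check_policy(policy: RekeyPolicy) -> list:
    """Return the configuration warnings a reviewer would raise for this policy."""
    warnings = []
    _, longest = margin_window_s(policy)
    if policy.rekey_margin_s >= policy.key_life_s:
        warnings.append("re-key margin is not shorter than key life: re-keying starts immediately")
    elif longest >= policy.key_life_s:
        warnings.append("randomized margin can reach key life: re-keying may start immediately")
    if not 0 <= policy.randomize_pct <= 100:
        warnings.append("randomize percentage must be between 0 and 100")
    return warnings


if __name__ == "__main__":
    # The page's examples: Key Life 8 h, Re-Key Margin 10 min, with 0% and 20%.
    plain = RekeyPolicy(key_life_s=8 * 3600, rekey_margin_s=10 * 60)
    fuzzed = RekeyPolicy(key_life_s=8 * 3600, rekey_margin_s=10 * 60, randomize_pct=20)
    print(rekey_start_window_s(plain))   # (28200, 28200): 7 h 50 min after install
    print(margin_window_s(fuzzed))       # (480, 720): 8 to 12 minutes
    print(rekey_start_window_s(fuzzed))  # (28080, 28320)
    print(check_policy(RekeyPolicy(key_life_s=3600, rekey_margin_s=120)))  # []
```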

Dead Peer Detection

Enable to check at regular intervals whether the peer is live.

Default: Enabled

Check Peer After Every (only if the Dead Peer Detection option is enabled)

Specify the interval after which the peer status is checked. Once the connection is established, the peer that initiated the connection checks whether the other peer is live.

Default: 30 seconds

Wait For Response Upto (only if the Dead Peer Detection option is enabled)

Specify how long (in seconds) the initiating peer waits for the status response. If no response is received within this time, the peer is considered inactive.

Default: 120 seconds

Action When Peer Unreachable (only if the Dead Peer Detection option is enabled)

Specify what action should be taken if the peer is not active.

Available Options:

• Hold - Holds the connection

• Disconnect - Closes the connection

• Re-initiate - Re-establishes the connection


Default: Disconnect

Figure 297: Phase 1

4. Specify the Phase 2 details.

Encryption Algorithm

Select the encryption algorithm that would be used by communicating parties for integrity of exchanged data for phase 2.

Supported encryption algorithms: DES, 3DES, AES128, AES192, AES256, TwoFish, BlowFish, and Serpent.

3DES – Triple DES is a strong symmetric encryption algorithm that is compliant with the OpenPGP standard. It is an application of the DES standard in which three keys are used in succession to provide additional security.

AES – Advanced Encryption Standard offers the highest standard of security. The effective key lengths that can be used with AES are 128, 192 and 256 bits. This security system supports a number of encryption algorithms.

Serpent – Serpent is a 128-bit block cipher, i.e. data is encrypted and decrypted in 128-bit chunks, with a variable key length of 128, 192, or 256 bits. The Serpent algorithm uses 32 rounds, or iterations, of the main algorithm.

Serpent is faster than DES and more secure than Triple DES.

BlowFish – BlowFish is a symmetric encryption algorithm which uses the same secret key to both encrypt and decrypt messages. It is also a block cipher, which divides a message into fixed-length blocks during encryption and decryption. It has a 64-bit block size, a key length of anywhere from 32 bits to 448 bits, and uses 16 rounds of the main algorithm.

TwoFish – TwoFish is a symmetric key block cipher with a block size of 128 bits and key sizes up to 256 bits.

Authentication Algorithm

Select an authentication algorithm that would be used by communicating parties for integrity of exchanged data for phase 2.

Supported Authentication algorithms: MD5, SHA1

A maximum of three combinations of encryption and authentication algorithms can be selected. The remote peer must be configured to use at least one of the defined combinations.

Click the icon to add more than one combination of encryption and authentication algorithm.

Default: MD5


PFS Group (DH Group)

Select one Diffie-Hellman Group from 1, 2, 5, 14, 15 or 16. DH Group specifies the key length used for encryption.

• DH Group 1 uses 768-bit encryption

• DH Group 2 uses 1024-bit encryption

• DH Group 5 uses 1536-bit encryption

• DH Group 14 uses 2048-bit encryption

• DH Group 15 uses 3072-bit encryption

• DH Group 16 uses 4096-bit encryption

The remote peer must be configured to use the same group. If mismatched groups are specified on each peer, negotiation fails.

If Same as Phase-1 is selected, the PFS group specified at the connection initiator's end will be used.

If No PFS is selected, this security parameter cannot be added for Phase 2.
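How the proposal and DH-group rules for both phases decide whether two peers can negotiate, as an added Python example (not from the Sophos manual or the appliance's own code): Proposal, PeerPolicy, negotiate and audit are this example's own names, the two sample policies are constructed, and the audit applies the page's recommendation of AES with SHA2 256.

```python
"""Added example (not from the Sophos manual): model how the IPsec proposal
rules on this page decide whether two peers can negotiate.

The page states: up to three encryption/authentication combinations per phase,
the remote peer must share at least one of them, and the DH (PFS) group must
match on both peers or negotiation fails. Phase 2 may also use "Same as Phase-1"
or "No PFS". Proposal, PeerPolicy, negotiate and audit are this example's own
names; the sample policies under __main__ are constructed.
"""
from dataclasses import dataclass
from typing import Optional, Union

SAME_AS_PHASE1 = "Same as Phase-1"
NO_PFS = "No PFS"

# Selectable values listed on the page; the page recommends AES and SHA2 256.
ENCRYPTION = {"DES", "3DES", "AES128", "AES192", "AES256", "TwoFish", "BlowFish", "Serpent"}
DH_GROUPS = {1, 2, 5, 14, 15, 16}
RECOMMENDED_ENC = {"AES128", "AES192", "AES256"}
RECOMMENDED_AUTH = {"SHA2 256"}


@dataclass(frozen=True)
class Proposal:
    encryption: str
    authentication: str


@dataclass
class PeerPolicy:
    phase1: list
    phase1_dh_group: int
    phase2: list
    phase2_pfs_group: Union[int, str] = SAME_AS_PHASE1

    def __post_init__(self):
        if self.phase1_dh_group not in DH_GROUPS:
            raise ValueError(f"unsupported DH group {self.phase1_dh_group}")
        for phase, props in (("phase 1", self.phase1), ("phase 2", self.phase2)):
            if not 1 <= len(props) <= 3:
                raise ValueError(f"{phase}: between 1 and 3 combinations required")
            for p in props:
                if p.encryption not in ENCRYPTION:
                    raise ValueError(f"{phase}: unknown encryption {p.encryption}")

    def effective_pfs(self) -> Union[int, str]:
        """PFS group actually proposed for phase 2 (a group number or NO_PFS)."""
        if self.phase2_pfs_group == SAME_AS_PHASE1:
            return self.phase1_dh_group
        return self.phase2_pfs_group


def first_common(local: list, remote: list) -> Optional[Proposal]:
    """The combination used: the first local proposal the remote peer also offers."""
    remote_set = set(remote)
    return next((p for p in local if p in remote_set), None)


def negotiate(local: PeerPolicy, remote: PeerPolicy) -> dict:
    """Walk phase 1 then phase 2, stopping at the first rule the page says fails."""
    result = {"phase1": None, "phase2": None, "error": None}
    if local.phase1_dh_group != remote.phase1_dh_group:
        result["error"] = "phase 1 DH group mismatch"
        return result
    result["phase1"] = first_common(local.phase1, remote.phase1)
    if result["phase1"] is None:
        result["error"] = "no common phase 1 proposal"
        return result
    if local.effective_pfs() != remote.effective_pfs():
        result["error"] = "phase 2 PFS group mismatch"
        return result
    result["phase2"] = first_common(local.phase2, remote.phase2)
    if result["phase2"] is None:
        result["error"] = "no common phase 2 proposal"
    return result


def audit(policy: PeerPolicy) -> list:
    """Flag selections outside the page's recommendation (AES with SHA2 256)."""
    findings = []
    for phase, props in (("phase 1", policy.phase1), ("phase 2", policy.phase2)):
        for p in props:
            if p.encryption not in RECOMMENDED_ENC:
                findings.append(f"{phase}: encryption {p.encryption} is not AES")
            if p.authentication not in RECOMMENDED_AUTH:
                findings.append(f"{phase}: authentication {p.authentication} is not SHA2 256")
    if policy.effective_pfs() == NO_PFS:
        findings.append("phase 2: No PFS selected, so phase 2 keys are not independent of the phase 1 key")
    return findings


if __name__ == "__main__":
    # Constructed sample: the head office offers two phase 1 combinations; the
    # branch shares only the second and still carries a legacy 3DES/MD5 entry.
    hq = PeerPolicy([Proposal("AES256", "SHA2 256"), Proposal("AES128", "SHA2 256")], 14,
                    [Proposal("AES256", "SHA2 256")])
    branch = PeerPolicy([Proposal("3DES", "MD5"), Proposal("AES128", "SHA2 256")], 14,
                        [Proposal("AES256", "SHA2 256")], 14)
    print(negotiate(hq, branch))  # phase 1 settles on AES128/SHA2 256, no error
    print(audit(branch))          # flags 3DES and MD5 in phase 1
```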

Key Life

Specify the key life in terms of seconds. Key life is the amount of time that will be allowed to pass before the key expires.

Default: 3600 seconds


Figure 298: Phase 2

5. Click Save.

SSL VPN

This page describes how to configure general SSL VPN settings.

The SSL VPN tab allows you to define parameters requested for remote access such as protocols, server certificates and IP addresses for SSL clients. The SSL VPN client supports most business applications such as native Outlook, native Windows file sharing, and many more.

1. Go to Configure > VPN > SSL VPN.

2. Specify the SSL VPN Settings.

Protocol

Select the protocol to use. You can choose either TCP or UDP. UDP is recommended because it provides better performance.

SSL Server Certificate

Select a local SSL certificate to be used by the SSL VPN server to identify itself against the clients.

Default: ApplianceCertificate

Note: The SSL VPN server does not support self-signed certificates that are not approved by a CA (this is not the same as the Generate self-signed certificate option in the Certificate section).

Override Hostname

Here you can set the server IP address for client VPN connection. Usually this should be the external IP address of Sophos XG Firewall.

IPv4 Lease Range

Set an IP address range which is used to distribute IP addresses to the SSL clients. This should be a private IP address range.

Default Range: 10.81.234.5 to 10.81.234.55

Subnet Mask

Select a netmask for the IP address range above. The netmask must not be greater than 29 bits, because OpenVPN cannot handle address ranges whose netmask is /30, /31, or /32. The netmask is limited to a minimum of 16.
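The lease-range and netmask constraints above, as an added Python example (not part of the Sophos manual): check_lease_range applies the /16 to /29 limit and the private-range requirement to a candidate range such as the page's default 10.81.234.5 to 10.81.234.55; the function names and the extra same-subnet and network/broadcast checks are this example's own.

```python
"""Added example (not from the Sophos manual): validate an SSL VPN IPv4 lease
range and subnet mask against the constraints given on this page.

From the page: the lease range should be private, and the netmask must be
between /16 and /29 inclusive because OpenVPN cannot handle /30, /31 or /32.
The page's default range, 10.81.234.5 to 10.81.234.55, is used as sample input.
check_lease_range and lease_count are this example's own names; the same-subnet
and network/broadcast checks are this example's additions.
"""
import ipaddress

MIN_PREFIX = 16  # "limited to a minimum of 16"
MAX_PREFIX = 29  # "must not be greater than 29 bits"


def lease_count(start: str, end: str) -> int:
    """Number of client addresses the range can hand out (inclusive)."""
    first = ipaddress.IPv4Address(start)
    last = ipaddress.IPv4Address(end)
    return max(0, int(last) - int(first) + 1)


def check_lease_range(start: str, end: str, prefix: int) -> list:
    """Return the problems found; an empty list means the settings are acceptable."""
    problems = []
    first = ipaddress.IPv4Address(start)
    last = ipaddress.IPv4Address(end)

    if last < first:
        problems.append("range end is before range start")

    # The page says the range should be private (RFC 1918 space).
    for addr in (first, last):
        if not addr.is_private:
            problems.append(f"{addr} is not a private address")

    if not MIN_PREFIX <= prefix <= MAX_PREFIX:
        problems.append(f"netmask /{prefix} is outside the allowed /{MIN_PREFIX} to /{MAX_PREFIX}")
        return problems  # the subnet checks below need a usable prefix

    # Added checks: both ends must sit in one subnet of the chosen size, and the
    # network and broadcast addresses of that subnet cannot be leased to clients.
    network = ipaddress.ip_network(f"{first}/{prefix}", strict=False)
    if last not in network:
        problems.append(f"{first} and {last} are not in the same /{prefix} subnet")
    elif first == network.network_address or last == network.broadcast_address:
        problems.append("range includes the subnet's network or broadcast address")
    return problems


if __name__ == "__main__":
    print(check_lease_range("10.81.234.5", "10.81.234.55", 24))  # []: the page's default
    print(lease_count("10.81.234.5", "10.81.234.55"))            # 51
    print(check_lease_range("10.81.234.5", "10.81.234.55", 30))  # netmask /30 rejected
    print(check_lease_range("10.81.234.5", "10.81.234.55", 29))  # ends not in one /29
```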

IPv6 Lease (IPv6/Prefix)

If you want to lease IPv6 addresses to clients, set the IPv6 prefix in the first field and the netmask in the last field.

You must then also select the IPv4 and IPv6 both option under Lease Mode.

Lease Mode

Select if you want to only lease IPv4 addresses to SSL clients or both IPv4 and IPv6 addresses.

IPv4 DNS

Specify up to two IPv4 DNS servers, primary and secondary, of your organization.

IPv4 WINS

Specify up to two IPv4 WINS servers, primary and secondary, of your organization.

Windows Internet Naming Service (WINS) is Microsoft's implementation of NetBIOS Name Server (NBNS) on Windows operating systems. Effectively, WINS is to NetBIOS names what DNS is to domain names—a central mapping of hostnames to IP addresses.

Domain Name

Enter the hostname of your Sophos XG Firewall as a Fully Qualified Domain Name (FQDN). The FQDN is an unambiguous domain name that specifies the node's absolute position in the DNS tree hierarchy, for example sf.example.com. A hostname may contain alphanumeric characters, dots, and hyphens. At the end of the hostname there must be a TLD (top level domain) such as com, org, or de. The hostname will be used in notification messages to identify the Sophos XG Firewall.

Disconnect dead peer after

Enter a time limit in seconds after which a dead connection will be terminated by Sophos XG Firewall.

Default: 180 seconds.

Disconnect idle peer after

Enter a time limit in minutes after which an idle connection will be terminated.

Default: 15 minutes.


Figure 299: SSL VPN Settings

3. Specify the Cryptographic Settings.

Encryption Algorithm

Specify the algorithm used for encrypting the data sent through the VPN tunnel. The following algorithms are supported and all in Cipher Block Chaining (CBC) mode:

• DES-EDE3-CBC

• AES-128-CBC (128 bit)

• AES-192-CBC (192 bit)

• AES-256-CBC (256 bit)

• BF-CBC (Blowfish (128 bit))

Authentication Algorithm

• SHA-1 (160 bit)

• SHA2 256 (256 bit)

• SHA2 384 (384 bit)

• SHA2 512 (512 bit)

• MD5 (128 bit)

Key Size

The key size (key length) is the length of the Diffie-Hellman key exchange. The longer this key is, the more secure the symmetric keys are. The length is specified in bits. You can choose between a key size of 1024 or 2048 bits.

Key Lifetime

Enter a time period after which the key will expire.

Default: 28,800 seconds

Figure 300: SSL VPN Cryptographic Settings


4. Specify the Compression Settings.

Compress SSL VPN Traffic

If enabled, all data sent through SSL VPN tunnels will be compressed prior to encryption.

5. Specify the Debug Settings.

Enable Debug Mode

When enabling debug mode, the SSL VPN log file will contain extended information useful for debugging purposes.

6. Click Apply.

L2TP

This page describes how to enable and configure settings for L2TP connections.

Following is a description of the settings of this page:

1. Go to Configure > VPN > L2TP.

2. Click to enable L2TP.

3. Specify the General Settings.

Assign IP from

Set an IP address range which is used to distribute IP addresses to L2TP clients. This should be a private IP address range.

Allow leasing IP address from RADIUS server for L2TP, PPTP and CISCO VPN Client

If this option is enabled and if the user is authenticated via a RADIUS server, the configured IP address (static or leased from the IP address range) is overridden with the IP address provided by the RADIUS server. If no IP addresses are configured on the RADIUS server, the static IP address configured for the user will be assigned, else an IP address will be leased from configured IP address range.

4. Specify the Client Information.

Primary DNS Server

Select the DNS server to be used at the client end.

Secondary DNS Server

Select the alternate DNS server to be used at the client end.

Primary WINS Server

Specify the WINS server to be used at the client end.

Secondary WINS Server

Specify the alternate WINS server to be used at the client end.

5. Click Apply to save the configuration.

6. Use the other buttons if required.

Add Member(s) (available only if L2TP is configured)

Click to select users who are to be allowed remote access through L2TP.

Show Members (available only if L2TP is configured)

Click to view a list of L2TP members.

Related tasks

• Add L2TP Member on page 298

• Show/Remove L2TP Member on page 299

Add L2TP Member

This page describes how to add an L2TP member.


Before you can add L2TP members, L2TP must be enabled. See chapter L2TP on page 298.

1. Go to Configure > VPN > L2TP and click Add Member(s) at the bottom of the page.

2. Select users and groups from the table who would use L2TP to connect to the device.

3. Click Add.

All selected entries will be added as L2TP members.

Related tasks

• L2TP on page 298: This page describes how to enable and configure settings for L2TP connections.

• Show/Remove L2TP Member on page 299

Show/Remove L2TP Member

This page describes how to see which users or groups are members of L2TP and how to remove L2TP members.

Before you can view L2TP members, L2TP must be enabled. See chapter L2TP on page 298.

1. Go to Configure > VPN > L2TP and click Show Members at the bottom of the page.

A dialog opens that shows all current members of L2TP.

2. Select users or groups from the table that should be removed as L2TP members.

3. Click Delete.

All selected entries will be removed as L2TP members.

Related tasks

• L2TP on page 298: This page describes how to enable and configure settings for L2TP connections.

• Add L2TP Member on page 298

Network

The Network section allows you to configure various components for optimal network operation.

In particular, this section covers the following topics:

Interfaces: Configure and manage the ports/interfaces of the device.

Zones: Configure custom zones and view the list of default and custom zones.

WAN Link Manager: Manage the device's WAN links.

DNS: Manage the DNS servers to be used by the device, DNS host entries and the routing of specific requests.

DHCP: Manage DHCP servers, relay agent configuration and the list of IP addresses leased by the device.

IPv6 Router Advertisement: View the list of configured router advertisements (RA) and configure RAs.

Cellular WAN: Configure the parameters of the device's cellular WAN connection.

IP Tunnels: Create and manage 6in4, 6to4, 6rd and 4in6 IP tunnels for inter-communication between IPv6 and IPv4 networks.

Neighbors (ARP-NDP): View and manage the device's ARP-NDP neighbors.

Dynamic DNS: Integrate the device with a dynamic DNS service and manage the existing configuration.

Interfaces

Interfaces lists all the interfaces of the device along with their configurations.

The device is shipped with a number of physical interfaces, that is, ports, and a number of virtual interfaces, depending on the model of the device. The Interface page displays a list of physical interfaces, aliases, virtual interfaces, bridge interfaces, interfaces configured as LAG or as TAP, as well as interfaces configured for wireless LAN or for cellular WAN.


Interfaces allows you to configure a range of physical and virtual interfaces. If a virtual interface is configured for a physical interface, it is displayed below the physical interface. Virtual interface configuration can be updated or deleted.

Note: Updating the interface details may affect dependent configurations. Refer to Configurations dependent on Interfaces for more details.

The possible configurations are provided below:

Alias – Alias allows you to bind multiple IP addresses to a single physical interface.

Bridge – A bridge enables you to configure transparent subnet gatewaying.

LAG – Link Aggregation Group (LAG) allows multiple network connections to be combined into a single connection. It is also known as trunking, NIC teaming, NIC bonding, or EtherChannel. LAG is mostly used to handle LAN traffic.

VLAN – A virtual LAN is a broadcast domain, with each VLAN being configured on a switch to individual ports.

Wireless Networks – A wireless network links devices through a wireless distribution method, connecting them to the Internet through an access point.

If a wireless network is configured with a “Separate Zone” for Client Traffic mode under Protect > Wireless > Wireless Networks, a wlnet interface of the type “Wireless Protection” is automatically created on this page with the configured IP address and zone of the wireless network. In order to use the interface, you need to configure a DHCP server for the interface so that the wireless clients can connect to the device. The interface will automatically be deleted once the wireless network is deleted.

Cellular WAN – A cellular WAN is a wide area network (WAN) for data that is typically provided by cellular carriers to transmit a wireless signal over a range of several miles to a mobile device.

TAP – A TAP interface enables you to deploy the device in Discover Mode. In this mode, the device can monitor all the network traffic without making any changes in the existing network schema. Discover Mode can be configured through the command line interface (CLI).

RED – The Remote Ethernet Device (RED) is used to connect remote branch offices to your head office as if the branch office were part of your local network. The RED device connects to the main device using a RED interface and can be configured using this interface. On factory default, all the configured RED interfaces are deleted.

Interface status messages can have the following values:

Disabled - The interface is currently not bound to any zone.

Connected - The interface is connected, configured and is running.

Connecting (Displayed only for PPPoE and cellular WAN (WWAN1) interfaces) - Displayed when a new IP address is being leased.

Disconnected (Displayed only for PPPoE and cellular WAN (WWAN1) interfaces) - Displayed after the IP address has been released.

Disconnecting (Displayed only for PPPoE and cellular WAN (WWAN1) interfaces) - Displayed during the process of IP release.

Unplugged - No physical connection.

Not Available (Applicable for Flexi Ports devices) - If the Flexi Ports module has previously been inserted and Flexi Ports have been configured, then after removing the Flexi Ports module from the device, the Flexi Ports will carry the status "Not Available".

The following interface types are each represented by a distinct icon in the list (the icons are images and are not reproduced here):

• Ethernet

• Wireless

• Bridge

• VLAN

• RED10

• RED15

• RED50

• LAG

• WWAN

Note: Configurations dependent on Interfaces

• Updating the interface details may affect dependent configurations, including interface zone binding, DNS, gateway, interface-based hosts, VLAN interfaces, and dynamic DNS.

• Deleting a virtual interface deletes the firewall rules defined for that virtual interface.

• Deleting an interface also removes all its dependent configurations, including interface zone binding, DHCP server or relay, interface-based firewall rules, ARP (static and proxy), protected servers, protected server-based firewall rules, interface-based hosts and references from host groups, as well as unicast and multicast routes.

• Your network connections might be affected for some time after updating or deleting interfaces. If you face network issues during this time, wait a while and check again.

Physical Interface Configuration

Use this page to edit physical interface configurations.

1. Go to Configure > Network > Interfaces. Identify the physical interface whose settings need to be updated and click the icon on the right side. Click Edit Interface within the box.

2. Enter the details for General Settings.

Physical Interface

Physical interfaces are ports which may be marked in numeric (Port1, Port2, and so on), alphabetic (PortA, PortB, and so on), alphanumeric (PortA2, PortA3, and so on), or in special alphanumeric form (eth0, eth1, and so on), depending on your device.

Network Zone

Select the zone to which the interface belongs.

Available Options:

• None: Select to unbind the interface.

• LAN

• WAN

• DMZ

• WiFi

Figure 301: General Settings

3. Enter the IPv4 configuration details.

IP Assignment

Select the IP assignment type.

Available Options:

Static - Click to specify the IP address manually.

PPPoE - Click to enable the interface to receive the IP address from a PPPoE server.

DHCP - Click to enable the interface to receive the IP address dynamically from a DHCP server.

IPv4/Netmask

Enter the IPv4 address of the interface. Select the network subnet mask.

Preferred IP (available only if selected IP Assignment is PPPoE)

Many Internet service providers assign a static IP address to PPPoE connections. The device allows you to bind the static IP address to the PPPoE connection.

Note: An IP address other than the preferred IP address may be assigned to the PPPoE connection, depending on the PPPoE server configuration.

4. Enter the IPv4 gateway details.

Gateway Detail (available only for WAN zone)

Static IP Assignment - Enter the Gateway Name and the IPv4 address through which traffic is to be routed.

PPPoE IP Assignment - Enter the Gateway Name through which traffic is to be routed.

DHCP IP Assignment - Enter the Gateway Name through which traffic is to be routed.


Figure 302: IPv4 Configuration

5. Enter the details for PPPoE IP Assignment.

Username

Enter the PPPoE account username.

Password

Enter the PPPoE account password.

Access Concentrator/Service Name

Enter the access concentrator and service name.

The device initiates only those sessions with the access concentrator that can provide the specified service.

LCP Echo Interval

Enter the time interval at the end of which the system sends an echo request to check whether the link is alive. Once an attempt is made, the device waits for the defined time interval before the next attempt is made.

Default: 20 seconds

LCP Failure

Enter the number of attempts (echo requests) to be made. Once the specified number of attempts have been made without receiving a response from the client, the device disconnects the PPPoE connection.

Default: 3

Schedule Time For Reconnect

The IP address assigned to a PPPoE connection, whether dynamic or static (preferred), can have a predefined validity period. Once the validity expires, the PPPoE connection is terminated and is reconnected.

To prevent reconnection during working hours, enable the PPPoE reconnect schedule. You may choose to schedule the PPPoE reconnection on a daily or weekly basis at the configured time (HH:MM).

Default: Disabled

Default schedule when enabled: All days of the week

Note: Even when a Preferred IP address has been configured, if Schedule Time For Reconnect is enabled and configured, an IP address other than the preferred IP address may be assigned to the PPPoE connection on reconnection.


Figure 303: PPPoE Configuration

6. Enter the IPv6 configuration details.

IP Assignment

Select the IP assignment type.

Available Options:

• Static

• DHCP

Mode (only for DHCP mode)

Select the DHCP mode.

Select the relevant option to configure the IPv6 addresses through stateful (DHCPv6) or Stateless address assignment methods depending on the Managed (M) Address Configuration and Other (O) configuration flags advertised in the Router Advertisement (RA) message.

Available Options:

Auto - If selected, the IPv6 address is configured based on the router advertisement packet, either through Stateless Address Auto-Configuration (SLAAC) or through DHCPv6, depending on the Managed (M) Address Configuration and Other (O) Configuration flags advertised in the Router Advertisement (RA) message.

Manual - Select the relevant option to configure the IPv6 address either through SLAAC or through DHCPv6.

DHCP Only - In this manual mode, the client configures the IPv6 address and other configuration parameters using the DHCPv6 server. Gateway details must be specified manually.

Stateless - In this manual mode, the client configures the IPv6 address based on the advertised RA message through SLAAC.

Accept Other Configuration from DHCP: Select to configure other parameters using the DHCPv6 server. Enabled by default.

DHCP Rapid Commit

If enabled, the interface will be configured using a 2-message exchange (Solicit and Reply) rather than the 4-message exchange (Solicit, Advertise, Request, and Reply). It allows for quicker client configuration.

Note: Rapid commit should also be enabled on the DHCPv6 server.

IPv6 / Prefix (Only for static IP assignment)

Enter the IPv6 address and the prefix.

Gateway Detail (Only for WAN zone)

For Static IP assignment: Enter the gateway name and the IPv6 address through which the traffic is to be routed.

For DHCP IP assignment: Enter the gateway name if the Stateless manual mode is selected. For the DHCP Only manual mode, specify the gateway name and the IPv6 address.


Figure 304: IPv6 Configuration - DHCP

7. Enter details for the Advanced Settings.

Interface Speed

Select interface speed for synchronization. Interface speed can also be configured through CLI using set network interface-speed command.

Speed mismatch between the device and third-party routers and switches can result in errors or collisions on the interface, disconnection, traffic latency, or slow performance.

Depending on the model deployed, the following options are available:

• Auto Negotiation

• 10 Mbps - Half Duplex

• 10 Mbps - Full Duplex

• 100 Mbps - Half Duplex

• 100 Mbps - Full Duplex

• 1000 Mbps - Full Duplex

Default: Auto Negotiation

MTU

Enter the MTU (Maximum Transmission Unit) value.

MTU is the largest physical packet size, in bytes, that a network can transmit. This parameter becomes an issue when networks are interconnected and the networks have different MTU sizes.

Any packets larger than the MTU value are divided (fragmented) into smaller packets before being sent.

Default - 1500

Acceptable Range (For IPv4 Configuration): 576 to 1500

Acceptable Range (For IPv6 Configuration): 1280 to 1500

Override MSS

Select to override the default MSS.

MSS defines the amount of data that can be transmitted in a single TCP packet.

Default: 1460

Acceptable Range: 536 to 1460

Use Default MAC Address

Click to use the default MAC address for the interface.

By default, the MAC address of the first port included as a member port becomes the default MAC address.

Override Default MAC Address

Click to override the default MAC address for the interface and enter the new MAC address.

On factory reset, it is set to the default MAC Address.


Figure 305: Advanced settings

8. Click Save.

Advanced Settings for Bridge Interface

Use this page to edit the advanced settings for bridge interface.

1. Go to Configure > Network > Interfaces. Identify the bridge interface whose advanced settings need to be updated and click the icon on the right-hand side. Click Edit Interface within the box.

2. Enter the details for Advanced Settings.

Physical Interface

Displays the physical bridge member interface.

Network Zone

Displays the zone to which the physical interface belongs.

Interface Speed

Select the interface speed for synchronization. Interface speed can also be configured through CLI using the set network interface-speed command.

Speed mismatch between the device and third-party routers and switches can result in errors or collisions on the interface, disconnection, traffic latency, or slow performance.

Depending on the device, the following options are available:

• Auto Negotiation

• 10 Mbps - Half Duplex

• 10 Mbps - Full Duplex

• 100 Mbps - Half Duplex

• 100 Mbps - Full Duplex

• 1000 Mbps - Full Duplex

Default: Auto Negotiation.

MTU

Enter the MTU (Maximum Transmission Unit) value. MTU is the largest physical packet size (in bytes) that a network can transmit.

Default: 1500

Override MSS

Select the checkbox to override the default MSS (Maximum Segment Size). MSS defines the amount of data that can be transmitted in a single TCP packet.

Default: 1460

Use Default MAC Address

Click to use the default MAC address of the interface. The MAC address of the first port to be added as member port becomes the default MAC address.

Override Default MAC Address

Click to override the default MAC address of the interface and enter the new MAC address. On factory reset, it will be set to the default MAC address.


Figure 306: Advanced Settings - Bridge Interface

3. Click Save.

Add Bridge

The device can be deployed in bridge mode.

Use this page to create a bridge interface.

This feature is not supported when the device is deployed on Microsoft Hyper-V hypervisors.


1. Go to Configure > Network > Interfaces, click Add Interface on the right side and click Add Bridge from the drop-down list.

2. Enter the details for General Settings.

Name

Enter a name to identify the bridge.

Description

Enter a description for the bridge.

Enable routing on this bridge pair

Select the checkbox to enable routing on this bridge.

Figure 307: General Settings

3. Enter the details of Member Interfaces.

Interface

Select the interfaces of the bridge. For example, Port A, Port B.

Zone

For each interface, select the zone to which the interface belongs.

Figure 308: Bridge Member Interfaces

4. Enter IPv4 configuration and gateway details.

IPv4 / Netmask

Enter the IPv4 address and select the network subnet mask.

Gateway Name

Enter a name to identify the gateway.

Gateway IP

Enter the IPv4 address for the gateway.

Figure 309: IPv4 Configuration and Gateway Details

5. Enter the IPv6 configuration details.

IPv6 / Prefix

Enter the IPv6 address and the prefix.

Gateway Name

Enter a name to identify the gateway.

IP Address

Enter the IPv6 address for the gateway.

Figure 310: IPv6 Configuration

6. Enter the details for Advanced Settings.

MTU

Enter the MTU (Maximum Transmission Unit) value.

MTU is the largest physical packet size (in bytes) that a network can transmit. A problem arises when networks with differing MTU sizes are interconnected. In such a scenario, packets larger than the specified MTU value are divided (fragmented) into smaller packets before they are sent.

Default: 1500

Acceptable Range (For IPv4 Configuration): 576 to 1500

Acceptable Range (For IPv6 Configuration): 1280 to 1500

Override MSS

Select the checkbox to override the default MSS (Maximum Segment Size).

MSS defines the amount of data that can be transmitted in a single TCP packet.

Default: 1460

Acceptable Range: 536 to 1460

Figure 311: Advanced Settings


Note:

• A single WAN interface is supported in a bridge.

• A single interface cannot be part of multiple bridges.

7. Click Save.

Add Alias

Use this page to bind multiple IP addresses to a single interface.

1. Go to Configure > Network > Interfaces, click Add Interface on the right side and click Add Alias from the drop-down list.

2. Enter the interface details.

Physical Interface

Select the interface to which an Alias must be bound.

IP Family

Select the IP family for the Alias.

Available Options:

IPv4 (Only for physical interfaces with IPv4 configuration)

IPv6 (Only for physical interfaces with IPv6 configuration)

IPv4/Netmask (Available only if IP Family selected is IPv4)

Enter the IPv4 address and select the network subnet mask.

IPv6/Prefix (Available only if IP Family selected is IPv6)

Enter the IPv6 address and the prefix.

Default: 64

Figure 312: Add Alias

3. Click Save.

Configure Cellular WAN Settings

The device allows you to configure a Cellular WAN interface.

Use this page to configure cellular WAN settings.

Enable Cellular WAN from Configure > Network > Cellular WAN.

1. Go to Configure > Network > Interfaces. Identify the cellular WAN (WWAN1) interface whose settings need to be updated and click the icon on the right side. Click Edit Interface within the box.

2. Enter the details for General Settings.

Interface Name

Enter a name for the interface.

IP Assignment

Select the IP assignment method from the available options:

Available Options:

Dial-up (PPP)

Network Adapter (DHCP)

Show Recommended Configuration

Click to view the modem details and the recommended configuration. The recommended configuration is displayed in two sections:

Information Section:

• Modem Name

• Vendor ID

• Product ID

• SIM PIN Enabled – Yes/No

Configuration Section:

Available IP Assignment Methods:

Possible Values

• Dial-up (PPP)

• Network Adapter (DHCP)

• Dial-up (PPP) & Network Adapter (DHCP)

Modem Port:

Possible Values

• Not Available

• Serial n (n = 0, 1, …, 9)

Secondary Modem Ports:

Possible Values

• Not Available

• Serial n (n = 0, 1, …, 9)

Note: This parameter displays the next available modem port. This port must be used as the Modem Port if the recommended modem port fails.

APN (Access Point Name):

Possible Values

• Not Available

• <name>

DHCP Connect Command:

Possible Values

• Not Required

• Required but not available

• <AT command>

DHCP Disconnect Command:

Possible Values

• Not Required

• Required but not available

• <AT command>

Click Load Recommended Configuration to load the recommended configuration onto the page.

This action removes previous configurations, if any, and replaces them with the recommended configuration.

Note: When you click Load Recommended Configuration, values of the secondary modem ports are not loaded.

Connect

Select the mode to establish a cellular WAN connection.


Available Options:

Auto

Manual

Reconnect Tries

Select the number of attempts to be made when reconnecting to an access point.

Available Options: Always, 1, 2, 3

Default: Always

Modem Port (Available only if IP Assignment selected is Dial-up (PPP))

Enter the serial interface on which the modem will establish a connection.

Available Options: Serial 0 to 9

Phone Number (Available only if IP Assignment selected is Dial-up (PPP))

Enter the phone number to be used to establish the connection, or select one from the drop-down list.

Username

Enter a username for the connection.

Password

Enter a password.

SIM Card PIN Code

Enter the PIN code in order to unlock the PIN-enabled SIM card.

Many operators lock their SIM card to prevent the use of another operator's SIM card. Such modems can be unlocked using the PIN code in order to establish a connection.

APN

Enter the Access Point Name (APN).

The APN is a configurable network identifier based on which the device identifies the Packet Data Network (PDN) or the GSM carrier with which the user wants to communicate.

DHCP Connect Command (Available only if IP Assignment selected is Network Adapter (DHCP))

Enter a DHCP command to connect to the cellular WAN.

DHCP Disconnect Command (Available only if IP Assignment selected is Network Adapter (DHCP))

Enter a DHCP command to disconnect from the cellular WAN.

Initialization String

Enter an initialization string for the specific wireless modem. In case of multiple strings, the strings must be entered in the order of their priority.


Figure 313: General Settings - Dial-up

3. Enter the details for Gateway Settings.

Gateway Name

Enter a name to identify the gateway.

Gateway IP

Enter the IP address of the gateway.

Figure 314: Gateway Settings

4. Enter the details for Advanced Settings.

MTU

Enter the MTU (Maximum Transmission Unit) value.

MTU is the largest physical packet size (in bytes) that a network can transmit. Problems arise when networks with differing MTU sizes are interconnected. In such a scenario, packets larger than the specified MTU value are divided (fragmented) into smaller packets before they are sent.

Default: 1500

Acceptable Range: 576 to 1500

MSS

Enter the MSS (Maximum Segment Size).

MSS is the amount of data that can be transmitted in a single TCP packet.

Default: 1460

Acceptable Range: 536 to 1460

MAC Address (Available only if IP Assignment selected is Network Adapter (DHCP))

Select the method of providing a MAC address to the modem:

Available Options:

Use Default MAC Address

Override Default MAC Address (If you select this option, provide the MAC address.)

Figure 315: Other Settings

5. Click Save.

Virtual LAN (VLAN)

VLANs are virtual LANs in which devices on one or more LANs are logically segregated into independent broadcast domains. The logical segregation allows devices from multiple LANs across different floors or geographical regions to communicate as if they were physically connected. At the same time, a single LAN can be separated into multiple VLANs based on roles, work groups, services, or any other logical parameter.

Although routers are generally used to create broadcast domains in LANs, switches create the VLAN broadcast domains. You can assign each VLAN to one or more ports on a single switch. In case of distributed VLANs, you can assign them across multiple switches. Communication within a VLAN happens through the switch, while communication across different VLANs requires a layer 3 device – a router, a layer 3 switch, or a firewall.

You can implement VLAN technology between a Sophos Firewall (SF) device and 802.1Q-compliant switches and routers. Tag-based LAN multiplexing technology simulates multiple LANs within a single physical LAN and traffic from each broadcast domain is given a different VLAN tag. VLAN IDs/tags are 4-byte frame extensions that contain a VLAN identifier and information specific to your configuration.

SF recognizes VLAN IDs, allowing you to apply firewall rules specific to each VLAN, including authentication and other relevant policies of your network. You can also apply firewall rules to secure the network between broadcast domains.

Advantages

• Increase in the number of ports

• Logical segmentation of network regardless of physical location

• Granular firewall rules specific to workgroups

• Improved network throughput due to the creation of smaller broadcast domains

Add VLAN Interface

1. Go to Configure > Network > Interfaces, click Add Interface on the right side and select Add VLAN from the drop-down list.

2. Enter the VLAN details.

Physical Interface

Select a parent interface for the virtual sub-interface. The virtual sub-interface becomes a member of the selected physical interface.

Zone

Select a zone to assign to the virtual sub-interface. The virtual sub-interface becomes a member of the selected zone which can be LAN, DMZ, WAN, WiFi or a custom zone.

VLAN ID

Enter the VLAN ID. The interface VLAN ID can be any number between 2 and 4094. The VLAN ID of each virtual sub-interface must match the VLAN ID of the packet. If the IDs do not match, the virtual sub-interface will not receive the VLAN-tagged traffic.

Note: When added to the same physical interface, more than one virtual sub-interface cannot carry the same VLAN ID. However, virtual sub-interfaces carrying the same VLAN ID can be added to different physical interfaces.


Figure 316: VLAN Details

3. Enter the IPv4 configuration details (Only for physical interfaces with IPv4 configuration).

IP Assignment

Select the IP assignment type.

Available Options:

Static

PPPoE

DHCP

IPv4/Netmask

Enter the IPv4 address for the interface and select the network subnet mask.

Preferred IP (available only if IP Assignment selected is PPPoE )

Many Internet service providers assign a static IP address to PPPoE connections. The device allows you to bind the static IP address to the PPPoE connection.

Enter the preferred IP address for the PPPoE connection.

Gateway Detail (For WAN zone)

Static IP Assignment: Specify the Gateway Name and the IPv4 address through which the traffic is to be routed.

PPPoE IP Assignment: Specify the Gateway Name through which the traffic is to be routed.

DHCP IP Assignment: Specify the Gateway Name through which the traffic is to be routed.

Figure 317: IPv4 Configuration

4. Enter the details for PPPoE IP Assignment.

Username

Enter the PPPoE account username.

Password

Enter the PPPoE account password.

Access Concentrator/Service Name

Enter the access concentrator and service name.

The device initiates only those sessions with the access concentrator that can provide the specified service.

LCP Echo Interval

Enter the length of time that the system must wait before it sends an echo request to check whether the link is alive. Once an attempt is made, the device waits for the defined time interval before the next attempt is made.

Default: 20 seconds

LCP Failure

Enter the number of attempts (echo requests) to be made. Once the specified number of attempts are made without receiving a response from the client, the device disconnects the PPPoE connection.

Default: 3

Schedule Time For Reconnect

The IP address assigned to a PPPoE connection, whether dynamic or static (preferred), can have a predefined validity period. Once the validity expires, the PPPoE connection is terminated and reconnected.

To prevent reconnection during working hours, enable the PPPoE reconnect schedule. You can schedule the PPPoE reconnection on a daily or weekly basis at the configured time (HH:MM).

Default: Disabled

Default schedule when enabled: All days of week

Note: Even when a Preferred IP address has been configured, if Schedule Time For Reconnect is enabled and configured, on reconnection an IP address other than the preferred IP address may be assigned to the PPPoE connection.


Figure 318: PPPoE Configuration

5. Enter the IPv6 configuration details (Only for physical interfaces with IPv6 configuration)

IP Assignment

Select the IP assignment type.

Available Options:

Static

DHCP

Mode (available only if IP Assignment selected is DHCP)

Select DHCP mode.

The administrator can configure the IPv6 address through stateful (DHCPv6) or stateless address assignment, depending on the Managed (M) Address Configuration and Other (O) Configuration flags advertised in the Router Advertisement (RA) message.

Available Options:

Auto: If selected, the IPv6 address is configured based on the Router Advertisement packet, through Stateless Address Auto-Configuration (SLAAC) or DHCPv6 depending on the Managed (M) Address Configuration and Other (O) Configuration flags advertised in the Router Advertisement (RA) message.

Manual: The administrator selects whether to configure the IPv6 address through SLAAC or DHCPv6.

DHCP Only: In this manual mode, the client configures the IPv6 address and other configuration parameters using the DHCPv6 server. Gateway details should be manually specified.

Stateless: In this manual mode, the client configures the IPv6 address through SLAAC based on the advertised RA message.

Accept Other Configuration from DHCP: Select to configure other parameters using the DHCPv6 server. By default, it is enabled.

DHCP Rapid Commit

If enabled, the interface will be configured using a 2-message exchange (Solicit and Reply) rather than the 4-message exchange (Solicit, Advertise, Request, and Reply). It enables quicker client configuration.

Note: Rapid commit should also be enabled on the DHCPv6 server.

IPv6 / Prefix (Only for static IP assignment)

Enter the IPv6 address and the prefix.

Gateway Detail (Only for WAN zone)

For Static IP assignment: Specify the gateway name and IPv6 address through which the traffic is to be routed.

For DHCP IP assignment: Specify the gateway name if Stateless manual mode is selected. For DHCP Only manual mode, specify the gateway name and the IPv6 address.


Figure 319: IPv6 Configuration

6. Click Save.
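The IPv6 Mode choices above (Auto, DHCP Only, Stateless, Accept Other Configuration from DHCP, DHCP Rapid Commit) are decided by the M and O flags of the Router Advertisement. The following added example, which is not Sophos code, reads those flags from a raw RA (layout per RFC 4861) and reports which address source, gateway source and DHCPv6 message exchange each mode results in; the function and field names are this example's own, and the gateway rule follows the page (manual only for DHCP Only).

```python
from dataclasses import dataclass
from typing import Optional, Tuple

ICMPV6_ROUTER_ADVERTISEMENT = 134
RA_FLAG_MANAGED = 0x80  # M: addresses come from a DHCPv6 server (stateful)
RA_FLAG_OTHER = 0x40    # O: other parameters (DNS etc.) come from DHCPv6


@dataclass(frozen=True)
class RouterAdvertisement:
    managed: bool
    other: bool


def parse_ra(icmpv6: bytes) -> RouterAdvertisement:
    """Read the M and O flags from a raw ICMPv6 Router Advertisement.

    Layout per RFC 4861 section 4.2: type(1) code(1) checksum(2)
    cur-hop-limit(1) flags(1) router-lifetime(2) reachable(4) retrans(4).
    """
    if len(icmpv6) < 16:
        raise ValueError("truncated ICMPv6 message")
    if icmpv6[0] != ICMPV6_ROUTER_ADVERTISEMENT or icmpv6[1] != 0:
        raise ValueError("not a Router Advertisement")
    flags = icmpv6[5]
    return RouterAdvertisement(managed=bool(flags & RA_FLAG_MANAGED),
                               other=bool(flags & RA_FLAG_OTHER))


def build_ra(managed: bool, other: bool) -> bytes:
    """Constructed sample RA (checksum zeroed, hop limit 64, lifetime 1800 s)."""
    flags = (RA_FLAG_MANAGED if managed else 0) | (RA_FLAG_OTHER if other else 0)
    return (bytes([ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 0, 64, flags])
            + (1800).to_bytes(2, "big") + bytes(8))


@dataclass(frozen=True)
class Ipv6Plan:
    address_source: str               # "SLAAC" or "DHCPv6"
    other_config_source: str          # "RA" or "DHCPv6"
    gateway: str                      # "RA" or "manual"
    dhcpv6_exchange: Tuple[str, ...]  # DHCPv6 messages exchanged, () if none


def plan_ipv6_config(mode: str, ra: Optional[RouterAdvertisement],
                     accept_other_from_dhcp: bool = True,
                     rapid_commit: bool = False) -> Ipv6Plan:
    """Map the page's Mode choices to what the interface will actually do.

    mode is "Auto" or one of the Manual sub-modes "DHCP Only" / "Stateless";
    accept_other_from_dhcp is the "Accept Other Configuration from DHCP" box.
    """
    if mode == "Auto":
        if ra is None:
            raise ValueError("Auto mode needs a Router Advertisement to decide")
        use_dhcp_addr = ra.managed
        use_dhcp_other = ra.managed or ra.other
    elif mode == "DHCP Only":
        use_dhcp_addr, use_dhcp_other = True, True
    elif mode == "Stateless":
        use_dhcp_addr, use_dhcp_other = False, accept_other_from_dhcp
    else:
        raise ValueError(f"unknown mode {mode!r}")

    if use_dhcp_addr:
        # Rapid commit shortens the stateful exchange from 4 messages to 2;
        # the page notes the DHCPv6 server must also have it enabled.
        exchange = (("Solicit", "Reply") if rapid_commit
                    else ("Solicit", "Advertise", "Request", "Reply"))
    elif use_dhcp_other:
        # Stateless DHCPv6 (RFC 8415): only the "other" parameters are fetched.
        exchange = ("Information-request", "Reply")
    else:
        exchange = ()

    return Ipv6Plan(
        address_source="DHCPv6" if use_dhcp_addr else "SLAAC",
        other_config_source="DHCPv6" if use_dhcp_other else "RA",
        # Page rule: DHCP Only needs gateway details entered by hand; the
        # other modes take the default router from the RA.
        gateway="manual" if mode == "DHCP Only" else "RA",
        dhcpv6_exchange=exchange,
    )
```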

Link Aggregation Group


LAG is not supported in Sophos virtual security devices.

Link Aggregation Group (LAG) combines multiple physical links into a single logical link, connecting the SF device to another network device (switch). Also known as trunking, NIC teaming, NIC bonding or Ether Channel, LAG provides redundancy – when one interface fails, the remaining interfaces continue to carry the LAN traffic, ensuring continuity within the network.

LACP

Link Aggregation Control Protocol (LACP) is part of the IEEE specification 802.3ad and provides additional LAG functionality. You can assign load sharing across links based on the algorithm applied in the xmit hash policy. Link aggregation increases the bandwidth available without the need to deploy additional hardware.

The SF device supports the following LAG modes:

• Active Backup: This mode provides automatic link failover. One link (member of the LAG) remains active while the other remains in standby mode. When the active link fails, the standby link becomes active.

• LACP (802.3ad): This mode provides load balancing and automatic failover. In this mode, all the links are used to forward traffic.

Prerequisites for LACP (802.3ad) mode

• For LACP to be functional, it must be enabled at both ends of the link.

• All the member interfaces (ports) in the LAG must be of the same type and have the same interface speed.

• All the links must be full-duplex.

Limitations

• Only unbound static physical interfaces can be members of the LAG.

• PPPoE, 3G, 4G, Cellular WAN, WLAN and Transport mode are not supported in LAG.

• A maximum of 4 ports can be configured on a single LAG interface.

Add Link Aggregation Group (LAG)

1. Go to Configure > Network > Interfaces, click Add Interface on the right-hand side and click Add LAG from the drop-down list.

LAG interface properties can be configured or edited from the command line, but a LAG interface cannot be added from CLI.

2. Enter the details for Global Settings.

Interface Name

Enter a name for the LAG interface.

Member Interface

Click Add New Item. The drop-down list displays all unbound ports.

Select the checkbox to select the port(s).

Note:

• At least 2 member ports are required to create a LAG interface.

• A maximum of 4 ports can be configured on a single LAG interface.

• Interfaces that have been configured for PPPoE, Cellular WAN or WLAN cannot participate in LAG.

Mode

Select the mode of LAG.

Available Options:

Active-Backup: Select the Active-Backup mode to provide failover.

802.3ad (LACP): Select the 802.3ad (LACP) mode to load balance the traffic in addition to providing failover.

Network Zone

Select the network zone for the interface.

Available Options:

LAN

WAN

DMZ

WiFi

Figure 320: Global Settings

3. Enter the IPv4 configuration details.

IP Assignment

Select the type of IP assignment.

Available Options:

Static

DHCP

IPv4/Netmask

Enter the IPv4 address for the interface and select the network subnet mask.

4. Enter the IPv4 gateway details (Available only if Network Zone selected is WAN)

Gateway Name

Enter the gateway name.

IPv4 Address

Enter the gateway IPv4 address.

Figure 321: IPv4 Configuration - Static

5. Enter the IPv6 configuration details.

IPv6/Prefix

Enter the IPv6 address and the prefix.

6. Enter the IPv6 gateway details (Available only if Network Zone selected is WAN).

Gateway Name

Enter the gateway name.

IPv6 Address

Enter the gateway IPv6 address.


Figure 322: IPv6 Configuration

7. Enter the details for Advanced Settings.

Interface Speed

Select the interface speed for synchronization. Interface speed can also be configured through CLI using the set network interface-speed command.

Speed mismatch between the device and third-party routers and switches can result in errors or collisions on the interface, disconnection, traffic latency, or slow performance.

Default: Auto Negotiation

MTU

Enter the MTU (Maximum Transmission Unit) value.

MTU is the largest physical packet size (in bytes) that a network can transmit. Problems arise when networks with differing MTU sizes are interconnected. In such a scenario, packets larger than the specified MTU value are divided (fragmented) into smaller packets before they are sent.

Default: 1500

Acceptable Range (For IPv4 Configuration): 576 to 1500

Acceptable Range (For IPv6 Configuration): 1280 to 1500

Override MSS

Select the checkbox to override the default MSS (Maximum Segment Size).

MSS defines the amount of data that can be transmitted in a single TCP packet.

Default: 1460

Acceptable Range: 536 to 1460

Xmit Hash Policy (Available only if Mode selected is LACP (802.3ad))

Select the Xmit hash policy to be applied to the member interfaces from the available options in the drop-down list:

Available Options:

Layer2: Select to generate the hash value using MAC addresses.

Layer2+3: Select to generate the hash value using a combination of Layer 2 (MAC address) and Layer 3 (IP address) protocol information.

Layer3+4: Select to generate the hash value using Transport layer protocol information.

Primary Interface (Available only if Mode selected is Active-Backup )

Select an interface to be the primary interface. This interface remains active as long as it is available.

Default: Auto

The interfaces included in the member interface list are listed here. If you set the Primary Interface to Auto, the device selects any interface from the member interface list as the primary interface.

Use Default MAC Address


Click to use the default MAC address of the interface.

Override Default MAC Address

Click to override the default MAC address of the interface and enter the new MAC address.

On factory reset, it will be set to the default MAC address.


Figure 323: Advanced Settings

8. Click Save.
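The MTU and Override MSS fields described under Advanced Settings for bridge, cellular WAN and LAG interfaces are coupled: an MSS that does not fit the MTU forces fragmentation (or, for IPv6, Packet Too Big errors that a filtered ICMP path will hide). The following added example, which is not Sophos code, validates the form values against the ranges the page gives and computes the MSS a given MTU can carry; the header sizes are protocol constants, and one caveat it surfaces is that the default MSS of 1460 assumes IPv4 headers and does not fit a 1500-byte IPv6 packet.

```python
from math import ceil
from typing import NamedTuple, Tuple

# Acceptable ranges and defaults exactly as the Advanced Settings page gives them.
MTU_RANGE = {"IPv4": (576, 1500), "IPv6": (1280, 1500)}
MSS_RANGE = (536, 1460)
MSS_DEFAULT = 1460

# Fixed header sizes without options (protocol facts, not page values).
IP_HEADER = {"IPv4": 20, "IPv6": 40}
TCP_HEADER = 20


class SettingsCheck(NamedTuple):
    mtu: int
    effective_mss: int
    problems: Tuple[str, ...]


def mss_for_mtu(mtu: int, family: str) -> int:
    """Largest TCP segment that still fits one packet of this MTU, i.e. the
    value an MSS override should not exceed if fragmentation is to be avoided."""
    return mtu - IP_HEADER[family] - TCP_HEADER


def check_advanced_settings(mtu: int, family: str, override_mss: bool,
                            mss: int = MSS_DEFAULT) -> SettingsCheck:
    """Validate the form values and flag an MSS that cannot fit the MTU."""
    problems = []
    lo, hi = MTU_RANGE[family]
    if not lo <= mtu <= hi:
        problems.append(f"MTU {mtu} outside {lo}-{hi} for {family}")
    if override_mss and not MSS_RANGE[0] <= mss <= MSS_RANGE[1]:
        problems.append(f"MSS {mss} outside {MSS_RANGE[0]}-{MSS_RANGE[1]}")
    effective = mss if override_mss else MSS_DEFAULT
    fit = mss_for_mtu(mtu, family)
    if effective > fit:
        # With the default 1460 on a smaller MTU (or any IPv6 MTU), full-size
        # segments no longer fit: they are fragmented (IPv4) or rejected with
        # Packet Too Big (IPv6), and if ICMP is filtered the sender never
        # learns why the connection stalls. Clamping the MSS avoids this.
        problems.append(f"MSS {effective} does not fit MTU {mtu}; clamp to {fit}")
    return SettingsCheck(mtu, effective, tuple(problems))


def fragments_needed(ip_packet_len: int, mtu: int, family: str) -> int:
    """Number of fragments an IP packet (headers included) becomes on a link
    with this MTU. All but the last fragment carry a multiple of 8 data bytes
    (RFC 791 / RFC 8200); IPv6 adds an 8-byte Fragment header per fragment."""
    if ip_packet_len <= mtu:
        return 1
    per_fragment_overhead = IP_HEADER[family] + (8 if family == "IPv6" else 0)
    data_per_fragment = (mtu - per_fragment_overhead) // 8 * 8
    return ceil((ip_packet_len - IP_HEADER[family]) / data_per_fragment)
```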
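The Xmit Hash Policy setting decides which LAG member a flow is pinned to, and the choice matters: between a firewall and a single upstream router every packet carries the same MAC pair, so Layer2 (and, for a single IP pair, Layer2+3) sends all traffic down one link. This added example, not Sophos code, implements the three policies following the formulas in the Linux bonding driver documentation; the page does not say what the SF device computes internally, so the exact member numbers are illustrative, and the flow records and helper names are constructed for the example.

```python
from ipaddress import IPv4Address
from typing import Dict, NamedTuple, Sequence

ETHERTYPE_IPV4 = 0x0800


class Flow(NamedTuple):
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


def _mac_last_byte(mac: str) -> int:
    return int(mac.split(":")[-1], 16)


def _ip32(ip: str) -> int:
    return int(IPv4Address(ip))


def xmit_hash(flow: Flow, policy: str, ethertype: int = ETHERTYPE_IPV4) -> int:
    """Hash a flow under one of the page's three policies.

    Layer2 uses only the MAC addresses (and EtherType); Layer2+3 adds the
    IP addresses; Layer3+4 uses the transport ports plus the IP addresses.
    Formulas follow Documentation/networking/bonding.rst (Linux kernel).
    """
    if policy == "Layer2":
        return _mac_last_byte(flow.src_mac) ^ _mac_last_byte(flow.dst_mac) ^ ethertype
    if policy == "Layer2+3":
        h = _mac_last_byte(flow.src_mac) ^ _mac_last_byte(flow.dst_mac) ^ ethertype
        h ^= _ip32(flow.src_ip) ^ _ip32(flow.dst_ip)
    elif policy == "Layer3+4":
        h = (flow.src_port << 16) | flow.dst_port   # both ports as one 32-bit word
        h ^= _ip32(flow.src_ip) ^ _ip32(flow.dst_ip)
    else:
        raise ValueError(f"unknown Xmit Hash Policy {policy!r}")
    h ^= h >> 16   # fold so the low bits depend on every input byte
    h ^= h >> 8
    return h & 0xFFFFFFFF


def member_for(flow: Flow, policy: str, member_count: int) -> int:
    """Index of the LAG member (0..member_count-1) that carries this flow."""
    if not 2 <= member_count <= 4:   # page: at least 2, at most 4 ports per LAG
        raise ValueError("a LAG has 2 to 4 member ports")
    return xmit_hash(flow, policy) % member_count


def distribution(flows: Sequence[Flow], policy: str, member_count: int) -> Dict[int, int]:
    """How many of the given flows land on each member link."""
    counts = {i: 0 for i in range(member_count)}
    for flow in flows:
        counts[member_for(flow, policy, member_count)] += 1
    return counts


# Constructed sample: four TCP sessions from one upstream router (single MAC,
# single IP) to one server behind the firewall; only the source port differs.
SAMPLE_FLOWS = [
    Flow("00:11:22:33:44:01", "00:11:22:33:44:02",
         "10.0.1.10", "10.0.2.20", 40000 + i, 443)
    for i in range(4)
]
```

With this sample and a 4-port LAG, Layer2 and Layer2+3 place all four sessions on a single member while Layer3+4 spreads them across all four.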

Add RED

This page allows you to configure a Remote Ethernet Device (RED) at a remote office.

1. Ensure that RED is activated. This can be done from Configure > System Services > RED.

2. Go to Configure > Network, click Add Interface on the upper right and select Add RED from the drop-down list.

3. Enter the RED Settings details.

Branch Name

Enter the name for the remote location in which the RED is to be set up.

Type

Select the RED device to be connected from the drop-down list.

• RED 10

• RED 15

• RED 15w

• RED 50

• Firewall RED Server

• Firewall RED Client

• Firewall RED Server Legacy

• Firewall RED Client Legacy

Note: The RED device types Firewall RED Server Legacy and Firewall RED Client Legacy are able to connect Sophos XG Firewall with Sophos UTM via RED Site2Site. For more information, see RED Site-to-Site between Sophos XG Firewall and Sophos UTM on page 327.

RED ID (not available for Type Firewall RED Server, Firewall RED Server Legacy, Firewall RED Client and Firewall RED Client Legacy)

Enter the RED ID.

The RED ID is a 15-character string printed on the sticker which is stuck to the bottom of the RED device as well as on the front of the carton.

Tunnel ID (not available if Type is Firewall RED Client and Firewall RED Client Legacy)

Select the Tunnel ID from the drop-down list.

By default, Automatic is selected. Tunnels are numbered consecutively. Select a unique tunnel ID and make sure that it is the same for both the devices - RED and Sophos XG Firewall.

Note: If the type is Firewall RED Server Legacy or Firewall RED Server Legacy make sure that the tunnel ID is available on the appliance that should be connected.

Unlock Code

Enter the unlock code. (Do not fill this field if this RED is being deployed for the first time.)

The unlock code is an 8-character string that is generated when a RED is added to a Sophos XG Firewall. If this RED has been deployed before, you must enter the unlock code here. The unlock code is generated during the deployment of a RED device and is emailed instantly to the address you provided when activating RED. This is a security feature, which ensures that a RED device cannot simply be removed and installed elsewhere.

For manual deployment through USB stick and for automatic deployment through Provisioning Service (see Device Deployment below), two separate unlock codes are generated. If you switch a RED device from one deployment method to the other, make sure that you use the corresponding unlock code: for manual deployment, provide the unlock code of the previous manual deployment; for automatic deployment, provide the unlock code of the previous automatic deployment.

Firewall IP/Hostname (not available for Type Firewall RED Server and Firewall RED Server Legacy)

Enter the hostname of the Sophos XG Firewall.

The hostname must be a publicly resolvable DNS name or IP address for the Sophos XG Firewall.

The RED will use this name or the IP address to connect back to the Sophos XG Firewall.

2nd Firewall IP/Hostname (not available if client Type is RED 10)

Specify the hostname of the second Sophos XG Firewall.

Use 2nd IP/Hostname for (not available if client Type is RED 10)

Select from the following options:

Failover: Ensures that the secondary Sophos XG Firewall takes over when the primary Sophos XG Firewall fails. The secondary host takes over automatically without loss of connection.

Load Balancing: Distributes traffic equally between the primary and the secondary Sophos XG Firewall.

Provisioning File (available only if Type is Firewall RED Client or Firewall RED Client Legacy)

To provide the configuration data to the remote client device, upload the provisioning file using the Browse button and transfer the file to the remote device.

Description

Enter a description for the RED interface.

Device deployment

Select the deployment method:

Automatically via Provisioning Service

Manually via USB Stick

Note: If you select manual deployment, it is extremely important to retain the unlock code, which is sent by email. If you lose the unlock code, you can never connect the RED device again to another Sophos XG Firewall and you have to contact Sophos Support.

By default, Sophos XG Firewall provides the RED's configuration data automatically via Sophos' RED Provisioning Service. In this case, the RED device receives its configuration via the Internet.

If the RED does not have an Internet connection, you can provide the configuration manually via USB stick. If you deploy a RED device manually, you have to ensure that the Sophos XG Firewall is acting as NTP server. Activate NTP on the Sophos XG Firewall under System > Administration > Time and allow the correct network or the IP address of the RED.


Figure 324: Add RED Interface

4. Enter the details for Uplink Settings.

Uplink Connection

Select the connection type for the uplink:

DHCP: The RED pulls an IP address from a DHCP server.

Static: Enter an IP address, the corresponding netmask, a gateway and a DNS server IP address.

2nd Uplink Connection (available only if client Type is RED 50)

Select the connection type for the uplink:

DHCP: The RED pulls an IP address from a DHCP server.

Static: Enter an IP address, a corresponding netmask, gateway and DNS server IP address.

2nd Uplink Mode (available only if client Type is RED 50)

Select an uplink mode for the 2nd host.

Failover

Load Balancing

3G/UMTS Failover (not available if Operation Mode is Transparent/Split)

Select to enable the 3G/UMTS failover function. Clear the check box to disable the function.

Note: Plug a 3G/UMTS USB stick into the RED's USB port. The stick can provide Internet uplink failover in case of WAN interface failure. For the necessary settings, refer to your Internet provider's data sheet.

Mobile Network: Select the mobile network type from the drop-down list.

GSM

CDMA

Username/Password (available only if CDMA is selected): If required, specify a username and password for the mobile network.

PIN (available only if GSM is selected): Specify the PIN of the SIM card if a PIN is configured.

Note: If you specify a wrong PIN, the connection cannot be established through 3G/UMTS in case of WAN interface failure. Instead, the 3G/UMTS Failover checkbox of the RED device is automatically cleared, so the wrong PIN is used only once. When the WAN interface comes up again, the RED device displays a warning: "A wrong PIN was entered for 3G/UMTS failover uplink. Please change the login data." When you open the Edit RED dialog box, a message tells you that the 3G/UMTS failover was automatically unselected. Enter the correct PIN and select the checkbox. After three connection attempts with a wrong PIN, the SIM card is locked. It cannot be unlocked through the RED device or Sophos XG Firewall and you have to contact Sophos Support.

APN (available only if GSM is selected): Enter your provider's access point name information.

Dial String : If your provider uses a different dial string, enter it here.

Default for GSM: *99#

Default for CDMA: #777


Figure 325: RED Uplink Settings

5. Specify the RED Network Settings details.

RED Operation Mode

Select to define how the remote network is to be integrated into your local network:

Standard/Unified: All the remote network traffic is routed through the Sophos XG Firewall which serves as the DHCP server and as the default gateway too. Sophos XG Firewall has complete control over the network traffic of the remote network. It can apply firewall rules to traffic between the local and remote LANs as well as filter web traffic and applications of the remote network.

Note: Handle VLAN traffic through this mode if VLAN is deployed behind the RED.

Standard/Split: Only traffic to select local networks is routed through the Sophos XG Firewall.

Select the local networks from the drop-down list in the Split Network box or create new networks which can be accessed by the RED. Sophos XG Firewall controls the traffic to these networks from the remote network. It also serves as the DHCP server and as the default gateway.

All other remote network traffic is sent directly out through the local Internet connection.

Note: VLAN tagged frames cannot be handled in this operation mode. To use a VLAN behind your RED device, select the Standard/Unified operation mode.

Transparent/Split (not available if 3G/UMTS Failover is selected): Sophos XG Firewall does not control the network traffic of the remote network and does not serve as its DHCP server or default gateway. Instead, it pulls an IP address of the remote network from the DHCP server to become part of that network. However, you can enable access to the local network for remote clients. Define split networks that can be accessed by the remote network.

Additionally, you can define one or more split domains to be accessible. If your local domains are not publicly resolvable, define a Split DNS Server, which can be queried by the remote clients.

Note: VLAN tagged frames cannot be handled in this operation mode. To use a VLAN behind your RED device, select the Standard/Unified operation mode instead.

RED IP (not available if Transparent/Split is selected)

Enter the IP address of the RED device.

RED Netmask (not available if Transparent/Split is selected)

Select the netmask from the drop-down list.

Zone

Select the zone from the drop-down list:

• LAN

• DMZ

• VPN

• WiFi

Configure DHCP

Enable to configure a DHCP range for RED.

RED DHCP Range (available only if Configure DHCP is selected)

Enter the DHCP range which the RED is allowed to use.

Split DNS Server (available only if Transparent/Split is selected)

If your local domains are not publicly resolvable, you need to define a Split DNS Server, which can be queried by remote clients.

Split Network (not available if Standard/Unified is selected)

Select the split networks from the drop-down list or add more networks.

Note: Traffic to the networks listed in the Split Network box is redirected to your Sophos XG Firewall. The remaining traffic is directly routed to the Internet.

To check traffic from the branch office to the main office intranet for viruses, route it through the Sophos XG Firewall. Or use the Sophos XG Firewall as an HTTP proxy.

Split Domains (not available if Transparent/Split is selected)

Add one or more split domains.

Note: Since Sophos XG Firewall is only a client of the remote network, it is not possible to route traffic to the split networks the way it is done with the other modes.

Therefore, the RED device intercepts all traffic: traffic targeting a network listed in the Split Network box or going to a domain listed in the Split Domain box is redirected to the Sophos XG Firewall interface. This is accomplished by replacing the default gateway's MAC address in the respective data packets with the MAC address of Sophos XG Firewall.

Example: A partner or service provider requires access to your intranet or a certain server in your local network. Using a RED device the partner's network remains completely independent of your network, but they can access a defined part of your network for certain purposes, as if they were connected via LAN.

MAC Filtering Type

To restrict the MAC addresses allowed to connect to the RED device, select Blacklist or Whitelist.

Whitelist: Only MAC addresses listed in the MAC Address list are allowed.

Blacklist: MAC addresses listed in the MAC Address list are not allowed.

MAC Address: The list of MAC addresses used to allow or restrict access to the RED device. MAC address lists can be created on the System > Hosts and Services > MAC Host page.

Note: MAC filtering only works for RED rev. 2 or newer. For RED 10, a maximum of 200 MAC addresses is allowed, whereas for RED 50, the list may contain up to 400 MAC addresses.

Tunnel Compression

Select to compress all traffic sent through the RED tunnel. Data compression can increase the throughput of a RED device deployed in regions with a very slow Internet connection such as 1-2 MBps. However, the performance increase depends on the data's potential to be compressed (for example, data that is already compressed, such as HTTPS or SSH, cannot be compressed further). In some circumstances, enabling data compression can actually reduce the throughput of the RED device. In such a case, disable data compression.

Note: Tunnel compression is not available for RED 10 rev.1.


Figure 326: RED Network Settings

6. Enter the details of Switch Settings (available only if client Type is RED 50).

Switchport Mode

RED 50 offers four LAN ports that can be configured either as simple switches or for intelligent VLAN usage. When set to Switch, all the traffic is sent to all ports. When set to VLAN, traffic can be filtered according to the Ethernet frames' VLAN tag, thus allowing the tunneling of more than one network into the RED tunnel.

Select the switchport mode for the switch settings.

Switch: RED 50 uses the switch by default.

VLAN: Select the LAN port(s) and enter the LAN VID(s).

When using the VLAN switch port configuration, you can configure each LAN port separately. For each LAN port, the following options are available:

Untagged (Hybrid Port): Ethernet frames with the VLAN IDs specified in the LAN VID(s) field below will be sent to this port. The frames are sent without tags, thus the end devices do not have to support VLAN. This port allows just one VLAN ID.

Untagged, drop tagged (Access port): Ethernet frames with the VLAN IDs specified in the LAN VID(s) field below will not be sent to this port. The frames are sent without tags, thus the end devices do not have to support VLAN.

Tagged (Trunk Port): Ethernet frames with the VLAN IDs specified in the LAN VID(s) field below will be sent to this port. The frames are sent with tags, and the end devices have to support VLAN. Frames without VLAN IDs will not be sent to this port. This port allows up to 64 different VLAN ID(s) separated by commas.

Disabled: This port is closed. No frames, with or without the VLAN IDs specified in the LAN VID(s) field, will be sent to this port.

7. Click Save.

Note: If the message "Registering with RED service failed. Please make sure that this device can connect to the Internet on port 3400" appears, a network problem has occurred. Check whether you can reach red.astaro.com through port 3400 (via the console command telnet red.astaro.com 3400). If you can, the error could be due to high network load. Retry the connection later.

Related tasks

Configure RED on page 455: This page describes how to configure RED.

Related information

RED Supported 3G/4G/LTE USB Dongles

Manage RED Interface

This chapter describes the functions available through the menu icon of RED interfaces on the Configure > Network > Interfaces page.

The following options are available:

Activate/deactivate

The toggle switch next to the branch name shows the status of the interface. Click it to turn it on/off.

Note: The RED interface is deactivated and cannot be edited if the RED device is bound to another system.

Download Provisioning file

This option is available only if the RED interface is in offline provisioning mode (if Device Deployment is set to Manually via USB Stick).

Clicking the link downloads the provisioning file for the RED device. Save the file to the root directory of a USB stick. Then plug the USB stick into the RED appliance before turning it on. The RED will fetch its configuration from the USB stick. After that, the connection between your appliance and the RED appliance is established.

Note: It is crucial that you keep the unlock code, which is emailed instantly to the address provided on the RED Configuration page as soon as the RED appliance receives its configuration. (In case of switching between manual and automatic deployment, make sure to keep both unlock codes.) You need the unlock code when you want to use the RED appliance with another Sophos XG Firewall. If you do not have the unlock code ready at that point, the only way to unlock the RED appliance is to contact Sophos Support. Support, however, can only help you if you deployed the configuration automatically, via the RED Provisioning Service.

3G/UMTS Failover

Displays if the 3G/UMTS Failover function is enabled or disabled.

Configure RED Site-to-Site Tunnel

This page describes how to set up a RED Site-to-Site Tunnel.

For such a connection, you need a RED server and a RED client. A RED Site-to-Site connection is also possible between Sophos XG Firewall and Sophos UTM using the RED server legacy and RED client legacy interface types. For more information, see RED Site-to-Site between Sophos XG Firewall and Sophos UTM on page 327.

1. Configure the Firewall RED Server on the server machine.

How to configure RED is described in chapter Configure RED on page 455.

2. Add a RED interface on the Interfaces page.

How to add a RED interface is described in chapter Add RED on page 320.

3. Go to Configure > Network > Interfaces.

4. On the required RED interface, click the icon towards the right and select Download Provisioning File.

5. Configure the Firewall RED Client on the client machine and upload the provisioning file you downloaded from the server machine.

The RED Site-to-Site tunnel has been established and is active. You can check the RED connection status on both machines in the Network Security Control Center in the section User Threat Quotient.

RED Site-to-Site between Sophos XG Firewall and Sophos UTM

A RED Site-to-Site connection is also possible between Sophos XG Firewall and Sophos UTM. Select the interface type RED Server Legacy if you want to use Sophos XG Firewall as a RED firewall server for a Sophos UTM client. The provisioning file then needs to be uploaded in the Sophos UTM client management. When you use Sophos UTM as the RED firewall server, you need to upload the provisioning file from the Sophos UTM into a Sophos XG Firewall interface of type RED Client Legacy.

Sophos XG Firewall as RED Firewall server

This page describes how to set up a RED Site-to-Site Tunnel between Sophos XG Firewall as RED firewall server legacy and Sophos UTM as RED client.

1. Ensure that RED on Sophos XG Firewall is activated. This can be done from Configure > System Services > RED.

2. Go to Configure > Network, click Add Interface on the upper right and select Add RED from the drop-down list.

3. Create a RED interface with type RED Firewall Server Legacy.

How to create a RED interface is described in chapter Add RED on page 320.

4. Download the provisioning file.

5. Log in to Sophos UTM.

6. Ensure that RED on Sophos UTM is activated. This can be done from RED Management > Global Settings.

7. Go to RED Management > [Client] Tunnel Management, click New Tunnel.

8. Create a tunnel and upload the provisioning file from Sophos XG Firewall.

How to create a tunnel is described in the Sophos UTM Administration Guide (Chapter 15.5 Tunnel Management).

9. Go to Interface & Routing > Interfaces, click New Interface.

10. Create an interface with the RED tunnel.

How to create a RED interface is described in the Sophos UTM Administration Guide (Chapter 6.1 Interfaces).

The Site-to-Site connection between Sophos XG Firewall and Sophos UTM is now activated and can be seen in SF-OS under Configure > Network > Interfaces and in the Control Center.

Sophos UTM as RED Firewall Server

This page describes how to set up a RED Site-to-Site Tunnel between Sophos UTM as RED firewall server and Sophos XG Firewall as RED client legacy.

1. Ensure that RED on Sophos UTM is activated. This can be done from RED Management > Global Settings.

2. Go to RED Management > [Server] Client Management, click New RED.

3. Create a RED.

How to create a RED is described in the Sophos UTM Administration Guide (Chapter 15.3 Client Management).

4. Download the provisioning file.

5. Go to Interface & Routing > Interfaces, click New Interface.

6. Create an interface with the RED server.

How to create a RED interface in Sophos UTM is described in the Sophos UTM Administration Guide (Chapter 6.1 Interfaces).

7. Ensure that RED on Sophos XG Firewall is activated. This can be done from Configure > System Services > RED.

8. Go to Configure > Network, click Add Interface on the upper right and select Add RED from the drop-down list.


9. Create a RED interface with type RED Firewall Client Legacy and upload the provisioning file from Sophos UTM.

How to create a RED interface is described in chapter Add RED on page 320.

The Site-to-Site connection between Sophos XG Firewall and Sophos UTM is now activated and can be seen in SF-OS under Configure > Network > Interfaces and in the Control Center.

Tap

The device provides seamless proof of concept through the Discover Mode, allowing you to evaluate its security performance prior to purchase. Through the Tap interface, Discover Mode enables you to monitor network traffic without making any change in the current network schema.

Connect the device to a switch through which all the network traffic passes. Configure the switch to forward a copy of every packet passing through it to the device. The device monitors the traffic passively and generates a Security Assessment Report (SAR) from the gathered data. The SAR provides visibility into potential risks within the network, including application and web risks, risky users, intrusion risks, and more.

Note:

• When deployed in Discover Mode, the device functions in listening mode. Hence, no firewall rule is applied.

• Only unbound physical interfaces can be configured in Discover mode.

• For interfaces configured in Discover Mode, the Interfaces page displays the zone name as Discover.

• The Tap interface cannot be updated or deleted.

• Subscription to the Network Protection and Web Protection modules is required for the analysis of IPS, Web Filter and Application Filter policies.

Pre-requisites for Discover Mode:

• The device must be connected to the Internet for web classification, IPS updates and SAR generation in the cloud.

• The device must be integrated with external authentication servers, such as Active Directory, RADIUS, LDAP etc., for the SAR to provide user-specific data.

Enable Discover Mode

This page allows you to enable the Discover Mode through the Tap interface.

1. Access the CLI console by clicking admin on the upper right-hand corner of the Admin Console screen.

2. Select the option Console.

3. Provide the admin password.

4. Select the option 4. Device Console.

5. Execute the following command to enable discover mode: console> system discover-mode tap add <Port>

Figure 327: Enable Discover Mode

The message "Discover Interface added successfully" is displayed on the CLI. Additionally, the interface configured in Discover Mode displays the message "Discover, Physical (Tap)" on the Interfaces page.

Zones

This page displays a list of all the zones including system zones and lets you manage the zones.

A zone is a logical grouping of ports/physical interfaces and/or virtual sub-interfaces if defined.

Zones provide a flexible layer of security for the firewall. With the zone-based security, the administrator can group similar ports and apply the same policies to them instead of writing the same policy for each interface.


Next to the Name of the zone type, the list displays the Members belonging to the specific zone, the zone Type, the kind of Device Access and, optionally, a Description.

Default Zone Types

LAN - Depending on the device in use and network design, you can group one to six physical ports in this zone.

Group multiple interfaces with different network subnets to manage them as a single entity. Group all the LAN networks under this zone.

• By default, the traffic to and from this zone is blocked and hence it is the most secure zone. However, traffic between ports belonging to the same zone with different networks will be allowed if a policy is applied for LAN to LAN.

DMZ (DeMilitarized Zone) – This zone is normally used for publicly accessible servers. Depending on the device in use and network design, you can group multiple physical ports in this zone.

WAN - This zone is used for Internet services. It can also be referred to as Internet zone.

VPN – This zone is used for simplifying secure, remote connectivity. It is the only zone that does not have an assigned physical port/interface. Whenever a VPN connection is established, the port/interface used by the connection is automatically added to this zone, and on disconnection the port is automatically removed from the zone. Like all other default zones, scanning and access policies can be applied to the traffic for this zone.

WiFi - This zone is used for wireless Internet services.

The device is shipped with a single zone for LAN, WAN, DMZ, VPN and WiFi. These zones are called system zones.

Additionally, you can define LAN and DMZ zone types.

Add Zone

Use the Add Zone page to create a new zone.

1. Go to Configure > Network > Zones and click Add.

2. Enter the zone details.

Name

Enter a name to identify the zone.

Description

Enter the description for the zone.

Type

Select the type of zone from the available options. LAN - Depending on the device in use and network design, you can group one to six physical ports in this zone. Group multiple interfaces with different network subnets to manage them as a single entity. Group all the LAN networks under this zone.

By default, the traffic to and from this zone is blocked and hence it is the most secure zone.

However, traffic between ports belonging to the same zone will be allowed.

DMZ (DeMilitarized Zone) - This zone is normally used for publicly accessible servers.

Depending on the device in use and network design, you can group one to five physical ports in this zone.

Note: By default, the entire traffic will be blocked except LAN to Local zone services like administration, authentication, and network.

Members

Displays all the member ports.

Click the checkbox to select the ports. All the selected ports are moved to the 'Selected port' list.

Device Access

Device access defines the type of administrative access permitted to a zone.

Admin Services - Enable administrative services that should be allowed through this zone:

HTTPS - Allow secure HTTPS connection to the admin console through this zone

Telnet – Allow Telnet connection to CLI through this zone

SSH – Allow SSH connection to CLI through this zone

Authentication Services – Enable authentication services that should be allowed through this zone:

• Client Authentication

• Captive Portal

• NTLM

• Radius SSO

Network Services - Enable network services that should be allowed through this zone:

• DNS – Allow this zone to respond to DNS requests

• Ping/Ping6 – Allow this zone to respond to pings

Other Services - Enable other services that should be allowed through this zone:

• Web Proxy

• SSL VPN Tunnel

• Wireless Protection

• User Portal

• Dynamic Routing

• SNMP

• SMTP Relay


Figure 328: Add Zone

3. Click Save.

Note:

• If servers in the DMZ use private IP addresses, use NAT to make them publicly accessible.

• Local and VPN zones cannot be updated or deleted.

The new zone has been created and appears on the Zones page.


WAN Link Manager

A gateway routes traffic between the networks, and if the gateway fails, communication with an external network is not possible.

By default, the device supports only one gateway. However, to cope with gateway failures, the device provides an option to configure multiple gateways. Simply adding one more gateway does not solve the problem by itself, though: optimal utilization of all the gateways is also necessary. The device's WAN Link Manager provides link failure protection by detecting a dead gateway and switching over to an active link. It also offers a mechanism to balance traffic between the various links.

At the time of deployment, you configured the IP address of a default gateway through the Network Configuration Wizard. You can change this configuration at any time and configure additional gateways. You can use the WAN Link Manager to configure multiple gateways for load balancing and failover.

By default, all gateways defined through the Network Configuration Wizard are defined as Active gateways.

The device provides a powerful solution for routing and managing traffic across multiple Internet connections.

Designed to provide business continuity for an organization of any size, the WAN Link Manager optimizes the use of multiple Internet links, such as T1s, T3s, DSL and cable connections from one or multiple Internet service providers.

Capable of automatic failover in the event of link failure, it helps to assure that your network is always connected to the Internet.

It also gives you an option to configure multiple WAN interfaces to allow connecting your device to more than one Internet service provider (ISP).

When you configure multiple external interfaces, you even have an option to control which interface an outgoing packet uses.

Load Balancing

Load balancing is a mechanism that balances traffic between various links. It distributes traffic among the links, optimizing utilization of all of them to accelerate performance and cut operating costs. The device employs a weighted round robin algorithm for load balancing to reach maximum utilization of the capacities across the various links.

Using link load balancing gives organizations the possibility to achieve:

• Traffic distribution that does not overburden any link

• Automatic ISP failover

• Improved user performance because of no downtime

• Increased bandwidth scalability

To achieve outbound traffic load balancing between multiple links:

• Configure links in active-active setup, defining gateways as Active

• Assign an appropriate weight to each gateway. Traffic is distributed across the links in proportion to the ratio of weights assigned to individual links.

How it works

Load balancing is determined by the load metric. The load metric is weight. Each link is assigned a relative weight and the device distributes traffic across links in proportion to the ratio of weights assigned to individual links. This weight determines how much traffic will pass through a particular link in relation to the other link(s).

The administrator can set the weight and define how the traffic will be directed to providers to best utilize their bandwidth investments. Weight can be selected based on:

• Link capacity (for links with different bandwidths)

• Link/Bandwidth cost (for links with varying costs)

A weighted load balancing feature enables network managers to optimize network traffic and balance the load between multiple links/interfaces.


Gateway failover

Gateway failover provides link failure protection so that when one link goes down, the traffic is switched over to the active link. This safeguard helps to provide uninterrupted, continuous Internet connectivity to users. The transition is seamless and transparent to the end user, with no disruption in service and without downtime.

To achieve WAN failover between multiple links:

• Configure links in active-backup setup

• Define Active gateway/interface

• Define backup gateway/interface – Traffic through this link is routed only when the active interface is down

• Define failover rule

In the event of Internet link failure, the WAN Link Manager automatically sends traffic to available Internet connections without administrator intervention. If more than one link is configured as backup link, traffic is distributed among the links in the ratio of the weights assigned to them. On failover, the backup gateway can inherit the parent gateway’s (active gateway) weight or can be configured.

The transition from the dead link to the active link is based on the failover rule defined for the link. The failover rule specifies:

• how to check whether the link is active or dead

• what action to take when a link is not active

The failover rule has the form:

IF Condition 1 AND/OR Condition 2 then Action

Depending on the outcome of the condition, traffic is shifted to any other available gateway.

A ping rule is automatically created for every gateway. The device periodically sends ping requests to check the health of the link, and if the link does not respond, traffic is automatically sent through another available link. The selection of the gateway and how much traffic is routed through each gateway depends on the number of configured active and backup gateways.

Gateway Failback

During a link failure, the device regularly checks the health of a given connection, assuring a fast reconnection as soon as the Internet service is restored. When the connection is restored and the gateway is up again, without the administrator’s intervention, traffic is again routed through the active gateway. In other words, the backup gateway fails back on the active gateway.
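The behaviour described in this section, as an added worked example that is not Sophos code: weighted round robin across Active gateways, the "IF Condition 1 AND/OR Condition 2 then Action" form of the failover rule that the failover rule pages use, Backup activation with an inherited weight, and failback. The gateway names, probe targets (documentation address ranges) and probe results are constructed assumptions; how a Backup set to ANY/ALL picks the parent whose weight it inherits is also an assumption noted in the code.

```python
"""WAN Link Manager model: weighted round robin across Active gateways,
failover rules "IF Condition 1 AND/OR Condition 2 then Action", Backup
gateways that take over (optionally inheriting the failed gateway's
weight) and failback once the link answers again. Added illustration, not
Sophos code; data model, probe targets and results are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Probe = Tuple[str, str, Optional[int]]       # (protocol, ip_address, port)

@dataclass
class FailoverRule:
    conditions: List[Probe]                  # PING or TCP checks on an IP
    operator: str = "AND"                    # "AND" or "OR"

    def link_is_dead(self, reachable: Dict[Probe, bool]) -> bool:
        """A condition holds when its address did not respond. AND: every
        condition must hold; OR: one unreachable address is enough."""
        holds = [not reachable.get(c, False) for c in self.conditions]
        return all(holds) if self.operator == "AND" else any(holds)

@dataclass
class Gateway:
    name: str
    gw_type: str                             # "Active" or "Backup"
    weight: int                              # 1..100 (NA for Backup)
    rule: FailoverRule
    activate_if: str = "ANY"                 # Backup: gateway name, "ANY", "ALL"
    inherit_weight: bool = True              # Backup: inherit parent's weight
    up: bool = True

def refresh_health(gateways: List[Gateway], reachable: Dict[Probe, bool]) -> None:
    """Re-evaluate every gateway's failover rule from the latest probe results."""
    for gw in gateways:
        gw.up = not gw.rule.link_is_dead(reachable)

def effective_weights(gateways: List[Gateway]) -> Dict[str, int]:
    """Gateways traffic is routed through right now, with their weights:
    healthy Active ones plus every Backup whose activation condition is met."""
    active = [g for g in gateways if g.gw_type == "Active"]
    healthy = [g for g in active if g.up]
    failed = [g for g in active if not g.up]
    weights = {g.name: g.weight for g in healthy}
    for b in (g for g in gateways if g.gw_type == "Backup" and g.up):
        if b.activate_if == "ANY":
            parent = failed[0] if failed else None
        elif b.activate_if == "ALL":
            parent = failed[0] if failed and not healthy else None
        else:                                # Specific Gateway
            parent = next((g for g in failed if g.name == b.activate_if), None)
        if parent is None:
            continue                         # backup stays idle
        # Assumption: for ANY/ALL the first failed gateway is the parent
        # whose weight is inherited.
        weights[b.name] = parent.weight if b.inherit_weight else b.weight
    return weights

def distribute(weights: Dict[str, int], flows: int) -> Dict[str, int]:
    """Weighted round robin: assign `flows` new connections so that each
    link receives a share proportional to its weight (smoothly interleaved)."""
    if not weights:
        return {}
    names, total = list(weights), sum(weights.values())
    credit = {n: 0 for n in names}
    order: List[str] = []
    for _ in range(total):                   # one cycle of `total` slots
        for n in names:
            credit[n] += weights[n]
        pick = max(names, key=lambda n: credit[n])
        credit[pick] -= total
        order.append(pick)
    counts = {n: 0 for n in names}
    for i in range(flows):
        counts[order[i % total]] += 1
    return counts

def build_example() -> List[Gateway]:
    """Constructed sample: two Active links weighted 3:1 and an LTE Backup
    that takes over for ISP1 with ISP1's weight. Addresses are from
    documentation ranges, not real hosts."""
    isp1 = FailoverRule([("PING", "198.51.100.1", None),
                         ("TCP", "198.51.100.53", 53)], "AND")
    isp2 = FailoverRule([("PING", "203.0.113.1", None),
                         ("TCP", "203.0.113.53", 53)], "OR")
    lte = FailoverRule([("PING", "192.0.2.1", None)])
    return [Gateway("ISP1", "Active", 3, isp1),
            Gateway("ISP2", "Active", 1, isp2),
            Gateway("LTE", "Backup", 0, lte, activate_if="ISP1")]

def simulate(gateways: List[Gateway], reachable: Dict[Probe, bool],
             flows: int) -> Dict[str, int]:
    """One health cycle, then distribute `flows` new connections."""
    refresh_health(gateways, reachable)
    return distribute(effective_weights(gateways), flows)
```

Running simulate() with every probe answering, then with both ISP1 probes failing, then with all probes answering again walks through normal load balancing, failover with weight inheritance and failback.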

WAN Link Manager

The WAN Link Manager page displays a list of configured IPv4 and IPv6 gateways. The page also displays the status Active or Deactive for each gateway and the failover rule in case multiple gateways are configured. You can change the gateway parameters, change the gateway status, add or remove the failover rule, and view the data transfer passed through the gateway.

For the backup gateway, the weight is NA while for the active gateway, the configured weight is displayed.

Click the data transfer icon under the Manage column of the corresponding gateway to view the total data transferred through the gateway in graphical as well as in tabular form.

Gateway Failover Timeout Configuration

Gateway Failover Timeout

Configure the gateway failover timeout in seconds.

This is the time period the device waits before the gateway failover occurs.

Default: 60 seconds


Acceptable Range: 1 to 65535

Figure 329: Gateway Failover Timeout Configuration

Update Gateway Configuration

You can update the gateway configuration from this page.

1. Go to Configure > Network > WAN Link Manager, click the gateway's Name hyperlink or click the edit icon under the Manage column to edit its settings.

2. Enter the gateway details.

Name

Enter the name of the gateway.

IP Address

Enter the IP address assigned to the gateway.

Interface

Specify the IP address of the interface.

Type

Specify the type of the gateway.

Available Options: Active - Traffic will route through the active gateway(s). If more than one active gateway is configured, the traffic will be load balanced between these gateways depending on the weight assigned to each gateway. Backup – A gateway used in an active/passive setup, where traffic is routed through the backup gateway only when the active gateway is down.

Weight

Depending on the weight, the gateway is selected for load balancing. The device distributes traffic across links in proportion to the ratio of weights assigned to individual links.

This weight determines how much traffic will pass through a particular link relative to the other link(s).

Gateways can be assigned a weight from 1 to 100.

Note: When multiple gateways are configured and one gateway goes down, the traffic is switched over to the available gateways according to the ratio of the weights assigned to the available gateways.

Default NAT Policy

Select the NAT policy to be used as default for a particular gateway.

By default, the MASQ NAT policy is configured.

Select None, if NAT should not be applied on that particular gateway.

Figure 330: Update Active Gateway Configuration

3. Enter the backup gateway details (Only available, if the type is Backup)

Activate This Gateway

Select gateway activation condition: automatically or manually.

Automatic failover

For automatic failover, activate the option If ... Active gateway fails.

From the dropdown list, specify when the backup gateway should take over from the active gateway. This takeover process will not require the administrator’s intervention.

Available Options:

Specific Gateway - The dropdown list displays all configured gateways. The backup gateway will take over and traffic will be routed through the backup gateway only when the selected gateway fails.

ANY – The backup gateway will take over and traffic will be routed through the backup gateway when any of the active gateways fails.

ALL – The backup gateway will take over and traffic will be routed through the backup gateway when all the configured active gateways fail.

Manual failover

If you select Manually, the administrator will have to change the gateway manually when the active gateway fails.

Action on Activation

Configure weight for the backup gateway. The device distributes traffic across links in proportion to the ratio of weights assigned to individual link. This weight determines how much traffic will pass through a particular link relative to the other link.

Inherit weight of the failed active gateway

If this option is selected, the backup gateway will inherit the parent gateway’s (active gateway) weight

Use configured weight

If this option is selected, the weight specified in the Weight field will be used for the backup gateway.


Figure 331: Backup Gateway Details

4. Click Save.

The gateway details have been updated.

5. Configure the Failover Rules.

IF Then Condition

From the dropdown list, select the communication protocol, such as TCP or PING (ICMP). Select the protocol depending on the service to be tested on the host.

Port: For TCP communication, specify the port number for communication.

on IP Address: Specify the IP address of the computer or the network device which is permanently running or most reliable.

Condition

• AND - All the conditions must be satisfied before the specified action is taken

• OR - At least one condition must be satisfied before the specified action is taken.

A request is sent to an IP address. If the IP address does not respond to the request, the device considers the IP address as unreachable.

Figure 332: Configure Failover Rules

6. Click Save.

The failover rule has been updated.

Add Failover Rule

You can add failover rule from this page.

1. Go to Configure > Network > WAN Link Manager, click the gateway's Name hyperlink or click the edit icon under the Manage column and click Add under the Failover Rules section.

2. Configure the failover rules.

IF Then Condition

From the dropdown list, select the communication protocol, such as TCP or PING (ICMP). Select the protocol depending on the service to be tested on the host.

Port: For TCP communication, specify the port number for communication.

on IP Address: Specify the IP address of the computer or the network device which is permanently running or most reliable.

Condition

• AND - All the conditions must be satisfied before the specified action is taken

• OR - At least one condition must be satisfied before the specified action is taken.

A request is sent to an IP address. If the IP address does not respond to the request, the device considers the IP address as unreachable.


Figure 333: Configure Failover Rules

3. Click Save.

The failover rule has been added.

Network Traffic Report for Default Gateway

Click the data transfer icon under the Manage column of the corresponding gateway to view the total data transferred through the gateway in graphical as well as in tabular form.

Network Traffic Report for Default Gateway

Period

From the available options, select the period for the report of the network traffic that passed through the gateway.

Available Options:

• Weekly

• Monthly

• Custom

The graph displays the upload, download and total data transfer through the gateway.

• X-axis: Date (depending on the period selected)

• Y-axis: KB/MB/GB used

Legend

• Orange Color – Upload Network Traffic (MB)

• Purple Color – Download Network Traffic (MB)

• Green Color – Total Network Traffic (MB)

Note: When the selected period is Custom, then the user can select to view data of not more than the last six (06) months. At one time, only thirty (30) days data will be displayed.


Figure 334: Network Transfer Report

DNS

Use this page to configure the DNS settings of the device.

The DNS server is configured at the time of installation. You can add additional DNS servers to which the device can connect for name resolution. If multiple DNS servers are defined, they are queried in the order in which they were entered.

Note: You can also view and manage the DNS server status on the Monitor & Analyze > Diagnostics > Services page.

Sophos XG Firewall supports static DNS host entry where the device acts as a DNS Name Server that provides the requesting client with 'A' records to resolve their requested URL.

You can manually add static DNS host entries for a particular domain name. Sophos XG Firewall checks DNS host entries for the requested domain name. If the domain name requested by the user matches the DNS host entry then the device performs DNS resolution and replies to the client with the IP address found in the static DNS host entry. DNS requests do not need to be redirected to the Local/Authoritative DNS server any longer. This facilitates faster data transfer and avoids multiple DNS resolution cycles for every client request. You can also add multiple IP addresses for a single website hosted behind Sophos XG Firewall.

When you want external domain names to be resolved through internal DNS servers in your network, you can add DNS request routes to such servers. This will decrease the Internet traffic over the network and speed up DNS client requests, as queries will not be forwarded outside the network. Also, DNS information will be less exposed on the Internet, thus enhancing security.

IPv4

Obtain DNS from DHCP

Click to override the device DNS with the DNS address received from the DHCP server.

The option is available if enabled from the Network Configuration Wizard or if a DHCP interface is configured.

Obtain DNS from PPPoE

Click to override the device DNS with the DNS address received from the PPPoE server.

The option is available if enabled from the Network Configuration Wizard or if a DHCP interface is configured.

Static DNS

Select to provide a static IPv4 DNS server address.

A maximum of three static DNS IPv4 addresses can be provided.


Figure 335: IPv4 DNS Settings

IPv6

Obtain DNS from DHCP

Click to override the device DNS with the DNS address received from the DHCP server.

The option is available if enabled from the Network Configuration Wizard or if a DHCP interface is configured.

Static DNS

Select to provide a static IPv6 DNS server address.

A maximum of three static DNS IPv6 addresses can be provided.

Figure 336: IPv6 DNS Settings

DNS Query Configuration

Choose server based on incoming requests record type

Select to choose the DNS server used for resolving the domain name on the basis of the incoming request's record type. Incoming requests can be of type A or AAAA.

Choose IPv6 DNS server over IPv4

Select to first choose the IPv6 DNS server for resolving the DNS and then the IPv4 DNS server.

If both IPv6 and IPv4 DNS servers are configured, then it first selects the IPv6 DNS server for all requests followed by the IPv4 DNS server.

Choose IPv4 DNS server over IPv6

Select to first choose the IPv4 DNS server for resolving the DNS and then the IPv6 DNS server.

If both IPv6 and IPv4 DNS servers are configured, then it first selects the IPv4 DNS server for all requests followed by the IPv6 DNS server.

Choose IPv6 if request originator address is IPv6, else IPv4

Select to choose the IPv6 DNS server if a request is received from an IPv6 source, or the IPv4 DNS server if a request is received from an IPv4 source.

Apply

Click to save the configuration.

Test Name Lookup

Click and provide an IP address or host name for testing the connectivity with the DNS server.


Figure 337: DNS Query Configuration

DNS Host Entry

The DNS Host Entry section displays the list of all the configured host entries. You can filter the list based on the host/domain name. This section provides the option to add, update, or delete entries.

DNS Request Route

This section displays a list of all the configured DNS request routes. You can filter the list based on the name or the target. Additionally, you can add, update and delete routes.

Add DNS Host Entry

The Add DNS Host Entry page allows you to create and manage DNS host entries.

1. Go to Configure > Network > DNS and click Add under DNS Host Entry section.

2. Enter the host entry details.

Host/Domain Name

Provide a fully qualified domain name (FQDN) for the host/domain.

Address

Enter the address details for the host entry.

Entry Type

Select the DNS host entry type.

Available Options:

• Manual – Enter the IP address for the host manually

• Interface IP – Configure an interface as host

IP Address

Specify the IP address of the host/domain or select an interface IP depending on the option selected for the entry type.

Maximum entries per host: 8

Time to Live (seconds)

Specify the TTL in seconds.

Default: 60 seconds

Weight

Specify the weight for load balancing the traffic. The device distributes traffic across the links in proportion to the ratio of weights assigned to individual links.

This weight determines how much traffic will pass through a particular link relative to the other link(s).

Default: 1

Publish on WAN

Enable to publish the DNS host entry on WAN.

Default: Disabled

Reverse DNS Lookup

Reverse DNS lookup is the resolution of an IP address to its designated domain name. Enable to allow reverse DNS lookup.

Note: If multiple host entries resolve to the same IP address, Reverse DNS Lookup can only be enabled for one of them.

• Only A, AAAA, and PTR type of DNS records are supported.

• Address (A) record points a hostname to an IP address and returns a 32-bit IPv4 address.

• AAAA record points a hostname to an IP address and returns a 128-bit IPv6 address.

• Pointer records (PTR) are just the reverse of A records and are used for reverse lookups. They map the IP address to a hostname.

• Maximum DNS entries supported: 1024

• If the device is configured as the DNS server on client systems, queries are sent to the configured DNS servers before the root servers are queried.


Figure 338: DNS Host Entry

3. Click Save.

The DNS host entry has been created and appears on the DNS page.

Add DNS Request Route

This page allows you to configure DNS Request routes to internal DNS servers.

1. Go to Configure > Network > DNS and click Add under DNS Request Route section.

2. Enter DNS request route details.

Host/Domain Name

Specify the domain for which you want to use the internal DNS server.

Target Servers

Select a DNS server(s) to resolve the domain specified above.

You can also add an IP address to the DNS server list from this page by entering it in the entry field. Up to eight IP addresses can be added.


Figure 339: Add DNS Request Route

3. Click Save.

The DNS request route has been created and appears on the DNS page.

DHCP

The DHCP section allows you to configure DHCP for your network.

On a network, the Dynamic Host Configuration Protocol (DHCP) automatically assigns IP addresses to hosts, reducing the administrator's configuration work. Instead of requiring administrators to assign, track and change (when necessary) the IP address of every host on a network, DHCP handles this automatically. Furthermore, DHCP ensures that duplicate addresses are not used.

The DHCP section covers the following topics:

Server

The device acts as a DHCP server: it assigns a unique IP address to a host and releases the address when the host leaves the network. Each time a host rejoins the network it may receive a different IP address. In other words, the device allocates IP addresses dynamically so that addresses can be reused.

An interface having static IP assignment can also act as a DHCP server. You can disable or change this DHCP server configuration. You can configure IPv4 and IPv6 DHCP servers.

Using the Server section, you can configure and manage DHCP servers on the device. It displays a list of all configured DHCP servers, and you can filter the list based on the IP family.

Note:


• The device cannot act as DHCPv6 server and DHCPv6 relay agent simultaneously.

• DHCPv4 Server and DHCPv4 Relay cannot be configured using the same Interface.

Relay

Deploying DHCP in a single segment network is easy. The initial DHCP exchange uses IP broadcast messages, so every host on the segment can hear and respond to them. Things get complicated when there is more than one subnet on the network, because routers do not forward DHCP broadcasts by default. The DHCP relay agent makes it possible to place DHCP clients and DHCP servers on different networks: it receives the broadcast on the client subnet and forwards it as a unicast to the configured servers, so that DHCP clients can obtain IP addresses from a DHCP server on a remote subnet, or from a server that is not located on the local subnet. Without a DHCP relay agent, clients can only obtain IP addresses from a DHCP server on their own subnet.

Using the Relay section, you can configure and manage DHCP relay agents on the device. It displays a list of all interfaces configured as a relay agent, and you can filter the list based on the relay agent name and the IP family.
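The following Python script is an added example, not part of this guide or of the Sophos product. It shows what the relay agent described above does to a client's broadcast before forwarding it: it records its own client-facing interface address in the giaddr field of the DHCPDISCOVER (the server uses that address to choose the scope and to send its reply back through the relay), increments the hops counter, and copies the request to every configured server, enforcing the guide's limit of eight servers per relay. The packet contents, the addresses and the hop threshold of 4 (the default recommended by RFC 1542) are constructed assumptions for this example.

```python
import ipaddress
import struct

MAX_RELAY_SERVERS = 8   # limit stated by the guide for one relay agent
MAX_HOPS = 4            # assumed threshold: RFC 1542 recommended default (hard ceiling is 16)
MAGIC_COOKIE = b"\x63\x82\x53\x63"
GIADDR = slice(24, 28)  # offset of the relay agent IP field in the BOOTP header


def build_discover(xid, mac):
    """Construct a DHCPDISCOVER as a client broadcasts it (hops = 0, giaddr = 0.0.0.0)."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1, 1, 6, 0,                    # op=BOOTREQUEST, htype=Ethernet, hlen, hops
                         xid, 0, 0x8000,                # xid, secs, flags (broadcast bit set)
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr yiaddr siaddr giaddr
                         mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)  # chaddr sname file
    return header + MAGIC_COOKIE + bytes([53, 1, 1, 255])   # option 53 = DISCOVER, then end


def giaddr_of(packet):
    """The relay agent address a server would see in this packet."""
    return str(ipaddress.IPv4Address(packet[GIADDR]))


def relay(packet, relay_ip, servers):
    """Return the (server, packet) pairs a relay agent forwards; [] when the request is dropped."""
    if len(servers) > MAX_RELAY_SERVERS:
        raise ValueError("at most %d DHCP servers per relay" % MAX_RELAY_SERVERS)
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE or packet[0] != 1:
        return []                        # only BOOTREQUEST messages travel towards the servers
    hops = packet[3] + 1
    if hops > MAX_HOPS:
        return []                        # loop protection between chained relays
    giaddr = packet[GIADDR]
    if giaddr == b"\0\0\0\0":
        # First relay on the path: stamp the client-facing interface address so the
        # server can pick the right scope and send its reply to this relay.
        giaddr = ipaddress.IPv4Address(relay_ip).packed
    out = packet[:3] + bytes([hops]) + packet[4:24] + giaddr + packet[28:]
    return [(server, out) for server in servers]


if __name__ == "__main__":
    discover = build_discover(0x3903F326, bytes.fromhex("00087616bc21"))
    for server, forwarded in relay(discover, "192.0.2.1", ["198.51.100.10", "198.51.100.11"]):
        print("to %s: giaddr=%s hops=%d" % (server, giaddr_of(forwarded), forwarded[3]))
```

A second relay on the path leaves giaddr untouched and only bumps the hop count, so the server always learns the subnet of the first relay, which is the client's subnet.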

Lease

The device acting as a DHCP server assigns or leases an IP address from an address pool to a host DHCP client. The IP address is leased for a determined period of time or until the client relinquishes the address. The IPv4/IPv6 Lease section displays a list of all IPv4 and IPv6 addresses leased dynamically, and you can filter the lists based on the leased IP or the client's physical address.

IPv4 Lease

For each IPv4 address, the list displays the following:

• Leased IP address

• Leased start and end time

• Client physical address

• Client host name

• Lease type

IPv6 Lease

For each leased IPv6 address the list displays the following:

• Leased IP address

• Leased start and end time

• Client physical address

• DUID

Related information

Configure DHCP Options

Configure Interface as DHCPv4 Server

This page describes how to configure an interface as DHCP server for IPv4.

1. Go to Configure > Network > DHCP, click Add in the Server section and select IPv4 using the default filter.

2. Specify the General Settings details.

Name

Enter a name to identify the DHCPv4 server uniquely.

Interface

Select an interface to set it as DHCPv4 server. DHCP service can be configured on a virtual interface but not on an interface alias.

Note: DHCPv4 Server and DHCPv4 Relay cannot be configured using the same Interface.

Dynamic IP Lease

Specify the range of IP addresses from which the DHCP server must assign an IP address to the clients and set a subnet mask for the IP address range. You can configure multiple IP ranges for the same interface.

Click the add and delete icons to add or delete a range.

Static IP MAC Mapping

If you want to assign specific IP addresses to some or all clients permanently, you can define static MAC address-to-IP address mappings. To define a MAC-IP mapping, you need the MAC address of the client's network card, usually written as hexadecimal digits separated by colons (for example, 00:08:76:16:BC:21). Specify the host name, the MAC address and the IP address. You can provide multiple MAC-IP mappings for the DHCP server.

Use the add and delete icons to add or delete a MAC-IP mapping.

Subnet Mask

Select a subnet mask for the server.

Domain Name

Specify the domain name that the DHCP server will assign to the DHCP clients.

Gateway

Specify the IP address to be used as the default gateway, or select Use Interface IP as Gateway to use the IP address of the interface selected above.

Default Lease Time

Specify the default lease time.

Acceptable range: 1 to 43200 minutes (30 days)

Default: 1440 minutes

Max Lease Time

Specify the maximum lease time. The DHCP client must ask the DHCP server for new settings after the specified maximum lease time has expired.

Acceptable range: 1 to 43200 minutes (30 days)

Default: 2880 minutes

Conflict Detection

Enable IP conflict detection to check whether an address is already in use before leasing it. If enabled, an address that is already in use on the network will not be leased again.


Figure 340: General Settings

3. Specify the DNS Server details.

Use Device’s DNS Settings

Click to use the device's DNS servers. In this case, the first two DNS servers configured on the device will be used.

If not enabled, provide a primary and secondary DNS to be used.

Primary DNS (available only if Use Device's DNS Settings is disabled)

Specify the IP address of the primary DNS server.

Secondary DNS (available only if Use Device's DNS Settings is disabled)

Specify the IP address of the secondary DNS server.

Figure 341: DNS Server details

4. Specify WINS Server details.

Primary WINS Server

Specify the IP address of the primary WINS server.

Secondary WINS Server


Specify the IP address of the secondary WINS server.

Figure 342: WINS Server details

5. Click Save.

Related information

Configure DHCP Options

Configure Interface as DHCPv6 Server

This page describes how to configure an interface as DHCP server for IPv6.

1. Go to Configure > Network > DHCP, click Add in the Server section and select IPv6 using the default filter.

2. Specify the General Settings details.

Name

Enter a name to identify the DHCPv6 server uniquely.

Interface

Select an interface to set it as DHCPv6 server. DHCP service can be configured on a virtual interface but not on an interface alias.

Dynamic IP Lease

Specify the range of IPv6 addresses from which the DHCP server must assign an IP address to the clients and set a subnet mask (prefix length) for the IPv6 address range. You can configure multiple IPv6 ranges for the same interface.

Click the add and delete icons to add or delete a range.

Static IP DUID Mapping

If you want to assign specific IP addresses to some or all clients permanently, you can define static DUID-to-IP address mappings. To define a DUID-IP mapping, you need the DHCP Unique Identifier (DUID) of the client. The DUID is usually written in groups of two hexadecimal digits separated by colons.

*Each DHCP client and server has a DUID. DHCP servers use DUIDs to identify clients for the selection of configuration parameters. DHCP clients use DUIDs to identify a server in messages where a server needs to be identified.

Specify the host name, DUID and the IP address. You can provide multiple DUID-IP mappings for the DHCP server.

Click the add and delete icons to add or delete a DUID-IP mapping.

Preferred Time

Specify the preferred time.

Acceptable range: 1 to 43200 minutes (30 days)

Default: 540 minutes

Note: Preferred time should be less than valid time.

Valid Time

Specify the valid time.

Acceptable range: 1 to 43200 minutes (30 days)

Default: 720 minutes

Figure 343: General Settings

3. Specify the DNS Server details.

Use Device’s DNS Settings

Click to use the device's DNS servers. In this case, the first two DNS servers configured on the device will be used.

If not enabled, provide a primary and secondary DNS to be used.

Primary DNS (available only if Use Device's DNS Settings is disabled)

Specify the IPv6 address of the primary DNS server.

Secondary DNS (available only if Use Device's DNS Settings is disabled)

Specify the IPv6 address of the secondary DNS server.

Figure 344: DNS Server details

4. Click Save.

Related information

Configure DHCP Options

* RFC 3315 (Dynamic Host Configuration Protocol for IPv6 (DHCPv6))

Add DHCP Relay Configuration

This page describes how to configure an interface as DHCP relay agent.

1. Go to Configure > Network > DHCP and click Add in the Relay section.

2. Enter the DHCP relay configuration details.

Name

Provide a name to identify the DHCP relay agent.


IP Family

Select the IP family for the DHCP relay agent.

Available Options:

• IPv4

• IPv6

Interface

Select the interface on which your client network is configured. The device listens for DHCP requests on this interface and uses it to forward packets between client and server.

Interfaces having a static IP assignment can act as a DHCP relay agent.

The DHCP relay agent can be configured on a virtual interface but not on an interface alias.

Note:

• The device cannot act as DHCPv6 server and DHCPv6 relay agent simultaneously.

• DHCPv4 Server and DHCPv4 Relay cannot be configured using the same Interface.

DHCP Server IP

Specify the DHCP server IP address. You can also configure multiple DHCP servers. This facilitates deploying DHCP servers in high availability environment. The DHCP relay will forward packets to all configured DHCP servers, and the active server will serve the request. In case the active server goes down, the backup server serves the request. The DHCP server takes care of leasing the IP address to a client.

Maximum DHCP servers configurable per DHCP relay: 8

Relay through IPSec (Only available if IP family is IPv4)

Select to relay DHCP messages through an IPSec VPN tunnel.


Figure 345: Add DHCP Relay Configuration

3. Click Save.

The DHCP relay agent has been created and appears on the DHCP page.


IPv6 Router Advertisement

Address Assignment for IPv6 Devices

IPv6 clients are assigned an IP address through:

• DHCP for IPv6

• Stateless address auto configuration (SLAAC)

DHCP for IPv6

Similar to IPv4, IPv6 can use DHCP to assign IP addresses to any clients. The device can be configured to be a stateful DHCP server. The DHCP server is responsible for assigning the IP address to the client and for keeping a record of all clients and the IPv6 addresses assigned to them.

Stateless Address Auto Configuration

The IPv6 protocol supports address auto configuration for stateless addresses. IPv6 devices automatically create unique link-local addresses for IPv6 enabled interfaces, and clients use router advertisement messages to configure their own IP address automatically.

Router Advertisement

The device acting as a router can participate in stateless address auto configuration (SLAAC) and by default provides an IPv6 address prefix and a default gateway to the client.

When the device interface is connected to a network and enabled, a host may send an ICMPv6 Router Solicitation (RS, type 133) message that asks the device to generate a Router Advertisement immediately instead of waiting for the next scheduled time. On receiving the RS message, the device immediately sends an ICMPv6 Router Advertisement (RA, type 134) message announcing its availability. Router advertisements include the method to be used for address assignment, the prefixes used for on-link determination and/or address configuration, the hop limit value, several flags, etc. The critical parameters can be administered centrally and, if necessary, propagated automatically to all hosts on the network. The device advertises information about its interfaces and Internet parameters either periodically or in response to an RS message, informing all nodes on the network about any change in addressing information. Thus, router advertisement (along with the prefix flags) permits simple stateless auto configuration and guides a host in generating an address using autoconfiguration.

Note: You can also view and manage the router advertisement service status on the Monitor & Analyze > Diagnostics > Services page.

Configure IPv6 Router Advertisement settings

You can configure the router advertisement settings for an interface from this page.

1. Go to Configure > Network > IPv6 Router Advertisement and click Add.

2. Enter details for the General Settings.

Interface

Select an interface for router advertisement.

All IPv6 enabled physical interfaces, LAG, VLAN and bridge interfaces can be selected.

Description

Enter a description for the interface to be selected for router advertisement.

Min Advertisement Interval

Specify the minimum time interval in seconds between two consecutive unsolicited router advertisement messages sent to the clients.

Acceptable range: 3 to 1350 seconds

Default: 198 seconds

If the Max Advertisement Interval is 9 seconds or above, the Min Advertisement Interval must not exceed 0.75 times the Max Advertisement Interval.

Max Advertisement Interval

Specify the maximum time interval in seconds between two consecutive unsolicited router advertisement messages sent to the clients.

Acceptable Range: 4 to 1800 seconds

Default: 600 seconds

Managed Flag

Select to set the managed flag. When this flag is set, IPv6 addresses are obtained from the DHCPv6 server.

By default, this flag is not selected.

Note: This option must be selected only if a DHCPv6 server is available, otherwise IPv6 clients will not get IPv6 addresses.

Other Flag

Select to set the other flag. When this flag is set, the DHCPv6 client obtains other network parameters such as DNS server, domain name, NIS, NISP, SIP, SNTP and BCMS servers from the DHCPv6 server.

Note: This option must be selected only if a DHCPv6 server is available.

Default Gateway

Select to use the device as default gateway for communication with the client.

Life Time

Specify the time in seconds to be used for router advertisement as a default gateway at the client end.

The value specified should be between the value specified for Max Advertisement Interval and 9000 seconds.

Default: 1800 seconds

Prefix Advertisement Configuration

Prefix Advertisement includes zero or more prefix options containing information that the default gateway advertises. This information is used by stateless address auto configuration to auto-generate a global IPv6 address. Prefix advertisement has its own list of attributes:

Prefix / 64

Provide the first 64 bits of the IPv6 address.

A host combines this prefix from the router advertisement message with its own 64-bit interface identifier to form its 128-bit IPv6 address.

The first 64 bits (higher order bits) of the address identify the network, while the remaining 64 bits identify a particular address in that network. Hence, IPv6 addresses in one network share the same first 64 bits, which are called the "prefix".

On-link

Select to set the prefix to be “On-link”. With the attribute On-link set, the devices with IPv6 addresses that are within this prefix are reachable on the subnet without a need of a router.

By default, this flag is set.

Autonomous

Select to set the prefix attribute Autonomous. On being set, the global IPv6 address is automatically generated by appending the 64 bit interface identifier to the prefix (prefix /64) advertised in the prefix information.


Only prefixes that have the Autonomous flag set yield a stateless address auto configuration (SLAAC) IPv6 address.

By default, the flag is set.

Preferred Life Time

Specify the time in minutes for a valid address to remain in the preferred state. A preferred address can be used without restriction.

On expiry of the preferred life time, the address becomes deprecated. A deprecated address should not be used for new communication; its use is not forbidden, however, and it can continue to serve as the source address of existing connections.

The IPv6 address remains in the preferred state as long as it is refreshed by prefixes in router advertisements or by any other means, or is renewed by DHCPv6.

Acceptable values: 0 to 71582789 minutes

Default: 240 minutes

Specify the attribute value as “-1” for an infinite preferred life time.

Valid Life Time

Specify the time in minutes for an address to remain in the valid state.

This value determines the time for an address to be in the valid state. Until the time expires, the prefix is considered to be on-link and auto-configured addresses using the prefix can be used.

On expiry of the valid life time, the IPv6 address becomes invalid and cannot be used to send or receive traffic.

Acceptable range: 0 to 71582789 minutes

Default: 1440 minutes

Specify the attribute value as “-1” for an infinite valid life time.

Use the add and remove icons to add or remove a prefix.

Note: The value of attribute Valid Life Time must be greater than or equal to value of Preferred Life Time.


Figure 346: General Settings

3. Enter the details for the Advanced Settings

Using the Neighbor Discovery Protocol (NDP), devices on the same link discover the presence of each other and their link-layer addresses, find gateway routers and maintain reachability information about the active paths to their peers.

Link MTU

Specify the Maximum Transmission Unit (MTU) in bytes for the packets sent on this interface.

Default: 0

Acceptable range: 1280 to 1500 bytes

If Link MTU is set to zero, the information will not be advertised by the interface.

Reachable Time

Specify the reachable time in seconds that the client will use to assume a neighbor is reachable after having received a reachability confirmation message.

Default: 0

Acceptable range: 0 to 3600 seconds

Retransmit Time

Specify the retransmission time in seconds that the client will use to determine how long it should wait before retransmitting neighbor solicitation messages.

Default: 0

Acceptable range: 0 to 4294968 seconds

Hop Limit

Specify the hop limit value.

This value determines the maximum number of hops a packet may traverse. Each router along the route decrements it; when it reaches zero, the packet is discarded.

Default: 64

Acceptable range: 0 to 255


Figure 347: Advanced Settings

4. Click Save.

The IPv6 router advertisement settings have been updated.
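As an added example, not part of this guide or of the Sophos product, the following Python script builds the ICMPv6 Router Advertisement that the settings above describe (M/O flags, router Life Time, hop limit, reachable and retransmit timers, and a Prefix Information option carrying the on-link and autonomous flags with the valid and preferred lifetimes), parses it back the way a host would, enforces the interval and lifetime rules stated on this page, and derives the SLAAC address a host forms from the advertised /64 and its EUI-64 interface identifier. The prefix 2001:db8:1:2::/64, the MAC address and the timer values are constructed for the example; the ICMPv6 checksum is left at zero because computing it needs the IPv6 pseudo-header of a real packet.

```python
import ipaddress
import struct

ICMPV6_RA = 134     # Router Advertisement (solicitations are type 133)
PIO = 3             # Prefix Information option
INFINITE = 0xFFFFFFFF


def check_ra_settings(min_adv, max_adv, life_time, preferred_min, valid_min):
    """Enforce the rules the settings page states. Intervals and Life Time are in
    seconds, Preferred/Valid Life Time in minutes with -1 meaning infinite."""
    if not 4 <= max_adv <= 1800:
        raise ValueError("Max Advertisement Interval must be 4..1800 seconds")
    if not 3 <= min_adv <= 1350:
        raise ValueError("Min Advertisement Interval must be 3..1350 seconds")
    if max_adv >= 9 and min_adv > 0.75 * max_adv:
        raise ValueError("Min Advertisement Interval must not exceed 0.75 x Max")
    if not max_adv <= life_time <= 9000:
        raise ValueError("Life Time must lie between Max Advertisement Interval and 9000")
    if valid_min != -1 and (preferred_min == -1 or preferred_min > valid_min):
        raise ValueError("Preferred Life Time must not exceed Valid Life Time")
    return True


def lifetime_seconds(minutes):
    """The page takes minutes and -1 for infinite; the wire format is seconds."""
    return INFINITE if minutes == -1 else minutes * 60


def build_ra(prefix, managed=False, other=False, life_time=1800, hop_limit=64,
             reachable_ms=0, retrans_ms=0, on_link=True, autonomous=True,
             preferred_min=240, valid_min=1440):
    """ICMPv6 RA header plus one Prefix Information option (checksum left at 0)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC requires a /64 prefix")
    flags = (0x80 if managed else 0) | (0x40 if other else 0)
    header = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, hop_limit, flags,
                         life_time, reachable_ms, retrans_ms)
    pflags = (0x80 if on_link else 0) | (0x40 if autonomous else 0)
    option = struct.pack("!BBBBIII", PIO, 4, 64, pflags,
                         lifetime_seconds(valid_min), lifetime_seconds(preferred_min), 0)
    return header + option + net.network_address.packed


def parse_ra(data):
    """Decode the RA fields a host acts on; a zero-length option is a malformed packet."""
    kind, _code, _csum, hop, flags, life, _reach, _retrans = struct.unpack("!BBHBBHII", data[:16])
    if kind != ICMPV6_RA:
        raise ValueError("not a Router Advertisement")
    ra = {"managed": bool(flags & 0x80), "other": bool(flags & 0x40),
          "hop_limit": hop, "life_time": life, "prefixes": []}
    offset = 16
    while offset + 2 <= len(data):
        otype, olen = data[offset], data[offset + 1] * 8
        if olen == 0:
            raise ValueError("option length 0: RFC 4861 says discard the packet")
        if otype == PIO and olen == 32:
            plen, pflags, valid, preferred = struct.unpack("!BBII", data[offset + 2:offset + 12])
            addr = ipaddress.IPv6Address(data[offset + 16:offset + 32])
            ra["prefixes"].append({"prefix": "%s/%d" % (addr, plen),
                                   "on_link": bool(pflags & 0x80),
                                   "autonomous": bool(pflags & 0x40),
                                   "valid": valid, "preferred": preferred})
        offset += olen
    return ra


def slaac_address(prefix, mac):
    """Prefix (first 64 bits) + EUI-64 interface identifier derived from the MAC."""
    octets = bytearray(bytes.fromhex(mac.replace(":", "")))
    octets[0] ^= 0x02                         # invert the universal/local bit
    iid = bytes(octets[:3] + b"\xff\xfe" + octets[3:])
    net = ipaddress.IPv6Network(prefix)
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + iid))


if __name__ == "__main__":
    check_ra_settings(198, 600, 1800, 240, 1440)        # the page defaults
    ra = parse_ra(build_ra("2001:db8:1:2::/64", other=True))
    print(ra)
    print(slaac_address("2001:db8:1:2::/64", "00:08:76:16:BC:21"))
```

With the Managed flag clear and the Other flag set, as in the parsed example, a host builds its address itself from the advertised prefix and only asks DHCPv6 for DNS and similar parameters; hosts that use privacy extensions (RFC 4941) replace the EUI-64 identifier with a random one, so the address derived here is only what a plain EUI-64 host would produce.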

Cellular WAN

This feature is not supported in Sophos Virtual Security Devices.

Cellular WAN is a wide area network (WAN) for data, typically provided by cellular carriers, that transmits a wireless signal over a range of several miles to a mobile device. Cellular WAN connectivity allows a user with a laptop and Cellular WAN support to use the web or connect to a VPN from anywhere within the coverage area of a cellular service.

Cellular WAN is popularly known as "wireless broadband".

To configure Cellular WAN:


1. Enable Cellular WAN. You can also enable from CLI with the command: system cellular_wan enable.

2. Re-login to the Admin console.

3. Edit the Cellular WAN (WWAN1) interface and configure the Cellular WAN initialization string and gateway from Configure > Network > Interfaces page.

To configure Cellular WAN settings, refer to Configure Cellular WAN Settings on page 309.

Once Cellular WAN is enabled, an interface named WWAN1 is created and it is the member of the WAN zone.

As Cellular WAN interface is a member of WAN zone:

• All the services enabled for the WAN zone from the Device Access page are automatically applicable on WWAN1 connection too.

• All the firewall rules applied on WAN zone will be applied on Cellular WAN (WWAN1) interface.

• A default host named ##WWAN1 is created and firewall rules and VPN policies can be created for the default host.

• The WWAN1 gateway is added as a backup gateway.

• When Cellular WAN is disabled from the CLI in the Cellular WAN menu, the default host ##WWAN1 and the Cellular WAN gateway options are removed from the Admin Console.

Note:

• Cellular WAN is not supported in bridge mode.

• DHCP server configuration is not supported for the Cellular WAN (WWAN1) interface.

• If backup of a device is taken on which Cellular WAN is enabled and restored on a device where it is not enabled, Cellular WAN configuration would still be visible.

Status

The Cellular WAN page displays the status of the Cellular WAN connection. Along with details of the Cellular WAN connection, the page also provides the facility to connect and disconnect the Cellular WAN connection. Below are the screen elements with their description:

Cellular WAN

Enable/Disable Cellular WAN.

Default - Disabled

Connect/Disconnect Button

Click to connect or disconnect the Cellular WAN connection. This process may take some time.

Status

Displays the status of the connection. Status messages can be of the following types:

Possible Status:

• Modem not supported

• No Modem plugged-in

• Connecting…

• Reconnecting

• Connected

• Disconnected

Modem Name

Name of the modem.

IP Address

IP address assigned to the device.

Gateway IP

IP address assigned as the gateway.


Bytes Uploaded

Amount of data uploaded (in KB).

Bytes Downloaded

Amount of data downloaded (in KB).

Time Duration

Time period since Cellular WAN is connected.

Format: HH:MM:SS

Figure 348: Status of the cellular WAN Connection

IP Tunnels

An IP tunnel is an Internet Protocol network communications path between two networks. It encapsulates the packets of one network protocol inside another so that they can be carried across a network that only supports the outer protocol, for example between two IPv6 networks separated by IPv4 routers. The device supports IPv6 tunneling over IPv4 and IPv4 tunneling over IPv6: IPv6 packets can be encapsulated in IPv4 headers, and vice versa, using the IP Tunnel feature.

This page provides a list of all configured IP tunnels. The administrator can create and manage IP tunnels from this page.

Add IP Tunnel

The Add IP Tunnel page allows you to create a new, or edit an existing, 6in4, 6to4, 6rd or 4in6 IP tunnel.

1. Go to Configure > Network > IP Tunnels and click Add.

2. Enter the tunnel details.

Tunnel Name

Enter a unique name to identify the tunnel.

Tunnel Type

Select the tunnel type from the available options.

Available Options:

• 6in4 – Encapsulates IPv6 packets in IPv4 headers on a statically configured tunnel between two IPv4 endpoints. This is used when IPv6 traffic has to cross an IPv4 link with IPv6 networks at both ends.

• 6to4 – Also encapsulates IPv6 packets in IPv4 headers, but without a configured remote endpoint: the site uses an IPv6 prefix derived from its public IPv4 address (within 2002::/16) and the remote IPv4 endpoint is taken from the IPv6 destination address of each packet. This is used to connect an IPv6 network across the IPv4 Internet.

• 6rd – Similar in implementation to 6to4. However, unlike 6to4, 6rd allows the administrator to use a native IPv6 prefix assigned by the provider instead of 2002::/16.

• 4in6 – Encapsulates IPv4 traffic over a configured IPv6 tunnel. This is used when IPv4 traffic has to be carried across a pure IPv6 network.

6rd Prefix (available only if the tunnel type 6rd is selected)

Specify the native IPv6 prefix to be used for the tunnel.

Zone

Select the zone to create the tunnel for.

The tunnel is used for the traffic of the selected zone.

Available Options:

• LAN

• WAN

• DMZ

• WiFi

Local Endpoint

Specify the IP address of the local endpoint of the tunnel.

For:

• 6in4: Specify the IPv4 address of the local endpoint (the tunnel is carried over IPv4).

• 6to4: Specify the IPv4 address of the local endpoint.

• 6rd: Specify the IPv4 address of the local endpoint.

• 4in6: Specify the IPv6 address of the local endpoint (the tunnel is carried over IPv6).

Remote Endpoint (available only if the tunnel types 6in4 or 4in6 are selected)

Specify the IP address of the remote endpoint of the tunnel.

For

• 6in4: Specify the IPv4 address of the remote endpoint.

• 4in6: Specify the IPv6 address of the remote endpoint.

3. Enter the Advanced Settings.

TTL

Specify the time to live (TTL) to be written into the outer header of encapsulated packets.

TTL limits the number of routers (hops) a packet may pass through: each router decrements it and the packet is discarded when it reaches zero.

Default: 0

Acceptable Range: 0 to 255

TOS

Specify the type of service (TOS) for the data.

The TOS value is written into the outer header of encapsulated packets and indicates the packet's priority and the kind of route it prefers (low latency, high throughput or high reliability).

Default: 0

Acceptable Range: 0 to 99


Figure 349: IP Tunnel

4. Click Save.

The IP tunnel has been created or updated and appears on the IP Tunnel page.
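The following Python script is an added example, not part of this guide or of the Sophos product. It derives the 6to4 and 6rd prefixes from the IPv4 endpoint address, recovers the remote IPv4 endpoint from a 6to4 or 6rd destination address (which is why those tunnel types need no Remote Endpoint on this page), and wraps an IPv6 packet in the outer IPv4 header (protocol 41) into which the TTL and TOS settings are written. The addresses and the 6rd domain parameters (a /32 provider prefix with 8 common IPv4 bits) are constructed for the example; how the device itself treats a TTL of 0 is not stated in the guide, so the script simply requires a value from 1 to 255.

```python
import ipaddress
import struct

SIXTO4 = ipaddress.IPv6Network("2002::/16")
PROTO_IPV6 = 41           # outer IPv4 protocol number for 6in4, 6to4 and 6rd


def sixto4_prefix(ipv4):
    """2002:WWXX:YYZZ::/48 for a site whose public IPv4 address is WW.XX.YY.ZZ."""
    packed = b"\x20\x02" + ipaddress.IPv4Address(ipv4).packed + b"\x00" * 10
    return ipaddress.IPv6Network((ipaddress.IPv6Address(packed), 48))


def sixto4_remote_ipv4(dst_ipv6):
    """The IPv4 tunnel endpoint embedded in a 6to4 destination, or None for a
    native IPv6 destination (those are sent to a 6to4 relay router instead)."""
    dst = ipaddress.IPv6Address(dst_ipv6)
    if dst not in SIXTO4:
        return None
    return str(ipaddress.IPv4Address(dst.packed[2:6]))


def sixrd_prefix(domain_prefix, ipv4_mask_len, ipv4):
    """RFC 5969: delegated prefix = 6rd domain prefix followed by the IPv4
    address with its common high ipv4_mask_len bits removed."""
    dom = ipaddress.IPv6Network(domain_prefix)
    v4_bits = 32 - ipv4_mask_len
    suffix = int(ipaddress.IPv4Address(ipv4)) & ((1 << v4_bits) - 1)
    shift = 128 - dom.prefixlen - v4_bits
    return ipaddress.IPv6Network((int(dom.network_address) | (suffix << shift),
                                  dom.prefixlen + v4_bits))


def sixrd_remote_ipv4(domain_prefix, ipv4_mask_len, common_ipv4, dst_ipv6):
    """Recover the far end's IPv4 address from a destination inside the 6rd domain."""
    dom = ipaddress.IPv6Network(domain_prefix)
    dst = ipaddress.IPv6Address(dst_ipv6)
    if dst not in dom:
        return None                       # outside the domain: goes via the border relay
    v4_bits = 32 - ipv4_mask_len
    shift = 128 - dom.prefixlen - v4_bits
    low = (int(dst) >> shift) & ((1 << v4_bits) - 1)
    high = int(ipaddress.IPv4Address(common_ipv4)) & (0xFFFFFFFF ^ ((1 << v4_bits) - 1))
    return str(ipaddress.IPv4Address(high | low))


def ipv4_checksum(header):
    """One's-complement sum over the 20-byte header; 0 when verifying a good header."""
    total = sum(int.from_bytes(header[i:i + 2], "big") for i in range(0, len(header), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encapsulate_6in4(inner_ipv6, local_ipv4, remote_ipv4, ttl=64, tos=0):
    """Prepend the outer IPv4 header (protocol 41) carrying the tunnel's TTL and TOS."""
    if not 1 <= ttl <= 255 or not 0 <= tos <= 255:
        raise ValueError("ttl must be 1..255 and tos 0..255")
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(inner_ipv6), 0, 0x4000,
                      ttl, PROTO_IPV6, 0,
                      ipaddress.IPv4Address(local_ipv4).packed,
                      ipaddress.IPv4Address(remote_ipv4).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + inner_ipv6


if __name__ == "__main__":
    print(sixto4_prefix("192.0.2.4"))                     # 2002:c000:204::/48
    print(sixto4_remote_ipv4("2002:c633:6401::1"))        # 198.51.100.1
    print(sixrd_prefix("2001:db8::/32", 8, "10.1.2.3"))   # 2001:db8:102:300::/56
```

Because the remote IPv4 address is lifted straight out of the IPv6 destination, a 6to4 or 6rd router will send encapsulated traffic to whatever IPv4 address a packet's destination encodes; protocol-41 traffic arriving on the WAN interface therefore deserves the same firewall rules as any other inbound traffic.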

Neighbors (ARP-NDP)

From this page, view the IPv4 and IPv6 ARP-NDP neighbors, create static neighbors and flush existing neighbors.

ARP-NDP

TCP/IP uses the Address Resolution Protocol (ARP) to translate an IPv4 address into a MAC address (physical network address). In other words, it maps layer 3 (IPv4 addresses) to layer 2 (physical or MAC addresses) to enable communication between hosts on the same subnet. To translate IPv6 addresses, the Neighbor Discovery Protocol (NDP) is used.

ARP is used by hosts that are directly connected on a local network and uses unicast and broadcast transmissions between them. A host finds the physical address of another host on its network by broadcasting an ARP query that carries the IP address of the target. As a broadcast protocol, it can create excessive amounts of traffic on your network. To minimize the broadcast traffic, an ARP cache stores and reuses previously learned ARP information.

NDP in IPv6 is similar to ARP in IPv4. The main purpose of both protocols is to enable a host (node) to determine the link layer address (MAC address) of the node it wants to communicate with, in the local network and to find out the link layer address of the router through which it can access a node in an external network. Thus, the actual exchange of messages can take place between the two nodes. Apart from neighbor discovery, NDP functionality includes router discovery, neighbor presence, redirects, network options (as in DHCP options) and stateless auto-configuration.

Similar to ARP, NDP is also susceptible to flooding and poisoning attacks.

NDP has neighbor solicitations analogous to ARP request and neighbor advertisements analogous to ARP replies.

Unsolicited neighbor advertisements in IPv6 correspond to gratuitous ARP replies in IPv4. Static neighbor configuration protects the neighbor cache from untrusted or vulnerable nodes in the network: the device sends no solicitations for configured entries and ignores any incoming solicitation or advertisement for them.

Neighbors

ARP and NDP traffic is a vital communication on a network and is enabled on the Device interfaces by default.

A static neighbor entry allows binding the MAC address to the designated IP address and port. Once the MAC address is bound to a port and IP address, the Device will not update its neighbor table dynamically and will not respond to that IP-MAC pair on any other port. It will also remove any dynamically cached references to that IP address that might be present, and will not allow additional static mappings of that IP address.


These entries will be stored in the Static Neighbor Table, the IPv4 Neighbor Cache and the IPv6 Neighbor Cache.

The Device performs the neighbor lookup in the static neighbor table when it receives the request on a particular port.

If there is any mismatch in the IP address or MAC address, the device considers it a neighbor poisoning attempt and does not update its neighbor cache. If an entry is not available in the static table, the device looks it up in the IPv4 or IPv6 neighbor cache and adds the MAC address to the neighbor cache if required.

Consider an example where IP1 is mapped to MAC1 and the IP1-MAC1 pair is bound to Port A. Similarly, IP2 is mapped to MAC1 and the IP2-MAC1 pair is bound to Port A.

Table 5: Illustration for Neighbor Poisoning

IP Address    MAC Address    Port                     Neighbor Poisoning Attempt
IP1           MAC1           A                        No
IP1           MAC1           Any other port than A    Yes
IP1           MAC2           A                        Yes
IP1           MAC2           Any other port than A    Yes
IP3           MAC1           No static ARP            No
IP2           MAC1           A                        No
IP2           MAC1           Any other port than A    Yes
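The following Python script is an added example, not part of this guide or of the Sophos product. It implements the rule illustrated by Table 5: an entry in the static neighbor table binds an IP address to one MAC address and one port; any ARP reply or Neighbor Advertisement that disagrees with the binding in either MAC or port is treated as a poisoning attempt, is logged, and does not update the cache; an IP address without a static binding is learned dynamically; and a second static mapping of an already bound IP address is refused. The IPv4 and IPv6 addresses, MAC addresses and port names are constructed for the example, with "PortB" standing for "any other port than A".

```python
import ipaddress
from collections import namedtuple

Binding = namedtuple("Binding", "ip mac port")


def _norm_ip(ip):
    return str(ipaddress.ip_address(ip))      # canonical form for IPv4 and IPv6 alike


def _norm_mac(mac):
    return mac.lower()


class NeighborTable:
    """Static neighbor table plus a combined IPv4/IPv6 neighbor cache."""

    def __init__(self):
        self.static = {}   # ip -> Binding
        self.cache = {}    # ip -> (mac, port, "static" | "dynamic")
        self.log = []      # what "Log Possible Neighbor Poisoning Attempts" would record

    def add_static(self, ip, mac, port):
        ip, mac = _norm_ip(ip), _norm_mac(mac)
        if ip in self.static:
            # no additional static mappings of an IP that is already bound
            raise ValueError("%s already has a static binding" % ip)
        self.static[ip] = Binding(ip, mac, port)
        # any dynamically cached reference to this IP is replaced by the binding
        self.cache[ip] = (mac, port, "static")

    def observe(self, ip, mac, port):
        """Process an ARP reply / Neighbor Advertisement claiming ip is at mac, seen on port.
        Returns True for a poisoning attempt; the cache is then left untouched."""
        ip, mac = _norm_ip(ip), _norm_mac(mac)
        binding = self.static.get(ip)
        if binding is None:
            self.cache[ip] = (mac, port, "dynamic")   # no static entry: learn it
            return False
        if binding.mac != mac or binding.port != port:
            self.log.append("possible neighbor poisoning: %s claimed by %s on %s, bound to %s on %s"
                            % (ip, mac, port, binding.mac, binding.port))
            return True
        return False      # agrees with the binding: nothing to update


IP1, IP2, IP3 = "192.0.2.10", "192.0.2.11", "192.0.2.12"
MAC1, MAC2 = "00:08:76:16:bc:21", "00:08:76:16:bc:22"


def table5_results():
    """Replay the seven rows of Table 5 in order; True means 'poisoning attempt: Yes'."""
    table = NeighborTable()
    table.add_static(IP1, MAC1, "PortA")
    table.add_static(IP2, MAC1, "PortA")
    rows = [(IP1, MAC1, "PortA"), (IP1, MAC1, "PortB"), (IP1, MAC2, "PortA"),
            (IP1, MAC2, "PortB"), (IP3, MAC1, "PortB"), (IP2, MAC1, "PortA"),
            (IP2, MAC1, "PortB")]
    return [table.observe(*row) for row in rows]


if __name__ == "__main__":
    for row, hit in enumerate(table5_results(), 1):
        print("row %d: poisoning attempt = %s" % (row, "Yes" if hit else "No"))
```

Row 5 shows the limit of the protection: IP3 has no static binding, so a claim for it is accepted into the cache whatever MAC or port it arrives from. Static entries therefore only protect the addresses you bind, typically gateways, servers and the device's own peers.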

Neighbors (ARP-NDP)

The device maintains three types of table for neighbor entries: Static Neighbor Table, IPv4 Neighbor Cache and IPv6 Neighbor Cache.

IPv4/IPv6 Neighbor Cache table

The IPv4/IPv6 neighbor cache table stores static and dynamic neighbor entries. Static neighbor entries are defined by administrators and are permanent while dynamic neighbor entries are learned entries and are updated dynamically.

Such dynamic entries can be flushed by clicking Flush.

Go to Configure > Network > Neighbors (ARP-NDP) and select IPv4 Neighbor Cache or IPv6 Neighbor Cache to view the neighbor entries. This page allows navigating and managing the neighbor entries in all three tables. Select the table type from the drop-down list to view the neighbor entries in the respective table. It lists the IP address, MAC address, interface and type of each entry. The entry type can be static or dynamic. If everything is working properly with the neighbor, the dynamic neighbor entry is displayed as “Complete, Dynamic”.

“Complete, Dynamic” means both MAC and IP values are there in the table while “Incomplete, Dynamic” means that the neighbor request was sent but no reply has yet been received.

Neighbor Configuration

Neighbor cache entry timeout

Specify time interval after which the entries in the cache should be flushed.

Default: 2 minutes

Input range: 1 to 500 minutes

Flush the IPv4/IPv6 neighbor cache whenever the host IP address on the network changes. As the IP address is linked to a physical address, it can change but can still be associated with the physical address in the IPv4/IPv6 Neighbor Cache. Flushing the IPv4/IPv6 Neighbor Cache allows new information to be gathered and stored in the IPv4/IPv6 Neighbor Cache.

Log Possible Neighbor Poisoning Attempts

Enable to log the poisoning attempts.


Figure 350: Neighbor Configuration

Flushing Neighbor Table and Cache

The neighbors page displays a list of all the IP address-and-MAC address mappings and you can filter the list based on the IP address or the MAC address.

Select Static Neighbor Table or the required cache and click the Flush button to empty the cache or click Add to add a new entry.

Figure 351: Neighbors

Add Static Neighbor

The Add Static Neighbor page allows you to add an IPv4 or IPv6 neighbor.

1. Go to Configure > Network > Neighbors (ARP-NDP). In the Show section select Static Neighbor Table and click Add.

2. Specify the details.

IP Family

Select the IP Family for the static neighbor.

Available Options:

• IPv4

• IPv6

IPv4/IPv6 Address

Specify an IPv4/IPv6 address of the host outside the firewall.

MAC Address

Specify a MAC address of the host.

Interface

Select the physical interface on which the binding is to be done.

Add as a Trusted MAC Address to prevent a spoofing attempt

On enabling this option, the IP-MAC pair is added to the Trusted MAC list. If disabled, the IP-MAC pair will not be included in the Trusted MAC list.

By default, this option is enabled.


Figure 352: Static Neighbor

3. Click Save.

The static neighbor is created and appears in the Static Neighbor Table on the Neighbors (ARP-NDP) page.

Dynamic DNS

This section allows you to configure Dynamic DNS settings for your device.

Dynamic DNS (Domain Name Service) is a method of keeping a static domain/host name linked to a dynamically assigned IP address allowing your server to be more easily accessible from various locations on the Internet.

Powered by Dynamic Domain Name System (DDNS), you can access your device by the domain name, not the dynamic IP address. DDNS will tie a domain name (for example, mydevice.com, or mycompany.mydevice.com) to your dynamic IP address.

The device supports the following Dynamic DNS providers:

1. DynDNS

2. ZoneEdit

3. EasyDNS

4. DynAccess

5. Sophos


The page displays a list of all the configured DDNS, along with their names, interfaces, service providers, the last updated IP, status and time as well as the reason for failure. In addition it provides the option to add, update or delete a configuration.

Add Dynamic DNS

This page describes how to either add details of a third-party DDNS provider or to configure the device itself to act as a DDNS.

Dynamic DNS cannot be configured from Sophos Firewall Manager (SFM).

1. Go to Configure > Network > Dynamic DNS and click Add.

2. Specify the DDNS parameter details.

Note: For configuring a third-party service provider, you need a registered account with any of the supported Dynamic DNS service providers:

1. DynDNS

2. ZoneEdit

3. EasyDNS

4. DynAccess

5. Sophos

Hostname

Specify a name to identify the host that you want to use on the DDNS server. It is the domain name that you registered with your DDNS service provider, for example sophos.com.

In case you are configuring DynAccess as a service provider, provide the host name in the following format: <accountname>.dynaccess.com.

In case you are configuring Sophos as a service provider, provide the host name in the following format: <host name>.myfirewall.co.

Note: You cannot add DDNS provider as <host>.ddns.cyberoam.com.

Interface

Select the external interface. The IP address of the selected interface will be bound to the specified hostname.

IPv4 Address

Select the IPv4 address source.

Available Options:

Use Port IP: Select to use the IP address of the selected port or interface.

NATed Public IP: Select to use the public IP address assigned to the selected port.

IP Edit Checking Interval

Specify the time interval after which the device should check and edit the IP address of your server, if changed.

Acceptable range: 4 - 60 minutes

Default: 20 minutes

For example, if the time interval is set to 10 minutes, after every 10 minutes, the device will check for any changes in your server IP address.


Figure 353: Host Details

3. Specify the Service Provider's Details.

Service Provider

Select the service provider with whom you have registered your hostname. In case you are configuring Sophos as a service provider, login name and password are not required.

Login Name

Specify your DDNS account’s username.

In case you are configuring DynAccess as a service provider, provide the host name in the following format: <accountname>.dynaccess.com.

Provide your login name as <accountname>.

Password

Specify your DDNS account’s password.

Figure 354: Service Provider Details

4. Click Save.

Note: You can configure multiple hosts having the same interface and service provider for Dynamic DNS.

Routing

This section provides options to configure both static and dynamic routes.

Available configurations:

Static Routing

- Allows you to configure redirection of packets to a destination other than the configured default gateway.

Policy Routing

- Allows you to configure policy routes.

Gateways

- Allows you to configure IPv4/IPv6 gateways.

BGP

- Allows you to configure and manage BGP routes.

OSPF

- Allows you to configure and manage OSPF routes.

Information

- Shows information and status of dynamic routes configured using the RIP, OSPF, BGP or PIM-SM protocols.

Upstream Proxy

- Allows you to configure parent proxy settings when the web traffic is blocked by the upstream gateway.

Multicast (PIM-SM)

- Allows you to configure and manage PIM-SM routes.

RIP

- Allows you to configure and manage RIP routes.

Static Routing

A route provides the device with the information it needs to forward a packet to a particular destination. A static route causes packets to be forwarded to a destination other than the configured default gateway.

By specifying through which interface the packet will leave and to which device the packet should be routed, static routes control the traffic exiting the device.

IP Multicast

Internet Protocol (IP) multicast is a bandwidth-conserving technology that reduces traffic by simultaneously delivering a single stream of information to thousands of recipients and homes. IP multicast delivers source traffic to multiple receivers without adding any additional burden on the source or the receivers.

Applications like videoconferencing, corporate communications, distance learning, and distribution of software, stock quotes, and news use IP multicasting.

If IP multicast is not used, the source is required to send more than one copy of a packet, that is, an individual copy to each receiver. In that case, high-bandwidth applications such as video or stock quotes, where data has to be sent frequently and simultaneously, use a large portion of the available bandwidth. In these applications, the only efficient way of sending information to more than one receiver simultaneously is to use IP multicast.

Multicast Group

Multicast is based on the concept of a group. An arbitrary group of receivers expresses an interest in receiving a particular data stream. This group does not have any physical or geographical boundaries - the hosts can be located anywhere on the Internet. Hosts that are interested in receiving data flowing to a particular group must join the group.

Hosts must be a member of the group to receive the data stream.

IP Multicast Addresses

Multicast addresses specify an arbitrary group of IP hosts that have joined the group and want to receive traffic sent to this group.

IP Class D Addresses

The Internet Assigned Numbers Authority (IANA) controls the assignment of IP multicast addresses. Multicast addresses fall in class D address space ranging from 224.0.0.0 to 239.255.255.255.

This address range is only for the group address or destination address of IP multicast traffic. The source address for multicast datagram is always the unicast source address.


Multicast forwarding

With multicast forwarding, a router forwards multicast traffic to networks where other multicast devices are listening.

Multicast forwarding prevents the forwarding of multicast traffic to networks where there are no nodes listening.

For multicast forwarding to work across inter-networks, nodes and routers must be multicast-capable.

A multicast-capable node must be able to:

• Send and receive multicast packets.

• Register the multicast addresses being listened to by the node with local routers, so that multicast packets can be forwarded to the network of the node.

IP multicasting applications that send multicast traffic must construct IP packets with the appropriate IP multicast address as the destination IP address. IP multicasting applications that receive multicast traffic must inform the TCP/IP protocol that they are listening for all traffic to a specified IP multicast address.

Manage Static Routes

The Static Routing menu allows you to configure unicast routes and multicast routes. This page describes the available elements.

IPv4 Unicast Route

The IPv4 Unicast Route section displays a list of all the configured IPv4 unicast routes. You can filter the list based on IP address, gateway, or interface. The page also provides the option to Add a route, update the route configuration and Delete the route.

IPv6 Unicast Route

The IPv6 Unicast Route section displays a list of all the configured IPv6 unicast routes. You can filter the list based on IP address, gateway, or interface. The page also provides the option to Add a route, update the route configuration and Delete the route.

Multicast Forwarding Setting

Enable Multicast Forwarding

Enable/disable multicast forwarding. Enable and click Apply to allow the router to forward packets to other networks where other multicast devices are active and listening.

Manage Multicast Route


The Manage Multicast Route section displays a list of all the configured multicast routes. You can filter the list based on source IP, multicast IP, source interface and destination interface. The page also provides the option to Add a route, update the route configuration and Delete the route.

Add Unicast Route

1. For an IPv4 unicast route, go to Configure > Routing > Static Routing and click Add under IPv4 Unicast Route. For an IPv6 unicast route, click Add under IPv6 Unicast Route.

2. Enter unicast route details.

Destination IP/Prefix

Specify the destination IPv4 or IPv6 address and select the prefix length (subnet mask) from the drop-down list.

Gateway

Specify the gateway IPv4 or IPv6 address. The gateway address specifies the next-hop router to which traffic will be routed.

Interface

Select an interface from the drop-down list.

Distance

Specify the distance for routing.

For IPv4

Default: 0

Acceptable Range: 0 to 255

For IPv6

Default: 1

Acceptable Range: 1 to 255

Figure 355: IPv4 Unicast Route

Figure 356: IPv6 Unicast Route

3. Click Save.

The unicast route has been created and appears on the Static Routing page.

Add Multicast Route

1. Go to Configure > Routing > Static Routing and click Add under Manage Multicast Route.

2. Enter multicast route details.

Source IPv4 Address

Specify the source IPv4 address.

Source Interface

Select the source interface from the drop-down list.

Multicast IPv4 Address

Specify the multicast IPv4 address (for example, an address in the range 224.0.2.0 - 239.255.255.255).

Destination Interface

Select destination interface(s) from the available options. You can select more than one destination interface.


Figure 357: Add Multicast Route

3. Click Save.

Policy Routing

Routers generally forward packets to the destination addresses based on the information available in their routing tables. With Policy Routing, you can make routing decisions based on the policies configured by the administrator.

You can selectively forward the packets based on different criteria such as source network, destination network, services and so on. If the packet matches the criteria defined in the policy routing then the packet will be forwarded to the gateway configured in the policy.

A Firewall Rule can still override the policy route decision if a primary and/or backup gateway is configured in the rule.

Benefits of Policy Routing include:

• Packets originating from different source networks and having the same destination can be routed to different networks.

• You can distribute traffic requiring high bandwidth across different Internet connections.

• You can implement policies to achieve failover/failback. For example, if you have two links, an MPLS link and a VPN link, and the MPLS link fails, you can route the traffic that matches the policy to the VPN link. When the MPLS link comes up again, the traffic can be failed back to the MPLS link.

Note: When device firmware is upgraded to SF-OS v16, source routes will be migrated as policy routes.

Manage Policy Route

This page displays a list of all the configured IPv4 and IPv6 policy routes.

You can also reorder the policy routes by drag and drop to change the processing order. Policy routes are evaluated top down in the order they appear on the Manage page until the first match is made, after which subsequent policy routes are not evaluated.

The page also displays the status Up or Down for the gateways configured in the policy route.

Add Policy Route

1. Go to Configure > Routing > Policy Routing and click Add under IPv4/IPv6 Policy Route section.

2. Specify the Policy Route details.

Name

Specify a name for policy route.

Description

Specify a description for policy route.


Figure 358: About this Policy Route

3. Specify the Traffic Selector details.

Incoming Interface

Select the incoming interface receiving the packet.

Note: Deleting the incoming interface will also delete the policy route defined for the interface.

Source Networks

Select the source network(s) of the packet to be routed. A new network host can be created directly from this page itself or from System > Hosts and Services.

Destination Networks

Select the destination network(s) of the packet to be routed. A new network host can be created directly from this page itself or from System > Hosts and Services.

Services

Select the services(s) of the packet to be routed. These services allow you to specify precisely which kind of traffic should be processed. A new service/service group can be created directly from this page itself or from System > Hosts and Services.

DSCP Marking

Select the type of DSCP Marking to match the packets marked with the given DSCP value.

For available options, refer to DSCP Values.


Figure 359: Traffic Selector

4. Specify the Routing details.

Gateway

Select the gateway to which you want to forward the packet if the packet meets the configured matching criteria.

Note:

• Deleting the gateway will also delete the policy route defined for the gateway.

• A policy route is not applied while its gateway is down. As soon as the gateway comes up again, traffic is routed through the gateway automatically.
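The first-match evaluation and traffic selectors described above can be modelled in a few lines. This is an added Python example, not code from the guide or from Sophos; the interface names, networks and gateway names are constructed, and it assumes that when the first matching route's gateway is Down no policy route applies and the packet falls back to ordinary routing.

```python
"""Policy route evaluation modelled on the Manage Policy Route description.

Added example (not Sophos code). Routes are evaluated top down and the first
route whose traffic selector matches ends evaluation. Assumption: when that
route's gateway is Down the policy route is not applied and None is returned,
meaning the packet is left to ordinary (static/default) routing.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Sequence, Tuple

Service = Tuple[str, int]  # (protocol, destination port)


@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: str
    dst: str
    proto: str
    dport: int
    dscp: int = 0


@dataclass(frozen=True)
class PolicyRoute:
    name: str
    gateway: str
    in_iface: Optional[str] = None     # None = any incoming interface
    src_nets: Sequence[str] = ()       # empty = any source network
    dst_nets: Sequence[str] = ()       # empty = any destination network
    services: Sequence[Service] = ()   # empty = any service
    dscp: Optional[int] = None         # None = do not match on DSCP marking

    def matches(self, pkt: Packet) -> bool:
        """Traffic Selector: every configured criterion must match."""
        if self.in_iface is not None and pkt.in_iface != self.in_iface:
            return False
        if self.src_nets and not _in_any(pkt.src, self.src_nets):
            return False
        if self.dst_nets and not _in_any(pkt.dst, self.dst_nets):
            return False
        if self.services and (pkt.proto, pkt.dport) not in self.services:
            return False
        if self.dscp is not None and pkt.dscp != self.dscp:
            return False
        return True


def _in_any(addr: str, nets: Sequence[str]) -> bool:
    a = ip_address(addr)
    return any(a in ip_network(n, strict=False) for n in nets)


def select_gateway(routes: Sequence[PolicyRoute], status: Dict[str, str],
                   pkt: Packet) -> Optional[str]:
    """Top-down, first-match evaluation; later routes are not considered."""
    for route in routes:
        if route.matches(pkt):
            return route.gateway if status.get(route.gateway) == "Up" else None
    return None


# Constructed sample policy: VoIP (DSCP 46) from the LAN takes the MPLS gateway,
# all other LAN traffic takes the Internet gateway.
ROUTES = [
    PolicyRoute("voip-to-mpls", "GW_MPLS", in_iface="Port1",
                src_nets=("10.1.0.0/16",), dscp=46),
    PolicyRoute("lan-default", "GW_INET", in_iface="Port1",
                src_nets=("10.1.0.0/16",)),
]


def demo(status: Dict[str, str]) -> Dict[str, Optional[str]]:
    voip = Packet("Port1", "10.1.5.20", "172.16.9.1", "UDP", 5060, dscp=46)
    web = Packet("Port1", "10.1.5.20", "203.0.113.8", "TCP", 443)
    dmz = Packet("Port2", "10.2.0.7", "203.0.113.8", "TCP", 443)  # no route for Port2
    return {
        "voip": select_gateway(ROUTES, status, voip),
        "web": select_gateway(ROUTES, status, web),
        "dmz": select_gateway(ROUTES, status, dmz),
        # Order matters: with lan-default first, VoIP never reaches voip-to-mpls.
        "voip-reordered": select_gateway(list(reversed(ROUTES)), status, voip),
    }
```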

Figure 360: Routing

5. Click Save.

Gateways

The Gateway page displays a list of configured IPv4 and IPv6 gateways. The page also displays the status Up or Down for each gateway. You can add/delete/clone gateway, change the gateway parameters/status and enable health check for the gateway.

Add a Gateway

1. Go to Configure > Routing > Gateways and click Add.

2. Enter Gateway details.

Name

Enter the name of the gateway.

Gateway IP

Enter the IP address of the gateway.

Interface

Select the Out interface for the gateway.

Default NAT Policy

Select the default NAT policy to be used for the gateway.

Select None if no NAT policy should be applied on the gateway.

Figure 361: Gateway Host

3. Enter Health Check details

Health Check

Click to enable health check for monitoring the gateway and specify the parameters based on the description shown below.

Interval (in seconds)

Specify the time interval in seconds at which the gateway health should be checked.

Acceptable Range: 5 to 65535 seconds

Default: 60 seconds

Timeout (in seconds)

Specify the time interval in seconds within which the gateway must respond.

Acceptable Range: 1 to 10 seconds

Default: 2 seconds

Retries

Specify the number of tries to probe the health of the gateway, after which the gateway will be declared unreachable.

Acceptable Range: 1 to 10

Default: 3

Mail Notification

Enable to receive an Email notification if there is a change in gateway status.

Note: You need to configure Mail Server for the device to send and receive alert Emails.

Monitoring Condition


Protocol: From the drop-down list, select the communication protocol, such as TCP or PING (ICMP). Select the protocol depending on the service to be tested for the gateway's health.

Port: For TCP communication, specify the port number for communication.

IP Address: Specify the IP address of the computer or the network device which is permanently running or most reliable.

Operator:

• AND - All the conditions must be satisfied for the gateway to be considered alive.

• OR - At least one condition must be satisfied for the gateway to be considered alive.

A protocol request is sent to the given IP address. If the IP address does not respond to the request within the timeout interval, the given number of retries are attempted. If it still does not respond, the device considers the IP address unreachable.
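The monitoring condition, timeout, retries and AND/OR operator described above combine as follows. This is an added Python example, not code from the guide or from Sophos; the probe is injected so the logic runs offline, the IP addresses are constructed, and it assumes Retries is the total number of probe attempts per condition.

```python
"""Gateway health check evaluation modelled on the Monitoring Condition settings.

Added example (not Sophos code). The probe function is injected so the
evaluation can be exercised offline; `tcp_probe` shows what a real TCP
condition would do. Assumption: `retries` is the total number of probe
attempts made for a condition before it is considered failed.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Condition:
    protocol: str               # "TCP" or "PING" (ICMP)
    ip: str
    port: Optional[int] = None  # TCP only


@dataclass
class HealthCheck:
    conditions: List[Condition]
    operator: str = "AND"   # AND: all conditions must pass; OR: at least one
    interval: int = 60      # seconds between checks (page default)
    timeout: float = 2.0    # seconds to wait for a reply (page default)
    retries: int = 3        # attempts per condition (page default)

    def __post_init__(self) -> None:
        if self.operator not in ("AND", "OR"):
            raise ValueError("operator must be AND or OR")
        if not (5 <= self.interval <= 65535 and 1 <= self.timeout <= 10
                and 1 <= self.retries <= 10):
            raise ValueError("value outside the acceptable range")


Probe = Callable[[Condition, float], bool]


def tcp_probe(cond: Condition, timeout: float) -> bool:
    """Real TCP reachability probe: connect to ip:port within the timeout."""
    try:
        with socket.create_connection((cond.ip, cond.port), timeout=timeout):
            return True
    except OSError:
        return False


def condition_alive(cond: Condition, hc: HealthCheck, probe: Probe) -> bool:
    """Probe until a reply arrives or the configured attempts are exhausted."""
    return any(probe(cond, hc.timeout) for _ in range(hc.retries))


def gateway_alive(hc: HealthCheck, probe: Probe) -> bool:
    """Combine the per-condition results with the configured operator."""
    results = [condition_alive(c, hc, probe) for c in hc.conditions]
    return all(results) if hc.operator == "AND" else any(results)


def make_simulated_probe(answers_after: Dict[str, Optional[int]]) -> Probe:
    """Constructed probe: answers_after[ip] is how many attempts fail before the
    host replies (None = never replies). Attempts are counted per IP."""
    attempts: Dict[str, int] = {}

    def probe(cond: Condition, timeout: float) -> bool:
        attempts[cond.ip] = attempts.get(cond.ip, 0) + 1
        limit = answers_after.get(cond.ip)
        return limit is not None and attempts[cond.ip] > limit

    return probe


def demo() -> Dict[str, bool]:
    """Two conditions: a host that answers at once and a host that never answers."""
    conds = [Condition("PING", "198.51.100.1"), Condition("TCP", "198.51.100.2", 443)]
    sim = {"198.51.100.1": 0, "198.51.100.2": None}
    return {
        "AND": gateway_alive(HealthCheck(conds, "AND"), make_simulated_probe(sim)),
        "OR": gateway_alive(HealthCheck(conds, "OR"), make_simulated_probe(sim)),
    }
```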


Figure 362: Health Check

BGP

This page allows you to manage BGP routes.

Border Gateway Protocol (BGP) is a path vector protocol that contains path information, enabling the routers to share routing information between autonomous systems (AS) so that loop-free routes can be created. This protocol is generally used by ISPs.

An AS is a connected group of networks or routers under the control of a single administrative entity that share common routing policies. A unique AS number is assigned to each AS to identify it. The AS number enables information exchange between neighboring autonomous systems. Use private AS numbers if you do not require a unique AS number. BGP private AS numbers range from 64512 to 65535.

BGP selects a single path from the multiple advertisements received from multiple sources for the same route. When the path is selected, BGP puts it in the IP routing table and passes the path to its neighbor.

Global Configuration

Router ID

Specify router ID for BGP.

Example: 12.34.5.66.

Local AS

Specify Local Autonomous System (AS) number.

Acceptable Range: 1 to 4294967295

Figure 363: Global Configuration

Neighbors

Neighbors are the routers between which a TCP connection is established. In this section, you can add, update, or delete neighbors.

Networks

This section lists all available BGP networks together with their corresponding netmasks. You can add, update, or delete networks.

Add BGP Network

This page allows you to specify IPv4 address network and subnet mask.

1. Go to Configure > Routing > BGP and click Add in the section Networks.

2. Enter the IPv4 address of the network and select a subnet mask from the dropdown list.

Figure 364: Add BGP Network

3. Click Save.

Add Neighbor

This page allows you to add a BGP neighbor and specify an IPv4 address of the neighbor router and AS number.

1. Go to Configure > Routing > BGP and click Add in the section Neighbors.

2. Specify the IPv4 address of the neighbor router.

3. Specify the remote autonomous system (AS) number of the neighbor.

Acceptable Range: 1 to 4294967295


Figure 365: Add BGP Neighbor

4. Click Save.

OSPF

This page allows you to manage OSPF routes. You can also add, update, or delete the area-, network- and interface-specific configuration from this page.

Open Shortest Path First (OSPF) is an interior gateway protocol that multicasts the routing information to all the hosts within a single network. It sends routing information to all the routers in the network by calculating the shortest path to each router on the basis of the structure built up by each router.


OSPF allows sets of networks to be grouped together into what are known as areas. An area is a logical division of a network. Each area maintains a separate database whose information may be summarized by the connecting router.

Hence, the topology of an area is not known to the outside world. There are three types of areas:

Backbone Area

The backbone area, also known as area 0, distributes information between non-backbone areas. All other areas in the network are connected to it, and routing between areas takes place using routers that are connected to the backbone area as well as to their respective areas.

Stub Area

A stub area is an area that does not receive route advertisements external to the Autonomous System (AS), which is a collection of networks under a common network operator that share the same routing policy.

NSSA

A Not-So-Stubby Area (NSSA) is a type of stub area that can import a limited number of AS external routes.

Area Border Router

An Area Border Router (ABR) is a router that connects areas to the backbone network and maintains separate routing information for each area that it is connected to. It has interfaces in more than one area with at least one interface in the backbone area.

Global Configuration

Router ID

Specify a unique router ID.

Example: 12.34.5.66.

Figure 366: Global Configuration

Advanced Settings

Default Metric

Specify the default metric value to be used for redistributed routes.

Metric is a property that contains a value used by a routing protocol to decide whether a particular route should be taken or not.

Default: 1

Acceptable Range: 1 to 16777214

ABR Type

Select the type of Area Border Router (ABR).

Available Options:

• Standard

• CISCO

• IBM

• Shortcut

Auto cost reference bandwidth (Mbits/s)

Specify the cost reference to calculate the OSPF interface cost based on bandwidth.

Default: 100 Mbits/s

Acceptable Range: 1 to 4294967

Default Information Originate

Select an option to control the distribution of the default route.

Available Options:

• Never

• Regular – On selecting Regular provide the metric and select the metric type.

• Always – On selecting Always provide the metric and select the metric type.

The default setting is Never.

Redistribute Connected

Click to enable the redistribution of connected routes into the OSPF routing table.

Specify the metric and the metric type for redistributing connected routes.

Acceptable Range: 0 to 16777214

Metric Type: External Type 1 or External Type 2.

Redistribute Static

Click to enable the redistribution of static routes into the OSPF routing table.

Specify the metric and the metric type for redistributing static routes.

Acceptable Range: 0 to 16777214

Metric Type: External Type 1 or External Type 2.

Redistribute RIP

Click to enable the redistribution of RIP routes into the OSPF routing table.

Specify the metric and the metric type for redistributing RIP routes.

Acceptable Range: 0 to 16777214

Metric Type: External Type 1 or External Type 2.

Redistribute BGP

Click to enable the redistribution of BGP routes into the OSPF routing table.

Specify the metric and the metric type for redistributing BGP routes.

Acceptable Range: 0 to 16777214

Metric Type: External Type 1 or External Type 2.


Figure 367: Advanced Settings

Click Apply.

Networks and Areas

Networks

This section lists all available OSPF networks together with the corresponding netmasks and the area they belong to.

Areas

This section lists all available OSPF areas, specifies their types and authentication type, the area cost and, if available, virtual links.

Override Interface Configuration

You can manage the interface configuration from this section.

Add OSPF Areas

1. Go to Configure > Routing > OSPF and click Add in the Areas section.

2. Enter OSPF area details.

Area

Specify an IP address for the area.

Type

Select the type of OSPF area from the options available.

Available Options:

• Normal

• Stub

• Stub No-Summary

• NSSA

• NSSA No-Summary

Virtual Links (Available only if Normal area type is selected)

Specify a virtual link for an area that does not have a physical connection to connect to the backbone area.

Use Add icon and Remove icon to add and remove virtual links.

Authentication

Select the type of authentication from the options available.

Available Options:

• Text

• MD5

Area Cost (Not Available for Normal area type)

Specify the area cost.

Acceptable Range: 0 to 16777215

Figure 368: Add OSPF Area

3. Click Save.

Add OSPF Network

1. Go to Configure > Routing > OSPF and click Add in the Networks section.

2. Enter the IPv4 address of the network and select a subnet mask from the dropdown list.

3. Enter an OSPF area.

Figure 369: Add OSPF Network

4. Click Save.

Override Interface Configuration

You can override default interface configurations of OSPF from this page.

1. Go to Configure > Routing > OSPF and click Select Interface in the Override Interface Configuration section.

2. Enter interface configuration details.

Interface

Select the interface to be configured for OSPF.

Hello Interval

Specify the time interval after which the interface sends hello packet to the neighbor router.

Default: 10 seconds

Acceptable Range: 1 to 65353 seconds

Dead Interval

Specify the time interval after which the interface is declared as dead.

Default: 40 seconds

Acceptable Range: 1 to 65353 seconds


Retransmit Interval

Specify the time interval for retransmitting the link state advertisements (LSA) to the interface’s neighbor.

Default: 5 seconds

Acceptable Range: 3 to 65353 seconds

Transmit Delay

Specify the time in seconds needed to transmit a link state update packet to the interface.

Default: 1 second

Acceptable Range: 1 to 65353 seconds

Interface Cost

Specify the interface cost.

You can either provide the interface cost automatically by selecting Auto or specify it manually.

Acceptable Range: 1 to 65353 seconds

Authentication

Select the type of authentication for authenticating the OSPF packets.

Available Options:

• Text - If Text is selected, provide a password for authentication.

• MD5 - If MD5 is selected, provide a key ID and a key. The key ID can be from 0 to 255.

Router Priority

Specify priority for a router.

Default: 1

Acceptable Range: 0 to 255


Figure 370: Override Interface Configuration

3. Click Save.

Information


Administrators can view information and status of any dynamic routes configured using the RIP, OSPF, BGP and PIM-SM protocols. This overview of the dynamic route information is useful for further configuration and/or debugging.

RIP

Routes

Displays the entire routing configuration information and the routing table for an interface configured using the RIP protocol.

Codes and Sub-codes

Shows how the destination routing information is obtained.

Codes: R – RIP, C – connected, S – Static, O – OSPF, B – BGP, K – Kernel route.

Sub-codes: (n) – normal, (s) – static, (d) – default, (r) – redistribute, (i) – interface.

Network

Specifies the IP address and subnet mask of the destination.

Next Hop

Specifies an IP address of the next hop routing device.

Metric

Specifies the number of routing devices (hop count) a packet must pass through to reach the final destination.

From

Indicates the router (router IP address) from which the metric is calculated to reach the destination. If it is directly connected it will show self.

Tag

Indicates the method used for distinguishing between internal routes (learned by RIP) and external routes learned from Exterior Gateway Protocol (EGP) protocols.

0 indicates no tag is attached to the route.

Time

Indicates the elapsed time after which the routing entry will be flushed from the RIP table.

Status

Displays the RIP routing protocol process parameters and statistics.

Routing Protocol is "rip"

Indicates the routing protocol used.

Sending updates

Indicates the time between sending updates.

Next due

Specifies when the next update is due to be sent.

Timeout after

Indicates the timeout interval for a RIP route, after which it is declared invalid and removed from the routing table until the garbage-collect time expires.

Garbage collect

Indicates the time period during which the route metric is set to 16. If no updates are received for the route before the expiry of the garbage-collect timer, a route with metric 16 is deleted from the routing table.

Outgoing update

Indicates whether the outgoing filtering list has been set.

Incoming update

Indicates whether the incoming filtering list has been set.

Default redistribution metric

Metric of routes that are redistributed from other routes.

Redistributing

Indicates the information about redistribution of other protocols.

Default version control

Indicates the version of RIP packets that are sent and received.

Interface

Shows a RIP-enabled routing interface.

Send

Displays the version of RIP packets sent out to the routing interface. The version is one of the following: RIP1, RIP2.

Recv

Displays the version of RIP packets accepted on the routing interface. The version is one of the following: RIP1, RIP2, Both.

Key-chain

Displays the authentication key-chain name for the interface, if it is configured.

Routing for Network

Indicates the networks for which the routing process is currently injecting routes.

Routing Information Sources

Indicates the routing sources used to build the routing table. For each source, the following information is displayed.

Gateway

Indicates an IP address of the next hop routing device.

Bad Packets

Indicates the number of bad packets received by the router.

Bad Routes

Indicates the number of invalid routes from the router.

Distance

Indicates the administrative distance. The distance displayed by default is 120.

Last Update

Indicates the time when the administrative distance was last updated.


OSPF

Border Routers

Displays the information about the internal OSPF routing table entries to an Area Border Router (ABR) and Autonomous System Boundary Router (ASBR).

R

Indicates that the information for the route is provided to a particular border router.

Network IP Address

Indicates the router ID of the destination.

Metric

Specifies the cost to reach the final destination.

Area

Indicates the area identifier of the outgoing interface.

Next Hop

Specifies the management IP address of the next hop routing device.

Outgoing Interface

Indicates the name and IP address of the outgoing interface to reach the destination.

Routes

Displays the information about the internal OSPF routing table entries.

N

Indicates that the entry describes a route to a network.

Network IP Address

Indicates the IP address and prefix length of the destination network.

Metric

Specifies the cost to reach the final destination.

Area

Indicates the area identifier of the outgoing interface.

Next Hop

Specifies the IP address of the next hop routing device.

Directly attached

Indicates that the network is directly connected to the interface.

Outgoing Interface

Indicates the name and IP address of the outgoing interface to reach the destination.

Database

Database shows the OSPF link-state database summary for a specific router.

Each link-state database includes link-state advertisements (LSAs) from all areas to which the router is attached.

Link ID

Indicates the link-state ID of the advertisement from which the router learns the route. When a link-state advertisement describes a router, the link-state ID is that router's OSPF router ID.

A link-state advertisement describing a network can use one of two formats of link-state ID: the network's IP address or an address derived from the link-state ID.

ADV Router

Indicates the router ID of the advertising router.

Age

Indicates the time, in seconds, since the LSA was generated.

Seq#

Link-state sequence number (used to detect old or duplicate link-state advertisements).

CkSum

Checksum of the complete content of the link-state advertisement.

Link count

Number of interfaces detected for the router.

Net Link States

Gives information about network LSAs originated by the DR (designated router).

Router Link States

Gives information about router LSAs originated by every router.

Summary Net Link States

Indicates the information about summary LSAs originated by ABRs.

Neighbors (ARP - NDP)

Provides neighbor information based on the peer-interface relation.

Neighbor ID

Indicates the neighbor router's ID.

Pri

Indicates the router priority assigned to that neighbor.

State

Displays the state of the conversation between the router and the neighbor since the neighbor was created. It can have one of the following values:

Down

Indicates the initial state of a neighbor conversation, that is, there has been no recent information received from the neighbor.

Attempt

Valid only for neighbors attached to non-broadcast networks. Indicates that no recent information has been received from the neighbor, but the router is still attempting to contact it.

Init

Indicates that a hello packet has been received recently from the neighbor, although the adjacency is not yet two-way, that is, bi-directional communication has not yet been established with the neighbor.

2-Way

Indicates that bi-directional communication is established between the routers: the neighbor has included this router's ID in its Hello message. The DR and BDR are elected from the set of neighbors in 2-Way state or higher.

ExStart

Indicates that the two routers are about to synchronize and are determining which router will be master and which slave.

Exchange

Indicates that the two routers are describing their respective link-state databases by sending database description packets.

Loading

Indicates that link-state request packets are being sent to the neighbor, requesting the advertisements that were discovered in Exchange state but not yet received.

Full

Indicates that both routers have completed the exchange of all relevant advertisements and can now appear in router-link and network-link advertisements.

Backup

Indicates that the neighbor is a backup designated router.

Dead time

The waiting time in seconds to receive a hello message from the OSPF neighbor before assuming the neighbor is dead.


Interface

Displays OSPF interface information.

The following columns belong to the Neighbors table above:

Address

Specifies the IP address of the router's interface with the neighbor.

Interface

Indicates the IP address of the neighbor interface.

RXmtL

Indicates the link-state retransmit count.

RqstL

Indicates the link-state request count.

DBsmL

Indicates the link-state summary count.

Interface Value

Indicates the status of the physical interface, that is, whether the interface is up or down.

IfIndex

Indicates the value of the interface index (IfIndex). It is a unique identification number associated with an interface.

MTU

Indicates the Maximum Transmission Unit (MTU) value of the interface.

MTU is the largest physical packet size, in bytes, that a network can transmit. This parameter becomes an issue when networks with different MTU sizes are interconnected. Any packets larger than the MTU value are divided (fragmented) into smaller packets before being sent.

BW

Indicates the bandwidth of the interface.

Internet Address

Displays the IP address of the interface.

Network Type/IP Address

Indicates the type of the network along with the IP address.

Area

Indicates the IP address of the area identifier.

MTU mismatch detection

Indicates whether MTU mismatch detection is enabled or disabled. If it is enabled, the MTU values of both interfaces participating in neighborship establishment are compared and must match.

Router ID

Indicates the identification number of the OSPF router selected at the start of the OSPF process. The router ID is unique within the OSPF domain and does not change unless OSPF restarts or it is manually modified.

Network Type

Indicates the type of network to which the OSPF interface is connected. A network can be one of the following types:

Point-to-point

A point-to-point network can connect only two routers.

Point-to-Multipoint (non-broadcast)

A point-to-multipoint network connects one router to several other routers.

Broadcast

Indicates a network that supports broadcast. In a broadcast network a single packet sent (broadcast) by a router is received by all the routers within the network.

Non Broadcast Multiple Access (NBMA)

Indicates that the network does not have the capability to broadcast or multicast. It is used to accurately model X.25 and frame-relay environments in a multiple-access network.

Cost

Displays the OSPF metric. It is calculated using the formula cost = 10^8 / bandwidth (in bits per second), where

• 10^8 is the reference bandwidth

• bandwidth is the bandwidth of the interface in bps

Transmit delay

Indicates the time in seconds which the OSPF router waits before flooding a link-state advertisement (LSA) over the link. The link-state age is incremented by this value before an LSA is transmitted.

The default value of transmit delay is 1 second.

State

Indicates the current state of the specified interface. The state can be one of the following:

DR

The router is the designated router (DR) on the network.

BDR

The router is the backup designated router (BDR) on the network.

DROTHER

The router is neither the DR nor the BDR on the network, and it establishes adjacencies only with the DR and the BDR.

Waiting

The interface is waiting to determine the identity of the DR and BDR for the network before announcing its own state.

Note: This state is normal in case of a non-broadcast multi-access network.

Point-to-Point

The interface in point-to-point state is fully functional and starts exchanging hello packets with all its neighbors.

Point-to-Multipoint

Indicates the interface is point-to-multipoint for OSPF.

Priority

Indicates the priority of the interface router. It assists in electing the DR and BDR on the network to which the interface is connected.

Default: 1

Note: A router with priority value 0 can never be a DR/BDR.

Designated Router ID

Indicates the DR router ID for the respective network.

Backup Designated Router ID

Indicates the BDR router ID for the respective network.

Saved Network-LSA sequence number

Indicates the network's link-state sequence number. It is used to calculate the shortest path first (SPF).

Multicast group membership

Indicates the multicast groups of which the router is a member.

Timer intervals configured

Displays the values of the following OSPF timers:

Hello

Time interval in seconds at which the router sends a hello packet.

Dead

Indicates the waiting time in seconds before declaring a neighbor dead.

Wait

Displays the time interval after which the interface terminates the waiting period and elects the DR on the network.

Retransmit

Displays the waiting time before retransmitting a database description (DBD) packet if it has not been acknowledged.

Hello Due In

Specifies when the next hello packet is due to be sent.

Neighbor Count

Indicates the total number of discovered neighbors on the interface.

Adjacent neighbor count

Indicates the total number of neighbors that are fully adjacent to the interface.

BGP

Neighbors (ARP - NDP)

Displays information about the BGP peer connections and the number of routes advertised to and received from each peer.

BGP Neighbor

Indicates the IP address of the BGP neighbor.

Remote AS

Indicates the AS number of the neighbor router.

Local AS

Indicates the configured local autonomous system (AS) number.

Internal/External Link

Displays "internal link" for internal BGP (iBGP) neighbors and "external link" for external BGP (eBGP) neighbors.

BGP Version

Indicates the BGP version used for communication with the remote router.

Remote Router ID

Indicates the router ID of the neighbor router.

BGP State

Indicates the finite state machine (FSM) stage. It describes what action should be taken by the BGP routing engine, and when, for session negotiation.

Last Read

Displays the time since the BGP router last received a message from the neighbor. The time is displayed in HH:MM:SS format.

Hold Time

Displays the time in seconds for which BGP will maintain the session with the neighbor without receiving any message from it.

Keepalive Interval

Displays the time interval in seconds specifying how often the BGP router sends a keepalive message to the neighbor.

Message Statistics

Displays the statistics organized by message type.

InQ

Indicates the number of messages in the queue, pending to be processed from the neighbor.

OutQ

Indicates the number of messages in the queue, pending to be sent to the neighbor.

Sent

Indicates the number of messages sent to the neighbor.

Received

Indicates the number of messages received from the neighbor.

Opens

Indicates the total number of OPEN messages sent and received.

Notifications

Indicates the total number of error NOTIFICATION messages sent and received.

Updates

Indicates the total number of UPDATE messages sent and received.

Keepalives

Indicates the total number of KEEPALIVE messages sent and received.

Route Refresh

Indicates the total number of ROUTE-REFRESH messages sent and received.

Capability

Indicates the total number of BGP capabilities advertised to and received from the neighbor.

Total

Indicates the total number of messages sent and received.


Minimum Time between advertisement runs

Displays the minimum time in seconds between successive advertisement runs to this neighbor.

For Address Family

Indicates the IP address family.

Community attribute sent to this neighbor

Indicates the numerical value of the BGP community. This value is assigned to a specific prefix and advertised to the neighbor, which uses it to decide whether to filter the prefix or modify its attributes.

Accepted Prefix

Indicates the number of prefixes accepted from this neighbor in the BGP peer session.

Connections established

Indicates the number of times a TCP and a BGP connection has been established successfully.

Dropped

Indicates the number of times a valid session failed or has been taken down.

Last reset

Displays the time since when the previously established session with the neighbor ended.

Local host and Local port

Displays the IP address and port number of the local BGP router.

Foreign host and Foreign port

Displays the IP address of neighbor and BGP destination port number.

Next hop

Indicates the IP address of the next hop routing device.

Next connect timer due in

Specifies when the next connection attempt to the BGP neighbor is due (the connect retry timer).

Read Thread

Write Thread

Indicates whether the read thread is on or off.

Indicates whether the write thread is on or off.

Routes

Displays the routing table learned through BGP, with the attributes of each route.

BGP Table Version

Indicates the table version number. The version number is incremented with any change in the BGP table.

Local Router ID

Indicates the router ID of the local router.

Status codes and Origin codes

Show how the destination routing information was obtained.

Status codes: A status code indicates the status of the table entry and is displayed at the beginning of each line in the table. The status code can be one of the following: s – suppressed, d – damped, h – history, * – valid, > – best, i – internal, r – Routing Information Base (RIB) failure, S – stale, R – removed.

Origin codes: An origin code indicates the origin of the entry and is displayed at the end of each line in the table. The origin code can be one of the following: i – Interior Gateway Protocol (IGP), e – Exterior Gateway Protocol (EGP), ? – incomplete (origin not known).

Network

Indicates the IP address and subnet mask of the destination.

Next Hop

Indicates the IP address of the next hop routing device. 0.0.0.0 indicates that the router has non-BGP routes to the network (the route is locally originated).

Metric

Indicates the value of the inter-autonomous-system metric (the multi-exit discriminator, MED).

LocPrf

Indicates the local preference value.

Local preference is one of the methods to influence the path taken by one autonomous system (AS) to reach another AS. The local preference value tells the AS which path is preferred, the one with the highest preference being chosen.

Weight

Indicates the route weight as set via autonomous system filters. If more than one path exists to a particular destination, the path with the highest weight is selected.

Path

Indicates the autonomous system path to the destination network.

Total number of prefixes

Indicates the total number of prefixes/networks.
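The Weight, LocPrf, Path, origin-code and Metric (MED) rules described above are the first steps of BGP best-path selection, the procedure that decides which entry receives the ">" status code. The following script is an added example and not code from the Sophos guide: it ranks constructed sample paths for one prefix in the order weight, local preference, AS-path length, origin code, MED, then eBGP over iBGP (the later IGP-metric and router-ID tie-breakers are omitted) and prints them in the layout of the Routes table. The prefix, next hops and AS numbers are made up, and the MED comparison is simplified: it compares MED across all paths, whereas real BGP compares MED only between paths received from the same neighboring AS.

```python
"""Added example (not code from the Sophos guide): ranking BGP paths for one
prefix with the attributes shown in the Routes table. Sample paths below are
constructed; the MED comparison is simplified (see comment in path_key)."""
from dataclasses import dataclass

# Origin code as shown at the end of each Routes line: i (IGP) < e (EGP) < ? (incomplete)
ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}


@dataclass(frozen=True)
class BgpPath:
    next_hop: str
    weight: int        # local to this router; highest wins (Weight column)
    local_pref: int    # AS-wide; highest wins (LocPrf column)
    as_path: tuple     # e.g. (65002, 65003); shorter wins (Path column)
    origin: str        # "i", "e" or "?" (origin code)
    med: int           # inter-AS metric; lowest wins (Metric column)
    is_ebgp: bool      # eBGP-learned paths beat iBGP-learned ones


def path_key(p: BgpPath) -> tuple:
    """Sort key: the smallest tuple is the best path.

    Assumption: MED is compared across all paths. Real BGP compares MED only
    between paths received from the same neighboring AS."""
    return (
        -p.weight,
        -p.local_pref,
        len(p.as_path),
        ORIGIN_RANK[p.origin],
        p.med,
        0 if p.is_ebgp else 1,
    )


def select_best(paths):
    """Return the best path among `paths` (the one that gets the '>' status code)."""
    return min(paths, key=path_key)


def format_routes(prefix, paths):
    """Render lines like the Routes table: '*' = valid, '>' = best."""
    best = select_best(paths)
    lines = []
    for p in paths:
        flag = "*>" if p is best else "* "
        as_path = " ".join(str(asn) for asn in p.as_path)
        lines.append(f"{flag} {prefix:<18} {p.next_hop:<12} {p.med:>6} "
                     f"{p.local_pref:>6} {p.weight:>6} {as_path} {p.origin}")
    return lines


# Constructed sample paths for 203.0.113.0/24 (not taken from a real router).
SAMPLE_PREFIX = "203.0.113.0/24"
SAMPLE_PATHS = [
    BgpPath("192.0.2.1", 0, 100, (65001,), "i", 50, True),
    BgpPath("192.0.2.2", 0, 200, (65002, 65003), "?", 0, False),
    BgpPath("192.0.2.3", 0, 200, (65002, 65003), "i", 0, False),
]

if __name__ == "__main__":
    for line in format_routes(SAMPLE_PREFIX, SAMPLE_PATHS):
        print(line)
```

For the sample set, the shorter AS path of 192.0.2.1 loses to the higher local preference of the other two paths, and 192.0.2.3 beats 192.0.2.2 because an IGP origin ranks above an incomplete one. A non-zero Weight on any path overrides all of that, which is why Weight only has meaning on the router where it is set.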

Summary

Displays the status of all BGP connections, including path, prefix and attribute information about all connections to BGP neighbors.

BGP Router Identifier

Indicates the router ID of the BGP router.

Local AS Number

Indicates the local autonomous system number to which this router belongs.

RIB entries

Indicates the number of routing information entries in the RIB.

Memory

Indicates the memory used by the RIB entries.

Peer

Indicates the number of neighbors with which a connection is established.

Memory

Indicates the memory used by the neighbor entries.

Neighbor

Indicates the IP address of the neighbor.

V

Indicates the BGP version number provided to the neighbor.

LocPrf

Indicates the local preference value.

Local preference is one of the methods to influence the path taken by one autonomous system (AS) to reach another AS. The local preference value tells the AS which path is preferred, the one with the highest preference being chosen.

AS

Indicates the autonomous system number of the neighbor.

MsgRcvd

Indicates the number of messages received from the neighbor.

MsgSent

Indicates the number of messages sent to the neighbor.

TblVer

Indicates the last version of the BGP database that was sent to the neighbor.

InQ

Indicates the number of messages in the queue, pending to be processed from the neighbor.

OutQ

Indicates the number of messages in the queue, pending to be sent to the neighbor.

Up/Down

Indicates the total time the BGP session has remained in the Established state, or the current status of the BGP session if it is not in the Established state.

State/PfxRcd

Indicates the state of the neighbor and the number of prefixes received.

Total number of neighbors

Indicates the total number of neighbors.

PIM-SM

Interface Table

Displays all the PIM enabled interfaces and the neighbor information of each interface.

Multicast Routing Table

Displays information about the multicast groups joined: the source address, the multicast group address, the incoming interface on which packets are accepted, the list of outgoing interfaces to which packets are sent, PIM timers, flag bits, and so on.

RP SET

Displays RP set information which is a collection of group-to-RP mappings. This information is used to determine the RP for a multicast group and is maintained by a PIM router.

Upstream Proxy

If your enterprise contains numerous internal branches, an upstream proxy can bundle the requests from the internal network before passing the traffic on to the external network/Internet.

This page allows you to configure an upstream proxy for IPv4/IPv6.

IPv4 Parent Proxy

Parent Proxy

Click to enable the parent proxy, if the web traffic is intercepted by an upstream gateway.

If enabled, the device forwards all the HTTP requests to the parent proxy server.

Domain Name/IPv4 Address

Specify a domain name or IPv4 address for the parent proxy.

Port

Specify the port number, which is to be used for the parent proxy.

Default: 3128

Username

Specify a username for authentication.

Password

Specify a password for authentication.

Figure 371: IPv4 Parent Proxy

Click Apply.

IPv6 Parent Proxy

Parent Proxy

Click to enable the parent proxy, if the web traffic is intercepted by an upstream gateway.

If enabled, the device forwards all the HTTP requests to the parent proxy.

Domain Name/IPv6 Address

Specify a domain name or IPv6 address for the parent proxy.

Port

Specify the port number to be used for the parent proxy.

Default: 3128

Username

Specify a username for authentication.

Password

Specify a password for authentication.


Figure 372: IPv6 Parent Proxy

Click Apply.

Multicast (PIM-SM)

This page allows you to configure PIM.

Protocol Independent Multicast (PIM) is a protocol for routing IP packets efficiently to multicast groups that may span throughout the Internet. PIM provides dynamic multicast support on the device. With dynamic multicast support, a host can join/leave a multicast group dynamically and there is no need to manually add/delete multicast routing entries on the device.

Note: The device supports PIM version 2 in PIM-SM mode, with BSR (Bootstrap Router) as the Rendezvous Point (RP) selection method.

PIM-SM Configuration

Enable PIM

Enable PIM to provide dynamic multicast support on the device.

PIM Enabled Interface

Select the physical interfaces on which PIM service needs to be enabled.

To enable PIM, at least one interface has to be selected.

Note:

• Only IPv4 bound interfaces can be selected.

• Alias, PPPoE and Cellular WAN interfaces are not supported.

Figure 373: PIM-SM Configuration

RP Settings

Enable to configure Static RP or Candidate RP.

Static RP

RP IP

Specify a unicast IP address for the static RP. RPs can be added or deleted.

A maximum of eight RP IP addresses is allowed.

Multicast Group

Specify the multicast group IP addresses or network addresses, separated by commas, that will be served by the given RP.

A maximum of eight multicast group addresses per RP is allowed.

Use * in the Multicast Group list to serve all multicast groups by the defined RP.


Figure 374: Static RP Settings

Candidate RP

Candidate RP IP

Select the interface IP that will be used as the RP IP, if the router is selected as candidate RP.

Multicast Group List

Specify the multicast group IP addresses or network addresses, separated by commas, that will be served by the given RP.

A maximum of eight multicast group IP/network addresses is allowed.

Use * in the Multicast Group List to serve all multicast groups by the selected RP.

Candidate RP Priority

Specify the priority of the PIM router in the RP election process.

Default: 1

Acceptable Range: 1 to 255

Timer

Specify the interval in seconds at which candidate RP advertisement messages are sent.

Default: 60 seconds

Acceptable Range: 30 to 180 seconds


Figure 375: Candidate RP Settings
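The RP SET view described earlier, the Static RP and Candidate RP group lists, and the Candidate RP Priority field are all inputs to one calculation: given a multicast group, which RP serves it. The following script is an added example, not code from the Sophos guide or its PIM implementation. It expands a Multicast Group list in the form the page describes (comma-separated entries, * for all groups), then applies the RFC 4601 group-to-RP mapping: longest group-range match, then candidate RP priority, then the PIM hash function, then the highest RP address. The RP set, addresses and group ranges are constructed; one assumption to note is that a numerically lower priority value wins (the RFC 4601 rule), since the guide does not state the direction.

```python
"""Added example (not code from the Sophos guide): choosing the RP for a
multicast group from an RP set using the group-to-RP mapping rules of
RFC 4601 (longest group-range match, then candidate RP priority, then the
PIM hash). The RP set below is constructed sample data."""
import ipaddress

ALL_GROUPS = "224.0.0.0/4"   # what "*" in the Multicast Group list stands for


def expand_group_list(text):
    """Turn the comma-separated Multicast Group list into CIDR strings.

    '*' means every multicast group; a bare address becomes a /32."""
    ranges = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        ranges.append(ALL_GROUPS if item == "*" else str(ipaddress.IPv4Network(item)))
    return ranges


def pim_hash(group, hash_mask_len, rp):
    """RFC 4601 section 4.7.2 hash:
    (1103515245 * ((1103515245 * (G & M) + 12345) XOR C) + 12345) mod 2^31,
    evaluated with unbounded integers exactly as the formula is written."""
    g = int(ipaddress.IPv4Address(group))
    c = int(ipaddress.IPv4Address(rp))
    m = (0xFFFFFFFF << (32 - hash_mask_len)) & 0xFFFFFFFF   # hash mask of length hash_mask_len
    inner = (1103515245 * (g & m) + 12345) ^ c
    return (1103515245 * inner + 12345) % (1 << 31)


def select_rp(group, rp_set, hash_mask_len=0):
    """rp_set: list of (rp_address, group_range, priority) entries.

    Returns the RP address serving `group`, or None if no range covers it.
    Assumption (RFC 4601 semantics): a numerically lower priority value wins;
    the guide does not state the direction. hash_mask_len=0 is the common
    BSR default, under which every group hashes to the same RP."""
    g = ipaddress.IPv4Address(group)
    matches = [(rp, ipaddress.IPv4Network(rng), prio)
               for rp, rng, prio in rp_set if g in ipaddress.IPv4Network(rng)]
    if not matches:
        return None
    longest = max(net.prefixlen for _, net, _ in matches)
    matches = [m for m in matches if m[1].prefixlen == longest]
    best_prio = min(prio for _, _, prio in matches)
    matches = [m for m in matches if m[2] == best_prio]
    # Remaining tie: highest hash value wins, then the highest RP address.
    winner = max(matches, key=lambda m: (pim_hash(group, hash_mask_len, m[0]),
                                         int(ipaddress.IPv4Address(m[0]))))
    return winner[0]


# Constructed RP set: (RP address, group range, priority)
SAMPLE_RP_SET = [
    ("10.0.0.1", ALL_GROUPS, 1),
    ("10.0.0.2", "239.1.0.0/16", 1),
    ("10.0.0.3", "239.1.0.0/16", 5),
    ("10.0.0.4", ALL_GROUPS, 1),
]

if __name__ == "__main__":
    for grp in ("239.1.1.1", "239.2.0.1"):
        print(grp, "->", select_rp(grp, SAMPLE_RP_SET))
```

In the sample set, 239.1.1.1 goes to 10.0.0.2 because the /16 range is a longer match than the catch-all and its priority beats 10.0.0.3; 239.2.0.1 only matches the two catch-all RPs at equal priority, so the hash decides. Because the hash depends on the RP address and on the group bits under the hash mask, two routers that disagree on the RP set (for example a static RP on one and a BSR-learned set on another) will pick different RPs and multicast forwarding silently breaks, which is what the RP SET view lets you check.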

RIP

This page allows you to manage RIP routes. You can also add, update, or delete the networks/interface-specific configuration from this page.

Routing Information Protocol (RIP) is a widely used distance-vector routing protocol that uses hop count to determine the best route to a destination.

RIP prevents routing loops from continuing indefinitely by limiting the number of hops permitted between source and destination. The maximum number of hops supported is 15; a hop count of 16 is treated as infinite distance and the destination is considered unreachable.

With RIP, the device sends routing update messages at regular intervals to its neighboring routers.

When a neighboring router receives an update, it enters the changes into its routing table and increases the metric of each path by 1; the sender of the message becomes the next hop. The device keeps only the route with the lowest metric to each destination.

Global Configuration

Default Metric

Specify the default metric value to be used for redistributed routes.

Metric is a property that contains a value used by a routing protocol to decide which route will be taken.

Default: 1

Acceptable Range: 1 to 16

Administrative Distance

Specify the administrative distance. It is a number the device uses to choose between routes to the same destination learned from different routing sources; the route with the lower distance is preferred.

Default: 120

Acceptable Range: 1 to 255

RIP Version

Select the RIP version to be used for sending and receiving updates.

Available Options:

• Send V2 & Receive both

• V1

• V2

Timers

Update

Specify the time interval in seconds between two periodic routing updates.

Default: 30 seconds

Acceptable Range: 5 to 2147483647 seconds

Timeout

Specify the time in seconds after which the route becomes invalid.

Default: 180 seconds

Acceptable Range: 5 to 2147483647 seconds

Garbage

Specify the garbage time. It is the amount of time for which the device continues to advertise a route as unreachable (metric 16) before deleting it from the routing table.

Default: 120 seconds

Acceptable Range: 5 to 2147483647 seconds

Default Information Originate

Enable to control the distribution of the default route. It will generate and advertise a default route into the RIP-enabled networks.

The default setting is disabled.

Redistribute Connected

Click to enable the redistribution of connected routes into the RIP routing table.

Specify metric for redistributed connected routes.

Acceptable Range: 0 to 16

Redistribute Static

Click to enable the redistribution of static routes into the RIP routing table

Specify metric for redistributed static routes.

Acceptable Range: 0 to 16

Redistribute OSPF

Click to enable the redistribution of OSPF routes into the RIP routing table.

Specify metric for redistributed OSPF routes.

Acceptable Range: 0 to 16

Redistribute BGP

Click to enable the redistribution of BGP routes into RIP routing table.

Specify metric for redistributed BGP routes.

Acceptable Range: 0 to 16


Figure 376: Global Configuration

Click Apply.

RIP Networks

This section shows a list of available RIP networks including the corresponding netmasks.

Override Interface Configuration

You can manage interface configuration from this section.

Add RIP Network

1. Go to Configure > Routing > RIP and click Add in the RIP Networks section.

2. Enter the IPv4 address of the network and select a subnet mask from the dropdown list.

Figure 377: Add RIP Network

3. Click Save.

Override Interface Configuration

You can override default interface configurations of RIP from this page.

1. Go to Configure > Routing > RIP and click Select Interface under the Override Interface Configuration section.

2. Enter interface configuration details.

Interface

Select the interface for which you want to override the default configuration.

RIP Version

Send

Select the RIP version(s) to be used for sending the routing updates.


You can select V1 or V2 or both, V1 and V2. The selection overrides the version selected in the Global Configuration settings.

The default setting is V2.

Receive

Select the RIP version to be used for receiving the routing updates.

You can select V1 or V2 or both, V1 and V2. The selection overrides the version selected in the Global Configuration settings.

The default setting is V1 and V2.

Split Horizon

Enable to prevent routing loops: a route is not advertised back out of the interface on which it was learned.

The default setting is disabled.

Poisoned Reverse (only applicable when Split Horizon is enabled)

Enable to advertise routes learned on an interface back out of that interface with a metric of 16 (unreachable) instead of omitting them, so that neighbors withdraw an invalid route immediately rather than waiting for it to time out.

The default setting is disabled.

Authentication

Click to enable authentication of RIP packets.

If enabled, provide a password to authenticate the RIP packets. Authentication is a RIPv2 feature; RIPv1 packets carry no authentication field. The password is a shared secret among the routers on that segment, so treat it as such.

Passive Mode

Enable to prevent the interface from sending RIP advertisements.

The default setting is disabled.


Figure 378: Override Interface Configuration

3. Click Save.
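The RIP overview above (metric plus one per hop, 16 meaning unreachable, only the lowest-metric route kept) and the interface overrides just described (Split Horizon, Poisoned Reverse, Passive Mode) are easiest to see side by side in code. The following script is an added example and not code from the Sophos guide or its RIP implementation: a minimal route table that processes a received update under those rules and then builds the update it would send out of an interface under each override. The interface names, neighbor addresses and prefixes are constructed sample data, and timers (update, timeout, garbage) are left out.

```python
"""Added example (not code from the Sophos guide): a minimal RIP route table
that applies the hop-count rules from the RIP page and shows what the
Split Horizon, Poisoned Reverse and Passive Mode interface overrides change
in the update sent out of an interface. Interfaces, neighbors and prefixes
are constructed sample data."""

INFINITY = 16   # a hop count of 16 means the destination is unreachable


class RipTable:
    def __init__(self):
        # prefix -> {"metric": hops, "next_hop": sender or None, "iface": name}
        self.routes = {}

    def add_connected(self, prefix, iface):
        """Directly connected network: one hop, no next hop."""
        self.routes[prefix] = {"metric": 1, "next_hop": None, "iface": iface}

    def process_update(self, sender, iface, entries):
        """Apply an update of (prefix, metric) pairs received from `sender`
        on `iface`. Returns the list of prefixes whose route changed."""
        changed = []
        for prefix, metric in entries:
            metric = min(metric + 1, INFINITY)     # receiving router adds one hop
            current = self.routes.get(prefix)
            if current is None:
                if metric < INFINITY:              # never install an unreachable route
                    self.routes[prefix] = {"metric": metric, "next_hop": sender, "iface": iface}
                    changed.append(prefix)
            elif current["next_hop"] == sender:
                # The current next hop is authoritative for its own route, so it may
                # raise the metric or poison the route (metric 16) as well as lower it.
                if metric != current["metric"]:
                    current["metric"] = metric
                    changed.append(prefix)
            elif metric < current["metric"]:
                # Another router offers a cheaper path: keep only the lowest metric.
                self.routes[prefix] = {"metric": metric, "next_hop": sender, "iface": iface}
                changed.append(prefix)
        return changed

    def advertise(self, iface, split_horizon=False, poisoned_reverse=False, passive=False):
        """Build the (prefix, metric) list sent out of `iface`."""
        if passive:
            return []                              # Passive Mode: no advertisements
        update = []
        for prefix, route in sorted(self.routes.items()):
            if split_horizon and route["iface"] == iface:
                # Split Horizon: do not send a route back out of the interface it was
                # learned on (includes the connected network on that interface).
                if poisoned_reverse:
                    update.append((prefix, INFINITY))   # send it back as unreachable
                continue
            update.append((prefix, route["metric"]))    # poisoned routes go out as 16
        return update


def demo():
    """Walk through one update cycle; returns the table for inspection."""
    table = RipTable()
    table.add_connected("10.1.0.0/24", "Port1")
    # Constructed update from neighbor 10.2.0.2 on Port2: 10.4.0.0/24 arrives at 15 hops
    # and becomes 16 after the increment, so it is treated as unreachable.
    table.process_update("10.2.0.2", "Port2", [("10.3.0.0/24", 1), ("10.4.0.0/24", 15)])
    return table


if __name__ == "__main__":
    t = demo()
    print("plain     :", t.advertise("Port2"))
    print("split hor.:", t.advertise("Port2", split_horizon=True))
    print("poison rev:", t.advertise("Port2", split_horizon=True, poisoned_reverse=True))
```

With the defaults (both overrides disabled) the route to 10.3.0.0/24 is advertised straight back to the neighbor it came from, which is the pattern that lets two routers count each other up to 16 after a link failure. Split Horizon drops it from that update; Poisoned Reverse keeps it in the update at metric 16 so the neighbor hears an explicit "unreachable" instead of relying on a timeout.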

Authentication

The Authentication menu provides basic authentication settings for the device.


This menu covers the following topics:

Servers on page 395: Manage external servers for authentication

Services: Define authentication servers for the administrators and end-users logging in through the device, VPN, or the Captive Portal.

Groups on page 412: Set up policies and assign them to a number of users

Users on page 416: Manage user accounts for access to the device

One-Time Password: Configure the one-time password (OTP) service.

Captive Portal: Customize the Captive Portal through which users can log in

Guest Users on page 429: Manage users accessing the device without a user account

Clientless Users on page 435: Manage user accounts for clientless access

Guest User Settings: Configure general parameters to provide secured Internet access for guest users

Client Downloads on page 443: Download clients for different platforms to interact with the device

Servers

The Authentication Server menu allows the management of databases and backend servers for external user authentication services.

External user authentication enables you to validate user accounts against existing user databases or directory services on other servers of your network.

Authentication services currently supported are:

• Novell's eDirectory

• Microsoft's Active Directory

• RADIUS

• TACACS+

• LDAP

This page displays a list of all existing authentication servers. For each server the list shows:

Name

Displays the name of the authentication server.

IP

Displays the IP address of the authentication server.

Port

Displays the port of the authentication server.

Type

Displays the type of the authentication server.

Domain/Admin

Displays the domain or admin of the authentication server.

Add External Server

This page describes the authentication servers to be added. It covers the following topics:

Active Directory

Active Directory (AD) is Micros­oft's implementation of a directory service and is a central component of Windows 2000/2003 servers. It stores information about a broad range of resources residing on a network, including users, groups, computers, printers, applications, services, and any type of user-defined objects. As such it provides the means to centrally organize, manage, and control access to these resources. The Active Directory authentication method allows you to register Sophos XG Firewall at a Windows domain, thus creating an object for Sophos XG Firewall on the primary domain controller (DC). Sophos XG Firewall is then able to query user and group information from the domain.


Note: Sophos XG Firewall supports Active Directory 2003 and newer.

Add Active Directory Server on page 398

LDAP

LDAP, an abbreviation for Lightweight Directory Access Protocol, is a networking protocol for querying and modifying directory services based on the X.500 standard. Sophos XG Firewall uses the LDAP protocol to authenticate users for several of its services, allowing or denying access based on attributes or group memberships configured on the LDAP server.

Add LDAP Server on page 396

RADIUS

RADIUS, the acronym of Remote Authentication Dial In User Service, is a widespread protocol for allowing network devices such as routers to authenticate users against a central database. In addition to user information, RADIUS can store technical information used by network devices, such as supported protocols, IP addresses, routing information, and so on. This information constitutes a user profile, which is stored in a file or database on the RADIUS server. The RADIUS protocol is very flexible, and servers are available for most operating systems.

The RADIUS implementation on Sophos XG Firewall allows you to configure access rights on the basis of proxies and users. Before you can use RADIUS authentication, you must have a running RADIUS server on the network.

Whereas passwords are obfuscated using the RADIUS shared secret, the username is transmitted in plain text. The password protection is an MD5-based stream keyed by the shared secret (RFC 2865), not a modern cipher, so choose a long random secret and keep the path between the device and the RADIUS server on a trusted network segment.
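What "encrypted using the RADIUS secret" means in practice is worth seeing concretely. The following script is an added example, not code from the Sophos guide or its RADIUS client: it implements the RFC 2865 User-Password hiding (pad the password to 16-byte blocks, XOR each block with MD5(secret + previous block), seeded with the Request Authenticator), builds a minimal Access-Request so the cleartext User-Name is visible in the packet bytes, and then shows the offline attack an observer can run on a captured request: try candidate shared secrets until the unhidden bytes look like a password. The username, password, secret and the fixed authenticator are constructed values; a real client must use 16 random bytes per request.

```python
"""Added example (not code from the Sophos guide): how RADIUS hides the
User-Password attribute with the shared secret (RFC 2865 section 5.2), and why
that is not encryption in the modern sense. All values are constructed."""
import hashlib
import struct

USER_NAME, USER_PASSWORD = 1, 2            # RADIUS attribute types
ACCESS_REQUEST = 1                         # RADIUS code


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865: pad to 16 bytes, then c(i) = p(i) XOR MD5(secret + c(i-1)),
    with c(0) = the 16-byte Request Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden, prev = hidden + block, block
    return hidden


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; anyone holding the secret can do this."""
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00")


def build_access_request(identifier: int, username: bytes, password: bytes,
                         secret: bytes, authenticator: bytes) -> bytes:
    """Minimal Access-Request: header, authenticator, User-Name, User-Password."""
    def attr(attr_type, value):
        return struct.pack("!BB", attr_type, 2 + len(value)) + value
    attrs = attr(USER_NAME, username) + attr(USER_PASSWORD, hide_password(password, secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def guess_secret(hidden: bytes, authenticator: bytes, candidates) -> list:
    """Offline attack on a captured Access-Request: try candidate secrets and keep
    those whose result looks like a printable password with NUL padding.
    The authenticator travels in the packet in clear, so only the secret is unknown."""
    hits = []
    for secret in candidates:
        plain = reveal_password(hidden, secret, authenticator)
        if plain and all(32 <= b < 127 for b in plain):
            hits.append(secret)
    return hits


# Constructed values. A real client must use 16 random bytes per request.
AUTHENTICATOR = bytes(range(16))
SECRET = b"testing123"

if __name__ == "__main__":
    pkt = build_access_request(7, b"alice", b"Sophos!2017", SECRET, AUTHENTICATOR)
    print(pkt.hex())
    # User-Password value starts at offset 29: 20 header bytes + 7-byte User-Name + 2-byte attribute header
    print(guess_secret(pkt[29:45], AUTHENTICATOR, [b"secret", b"radius", SECRET]))
```

The hiding is reversible by anyone who knows the secret, and the only unknown to an attacker who captures the packet is that secret, so a short or dictionary-word secret reduces the protection to a fast offline guess. The same capture hands over the username for free.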

Add RADIUS Server on page 401

TACACS+

TACACS+, the acronym of Terminal Access Controller Access Control System, is a proprietary protocol by Cisco Systems, Inc. and provides detailed accounting information and administrative control over authentication and authorization processes. Whereas RADIUS combines authentication and authorization in a user profile, TACACS+ separates these operations. Another difference is that TACACS+ uses the TCP protocol (port 49) while RADIUS uses the UDP protocol.

Add TACACS+ Server on page 402

eDirectory

Novell eDirectory is an X.500 compatible directory service for centrally managing access to resources on multiple servers and computers within a given network. eDirectory is a hierarchical, object-oriented database that represents all the assets in an organization in a logical tree. Those assets can include people, servers, workstations, applications, printers, services, groups, and so on.

Add eDirectory Server on page 403

Add LDAP Server

This page describes how to add an LDAP server.

1. Go to Configure > Authentication > Servers and click Add.

2. As Server Type, select LDAP Server.

3. Specify the LDAP server details:

Server Name

Specify a descriptive name for the LDAP server.

Server IP/Domain

Specify an IP address or domain for the LDAP server.

Port

Specify the port of the LDAP server.

Default: 389

Version

Select the version of the LDAP server.

Default: 3

Anonymous Login

Enable to send anonymous requests to the LDAP server.

Disable to bind to the server as the user specified below.

Username (not available if Anonymous Login is selected)

Enter the username. It must be specified as a full distinguished name (DN) in LDAP notation, using commas as delimiters (e.g., uid=root,cn=user).

Password (not available if Anonymous Login is selected)

Specify a password for the user.

Connection Security

Select the connection security for the LDAP server:

Simple: User credentials will be sent unencrypted, as plaintext. This connection security is selected by default. Use it only on a trusted network segment, because anyone who can observe the traffic can read the bind password.

SSL: Secure Sockets Layer. This is the most common method used for a secured connection. The Port will then change from 389 (LDAP) to 636 (ldaps = LDAP over SSL).

TLS: Transport Layer Security. Provides the same secured connection as SSL but negotiates it with STARTTLS on the default port (389).

Validate Server Certificate (not available for Simple connection security)

Enable to validate the certificate presented by the external server. Without validation, the device completes the SSL/TLS handshake with any server answering at the configured address, including an impostor, so enable it wherever the server's certificate chain can be verified.

Client Certificate (not available for Simple connection security)

Select a client certificate from the list to establish a secured connection. If you do not want a client certificate, select None.

Default: ApplianceCertificate

Note: You can manage client certificates under Protect > Web Server >

Certificates.

Base DN

Enter the Base DN for the LDAP server. The Base DN is the starting point, relative to the root of the LDAP tree, under which the users to be authenticated are located. The Base DN must be specified as a full distinguished name (DN) in LDAP notation, using commas as delimiters and listing the most specific component first (e.g., OU=RnD,O=Example).

Get Base DN

Click Get Base DN if you do not know the Base DN. The Base DN is then retrieved automatically from the directory.

Authentication Attribute

Specify the attribute used to search the LDAP directory for a user. The value of this attribute is the actual login name the user is prompted for, for example by remote access services (typically uid, or sAMAccountName on Active Directory).

Display Name Attribute

Specify the LDAP attribute whose value is displayed as the user's name on the device (for example, cn or displayName).

Email Address Attribute

Specify the LDAP attribute that holds the user's email address (for example, mail).

Group Name Attribute

Specify the LDAP attribute that holds the name of the group the user belongs to; its value is used as the group name on the device.

| Configure | 397

Expiry Date Attribute

Specify the attribute that holds the account expiry date. The attribute defines how long a user account is valid.


Figure 379: Add LDAP Server

4. Click Test Connection to check the connectivity between the LDAP server and Sophos XG Firewall. It also validates the LDAP server user credentials by binding with the configured username and password.

5. Click Save.
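The Connection Security and Validate Server Certificate settings above (and the same settings on the Active Directory and eDirectory pages) decide what actually crosses the wire when the firewall binds to the directory. The script below is an added example written for this guide, not Sophos code: using only Python's standard library it performs the same check the Test Connection button does, hand-encoding the LDAPv3 BindRequest and StartTLS ExtendedRequest (RFC 4511) so that the three modes are visible. Simple sends the bind DN and password as a plain OCTET STRING on port 389; SSL wraps the socket in TLS before any LDAP traffic (port 636); TLS connects to 389 and upgrades with StartTLS. Passing validate_cert=False skips certificate checking, which is what leaving Validate Server Certificate disabled amounts to. The host, port, bind DN and password you pass to check_connection are placeholders of your own; none of them come from the guide.

```python
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # StartTLS extended operation (RFC 4511)


def _ber_len(n):
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def bind_request(msg_id, bind_dn, password):
    """LDAPv3 simple BindRequest ([APPLICATION 0]); empty DN and password is an anonymous bind.
    The password is a plain OCTET STRING (context tag 0x80): under Simple connection security it
    is readable by anyone on the path. msg_id must be below 128 for this one-byte INTEGER."""
    version = _tlv(0x02, b"\x03")
    name = _tlv(0x04, bind_dn.encode())
    auth = _tlv(0x80, password.encode())
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x60, version + name + auth))


def starttls_request(msg_id):
    """ExtendedRequest ([APPLICATION 23]) asking the server to upgrade the port-389 session to TLS."""
    op = _tlv(0x77, _tlv(0x80, STARTTLS_OID))
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + op)


def parse_result(msg):
    """Parse a BindResponse (0x61) or ExtendedResponse (0x78): both begin with an LDAPResult.
    Returns (message_id, op_tag, result_code, diagnostic); 0 is success, 49 is invalidCredentials."""
    tag, body, _ = _read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(body)
    op_tag, op, _ = _read_tlv(body, pos)
    _, code, pos = _read_tlv(op)            # resultCode ENUMERATED
    _, _matched, pos = _read_tlv(op, pos)   # matchedDN
    _, diag, _ = _read_tlv(op, pos)         # diagnosticMessage
    return int.from_bytes(mid, "big"), op_tag, int.from_bytes(code, "big"), diag.decode(errors="replace")


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("LDAP server closed the connection")
        buf += chunk
    return buf


def _recv_message(sock):
    """Read one complete LDAPMessage by first decoding its outer BER length."""
    head = _recv_exact(sock, 2)
    if head[1] & 0x80:
        extra = _recv_exact(sock, head[1] & 0x7F)
        head, length = head + extra, int.from_bytes(extra, "big")
    else:
        length = head[1]
    return head + _recv_exact(sock, length)


def check_connection(host, port, security, bind_dn="", password="", validate_cert=True, timeout=5.0):
    """security: "simple" (plaintext), "ssl" (LDAPS, normally 636) or "tls" (StartTLS on 389).
    Returns (result_code, diagnostic) of the bind, exactly what Test Connection reports."""
    ctx = ssl.create_default_context()
    if not validate_cert:   # Validate Server Certificate off: any certificate is accepted, MITM-able
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        if security == "ssl":
            sock = ctx.wrap_socket(sock, server_hostname=host)
        elif security == "tls":
            sock.sendall(starttls_request(1))
            _, op_tag, code, diag = parse_result(_recv_message(sock))
            if op_tag != 0x78 or code != 0:
                raise ConnectionError(f"StartTLS refused ({code}): {diag}")
            sock = ctx.wrap_socket(sock, server_hostname=host)
        elif security != "simple":
            raise ValueError(f"unknown connection security {security!r}")
        sock.sendall(bind_request(2, bind_dn, password))
        _, op_tag, code, diag = parse_result(_recv_message(sock))
        if op_tag != 0x61:
            raise ConnectionError("expected a BindResponse")
        return code, diag
    finally:
        sock.close()
```

A call such as check_connection("ldap.example.com", 389, "tls", "cn=xg-bind,ou=svc,dc=example,dc=com", "secret") reproduces the TLS mode; run the same bind with security="simple" while capturing on the wire and the DN and password are visible in the packet. A result code of 49 means the server was reached and the TLS handshake succeeded but the credentials were rejected, which is the distinction Test Connection makes between connectivity and credentials.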

Add Active Directory Server

This page describes how to add an Active Directory server.

Active Directory allows the device to map the users and groups from ADS for the purpose of authentication on a Windows platform.

1. Go to Configure > Authentication > Servers and click Add.

2. As Server Type, select Active Directory.

Note: If a user is required to authenticate using AD, the device needs to communicate with the AD server for authentication.

3. Specify the Active Directory server details.

Server Name

Enter a unique name for the Active Directory server.

Server IP

Specify an IP address for the Active Directory server.

Port

Specify the port of the Active Directory server.

Default: port 389.

NetBIOS Domain

Specify a NetBIOS domain for the Active Directory server.

ADS Username

Specify the username of the account the device uses to bind to the Active Directory server. A dedicated account with read access to the directory is sufficient; do not use a member of Domain Admins, because the password is stored on the firewall.

Password

Specify a password for the admin user of the Active Directory server.

Connection Security

Select the type of security to be implemented on the established connection.

It provides a method to log in to the external server by sending the username and password in encrypted form instead of as plaintext.

Simple: User credentials will be sent unencrypted, as plaintext, and are exposed to anyone who can observe the traffic between the firewall and the domain controller.

SSL: Secure Sockets Layer. This is the most common method used for a secured connection. The Port then changes from 389 (LDAP) to 636 (ldaps = LDAP over SSL).

TLS: Transport Layer Security. Same encrypted connection as SSL, but it uses the default port (389) and upgrades the session with StartTLS before the bind is sent.

Note: We strongly recommend using SSL or TLS to protect the user credentials.

Validate Server Certificate (not available for Simple connection security)

Enable to validate the certificate presented by the external server. Without validation an attacker in the path could impersonate the domain controller and capture the bind credentials, so enable it and make sure the signing CA is trusted by the device.

Display Name Attribute

Specify the AD attribute whose value is displayed as the user's name on the device.

Email Address Attribute

Specify the AD attribute that holds the user's email address (for example, mail).

Domain Name

Specify the domain name for which the query is to be added.

Search Queries

Click Add to enter a search query. Use the Move Up and Move Down buttons to rearrange the search queries in the list. Use Remove to remove the selected item.

Note: If you do not know the search DN, refer to NetBIOS Name, FQDN and Search DN.


Figure 380: Add Active Directory Server

4. Click Test Connection to check the connectivity between the Active Directory server and Sophos XG Firewall. It also validates the Active Directory server user credentials.

5. Click Save.

NetBIOS Name, FQDN and Search DN

This page describes how a Search DN is built.

The settings have to be performed on an AD (Windows) server.

1. Go to Start > All Programs > Administrative Tools > Active Directory Users and Computers.

2. Right-click the required domain and go to the Properties tab.

The Search DN is based on the FQDN. For example, if the FQDN is "google.com", then the Search DN will be DC=google,DC=com.

Figure 381: Search Query

Import AD User Group

This page describes how to import Active Directory groups from the Windows platform into the device.


1. Go to Configure > Authentication > Servers and click the import icon against the AD server from which AD groups are to be imported.

The Import Group Wizard Help appears.

2. Specify a Base DN. Appliance fetches AD groups or OU groups from the specified Base DN.

3. Select the AD groups or OU groups to be imported into the appliance. Hold down Ctrl to select multiple groups. Groups that already exist on the device will not be imported.

4. Select the policies (surfing quota, traffic shaping, web filter, application filter, network traffic and SSL VPN) and the user authentication timeout for group members. Selected policies are attached to all imported groups. If you want to specify different policies for different groups, do not enable Attach to all the Groups; for example, if different groups need different web filter policies, leave that option disabled.

5. If you do not want to apply common policies which are valid for all groups, specify policies to be applied to each group individually.

If groups are imported successfully, a "successful" message will be displayed; else the appropriate error message will be displayed. This message remains even if you close the wizard.

6. Click Close to end the wizard.

If a user is a member of multiple AD groups, the policies of the first matching group are applied.

The device walks the ordered group list from top to bottom to determine the user's group membership. The first group that matches is treated as the user's group and that group's policies are applied to the user; memberships further down the list have no effect. Put the most restrictive or most specific groups at the top so that a broad group listed above them does not silently win.

Using the wizard, you can reorder the groups to change the membership preference.
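The first-match rule above is easy to get wrong once users belong to several imported groups, and the user-level precedence described later for Users (user configuration overrides the group's policies) stacks on top of it. The following is an added example, not Sophos code, that models both rules in plain Python so the effect of reordering can be checked before it is applied on the device. The group names, policies and users are constructed sample data, and "Open Group" is assumed here as the name of the default group; none of these values are taken from the guide.

```python
# Constructed sample data (not from the guide): two imported AD groups plus the device's
# default group, and users with different membership sets.
GROUP_POLICIES = {
    "Staff":       {"web_filter": "Default Policy", "surfing_quota": "Unlimited"},
    "Contractors": {"web_filter": "Restricted",     "surfing_quota": "2 hours per day"},
    "Open Group":  {"web_filter": "Default Policy", "surfing_quota": "Unlimited"},
}
USERS = {
    "bob":   {"memberships": {"Staff", "Contractors"}, "overrides": {"surfing_quota": "4 hours per day"}},
    "carol": {"memberships": {"Contractors"}, "overrides": {}},
    "dave":  {"memberships": set(), "overrides": {}},
}


def effective_group(memberships, ordered_groups):
    """Scan the device's ordered group list top to bottom; the first hit is the user's group."""
    for group in ordered_groups:
        if group in memberships:
            return group
    return None


def shadowed_groups(memberships, ordered_groups):
    """Memberships that can never take effect because a higher-listed group matches first."""
    winner = effective_group(memberships, ordered_groups)
    if winner is None:
        return []
    below = ordered_groups[ordered_groups.index(winner) + 1:]
    return [g for g in below if g in memberships]


def effective_policies(user, ordered_groups, group_policies, default_group):
    """Group policy first; per-user settings override it (user configuration takes precedence).
    A user matching no listed group falls back to the default group."""
    group = effective_group(user["memberships"], ordered_groups) or default_group
    policies = dict(group_policies.get(group, {}))
    for name, value in user.get("overrides", {}).items():
        if value is not None:
            policies[name] = value
    return group, policies


def audit(ordered_groups, users=USERS, group_policies=GROUP_POLICIES, default_group="Open Group"):
    """Per user: the group that wins, the resulting policies, and memberships silently ignored.
    Run it with the current and the proposed order to see which users change policy."""
    report = {}
    for name, user in users.items():
        group, policies = effective_policies(user, ordered_groups, group_policies, default_group)
        report[name] = {
            "group": group,
            "policies": policies,
            "shadowed": shadowed_groups(user["memberships"], ordered_groups),
        }
    return report
```

With the order ["Staff", "Contractors"], bob lands in Staff and his Contractors membership is reported as shadowed, so the Restricted web filter never applies to him; reversing the order gives him the Contractors policy while his own surfing quota override still wins over both groups. A non-empty "shadowed" entry is the thing to look for before saving a group order.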

Add RADIUS Server

This page describes how to add a RADIUS server.

1. Go to Configure > Authentication > Servers and click Add.

2. As Server Type, select RADIUS Server.

3. Specify the RADIUS server details:

Server Name

Specify a descriptive name for the RADIUS server.

Server IP

Specify an IP address for the RADIUS server.

Authentication Port

Specify the authentication port of the RADIUS server.

By default, this is port 1812.

Enable Accounting

Enable accounting on the RADIUS server.

Sophos XG Firewall sends the following information to the RADIUS server as soon as the user logs in:

• Accounting start request

• User login time

Sophos XG Firewall sends the following information to the RADIUS server the moment the user logs out:

• Accounting stop request

• User logout time

Note: Supported client types: Windows client, HTTP client, Linux client, Android, iOS, iOS HTTP client, Android HTTP client, API client.

Note: The accounting stop message is not sent to the RADIUS server when Sophos XG Firewall shuts down or reboots.

Accounting Port (available only if Enable Accounting is active)

Specify the RADIUS port through which Sophos XG Firewall sends accounting requests to the RADIUS server (the standard accounting port is 1813).

Shared Secret

Specify the shared secret, a text string that serves as a password between a RADIUS client and a RADIUS server. RADIUS derives its packet authenticators and its password hiding from this secret with MD5, so use a long random value, and a different one per client, rather than a short word.

Group Name Attribute

Specify the RADIUS attribute, returned by the server, that carries the user's group name; its value is used as the group name on the device.


Figure 382: Add RADIUS Server

4. Click Test Connection to check the connectivity between the RADIUS server and Sophos XG Firewall. It also validates the RADIUS server user credentials.

5. Click Save.

Add TACACS+ Server

This page describes how to add a TACACS+ server.

1. Go to Configure > Authentication > Servers and click Add.

2. As Server Type, select TACACS+ Server.

3. Specify the TACACS+ server details:

Server Name

Specify a descriptive name for the TACACS+ server.

Server IPv4

Specify an IP address for the TACACS+ server.

Port

Specify the port of the TACACS+ server.

By default, this is port 49.

Shared Secret

Specify the shared secret, a text string that serves as a password between a TACACS+ client and a TACACS+ server. TACACS+ obfuscates the packet body with a keystream derived from this secret, so a weak secret, or one reused across many devices, exposes everything carried in the session.


Figure 383: Add TACACS+ Server

4. Click Test Connection to check the connectivity between the TACACS+ server and Sophos XG Firewall. It also validates the TACACS+ server user credentials.

5. Click Save.

Add eDirectory Server

This page describes how to add an eDirectory server.

1. Go to Configure > Authentication > Servers and click Add.

2. As Server Type, select eDirectory.

3. Specify the eDirectory server details:

Server Name

Specify a descriptive name for the eDirectory server.

Server IP/Domain

Specify an IP address or domain for the eDirectory server.

Port

Specify the port of the eDirectory server.

By default, this is port 389.

Username

Specify a username for the eDirectory server.

Password

Specify a password for the eDirectory server.

Connection Security

Select the connection security for the eDirectory server:

Simple: User credentials will be sent unencrypted, as plaintext.

SSL: Secure Sockets Layer. This is the most common method used for a secured connection. The Port then changes from 389 (LDAP) to 636 (ldaps = LDAP over SSL).

TLS: Transport Layer Security. Same encrypted connection as SSL, but it uses the default port (389) and upgrades the session with StartTLS before the bind is sent.

Base DN

Specify the Base DN for the eDirectory server. The Base DN is the starting point, relative to the root of the eDirectory tree, under which the users to be authenticated are located. The Base DN must be specified as a full distinguished name (DN) in LDAP notation, using commas as delimiters and listing the most specific component first (e.g., OU=RnD,O=Example).

Get Base DN

Click Get Base DN if you do not know the Base DN. The Base DN is then retrieved automatically from the directory.


Figure 384: Add eDirectory Server

4. Click Test Connection to check the connectivity between the eDirectory server and Sophos XG Firewall. It also validates the eDirectory server user credentials.

5. Click Save.

Services

This page allows you to configure authentication for firewall, VPN and admin traffic.

You can also configure global settings, NTLM settings, web client settings, Captive Portal parameters and RADIUS client settings for the Single Sign-On server.

Note: You can also view and manage the authentication status on the Monitor & Analyze > Diagnostics > Services page.

Once you have deployed the device, the default access policy is applied automatically; it allows all network traffic to pass through the device, so you can monitor user activity in your network based on the default policy.

As device monitors and logs user activity based on the IP address, all the reports are also generated based on the IP address. To monitor and log user activities based on usernames or logon names, you have to configure the device for integrating user information and authentication process. Integration will identify access requests based on usernames and generate reports based on usernames.

When the user attempts to access, the device requests a user name and password and authenticates the user’s credentials before giving access. User level authentication can be performed using the local user database on the device, external ADS server, LDAP, RADIUS or TACACS+ server.

To set up the user database:

1. Integrate ADS, LDAP, RADIUS or TACACS+ if external authentication is required.

2. Configure local authentication.

3. Register users.

The device provides policy-based filtering that allows defining individual filtering plans for various users of your organization. You can assign individual policies to users, or a single policy to a number of users (group).

The device detects users as they log on to a Windows domain in your network via client machines. Users are allowed or denied access based on username and password. In order to authenticate a user, you must select at least one database against which the device should authenticate users.

To filter the Internet requests based on policies assigned, the device must be able to identify a user making a request.

You can configure Administrator, Firewall, VPN, and SSL VPN authentication through one or more servers.

This section covers the following topics:

Firewall Authentication Methods

Authentication Server List

Select an authentication server.

Authentication Server List displays all the configured servers, while Selected Authentication Server List displays the servers that will be used for authentication when the user tries to log in.

In case of multiple servers, the authentication request is forwarded as per the order configured in the Selected Authentication Server list.

Default Group

Select the default group for firewall authentication.


Figure 385: Firewall Authentication Methods

VPN (IPsec/L2TP/PPTP) Authentication Methods

Set Authentication Methods Same As Firewall

Enable to use the same authentication method as configured for the firewall traffic. If enabled all the authentication servers configured for the firewall traffic will be available for VPN traffic authentication configuration.

Authentication Server List displays all the configured servers, while Selected Authentication Server list displays the servers that will be used for authentication when the user tries to log in.

Override the authentication method for VPN traffic by selecting or deselecting any authentication server.

In case of multiple servers, the authentication request will be forwarded as per the order configured in the Selected Authentication Server list.

If a RADIUS server authenticates users, PPTP and L2TP connections established using the MS-CHAPv2 or CHAP protocol can be authenticated through RADIUS.


Figure 386: VPN (IPsec/L2TP/PPTP) Authentication Methods

Administrator Authentication Methods

You can configure and manage authentication settings for all administrator users except for the super administrator.

Set Authentication Methods Same As Firewall

Select to use the same authentication method as configured for firewall traffic. If enabled all the authentication servers configured for the firewall traffic will be available for administrator traffic authentication configuration.

Authentication Server List displays all the configured servers, while Selected Authentication Server list displays the servers that will be used for authentication when the user tries to log in.

Override the authentication method for administrator traffic by selecting or deselecting any authentication server.

In case of multiple servers, the authentication request will be forwarded as per the order configured in the Selected Authentication Server list.

Figure 387: Administrator Authentication Methods

SSL VPN Authentication Methods

Same as VPN

Enable to use the same authentication method as configured for VPN traffic.

Same as Firewall

Enable to use the same authentication method as configured for the firewall traffic

Set Authentication Method for SSL VPN

Enable to configure the authentication server for SSL VPN.

Authentication Server List displays all the configured servers, while Selected Authentication Server list displays the servers that will be used for authentication when the user tries to log in.

Override the authentication method for SSL VPN traffic by selecting or deselecting any authentication server.

In case of multiple servers, the authentication request will be forwarded as per the order configured in the Selected Authentication Server list.


Figure 388: SSL VPN Authentication Methods

Global Settings

Maximum Session Timeout

Specify the timeout duration in minutes.

Maximum Session Timeout is the time in minutes a user may stay logged into the device. After this period the user is logged out automatically and must re-authenticate. This is applicable to administrative sessions only.

Acceptable range: 3 to 1440 minutes

Enable Unlimited to allow the users to remain logged in.

Simultaneous Logins

Specify the maximum number of concurrent logins allowed to the user.

Acceptable range: 1 to 99 concurrent logins

Alternatively, enable Unlimited to allow unlimited concurrent logins to the user.

Note: Login restriction is applicable only to those users who are added after this configuration.

Figure 389: Global Settings

NTLM Settings

Inactivity Time

Specify the inactivity time in minutes.


The user inactivity timeout is the inactive/idle time in minutes after which the user will be logged out and has to re-authenticate.

Acceptable range: 6 to 1440 minutes

Default: 6 minutes

Data Transfer Threshold

Specify the minimum data to be transferred.

If the minimum data is not transferred within the specified time, the user will be marked as inactive.

Default: 1024 bytes

HTTP challenge redirect on Intranet Zone

Enabled: When a site hosted on the Internet triggers the NTLM web proxy authentication challenge, the device redirects the challenge to the Intranet zone. The client is authenticated transparently through the device's local interface IP, and the credential exchange takes place only within the Intranet zone, so the user's credentials stay protected.

Disabled: The browser completes the transparent NTLM authentication through the device on the Internet-facing request, so the credential exchange travels over the Internet.

Default: Enabled


Figure 390: NTLM Settings

Web Client Settings (iOS and Android and API)

Inactivity Time

Specify the inactivity time in minutes.

The user inactivity timeout is the inactive/idle time in minutes after which the user will be logged out and has to re-authenticate.

Acceptable range: 6 to 1440 minutes

Default: 6 minutes

Data transfer threshold

Specify the minimum data to be transferred.

If the minimum data is not transferred within the specified time, the user will be marked as inactive.

Default: 1024 bytes

Figure 391: Web Client Settings

SSO using RADIUS accounting request

Device can authenticate users transparently who have already authenticated on an external RADIUS server.

RADIUS Client IPv4

Specify the IPv4 address of the RADIUS client.

Only requests from the specified IP address will be considered for SSO.

Shared Secret

Provide shared secret for authentication.

Show Shared Secret

Click Show to view the configured shared secret.

Figure 392: SSO using radius accounting request
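Both the Enable Accounting option on the RADIUS server page and SSO using RADIUS accounting request rest on the same packet format (RFC 2866): an Accounting-Request whose 16-byte Request Authenticator is an MD5 digest over the packet and the shared secret. The following is an added example, not Sophos code, written with Python's standard library. build_acct_request produces the Start and Stop packets a RADIUS client sends (the firewall itself in the accounting case, or a wireless controller or NAS in the SSO case); verify_acct_request and sso_decision implement the receiving side's checks the way the SSO settings describe them: a packet is considered only if it comes from the configured RADIUS Client IPv4, and it is dropped if its authenticator does not verify under the shared secret. The IP addresses, user name and secret are constructed sample values, and the attribute set is the minimum needed to identify a user and an address; real clients send more.

```python
import hashlib
import hmac
import ipaddress
import struct

ACCT_REQUEST, ACCT_RESPONSE = 4, 5                       # RADIUS codes (RFC 2866)
USER_NAME, NAS_IP_ADDRESS, FRAMED_IP_ADDRESS = 1, 4, 8   # attribute types (RFC 2865)
ACCT_STATUS_TYPE, ACCT_SESSION_ID = 40, 44
STATUS_START, STATUS_STOP = 1, 2
IP_ATTRS = (NAS_IP_ADDRESS, FRAMED_IP_ADDRESS)


def encode_attrs(attrs):
    """Type-Length-Value list: IPs as 4 raw octets, ints as 32-bit big-endian, text as bytes."""
    out = b""
    for attr_type, value in attrs:
        if attr_type in IP_ATTRS:
            value = ipaddress.IPv4Address(value).packed
        elif isinstance(value, int):
            value = struct.pack("!I", value)
        elif isinstance(value, str):
            value = value.encode()
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += bytes([attr_type, 2 + len(value)]) + value
    return out


def decode_attrs(data):
    """Parse attributes into {type: raw_value}; refuses lengths that run off the packet."""
    attrs, pos = {}, 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute length")
        attrs[attr_type] = data[pos + 2:pos + length]
        pos += length
    return attrs


def build_acct_request(secret, identifier, attrs):
    """Accounting-Request as the RADIUS client sends it. Request Authenticator =
    MD5(Code + ID + Length + 16 zero octets + attributes + secret): without the shared
    secret a packet cannot be forged or altered undetected."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCT_REQUEST, identifier, 20 + len(body))
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body


def verify_acct_request(packet, secret, allowed_client, source_ip):
    """Receiving side. Returns (status_type, username, framed_ip) or raises ValueError."""
    if source_ip != allowed_client:
        raise ValueError(f"ignored: {source_ip} is not the configured RADIUS client")
    if len(packet) < 20:
        raise ValueError("packet too short")
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    if not hmac.compare_digest(packet[4:20], expected):
        raise ValueError("bad Request Authenticator: wrong shared secret or tampered packet")
    attrs = decode_attrs(packet[20:])
    try:
        status = struct.unpack("!I", attrs[ACCT_STATUS_TYPE])[0]
        username = attrs[USER_NAME].decode()
        framed_ip = str(ipaddress.IPv4Address(attrs[FRAMED_IP_ADDRESS]))
    except (KeyError, struct.error, UnicodeDecodeError, ValueError) as err:
        raise ValueError(f"missing or malformed attribute: {err}") from None
    return status, username, framed_ip


def sso_decision(packet, secret, allowed_client, source_ip):
    """Map an accounting packet to the SSO action: Start logs the user in against the
    Framed-IP-Address, Stop logs the user out, anything else is ignored."""
    try:
        status, username, framed_ip = verify_acct_request(packet, secret, allowed_client, source_ip)
    except ValueError as err:
        return {"action": "reject", "reason": str(err)}
    if status == STATUS_START:
        return {"action": "login", "user": username, "ip": framed_ip}
    if status == STATUS_STOP:
        return {"action": "logout", "user": username, "ip": framed_ip}
    return {"action": "ignore", "reason": f"Acct-Status-Type {status}"}


def build_acct_response(request, secret):
    """Accounting-Response: Response Authenticator = MD5(Code + ID + Length + RequestAuth + secret)."""
    header = struct.pack("!BBH", ACCT_RESPONSE, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def verify_acct_response(response, request, secret):
    """Client side: a response is genuine only if it was computed over our request's authenticator."""
    if len(response) != 20 or response[0] != ACCT_RESPONSE or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)
```

The authenticator is the only thing standing between an attacker who can spoof the client's source address and a free login as any user at any IP, which is why the shared secret, not the client IP filter alone, carries the security of this SSO method, and why it should be long and random. Flipping one byte of a captured Start packet, or replaying it with the wrong secret, is rejected by sso_decision; replaying an unmodified packet is not, so a real deployment should also track Acct-Session-Id values it has already seen.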

Web Policy Actions for Unauthenticated Users (Captive Portal)

Prompt unauthenticated users to login

Select Yes to redirect the access request of unauthenticated users either to the Captive Portal or to the Custom Message page.

Select No to drop unauthenticated user traffic. Unauthenticated users will not be redirected to the Captive Portal or the Custom Message page.

Login prompt method

Configure where the unauthenticated user access requests should be redirected to.

Available Options:

• Include link to the Captive Portal in the User Notification message

• Display a custom message

Select Include link to the Captive Portal in the User Notification message, if an unauthenticated user access request is to be forwarded to the Captive Portal page.

Captive Portal uses HTTPS

If enabled, the user reaches the Captive Portal page through a secure channel. Leave this enabled: over plain HTTP the username and password typed into the portal cross the network in plaintext.

Default: Enabled

Provide link to full User Portal

If enabled, the User Portal link is available on the Captive Portal page.

Default: Enabled

Redirect to a URL after login

If enabled, the user is redirected to the requested page or to a custom page after login.

URL to redirect

If the request is to be redirected to a custom page, click Custom URL and specify the URL; otherwise click User requested URL.

Preserve captive portal after login

Select Yes to minimize the Captive Portal popup once the user is successfully authenticated. Selecting No keeps the Captive Portal displayed on screen after successful authentication.

Use keep alive to maintain user session

Disable to log out the user after the configured inactivity time. If disabled, specify User Inactivity Timeout and Data Transfer Threshold.

The keep alive request is exchanged continuously between the device and the user's browser to check whether the user has logged out or is idle. If the device does not receive a response, the user is logged out automatically.

The more concurrent HTTP Captive Portal users there are, the more keep-alive requests are exchanged. With many concurrent Captive Portal users we recommend disabling this option.

Default: Enabled

User Inactivity Timeout

User Inactivity timeout is the inactive/idle time in minutes after which user will be logged out and has to re-authenticate. Enable and specify timeout duration in minutes.

Acceptable range: 3 to 1440 minutes

Alternatively, select the checkbox Unlimited to keep the user logged in.

Default: Disabled

Data Transfer Threshold

Specify a threshold value in bytes for the data transfer. If the minimum data is not transferred within the specified time, the user will be marked as inactive.

Select Display a custom message if unauthenticated users are to be shown a custom message instead.

Page Header Image

Select Default to display the default image shipped with the device at the top of the custom message page, or select Custom to browse and upload a customized image.

Supported image format: JPG, PNG or GIF

Size: 700 X 80 pixels

Page Footer Image

Select Default to display the default image shipped with the device at the bottom of the custom message page, or select Custom to browse and upload a customized image.

Supported image format: JPG, PNG or GIF

Size: 700 X 80 pixels

Custom Message

Specify a message. You can customize the message to include the client IP address, category, and URL.

Blink Custom Message

Enable this option to display a blinking message.

Preview

Preview and check how the message will be displayed before saving the configuration.


Figure 393: Captive Portal Settings

Groups

The Groups page displays a list of all the default and custom groups.

A group is a collection of users having common policies that can be managed as a single unit thus providing the possibility to assign various policies to a number of users in one operation/step. Users that belong to a particular group are referred to as group users.

A group can contain default as well as custom policies.

Various policies that can be grouped are:

• Surfing quota policy which specifies the duration of surfing time and the period of subscription

• Access time policy which specifies the time period during which the user will be allowed access

• Network traffic policy which specifies the time allocated to cyclic/non-cyclic network traffic

• Traffic shaping policy which specifies the bandwidth allocated for upload and download traffic

• Remote access policy which controls the access of remote clients

• Clientless policy which controls the access of clientless users

Creating a New User Group

This page describes how to configure a user group.

Once the appropriate group is assigned, the user will automatically inherit all the policies added to the group.

1. Go to Configure > Authentication > Groups and click Add.

2. Specify the user group details.

Group Name

Enter a unique name for the group.

Description

Specify a description for the group.

Group Type

Select the group type.

Available Options:

Normal - The user of this group needs to log on using the client device to access the Internet.

Clientless - The user of this group does not need to log on using the client device to access the Internet and is symbolically represented by "group name (C)". Access control is performed through the IP address.


Figure 394: User Group Details

3. Specify the Policies.

Surfing Quota

Select the surfing quota policy from the list.

Note: For the group type Clientless, the option Unlimited is automatically applied.

Access Time

Select the access time policy from the list.

Note: For the group type Clientless, the option Unlimited is automatically applied.

Network Traffic (not available for the Clientless group)

Select the network traffic policy from the list.

Configured policy will be applicable to all the users who are member of this group.

Traffic Shaping

Select the traffic shaping policy from the list.

Configured policy will be applicable to all the users who are member of this group.

Remote Access

Select a remote access policy from the list. Group members inherit this policy unless a different policy is set on the user.

You can also create a new policy directly on this page or from the Configure > VPN > SSL VPN (Remote Access) page.

If the group is not to be provided SSL VPN access, select No Policy Applied.

Clientless

Select a clientless access policy from the list. Group members inherit this policy unless a different policy is set on the user.

You can also create a new policy directly on this page or from the Configure > VPN > Clientless Access page.

If the group is not to be provided clientless access, select No Policy Applied.

Quarantine Digest

Configure quarantine digest.

Quarantine digest is an email containing a list of quarantined spam messages filtered by the device and held in the user quarantine area. If configured, the device will mail the digest on an hourly, daily or weekly basis to the user. The digest also provides a link to the User Portal from where the user can access and take action on quarantined messages.

Available Options:

Enable - The user will receive the quarantine digest at the configured frequency. This setting overrides the group setting.

Disable - The user will not receive quarantine digest. This setting overrides the group setting.

Note: Quarantine digest is not applicable to Wi-Fi devices.

MAC Binding

Enable to bind the user to a MAC address. By binding a user to a MAC address, you map the user to a group of MAC addresses, and the user can log in only from those addresses. Treat this as a convenience control rather than a security boundary: a MAC address is trivially spoofed by anyone on the same network segment.

L2TP (not available for the Clientless group)

Enable to grant group members access through an L2TP connection.

PPTP (not available for the Clientless group)

Enable to grant group members access through a PPTP connection. PPTP with MS-CHAPv2 authentication is considered cryptographically broken; prefer L2TP/IPsec or SSL VPN for new deployments.

Login Restriction (not available for the Clientless group)

Select the appropriate option to specify the login restriction for the group.

Available Options:

Any Node - Select to allow a user to login from any of the nodes in the network.

Selected Nodes - Select to restrict user login to the specified nodes. Specify an IP address. For an existing group, you can add further nodes, edit a node or remove a node.

Node Range - Select to allow the user to login from a range of IP address. Specify the IP address range.

For the options Selected Nodes and Node Range, only IPv4 addresses are permitted.


Figure 395: Policies

4. Click Save.

Note: User configuration (MAC binding and policies) takes precedence over the group configuration.

Adding Users to the Existing Groups

This page describes how to add a user to an existing group.

1. Go to Configure > Authentication > Groups

2. Select the group to which you want to add the users by clicking the respective icon in the Manage column.

3. Click Add Member(s).

A pop-up window Add Group Member appears providing a list of all the users who can be added to the group along with some details. To search for a user filter the list based on the name and/or the current group.

4. Select the user you want to add to the group. You can select a single user or multiple users on the same page.

5. Click Add to confirm adding the member to the group.

6. Click Save.

The user is added to the group. You can check this by editing the group and clicking the Show Group Members button.

Viewing List of Group Members

This page describes how to check a user's membership in a group.

1. Go to Configure > Authentication > Groups.

2. Select the group for which you want to view the group members and click the edit icon in the Manage column.


3. Click Show Group Member(s).

A pop-up Group Members appears providing the list of all the users who are member of the selected group along with their usernames.

4. Click Close to close the Group Members pop-up window.

Users

The Users page displays the list of all users added in the device.

Users are identified by an IP address or a username and are assigned to a user group. All the users in a group inherit the policies defined for that group.

User Types

The device supports the following types of users:

• Normal

• Clientless

• Single Sign-On

• Thin Client user

• WWAN user

A normal user has to log in to the device, which requires a client (client.exe) on the user machine or the use of the HTTP client component; all policy-based restrictions are applied.

A clientless user does not require a client component (client.exe) on the user machine.

If Single Sign-On settings are configured, users are automatically logged to the device.

Thin client users do not need to have a client installed on the user machine.

WWAN users can log on via WLAN.

Use the given decision matrix below to choose which type of the user should be created.

Table 6: Decision matrix for adding a user

Feature                          | Normal User | Clientless User | Single Sign On User
User login required              | Yes         | No              | No
Type of Group: Normal            | Yes         | No              | Yes
Type of Group: Clientless        | No          | Yes             | No
Apply login restriction          | Yes         | Yes             | Yes
Apply Surfing Quota policy       | Yes         | No              | Yes
Apply Access Time policy         | Yes         | No              | Yes
Apply Traffic Shaping policy     | Yes         | Yes             | Yes
Apply Web Filter policy          | Yes         | Yes             | Yes
Apply Application Group policy   | Yes         | Yes             | Yes
Apply Network Traffic policy     | Yes         | No              | Yes

The page displays a list of all the available users along their user IDs, names and usernames, user types, profiles, group memberships, and their activity status.


Note: You can also view and manage live users on the Monitor & Analyze > Current Activities > Live Users page.

Registering a New User

This page describes how to create a new user and quickly configure a related policy.

Once a user is registered successfully, the page provides two more options:

Reset User Accounting - Click to reset the Internet usage time and data transfer of the user.

View Usage - Click to view the Internet usage and data transfer usage for that user.

1. Go to Configure > Authentication > Users and click Add.

2. Specify the user details.

Username

Enter a unique username for the user.

Name

Enter a name for the user.

Description

Specify a description for the user.

Password

Specify a password and re-enter the same password for confirmation.

The password is case-sensitive.

User Type

Select the type of user from the available options.

Available options:

• User

• Administrator

Profile (available only if the selected User Type is Administrator)

Select the administrator profile. The administrator will get access to various Admin Console menus as per the configured profile.

You can create a new profile directly from this page or from the System > Profiles > Device Access page after clicking Add.

Email

Enter an email address for the user. Use commas to separate multiple email addresses.

Figure 396: Add User

3. Specify the Policies details.

Group

Select a group in which the user is to be added. User will inherit all the policies assigned to the group.

Surfing Quota

By default, the user will inherit its group policy. To override the group policy, select the policy from the list.

You can also create a new policy directly from this page or from the Protect > Web > Surfing

Quotas page.

Access Time

By default, the user will inherit its group policy. To override the group policy, select the policy from the list.

You can also create a new policy directly from this page or from the System > Profiles > Access Time page.

Network Traffic

By default, the user will inherit its group policy. To override the group policy, select the policy from the list.

You can also create a new policy directly from this page or from the System > Profiles > Network Traffic Quota page.

Traffic Shaping

By default, the user will inherit its group policy. To override the group policy, select the policy from the list.

You can also create a new policy directly from this page or from the System > Profiles > Traffic Shaping page.


Figure 397: Policies

4. Specify the SSL VPN Policy details.

Remote Access

By default, the user will inherit its group policy. To override the group policy, select a policy from the list.

You can also create a new policy directly from this page or from the Configure > VPN > SSL VPN (Remote Access) page.

If the user is not to be provided SSL VPN access then select No Policy Applied.

Clientless

By default, the user will inherit its group policy. To override the group policy, select a policy from the list.

You can also create a new policy directly from this page or from the Configure > VPN > Clientless Access page.

If the user is not to be provided clientless access then select No Policy Applied.

L2TP

By default, the user is provided remote access through L2TP. Disable if remote access is not to be provided to the user.

If enabled, provide the IP address (IPv4/IPv6) to be leased to the user for L2TP access.

PPTP

By default, the user is provided remote access through PPTP. Disable if remote access is not to be provided to the user.

If enabled, provide the IP address (IPv4/IPv6) to be leased to the user for PPTP access.

CISCO VPN Client

By default, the user is provided remote access through CISCO VPN client. Disable if remote access is not to be provided to the user.

If enabled, provide the IP address (IPv4/IPv6) to be leased to the user for CISCO VPN access.

Note: To use this feature, the CISCO™ VPN client needs to be configured from the Configure > VPN > Cisco VPN Client page.

Quarantine Digest

Configure the quarantine digest.

Quarantine digest is an email containing a list of quarantined spam messages filtered by the device and held in the user quarantine area. If configured, the device will mail the digest to the user at the configured frequency. The digest also provides a link to the User Portal from where the user can access and take action on quarantined messages.

Available options:

Enable - The user will receive the quarantine digest daily. This option overrides the group setting.

Disable - User will not receive quarantine digests. This option overrides the group setting.

Note: This feature is only available for non-wifi devices.

Simultaneous Logins

Specify the number of concurrent logins that will be allowed for the user, or click Unlimited to allow unlimited concurrent logins.

Acceptable range: 1 to 99

Default: 1

Note: The specified setting will override the global setting specified in the client preferences.

MAC Binding

Enable or disable MAC binding. By binding the user to MAC addresses, you restrict the user to a fixed set of machines.

If enabled, specify the MAC addresses, for example 01:23:45:67:89:AB.

Once MAC binding is enabled, the user will only be able to log in from the pre-specified machines.

Use a comma to separate multiple MAC addresses, for example 01:23:45:67:89:AB, 01:23:45:67:89:AC.

Login Restrictions

Select the appropriate option to specify the login restriction for the user.

Available options:

Any Node - User will be able to login from any of the nodes in the network.

User Group Node(s) - User will be able to login only from the nodes assigned to his group.

Selected Nodes (only available for IPv4) - User will be able to login from the specified nodes only.

Node Range (only available for IPv4) - User will be able to login from any of the IP addresses from the configured range.


Figure 398: SSL VPN Policy

5. Select Administrator Advanced Settings (available only if the user type is Administrator)

Schedule for Device Access

Schedule the device access.

The administrator will be able to access the device only during the time configured in the schedule.

Login Restriction for Device Access

Select the appropriate option to specify the login restriction for the user.

Available options:

Any Node - Administrator will be able to login from any of the nodes in the network.

Selected Nodes - Administrator will only be able to login from the specified nodes.

Node Range - Administrator will be able to login from any of the IP addresses from the configured range.

Reset User Accounting (available only when editing a user)

Click to reset the Internet usage time and network traffic of the user.

View Usage (available only when editing a user)

Click to view the Internet usage and data transfer usage.

Note: User configuration is given precedence over group configuration.

Figure 399: Administrator Advanced Settings

6. Click Save.


Reset User Accounting

This option allows you to reset the Internet usage time and data transfer of the user.

1. Edit the user account of the user whose data accounting you want to reset by clicking the icon in the Manage column.

2. Click Reset User Accounting and OK to confirm.

Note: You cannot reset user accounting for the live user.

View Usage

This page describes how to view the Internet usage and data transfer usage of users.

1. Go to Configure > Authentication > Users.

2. Edit the user account of the user whose data usage you want to view by clicking the icon in the Manage column.

3. Click View Usage.

A pop-up window displays policy information such as time allotted, renewal of the surfing quota cycle, the data transfer cycle and the spent Internet usage time. In addition it provides facts on the network traffic.

4. Select the month for which you want to display the usage information.

5. Click OK to return to the parent page.

Importing User Information

The Import Users page allows you to add new users by importing user details from a file.

If you already have the user details in a CSV file, you can upload that file instead of creating the users again on the device.

1. Go to Configure > Authentication > Users and click Import to import the csv file.

2. Click Browse and select the complete path of the file containing the user information.

3. Note the CSV file format requirements:

• Header (first) row should contain field names. Format of header row:

• Compulsory field: username

• Optional fields: password, name, group, email address

• Fields can be configured in any order.

• Subsequent rows should contain values corresponding to each field in the header row.

• Number of fields in each row should be same as in the header row.

• An error will be displayed if data is not provided for any field specified in the header.

• Blank rows will be ignored.

• If no password field is included in the header row then it will be set the same as the username.

• If no group name is included in the header row, the administrator will not be able to configure a group at the time of migration.

4. Click Upload to import the file.
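A validator for the CSV rules above, added here as an example and not part of Sophos XG Firewall: it checks a file against the listed format requirements before upload and warns where the import would leave a password equal to the username. The lowercase header names and the error texts are assumptions.

```python
"""Check a user-import CSV against the format rules listed on this page.

Added example, not Sophos code. Rules applied: header row of field names in
any order, username compulsory, optional password/name/group/email address,
blank rows ignored, every data row must have as many fields as the header and
no empty values, password defaults to the username when there is no password
column. Header spellings and error texts are assumptions.
"""
import csv
import io
from typing import Dict, List, Tuple

COMPULSORY = {"username"}
OPTIONAL = {"password", "name", "group", "email address"}


def parse_user_import(csv_text: str) -> Tuple[List[Dict[str, str]], List[str]]:
    """Return (users, warnings); raise ValueError on a row the import would reject."""
    reader = csv.reader(io.StringIO(csv_text))
    # Keep the file's row numbers for error messages; blank rows are ignored.
    rows = [(n, row) for n, row in enumerate(reader, start=1)
            if any(cell.strip() for cell in row)]
    if not rows:
        raise ValueError("file has no header row")
    header_no, header = rows[0]
    fields = [h.strip().lower() for h in header]
    unknown = set(fields) - COMPULSORY - OPTIONAL
    if unknown:
        raise ValueError(f"row {header_no}: unknown field(s) {sorted(unknown)}")
    if len(set(fields)) != len(fields):
        raise ValueError(f"row {header_no}: duplicate field names")
    missing = COMPULSORY - set(fields)
    if missing:
        raise ValueError(f"row {header_no}: compulsory field(s) missing {sorted(missing)}")

    warnings: List[str] = []
    if "password" not in fields:
        warnings.append("no password column: every password will equal the username")
    if "group" not in fields:
        warnings.append("no group column: group cannot be assigned during import")

    users: List[Dict[str, str]] = []
    seen = set()
    for n, row in rows[1:]:
        if len(row) != len(fields):
            raise ValueError(f"row {n}: {len(row)} fields, header has {len(fields)}")
        record = {f: v.strip() for f, v in zip(fields, row)}
        empty = [f for f, v in record.items() if not v]
        if empty:
            raise ValueError(f"row {n}: no data for field(s) {empty}")
        # Usernames must be unique (see the Username field on the Add page).
        if record["username"] in seen:
            raise ValueError(f"row {n}: duplicate username {record['username']!r}")
        seen.add(record["username"])
        record.setdefault("password", record["username"])
        if record["password"] == record["username"]:
            warnings.append(f"row {n}: password equals username for {record['username']!r}")
        users.append(record)
    return users, warnings
```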

Exporting Users

This menu allows you to export user information.

1. Go to Configure > Authentication > Users and click Export to export the user details in a csv file.

A pop-up window appears displaying the name of the csv file you are going to export.

2. Select to open or save the file.

3. Click OK.

The csv file is generated with the following headers: Name, Username, Enc_password, Email Address, and Group.

Note: Backend users, that is, users who are authenticated against a backend authentication service like Active Directory, will not be exported.


Purging Active Directory Users

This page allows you to purge AD Users.

1. Go to Configure > Authentication > Users and click Purge AD Users to synchronize the device's Active Directory users with an external Active Directory server.

Note: The purge operation will not interrupt user login/logout and accounting events. If HA is configured, user details are deleted from both the primary device and the auxiliary device.

2. Click OK to confirm the message.

Change Status

1. Go to Configure > Authentication > Users.

2. Select a user whose status is to be changed and click Change Status to change the status of that user.

If the current status is Enabled, the status of the user will change to Disabled when you click this button, and vice versa.

One-Time Password

On this page, you can configure the one-time password (OTP) service, and you can monitor or edit the tokens of the one-time-password users.

One-time passwords are a method to improve security for password-based authentication. The user-specific password, which is sometimes too weak, is supplemented with a one-time password that is valid for only one login. Thus, even if an attacker gets hold of it, he will not be able to log in with it.

One-time passwords change continually, at regular intervals, and are calculated automatically by a specific algorithm. Soon after a new password is calculated, the old password expires automatically. To calculate one-time passwords, the user needs either a mobile device with the appropriate software, or a special hardware or security token. Hardware tokens are ready to use from the start. On the mobile device, the end user needs to install Sophos Authenticator or similar software and deploy the configuration, which is available in the User Portal as a QR code, on the start page or on the OTP Token page (see User Portal page). Having done that, the device calculates one-time passwords in token-specific intervals. It is important that date and time are correct on the mobile device, as the time stamp is used for one-time password generation.

Note: To authenticate on the facilities where the one-time password is required, the user has to enter his user-specific device password, directly followed by the one-time password.

The administrator can also generate one-time passwords, also known as passcodes, manually. In this case, you have to ensure that these one-time passwords, which are not time-limited, are safely transmitted to the end user. This process, however, should only be considered a temporary solution, for example when a user temporarily has no access to his or her password-calculating device.

The page displays all existing one-time passwords. You can add, update or delete an OTP. For each OTP, the list shows:

Username

Displays the user name of the OTP owner.

Status

Displays the status of the OTP.

Secret

Displays the 32-hex secret of the OTP.

Related information

Create OTP Token Automatically for Two-Factor Authentication

Add OTP Token

This page enables you to add and edit one-time password tokens.

1. Go to Configure > Authentication > One-Time Password and click the Add button.

2. Specify the following details for adding an OTP token:

Secret

This is the shared secret of the user's hardware token or soft token. A hardware token has an unchangeable secret, given by the hardware producer. The soft token is created randomly by Sophos XG Firewall when Auto-create OTP tokens for users is enabled. The secret should have a hexadecimal format and consist of at least 32 characters.

User (optional)

Select the user to whom the token should be assigned.

Description (optional)

Add a description or other information. This text will be displayed to the administrator together with the QR code. If you define different tokens for one person, e.g., a hardware token and a soft token for the mobile phone, it is useful to enter some explanation here, as all QR codes are displayed to the user side by side.

Use custom token timestep

If you need another timestep for a token than the default token timestep defined in the OTP Settings section, enable this toggle switch and enter the value. The timestep defined here has to correspond with the timestep of the user's password generation device, otherwise authentication fails.

Timestep

Enter the value for the additional timestep.

Acceptable range: 10 - 300 seconds.

Additional Codes (Available only when editing OTP token)

You can add one-time passwords manually for a token. Click the Plus icon to generate the one-time passwords (10 at maximum). These one-time passwords are not time-limited. A one-time password is deleted automatically once the user has logged in with it.

Figure 400: Add OTP Token

3. Click Save.

The OTP token for the specific user has been created and appears in the one-time password list on the One-time Password page.

Configure One-time Password

This page allows you to enable and configure the one-time password service.

1. Go to Configure > Authentication > One-Time Password and click the Settings button.

2. Activate the one-time password service by clicking on the ON/OFF slider.

3. Specify the OTP service status.

OTP for all users

If enabled, all users have to use one-time passwords. If only specific users should use one-time passwords, disable this option and select or add users or groups from the list.

Auto-Create OTP Tokens for users

If enabled, a QR code for configuring the mobile device software will be presented to the authorized users the next time they log in to the User Portal. For this to work, make sure that the users have access to the User Portal. When a user logs in to the User Portal, the respective token will appear in the OTP Tokens list. Enabling this feature is recommended when you are using soft tokens on mobile devices. If your users only use hardware tokens you should instead disable this option and add the tokens before enabling the OTP feature.

Enable OTP for facilities

Here, you select the Sophos XG Firewall facilities that should be accessed with one-time passwords by the selected users. When you select the Auto-create OTP tokens for users option, the User Portal needs to be enabled for security reasons: as the User Portal gives access to the OTP tokens, it should have no weaker protection itself.

Note: When selecting WebAdmin you have to ensure that the selected users have access to the one-time password tokens. Otherwise you may log them out permanently.

4. Specify the timestep settings.

Default token timestep in seconds

To synchronize one-time password generation on the mobile device and on the Sophos XG Firewall, the timestep has to be identical on both sides. Some hardware tokens use 60 seconds. Other software OTP tokens use a timestep of 30 seconds, which is the default value here. If the timestep does not match, authentication fails.

Acceptable Range: 10 - 300 seconds

Default: 30 seconds

Maximum passcode offset steps

This option sets the maximum passcode offset steps. For example, setting 3 steps restricts the clock of a token to drift by no more than 3 timesteps between two logins.

Acceptable range: 0 - 10 steps

Default: 1 step

Maximum initial passcode offset steps

This option sets the maximum initial passcode offset steps. For example, setting 10 steps restricts the clock of a token to drift by no more than 10 timesteps between two logins. This option is only applied when the user employs the token for the very first time.

Acceptable range: 0 - 600 steps

Default: 10 steps


Figure 401: Configure OTP

5. Click Apply.
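The timestep and passcode offset settings above, together with the non-time-limited additional codes from the Add OTP Token page and the "device password directly followed by the one-time password" login form, modelled in Python as an added example that is not Sophos code. It implements standard HOTP/TOTP (RFC 4226/6238) over a hex secret of at least 32 characters, with the drift window the offset settings describe; the six-digit code length, the replay check on already-accepted counters and the credential split are assumptions.

```python
"""TOTP verification with Sophos-style timestep and passcode offset steps.

Added example, not Sophos code. Secrets are hex strings of at least 32
characters as required by the Add OTP Token page. The six-digit passcode
length, the replay protection and split_credential() are assumptions.
"""
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

DIGITS = 6  # assumption: six-digit passcodes, as generated by common authenticator apps


def hotp(secret_hex: str, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    if len(secret_hex) < 32:
        raise ValueError("secret must be hexadecimal and at least 32 characters")
    key = bytes.fromhex(secret_hex)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


@dataclass
class OtpSettings:
    timestep: int = 30                   # Default token timestep in seconds
    max_offset_steps: int = 1            # Maximum passcode offset steps
    max_initial_offset_steps: int = 10   # Maximum initial passcode offset steps


@dataclass
class OtpToken:
    secret_hex: str
    timestep: Optional[int] = None       # "Use custom token timestep", else the default
    drift: Optional[int] = None          # last accepted clock offset in steps; None = never used
    last_counter: int = -1               # highest counter accepted so far (replay protection)
    additional_codes: Set[str] = field(default_factory=set)  # manually generated codes (max 10)

    def step(self, settings: OtpSettings) -> int:
        return self.timestep or settings.timestep


def verify_passcode(token: OtpToken, passcode: str, settings: OtpSettings,
                    now: Optional[float] = None) -> bool:
    """Accept a passcode if it matches within the allowed drift window.

    The window is +/- max_initial_offset_steps the first time a token is used
    and +/- max_offset_steps around the previously observed drift afterwards,
    which is what "restrict the clock of a token to drift no more than N
    timesteps between two logins" describes. Counters at or below the last
    accepted one are rejected so that a captured code cannot be replayed.
    """
    # Additional codes are not time-limited and are deleted once used.
    if passcode in token.additional_codes:
        token.additional_codes.discard(passcode)
        return True
    now = time.time() if now is None else now
    server_counter = int(now) // token.step(settings)
    known_drift = 0 if token.drift is None else token.drift
    window = (settings.max_initial_offset_steps if token.drift is None
              else settings.max_offset_steps)
    for delta in range(-window, window + 1):
        candidate = server_counter + known_drift + delta
        if candidate <= token.last_counter:
            continue
        if hmac.compare_digest(hotp(token.secret_hex, candidate), passcode):
            token.drift = known_drift + delta   # remember the token's clock offset
            token.last_counter = candidate
            return True
    return False


def split_credential(entered: str) -> Tuple[str, str]:
    """Assumption: the user types the device password directly followed by the passcode."""
    if len(entered) <= DIGITS or not entered[-DIGITS:].isdigit():
        raise ValueError("credential must end with a numeric passcode")
    return entered[:-DIGITS], entered[-DIGITS:]
```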

Captive Portal

The Captive Portal allows customization of the Captive Portal login page.

The device provides flexibility to customize the Captive Portal login page. This page can include your organization name and logo.

The device also supports a customized page in languages other than English.

External users, who need to use authentication services, are required to log in over the Captive Portal once before they get access to the User Portal. External users can access the Captive Portal by browsing to https://<Sophos Device IP Address>:8090. After login, external users have access to the User Portal and are listed on the Configure > Authentication > Users page. External users can access the User Portal by browsing to https://<Sophos Device IP Address> or clicking Click here for User My Account on the Captive Portal page.

1. Go to Configure > Authentication > Captive Portal.

2. Specify the General Settings.

Logo

Decide which logo to use.

Custom - Select to upload a custom logo and specify the image file to be uploaded. Click Browse to browse and select the complete path.

Default - Select to use the default logo.

The image size should not exceed 125x70 pixels.

Logo URL

Provide a URL to be redirected to when the logo is clicked.

Default:

/www.sophos.com

Page Title

Change the page title if required.

Default: Network Authentication

Login Page Header

Provide the text to be displayed on the Captive Portal login page.

Login Page Footer

Provide a message to be displayed in the footer of the Captive Portal login page.

Username Caption

Provide a label for the textbox to be displayed on the Captive Portal login page.

Default: Username

Password Caption

Provide a label for the textbox to be displayed on the Captive Portal login page.

Default: Password

Login Button Caption

Provide a label for the button to be displayed on the Captive Portal login page.

Default: Login

Logout Button Caption

Provide a label for the button to be displayed on the Captive Portal login page.

Default: Logout

User Portal Link Caption

Provide a text to be displayed for the User Portal login page link. By clicking the link, the user will be directed to the User Portal login page.

Default: Click here for User Portal


Figure 402: General Settings

3. Specify the Color Scheme settings.

Customize the color scheme of the Captive portal if required. Specify the color code or click the square box to pick the color.

Figure 403: Color Scheme

4. Specify the Custom HTML Template settings.

Use Custom HTML Template

Select to fully customize Captive Portal using custom HTML code.

HTML Text

Provide HTML code to render the Captive Portal according to your requirement. Dynamic contents like banners from external web servers, a customizable Message of the day box and so on can be integrated in the HTML code.

By default, sample HTML will be displayed.

Note: It is compulsory to have one HTML div element with the ID '__loginbox' (e.g. <div id='__loginbox'></div>). The system will render the necessary input elements in this div.


Figure 404: Custom HTML Template

5. Select from the following possibilities:

Apply

Click to save your settings.

Preview

Click to view the custom settings before saving the changes.

Reset To Default

Click to revert to the default settings.

Guest Users

The Guest Users page displays a list of all the guest users added.

Users without a pre-existing user account who want to access the Internet using a hotspot, via a network available at airports, hotels, hostels, etc., are called "guest users". These users, who are otherwise considered unauthenticated and/or are denied access, are allowed to request Internet access for a limited time by authenticating themselves. Once authenticated, these users are authorized to access the Internet as guest users. At such public places, Internet access is secured by configuring access policies to restrict any malicious use of the network.

Sophos XG Firewall allows the administrator to pre-configure individual or multiple guest users using the Admin Console. The credentials of guest users configured via the Admin Console can be printed and handed over to the guest user. Alternatively, guest users can register themselves using the guest user portal. The credentials and Internet access details of guest users registered via the guest user portal can either be sent via SMS or be printed.

In case of successful authentication the guest user is granted access according to the applicable group, or else is redirected to the Captive Portal page.

You can filter the list based on the name or username of the user, the cell phone number of the user, and the validity of the user account. The page also provides options to add a single or multiple users, distribute credentials for Internet access, update user parameters, and view or reset the data transfer usage.

Resend Credential - Click the Resend Credential icon in the Manage column against a user registered via the Guest User Portal to whom the SMS with the access details is to be resent.

Registering a Single Guest User

This page describes how to register a new single guest user.

This page allows you to manually enter and configure guest user details. Before adding a guest user, you have to configure the general settings on the Configure > Authentication > Guest User Settings page.

1. Go to Configure > Authentication > Guest Users and click Add Single.

2. Specify guest user details.

Username

Displays auto-generated username.

Password

Displays auto-generated password.

Name

Specify the name of the guest user.

Email

Specify the email address of the guest user.

User Validity (Duration in Days)

Specify the validity for the specified guest user in days.

Minimum number of days: 1 day

Maximum number of days: 999 days

Validity Start

Select the type from when a user's validity should be counted.

Available Options:

Immediately - Validity is counted from the time the guest user is created.

After First Login - Validity is counted from the time the guest user logs into the network for the first time.


Figure 405: Add Guest User

3. Click Add to register the guest user or Add and Print to register the user and print the login credentials.

Reset User Accounting

This option allows you to reset the Internet usage time and data transfer of the user.

1. Edit the user account of the user whose data accounting you want to reset by clicking the icon in the Manage column.

2. Click Reset User Accounting and OK to confirm.

Note: You cannot reset user accounting for the live user.

View Usage

This page describes how to view the Internet usage and data transfer usage of users.

1. Go to Configure > Authentication > Users.

2. Edit the user account of the user whose data usage you want to view by clicking the icon in the Manage column.

3. Click View Usage.

A pop-up window displays policy information such as time allotted, renewal of the surfing quota cycle, the data transfer cycle and the spent Internet usage time. In addition it provides facts on the network traffic.

4. Select the month for which you want to display the usage information.

5. Click OK to return to the parent page.

Register Multiple Guest Users

This page describes how to create multiple guest users.

1. Go to Configure > Authentication > Guest Users and click Add Multiple.

2. Specify the guest user details.

Number of Users

Specify the number of guest users to be created.

User Validity (Duration in Days)

Specify the validity of multiple guest users in days.

Minimum number of days: 1 day

Maximum number of days: 999 days

Validity Start

Select the type from when the users' validity should be counted.

Available Options:

Immediately - Validity is counted from the time the guest users are created.

After First Login - Validity is counted from the time one of the guest users just created logs into the network for the first time.


Figure 406: Add Guest User

3. Click Add to register the users or Add and Print to register the users and print the login credentials.

The guest users have been created and appear on the Guest Users page.

Note: The users only appear with the name "guest-XXX". To allocate names to these entries, you have to edit each user.

Update Guest User Configuration

This page describes how to change the policies configured for the guest user.

1. Go to Configure > Authentication > Guest Users.

2. Select the guest user for which you want to change the policies by clicking the icon in the Manage column.

3. Update the guest user details.

Username

Displays the username of the guest user.

Name

Change the name of the guest user if required.

Description

Specify a description of the guest user.

Password

Displays the password in encrypted format.

You can change the password by clicking on Change Password.

If you change it, enter the new password in the Password field and re-enter it in the Confirm Password field.

Cell Phone Number

Displays the cell phone number.

Note: The cell phone number cannot be edited.

Email

Change the email address of the guest user if required.

Internet Usage Time

Displays total Internet usage time information in HH:MM format.


Figure 407: Edit Guest User

4. Specify the Policies.

Group

Displays the group to which the user belongs. User will inherit all the policies assigned to the group.

Note: The guest user group cannot be edited.

Surfing Quota

Select the surfing quota policy from the list.

You can also create a new policy directly from this page by selecting Create new and attach it to the user.

Access Time

Select the access time policy from the list.

You can also create a new policy directly from this page by selecting Create new and attach it to the user.

Network Traffic

Select the network traffic policy from the list.

You can also create a new policy directly from this page by selecting Create new and attach it to the user.

Traffic Shaping

Select the traffic shaping policy from the list.

You can also create a new policy directly from this page by selecting Create new and attach it to the user.

Note: User configuration is given precedence over group configuration i.e. user MAC binding and policies configuration is given priority over group configuration.


Figure 408: Policy

5. Specify the SSL VPN Policy details.

Remote Access

Select a policy for remote access from the list or create a new one. To create a new policy, select Create new.

You can create a new policy directly from this page or from the Configure > VPN > SSL VPN (Remote Access) page.

Clientless

Select a policy for clientless access from the list or create a new one. To create a new policy, select Create new.

You can create a new policy directly from this page or from the Configure > VPN > Clientless Access page.

If a user is not to be provided SSL VPN access then select No Policy Applied.

L2TP

Enable if you want to allow the user to get access through an L2TP connection.

Provide the IP address to be leased to the guest user for L2TP access.

PPTP

Enable if you want to allow the user to get access through a PPTP connection.

If enabled, provide the IP address (IPv4/IPv6) to be leased to the guest user for PPTP access.

CISCO VPN Client

By default, the user is provided remote access through the CISCO VPN client. Disable if remote access is not to be provided to the user.

If enabled, provide the IP address (IPv4/IPv6) to be leased to the user for CISCO VPN access.

Note: To use this feature, the CISCO™ VPN client needs to be configured from the Configure > VPN > Cisco VPN Client page.

Quarantine Digest

Configure the quarantine digest.

Quarantine digest is an email and contains a list of quarantined spam messages filtered by the device and held in the user quarantine area. If configured, the device will mail the quarantine digest to the user every day. The digest provides a link to the user's My Account from where the user can access his quarantined messages and take the required action.

Available Options:

Enable - User receives the quarantine digest daily. This option overrides the group setting.

Disable - User does not receive quarantine digests. This option overrides the group setting.

Note: Quarantine digest is not applicable to Wi-Fi devices.

Simultaneous Logins

Specify the number of concurrent logins that will be allowed for the user, or click Unlimited to allow unlimited concurrent logins.

The specified setting overrides the global setting specified in the client preferences.

MAC Binding

Enable/disable MAC Binding. By binding the user to a MAC address, you are mapping the user with a group of MAC addresses.

For Selected Nodes and Node Range only IPv4 addresses can be provided.

MAC address List

Specify MAC addresses, for example 01:23:45:67:89:AB.

Once you enable MAC binding, the user can login through pre-specified machines only.

To configure multiple MAC addresses, separate them with commas. For example 01:23:45:67:89:AB, 01:23:45:67:89:AC.

Login Restriction

Select the appropriate option to specify the login restriction for the user.

Available Options:

Any Node - User can login from any of the nodes in the network.

User Group Node(s) - User can login only from the nodes assigned to the group.

Selected Nodes - User can login from the specified nodes only.

Node Range - User can login from any of the IP addresses from the configured range.


Figure 409: SSL VPN Policy

Note: Before saving, you have two more options on this page:

Reset User Accounting

- Click to restart the accounting of the guest user's Internet usage.

Note: You cannot reset the user accounting of live users.

View Usage

- Click to view the Internet usage information of a particular guest user.

6. Click Save.

The guest user settings have been updated.

Clientless Users

The Clientless Users page displays a list of all the clientless users.

Clientless users are the users who can bypass the client login to access the Internet and are managed by the device itself. As clientless users can bypass the device login, create clientless users when your network has few non-Windows machines, VOIP boxes, or servers.

Add a Single Clientless User

This page describes how to add a single clientless user.

1. Go to System > Authentication > Clientless Users and click Add.

2. Specify the clientless users details.

Username

Specify a username which uniquely identifies the user and will be used for login.

IP Address

Specify an IP address (IPv4/IPv6) for the clientless user.

Group

Select a group to which the user is to be added. The user will inherit all the policies assigned to the group.

Change the policies applied to the user by editing the user details (once the user has been created).

Name

Enter a unique name for the user.

Email

Specify an email address.

Quarantine Digest

Configure quarantine digest. Quarantine digest is an email and contains a list of quarantined spam messages filtered by the device and held in the user quarantine area. If configured, the device will mail the quarantine digest to the user every day. The digest provides a link to the User Portal from where the user can access quarantined messages and take the required action.

Available Options:

Enable - User will receive the quarantine digest daily. This option overrides the group setting.

Disable - User will not receive quarantine digests. This option overrides the group setting.

Apply Group Settings - User will receive quarantine digests as configured for the group the user belongs to.

Note: Quarantine digest is not available for Wi-Fi devices.

Description

Specify a user description.


Figure 410: Add Clientless User

By clicking the icon you can add further users.

By clicking the icon you can remove users.

3. Click Save.

Reset User Accounting

This option allows you to reset the Internet usage time and data transfer of the user.

1. Edit the user account of the user whose data accounting you want to reset by clicking the icon in the Manage column.

2. Click Reset User Accounting and OK to confirm.

Note: You cannot reset user accounting for the live user.

View Usage

This page describes how to view the Internet usage and data transfer usage of users.

1. Go to Configure > Authentication > Users.

2. Edit the user account of the user whose data usage you want to view by clicking the icon in the Manage column.

3. Click View Usage.

A pop-up window displays policy information such as the time allotted, the renewal of the surfing quota cycle, the data transfer cycle and the Internet usage time spent. In addition it provides facts on the network traffic.

4. Select the month for which you want to display the usage information.

5. Click OK to return to the parent page.

Add Multiple Clientless Users

This page describes how to add multiple clientless users.

1. Go to Configure > Authentication > Clientless Users and click Add Range.

2. Specify the following:

From IP

Specify a Start-IP address for the range.

To IP

Specify an End-IP address for the range.

Group

You can change the policies applied to the user by editing the user details. If you change the policies for the user, user specific policies will take precedence over user group policies.


Figure 411: Clientless User

3. Click Save.

The users have been created and appear on the Clientless Users page.

Note: The users only appear with their IP addresses. To allocate names to these addresses, you have to edit each user.

Changing Policies of the Clientless User

This page describes how to change the policies configured for a clientless user.

Changing the policies applied to a user can be performed by updating the user details. If you change the policies for the user, user specific policies will take precedence over user group policies.

1. Go to Configure > Authentication > Clientless Users.

2. Select the user for which you want to change the policies by clicking the icon in the Manage column.

3. Update the Policies.

Traffic Shaping

Change the Traffic Shaping policy applied to the user.

The policy applied here takes precedence over the group policy.

You can also create a new traffic shaping policy on this page or on the System > Profiles > Traffic Shaping page.

Quarantine Digest

Configure quarantine digest.

The quarantine digest is an email containing a list of quarantined spam messages filtered by the device and held in the user quarantine area. If configured, the device mails the quarantine digest to the user every day. The digest provides a link to the User Portal from where the user can access their quarantined messages and take the required action.

Available Options:

Enable - User will receive the quarantine digest daily. This option overrides the group setting.

Disable - User will not receive quarantine digests. This option overrides the group setting.

Note: Quarantine digest is not available for Wi-Fi devices.

Figure 412: Policies

Note: Before saving, you have two more options on this page.

Reset User Accounting

- Click to reset the Internet usage time and data transfer of the user.


Note: You cannot reset the user accounting of live users.

View Usage

- Click to view the Internet usage and data transfer usage.

4. Click Save.

Guest User Settings

This page allows you to configure general settings, registration settings and SMS gateway for guest users.

Users without a pre-existing user account who want to access the Internet using a hotspot, or via a network available at an airport, hotel, hostel, etc., are called "guest users". These users, who are otherwise considered unauthenticated and/or denied access, are allowed to request a connection to the Internet for a limited period by authenticating themselves. On being authenticated, these users are authorized to access the Internet as guest users. At such locations, Internet access is secured by configuring access policies to restrict any malicious use of the network.

Sophos XG Firewall allows the administrator to pre-configure single or multiple guest users using the Admin Console.

The credentials of guest users configured via the Admin Console can be printed and handed over to the guest user.

Alternatively, guest users can register themselves using the guest user portal. The credentials and Internet access details of guest users registered via the guest user portal can either be sent via SMS or printed.

On successful authentication the guest user is granted access according to the applicable group; otherwise the user is redirected to the Captive Portal page.

The page allows configuring general parameters to provide secured Internet access for guest users.

1. Go to Configure > Authentication > Guest User Settings.

2. Specify the Guest User General Settings.

Username Prefix

Enter a prefix to be used for auto-generation of a username for guest users.

Default: guest

Group

Select a group of policies to assign to guest users or create a new one.

Note: You can create a new group of policies directly from this page or from the Configure > Authentication > Groups page.

Password Length

Specify the length of the auto-generated password for Guest Users.

Acceptable range: 3 to 60 characters

Default: 8 characters

The password length is a basic security parameter; its value determines how well the password withstands a brute-force attack.

Password Complexity

Select the type of password to be used for the complexity of an auto-generated password from the available options:

Available options:

Numeric Password – Password will include only numeric characters.

Alphabetic Password – Password will include only alphabetic characters.

Alphanumeric Password – Password will include numeric as well as alphabetic characters.

Alphanumeric with Special Character Password – Password will include numeric, alphabetic and special characters.

The password strength is a function of its length, complexity, and unpredictability. Combining password length with password complexity makes a password difficult to guess.
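As an added illustration (not part of the guide and not Sophos code) of how length and complexity together determine the strength of the auto-generated guest password, the following Python script reproduces the four complexity options and computes the guessing entropy of each at the default length of 8. The guide does not list the exact character sets, so ASCII letters, digits and string.punctuation are assumed.

```python
import math
import secrets
import string

# Assumed character sets for the four Password Complexity options (the guide
# does not define them; these are this example's assumptions).
COMPLEXITY_CLASSES = {
    "Numeric Password": [string.digits],
    "Alphabetic Password": [string.ascii_letters],
    "Alphanumeric Password": [string.ascii_letters, string.digits],
    "Alphanumeric with Special Character Password": [
        string.ascii_letters, string.digits, string.punctuation],
}

# Acceptable range and default for Password Length, as stated in the guide.
MIN_LENGTH, MAX_LENGTH, DEFAULT_LENGTH = 3, 60, 8


def entropy_bits(complexity: str, length: int = DEFAULT_LENGTH) -> float:
    """Upper bound on guessing entropy: length * log2(size of the pool)."""
    pool = "".join(COMPLEXITY_CLASSES[complexity])
    return length * math.log2(len(pool))


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every password at an assumed guess rate (worst case for the attacker)."""
    return 2 ** bits / guesses_per_second


def generate_guest_password(complexity: str, length: int = DEFAULT_LENGTH) -> str:
    """Draw a password with the CSPRNG, resampling until every character class
    of the chosen option is present (the options say the password "will include"
    each class)."""
    if not MIN_LENGTH <= length <= MAX_LENGTH:
        raise ValueError(f"length must be between {MIN_LENGTH} and {MAX_LENGTH}")
    classes = COMPLEXITY_CLASSES[complexity]
    pool = "".join(classes)
    while True:
        candidate = "".join(secrets.choice(pool) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in classes):
            return candidate


def strength_table(length: int = DEFAULT_LENGTH) -> dict:
    """Entropy in bits for each complexity option at the given length."""
    return {name: round(entropy_bits(name, length), 1) for name in COMPLEXITY_CLASSES}


if __name__ == "__main__":
    # Assumed offline guess rate of 1e9/s, purely to put the bits into perspective.
    for name, bits in strength_table().items():
        print(f"{name:45s} {bits:5.1f} bits  "
              f"{seconds_to_exhaust(bits, 1e9):12.1f} s to exhaust at 1e9 guesses/s")
    print(generate_guest_password("Alphanumeric with Special Character Password"))
```

At the default length a Numeric password carries only about 26.6 bits, while the Alphanumeric with Special Character option carries about 52.4 bits; raising the length is the cheaper lever.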

Disclaimer

Provide the disclaimer message to be printed below every user’s login credentials.

Disclaimer once configured can be edited but cannot be removed.

Auto Purge on Expiry

Check to enable automatic purging of user details on expiry of user validity.

Note: Details of a user who is bound to rules (like firewall, IM, etc.) will not be purged automatically.


Figure 413: Guest User General Settings

3. Specify the Guest User Registration Settings.

Enable Guest Users Registration

Enable to allow secured Internet access to guest users.

SMS Gateway

Select the gateway using which SMS should be sent.

Alternatively, you may add the SMS gateway from this page itself by clicking Create new.

Guest Username

Select Use Cell Number as Username as method of generating a username.

If the Guest Username option is not selected, the new username is by default generated from the value specified in Username Prefix.

User Validity (Duration in Days)

Specify the validity of guest users in days.

Default Country Code

Enable to configure a default country code.

The selected country is displayed as the default option in the Cell Phone Number selection on the guest user registration page.

CAPTCHA Verification

Select to enable or disable CAPTCHA (Completely Automated Public Turing Test To Tell Computers and Humans Apart) code verification on the guest user registration page to ensure that the request comes from a human being.

With CAPTCHA verification enabled, the user is shown a picture with characters that the user must enter in the textbox provided below the picture. The administrator can thereby protect the device against attacks generated by automated programs.

Default: Enabled


Figure 414: Guest User Registration Settings

4. Click Apply.

5. Specify the SMS Gateway.

An SMS gateway allows sending and receiving short message service (SMS) messages to/from a home network for guest user registration. The device supports HTTP- and HTTPS-based SMS services.

Configure SMS Gateway

This page allows you to configure an SMS Gateway for guest user registration.

1. Go to Configure > Authentication > Guest User Settings and click Add under the SMS Gateway section.

2. Enter SMS gateway details.

Name

Enter the name of the SMS gateway.

URL

Specify the URL of the SMS gateway for sending an SMS request.

HTTP Method

Select the method for sending an SMS request to the SMS gateway from the options available:

Available Options:

Get - Requests data from a specified resource.

Post - Submits data to be processed to a specified resource.

Cell Number Format

Select to use country code with cell number.

Number Prefix

Specify the prefix value to be used with the cell number.

Number Prefix can include alpha-numeric and ASCII special characters.

It can be up to 4 characters long.

Request Parameters

Specify the following request parameters to configure the SMS gateway.

Name - A descriptor that describes the meaning of the value, e.g. username, password, mobile.

Value - The value of the variable defined for the Name.


Response Format

The response describes the delivery status of the message, such as success, failed or limit exceeded. The status message can be in various formats; some of them are described below:

Response Format: {0} | {1} | {2}

Response Received: success | mbno | msgid/transactionid

Response Format: <status>500</status><transactionid>{0}</transactionid><reason>{1}</reason>

Response Received: <status>500</status><transactionid>2323</transactionid><reason>Limit Exceeded</reason>

When the response format differs between success and failure, it is recommended that the response format string has a single content holder, e.g. {0}.

Response Parameters

A Response Parameter is the value captured by a content holder {0, 1, 2 ... n} that will be displayed in the log viewer.

Parameter Index: The content holder number {0, 1, 2 ... n}.

Name: The label under which the content holder's value is shown in the log viewer.

Example 1:

Parameter Index    Name
0                  Status
1                  Recipient
2                  SMSID

Example 2:

Parameter Index    Name
0                  SMSID - 2323
1                  SMS Status Message – Length Exceeded
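The following Python script is an added example (not part of the guide and not Sophos code) of how a Response Format with content holders and a Response Parameters table can be applied to a received gateway reply: the template is turned into an anchored regular expression, the holders are captured by index, and the indexes are mapped to the configured names as the log viewer would show them. The replies and the success check are constructed for this example; the gateway itself is not contacted.

```python
import re
from typing import Dict, Optional

# Content holders as typed into the Response Format field: {0}, {1}, ... {n}
_PLACEHOLDER = re.compile(r"\{(\d+)\}")


def template_to_regex(template: str) -> "re.Pattern[str]":
    """Turn a Response Format string into a regular expression.

    Literal text between holders is escaped so characters such as '|', '<'
    and '{' match themselves; each {n} becomes the named group "p<n>".
    Non-greedy groups let the literal separators (" | ", "</transactionid>")
    delimit the captured values.
    """
    parts = []
    pos = 0
    for match in _PLACEHOLDER.finditer(template):
        parts.append(re.escape(template[pos:match.start()]))
        parts.append(f"(?P<p{match.group(1)}>.*?)")
        pos = match.end()
    parts.append(re.escape(template[pos:]))
    return re.compile("".join(parts), re.DOTALL)


def extract_parameters(template: str, response: str) -> Optional[Dict[int, str]]:
    """Match a received gateway response against the Response Format.

    Returns {parameter_index: value} for every content holder, or None when
    the response does not fit the template at all (for instance a failure
    reply in a different layout), which is why a single {0} holder is the
    recommended template when success and failure responses differ.
    """
    match = template_to_regex(template).fullmatch(response.strip())
    if match is None:
        return None
    return {int(name[1:]): value for name, value in match.groupdict().items()}


def to_log_fields(values: Dict[int, str], names: Dict[int, str]) -> Dict[str, str]:
    """Apply the Response Parameters table (Parameter Index -> Name).

    The result is what the log viewer would display for the SMS attempt;
    holders without a configured name are dropped.
    """
    return {names[index]: values[index] for index in sorted(names) if index in values}


def delivery_succeeded(fields: Dict[str, str], status_field: str = "Status") -> bool:
    """Constructed success check: a Status value of 'success' means delivered."""
    return fields.get(status_field, "").strip().lower() == "success"


if __name__ == "__main__":
    # Constructed replies modelled on the two formats shown in the guide.
    pipe_format = "{0} | {1} | {2}"
    pipe_names = {0: "Status", 1: "Recipient", 2: "SMSID"}
    fields = to_log_fields(extract_parameters(pipe_format, "success | 9876543210 | 2323"), pipe_names)
    print(fields, "delivered" if delivery_succeeded(fields) else "not delivered")

    xml_format = "<status>500</status><transactionid>{0}</transactionid><reason>{1}</reason>"
    xml_names = {0: "SMSID", 1: "SMS Status Message"}
    xml_reply = "<status>500</status><transactionid>2323</transactionid><reason>Limit Exceeded</reason>"
    print(to_log_fields(extract_parameters(xml_format, xml_reply), xml_names))
```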


Figure 415: Add SMS Gateway

3. Click Save.

Testing Connectivity with SMS Gateway

This page allows you to check connectivity with the gateway after you have configured an SMS gateway.

1. Go to Configure > Authentication > Guest User Settings and, in the SMS Gateway section, edit the configured SMS gateway and click Test Connection.


2. Enter a cell phone number. You will receive an SMS through the configured gateway if you are able to connect to the gateway.

Figure 416: Test Connectivity

3. Click Save.

Client Downloads

The Client Downloads page allows you to download all the clients or add-ins needed to interact with the device.

The device provides various options for user authentication. All users are authenticated before they are provided access to network resources. User authentication can be performed using a local database, Active Directory, LDAP, RADIUS, TACACS, eDirectory, NTLM or a combination of these. The device also supports Single Sign On (SSO) for transparent authentication whereby Windows credentials can be used to authenticate and the user has to log in only once to access network resources. SSO can be used in Active Directory and Citrix or Terminal Services environments.

Users can authenticate with the device using the Captive Portal, authentication clients for Windows, Linux, Macintosh, Android and iOS platforms, or Single Sign On (SSO).

The following clients can be downloaded from this page:

Single Sign-On

Sophos Single Sign-On Client - Enables users to log on to the organization network as well as to the device simultaneously. This requires client installation on the user's machine.

Sophos Transparent Authentication Suite (STAS) - Enables transparent authentication whereby Windows credentials can be used to authenticate and the user has to log in only once to access network resources. This does NOT require a client installation on the user's machine.

Sophos Authentication for Thin Client (STAC) - Enables transparent authentication for users in a Citrix or Terminal Services environment whereby network credentials can be used to authenticate and the user has to log in only once to access network resources. This does NOT require a client installation on the user's machine.

Authentication Clients

Download MSI - Enables admins to install authentication clients via Microsoft Installer to multiple user devices to access network resources and the Internet as per the policies configured in the device.

Download CA for MSI - Download the digital certificate to be installed via MSI to ensure a safe connection with the device.

Download for Windows - Enables users of a Windows operating system to log on to the device to access network resources and the Internet as per the policies configured in the device.

Download for MAC OS X - Enables users of a system with Macintosh OS X onwards to log on to the device to access network resources and the Internet as per the policies configured in the device.

Download for Linux 32 - Enables users of a 32-bit Linux operating system to log on to the device to access network resources and the Internet as per the policies configured in the device.

Download for Linux 64 - Enables users of a 64-bit Linux operating system to log on to the device to access network resources and the Internet as per the policies configured in the device.


Download Certificate for iOS/Android client - Download the digital certificate to be installed in an iOS or Android system to ensure a safe connection with the device. Authentication Clients for iOS/Android can be downloaded from the respective App Store/Play Store.

SPX Add-ins

This feature is available only with a valid Email Protection subscription.

This feature is available in Sophos Firewall Models XG105 and above, Cyberoam Models CR25iNG and above, and all Sophos UTM Models.

The SPX Add-in simplifies the encryption of messages that contain sensitive or confidential information leaving the organization. The Add-in integrates seamlessly with the user's Microsoft Outlook software, making it easy for users to encrypt messages through Sophos Firewall (SF) Email Protection.

Follow the steps given below to install the Outlook Add-in:

1. Unzip the files to a temporary folder.

2. For an interactive installation, run setup.exe (users will be prompted for input).

3. For an unattended installation, please note the following prerequisites.

• Windows XP, Windows Vista, Windows 7, Windows 8 (both 32 and 64-bit) versions are supported.

• Microsoft Outlook 2007 SP3, 2010 or 2013 (both 32 and 64-bit) versions are supported.

Now, proceed as follows:

a. Install Microsoft .NET Framework 4 Client Profile.

b. Install Microsoft Visual Studio 2010 Tools for Office Runtime 4.0.

c. Run the installer with the following parameters: msiexec /qr /i SophosOutlookAddInSetupUTM.msi T=1 EC=3 C=1 I=1.

STAS

This page describes how to configure the Sophos Transparent Authentication Suite (STAS).

Sophos Transparent Authentication Suite (STAS) enables transparent authentication whereby Microsoft Windows credentials can be used to authenticate. The user has to log in only once to access the network resources. A client installation on the user's machine is not required.

The Sophos Transparent Authentication Suite (STAS) program can be found under Configure > Authentication > Client Downloads. For more information about STAS installation, see the Sophos Transparent Authentication installation guide.

1. Go to Configure > Authentication > STAS.

2. To enable Sophos Transparent Authentication Suite click the toggle switch.

3. Click Activate STAS.

4. To enable the user inactivity timeout, click the toggle switch.

5. Specify the user inactivity settings.

Inactivity Time

Specify the inactivity time in minutes. The user inactivity timeout is the inactive/idle time in minutes after which the user will be logged out and has to re-authenticate.

Acceptable range: 3 to 1440 minutes

Default: 3 minutes

Data Transfer Threshold

Specify the minimum amount of data that must be transferred for the user to be considered active.

Default: 100 bytes

6. Click Apply.


Related information

How to implement Single Sign-On using STAS

Add New Collector

This page describes how to add a collector.

The STAS Collector collects user authentication requests from multiple agents, processes the requests and sends them to Sophos XG Firewall for authorization.

1. Go to Configure > Authentication > STAS.

2. Click Add New Collector.

3. Specify the collector details.

Collector IP

Enter a collector IP address.

Collector Port

Select the collector port.

Default: 6677

Collector Group

Select a collector group. If you select New Group, the collector is automatically tagged with a group number. If you select Existing Group, you can add the collector to an existing group.

Figure 417: Add New Collector

4. Click Save.

Disable STAS

This page describes how to disable STAS.

If you disable STAS, the current STAS configuration will be removed.

1. Click the toggle switch of the Sophos Transparent Authentication Suite.

2. Confirm deactivation by clicking on the Confirm removal of STAS configuration button.

System Services

System Services allows configuration of device components along with the associated services.

Available configurations:

High Availability

- High Availability allows a second system to be used for redundancy or scalability.

Traffic Shaping Settings

- QoS traffic shaping allows network bandwidth to be limited or guaranteed.

RED

- Sophos RED allows seamless, encrypted, and tightly integrated connections between branch locations.

Log Settings

- Configure Syslog servers and enable/disable logs to be sent.

Data Anonymization

- Enable Data Anonymization and set Authorizers.

Traffic Shaping

- Displays the list of predefined and custom policies and provides the option to create a new traffic shaping policy.


Services

- View the current status and manage all the configured services.

High Availability

Hardware failure such as a failure of the power supply, hard disk, or processor is the main reason behind the failure of an Internet security system and/or a device. To provide a reliable and continuous connection to the Internet and to provide security services such as firewall, VPN, intrusion detection and prevention, virus scanning, web filtering, and spam filtering, two devices can be configured to function as a single device and provide high availability.

Clustering technology is used to ensure high availability. In a cluster, devices are grouped together and instructed to work as a single entity.

Note: This feature is not available in models CR15i, CR15wi, CR25wi, CR35wi, CR15wiNG, CR25wiNG/6P and CR35wiNG/6P and on all WiFi models of XG Series devices.

How a Cluster works

The device offers high availability by using a virtual MAC address shared between a primary device and an auxiliary device linked together as a "cluster".

The devices, primary and auxiliary, are physically connected over a dedicated HA link port.

Typically, traffic enters your network by passing through a network switch. In an HA solution, one of the devices in the cluster has a virtual MAC address and traffic is forwarded to the cluster device which has the virtual MAC address. The device which has virtual MAC address is the primary device and the other peer is the auxiliary device.

The primary device acts as a load balancer and forwards traffic to the auxiliary device for processing. The auxiliary device can process traffic only if the cluster is operating in Active-Active mode.

If configured in Active-Passive mode, the primary device processes all traffic. The auxiliary device waits in a ready state to operate as the primary device in case the primary device or any of the monitored links fails.

The auxiliary device monitors the primary device through the dedicated HA link, and if it does not receive any communication within the pre-configured time, the primary device is considered to have failed. In this case, the auxiliary device takes ownership of the virtual MAC address from the primary device and becomes the primary device temporarily. The primary device automatically takes over from the auxiliary device once it starts functioning again.

HA terminology

1. HA Cluster

Group of two devices instructed to work as a single entity. Every HA cluster has one primary device and one auxiliary device. The primary device controls how the cluster operates. The roles that the primary and auxiliary devices play in the cluster depend on the configuration mode.

2. HA Configuration Modes

Active-Active - A configuration of an HA cluster consisting of a primary device and an auxiliary device. In this mode, both the primary device and the auxiliary device process traffic while the primary unit is in charge of balancing the traffic. The load balancing decision is taken by the primary device. The auxiliary device can take over only in case of a primary unit failure.

Active-Passive - A configuration of an HA cluster consisting of a primary device and an auxiliary device. In this mode, only the primary device processes traffic while the auxiliary device remains in stand-by mode, ready to take over if a primary device failure occurs.

3. Primary Device


The primary device also tracks the status of all cluster devices. In an Active-Active cluster, the primary device receives the entire network traffic and acts as load balancer to redirect traffic to the auxiliary device. In an Active-Passive cluster, the primary device processes the network traffic while the auxiliary device does not process any traffic but remains ready to take over if the primary device fails.

4. Auxiliary Device

The auxiliary device always waits to become the primary device.

In an Active-Active cluster, the auxiliary device processes the network traffic assigned to it by the primary device.

In case the primary device fails, the auxiliary device becomes the primary device. In an Active-Passive cluster, the auxiliary device does not process network traffic and is in stand-by. It becomes active only when the primary device is not available to process the traffic.

5. Dedicated HA Link Port

The dedicated HA link is a direct physical link between the devices participating in the HA cluster.

6. Load Balancing

The ability of the HA cluster to balance traffic between the nodes in the cluster.

7. Monitored Interface

The set of interfaces selected to be monitored. Each device monitors its own selected interface(s), and if any of them goes down, the device removes itself from the cluster and a failover occurs.

8. Virtual MAC

A MAC address associated with the HA cluster. This address is sent in response when any machine makes an ARP request to the HA cluster. It is not an actual MAC address and is not assigned to any interface of any unit in the cluster.

The primary device owns the virtual MAC address, which is used for routing network traffic. All external clients use this address to communicate with the HA cluster. In case of failover, the new primary device will have the same MAC address as the failed primary device. The cluster device which holds the virtual MAC address acts as the primary device.

9. Primary State

In Active-Active mode, the device that is in charge of receiving all the traffic and load balancing is said to be in "primary" state. A device can be in "primary" state only when the other device is in "auxiliary" state.

In Active-Passive mode, the device in charge of processing all the traffic is said to be in the "primary" state. A device can be in "primary" state only when the other device is in "auxiliary" state.

10. Auxiliary State

In Active-Active mode, the device that receives the traffic to be processed by it from the primary device is said to be in "auxiliary" state. A device can be in "auxiliary" state only when the other device is in "primary" state.

In Active-Passive mode, the device which is not processing the traffic is said to be in "auxiliary" state. A device can be in "auxiliary" state only when the other device is in "primary" state.

11. Standalone State

A device is said to be in standalone state when it can still process network traffic while the other device is not in a position to process network traffic (i.e. it is in "fault" state or shut down).

12. Fault State

A device is in fault state when it cannot process network traffic because a device or link has failed.

13. Peer

Once the HA cluster is configured, the cluster devices are termed peers, i.e. for the primary device, the auxiliary device is its peer device and vice versa.

14. Synchronization

The process of sharing the cluster configuration between the cluster devices (HA peers). Generated reports are not synchronized.

15. Device failover


If a device does not receive any communication from the HA peer within the predetermined period of time, the peer device is considered to have failed. This process is termed device failover: when it occurs, the peer device is taken over.

16. Link failover

Both devices in an HA cluster continuously monitor the dedicated HA link and the interfaces configured to be monitored. If any of them fails, it is called a link failure.

17. Session failover

Whether it is a device or link failover, session failover occurs for forwarded TCP traffic except for the virus scanned sessions that are in progress, VPN sessions, UDP, ICMP, multicast, and broadcast sessions and proxy traffic.

The device normally maintains session information for TCP traffic which is not passing through a proxy service. Hence, in case of failover, the device which takes over will take care of all such sessions (TCP sessions not passing through a proxy application). The entire process is transparent to end users.

Configure HA

Points to be noted

• WWAN, WLAN - High Availability (HA) cluster cannot be configured if WWAN or WLAN is configured.

• DHCP, PPPoE - High Availability (HA) cluster cannot be configured in Active-Active mode if any of the interfaces are dynamically configured using DHCP or PPPoE protocols.

• You cannot configure interfaces using DHCP/PPPoE protocols when HA cluster is configured in Active-Active mode.

• Masqueraded Connections - In case of manual synchronization events from any of the HA cluster devices, all the masqueraded connections will be dropped.

• HA can be disabled from either of the devices. If disabled from the primary device, HA will be disabled on both devices. If disabled from the auxiliary device, HA will not be disabled on the primary device, which will act as a stand-alone device.

• After disabling HA, primary device IP schema will not change.

• After disabling HA, for the auxiliary device, all the ports except the dedicated HA link port and the peer administration port will be disabled. The peer HA link IP will be the IP address assigned to the dedicated HA link port, while the peer administration IP will be the IP address assigned to the peer administration port.

• If HA is disabled from a stand-alone machine, IP schema will not change.

• Super Administrator privileges are required to access the auxiliary device Admin Console; therefore it can be accessed by the "admin" user only, and the Live users/DHCP leases/IPsec live connections pages will not be displayed.

• After disabling HA, for the auxiliary device, all administrative services (HTTPS, Telnet, SSH) are allowed for the LAN zone, while for the DMZ zone only HTTPS and SSH are allowed.

• For the auxiliary device, Deployment Wizard will not be accessible.

• The dedicated HA link port should be a DMZ zone interface only. Make sure that the IP addresses of the HA link port of the primary and auxiliary devices are in the same subnet.

• After enabling HA, if a backup without HA configuration is restored, HA will be disabled and the primary device will be accessible as per the backup configuration, while the auxiliary device will be accessible with the Auxiliary Admin IP Address.

• In Active-Active mode, mails will be quarantined separately on both devices, as SMTP proxy traffic is load balanced in round-robin manner.

• In Active-Passive mode, mails will be quarantined on the primary device only.

• If quarantine digest is configured, both the devices in the cluster will send quarantine digests.

• Administrator can release quarantined mails of all the users from both the devices.

• User can release quarantined mails from the User Portal. The User Portal displays mails quarantined only on the primary device. Also, the user can release them from the quarantine digest mailed from the primary device.

Note:


• Not available in models CR15i, CR15wi, CR25wi, CR35wi, CR15wiNG, CR25wiNG/6P and CR35wiNG/6P and on all WiFi models of SG series devices.

• HA will get disabled if you run the Deployment Wizard.

• You must register the device to configure HA.

Session failover

• Session failover is possible for forwarded TCP traffic under Route Mode, Bridge Mode, Mixed Mode and Multiport Bridge Mode.

• Session Failover is not possible for the following types of traffic under Route Mode, Bridge Mode, Mixed Mode and Multiport Bridge Mode:

• Proxy Subsystem (Transparent/Direct/Parent proxy)

• VPN Traffic

• IPv4 and IPv6 forwarded traffic like UDP, ICMP, multicast, broadcast etc.

• System generated traffic

• AV Scanned sessions

• Parent proxy traffic

Load Balancing

• An Active-Active HA Cluster will successfully balance the load of the following types of traffic under Route Mode, Bridge Mode, Mixed Mode and Multiport Bridge Mode:

• TCP traffic passing through the proxy subsystem (Transparent/Direct/Parent)

• Forwarded TCP Traffic

• NATed (SNAT and Virtual Host) forwarded TCP traffic

• HTTPS connection

• VLAN traffic

• An Active-Active HA Cluster does not load balance the following types of traffic under Route Mode, Bridge Mode, Mixed Mode and Multiport Bridge Mode:

• VPN sessions

• Traffic other than TCP (UDP, ICMP, multicast, broadcast etc.)

• System generated traffic

• Scanned FTP Traffic

• Traffic coming through wireless RED devices and Access Points.

• TCP Traffic for User Portal, Admin Console or Telnet Console

• H323 Traffic sessions

• Control traffic for all modules

Before configuring HA

Before attempting to configure two devices as an HA pair for hardware failover, check the following requirements:

• Both devices in the HA cluster, i.e. the primary and the auxiliary device, must be registered and have the same number of interfaces. Both member devices should be of the same model.

• Both devices in the HA cluster must have the same firmware version installed.

Active-Active: Two separate licenses are required, one for the primary device and the other for the auxiliary device.

On both the devices, the same subscription modules should be enabled.

Active-Passive: One license is required for the primary device. No license is needed for the auxiliary device.

• Cables to all the monitored ports on both devices must be connected. Connect the dedicated HA link ports of both devices with a crossover cable.

• The dedicated HA link port should be a DMZ zone interface only and must have a unique IP address on both devices. SSH should be enabled for both devices on the DMZ zone.

• WWAN and WLAN configuration must be disabled before HA configuration.

• DHCP/PPPoE configuration must be disabled before configuring HA in Active-Active mode.


Before enabling HA

Before enabling HA, you need to provide the Passphrase and Dedicated HA Link Port details on the auxiliary device by selecting Auxiliary as the Initial HA Device State. If these details are not configured on the auxiliary device, the primary device will not be able to connect to the auxiliary device.

Configure Primary Device

1. Go to Configure > System Services > High Availability.

2. Enter High Availability details.

Serial Number

Displays serial number.

Peer Serial Number

Displays peer’s serial number.

For the primary device, it displays the auxiliary device's serial number.

For the auxiliary device, it displays the primary device's serial number.

HA Configuration Mode

Select HA configuration mode for the cluster.

Active-Active: Select to configure a cluster for load balancing and failover HA. In Active-Active mode, both the primary device and the auxiliary device process traffic and monitor the status of the other cluster device. The primary device controls load balancing between the two cluster devices.

Active-Passive: Select to configure a cluster for failover HA. In Active-Passive mode the primary device processes all connections. The auxiliary device passively monitors the cluster status and remains synchronized with the primary device.

Initial HA Device State

Select to set initial device state from the available options.

Available Options: Primary, Auxiliary

Passphrase

Passphrase - Specify a passphrase for communication.

Confirm Passphrase - Confirm the specified passphrase.

Note: To configure HA, both devices in the cluster must have the same passphrase.

Dedicated HA Link Port

Specify HA link port.

HA peers are physically connected using a crossover cable through this port. The same port must also be used as an HA link port on the peer device.

For example, if port E is configured as HA link port on the primary device then use port E only as HA link port on the auxiliary device. Make sure that the IP address of the HA link port for both, the primary device and auxiliary devices are in same subnet. Cluster devices use this link to communicate cluster information and to synchronize with each other.

Check Before Configuring HA before attempting to configure two devices as an HA pair.

Peer HA link IPv4

Specify the IP address configured on the HA link port of the peer device.

Peer Administration Port

Specify an administration port for the auxiliary device. This port can be used for administration purpose.

Peer Administration IP

Specify an administration IPv4/IPv6 address for the auxiliary device.

With this IP address, the Admin Console of the auxiliary device can be accessed. Any user accessing the Admin Console of the auxiliary device is logged in with an HA profile and has read-only rights.

Select Ports to be Monitored

Select the ports to be monitored.

Both devices will monitor their own ports and if any of the monitored port goes down, the device will leave the cluster and failover will occur.

Note: This feature is not supported in virtual security devices.


Figure 418: Configure HA

3. Click Enable HA to enable HA.

Note: The device from which HA is enabled acts as the Primary Device, while the peer device acts as the Auxiliary Device.

If everything is cabled and configured properly and HA is enabled successfully:

• Both devices will have the same configuration except the HA link port IP address.


• Additional options will be made available:

Primary Device

• Put on Standby (for Active-Passive mode)

• Disable HA

• Sync Auxiliary (used to synchronize the auxiliary device's configuration with the primary device)

Auxiliary Device

• Disable HA

• Sync with Primary (used to synchronize the auxiliary device's configuration with the primary device)

• By default, both devices synchronize automatically.

• As soon as Active-Active is configured, traffic load balancing is enabled. If required, it can be disabled from the CLI console using the “system ha load-balancing on/off” command.

Disable HA

This page allows you to disable HA.

Go to Configure > System Services > High Availability and click Disable HA.

Note:

• HA can be disabled from either of the devices. If disabled from the primary device, HA is disabled on both devices. If disabled from the auxiliary device, HA is not disabled on the primary device, which continues to operate as a stand-alone device.

• After disabling HA, the primary device IP schema will not change.

• If HA is disabled from a stand-alone machine, the IP schema will not change.

After disabling HA, the auxiliary device will reboot, all the ports except the dedicated HA link port and peer administration port will be disabled. The dedicated HA link port will be assigned to the peer HA link IP address and the peer administration port will be assigned to the peer administration IP address.

Switch Device to Standby Mode

Standby mode can be configured only if the cluster is operating in Active-Passive mode. Putting the primary device on standby forces a failover: the auxiliary device takes over as the primary device.

Synchronize HA Peers

Under normal conditions, the auxiliary device is always synchronized with the primary device. However, if required, the auxiliary device can also be forcefully synchronized with the primary device.

Manual synchronization process can be initiated from either of the peers. If synchronized from the primary device, the primary device will push updates and if synchronized from the auxiliary device, the auxiliary device will pull the updates from the primary device.

Go to Configure > System Services > High Availability and click Sync Auxiliary to manually synchronize the auxiliary device with the primary device.

The matrix shows the HA state transitions after which synchronization between HA peers is possible. Rows give the state a device transitions from and columns the state it transitions to. For example, synchronization is possible when a device in Primary state goes into Fault state, but not when it goes into Auxiliary state.

From/To        Standalone   Primary   Auxiliary**   Fault
Standalone     No           Yes       Yes*          No
Primary        Yes          No        No            Yes
Auxiliary**    Yes          No        No            Yes
Fault          No           No        Yes           No


*Possible when dedicated link goes down and comes back again

**When a device transitions into Auxiliary (backup) state, it soft boots.

Manual synchronization gets the data and configuration updates except reports from the primary device.

Services Support

On the auxiliary device, only the following services run; all other services are stopped:

• Routing service

• VPN service

• Network service

• Logon server

Traffic Shaping Settings

This page allows you to configure default Traffic Shaping settings. All the bandwidth-related data are displayed only in KBps (1000 bytes per second).

The settings are as follows:

Total Available WAN Bandwidth

Specify maximum bandwidth limit in KBps. It is generally a sum of all WAN links' maximum limits.

Default: 100000 KBps

Acceptable Range (KBps): 1 to 2560000

Optimize for Real-Time (VoIP)

Enable to give priority to real-time traffic like VOIP over all other traffic.

If disabled, priority will be applicable only for excess bandwidth i.e. bandwidth remaining after guaranteed bandwidth allocation.

Enforce Guaranteed Bandwidth

Enable to apply the Default Policy to internet-bound traffic that has no Traffic Shaping Policy of its own, so that all internet-bound traffic is subject to a bandwidth restriction.

Disable to shape only the traffic to which a Traffic Shaping Policy is applied; traffic without a policy is then not restricted.

Default Policy

The Default Policy will be applicable to the traffic which does not have any Traffic Shaping Policy applied.

Guarantee

Specify the minimum bandwidth guaranteed to the user.

Default: 1 KBps

Acceptable Range (KBps): 1 to 2560000

Limit

Specify the maximum bandwidth the user can use, if available.

Default: 100000 KBps

Acceptable Range (KBps): 1 to 2560000

Priority

Set the bandwidth priority. Priority can be set from 1 (highest) to 7 (lowest) depending on the traffic required to be shaped.

Available Options:

1 – Business Critical

2 to 5 – Normal

6 – Bulky, e.g. FTP

7 – Best Effort, e.g. P2P

Show Bandwidth Usage

Click to view Bandwidth Usage.


Figure 419: Traffic Shaping Settings

Related information

How to setup application filter

RED

This page describes how to enable RED.

RED is short for Remote Ethernet Device and is a means to connect remote sites, e.g. branch offices, to your main office as if the remote site were part of your local network.

The setup consists of the Sophos XG Firewall in your main office and a Remote Ethernet Device (RED) in your remote office. Establishing a connection between the two is straightforward because the RED device itself does not need to be configured. As soon as the RED device is connected to your device, it behaves like any other Ethernet device on your device. All traffic of your branch office is routed through your device, which means that your branch office is subject to the same security policy as your local network.

These types of RED devices are currently available:

• RED 10: RED solution for small remote offices

• RED 15: RED solution for medium remote offices

• RED 15w: RED solution for small remote offices, including WiFi.

• RED 50: RED solution for bigger remote offices which comes with two uplink interfaces.

Additionally, you have the choice to establish a RED Site-to-Site tunnel between two SF devices which are connected through the RED technology on Layer 2. One device acts as server while the other is the client. For more information, see chapter Configure RED Site-to-Site Tunnel.

Each RED device or SF device that is configured here is able to establish a connection to your SF device.

Note: For RED devices to be able to connect, you need to enable RED support on the Configure > System Services > RED page first.

RED setup example


Related tasks: Add RED (on page 320). This page allows you to configure a Remote Ethernet Device (RED) at a remote office.

Configure RED

This page describes how to configure RED.

1. Go to Configure > System Services > RED and enable RED.

2. Specify the following:

Organization Name

Specify the name of the organization.

City

Specify the city where the organization is located.

Country

Select the country where the organization is located.

Email

Specify an email address.

Figure 420: Enable RED

3. Click Apply.

Note: If the message "Registering with RED service failed. Please make sure that this device can connect to the Internet on port 3400" appears, some kind of network problem is indicated. You should first check if you can reach red.astaro.com through port 3400 (via console command telnet red.astaro.com 3400). If so, the error might be due to a high network load. Retry to connect later.

The RED status is now activated. Sophos XG Firewall is now registered at the RED Provisioning Service (RPS) of Sophos to act as a RED hub. You can now continue by adding one or more RED devices at System > Network > Interfaces.

You can enable the Automatic Device Deauthorization.

Related tasks: Add RED (on page 320). This page allows you to configure a Remote Ethernet Device (RED) at a remote office.


Force TLS 1.2

This page describes how to force TLS 1.2.

For security reasons it is recommended to force the RED device to use only TLS 1.2. This option is disabled by default so that new RED devices, whose factory firmware may not yet support TLS 1.2, can connect to the Firewall and receive a firmware upgrade first.

Note: If you want to add new RED devices, first disable Force TLS 1.2 so that the RED devices are able to connect to the Firewall. While the option is disabled, RED connections may negotiate older TLS versions, so re-enable it as soon as the new devices have been upgraded.

1. Ensure that RED is enabled.

2. In the Force TLS 1.2 area select Enable.

3. Click Apply.

Automatic Device Deauthorization

This page describes how to deauthorize a RED device.

When RED is enabled, you can specify if disconnected RED devices should automatically be deauthorized after a certain time span. With this feature, you can prevent stolen RED devices from connecting to Sophos XG Firewall.

Note: The Automatic Device Deauthorization does not work for a RED tunnel between 2 Sophos XG Firewall devices.

1. Ensure that RED is activated.

2. Select Enable next to Automatic Device Deauthorization.

3. Enter a time span for Deauthorize After.

4. Click Apply.

Automatic Device Deauthorization is now configured.

When a RED device reconnects after being disconnected for longer than the defined time span, it is automatically disabled.

Disable RED

This page describes how to disable RED.

Disabling RED will not cause the deletion of the REDs. If you disable the RED functionality, RED devices will be deactivated and lose their connection. If you re-enable the RED functionality, the REDs will be activated again.

1. Click the toggle switch of the RED Status.

2. Confirm deactivation by clicking on the Confirm removal of RED configuration button.

RED is now deactivated. All RED devices will be disconnected.

Log Settings

Device provides extensive logging capabilities for traffic, system and network protection functions. Detailed log information and reports provide historical as well as current analysis of network activity to help identify security issues and reduce network abuse. To view logs, relevant modules must be subscribed.

Device can log many different network activities and traffic including:

• Firewall Rules log

• Anti Virus infection and blocking

• Web filtering, URL and HTTP content blocking

• Signature and anomaly attack and prevention

• Spam filtering

• Administrator logs

• User Authentication logs

• SSL VPN logs

• Web Server Protection logs


• Advanced Threat Protection logs

• Heartbeat logs

Device can either store logs locally or send them to external syslog servers for storage and archival purposes. Traffic Discovery logs can be stored locally only.

Syslog is an industry-standard protocol for collecting and forwarding logs from devices to a server running a syslog daemon, usually on UDP port 514. Logging to a central syslog server helps aggregate logs and alerts.

If configured, device sends a detailed log to an external syslog server in addition to the standard event log. Syslog support requires an external server running a syslog daemon on a UDP port of your choice. When configuring logging to a syslog server, configure the facility, severity and log file format. If multiple syslog servers are defined, you can also choose the logging location per log type.

Device logs all activity, including every connection's source and destination IP address (IPv4 / IPv6), IP service, and number of bytes transferred.

A syslog service simply accepts messages and stores them in files or prints them. Central logging is preferred because it provides a single logging facility and protected long-term storage for logs, which is useful both in routine troubleshooting and in incident handling. Note that syslog over UDP offers no delivery guarantee, authentication or confidentiality, so place the collector on a trusted management network and treat gaps in the stream as possible losses rather than as proof that nothing happened.

Use this page to configure below settings:

• Syslog Servers - Configure Syslog server for logs storage and archival purposes.

• Log Settings - Configure logs to be sent to the Syslog server.

Syslog Servers

The Syslog Servers section displays list of configured syslog servers. You can sort the list based on server name. The page also provides option to add, update, or delete the server.

Log Settings

After configuring a syslog server, configure the logs to be sent to it by selecting the checkbox against each log under Syslog. If multiple syslog servers are configured, you can send different logs to different servers.

To record logs you must enable the respective log and specify the logging location. The Administrator can choose between On-Device (local) logging and Syslog logging, and can also disable logging temporarily. Below are the different log types with their descriptions:

Firewall

Firewall Log records following events:

• Firewall Rules

Records all traffic that matches firewall rules.

• Invalid Traffic

Records dropped traffic that does not follow protocol standards, invalid fragmented traffic, and packets that the device cannot associate with any connection.

• Local ACLs

Records all incoming traffic (allowed and dropped) destined for the device itself.

• DoS Attack

Records attacks detected and prevented by the device, i.e. dropped TCP, UDP and ICMP packets.

To generate logs, go to System > System Services > DoS & Spoof Protection and click Apply Flag against SYN Flood, UDP Flood, TCP Flood, and ICMP/ICMPv6 Flood individually.

• Dropped ICMP Redirected Packet

Records all dropped ICMP redirect packets.

To generate the log, go to System > System Services > DoS & Spoof Protection and click Apply Flag against Disable ICMP/ICMPv6 Redirect Packet.

• Dropped Source Routed Packet

Records all dropped source-routed packets.

To generate the log, go to System > System Services > DoS & Spoof Protection and click Apply Flag against Drop Source Routed Packets.

• Dropped Fragmented Traffic

Records dropped fragmented traffic.

• MAC Filtering

Records packets dropped when MAC filtering is enabled under Spoof Prevention.

• IP-MAC Pair Filtering

Records packets dropped when IP-MAC pair filtering is enabled under Spoof Prevention.

• IP Spoof Prevention

Records packets dropped when IP spoof prevention is enabled under Spoof Prevention.

• SSL VPN Tunnel

Records SSL VPN traffic.

• Protected Application Server

Records traffic to protected application servers.

• Heartbeat

Records Heartbeat traffic.

• ICMP Error Message

Records ICMP error messages such as network/host/port unreachable, destination network/host unknown and so on.

Figure 421: Firewall Rule

IPS

Records detected and dropped attacks based on unknown or suspicious patterns (anomaly) and signatures.

Figure 422: IPS

Anti Virus

Virus detected in HTTP, SMTP, FTP, POP3, IMAP4, HTTPS, SMTPS, IMAPS and POPS traffic.


Figure 423: Anti-Virus

Anti Spam

SMTP, POP3, IMAP4, SMTPS, POPS, IMAPS spam and probable spam mails.

Figure 424: Anti-Spam

Content Filtering

Web filtering and Application Filtering logs.

Log records of the name of applications/URLs accessed and their categories.

Note: To view the logs:

• Web Filter and Application Filter Policies should be applied in the Firewall Rule.

• Log Firewall Traffic under the Firewall page should be enabled.

Figure 425: Content Filtering

Events

Admin Events: Log records of configurations done through Admin Console.

Authentication Events: Log records of all authentication related events.

System Events: Log records of all system related events like Gateway Up/Down, Anti Virus updates etc.


Figure 426: Events

Web Server Protection

Web Server Protection Events.

Note: Web Server Protection logs are not available in CR10iNG, CR15i, CR15wi, CR15iNG, CR15wiNG, CR25ia, CR25wi, CR35ia and CR35wi Sophos Devices.

Figure 427: Web Server Protection

Advanced Threat Protection

ATP Events: Log records of drop or alert event.

Figure 428: Advanced Threat Protection

Wireless

Access Points & SSID: Log records of the connected APs and SSID.

Figure 429: Wireless

Heartbeat

Endpoint Status: Log records of the health status of the endpoint.

Figure 430: Heartbeat

System Health

Usage: Log records of CPU usage, memory usage, no. of live users, interface and disk partition information.

Figure 431: System Health

Sandstorm

Sandstorm Event: Log records of all Sandstorm events.

Figure 432: Sandstorm

Add Syslog Server

This page describes how to add a syslog server.

1. Go to Configure > System Services > Log Settings and click Add under the Syslog Servers section.

2. Enter server details.

Name

Enter a unique name for the syslog server.

IP Address / Domain

Specify the IP address (IPv4 / IPv6) or domain name of the syslog server. Logs from the device will be sent to the server.

Port

Specify the port number for communication with the syslog server. The device will send logs using the configured port.

Facility

Select the syslog facility for logs sent to the syslog server.

The facility tells the syslog server the source of a message, such as the operating system, a process or an application; it is defined by the syslog protocol. The collector typically uses it to route messages into separate files or rules, so pick one that does not collide with other sources.

Available Options:

DAEMON - Daemon logs (information from services running on the device as daemons).

KERNEL - Kernel log.

LOCAL0 - LOCAL7 - Locally defined facilities reserved for site-specific use; choose one of these if you want the firewall's logs kept apart from the collector's other sources.

USER - User-level messages.

Severity Level

Specify the severity level of logs.

Severity level is the severity of the log that has been generated.

The device logs all messages at and above the selected severity level. For example, select ERROR to log all messages tagged ERROR as well as any tagged CRITICAL, ALERT and EMERGENCY; select DEBUG to log all messages.

The device supports the following severity levels:

EMERGENCY - System is not usable

ALERT - Action must be taken immediately

CRITICAL - Critical condition

ERROR - Error condition

WARNING - Warning condition

NOTIFICATION - Normal but significant condition

INFORMATION - Informational

DEBUG - Debug level messages

Format

The device produces logs in the specified format. The device currently produces logs in device standard format.
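The following Python script is an added example and not Sophos code. It shows how the Facility and Severity Level choices above combine into the numeric priority that precedes every syslog message (PRI = facility * 8 + severity, as defined by RFC 3164 and RFC 5424) and how the "at and above the selected level" rule decides which messages are sent. The message lines, hostname and program tags are constructed for the example; the XG Firewall's own log format is not reproduced here.

```python
"""Syslog facility/severity encoding and severity-threshold filtering.

Added example, not Sophos code. Facility and severity names follow the
Add Syslog Server page (NOTIFICATION and INFORMATION are syslog's NOTICE
and INFO); the numeric codes are the standard ones from RFC 3164/5424.
"""
import re

FACILITIES = {"KERNEL": 0, "USER": 1, "DAEMON": 3}
FACILITIES.update({"LOCAL%d" % i: 16 + i for i in range(8)})

# Lower code = more severe, so "at and above" means code <= threshold code.
SEVERITIES = {"EMERGENCY": 0, "ALERT": 1, "CRITICAL": 2, "ERROR": 3,
              "WARNING": 4, "NOTIFICATION": 5, "INFORMATION": 6, "DEBUG": 7}

FACILITY_NAMES = {code: name for name, code in FACILITIES.items()}
SEVERITY_NAMES = {code: name for name, code in SEVERITIES.items()}


def encode_pri(facility, severity):
    """PRI value the device would put in front of a message."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def decode_pri(pri):
    """Split a PRI back into (facility, severity) names.

    Facilities the page does not offer (MAIL, AUTH, ...) are reported by
    their numeric code so a collector-side parser never crashes on them.
    """
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    fac_code, sev_code = divmod(pri, 8)
    return FACILITY_NAMES.get(fac_code, "FACILITY%d" % fac_code), SEVERITY_NAMES[sev_code]


def passes_threshold(severity, threshold):
    """True if a message of `severity` is sent under a `threshold` setting."""
    return SEVERITIES[severity] <= SEVERITIES[threshold]


def format_message(facility, severity, host, tag, text):
    """RFC 3164-style line as a collector would receive it over UDP."""
    return "<%d>Jul  1 12:00:00 %s %s: %s" % (encode_pri(facility, severity), host, tag, text)


_PRI_RE = re.compile(r"^<(\d{1,3})>")


def parse_pri(line):
    """Read the PRI from the start of a received line."""
    m = _PRI_RE.match(line)
    if m is None:
        raise ValueError("line has no PRI: %r" % line[:32])
    return decode_pri(int(m.group(1)))


def filter_by_threshold(lines, threshold):
    """Keep only the lines the device would emit with Severity Level = threshold."""
    return [ln for ln in lines if passes_threshold(parse_pri(ln)[1], threshold)]


# Constructed sample messages (facility LOCAL0; hostname, tags and addresses invented).
SAMPLE = [
    format_message("LOCAL0", "DEBUG", "xg-fw", "sslvpn", "keepalive from 10.0.0.5"),
    format_message("LOCAL0", "INFORMATION", "xg-fw", "firewall", "allowed tcp 10.0.0.5:51000 -> 203.0.113.10:443"),
    format_message("LOCAL0", "ERROR", "xg-fw", "ips", "dropped packet matching signature"),
    format_message("LOCAL0", "CRITICAL", "xg-fw", "atp", "dropped callback from 10.0.0.7"),
]

if __name__ == "__main__":
    for level in ("DEBUG", "ERROR"):
        sent = filter_by_threshold(SAMPLE, level)
        print("Severity Level = %s -> %d of %d lines sent" % (level, len(sent), len(SAMPLE)))
```

Choosing LOCAL0 to LOCAL7 and a single severity threshold per server is what lets the collector write the firewall's messages to their own file and alert on anything at ERROR or above without first parsing the message body.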


Figure 433: Add Syslog Server

Note: You can configure maximum five syslog servers.

3. Click Save.

Once you add the server, go to the Configure > System Services > Log Settings page and, in the Log Settings section, enable all the logs that are to be sent to the syslog server.

Data Anonymization

This page allows you to enable/disable data anonymization and select authorizer administrators, also to de-anonymize all the user identities - Username, IP Address, MAC Address and Email Address in all logs /activities / reports.

View the report from Configure > System Services > Data Anonymization.

Once Data Anonymization is enabled, the Device anonymizes all the user identities. It means user identities in all the logs and reports are displayed in encrypted form.

To view the actual details, IT Administrator has to de-anonymize the same. To de-anonymize, approval from one of the authorizers configured on the Configure > System Services > Data Anonymization page is required.

Data Anonymization Setting

Enable data anonymization so that an IT administrator cannot view or download user-specific activities, logs or reports without approval. Apart from the IT administrator, at least one independent authorizer with administrative privileges is required.

Once enabled:

1. All the user identities - username, IP address (IPv4 / IPv6), MAC address and email address in all logs /activities / reports are anonymized.

2. If an IT administrator wants to de-anonymize above mentioned user details, approval is required from at least one of the Authorizers.

3. Similarly, to disable data anonymization, approval from at least one of the Authorizers is required.

Note: To enable/disable data anonymization if you are logged in as one of the Authorizers, approval from at least one of the other Authorizers is required.

This section provides the following options:

Enable Data Anonymization

Click to enable Data Anonymization.

Select Authorizer

Administrator List displays all the administrators.

• Click the check-box given under Select Authorizer menu to select the administrator. All the selected administrators are displayed under Selected Authorizer list.


Exceptions

This section allows to de-anonymize all the user identities - Username, IP Address, MAC Address and Email Address in all logs /activities / reports.

Depending on whether you want to de-anonymize the user identities in all logs /activities / reports or in particular log /activity / report, there are two ways to de-anonymize the user identities:

• From Data Anonymization page

• From Log Viewer page or Reports module

Follow the steps below to de-anonymize all the user identities - Username, IP Address, MAC Address and Email Address in all logs /activities / reports:

1. Select Username(s) to be de-anonymized from user(s) listed under the User parameter.

2. Specify IP Address(s) (IPv4 / IPv6) to be de-anonymized.

3. If required, specify MAC Address(s) and Email Address(s) to be de-anonymized from Advanced Settings section.

4. Click Apply. An Authorization Window shall pop-up. Given below are the parameters and their description:

a. User Name: Select the Authorizer configured from Configure > System Services > Data Anonymization page.

b. Password: Specify password for the selected Authorizer and click OK.

5. Once approved, user identities in all logs and reports are decrypted and displayed with the actual user details.


Figure 434: Exceptions

From Log Viewer page or Reports module

Follow the steps below to de-anonymize a particular user identity in a particular log /activity / report:

1. To access the Log Viewer page, go to Log Viewer. Alternatively, you can view a report containing anonymized (encrypted) user identities from the Reports module.

2. Click the icon against an anonymized (encrypted) string. A new window titled De-Anonymize shall pop up.

Given below are the parameters and their description:

a. Anonymized String: Displays the encrypted string. This is the string you want to decrypt.

b. De-Anonymized String: Displays the decrypted user identity i.e. actual user identity detail.

Note: This field is displayed blank until you specify password for the selected Authorised Username and click OK. Once approved, user identity in the log / report is decrypted and displayed with the actual user detail.

c. Authorised Username: Displays the Authorizer list configured from Configure > System Services > Data Anonymization page. Select the desired Authorizer from the drop-down list.


Note: If you are logged in as one of the Authorizers, the drop-down list does not display your Username. Otherwise, all the Authorizers are displayed.

d. Password: Specify password for the selected Authorizer.

e. De-Anonymize: Select the desired option:

• For this Search: Select to de-anonymize the user identity from the anonymized (encrypted) string selected in step 2, for this particular search only.

• Session: Select to de-anonymize the user identity from the anonymized (encrypted) string selected in step 2, until you log out of the Admin Console.

• Permanently: Select to permanently de-anonymize the user identity from the anonymized (encrypted) string selected in step 2.

Note: This is similar to the first method, i.e. de-anonymizing the user identities from the De-Anonymize page, where all the user identities in all logs and reports are decrypted and displayed with the actual user details.

f. Type: The drop-down list displays the type of user identity. Possible options are:

• Username

• IP Address

• MAC Address

• Email Address

Note: By default, it displays the user identity associated with the anonymized (encrypted) string selected in step 2. For example, if the anonymized string is a Host, the type is displayed as IP Address.

3. Click Save. The De-Anonymized String should now display the decrypted user identity i.e. actual user identity detail.

4. Click Cancel to close the De-Anonymize window. Now the selected log / report should display the decrypted user identity in place of the Anonymized String.
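The following Python script is an added example and not Sophos code; it models the control described in the Data Anonymization section rather than the firewall's implementation. Identities in a log record are replaced by keyed tokens (HMAC-SHA256 with a reverse lookup table stands in for the device's encryption), and turning a token back into an identity, or switching anonymization off, requires a configured authorizer, who cannot be the requesting administrator, to present a valid password. The administrators, passwords, key and log record are constructed for the example.

```python
"""Anonymize identities in log records; reveal them only with authorizer approval.

Added example, not Sophos code. A keyed HMAC token plus a reverse table models
the "encrypted" identities the page describes; PBKDF2 stores the administrator
passwords. Every name, password, key and record below is constructed.
"""
import hashlib
import hmac
import secrets

IDENTITY_FIELDS = {"user": "Username", "src_ip": "IP Address",
                   "mac": "MAC Address", "email": "Email Address"}


def _pw_record(password, salt=None):
    """Salted PBKDF2 hash for storing an administrator password."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Anonymizer:
    def __init__(self, key, admins, authorizers):
        self._key = key                                    # device-held secret
        self._reverse = {}                                 # token -> (type, identity)
        self._admins = {u: _pw_record(p) for u, p in admins.items()}
        self._authorizers = set(authorizers)
        if not self._authorizers <= set(self._admins):
            raise ValueError("authorizers must be administrators")
        self.enabled = True

    def _token(self, kind, value):
        mac = hmac.new(self._key, ("%s:%s" % (kind, value)).encode(), hashlib.sha256)
        token = mac.hexdigest()[:16]
        self._reverse[token] = (kind, value)
        return token

    def anonymize(self, record):
        """Return a copy of the record with every identity field tokenized."""
        if not self.enabled:
            return dict(record)
        out = dict(record)
        for field, kind in IDENTITY_FIELDS.items():
            if field in out:
                out[field] = self._token(kind, out[field])
        return out

    def _approve(self, requester, authorizer, password):
        """Two-person rule: a listed authorizer other than the requester must
        authenticate. Raises PermissionError otherwise."""
        if authorizer not in self._authorizers:
            raise PermissionError("%s is not an authorizer" % authorizer)
        if authorizer == requester:
            raise PermissionError("an authorizer cannot approve their own request")
        salt, expected = self._admins[authorizer]
        if not hmac.compare_digest(expected, _pw_record(password, salt)[1]):
            raise PermissionError("authorizer password rejected")

    def deanonymize(self, token, requester, authorizer, password):
        """Reveal the (type, identity) behind a token after authorizer approval."""
        self._approve(requester, authorizer, password)
        return self._reverse[token]

    def disable(self, requester, authorizer, password):
        """Turning anonymization off needs the same approval."""
        self._approve(requester, authorizer, password)
        self.enabled = False


def denied(action, *args):
    """True if `action(*args)` is refused by the two-person rule."""
    try:
        action(*args)
    except PermissionError:
        return True
    return False


# Constructed setup: two administrators, one of them the independent authorizer.
DEVICE = Anonymizer(
    key=b"constructed-device-key-not-for-production",
    admins={"itadmin": "Adm1n-pass", "auditor": "Aud1t-pass"},
    authorizers=["auditor"],
)
RAW_RECORD = {"ts": "2017-07-01 12:00:00", "user": "alice", "src_ip": "10.0.0.5",
              "mac": "00:11:22:33:44:55", "email": "alice@example.com", "action": "allowed"}
MASKED_RECORD = DEVICE.anonymize(RAW_RECORD)

if __name__ == "__main__":
    print("masked:", MASKED_RECORD)
    print("revealed:", DEVICE.deanonymize(MASKED_RECORD["user"], "itadmin", "auditor", "Aud1t-pass"))
    print("self-approval refused:", denied(DEVICE.deanonymize, MASKED_RECORD["user"], "auditor", "auditor", "Aud1t-pass"))
```

The token is deterministic for a given key, so the same user appears under the same pseudonym across logs and reports and can still be correlated without being identified; the requester-is-not-authorizer check is the same rule the De-Anonymize window enforces by hiding your own username from the authorizer list.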

Traffic Shaping

The Traffic Shaping tab displays a list of predefined and custom policies and provides the option to create a new traffic shaping policy, schedule traffic shaping policies, update parameters or delete policies.

You can also clone a policy. Select an existing policy and click the icon to create a copy of the selected policy.

You can edit the cloned policy as per your requirements.

Create New Traffic Shaping Policy

This page describes how to quickly configure a new traffic shaping policy. All the bandwidth-related data are displayed only in KBps (1000 bytes per second).

1. Go to System > Profiles > Traffic Shaping and click Add.

2. Specify the Traffic Shaping Policy details.

Name

Specify a unique name for the Policy.

Policy Association

Select an option to specify for whom the policy is to be created.

Available Options:

Users: Restricts the bandwidth for a particular user or for a user group.

Rules: Restricts the bandwidth of any entity to which the firewall rule is applied.

Web Categories: Restricts the bandwidth for the URLs categorized under the web categories.

Applications: Restricts the bandwidth for the applications categorized under the application categories.

Rule Type

Select the type of policy.

Available Options:

Limit: In this type of policy, the user cannot exceed the defined bandwidth limit.

Guarantee: In this type of policy, the user is allocated the guaranteed amount of bandwidth and can draw bandwidth up to the defined Limit, if available.

This enables fixed minimum and maximum amounts of bandwidth to be assigned to users. By borrowing excess bandwidth when available, users can burst above their guaranteed minimum, up to the defined Limit. Guaranteed rates also assure critical users a constant minimum level of bandwidth during peak and non-peak traffic periods.

Guarantee represents the minimum guaranteed bandwidth and Limit represents the maximum bandwidth that the user can use, if available.

Limit Upload/Download Separately

Select from the available options.

Available Options:

Disable: Limits total (upload + download) bandwidth.

Enable: Limits upload and download bandwidth separately.

Priority

Set the bandwidth priority. Priority can be set from 0 (highest) to 7 (lowest) depending on the traffic required to be shaped.

0 - Real Time, for example VOIP

1 - Business Critical

2 to 5 - Normal

6 - Bulky, for example FTP

7 - Best Effort, for example P2P

By default, priority is given to real-time traffic.

Note: If the administrator does not want this preference, it can be disabled from the Configure > System Services > Traffic Shaping Settings page.

If Optimize for Real-Time (VoIP) under Configure > System Services > Traffic Shaping Settings is disabled, priority applies only to excess bandwidth, i.e. bandwidth remaining after guaranteed bandwidth allocation.

If Optimize for Real-Time (VoIP) under Configure > System Services > Traffic Shaping Settings is enabled, real-time traffic (Traffic Shaping policies with priority 0) such as VOIP is given precedence over all other traffic.

Because real-time traffic takes precedence, some non-real-time traffic may not receive its minimum guaranteed bandwidth. Specifically, if the sum of the Limit (maximum allowed) values of all Traffic Shaping policies (real-time and non-real-time) is greater than the Total Available WAN Bandwidth, the guaranteed bandwidth of the real-time policies is fulfilled but non-real-time policies might not get their minimum guaranteed bandwidth.

Limit (in KBps) (only if Rule Type is Limit and Limit Upload/Download Separately is disabled)

Specify the allowed total bandwidth.

Total bandwidth range: 2 – 2560000 KBps

Limit bandwidth should be greater than or equal to guaranteed bandwidth.

Upload Bandwidth (in KBps) (only if Rule Type is Limit and Limit Upload/Download Separately is enabled)

Specify the upload bandwidth.

Total bandwidth range: 2 – 2560000 KBps

Download Bandwidth (in KBps) (only if Rule Type is Limit and Limit Upload/Download Separately is enabled)

Specify the download bandwidth.

Total bandwidth range: 2 – 2560000 KBps


Guarantee - Limit (in KBps) (only if Rule Type is Guarantee and Limit Upload/Download Separately is

disabled)

Specify the range for guaranteed bandwidth limit.

Total bandwidth range: 2 – 2560000 KBps

Guarantee - Limit Upload (in KBps) (only if Rule Type is Guarantee and Limit Upload/Download

Separately is enabled)

Specify the range for guaranteed upload bandwidth.

Total bandwidth range: 2 – 2560000 KBps

Guarantee - Limit Download (in KBps) (only if Rule Type is Guarantee and Limit Upload/Download Separately is enabled)

Specify the range for guaranteed download bandwidth.

Total bandwidth range: 2 - 2560000 KBps

Bandwidth Usage Type

Select the type of bandwidth usage.

Available Options:

• Individual: Allocated bandwidth is for the particular User/Rule/Web Category/Application only.

• Shared: Allocated bandwidth is shared among all the Users/Rules/Web Categories/Applications who have been assigned this policy.

Description

Specify a description for the policy.


Figure 435: Add Traffic Shaping (QoS) Policy

3. Click Add under Add Schedule wise Traffic Shaping Policy Details to override the default Traffic Shaping Policy details. Refer to Schedule Traffic Shaping Policy for details.

4. Click Save.
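As an added example (not Sophos code), the following Python models the field checks above (range, Limit >= Guarantee) and the two allocation orders described for Optimize for Real-Time, so that a planned set of policies can be checked for guarantee shortfalls before it is applied. The policy objects, the "lower number is served first" ordering of non-real-time priorities and the sample figures are assumptions.

```python
from dataclasses import dataclass

KBPS_MIN, KBPS_MAX = 2, 2_560_000          # Total bandwidth range from the field descriptions


@dataclass
class ShapingPolicy:
    name: str
    rule_type: str                         # "Limit" or "Guarantee"
    limit_kbps: int                        # Limit (max allowed)
    guarantee_kbps: int = 0                # Guarantee; ignored for rule_type "Limit"
    priority: int = 4                      # 0 = real-time; assumption: lower number is served first


def validate(policy: ShapingPolicy) -> list[str]:
    """Field-level checks stated above: range 2..2560000 KBps and Limit >= Guarantee."""
    errors = []
    if not KBPS_MIN <= policy.limit_kbps <= KBPS_MAX:
        errors.append(f"{policy.name}: Limit out of range {KBPS_MIN}-{KBPS_MAX} KBps")
    if policy.rule_type == "Guarantee":
        if not KBPS_MIN <= policy.guarantee_kbps <= KBPS_MAX:
            errors.append(f"{policy.name}: Guarantee out of range {KBPS_MIN}-{KBPS_MAX} KBps")
        if policy.limit_kbps < policy.guarantee_kbps:
            errors.append(f"{policy.name}: Limit must be greater than or equal to guaranteed bandwidth")
    return errors


def allocate(policies, total_kbps: int, optimize_realtime: bool) -> dict[str, int]:
    """Share a saturated link of total_kbps among policies that all demand their full Limit.

    optimize_realtime=True : priority-0 (real-time) policies are served first, up to their Limit,
                             then every policy's Guarantee, then excess bandwidth by priority.
    optimize_realtime=False: every policy's Guarantee is served first; priority only orders the
                             excess bandwidth that remains.
    """
    remaining = total_kbps
    alloc = {p.name: 0 for p in policies}
    by_priority = sorted(policies, key=lambda p: p.priority)   # stable: ties keep list order

    def give(policy, amount):
        nonlocal remaining
        amount = min(amount, policy.limit_kbps - alloc[policy.name], remaining)
        alloc[policy.name] += amount
        remaining -= amount

    if optimize_realtime:
        for p in by_priority:
            if p.priority == 0:
                give(p, p.limit_kbps)          # real-time traffic takes precedence over all other traffic
    for p in by_priority:
        give(p, p.guarantee_kbps)              # minimum guaranteed bandwidth
    for p in by_priority:
        give(p, p.limit_kbps)                  # excess bandwidth, highest priority first
    return alloc


def guarantee_shortfall(policies, total_kbps: int, optimize_realtime: bool) -> list[str]:
    """Names of Guarantee policies that end up below their minimum guaranteed bandwidth."""
    alloc = allocate(policies, total_kbps, optimize_realtime)
    return [p.name for p in policies
            if p.rule_type == "Guarantee" and alloc[p.name] < p.guarantee_kbps]


if __name__ == "__main__":
    # Constructed sample: the sum of Limits (15000 KBps) exceeds the 10000 KBps link,
    # which is exactly the situation the note above warns about.
    policies = [
        ShapingPolicy("voip", "Guarantee", limit_kbps=6000, guarantee_kbps=4000, priority=0),
        ShapingPolicy("web", "Guarantee", limit_kbps=5000, guarantee_kbps=3000, priority=3),
        ShapingPolicy("backup", "Guarantee", limit_kbps=4000, guarantee_kbps=2000, priority=6),
    ]
    for p in policies:
        assert not validate(p)
    for mode in (True, False):
        print("Optimize for Real-Time:", mode, allocate(policies, 10000, mode),
              "below guarantee:", guarantee_shortfall(policies, 10000, mode))
```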

Schedule Traffic Shaping Policy

This page describes how to schedule a traffic shaping policy. All the bandwidth-related data are displayed only in KBps (1000 bytes per second).


The page allows you to add a schedule-wise traffic shaping policy to override default traffic shaping policy details.

1. Go to System > Profiles > Traffic Shaping.

2. Click on the icon of the requested policy.

3. Click Add.

4. Specify the Traffic Shaping Policy details.

Name

Displays the policy name.

Rule Type

Displays the default policy type set at the time of creation of policy. Modify if required.

Note: The configured policy type will override the default policy and will be applicable only for the selected scheduled time interval.

Limit Upload/Download Separately

Displays the default implementation strategy set at the time of creation of the policy. Modify if required.

Note: The configured policy type will override the default policy and will be applicable only for the selected scheduled time interval.

Limit (in KBps) (only if Rule Type is Limit and Limit Upload/Download Separately is disabled)

Displays the allocated total bandwidth. Modify if required.

Note: The modified bandwidth restriction is applicable only for the selected time interval.

Upload Bandwidth (in KBps) (only if Rule Type is Limit and Limit Upload/Download Separately is enabled)

Displays the allocated individual upload bandwidth. Modify if required.

Note: The modified bandwidth restriction is applicable only for the selected time interval.

Download Bandwidth (in KBps) (only if Rule Type is Limit and Limit Upload/Download Separately is enabled)

Displays the allocated individual download bandwidth. Modify if required.

Note: The modified bandwidth restriction is applicable only for the selected time interval.

Guarantee - Limit (in KBps) (only if Rule Type is Guarantee and Limit Upload/Download Separately is disabled)

Displays the range for the total guaranteed bandwidth. Modify if required.

Total bandwidth range: 2 – 2560000 KBps

Guarantee - Limit Upload (in KBps) (only if Rule Type is Guarantee and Limit Upload/Download Separately is enabled)

Displays the range for the guaranteed upload bandwidth. Modify if required.

Total bandwidth range: 2 – 2560000 KBps

Guarantee - Limit Download (in KBps) (only if Rule Type is Guarantee and Limit Upload/Download Separately is enabled)

Displays the range for the guaranteed download bandwidth. Modify if required.

Total bandwidth range: 2 - 2560000 KBps

Schedule

Select a schedule from the available list during which the traffic shaping policy will be applied.

Only recurring schedule can be applied.

If you are not sure about the schedule details, check Schedule to view the details.


Figure 436: Add Traffic Shaping (QoS) Policy Detail

5. Click Save.

Services

Services page allows you to view and manage the status of configured services.

You can view the current status and manage all the configured services:

• Anti-Spam

• Anti-Spam Center Connectivity

• Anti-Virus

• Authentication

• DNS Server

• IPS

• Web Proxy

• WAF

• DHCP Server

• DHCPv6 Server

• Router Advertisement Service

• Hotspot

Parameters

Services

Name of the configured service.

Status

Current status of the service.

Manage

Click to start or stop or restart the respective service.

Actions

Start

Start the service whose status is Stopped.

Stop Button

Stop the service whose status is Running.

Restart Button

Restart service: Only for authentication service and web proxy service.

Status

No Web Server configured

Indicates that no web server is configured.

Note: The Start button is disabled in this case.

Connected

Displayed when Internet connectivity is available for the gateway.

Running

Indicates that service has successfully started.

Disconnected

Displayed when Internet connectivity is unavailable for the gateway.

Stopped

Displayed when a service is stopped or when the respective subscription module is not subscribed.


Figure 437: Services

Related concepts

Services

on page 404

This page allows you to configure authentication for firewall, VPN and admin traffic.

IPS Policies

on page 120

This page displays the list of all the pre-defined and custom IPS policies.

Authentication Policies

on page 242

The Authentication Policies menu allows you to configure policies for direct authentication.

IPv6 Router Advertisement

on page 348

Hotspots

on page 168

The Hotspots menu allows you to enable the Hotspots feature and define users who are allowed to view and distribute hotspot access information.

System

Profiles

This section covers the following topics:


Schedule

- Schedule defines a time schedule for applying Firewall Rule or Web & Application Filter policy. This page displays a list of schedules and also provides various options to manage it.

Access Time

- Schedule Internet access for individual users by defining Access Time policy. This page displays list of all the default as well as custom policies.

Surfing Quota

- Control individual user surfing time by defining Surfing Quota policy. This page displays the list of all policies and also provides option to add, update or delete surfing quota policies.

Network Traffic Quota

- Limit total as well as individual upload and/or download data transfer by defining Network Traffic Quota. This page displays default as well as custom policies. The page also provides option to manage these policies.

Network Address Translation

- The Network Address Translation page displays a list of all the NAT policies and you can sort the list based on policy name. The page also provides option to add a new policy, update the parameters of the existing policy, or delete a policy.

Traffic Shaping

- Traffic Shaping policy allocates & limits the maximum bandwidth usage of the user and controls the web and network traffic. This page displays list of predefined and custom policies and also provides various options to manage it.

Device Access

- This page shows the default and custom profiles and also provides options to manage these profiles.

Schedule

Schedules allow you to control the time period for which firewall rules and web and application filter policies are in effect. Create schedules for specific time periods and days of the week. You can then apply these schedules to the rules and policies. A schedule also controls the system-triggered Rogue AP Scan.

Predefined and custom schedules can be applied to rules and policies. The device is shipped with the following predefined schedules:

• Work hours (5 Day week)

• Work hours (6 Day week)

• All Time on Weekdays

• All Time on Weekends

• All Time on Sunday

• All Days 10:00 to 19:00

Types of Schedules

Recurring: Policy recurs during the specified time periods on specified days of the week.

One-time: Policy is effective once during the specified days and time period. You can apply one-time schedules to control policies related to one-time events like conferences and guest user access. One-time schedules cannot be applied to web and application policies. Hence, they are not visible on these pages.

The schedule page displays the full list of predefined and custom policies.

• You cannot delete a schedule that is currently applied to a policy. To do so, you must apply a different schedule to the policy or delete the policy itself.

• To view the policies to which a schedule is attached, to apply a schedule to a policy or to change the applied schedule, go to the corresponding policy page.

• For details of policies and rules to which the schedule can be applied, view the following diagram.

Add a New Schedule

The device allows you to add a custom schedule. This can be applied to firewall rules and web and application filter policies to specify the time period and days of the week during which they are effective.

The Add Schedule page allows you to add a new schedule.

1. Go to System > Profiles > Schedule and click Add on the upper right side.

2. Enter the details.

Name

Enter a unique name to identify the schedule.

Description

Enter a description for the schedule.

Recurrence

Click to choose the type of recurrence.


Available Options:

• Recurring: Makes the policy recur during the specified time periods on specified days of the week. Select the days of the week. Specify the start time and stop time of the schedule. Stop time cannot be earlier than the start time.

• One Time: Makes the policy effective once during the specified days and time period. You can apply it to a policy on the Policies page. Click on +Add Firewall Rule and select User / Network Rule. One time schedules cannot be applied to web and application policies. Hence, they are not visible on these pages.

Start Date & End Date (Available only if Recurrence selected is One Time)

Select both date and time in the corresponding calendars. To specify a different start and stop time for a particular day within the range, select the day of the week from the drop-down list. Specify the start time and stop time. Stop time cannot be earlier than the start time.


Figure 438: Add Schedule

3. Click Save.

Access Time

Access time enables you to Allow or Deny Internet access during a predefined time period and days of the week.

While Schedule allows you to define the time period and the days of the week for a firewall rule or web and application filter policies, access time allows you to apply an Allow or Deny policy to the selected schedule.

Two Access Time options are available:

Allow: Allows access during the selected schedule

Deny: Denies access during the selected schedule

The device is shipped with the following predefined Access Time policies:

• Allowed all the time

• Denied all the time

• Allowed only during work hours (5 day week)

• Denied during work hours (5 day week)

You can create custom access time policies to define differing levels of Internet access for different users and groups based on existing schedules. The access time page displays the full list of predefined and custom policies.

Note:

1. You can alter only the description and schedule of an existing policy. To change the schedule of an access time policy, it is recommended that you create a new policy to ensure that the selected schedule matches the Name of the policy.

2. Access time policies can be applied only to recurring schedules. Hence, one time schedules do not appear in the drop-down list.

3. Users generally belong to a group. If the access time policy applied to the user differs from the one applied to the user’s group, the user’s policy takes priority.

4. For details of policies and rules to which the schedule can be applied, view the following diagram.


Add a New Access Time Policy

To allow or deny Internet access to users or a group of users during specific time periods and days of the week, you can create access time policies. These policies are applied to existing schedules (Profiles > Schedule), users (Authentication > Users) and groups (Authentication > Groups). You can create custom schedules on Profiles > Schedule.

The Add Access Time Policy page allows you to add an access time policy.

1. Go to Objects > Policies > Access Time and click Add on the upper right side.

2. Enter the details.

Name

Enter a unique name to identify the policy.

Description

Enter the policy description.

Action

Click to choose the action to apply to the scheduled time period.

Available Options:

• Allow: Allows Internet access during the scheduled time period.

• Deny: Denies Internet access during the scheduled time period.

Schedule

Select a schedule from the available options. You can apply access time policies only to recurring schedules. Hence, one time schedules do not appear in the drop-down list.

Available Options:

• All the Time

• Work hours (5 Day Week)

• Work hours (6 Day Week)

• All time on Weekdays

• All time on Weekends

• All time on Sunday

Based on the chosen action, Internet access is allowed or denied during the scheduled time period.

Note: Changes made in the access time policy become effective the instant you click Save.


Figure 439: Add Access Time Policy

3. Click Save.
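As an added example (not Sophos code), the following Python models the two schedule types described above and the Access Time rules (recurring schedules only, stop time not earlier than start time, user policy takes priority over group policy). It assumes that an Allow policy permits access only while its schedule is active and a Deny policy blocks only while it is active, as the predefined policy names suggest; the 09:00 to 18:00 work-hours window and all identifiers are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Optional

WEEKDAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")


@dataclass
class Schedule:
    name: str
    recurrence: str                                  # "Recurring" or "One Time"
    days: frozenset = frozenset()                    # Recurring: selected days of the week
    start: time = time(0, 0)                         # Recurring: start/stop time
    stop: time = time(23, 59)
    start_date: Optional[datetime] = None            # One Time: Start Date & End Date (date and time)
    end_date: Optional[datetime] = None
    per_day: dict = field(default_factory=dict)      # One Time: day -> (start, stop) override

    def validate(self) -> list[str]:
        """Checks stated above: stop not earlier than start, a valid date range for One Time."""
        errors = []
        for s, e in [(self.start, self.stop), *self.per_day.values()]:
            if e < s:
                errors.append("Stop time cannot be earlier than the start time")
        if self.recurrence == "One Time":
            if self.start_date is None or self.end_date is None or self.end_date < self.start_date:
                errors.append("One Time schedule needs a valid Start Date and End Date")
        elif not self.days:
            errors.append("Recurring schedule needs at least one day of the week")
        return errors

    def is_active(self, at: datetime) -> bool:
        day = WEEKDAYS[at.weekday()]
        if self.recurrence == "One Time":
            if not (self.start_date <= at <= self.end_date):
                return False
            s, e = self.per_day.get(day, (time(0, 0), time(23, 59)))   # per-day override if set
            return s <= at.time() <= e
        if day not in self.days:
            return False
        return self.start <= at.time() <= self.stop


@dataclass
class AccessTimePolicy:
    name: str
    action: str                                      # "Allow" or "Deny"
    schedule: Schedule

    def validate(self) -> list[str]:
        errors = []
        if self.schedule.recurrence != "Recurring":
            errors.append("Access time policies can be applied only to recurring schedules")
        if self.action not in ("Allow", "Deny"):
            errors.append("Action must be Allow or Deny")
        return errors

    def allows(self, at: datetime) -> bool:
        """Assumption: Allow grants access only inside the schedule, Deny blocks only inside it."""
        active = self.schedule.is_active(at)
        return active if self.action == "Allow" else not active


def internet_allowed(at: datetime, user_policy: Optional[AccessTimePolicy],
                     group_policy: Optional[AccessTimePolicy]) -> bool:
    """The user's own policy takes priority over the group's; with neither, access is allowed."""
    policy = user_policy or group_policy
    return True if policy is None else policy.allows(at)


# Constructed counterparts of the predefined schedule and access time policies named above.
WORK_HOURS = Schedule("Work hours (5 Day week)", "Recurring", frozenset(WEEKDAYS[:5]),
                      time(9, 0), time(18, 0))
ALLOW_WORK = AccessTimePolicy("Allowed only during work hours (5 day week)", "Allow", WORK_HOURS)
DENY_WORK = AccessTimePolicy("Denied during work hours (5 day week)", "Deny", WORK_HOURS)

if __name__ == "__main__":
    wed_10 = datetime(2017, 7, 12, 10, 0)            # a Wednesday, inside work hours
    print("user Deny overrides group Allow:", internet_allowed(wed_10, DENY_WORK, ALLOW_WORK))
    print("group Allow only:", internet_allowed(wed_10, None, ALLOW_WORK))
```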

Surfing Quotas

Surfing quota policy allows you to assign the duration of Internet surfing time to users and groups.

• Duration of Internet access can be cyclic or non-cyclic.

• You can apply the surfing quota policy to users.

The device is shipped with the following predefined policies. Predefined policies can be applied straight away to users and groups.

• Unlimited Internet Access

• 1 Month Unlimited Access

• 1 Month 100 hours

• Monthly 100 hours Cyclic

• Daily 1 hour Cyclic

• Weekly 7 hours Cyclic

Note:

1. Users generally belong to a group. If the surfing quota policy applied to the user differs from the one applied to the user’s group, the user’s policy takes priority.

2. For details of policies and rules to which the surfing quota policy can be applied, view the following diagram.


Add Surfing Quota

To assign the duration of Internet surfing time to users and groups, you can create surfing quota policies. These policies are then applied to users (Configure > Authentication > Users) and groups (Configure > Authentication > Groups).

The Add Surfing Quota Policy page allows you to create a surfing quota policy.

1. Go to Protect > Web > Surfing Quotas or System > Profiles > Surfing Quotas and click Add on the upper right side.

Note: Surfing Quota policies can also be created when applying the policy to users or groups from the respective pages. The Surfing Quota page displays the full list of predefined and custom policies.

2. Enter the details.

Name

Enter a unique name to identify the policy.

Description

Enter a description for the surfing quota policy.

Cycle Type

Select the cycle type.

Available Options:

• Cyclic: Duration of Internet access recurs for each cycle.

• Non-Cyclic: When the specified time limit ends, the user is disconnected.

Cycle Hours (available only if Cycle Type is Cyclic)

Specify the cycle hours in hours and minutes. Select the cycle from the drop-down list. Cycle hours define the upper limit of surfing hours for daily, weekly, monthly or yearly cycles.

At the end of each cycle, cycle hours are reset to zero.

Example: If cycle hours specified are 7 hours 30 minutes for a daily cycle, they are reset to zero at the end of each day whether cycle hours are fully or partially used or remain unused.

Validity

Select Unlimited if you do not want to restrict the validity period. Clear the check box to specify the validity period of Internet access.

Maximum Hours

Select Unlimited if you do not want to restrict the maximum allowed surfing duration. Clear the check box to specify the maximum duration (in hours and minutes) of surfing time allowed across the validity period.

Example: Cyclic Policy

Cycle Hours: 5 hours per day

Validity: 5 days

Maximum Hours: 20 hours

If the user accesses Internet for 5 hours each day, the user will have used 20 hours of Internet access by the end of the fourth day and hence will be disconnected.

Example: Non-Cyclic Policy

Validity: 10 days

Maximum Hours: 10 hours

The user is disconnected at the end of 10 hours even if the validity period does not expire.


Figure 440: Add Surfing Quota Policy

3. Click Save.

Network Traffic Quota

The device offers two types of controls to limit bandwidth usage:

• Network Traffic Quota allows you to specify the data transfer limit. Example: User X is limited to 10 GB data transfer in a week.

• Traffic Shaping Policy (Configure > System Services > Traffic Shaping) allows you to control the speed of data transfer. Example: User X receives guaranteed 1 Mbps bandwidth during work hours.

Use the network traffic quota policy to specify differing types and levels of data transfer controls. Data transfer limits can be cyclic or non-cyclic. These can be based on:

• Total Data transfer (Upload + Download)

• Individual limits for Upload and Download

The device is shipped with the following predefined policies:

• 100 MB Total Data Transfer policy

• Daily 10 MB

Predefined policies are available for immediate use. You can create custom policies to specify differing data transfer limits to different users and groups.

For the policy to take effect, you must apply the network traffic quota policy to users (Configure > Authentication > Users) or groups (Configure > Authentication > Groups). Users generally belong to a group. If the network traffic quota policy applied to the user differs from the one applied to the user's group, the user's policy takes priority.

Create a New Network Traffic Quota Policy

To control data transfer by users and groups, you can create network traffic quota policies. For the policy to take effect, you must then apply it to users (Configure > Authentication > Users) and groups (Configure > Authentication > Groups).

You can create the following types of policies:

Total Network Traffic - Cyclic Policy

Total Network Traffic - Non-Cyclic Policy

Individual Network Traffic - Cyclic Policy

Individual Network Traffic - Non-Cyclic Policy

1. Go to System > Profiles > Network Traffic Quota and click Add on the upper right side.

2. Enter the details.

Name

Enter a unique name to identify the policy.

Description

Enter a description for the network traffic quota policy.

Restriction Based On

Click to select the restriction based on the following options:

Available Options:

• Total Network Traffic: Specifies a single limit for data upload and download.

• Individual Network Traffic (Upload and Download): Specifies different limits for data upload and download.

Cycle Type

Click to select the cycle type.

Available Options:

• Cyclic: Data transfer quota resets to zero at the beginning of each cycle. The user receives the full quota for each cycle. Unused quota is not carried forward to the next cycle.

• Non-Cyclic: When data transfer reaches the specified limit, the policy expires and the user is disconnected.

Note: To restart the user's Internet access, go to Configure > Authentication > Users and Reset User Accounting.

3. Based on the selection made in Restriction based on and Cycle Type, you can create any one of the following four types of policies:

a) Policy 1: Total Network Traffic - Cyclic Policy

Cycle Period

Select the cycle period from the drop-down list. Cycle period specifies the duration of cyclic policies, that is, day, week, month and year.

Cycle Network Traffic

Specify the network traffic limit (in MB) per cycle. It specifies the data transfer allowed during each cycle to the user. When data transfer reaches the limit, the user is disconnected.

Maximum Network Traffic

By default, the check box is selected to Unlimited and no restriction is placed on the maximum data transfer for the duration of the policy. Clear the check box to specify the maximum data transfer (in MB) allowed by the policy. When total data transfer reaches this limit, the user is disconnected.

Example: Cycle Period: Week

Cycle Network Traffic: 5 MB (5 MB data transfer is allocated to the user each week. The user is disconnected when this limit is reached during the week.)

Maximum Network Traffic: 10 MB (10 MB data transfer is allocated to the user for the duration of the policy. The user is disconnected when this limit is reached.)


Figure 441: Total Network Traffic - Cyclic Policy

b) Policy 2: Total Network Traffic - Non-Cyclic Policy

Maximum Network Traffic

By default, the check box is selected to Unlimited and no restriction is placed on the maximum data transfer for the duration of the policy. Clear the check box to specify the maximum data transfer (in MB) allowed by the policy. When total data transfer reaches this limit, the user is disconnected.

Figure 442: Total Network Traffic - Non-Cyclic Policy

c) Policy 3: Individual Network Traffic - Cyclic Policy

Cycle Period

Select the cycle period from the drop-down list. Cycle period specifies the duration of cyclic policies, that is, day, week, month and year.

Cycle Upload Network Traffic

By default, the check box is selected to Unlimited and no restriction is placed on data upload during the cycle period. Clear the check box to specify the data upload limit (in MB) per cycle. The user cannot upload data once the cycle upload network traffic reaches the limit.

Cycle Download Network Traffic


By default, the check box is selected to Unlimited and no restriction is placed on data download during the cycle period. Clear the check box to specify the data download limit (in MB) per cycle.

The user cannot download data once the cycle download network traffic limit is reached.

Maximum Upload Network Traffic

By default, the check box is selected to Unlimited and no restriction is placed on data upload for the duration of the policy. Clear the check box to specify the maximum data upload allowed by the policy. The user cannot upload data once the upload network traffic limit is reached.

Example: Cycle Period: Week

Cycle Upload Network Traffic: 5 MB (5 MB data upload is allocated to the user each week. The user cannot upload data when this limit is reached during the week.)

Maximum Upload Network Traffic: 10 MB (10 MB data upload is allocated to the user for the duration of the policy. The user cannot upload data when this limit is reached.)

Maximum Download Network Traffic

By default, the check box is selected to Unlimited and no restriction is placed on data download for the duration of the policy. Clear the check box to specify the maximum data download allowed by the policy. The user cannot download data once the download network traffic limit is reached.

Example: Cycle Period: Week

Cycle Download Network Traffic: 5 MB (5 MB data download is allocated to the user each week.

The user cannot download data when this limit is reached during the week.)

Maximum Download Network Traffic: 10 MB (10 MB data download is allocated to the user for the duration of the policy. The user cannot download data when this limit is reached.)


Figure 443: Individual Network Traffic - Cyclic Policy

d) Policy 4: Individual Network Traffic - Non-Cyclic Policy

Maximum Upload Network Traffic

By default, the check box is selected to Unlimited and no restriction is placed on data upload for the duration of the policy. Clear the check box to specify the maximum data upload allowed by the policy. The user cannot upload data once the upload network traffic limit is reached.

Maximum Download Network Traffic

By default, the check box is selected to Unlimited and no restriction is placed on data download for the duration of the policy. Clear the check box to specify the maximum data download allowed by the policy. The user cannot download data once the download network traffic limit is reached.


Figure 444: Individual Network Traffic - Non-Cyclic Policy

4. Click Save.

Note: Cycle Network Traffic limit cannot be greater than Maximum Network Traffic limit.
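The accounting behind the Surfing Quota examples (cycle hours, validity, maximum hours) and the Network Traffic Quota examples above is the same: a per-cycle allowance that resets, an overall maximum that expires the policy, and a validity period. The following added Python model (not Sophos code) serves both and reproduces the worked examples given in those sections; class and function names are assumptions, and a per-direction (upload/download) policy is simply two independent accounts.

```python
from dataclasses import dataclass
from math import inf
from typing import Optional


@dataclass
class QuotaPolicy:
    name: str
    unit: str                                  # "hours" (Surfing Quota) or "MB" (Network Traffic Quota)
    cycle_period_days: Optional[int] = None    # None -> Non-Cyclic; 1 day, 7 week, ...
    cycle_limit: Optional[float] = None        # allowance per cycle; None -> Unlimited
    max_limit: Optional[float] = None          # allowance across the validity period; None -> Unlimited
    validity_days: Optional[int] = None        # None -> Unlimited validity

    def validate(self) -> list[str]:
        """Checks stated above: a cycle limit may not exceed the maximum limit."""
        errors = []
        if self.cycle_period_days is not None and self.cycle_limit is None:
            errors.append("Cyclic policy needs a per-cycle limit")
        if self.cycle_period_days is None and self.cycle_limit is not None:
            errors.append("Non-Cyclic policy has no cycle limit")
        if (self.cycle_limit is not None and self.max_limit is not None
                and self.cycle_limit > self.max_limit):
            errors.append("Cycle limit cannot be greater than Maximum limit")
        return errors


@dataclass
class QuotaAccount:
    policy: QuotaPolicy
    used_in_cycle: float = 0.0
    used_total: float = 0.0
    days_elapsed: int = 0
    expired_reason: Optional[str] = None       # "quota" or "validity" once the policy has expired

    def remaining(self) -> float:
        """Allowance left right now: the tighter of the cycle and the overall maximum."""
        if self.expired_reason:
            return 0.0
        p = self.policy
        cycle_left = inf if p.cycle_limit is None else p.cycle_limit - self.used_in_cycle
        total_left = inf if p.max_limit is None else p.max_limit - self.used_total
        return max(0.0, min(cycle_left, total_left))

    def consume(self, amount: float) -> float:
        """Grant up to `amount` and return what was actually granted. Exhausting the cycle only
        blocks until the next cycle; reaching the maximum expires the policy (user disconnected)."""
        granted = min(amount, self.remaining())
        self.used_in_cycle += granted
        self.used_total += granted
        p = self.policy
        if p.max_limit is not None and self.used_total >= p.max_limit:
            self.expired_reason = "quota"
        return granted

    def end_of_day(self) -> None:
        """Advance the clock: reset the cycle counter when a cycle ends, expire when validity ends."""
        self.days_elapsed += 1
        p = self.policy
        if p.cycle_period_days and self.days_elapsed % p.cycle_period_days == 0:
            self.used_in_cycle = 0.0           # unused allowance is not carried forward
        if (p.validity_days is not None and self.days_elapsed >= p.validity_days
                and not self.expired_reason):
            self.expired_reason = "validity"


def simulate(policy: QuotaPolicy, daily_usage):
    """Replay per-day demands. Returns (reason, 1-based day the policy expired, total granted),
    or (None, None, total granted) if it never expired."""
    acct = QuotaAccount(policy)
    for day, demand in enumerate(daily_usage, start=1):
        acct.consume(demand)
        if acct.expired_reason:
            return acct.expired_reason, day, acct.used_total
        acct.end_of_day()
        if acct.expired_reason:
            return acct.expired_reason, day, acct.used_total
    return None, None, acct.used_total


if __name__ == "__main__":
    # The cyclic Surfing Quota example above: 5 h/day, validity 5 days, maximum 20 h.
    surf = QuotaPolicy("surfing 5h/day", "hours", cycle_period_days=1, cycle_limit=5,
                       max_limit=20, validity_days=5)
    print(surf.validate(), simulate(surf, [5] * 5))     # expires on day 4 with 20 h used
    # The cyclic Network Traffic Quota example: 5 MB per week, 10 MB maximum.
    net = QuotaPolicy("weekly 5 MB", "MB", cycle_period_days=7, cycle_limit=5, max_limit=10)
    print(net.validate(), simulate(net, [1] * 14))
```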

Network Address Translation

Network Address Translation (NAT) enables multiple hosts within your network to access Internet through a single public IP address. In doing so, NAT not only conserves the pool of public IP addresses, it also conceals the addressing scheme of your network.

When a client within the network sends a request to the Internet, the router forwards the request to the device. NAT translates the sender’s address to the device’s public IP address before forwarding the request to the Internet. When a response is received from an external source, NAT translates the public IP address into the client’s private IP address before forwarding the packet to the client.

The device is shipped with a predefined NAT policy named MASQ which cannot be updated or deleted. The MASQ policy automatically masquerades traffic using the IP address that is bound to the device’s WAN port.

For it to take effect, the NAT policy must be applied to a Firewall Rule (Protect > Firewall). For further details, go to User / Network Rule.

Device Access

The device allows you to create role-based administrator privileges which offer granular access control. It allows you to assign some of the super administrator's capabilities to others through Device Access Profiles. You can create profiles for special-purpose administrators based on their work role. Example: Policy administration, network administration, administration of logs.

The Profiles allow three categories of access control:

• None

• Read-Only

• Read-Write

The device is shipped with the following default profiles:

Administrator: Super administrator with full privileges. Administrator can create custom administrators and assign restricted or full privileges to them. Custom administrators with restricted privileges can update only their email address and password.

Audit Admin: Read-write privileges only to Logs & Reports.

Crypto Admin: Read-write privileges only for configuration of security certificate.

HAProfile: Read-only privileges. If High Availability (HA) is configured, administrators accessing the Admin Console of the auxiliary device have the privileges that are defined in the HA Profile.

Security Admin: Read-write privileges to all features, not including Profiles and Logs & Reports.

Note:

• You cannot modify or delete the default profiles.

• You cannot delete a profile that is currently assigned to an administrator.

Add Profile

The device allows you to create multiple administrator profiles with differing levels of access control.

1. Go to System > Profiles > Device Access and click Add.

2. Enter the profile details.

Profile Name

Enter a unique name to identify the profile.

Configuration

Click to select the level of access to be given to a profile. You can select from the following levels of access:

Available Options:

• None: No access to any page

• Read-Only: View the pages

• Read-Write: Modify the details

To set a common access level for all the menus, select the options at the top (None, Read-Only or Read-Write). To set different access levels, select the option against the menu.

Click on the left side of a menu to view the sub-menu. To set differing access levels for submenus, select the option against the sub-menu.

Example: If you set the access level to Read-Only against Licensing, the profile user can view the Licensing page but cannot make any modifications. To allow modifications, set the access level to Read-Write.

Note:

Access Denied page

When an administrator tries to access a page or perform an operation that is not allowed by the assigned profile, the Access Denied page is displayed.


Figure 445: Add Profile

3. Click Save.

Hosts and Services


Hosts and Services allows defining and managing system hosts and services.

This section covers the following topics:

IP Host

- The page displays the list of all dynamic and default hosts. The page also provides options to add a new host, update the existing host, or delete a host.

IP Host Group

- Host Group is a grouping of hosts. Security Policies can be created for the individual host or host groups. This page displays the list of all the host groups. It also provides options to manage these host groups.

MAC Host

- Device allows creating a host based on MAC Address. One can create a MAC Host of either a single MAC Address or multiple MAC Addresses. This page displays the list of all the available MAC hosts. The page also provides option to add a new MAC host, update the existing host, or delete a host.

FQDN Host

- This page displays the list of all the available FQDN host.

FQDN Host Group

- FQDN Host Group is a grouping of FQDN hosts. This page displays the list of all the available FQDN host groups.

Country Group

- Country Group is a grouping of Countries. Multiple countries can be selected to block or allow incoming traffic by using Country Group. This page displays the list of all the available Country groups.

Services

- You can use services to determine the types of traffic allowed or denied by the firewall. This page displays the list of all the default and custom services. It also provides options to manage services.

Service Group

- Service Group is a grouping of services. Custom and default services can be grouped in a single group. The page displays the list of all the default and custom groups.

IP Host

The IP Host page displays the list of all the dynamic hosts, default hosts and manually added hosts.

Hosts allow entities to be defined once and re-used in multiple places throughout the configuration. For example, consider an internal Mail Server with the IP Address 192.168.1.15. Rather than entering the IP Address repeatedly while configuring Security Policies or NAT Policies, you can create a single entity, Internal Mail Server, as a host name with the IP Address 192.168.1.15. This host, Internal Mail Server, can then be selected in any configuration that uses Host as a defining criterion.

By using host name instead of numerical address, you only need to make changes in a single location, rather than in each configuration where the IP Address appears.

Using hosts reduces the risk of entering incorrect IP Addresses, makes it easier to change IP Addresses, and increases readability.

You can group multiple entities performing the same function within a single hostname.

The IP Host page displays the list of all the dynamic hosts, which are automatically added on creation of VPN Remote Access connections (IPsec and SSL), the default hosts (IPv6 and IPv4) for remote access connections (##ALL_RW, ##WWAN1, ##ALL_IPSEC_RW and ##ALL_SSLVPN_RW), along with the manually added hosts. The page also provides option to add a new host, update the existing host, or delete a host.

Note:

• System hosts cannot be updated or deleted.

• Dynamic hosts which are automatically added on creation of VPN Remote Access connections cannot be deleted.

• Default hosts (IPv6 and IPv4) for remote access connection - ##ALL_RW, ##WWAN1, ##ALL_IPSEC_RW and ##ALL_SSLVPN_RW cannot be updated or deleted.

Add IP Host

Add IP Host allows you to assign a hostname to a network, IP address, range or list.

1. Go to System > Hosts and Services > IP Host and click Add.

2. Enter the hostname.

3. Select the IP Family.

Available Options:


• IPv4

• IPv6

4. Select the host Type.

Available Options:

• IP

• Network

• IP Range

• IP List (IP addresses which belong to different networks or are not within a range.)

5. If the selected host type is IP, Network or IP Range:

1. Enter the IP address, subnet or range based on the host type.

2. Select an IP Host Group or create a new one.

Note: A single host can be the member of multiple host groups. A host group cannot include both IPv4 and IPv6 hosts.

6. If the selected host type is IP List, enter the List of IP Addresses.

Note: Only Class B IP addresses can be added to an IP list. You can add or remove an IP address from the IP list.

Figure 446: Add IP Host

7. Click Save.

IP Host Group

The IP Host Group page displays the list of all the host groups.

Host Group is a grouping of hosts. Security policies can be created for the individual host or host groups.

Note: Dynamic host groups which are automatically added on creation of VPN Remote Access Connections cannot be deleted.

The page also provides option to add a new host group, update the parameters of the existing host group, add members to the existing host group, or delete a host group.

Add an IP Host Group

Use the Add IP Host Group page to create a new host group.

The Add IP Host Group page allows you to configure an IP host group.

1. Go to System > Hosts and Services > IP Host Group and click Add.

2. Enter IP host group details.

Name

Enter a name to identify the IP host group.

Description

Enter a description for the IP host group.

IP Family

Select the type of IP family from the options available:

Available Options:

• IPv4

• IPv6

Select Host

The host list displays all the hosts including default hosts. Click the corresponding checkbox(es) to select the host(s). A single host can be a member of multiple host groups. A group with both IPv4 and IPv6 hosts cannot be created.

Figure 447: Add IP Host Group

3. Click Save.

The IP host group has been created and appears on the IP Host Group page.
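As an added example (not code from this guide or from SF-OS), the following Python models the four IP Host types described above and the rule that a host group cannot mix IPv4 and IPv6 members; the class and function names are this example's own.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List


@dataclass
class IPHost:
    """One IP Host object: host_type is "IP", "Network", "IP Range" or "IP List"."""
    name: str
    host_type: str
    value: str                        # the text typed into the form
    family: int = field(init=False)   # 4 or 6, derived from the value

    def __post_init__(self):
        # Parse at creation time so a bad entry is rejected when the host is
        # defined, not later when a policy tries to match on it.
        if self.host_type == "IP":
            self._members = [ipaddress.ip_address(self.value)]
            self.family = self._members[0].version
        elif self.host_type == "Network":
            self._network = ipaddress.ip_network(self.value, strict=False)
            self.family = self._network.version
        elif self.host_type == "IP Range":
            lo, hi = (ipaddress.ip_address(p.strip()) for p in self.value.split("-"))
            if lo.version != hi.version or lo > hi:
                raise ValueError(f"invalid range {self.value!r}")
            self._range = (lo, hi)
            self.family = lo.version
        elif self.host_type == "IP List":
            # Addresses from different networks that are not expressible as one range.
            self._members = [ipaddress.ip_address(p.strip()) for p in self.value.split(",")]
            versions = {m.version for m in self._members}
            if len(versions) != 1:
                raise ValueError("an IP list must not mix IPv4 and IPv6 addresses")
            self.family = versions.pop()
        else:
            raise ValueError(f"unknown host type {self.host_type!r}")

    def contains(self, addr: str) -> bool:
        """True if addr falls inside this host object."""
        a = ipaddress.ip_address(addr)
        if a.version != self.family:
            return False
        if self.host_type == "Network":
            return a in self._network
        if self.host_type == "IP Range":
            return self._range[0] <= a <= self._range[1]
        return a in self._members


@dataclass
class IPHostGroup:
    name: str
    family: int                       # the group's IP Family, chosen at creation
    members: List[IPHost] = field(default_factory=list)

    def add(self, host: IPHost) -> None:
        # The documented constraint: a group cannot contain both IPv4 and IPv6 hosts.
        if host.family != self.family:
            raise ValueError(f"{host.name!r} is IPv{host.family}; group {self.name!r} is IPv{self.family}")
        self.members.append(host)

    def contains(self, addr: str) -> bool:
        return any(h.contains(addr) for h in self.members)


def is_valid_host(host_type: str, value: str) -> bool:
    """Validation helper: would the Add IP Host form accept this definition?"""
    try:
        IPHost("probe", host_type, value)
        return True
    except ValueError:
        return False


def can_add(group: IPHostGroup, host: IPHost) -> bool:
    """Validation helper: would the group accept this host as a member?"""
    try:
        group.add(host)
        return True
    except ValueError:
        return False


def build_sample_group() -> IPHostGroup:
    """Constructed sample: the Internal Mail Server from the text plus one host of each other type."""
    group = IPHostGroup("Internal Servers", family=4)
    group.add(IPHost("Internal Mail Server", "IP", "192.168.1.15"))
    group.add(IPHost("Server LAN", "Network", "192.168.10.0/24"))
    group.add(IPHost("DHCP Pool", "IP Range", "192.168.20.100-192.168.20.150"))
    group.add(IPHost("Branch Hosts", "IP List", "172.16.0.9, 172.20.4.4"))
    return group


if __name__ == "__main__":
    g = build_sample_group()
    for probe in ("192.168.1.15", "192.168.20.151", "172.20.4.4"):
        print(probe, "->", "member" if g.contains(probe) else "not a member")
```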

MAC Host

The device allows you to assign a hostname to one or more MAC addresses.

Add a MAC Host

Use the Add MAC Host page to create a MAC Host.

The Add MAC Host page allows you to manually create a MAC Host of either a single MAC Address or multiple MAC Addresses.

1. Go to System > Hosts and Services > MAC Host and click Add.

2. Enter MAC Host details.

Name

Enter a name to identify a MAC Host.

Type

Select the MAC Host Type.

Available Options:

• MAC Address - Select to add a single MAC Address.

• MAC List - Select to add multiple MAC Addresses.

MAC Address (Applicable only if Type is selected as MAC Address)

Specify the MAC Address in the form 00:16:76:49:33:CE or 00-16-76-49-33-CE.

List of MAC Addresses (Applicable only if Type is selected as MAC List)

Specify the MAC Addresses in the form 00:16:76:49:33:CE or 00-16-76-49-33-CE. Use a comma to separate multiple MAC Addresses.

Figure 448: Add MAC Host

3. Click Save.

The MAC Host has been created and appears on the MAC Host page.

FQDN Host

The FQDN Host page displays the list of all the available FQDN hosts.

FQDN (Fully Qualified Domain Name) Hosts allow entities to be defined once and be re-used in multiple referential instances throughout the configuration. For example, www.example.com has the IP Address 192.168.1.15. Rather than remembering the IP Address of the intended website while accessing it, you can simply enter www.example.com in the browser. The FQDN www.example.com is then mapped to its respective IP Address, and the intended webpage opens.

The page also provides option to add a new FQDN host, update the existing host, or delete a host.

Add an FQDN Host

Use the Add FQDN Host page to create a new FQDN host.

The Add FQDN Host page allows you to manually configure a new FQDN host.

1. Go to System > Hosts and Services > FQDN Host and click Add.

2. Enter FQDN host details.

Name

Specify a name to identify the FQDN host.

FQDN

Specify an FQDN address.

FQDN Host Group

Select an FQDN host group or add a new one. A single FQDN host can be a member of multiple host groups. You can add a new FQDN host group on this page or on the System > Hosts and Services > FQDN Host Group page.

Figure 449: Add FQDN Host

3. Click Save.

FQDN Host Group

FQDN Host Group allows you to add individual FQDN hosts to one or more host groups.

Add an FQDN Host Group

Use the Add FQDN Host Group page to create a new FQDN host group.

The Add FQDN Host Group page allows you to configure a new FQDN host group.

1. Go to System > Hosts and Services > FQDN Host Group and select Add.

2. Enter FQDN host group details.

Name

Enter a name to identify the FQDN host group.

Description

Enter a description for the FQDN host group.

Select Host

The host list displays all the hosts including default hosts. Click the corresponding checkbox(es) to select the host(s). A single host can be a member of multiple host groups.

Figure 450: Add FQDN Host Group

3. Click Save.

Country Group


The device offers predefined country groups based on their continent. It also offers the list of countries which appears when you create a firewall rule. You can create custom country groups.

Note: On factory reset, the device resets to predefined country groups.

Note: You can edit or delete predefined and custom country groups.

Add a Country Group

Use the Add Country Group page to create a new country group.

The Add Country Group page allows you to manually configure parameters to add a new country group.

1. Go to System > Hosts and Services > Country Group and click Add.

2. Enter Country Group details.

Name

Enter a name to identify the Country group.

Description

Country Group description.

Select Country

Click Add New Item to select and add countries in the group.

A country can be a member of multiple country groups.

Figure 451: Add Country Group

3. Click Save.

Services

The Services page displays the list of all the default and custom services.

Services are definitions of certain types of network traffic and combine information about a protocol such as TCP, ICMP or UDP as well as protocol-related options such as port numbers. You can use services to determine the types of traffic allowed or denied by the firewall.

Certain well-known traffic types have been predefined in services. These predefined services are defaults, and cannot be updated or deleted. If you require service definitions that are different from the predefined services, you can add them as custom services.

The page also provides option to add a new service, update the parameters of the existing service, or delete a service.

Note:

• Service used by Security Policies cannot be deleted.

• Default Services can neither be updated nor deleted.

Add a New Service

Use the Add Service page to add a new Service.

The Add Service page allows you to manually configure parameters to add a new Service.

1. Go to System > Hosts and Services > Services and click Add.

2. Enter Service parameters.

Name

Enter a name to identify the Service.

Type

Select a protocol for the service.

Available Options:

• TCP/UDP - Enter Source and Destination port. You can enter multiple ports for the same service.

• IP - Select Protocol Number for the Service. You can select multiple ports for the same service.

• ICMP - Select ICMP Type and Code. You can enter multiple types and codes for the same service.

• ICMPv6 - Select ICMPv6 Type and Code. You can enter multiple types and codes for the same service.

Use the Add and Remove icons to add and delete parameters.

Figure 452: Add Service

3. Click Save.

Service Group

The Service Group page displays the list of all the default and custom service groups.

Service Group is a grouping of services. Custom and default services can be grouped in a single group.

Use service groups when configuring Security Policies to:

• block a group of services for a specific zone

• limit some or all users from accessing a group of services

• allow only specific users to communicate using a group of services

Create groups of services and then add one firewall rule to allow or block access for all the services in the group. A service group can contain default services as well as custom services in any combination. A single service can be a member of multiple service groups.

The page also provides option to add a new group, update the parameters of the existing group, add members to the existing group, or delete a group.

Note:

• Default Service Groups can neither be updated nor deleted.

• Service Group used by the Security Policies cannot be deleted.

Add a Service Group

Use the Add Service Group page to add a new customized Service Group.

The Add Service Group page allows you to manually enter details and configure a new service group.

1. Go to System > Hosts and Services > Service Group and click Add.

2. Enter Service Group details.

Name

Enter a name to identify the Service Group.

Description

Service Group Description.

Select Service

Service List displays all the services including default services.

Click the checkbox to select the service. All the selected services are moved to the Selected Service list.

A single service can be a member of multiple groups.

Use Search to search a service from the list.

You can create a group containing IPv4 and IPv6 services.


Figure 453: Add Service Group

3. Click Save.

Administration

Administration allows you to manage device licenses and time, administrator access, centralized updates, network bandwidth and device monitoring and user notifications.

You can configure the following:

Licensing

: Synchronization and renewal of device and module subscriptions

Device Access

: Administrator access to device services

Admin Settings

: Port and login security settings for administrators

Central Management

: Centralized synchronization and signature updates

Time

: Time and date of the device

Notification Settings

: Mail server and email settings to send and receive alerts

SNMP

: Device monitoring

Netflow

: Network bandwidth monitoring

Messages

: User notifications and administrator disclaimer

Licensing

All the modules remain unsubscribed when you deploy the device for the first time. Licensing displays the device registration information and the subscription status. You can activate or evaluate subscription modules.

Cyberoam and UTM 9 customers can migrate their licenses to SF-OS.

Basic Information

The device offers two types of modules:

Basic module: Firewall, VPN, Wireless.

Subscription modules:

Base Firewall - Includes Firewall, VPN, Wireless

Network Protection - Includes Intrusion Prevention System, RED, Advanced Threat Protection

Web Protection - Includes Web Categorization, Anti Virus, Application Control

Email Protection - Includes Anti Spam, Anti Virus, Email Encryption, DLP

Webserver Protection - Includes WAF, Anti Virus, Reverse Proxy

Sandstorm - Includes the Sandstorm service and all related settings

Enhanced Support - 8 x 5

Enhanced Plus Support - 24 x 7

Once registered, the device can be used for an indefinite time period.

You can subscribe to any of the subscription modules:

• without a key, for a free 30-day trial subscription

• with a key

Device Registration Details

Model

Device model number which is registered and its device key.

Company Name

Name of the company under which the device is registered.

Contact Person

Name of the contact person in the company.

Registered Email Address

Email address used for device registration.

Activate Subscription

Individual modules can be subscribed using the license key.

Note: Activate Subscription becomes clickable only after the original license of the device has been migrated to SF-OS from CyberoamOS or UTM 9 using Migrate License under the License Upgrade section.

Module Subscription Details

Synchronize

Click to synchronize licenses with your account.

Activate Evaluations

Individual modules can be evaluated for the duration of 30 days.

Note: Activate Evaluations becomes clickable only after the original license of the device has been migrated to SF-OS from CyberoamOS or UTM 9 using Migrate License under the License Upgrade section.

Module

Name of the Module.

Status

Indicates the status of the module.

A module can have one of the following statuses:

Subscribed - Module is subscribed.

Evaluating - Module is subscribed under evaluation.

Unsubscribed - Module is not subscribed.

Expired - Subscription is expired.

Expiration Date

Module subscription expiry date.

License Upgrade

You can migrate licenses from CyberoamOS or UTM 9 to Sophos Firewall OS (SF-OS).

Migrate UTM 9 License

Transfers your current UTM 9 license to an equivalent SF-OS installation. The migration is irreversible and you can no longer use this license on UTM 9.

Note: Migrate UTM 9 License is available only if you have migrated from UTM 9 to SF-OS.

Migrate Cyberoam license

This option provides you with a Sophos Firewall OS license of equivalent monetary value to your Cyberoam license. All the licenses existing in Cyberoam are migrated to SF-OS.

Note: Migrate Cyberoam License is available only if you have migrated from Cyberoam to SF-OS.

Note: Available only when device registration is complete.

Activate Subscription

1. Go to System > Administration > Licensing and click Activate Subscription within Device Registration Details.

2. Enter the license key.

3. Click Verify Key. Subscription is activated if the license key is found valid.

Device Access

Device Access allows you to limit administrative access to certain services from custom and default zones (LAN, WAN, DMZ, VPN, Wi-Fi).

1. Local Service ACL: The device carries a default ACL (Access Control List) when connected and powered on for the first time. Details of the default services and ports are given below. Click to enable or disable access to the services from the specified zones.

Admin Services

LAN and Wi-Fi Zones: HTTPS (TCP port 4444), Telnet (TCP port 23) and SSH (TCP port 22)

WAN Zone: HTTPS (TCP port 443), Telnet (TCP port 23) and SSH (TCP port 22)

Authentication Services

LAN and Wi-Fi Zones: Client Authentication (UDP port 6060), Captive Portal Authentication (TCP port 8090) and RADIUS SSO.

Network Services


LAN, WAN, and Wi-Fi Zones: Ping/Ping6 and DNS

Other Services

LAN and Wi-Fi Zones: Wireless Protection, Web Proxy and SMTP relay

LAN, WAN, DMZ and Wi-Fi Zones: SSL VPN (TCP port 8443)

LAN and WAN Zones: User portal and dynamic routing

LAN, DMZ, VPN and Wi-Fi Zones: SNMP

Note: User authentication services are required in order to apply user-based Internet surfing, bandwidth, and data transfer restrictions. These are not required for administrative functions.

2. Local Service ACL Exception Rule: You can allow access to the device's admin services from specified networks/hosts. A list of all the configured rules is displayed.

Note: Once you upgrade SF-OS v15 to v16:

• If HTTP is enabled in SF-OS v15, all HTTP requests are redirected to HTTPS.

• HTTP rules in which the action is set to Drop are deleted.

3. Default Admin Password Settings:

a) Change the default password as soon as you deploy the device.

Note: The device is shipped with a default super admin with the username and password set to admin.

You can access the Admin Console and CLI with these credentials. This administrator is authenticated locally by the device.

b) Click Reset to Default to restore the factory default password.

Figure 454: Default Admin Password Settings

4. Public Key Authentication

a) Turn on Public key authentication for admin to allow access to the Command Line Interface (CLI) using the SSH Key.

Note: Only Admin and Support users can add an SSH login key without authorization. All other users are required to provide a password for authorization before adding an SSH key.

b) Add the list of Authorized keys for admin. Generate these SSH keys using SSH client tools (example: PuTTY).

Figure 455: Public Key Authentication

Related information

Disable Telnet and HTTP behavior

Add Local Service ACL Exception Rule

Use Local Service ACL Exception Rule to allow access to the device's admin services from a specified network/host.

1. Go to System > Administration > Device Access and click Add under Local Service ACL Exception Rule.

2. Enter a name.

3. Select the Rule Position.

4. Enter a description.

5. Select the IP Family from the following options:

Available Options:

• IPv4

• IPv6

6. Select the Source Zone to which the rule applies.

7. Click Add New Item to select a host or network address to which the rule applies. Click Create New to create a new network/host.

8. Click Add New Item to select the admin Services to which the rule applies.

Available Options:

• HTTPS

• Telnet

• SSH

• Web Proxy

• DNS

• Ping/Ping6

• SSL VPN

• User Portal

• Dynamic Routing

9. Select an Action:

Available Options:

• Accept

• Drop


Figure 456: Add Local Service ACL Exception Rule

10. Click Save.
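As an added example (not code from this guide or from SF-OS), the following Python models the Device Access page as a zone-level ACL plus ordered exception rules. It assumes exception rules are evaluated in Rule Position order with the first match winning, and that the zone ACL decides when no rule matches; the zone ACL contents are constructed from the defaults listed above and all names are this example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set

# Admin services that an exception rule can reference, as listed in the procedure.
ADMIN_SERVICES: Set[str] = {"HTTPS", "Telnet", "SSH", "Web Proxy", "DNS", "Ping/Ping6",
                            "SSL VPN", "User Portal", "Dynamic Routing"}

# Constructed zone ACL following the Local Service ACL defaults given above
# (only services that exception rules can name are included).
DEFAULT_ZONE_ACL: Dict[str, Set[str]] = {
    "LAN": {"HTTPS", "Telnet", "SSH", "Web Proxy", "DNS", "Ping/Ping6",
            "SSL VPN", "User Portal", "Dynamic Routing"},
    "WAN": {"HTTPS", "Telnet", "SSH", "DNS", "Ping/Ping6",
            "SSL VPN", "User Portal", "Dynamic Routing"},
    "DMZ": {"SSL VPN"},
}


@dataclass
class ExceptionRule:
    name: str
    position: int            # Rule Position; lower numbers evaluated first (this example's assumption)
    ip_family: int           # 4 or 6
    source_zone: str
    sources: List[str]       # hosts or networks, single address or CIDR
    services: Set[str]
    action: str              # "Accept" or "Drop"

    def matches(self, zone: str, src: str, service: str) -> bool:
        addr = ipaddress.ip_address(src)
        if addr.version != self.ip_family or zone != self.source_zone:
            return False
        if service not in self.services:
            return False
        return any(addr in ipaddress.ip_network(n, strict=False) for n in self.sources)


def decide(zone: str, src: str, service: str, rules: List[ExceptionRule],
           zone_acl: Dict[str, Set[str]] = DEFAULT_ZONE_ACL) -> str:
    """Return "Accept" or "Drop" for one request to an admin service."""
    if service not in ADMIN_SERVICES:
        raise ValueError(f"unknown admin service {service!r}")
    # First matching exception rule wins (assumption of this example).
    for rule in sorted(rules, key=lambda r: r.position):
        if rule.matches(zone, src, service):
            return rule.action
    # No exception matched: the zone-level ACL decides.
    return "Accept" if service in zone_acl.get(zone, set()) else "Drop"


def hardened_rules() -> List[ExceptionRule]:
    """Constructed rule set: WAN admin access only from a management subnet; other WAN admin traffic dropped."""
    return [
        ExceptionRule("mgmt-allow", 1, 4, "WAN", ["203.0.113.0/28"], {"HTTPS", "SSH"}, "Accept"),
        ExceptionRule("wan-drop-admin", 2, 4, "WAN", ["0.0.0.0/0"], {"HTTPS", "SSH", "Telnet"}, "Drop"),
    ]


def exposure_report(rules: List[ExceptionRule], zone: str, src: str) -> Dict[str, str]:
    """Which admin services one source would reach in a zone; handy for reviewing WAN exposure."""
    return {svc: decide(zone, src, svc, rules) for svc in sorted(ADMIN_SERVICES)}


if __name__ == "__main__":
    for svc, verdict in exposure_report(hardened_rules(), "WAN", "198.51.100.9").items():
        print(f"WAN 198.51.100.9 -> {svc}: {verdict}")
```

Note that the IPv4-only rules above do nothing for IPv6 sources, so an IPv6 request still falls through to the zone ACL; a matching IPv6 rule is needed to close that gap.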

Admin Settings

Admin Settings allows you to modify the admin port settings and login parameters. Customize the login parameters to restrict local and remote user access based on time duration.

1. Enter host details.

a) Enter a name in the form of a Fully Qualified Domain Name (FQDN).

Acceptable Range: 0 to 256 characters

Example: security.sophos.com

Note: When the device is deployed for the first time, the serial ID of the device is saved as the hostname.

b) Enter the description.


Figure 457: Hostname

2. Configure Admin Port settings.

a) Displays the HTTP port configured in SF-OS v15 if you have upgraded from SF-OS v15 and enabled the HTTP service.

Default: 80

Note: From v16 onwards, the device does not support access to the Admin Console on this port. Traffic on the HTTP port is automatically redirected to the HTTPS port.

b) Enter the port number to configure the HTTPS port for secure Admin Console access.

Default: 4444

c) Enter the port number to configure the HTTPS port for secure User Portal access.

Default: 443

d) Select the Certificate to be used by the User Portal, Captive Portal, SPX Registration Portal and SPX Reply Portal.

Figure 458: Admin Port Settings

3. Set login security for Administrators.

a) Select the checkbox and configure the duration (in minutes) of inactivity after which the administrative session is locked automatically. This applies to the Admin and CLI Console, IPsec Connection Wizard, Network Wizard and Group Import Wizard.

Default: 3 minutes

b) Select the checkbox and configure the period (in minutes) of inactivity after which the administrator is logged out automatically.

Default: 10 minutes

Note: The Logout Admin Session After value must be greater than the Lock Admin Session After value.

c) Select the checkbox to block login to the Admin Console and CLI after repeated failures. Enter the maximum number of failed login attempts and the duration (in seconds) within which the attempts can be made from a single IP address. When the failed attempts exceed that number, the administrator account is locked for the number of minutes you specify, and the administrator cannot log in until that period has elapsed.
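As an added example (not code from this guide or from SF-OS), the following Python implements the two login security controls just described: the inactivity lock/logout pair with its ordering constraint, and a per-source-IP failed-login lockout over a sliding time window. The attempt limit, window and lockout duration in the sample policy are constructed values, and all names are this example's own.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict


@dataclass
class AdminLoginPolicy:
    lock_after_min: int = 3        # Lock Admin Session After (Default: 3 minutes)
    logout_after_min: int = 10     # Logout Admin Session After (Default: 10 minutes)
    max_failed: int = 5            # allowed failed attempts ... (constructed)
    window_sec: int = 120          # ... within this many seconds from one IP (constructed)
    lockout_min: int = 30          # minutes the administrator stays locked (constructed)

    def __post_init__(self):
        # The documented constraint: logout timeout must exceed the lock timeout.
        if self.logout_after_min <= self.lock_after_min:
            raise ValueError("Logout Admin Session After must be greater than Lock Admin Session After")


def policy_is_valid(lock_after_min: int, logout_after_min: int) -> bool:
    """Validation helper for the lock/logout pair."""
    try:
        AdminLoginPolicy(lock_after_min=lock_after_min, logout_after_min=logout_after_min)
        return True
    except ValueError:
        return False


class LoginGuard:
    """Tracks failed admin logins per source IP and enforces the lockout."""

    def __init__(self, policy: AdminLoginPolicy):
        self.policy = policy
        self.failures: Dict[str, Deque[float]] = defaultdict(deque)   # timestamps per IP
        self.locked_until: Dict[str, float] = {}                       # IP -> unlock time

    def is_locked(self, ip: str, now: float) -> bool:
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.locked_until[ip]     # lockout period has elapsed
            return False
        return True

    def record_failure(self, ip: str, now: float) -> bool:
        """Record one failed attempt; True if this attempt triggered a lockout."""
        q = self.failures[ip]
        q.append(now)
        # Discard failures that have fallen out of the sliding window.
        while q and now - q[0] > self.policy.window_sec:
            q.popleft()
        if len(q) > self.policy.max_failed:   # "exceed the number" -> lock
            self.locked_until[ip] = now + self.policy.lockout_min * 60
            q.clear()
            return True
        return False

    def attempt(self, ip: str, password_ok: bool, now: float) -> str:
        """Process one login attempt; returns "locked", "ok" or "failed"."""
        if self.is_locked(ip, now):
            return "locked"                  # even a correct password is refused while locked
        if password_ok:
            self.failures.pop(ip, None)      # success resets the counter for that IP
            return "ok"
        return "locked" if self.record_failure(ip, now) else "failed"

    def session_state(self, idle_sec: float) -> str:
        """Inactivity handling: the session locks first and is logged out later."""
        if idle_sec >= self.policy.logout_after_min * 60:
            return "logged out"
        if idle_sec >= self.policy.lock_after_min * 60:
            return "locked"
        return "active"


if __name__ == "__main__":
    # Constructed sequence: four failures from one address within the window, then a correct password.
    guard = LoginGuard(AdminLoginPolicy(max_failed=3, window_sec=60, lockout_min=1))
    for t, ok in ((0, False), (10, False), (20, False), (30, False), (40, True), (100, True)):
        print(f"t={t:3d}s 203.0.113.5 -> {guard.attempt('203.0.113.5', ok, t)}")
```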


Figure 459: Login Security Settings

4. Select the checkbox to enable password complexity settings for Administrators and enforce the required constraints.

Figure 460: Administrator Password Complexity Settings

5. Select Enable Login Disclaimer to set messages for authentication, SMTP, administration and SMS customization, which administrators must agree to before they can log in to the Admin Console and CLI. You can customize and preview messages too.

Figure 461: Login Disclaimer Settings

6. Select Sophos Adaptive Learning to send the following application usage and threat data to Sophos: Unclassified applications (to improve network visibility and enlarge the application control library), Data for IPS alerts, detected virus (including URLs), spam, ATP threats such as threat name, threat URL/IP, source IP, and applications used.

The device sends periodic information to Sophos over HTTPS to improve stability, prioritize feature refinements, and to improve protection effectiveness. No user-specific information or personalized information is collected.

The device sends configuration and usage data by default. This includes device information (example: model, hardware version, vendor), firmware version and license information (does not include owner information), features that are in use (status, on/off, count, HA status, central management status), configured objects (example: count of hosts, policies), product errors, and CPU, memory and disk usage (in percentage).


Figure 462: Sophos Adaptive Learning

Central Management

Sophos Firewall Manager (Firewall Manager) centrally manages your Sophos Firewall (device). Central Management allows you to configure keep-alive requests and to enable configuration and signature updates of the device through the Firewall Manager.

1. Go to System > Administration > Central Management and select Enable Central Management.

2. Enter the IP Address/Domain of the Firewall Manager.

3. Select Device Management to enable keep-alive requests and configuration updates.

1. Specify the Communication Details. Specify the Heartbeat Protocol and Heartbeat Port to define how keep-alive information is sent to the Firewall Manager.

Note: We recommend that you set Heartbeat Protocol to Syslog.

2. Specify the Configuration Synchronization settings.

a. Select the Synchronization Mode from the following options:

Available Options:

• Central Management will push configuration changes to the device

• Device will fetch configuration changes from Central Management

b. Connection Protocol to send configuration updates is set to HTTPS.

c. Enter the Port over which configuration updates are to be sent.

Default: 443

4. Select Content Distribution to receive signature updates from the Firewall Manager.

1. Enter the Content Distribution Port over which the Firewall Manager pushes signature updates.

Default: 80

Note: Enter the same port number that is configured in Administration Settings of Firewall Manager.

Figure 463: Central Management Settings

Note: Restrictions apply if you are managing SF-OS V16 devices from SFM-OS V15. For details refer to Appendix F - Compatibility with SFMOS 15.01.0 on page 626.

Time

You can set the time and date to the device's clock or synchronize the device with a Network Time Protocol (NTP) server.

1. Go to System > Administration > Time.

2. Current Time displays the device time and date.

3. Select the Time Zone based on the location in which the device is deployed.

4. Select from the following options to choose how you set the time and date:

• Use pre-defined NTP server (pool.ntp.org). The device uses NTP version 3 (RFC 1305). Click Sync Now to synchronize.

• Use Custom NTP server. Enter the IPv4 address, IPv6 address or domain name. You can configure up to 10 NTP servers. At the time of synchronization, the device queries the configured NTP servers sequentially until it receives a valid reply from a server. Click Sync Now to synchronize.

• Select Do not use NTP Server to configure the date and time based on the device’s clock. Set the date and time.

Figure 464: Setting Device's Date and Time

Notification Settings

Notification Settings allows you to configure the mail server IP address, port, and email address to send and receive alert emails.

The device allows you to configure email notifications for system-generated events and reports to inform the administrator about:

• Change in gateway status

• Change in HA (high availability) link status (if HA cluster is configured)

• Change in the state of IPsec tunnels

1. Mail Server Settings

Click to Send Notifications Via:

Built-in Email Server

Select if you want to use the built-in Email Server in the Device to send system-generated emails.

External Email Server

Select to configure an External Email Server to send system-generated emails.

1. Specify the Mail Server IPv4 Address or FQDN Address and Port Number. Default Port: 25

2. Select Authentication Required to authenticate the user before sending an email. Specify Username and Password.

3. Select Connection Security mode to be used for establishing a secured connection between an SMTP client and the SMTP server for SMTP mail notification. Available Options:

• None

• STARTTLS

• SSL/TLS

Default: None

4. Select a Certificate to be used for authentication by the SMTP client and the SMTP server.

Default: ApplianceCertificate


Figure 465: Mail Server Settings

2. Email Settings

Enter the sender and recipient email addresses.

Figure 466: Email Settings

3. Email Notification

Select IPsec Tunnel UP/Down to enable receipt of email notifications if IPsec VPN tunnel connectivity is lost.

Email alerts are sent to the configured email address.

An email is sent only when Host-to-Host and Site-to-Site tunnel connections are disconnected for one of the following reasons:

• A peer is found dead (DPD)

• Failed to re-establish connection after Dead Peer Detection (DPD)

• IPsec Security Association (SA) has expired and must be re-established.

• IPsec tunnel comes up without administrator intervention after losing connectivity.

Note:

• An email is sent for each subnet pair in case of Site-to-Site connections with multiple local/remote networks.

• An email sent when the IPsec tunnel comes up does not state a reason.

• Description of IPsec tunnel connection is included in the email only if the administrator has provided the information.


Figure 467: The email contains the following Notification

4. Test Mail

Click to preview and edit the email address details.

Click Send.

Note: Mail server configuration changes automatically when the changes are made from the Network Configuration Wizard, and vice versa.

Netflow

Netflow allows you to add, update, or delete Netflow servers. The device offers Netflow, a network protocol, to monitor network bandwidth usage and traffic flow. Netflow records of source, destination and volume of traffic are exported to the Netflow server. The records help you identify the protocols, policies, interfaces and users consuming high bandwidth. Data analyzing tools like Open Source Data Analyzer and PRTG software can generate reports from the Netflow records.

Netflow Configuration

1. Enter the Netflow Server Name.

2. Enter the Netflow Server IP/Domain. You can enter IPv4 or IPv6 addresses.

3. Enter the Netflow Server Port number (UDP port). Records are sent to the Netflow server over the specified port.

Default: 2055

Figure 468: Netflow

Note: Traffic of only those firewall rules that have Log Firewall Traffic enabled is sent to the Netflow server.

Note: You can configure up to five Netflow servers.

Note: Sophos supports Netflow v5. You can export all the parameters of v5.

Messages

Use Messages to notify users and issue administrative alerts.

You can send messages of up to 256 characters to a single user or multiple users simultaneously.

You can edit the message, save the changes, or reset it to the default message.

You can send notifications related to the following events:

• Authentication: Login and logout confirmation, login failure and disconnection


• SMTP: Blocked and received emails

• Administration: Disclaimer for admin login

• SMS Customization: Login information to guest users

SNMP

SNMP (Simple Network Management Protocol) allows you to configure the Sophos Firewall device as an SNMP agent. The device responds to multiple SNMP managers within the predefined communities. You can monitor multiple firewall devices on IP networks for device availability, CPU, memory and disk utilization, availability of critical services and more. The device stores information in a Management Information Base (MIB) and replies to SNMP Get commands for the MIB. Click here to download the Sophos MIB file. It also sends SNMP traps (alerts) to the SNMP manager.

SNMP collects information in two ways:

• SNMP manager polls the agents.

• Agents send traps to the SNMP manager.

SNMP Community consists of a manager and a group of agents. Agents can belong to more than one SNMP community. The community defines where information is sent. An agent does not respond to requests from managers that do not belong to its communities. You must specify a trap version for each community. Each community can support SNMPv1 and SNMPv2c. Sophos Firewall device supports IPv4 and IPv6 addresses.

Agent Configuration allows you to configure the agent details.

Community displays a list of all the communities. You can sort, add, update, or delete communities.

SNMP Agent Configuration

SNMP Agent Configuration allows you to configure the device as an SNMP agent.

1. Go to System > Administration > SNMP.

2. Select to enable the SNMP Agent.

3. Enter a name.

4. Enter the description.

5. Enter the physical location of the device.

6. Enter the contact information of the person responsible for maintaining the device.

7. The Agent Port uses UDP port 161. This port receives GET requests from the SNMP managers.

8. Specify the Manager Port over which the SNMP manager receives alerts/traps from the SNMP agent.

Default: 162


Figure 469: Agent Configuration

Add Community

You can add an SNMP community.

1. Go to System > Administration > SNMP and click Add.

2. Enter a name.

3. Enter the description.

4. Enter the IP address (IPv4/IPv6) of the SNMP manager.

5. Select the SNMP protocol version. SNMP v1 and v2c-compliant SNMP managers have read-only access to device system information and can receive device traps.

6. Select the version for trap support. Traps are sent only to SNMP managers that support the specified versions.

7. Click Save.

Figure 470: Add SNMP Community

Backup & Firmware

Backup & Firmware provides the following options:

Backup & Restore

: Backup and restore system data.

API

: Application Programming Interface (API) allows third party applications to communicate with the device.

Import Export

: Import/export device configuration from/to a text file.

Firmware

: Allows you to upload/view firmware versions downloaded.

Pattern Updates

: Update patterns for various modules like Sophos AV, IPS, WAF or set auto-update interval.

Backup & Firmware

Backup is the essential part of data protection. No matter how well your system is treated, no matter how much it is taken care of, you cannot guarantee that your data is safe, if it exists only at one place.

Backups are necessary in order to recover data from loss due to disk failure, accidental deletion or file corruption.

There are many ways of taking backup and just as many types of media to use as well.

Backup consists of all the policies and all other user related information.

The device lets you back up only the system data, either through a scheduled automatic backup or a manual backup.

Once a backup has been taken, restore the configuration by uploading that backup file.

Below are the screen elements with their description:

Backup

Backup Mode

Select how and to whom backup files should be sent.

Available Options:

• Local - Backup is taken and stored on the Device itself.

• FTP - Configure the FTP server IP Address (IPv4/IPv6), login credentials and FTP path.

• Email - Configure the Email Address to which the backup is to be mailed. You can configure multiple Email Addresses.

Backup Prefix

Specify backup file name (prefix). The backup file name format is as follows:

• With Prefix: <Prefix>_Backup_<Device Key>_<timestamp>

For example:

Dallas_Backup_ABCDEY190_26Nov2014_12.09.24

NY_Backup_ABCDEY190_26Nov2014_12.09.24

• Without Prefix(Default): Backup_<Device Key>_<timestamp>

For example:

Backup_ABCDEY190_26Nov2014_12.09.24

If no prefix is provided, the default format is used for the backup file.

A Backup Prefix is useful when you take backups from multiple devices.
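As an added example (not code from this guide or from SF-OS), the following Python parses and builds backup file names in the two formats described above, and picks the newest backup per device key when one FTP or mailbox target collects files from several devices. The timestamp layout is inferred from the examples in the text, the prefix is assumed to contain no underscore, and all names are this example's own.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, Optional

# <Prefix>_Backup_<Device Key>_<timestamp>  or  Backup_<Device Key>_<timestamp>
# Timestamp layout inferred from "26Nov2014_12.09.24" in the text: %d%b%Y_%H.%M.%S.
_PATTERN = re.compile(
    r"^(?:(?P<prefix>[A-Za-z0-9-]+)_)?"    # optional prefix, e.g. "Dallas" (assumed: no underscore)
    r"Backup_"
    r"(?P<device_key>[A-Za-z0-9]+)_"       # e.g. "ABCDEY190"
    r"(?P<timestamp>\d{1,2}[A-Za-z]{3}\d{4}_\d{2}\.\d{2}\.\d{2})$"
)
_TS_FORMAT = "%d%b%Y_%H.%M.%S"


@dataclass
class BackupName:
    prefix: Optional[str]
    device_key: str
    taken_at: datetime


def parse_backup_name(name: str) -> BackupName:
    """Split a backup file name into prefix (if any), device key and timestamp."""
    m = _PATTERN.match(name)
    if not m:
        raise ValueError(f"not a backup file name: {name!r}")
    taken_at = datetime.strptime(m.group("timestamp"), _TS_FORMAT)
    return BackupName(m.group("prefix"), m.group("device_key"), taken_at)


def build_backup_name(device_key: str, taken_at: datetime, prefix: Optional[str] = None) -> str:
    """Inverse of parse_backup_name, following the documented format."""
    stem = f"Backup_{device_key}_{taken_at.strftime(_TS_FORMAT)}"
    return f"{prefix}_{stem}" if prefix else stem


def latest_per_device(names: Iterable[str]) -> Dict[str, str]:
    """Newest backup file per device key; names that do not parse are skipped."""
    latest: Dict[str, BackupName] = {}
    chosen: Dict[str, str] = {}
    for name in names:
        try:
            parsed = parse_backup_name(name)
        except ValueError:
            continue
        current = latest.get(parsed.device_key)
        if current is None or parsed.taken_at > current.taken_at:
            latest[parsed.device_key] = parsed
            chosen[parsed.device_key] = name
    return chosen


if __name__ == "__main__":
    # Constructed listing of an FTP directory shared by two devices.
    listing = [
        "Dallas_Backup_ABCDEY190_26Nov2014_12.09.24",
        "Dallas_Backup_ABCDEY190_27Nov2014_01.00.00",
        "NY_Backup_XYZ12345_26Nov2014_12.09.24",
        "notes.txt",
    ]
    for key, name in latest_per_device(listing).items():
        print(key, "->", name)
```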

Frequency

Select the system data backup frequency.

In general, it is best to schedule backup on regular basis. Schedule can be determined depending on how much information is added or modified.


Available Options:

Never - No backup is taken.

Daily - A backup is taken every day.

Weekly - A backup is taken every week.

Monthly - A backup is taken every month.

Schedule

Specify the day/date and time for Daily, Weekly and Monthly backup.

Backup Now

Click to take a backup of the system data as it stands now.

Download (Only for Local Backup Mode)

Click to download the latest locally stored backup. This is the file you upload when restoring the configuration.


Figure 471: Backup

Backup Restore

Restore Configuration

To select the complete path of the backup file to be restored, click the file selection button against Restore Configuration.

Upload and Restore

Click to upload and restore the configuration.

Figure 472: Backup Restore

Note: Restoring a backup replaces the current configuration. Any changes made after the backup was taken are lost.

API

The Application Programming Interface (API) lets third-party applications communicate with the device. This page allows the administrator to enable the API and to log users on and off through it.

API Configuration

API Configuration

Enable to allow authorized third-party solution providers, such as ISPs and system integrators, to use the API for the log-on and log-off process.

Default - Disabled

Allowed IP Address

Add the IP addresses allowed to place the XML log-on and log-off requests.

You can add IP addresses only if API Configuration is enabled. Only the hosts listed here may submit requests, so keep the list to the systems that actually need it.

Figure 473: API Configuration

API Explorer

Request XML String

Specify the XML content containing the configurations to enable user log on or log off.

Parse and apply

Click to parse the XML content and apply the configurations.

Figure 474: API Explore

Sample XML Request Code

For all requests, the XML response is displayed in a pop-up window.

<Request><LiveUserLogin><UserName>sophos</UserName><Password>sophos</Password><IPAddress>10.21.18.15</IPAddress><MacAddress>00:0C:29:2D:D3:AC</MacAddress></LiveUserLogin></Request>

<Request><LiveUserLogout><Admin><UserName>admin</UserName><Password>admin</Password></Admin><UserName>sophos</UserName><IPAddress>10.21.18.15</IPAddress></LiveUserLogout></Request>

For versions prior to 10.6.1 MR-1:

<Request><LiveUserLogout><UserName>sophos</UserName><IPAddress>10.21.18.15</IPAddress></LiveUserLogout></Request>

Use the following URL to call the API: https://<Sophos IP>:<port>/webconsole/APIController?reqxml=<Add the XML request here>


Note: The port in the above URL must be the same as the Admin Console HTTPS Port configured in System > Administration > Admin Settings.

Note: The request, including any passwords it carries, travels in the URL query string, so it can end up in browser history and in the logs of any proxy on the path. Use the Allowed IP Address list to limit which hosts may call the API, and URL-encode the XML when you build the request programmatically.

For example: https://<Sophos IP>:4444/webconsole/APIController?reqxml=<Request><LiveUserLogin><UserName>sophos</UserName><Password>sophos</Password><IPAddress>10.21.18.15</IPAddress><MacAddress>00:0C:29:2D:D3:AC</MacAddress></LiveUserLogin></Request>

Note: When a user logs on using the API, the client type of the user is displayed as API Client on the Live Users page.
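The requests above, built programmatically. This Python is an added example, not Sophos code: it assembles the LiveUserLogin and LiveUserLogout XML with an XML library so that values are escaped, validates the IP and MAC fields, and percent-encodes the XML into the reqxml parameter of the APIController URL. It sends nothing; the host, port and credentials in the usage section are made up.

```python
"""Build Sophos XG APIController log-on / log-off requests.

Added example for this page; it is not Sophos code. It constructs the
LiveUserLogin and LiveUserLogout XML shown above with xml.etree, so that
values are escaped rather than pasted into a string, validates the IP and
MAC address fields, and assembles the
https://<Sophos IP>:<port>/webconsole/APIController?reqxml=... URL with
the XML percent-encoded. Nothing is transmitted; how the request is sent
(and how the device's TLS certificate is verified) is left to the caller.
The host and credentials in the usage section are made up.
"""
import ipaddress
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

_MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def _clean_ip(ip):
    # ip_address() raises ValueError for anything that is not an IPv4/IPv6
    # address, which also keeps markup out of the <IPAddress> field.
    return str(ipaddress.ip_address(ip))


def _clean_mac(mac):
    if not _MAC_RE.match(mac):
        raise ValueError("MAC address must be six colon-separated hex octets")
    return mac.upper()


def build_login_xml(username, password, ip, mac):
    """<Request><LiveUserLogin>...</LiveUserLogin></Request>"""
    req = ET.Element("Request")
    login = ET.SubElement(req, "LiveUserLogin")
    ET.SubElement(login, "UserName").text = username
    ET.SubElement(login, "Password").text = password
    ET.SubElement(login, "IPAddress").text = _clean_ip(ip)
    ET.SubElement(login, "MacAddress").text = _clean_mac(mac)
    return ET.tostring(req, encoding="unicode")


def build_logout_xml(admin_user, admin_password, username, ip):
    """Log-off request in the 10.6.1 MR-1 and later form, where the caller
    authenticates with an <Admin> block before naming the user to log off."""
    req = ET.Element("Request")
    logout = ET.SubElement(req, "LiveUserLogout")
    admin = ET.SubElement(logout, "Admin")
    ET.SubElement(admin, "UserName").text = admin_user
    ET.SubElement(admin, "Password").text = admin_password
    ET.SubElement(logout, "UserName").text = username
    ET.SubElement(logout, "IPAddress").text = _clean_ip(ip)
    return ET.tostring(req, encoding="unicode")


def build_api_url(host, port, reqxml):
    """Assemble the APIController URL. `port` must be the Admin Console
    HTTPS port (4444 by default). urlencode() percent-encodes the XML, so
    '<', '>', '/' and '&' survive as query-string data."""
    if ":" in host:                      # a bare IPv6 literal needs brackets
        host = "[%s]" % host
    return "https://%s:%d/webconsole/APIController?%s" % (
        host, port, urlencode({"reqxml": reqxml}))


def reqxml_from_url(url):
    """Inverse of build_api_url(): recover the XML from a URL, e.g. when
    reviewing a proxy log to see which accounts and IPs were logged on."""
    return parse_qs(urlsplit(url).query)["reqxml"][0]


if __name__ == "__main__":
    xml = build_login_xml("sophos", "sophos", "10.21.18.15",
                          "00:0c:29:2d:d3:ac")
    print(build_api_url("192.0.2.1", 4444, xml))
```

Because the whole request, passwords included, is query-string data, reqxml_from_url() is also what an investigator would run over proxy or web-server logs to see exactly which accounts were logged on or off through the API.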

Import Export

This page allows the administrator to export the device configuration to a text file and to import a configuration from a text file. The file contents are human-readable XML, so they can be edited offline and the updated configuration imported on another compatible device.

Administrators can export or import all of the device configuration or only selected parts of it. A configuration exported from one device can be imported on the same or another device model.

Below are the screen elements with their description:

Import

Import File

To select the complete path of the tar file to be imported, click the file selection button against Import File.

Import

Click to import the configuration on the device.

The device's existing configuration is preserved. Entities with the same name in the existing configuration are updated with the imported entity configuration, and new entities are added.

For example:

If you have a Network Traffic Quota Policy with name “Daily 10 MB” in both the existing and imported configuration then the existing policy configuration will be updated with the imported configuration. Any new policies in the imported configuration will also get added.


Figure 475: Import Configuration

Export

Export full configuration

Select to export all the entities configuration to a text file.

Export selective configuration

Select to export only selected entities. Click Add New Item to select entities, then click Apply to add the selected entities.

Dependent entities of a selected entity are also exported if Include dependent entity is selected.

Export

Click to export the configuration from the device.


Figure 476: Export Configuration

Firmware

This feature is not available in Sophos Firewall Manager (SFM).

The Firmware page allows you to manage the firmware versions on your device. It also enables you to install hotfixes and to choose the default configuration language of your device.

The Firmware section displays the list of firmware versions that have been downloaded. A maximum of two firmware versions are available simultaneously and one of the versions is active.

Upload firmware

Click to upload new firmware. Click Browse in the pop-up window. Click Upload firmware to upload the firmware image file. The uploaded firmware becomes active after the next reboot.

Click Upload & Boot to upload the firmware image file and boot the device. The action upgrades the device to the new version, closes all sessions, restarts the device, and displays the login page.

The process may take a few minutes since it involves migrating the entire configuration.

When uploading new firmware, the error "New Firmware could not be uploaded" may occur for one of the following reasons:

1. Wrong upgrade file - You are trying to upload the wrong upgrade file, for example a firmware image of an older version.

2. Incorrect firmware image - You are trying to upload a firmware image built for a different appliance model. All firmware images are model-specific and are not interchangeable, so firmware for one model cannot be applied to another. For example, an error is displayed if appliance model XG125 is upgraded with firmware for model XG750.

3. Incompatible firmware - You are trying to upload incompatible firmware.

4. Changes in appliance hardware - Your appliance hardware configuration is not the standard hardware configuration. Contact support for assistance.

5. Corrupt firmware - The firmware you downloaded may be corrupt.

Boot firmware image

Click to upgrade the device to the uploaded firmware image. The action upgrades the device to the new version, closes all sessions, restarts the device and displays the login page.

Boot with factory default configuration

Click to reboot the device and to activate the default configuration.

Note: If you boot with factory default configuration, the current configuration will be lost. Take a backup before you click this option.

Active

The Active icon against a firmware version indicates that the device currently uses this firmware.

Latest Available Firmware (not available in SFM)

Check For new Firmware

Click to view the new firmware, if available.

Firmware Version

Displays the list of firmware versions available for download.

Type

Displays the type of each firmware.

Available Options: Beta, GA

Actions

Click Download to download the firmware. Once the download is complete, click Install to install the firmware.


Figure 477: Available Latest Firmware

SF-OS Hot-fix

Allow auto-install of important Hot-fixes

Hot-fixes are installed automatically when they are available. Clear the check box if you do not want to apply them automatically.

Click Apply to save your selection.

Default: Enabled

Figure 478: SF-OS Hot-Fix

Factory Reset with Default Configuration Language

Default Configuration Language

Select a default language for configuration. When you choose a different language, the device reboots and goes back to the factory default settings. It removes all customizations.

The Admin Console Language can differ from the Default Configuration Language. Choosing a different Admin Console Language displays menus and labels in the selected language while choosing a different Default Configuration Language displays menus, labels as well as default policies and their description in the selected language.


Default: English

Available Options:

• English

• Hindi

• Chinese - Traditional

• Chinese - Simplified

• French

• Japanese

Note: Take a backup before you choose a different language since the entire configuration will be lost. The device restores the backup in the language that was operational at the time of taking the backup.

Figure 479: Factory Reset with Default Configuration Language

Pattern Updates

This page displays the status of the patterns used by the various modules of your device, such as Sophos AV, IPS, Application Signatures and WAF. It also provides options to update patterns manually or to set an auto-update interval. By default, patterns are updated automatically.

Updates Status

Pattern

Name of the pattern.

Current Version

Version of the pattern in use.

Available Version

Newer version, if one is available.

Last Successful Update

Status along with the date of the last update.

Update Pattern Now

Click to update the pattern definitions.

Figure 480: Update Status

Pattern Download/Installation

Auto Update

To update pattern definitions automatically, turn on the Auto Update switch.

Firmware updates for RED devices and access points are downloaded automatically and a notification is displayed; you have to install those updates manually. Usually the RED or AP reboots after installation, so connections to REDs or APs are interrupted during that time and re-established afterwards.

Interval (Available only if Auto Update is set ON)

Set how often the device checks for and downloads updates.

Available Options:

• Every hour

• Every 2 hours

• Every 4 hours

• Every 12 hours

• Daily

• Every 2 days

Figure 481: Pattern download/installations


Certificates

Certificates allows you to add certificates, certificate authorities and certificate revocation lists.

Certificates

Certificate Authorities

Certificate Revocation Lists

Certificates

Digital certificates provide verification of the identity of a user or computer (example: VPN) or an organization (example: websites) over the Internet, and are issued by a Certificate Authority (CA). A Certificate Signing Request (CSR) carries the information the CA needs in order to issue a certificate. A certificate contains the owner's public key, the certificate's validity period and owner information, signed by the CA. The private key is never part of the certificate; it stays with the owner, who proves ownership by using it.

Certificates are revoked when the private key is lost, stolen or replaced. CAs maintain a list of valid and revoked certificates. Self-signed certificates that are revoked are automatically added to the Certificate Revocation List (CRL).

The device allows you to:

• generate a self-signed certificate, upload a third-party certificate, or to generate a CSR.

• use the device as the CA or add an external CA.

• revoke a self-signed certificate or upload an external CRL.

Add Certificate

Add Certificate allows you to upload a certificate, generate a self-signed certificate, or generate a Certificate Signing Request (CSR).

1. Go to System > Certificates > Certificates and click Add.

2. Select from the following options.

Upload Certificate

Generate self-signed Certificate

Generate Certificate Signing Request

Upload Certificate

1. Enter the Certificate Name.

2. Select the format of certificate file.

PEM (.pem): Base64-encoded (text) form of a DER certificate. Certificate and private key are stored in separate files.

DER (.der): Binary (ASN.1 DER) encoding of the certificate, commonly used on the Java platform. Certificate and private key are stored in separate files.

CER (.cer): A single certificate in binary DER (or Base64) form. Contains the certificate owner information and public key only, never the private key.

PKCS7 (.p7b): Base64 text. Contains the certificate (and optionally its chain) but not the private key.

PKCS12 (.pfx or .p12): Binary form used on Windows platforms. Stores the private key together with the certificate in one password-protected file.

3. Upload certificate and private key.

4. Enter the CA passphrase and re-enter to confirm.

5. Click Save.
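Step 2 asks for the file format, and the formats above differ in whether they may carry a private key. The following Python is an added example, not Sophos code: it classifies a file from its leading bytes (PEM armour labels, or the ASN.1 tags inside a DER SEQUENCE) and flags anything that contains a private key, so that a bundle is not uploaded where a bare certificate was meant. The byte strings in the usage section are constructed stand-ins, not real certificates.

```python
"""Identify the format of a certificate file before choosing it in the
Upload Certificate form.

Added example for this page; it is not Sophos code. The form asks for the
file format (PEM, DER, CER, PKCS7, PKCS12); choosing the wrong one is a
common reason for a rejected upload, and uploading a bundle that also holds
a private key where only a certificate was meant is a common way to expose
that key. The sniffer works from the leading bytes only: PEM files are text
with -----BEGIN <label>----- armour, while DER files start with 0x30
(SEQUENCE) and the tag of the first element inside tells the structures
apart: X.509 Certificate (SEQUENCE tbsCertificate), PKCS#7 ContentInfo
(OBJECT IDENTIFIER contentType), PKCS#12 PFX and PKCS#8/RSA private keys
(INTEGER version). The byte strings in the usage section are constructed
stand-ins, not real certificates.
"""
import re

_PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")

SEQUENCE, INTEGER, OID = 0x30, 0x02, 0x06


def der_header(data, offset=0):
    """Decode the tag and length of the TLV at `offset`.
    Returns (tag, length, header_size) or None if the bytes are not a
    well-formed header."""
    if len(data) < offset + 2:
        return None
    tag, first = data[offset], data[offset + 1]
    if first < 0x80:                     # short form: length in one byte
        return tag, first, 2
    n = first & 0x7F                     # long form: n length octets follow
    if n == 0 or len(data) < offset + 2 + n:
        return None
    return tag, int.from_bytes(data[offset + 2:offset + 2 + n], "big"), 2 + n


def _result(fmt, labels=(), has_private_key=False):
    return {"format": fmt, "labels": list(labels),
            "has_private_key": has_private_key}


def sniff_certificate_file(data):
    """Classify the bytes of a certificate-ish file.
    Returns {"format": ..., "labels": [...], "has_private_key": bool}."""
    if data.lstrip().startswith(b"-----BEGIN "):
        labels = [m.group(1).decode("ascii") for m in _PEM_BLOCK.finditer(data)]
        has_key = any("PRIVATE KEY" in lbl for lbl in labels)
        fmt = "PKCS7 (.p7b, PEM armoured)" if "PKCS7" in labels else "PEM"
        return _result(fmt, labels, has_key)

    outer = der_header(data)
    if outer is None or outer[0] != SEQUENCE:
        return _result("unknown (neither PEM nor DER SEQUENCE)")
    _, outer_len, hdr = outer
    if outer_len != len(data) - hdr:
        return _result("DER but truncated or followed by trailing data")

    inner = der_header(data, hdr)
    inner_tag = inner[0] if inner else None
    if inner_tag == SEQUENCE:
        # Certificate: tbsCertificate starts with [0] version or INTEGER serial.
        # Encrypted PKCS#8 key: its AlgorithmIdentifier starts with an OID.
        first = der_header(data, hdr + inner[2])
        if first and first[0] == OID:
            return _result("DER encrypted PKCS#8 private key", has_private_key=True)
        return _result("DER X.509 certificate (.der/.cer)")
    if inner_tag == OID:
        return _result("DER PKCS7 (.p7b)")
    if inner_tag == INTEGER:
        return _result("PKCS12 (.pfx/.p12) or DER private key", has_private_key=True)
    return _result("DER (unrecognised structure)")


if __name__ == "__main__":
    # Constructed samples: a PEM bundle with a key, then minimal DER stand-ins
    pem = (b"-----BEGIN CERTIFICATE-----\nMIIB\n-----END CERTIFICATE-----\n"
           b"-----BEGIN RSA PRIVATE KEY-----\nMIIE\n-----END RSA PRIVATE KEY-----\n")
    for blob in (pem, b"\x30\x07\x30\x05\xa0\x03\x02\x01\x02",
                 b"\x30\x03\x02\x01\x03", b"\x30\x04\x06\x02\x2a\x03"):
        print(sniff_certificate_file(blob))
```

A DER blob whose outer length does not match the file size is reported as truncated rather than guessed at; that is the usual symptom of a file that was copied as text or cut off in transfer.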


Generate Self-Signed Certificate

1. Go to System > Certificates > Certificates and click Add.

2. Set Action to Generate self-signed certificate.

3. Certificate Details

a) Enter the Certificate Name.

b) Specify the certificate's validity period.

Default: 1 day

c) Select the number of bits used to construct the key from the list.

Note: Larger keys offer greater security, but take longer to encrypt and decrypt data.

Default: 2048

d) Select to encrypt the key. Enter a passphrase or the pre-shared key and confirm it.

e) Specify the certificate ID for one of the following options:

• DNS

• IP Address (IPv4/IPv6 Address)

• Email

• DER ASN1 DN (X.509)

4. Identification Attributes

a) Select the country in which the device is deployed.

b) Enter the state within the country.

c) Enter the locality in which the certificate is to be used.

d) Enter the name of the certificate owner (example: Sophos Group).

e) Enter the name of the department to which the certificate is to be assigned (example: marketing).

f) Enter the common name or FQDN (example: marketing.sophos.com).

g) Enter the contact person's email address.

5. Click Save.

Generate Certificate Signing Request

The device allows you to generate a Certificate Signing Request (CSR) which can be sent to a CA.

1. Go to System > Certificates > Certificates and click Add.

2. Set Action to Generate Certificate Signing Request (CSR).

3. Certificate Details

a) Enter the Certificate Name.

b) Specify the certificate's validity period.

Default: 1 day

c) Select the number of bits used to construct the key from the list.

Note: Larger keys offer greater security, but take longer to encrypt and decrypt data.

Default: 2048

d) Select to encrypt the key. Enter a passphrase or the pre-shared key and confirm it.

e) Specify the certificate ID for one of the following options:

• DNS

• IP Address (IPv4/IPv6 Address)

• Email

• DER ASN1 DN (X.509)

4. Identification Attributes

a) Select the country in which the device is deployed.

b) Enter the state within the country.

c) Enter the locality in which the certificate is to be used.

d) Enter the name of the certificate owner (example: Sophos Group).

e) Enter the name of the department to which the certificate is to be assigned (example: marketing).

f) Enter the common name or FQDN (example: marketing.sophos.com).

g) Enter the contact person's email address.

5. Click Save.

Once the CSR is created, download it and submit it to the CA. When the CA returns the signed certificate, add it with Upload Certificate. For a self-signed certificate, download the certificate and provide it to the remote peer with which the connection is to be established, so that the peer can trust it.

Download Certificate

The device allows you to download self-signed certificates and certificate signing requests.

1. Go to System > Certificates > Certificates.

2. Go to the Manage column and click the download icon against the certificate. The certificate is downloaded as a .tar.gz file.

Revoke Certificate

1. Go to System > Certificates > Certificates.

2. Go to the Manage column and click the revoke icon against the certificate. You can revoke lost, stolen or updated self-signed certificates.

Revoked certificates are automatically added to the Certificate Revocation List (CRL).

Certificate Authorities

Certificate Authorities (CA) are trusted entities which issue digital certificates that verify the identity of a user, host or organization. The CA signs the owner information and public key with its own private key; anyone holding the CA certificate can then verify that signature.

The device allows you to generate a local CA or to import external CAs. Among external CAs, it provides Verisign, Entrust and Microsoft.

The default CA is regenerated automatically when it is updated.

Add Certificate Authority

1. Go to System > Certificates > Certificate Authorities and click Add.

2. Enter the name of the CA.

3. Select the format of the root certificate. The certificate and private key are stored in different files.

4. Upload the certificate and private key.

5. Enter the CA passphrase and re-enter to confirm.

Figure 482: Add Certificate Authority

6. Click Save.

Download CA

You can download local CAs in order to forward these to the remote peer for the verification process.

1. Go to System > Certificates > Certificate Authorities.

2. Click the download icon to download the zip file.

Update Default CA

Edit Default CA Parameters allows you to edit the default certificate authority details.

1. Go to System > Certificates > Certificate Authorities.

2. Go to the Manage column and click the edit icon against the default CA.

3. The name of the default CA cannot be changed.

4. Select the country in which the device is deployed.

5. Enter the state within the country.

6. Enter the locality in which the certificate is to be used.

7. Enter the name of the certificate owner (example: Sophos Group).

8. Enter the name of the department to which the certificate is to be assigned (example: marketing).

9. Enter the common name or FQDN (example: marketing.sophos.com).

10. Enter the contact person's email address.

11. Enter the CA passphrase and re-enter to confirm.

12. Click Save.

Regenerate Certificate Authority

1. Go to System > Certificates > Certificate Authorities.

2. To regenerate the default CA, go to the Manage column and click the regenerate icon.

Note: When you update the default CA, it is automatically regenerated.

Certificate Revocation Lists

Certificates can be revoked when the key or CA has been compromised, or the certificate is no longer valid for the original purpose. CAs maintain a list of revoked certificates.

You can upload Certificate Revocation List (CRL) of an external CA. Self-signed certificates that are revoked are automatically added to the CRL.


Add CRL

Add CRL allows you to upload the Certificate Revocation List (CRL) of an external certificate authority.

1. Go to System > Certificates > Certificate Revocation Lists and click Add.

2. Enter the CRL Name and upload the CRL file.

3. Click Save.

Download CRL

When you add a CA, a default CRL file, default.tar.gz, is generated.

1. Go to System > Certificates > Certificate Revocation Lists.

2. Click Download against the CRL to download the .zip file.

Appendix A - Logs

Device provides extensive logging capabilities for traffic, system, and network protection functions. Detailed log information and reports provide historical as well as current analysis of network activity to help identify security issues and reduce network misuse and abuse.

Device provides following logs:

• System Logs

• Web Filter Logs

• Application Filter Logs

• Malware Logs

• Email Logs

• Firewall Logs

• IPS Logs

• Authentication Logs

• Admin Logs

• Sandstorm Logs

• WAF Logs

• Advanced Threat Protection Logs

• Security Heartbeat Logs

To view logs for all modules, go to the Log Viewer page.

Log Viewer

Use Log Viewer to view the logs for modules like System, Web Filter, Application Filter, Malware, Email, Firewall, IPS, Authentication, Admin, Sandstorm, Web Application Protection, Advanced Threat Protection, and Security Heartbeat. This page gives consolidated information about all the events logged by your device.

You can also open multiple live packet capture windows with different filters from this page. To do so, enable Packet Capture from Monitor & Analyze > Diagnostics > Packet Capture. It is recommended to enable Wrap Capture Buffer Once Full on the Configure Capture Filter page so that capturing continues after the buffer is full.

Click the Open PCAP link in the Live PCAP column to view the packet capture in a new window. It displays captured packets filtered automatically on the values of the currently selected log entry. Click Display Filter in the packet capture window to modify the filters. A packet capture window cannot be opened for the System and Admin modules.


Using this page, you can:

• Set Refresh Interval – Select the interval at which the logs are refreshed automatically from the Set Refresh Interval drop-down list, or click Refresh to refresh the logs manually.

• De-anonymize - View the actual (de-anonymized) user identities in logs that are displayed in anonymized form when Data Anonymization is enabled.

Note: To enable Data Anonymization go to Configure > System Services > Data Anonymization page.

• View logs for all modules:

System – System logs provide information about all system-related events, including VPN events.

Web Filter – Web filter logs provide web surfing details such as accessed and blocked sites, users trying to access blocked websites, and the action taken by the device (Allowed or Blocked).

Application Filter – Application filter logs provide details about applications to which access was denied by the device.

Malware – Malware logs provide information about the viruses identified by the device.

Email – Email logs provide information about the mail traffic processed by the device.

Firewall – Firewall logs provide information about how much traffic passes through a particular firewall rule and through which interfaces.

IPS – IPS logs provide information about the intrusion attempts detected or blocked by the device.

Authentication – Authentication logs provide information about all authentication events, including firewall, VPN and User Portal authentication.

Admin – Admin logs provide information about administrator events and tasks.

WAF – WAF logs provide information about HTTP/S requests and the action taken on them.

Advanced Threat Protection - ATP logs provide information about threats detected or blocked by the device.

Security Heartbeat - Security Heartbeat logs provide information on the Heartbeat connection and its status.

View List of System Events

Time

Time when the event occurred.

Log Comp

Displays the log components of the system event.

Log component types – HTTP, HA, central management, IPSec, L2TP, PPTP, SSL VPN, Device, DHCP Server, Interface, Gateway, DDNS, WebCat, IPS, anti-virus, quarantine, WLAN, HTTPS, guest user, protected application server, CTA, PPPoE, wireless protection, RED, ATP, SSL VPN Client, IPSec client, authentication clients, RED firmware, AP firmware and Up2Date.

Status

Successful: The event succeeded.

Failed: The event failed.

Username

Username of the user.

Message

Message for the type of system event.

Message ID

Message ID of the message.


Figure 483: System Log

View List of Web Filter Events

Logs are displayed only if the Web Protection module is subscribed.

Time

Time when the event occurred.

Action

Allowed: Displays websites allowed by the device.

Denied: Displays websites blocked by the device.

Username

Username of the user that accessed the URL.

Source IP

Source IP address (IPv4 / IPv6).

Destination IP

Destination IP address (IPv4 / IPv6).

Category

Web Category under which the URL is categorized by the device.

URL

URL accessed.

Bytes Transfer

Number of bytes transferred.

Message ID

Message ID of the message.

Policy ID

Policy ID applicable to the message.

Live PCAP

Click the Open PCAP link to view the packet capture in a new window, filtered on Source IP, Policy ID and Username.


Figure 484: Web Filter Log Viewer

View List of Application Filter Events

Logs are displayed only if the Web Protection module is subscribed.

Time

Time when the event occurred.

Action

Denied.

Username

Username of the user that accessed the application.

Source IP

Source IP address (IPv4 / IPv6).

Destination IP

Destination IP address (IPv4 / IPv6).

Application Category

Category under which the application is categorized.

Application

Name of the application denied.

Message ID

Message ID of the message.

Policy ID

Policy ID applicable to the message.

Live PCAP

Click the Open PCAP link to view the packet capture in a new window, filtered on Source IP, Policy ID and Username.


Figure 485: Application Filter Log Viewer

View List of Malware Events

HTTP, HTTPS, and FTP logs are displayed only if the Web Protection module is subscribed.

POP, POPS, IMAP, IMAPS, SMTP and SMTPS logs are displayed only if Email Protection module is subscribed.

Time

Time when the event occurred.

Protocol

Displays name of the protocol.

Types of protocol: HTTP, HTTPS, FTP, POP, POPS, IMAP, IMAPS, SMTP and SMTPS.

Username

Username of the user on whose system the virus was detected.

Source IP

Source IP address (IPv4 / IPv6).

Destination IP

Destination IP address (IPv4 / IPv6).

Virus

Name of the virus detected.

Message

Message for the virus detected.

Message ID

Message ID of the message.

Live PCAP

Click Open PCAP link to view packet capture in a new window based on Source IP and Username.

Figure 486: Malware Log Viewer


View List of Email Events

Logs are displayed only if the Email Protection module is subscribed.

Time

Time when the event occurred.

Log Comp

Displays the log components of the email events.

Types of log components: SMTP, SMTPS, POP, POPS, IMAP and IMAPS.

Action

Displays action taken against any email events.

Actions: Reject, Drop, Accept, Change Recipient, Prefix Subject, Tmp Reject and Accept with SPX.

Username

Username of the user on whose system the spam was detected.

Source IP

Source IP address (IPv4 / IPv6).

Destination IP

Destination IP address (IPv4 / IPv6).

Email Sender

Email address of the sender.

Email Receiver

Email address of the recipient.

Email Subject

Subject of the email.

Message

Message related to action taken by the device for the email event.

Message ID

Message ID of the message.

Live PCAP

Click Open PCAP link to view packet capture in a new window based on Source IP and Username.

Figure 487: Email Log Viewer


View List of Firewall Events

Time

Time when the event occurred.

Log Comp

Displays the log components of the firewall events.

Examples: firewall rule, invalid traffic, local ACL, DoS attack, ICMP redirection, source routed, fragmented traffic, MAC filter, IPMAC filter, IP spoof, protected application server heartbeat and ICMP error message.

Action

Allowed: Permits the traffic.

Denied: Blocks the traffic.

Username

Username of the user on which the firewall rule is applied.

Firewall Rule

Firewall rule ID.

In Interface

Interface through which the traffic is coming in.

Out Interface

Interface through which the traffic is going out.

Source IP

Source IP address (IPv4 / IPv6).

Destination IP

Destination IP address (IPv4 / IPv6).

Rule Type

Type of firewall rule.

Message ID

Message ID of the message.

Live PCAP

Click the Open PCAP link to view the packet capture in a new window, filtered on Source IP, Firewall Rule ID and Username.

Figure 488: Firewall Log Viewer

View List of IPS Events

Logs are displayed only if the Network Protection module is subscribed.

Time

Time when the event occurred.

Log Comp

Displays the log components of IPS events.

Types of log components: anomaly and signatures.

Action

Detect: Intrusion attempts detected by the device.

Drop: Intrusion attempts dropped by the device.

Username

Username of the user that triggered the signature.

Source IP

Source IP address (IPv4 / IPv6).

Destination IP

Destination IP address (IPv4 / IPv6).

Signature ID

Signature ID of the signature.

Signature Name

Name for the detected signature.

Category

Category of the signature.

Platform

Platform of the signature.

Target

Target of the signature.

Policy Rule

Firewall rule applied.

Message ID

Message ID of the message.

Live PCAP


Click Open PCAP link to view packet capture in a new window based on Source IP and Username.

Figure 489: IPS Log Viewer

View List of Authentication Events

Time

Date and time when the event occurred.

Log Comp

Displays the log components of the authentication events.

Types of log components: external authentication, firewall authentication, VPN authentication, SSL VPN authentication, My Account authentication, Dial-In authentication and NTLM authentication.

Status

Successful: Displays the successful events.

Failed: Displays the failed events.

Username

Username of the user.

IP Address

IP address of the user.

Auth Client

Authentication client that is used for authentication.

Auth Mechanism

Type of authentication mechanism: local or external server (AD, LDAP or RADIUS).

Message

Message for the type of authentication event.

Message ID

Message ID of the message.

Live PCAP

Click Open PCAP link to view packet capture in a new window based on Source IP and Username.


Figure 490: Authentication Log Viewer

View List of Admin Events

Time

Time when the event occurred.

Log Comp

Displays type of log components of admin events. Types of log components: GUI, CLI, API and central management.

Status

Successful: Displays the successful events.

Failed: Displays the failed events.

Username

Username of the admin user.

IP Address

IP address of the admin user.

Message

Message for the type of admin event.

Message ID

Message ID of the message.

Figure 491: Admin Log Viewer

View List of Web Server Protection (WAF) Events

Logs are displayed only if Web Server Protection module is subscribed.

Time

Time when the event occurred.

Web Server Name

Displays the name of the web server.


Source IP/Name

Source IP address or name.

URL

URL accessed.

Reason

Reason for the action taken on any web application.

Message

Message for the WAF event.

Status Code

Status code of the action taken on the web application.

Bytes Received

Displays the information of bytes received by the device.

Bytes Transmitted

Displays the information of bytes transmitted by the device.

Message ID

Message ID of the message.

Policy ID

Policy ID applicable to the WAF event.

Live PCAP

Click Open PCAP link to view packet capture in a new window based on Source IP and Policy ID.

Figure 492: WAF Log Viewer

View List of Advanced Threat Protection Events

Logs are displayed only if the Network Protection module is subscribed.

Time

Time when the event occurred.

Host (Source IP)

IP address of the host from which the threat originates.

User

Username of the user.

Destination IP

Destination IP address (IPv4 / IPv6).

Threat

Name of the threat detected by the device.

Threat URL/IP


URL/IP of the threat detected.

Origin

Displays the type of source from where the threat comes (Firewall, DNS, IPS, web).

Action

Action taken on the detection of the threat (log only, log and drop).

Message ID

Message ID of the message.

Login User

Name of the login user.

Process User

Name of the process user.

Executable

Name of executable files possibly infected with threats.

Live PCAP

Click Open PCAP link to view packet capture in a new window based on Source IP and User.

Figure 493: ATP Log Viewer

View List of Security Heartbeat Events

Time

Time when the event occurred.

Endpoint Name

Name of the endpoint.

Endpoint IP

IP address of the endpoint.

Endpoint Health

Status of endpoint health (red, yellow, green).

Message ID

Message ID of the message.

Live PCAP

Click Open PCAP link to view packet capture in a new window based on Endpoint IP.


Figure 494: Security Heartbeat Log Viewer

Log ID Structure

Each log is identified by a Log ID. The Log ID is a unique 12-character code c1c2c3c4c5c6c7c8c9c10c11c12, where:

c1c2 - Log Type ID
c3c4 - Log Component ID
c5c6 - Log Sub Type ID
c7 - Priority
c8c9c10c11c12 - Message ID

For example, if the Log ID is 010101600001:

c1c2 - 01
c3c4 - 01
c5c6 - 01
c7 - 6
c8c9c10c11c12 - 00001

Hence, from the Log ID we derive:

Log Type (01) = Firewall
Log Component (01) = Firewall Rule
Log Sub-type (01) = Allowed
Priority (6) = Information
Message (00001) = Firewall Traffic Allowed (to be looked up under the appropriate type of logs; here, since the Log Type is Firewall, the Message is found under Firewall Logs)

Log Type

Log Type ID identifies the type of log.

Type ID   Log Type
01        Security Policy
02        IPS
03        Anti Virus
04        Anti Spam
05        Content Filtering
06        Event
07        WAF
08        ATP
09        EATP
10        Wireless Protection
11        HeartBeat
12        System Health
13        Sandbox

Log Component

Log Component ID identifies the component of the log.

Comp ID   Component
01        Firewall Rule
02        Invalid Traffic
03        Appliance Access
04        DoS Attacks
05        ICMP Redirection
06        Source Routed
07        Anomaly
08        Signatures
09        HTTP
10        FTP
11        SMTP
12        POP3
13        IMAP4
14        Fragmented Traffic
15        Invalid Fragmented Traffic
16        HA
17        CLI
18        LCD
19        CCC
20        IM
21        Foreign Host
22        IPMAC Filter
23        IP Spoof
24        GUI
25        IPsec
26        L2TP
27        PPTP
28        SSL VPN
29        Firewall Authentication
30        VPN Authentication
31        SSL VPN Authentication
32        My Account Authentication
33        Appliance
34        DHCP Server
35        Interface
36        Gateway
37        DDNS
38        WebCat
39        IPS
40        AV
41        Dial-In Authentication
42        Dial-In
43        Quarantine
44        Application Filter
45        Landing Page
46        WLAN
47        ARP Flood
48        HTTPS
49        Guest User
50        WAF
51        Virtual Host
52        CTA
53        NTLM
54        Appliances Deactivated
55        PPPoE
56        External Authentication
57        API
58        ICAP
59        SMTPS
60        Wireless Controller
61        POPS
62        IMAPS
63        Firewall
64        DNS
65        Web Proxy
66        Heartbeat
67        End Point
68        RED
69        ATP
70        SSL VPN Client
71        IPsec Client
72        Authentication Client
73        RED Firmware
74        AP Firmware up2date
75        CPU
76        Memory
77        Disk
78        Live User
79        Missing Heartbeat
80        Enhanced app control
81        ICMP related packets
82        Mail proxy
83        (component name blank in source)

Log Subtype

Log Subtype ID   Sub type
01               Allowed
02               Denied
03               Detect
04               Drop
05               Clean
06               Virus
07               Spam
08               Probable Spam
09               Admin
10               Authentication
11               System
12               OB Clean
13               OB Spam
14               OB Probable Spam
15               No Modification
16               Modified Headers
17               Modified Body
18               4xx Error
19               5xx Error
20               Alert
21               DLP
22               SPX
23               DOS
24               Override
25               Information
26               Usage
27               Warned
28               Pending

Priority

Priority   Description
0          Emergency
1          Alert
2          Critical
3          Error
4          Warning
5          Notification
6          Information
7          Debug

Common Fields for all Logs

Data Field        Type     Description
device
date              date     Date (yyyy-mm-dd) when the event occurred
time              time     Time (hh:mm:ss) when the event occurred
timezone          string   Time zone set on the appliance, e.g. IST
device_name       string   Model number of the device
device_id         string   Serial number of the device
deployment_mode   string   Mode in which the appliance is deployed. Possible values: Route, Bridge
log_id                     Unique 12 characters code (c1c2c3c4c5c6c7c8c9c10c11c12), e.g. 0101011, 0102011:
                           c1c2 - Log Type, e.g. 01 for firewall log
                           c3c4 - Log Component, i.e. firewall/local ACL/DoS Attack etc.
                           c5c6 - Log Sub Type, i.e. allow/violation
                           c7 - Priority, e.g. 0 for Emergency
                           c8c9c10c11c12 - Message ID, e.g. 00001 for traffic allowed by firewall
                           Refer to Log ID Structure.
log_type          string   Type of event, e.g. firewall event. Refer to Log Type.
log_component     string   Component responsible for logging, e.g. Firewall rule. Refer to Log Component.
log_subtype       string   Sub type of event. Refer to Log Sub-type.
priority          string   Severity level of traffic. Refer to Priority.

System Logs

Log Component   Message ID   Message
HA              60012        Appliance becomes standalone
HA              60013        Appliance goes in fault
HA              60014        Appliance becomes auxiliary
HA              60015        Appliance becomes primary
HA              60016        Appliance becomes standalone at appliance start up
HA              60017        Appliance goes in fault at appliance start up
HA              60018        Appliance becomes auxiliary at appliance start up
HA              60019        Appliance becomes primary at appliance start up
HA              17838        HA was disabled
DHCP Server     60020        DHCP lease renew

Log Component

Appliance

Interface

Gateway

DDNS

WebCat

AV

IPS

Interface

Dial-In

17817

17920

17819

17922

17921

17820

17821

17822

17905

17943

17944

17813

17814

18036

17815

17923

17924

17931

17932

17933

17934

17941

17942

Message ID

60021

60022

17807

17808

17809

17810

17811

17812

17816

17904


Message

DHCP lease release

DHCP lease expired

CPU usage exceeded the threshold

Physical memory usage exceeded the threshold

SWAP memory usage exceeded the threshold

Config disk usage exceeded the threshold

Signature disk usage exceeded the threshold

Reports disk usage reached the higher threshold

Appliance started successfully

Reserved for OPCODE failure snmp trap (logs will be added later)

Reserved for Service failure snmp trap (logs will be added later)

Scheduled backup was successfully taken (Information)

Failed to send scheduled backup

Fan Speed has decreased below the desirable level

Temperature has increased above the desired level

Report disk usage reached lower than the lower threshold

Report disk usage exceeded the lower threshold

The audit subsystem has successfully shut down.

Fail to send certificate passphrase.

Connectivity to ConnectWise Server has been lost.

Fail to send test mail : <Reason>

Interface UP/Interface Down

Gateway live/ Gateway dead

Up/down gateway detail to SFM

DDNS Update successful/failed

WebCat Database upgraded from <old version> to <new version>

WebCat Database upgrade failed

AV Definitions upgraded from <old version> to <new version>

AV Definitions upgrade failed

IPS Signatures upgrade failed

Primary Link down/Up and link failover/failback to backup/ primary link

Dial-In client connected

Dial-In client disconnected

Log Component

Quarantine

SSL VPN

L2TP

PPTP

IPSec

17840

17841

17842

17843

17844

17832

17833

17834

17835

17836

17936

17937

17803

17804

17805

17806

17801

17802

Message ID

17823

17824

17825

17826

17827

17828

17829

17830

17831

17837

17839


Message

Quarantined email could not be released because <reason>

SSL VPN Connection (Tunnel Access) Established

SSL VPN Connection (Tunnel Access) Terminated

SSL VPN Connection (Web Access) Established

SSL VPN Connection (Web Access) Terminated

SSL VPN Connection (Application Access) Established

SSL VPN Connection (Application Access) Terminated

SSL VPN resource access allowed

SSL VPN resource access denied

User Certificate <certificate_name> was created for user <username>

All User Certificates deleted

L2TP Connection Established

L2TP Connection Terminated

PPTP Connection Established

PPTP Connection Terminated

IPSec Connection Established

IPSec Connection Terminated

Failover group Activation successful. A particular connection/No connection established

Failover successful

Failover failed. Connection will be established on next failback event

Failback successful

Failback failed, revert back to current running connection successful

Failback failed, revert back to current running connection also failed. Connection will be established on next failback event

<connectionname>, activation: Connection activated successfully

<connectionname>, activation: Failed to activate this connection. Reason: <reason>

<connectionname>, activation: Trying to deactivate/initiate/ terminate an inactive connection. Probable DB sync problem

<connectionname>, EST-P1-MM: Response to establishment request from <peeris> peer <peerrequesterip> successful

<connectionname>, EST-P1-MM: Response to establishment request from <peerrequesterip> failed because <reason>

<connectionname>, EST-P1-AM: Responding to establishment request from <peerrequesterip>, state # <state>

Log Component Message ID

17845

17846

17847

17848

17849

17850

17851

17852

17853

17854

17855

17856

17857

17858

17859

17860

17861


Message

<connectionname>, EST-P1-AM: Response to establishment request from <peerrequesterip> failed because <reason>

<connectionname>, EST-P1-MM: Connection being initiated on request

<connectionname>, EST-P1-AM: Connection with state <state> being initiated on request

<connectionname>, EST-P1-MM: Peer ID is <peerid>

<connectionname>, EST-P1-AM: Peer ID is <peerid>

<connectionname>, EST-P1: Phase-1 ID mismatch. Configured peer id is <remoteid> and received peer id is <peerid>. System is initiator. Verify ID configuration at both the ends is in sync.

<connectionname>, EST-P1: Phase-1 ID mismatch. No suitable connection for peer id <peerid>. System is responder. Verify ID configuration at both the ends is in sync.

<connectionname2>, EST-P1: switched the connection from <connectionname> to <connectionname2> because <connectionname2>'s configuration matches the request better.

<connectionname>, EST-P1: Peer did not accept any proposal sent. Reconfigure the connection on either of the ends

<connectionname>, EST-P1: System did not accept any proposal received. Need to reconfigure the connection on either of the ends.

<connectionname>, EST-P1: An error (mostly related to network) has occurred while sending a packet to advance the IKE state machine from state <state>.

<connectionname>, EST-P1: max number of retransmissions <count> reached STATE_MAIN_I1. No response (or no acceptable response) to first IKE message

<connectionname>, EST-P1: max number of retransmissions <count> reached STATE_MAIN_I3. Possible authentication failure or NAT device in between: no acceptable response to first encrypted message

<connectionname>, EST-P1: Malformed payload in packet. Probable authentication failure (mismatch of preshared secrets). Verify pre-shared secrets are same at both the ends.

<connectionname>, EST-P1: unexpected message received in state <state>. Payload received from the peer does not lead the System to the next expected IKE state

<connectionname>, EST-P1: Informational Exchange message is invalid because it has a previously used Message ID <messageid>

<connectionname>, EST-P1-MM: Phase-1 SA initiated by peer is established

Log Component Message ID

17865

17866

17867

17868

17869

17870

17871

17876

17877

17878

17879

17872

17873

17874

17875

17880

17881


Message

<connectionname>, EST-P2: Initiating Phase-2 (protected by Phase-1 SA with <state>) on request with policy <policybits>

<connectionname>, EST-P2: Initiating Phase-2 SA re-keying using Phase-1 SA <state>

<connectionname>, EST-P2: Responding to a Phase-2 establishment request with Message id <MESSAGE ID>

<connectionname>, EST-P2: max number of retransmissions

<count> reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal

<connectionname>, EST-P2: System requires Perfect Forward Secrecy (PFS) but peer proposed not to use PFS

<connectionname>, EST-P2: Local subnet - Remote subnet configuration of the connection being initiated conflicts with that of an already established connection <establishedconnectionname>. Terminate connection <establishedconnectionname> before initiating.

<connectionname>, EST-P2: System received a Phase-2 connection request whose Local subnet – Remote subnet configuration conflicts with that of an already established connection <establishedconnectionname>. System is terminating connection <establishedconnectionname> to honour the incoming request.

<connectionname>, EST-P2: A Phase-2 SA initiated by System is established.

<connectionname>, EST-P2: A Phase-2 SA initiated by peer is established

<connectionname>, NAT-T: No NAT device detected between Local Server and Remote Server

<connectionname>, NAT-T: Local server is behind a NAT device

<connectionname>, NAT-T: Remote server is behind a NAT device

<connectionname>, NAT-T: Both Local and remote server are behind NAT devices

<connectionname>, SA-MGT: Peer requested to delete Phase-1 SA. Deleting ISAKMP state <state>

<connectionname>, SA-MGT: Peer requested to delete Phase-2 SA. Deleting IPSec state <state>

<connectionname>, SA-MGT: Peer requested to delete Phase-2 SA. Deleting existing SA and re-initiating a new one. Replacing IPSEC State #<state>

<connectionname>, SA-MGT: Deleting remote access connection instance with peer <remoteinterfaceip>, isakmp=#<isakmp>, ipsec=#<ipsec>

Log Component

17901

17902

17903

17939

17895

17896

17897

17898

17899

17900

17885

17886

17887

17888

17889

17890

17891

17892

17893

17894

Message ID

17882

17883

17884


Message

<connectionname>, SA-MGT: Deleting connection

<connectionname>, SA-MGT: On deletion of connection, corresponding SA <state> is being deleted

<connectionname>, SA-MGT: Initiating Re-keying of connection's Phase-1 (main mode) SA <state>

<connectionname>, SA-MGT: Initiating Re-keying of connection's Phase-1 (aggressive mode) state <oldstate> to state <newstate>

<connectionname>, SA-MGT: Phase 1 SA is being re-keyed

<connectionname>, SA-MGT: Phase 2 SA is being re-keyed

<connectionname>, SA-MGT: Phase 1 SA has expired

<connectionname>, SA-MGT: Phase 1 SA has expired. Connection is configured not to re-key

<connectionname>, SA-MGT: Phase 2 SA has expired

<connectionname>, SA-MGT: Phase 2 SA has expired. Connection is configured not to re-key

<connectionname>, DPD: Dead peer detection enabled

<connectionname>, DPD: Peer was unreachable and was marked as dead for this connection

<connectionname>, DPD: Connection was <actiononpeerdead> because peer was dead

<connectionname>, DPD: Connection was scheduled to be rekeyed because peer was unreachable and connection was reinitiated

<connectionname>, XAUTH: Sending username/password request

<connectionname>, XAUTH: User <user> attempting to login

<connectionname>, XAUTH: User <user> authenticated successfully

<connectionname>, XAUTH: User <user> failed to authenticate because <reason>

<connectionname>, XAUTH: received MODECFG message when in state <STATE NAME>, and Appliance is not XAUTH client

<connectionname>, XAUTH: Username/password requested but connection configured as XAUTH client cannot be rekeyed. Turn off rekey for the connection

<connectionname>, XAUTH: XAUTH: Answering XAUTH challenge with user <user>

<connectionname>, XAUTH: Successfully authenticated. Appliance is XAUTH Client

Failed to send IPSec tunnel UP/Down notification mail

Log Component

Landing Page

WLAN

CCC

Appliance Access

HTTPS

Guest User

Virtual Host

CTA

PPPoE

Message ID

17938

17906

17907

17908

17909

17911

17910

17912

17918

17919

17927

17928

17929

17930

17935

17940

17953

17913

17914

17915

17916

17917

17925

17926

17954

17955

17956

17957

17958


Message

IPSec tunnel UP/Down notification mail sent successfully

Landing page accepted

Landing page declined

Rogue AP scan successfully completed

Rogue AP scan failed

System triggered Rogue AP Scan was initiated

Failed to send heartbeat from appliance to CCC (reserved for use with CCC, no log is generated)

Heartbeat sent from appliance to CCC (reserved for use with CCC, no log is generated)

Failed to send keep-alive from appliance to CCC (reserved for use with CCC, no log is generated)

Keep-alive sent from appliance to CCC (reserved for use with CCC, no log is generated)

System blocked administrator account for login because of too many wrong login attempts

System unblocked administrator account

System locked administrator's session

Unknown protocol traffic was denied

Invalid Certificate was blocked

Guest user is added in system

Access details SMS sent to the SMS gateway for delivery to guest user

One or more Guest user expired and auto-purged successfully

One or more Guest user expired and auto-purged failed

One or more Guest user expired and auto-purge partially failed

Failed to send Access details SMS

Mapped Server <server_ipaddress> is UP/Mapped Server <server_ipaddress> is DOWN

CTA started with active collectors

<interface name>: PADO packet timeout, no response from server.

<interface name>: Terminating Session, Reattempting in <seconds> Sec.

<interface name>: Discovery process completed

<interface name>: LCP link established

<interface name>: ISP not supporting LCP

<interface name>: Authentication successful

Log Component

PPTP

L2TP

17977

17978

17979

17980

Message ID

17959

17960

17961

17962

17963

17964

17965

17966

17967

17969

17972

17973

17974

17975

17976

17981

17982

17983

17984

17985

17986

17987

17988


Message

<interface name>: Authentication Fail. Please check username and password

<interface name>: Set interface IP < local IP>

<interface name>: Set gateway IP < remote IP>

<interface name>: Set Primary DNS < DNS IP if enable>

<interface name>: Set Aux DNS < DNS IP>

<interface name>: PPPoE Link Up

<interface name>: PPPoE Link Down

<interface name>: Disconnect PPPoE due to LCP timeout

<interface name>: Disconnect PPPoE due to Idle timeout

<interface name>: Reconnected on schedule event.

LCP : Negotiation Opening for < Client IP >

LCP : Link Established for < Client IP >

< PAP/CHAP/MS-CHAPv2 > : Starting Authentication

< PAP/CHAP/MS-CHAPv2 > : Authentication Successful for User < user name >

< PAP/CHAP/MS-CHAPv2 > : Authentication Failed for User < user name >

IPCP : IP allocated : < IP allocated >, IPCP : Set DNS : < Primary/secondary DNS Server >, IPCP : Set WINS : < Primary/secondary WINS Server >

LCP : Disconnect due to LCP timeout

STATS : Connect time : < connection time >, STATS : Sent < no. of bytes > bytes, received < no. of bytes > bytes

IPCP : Taking IPCP down for < Client IP > : < Reason >, LCP : Negotiation Closing for < Client IP > : < Reason >, LCP : Negotiation Closed for < Client IP >

IPCP : Taking IPCP down for < Client IP > : < Reason >, LCP : Negotiation Closing for < Client IP > : < Reason >, LCP : Negotiation Closed for < Client IP >

LCP : Negotiation Opening for < Client IP >

LCP : Link Established for < Client IP >

< PAP/CHAP/MS-CHAP > : Starting Authentication

< PAP/CHAP/MS-CHAP > : Authentication Successful for User < user name >

< PAP/CHAP/MS-CHAP > : Authentication Failed for User < user name >

IPCP : IP allocated : < IP allocated >, IPCP : Set DNS : < Primary/secondary DNS Server >, IPCP : Set WINS : < Primary/secondary WINS Server >

LCP : Disconnect due to LCP timeout

Log Component Message ID

17989

17990

System

WC

RED

ATP

SSLVPN clients

IPSEC clients

Authentication clients

RED firmware

18017

18018

18019

18020

18021

18022

18023

18024

18025

18001

18002

18003

18004

18005

18006

18007

18008

18014

18015

18016

18032

17991

18000

17998

17999


Message

STATS : Connect time : < connection time >, STATS : Sent < no. of bytes > bytes, received < no. of bytes > bytes

IPCP : Taking IPCP down for < Client IP > : < Reason >, LCP : Negotiation Closing for < Client IP > : < Reason >, LCP : Negotiation Closed for < Client IP >

IPCP : Taking IPCP down for < Client IP > : < Reason >, LCP : Negotiation Closing for < Client IP > : < Reason >, LCP : Negotiation Closed for < Client IP >

Event new firmware detected for <type>: <version>

[ <AP-ID>] unknown AP model encountered: <type>, dropping.

[<AP-ID>] no firmware available for AP type '<type>', dropping.

[ <AP-ID> ] device not authorized yet, dropping.

[ <AP-ID> ] Corrupt payload. Device may have wrong key. Delete device to re-register it.

[ <AP-ID>] sent firmware <firmware> to device, releasing connection.

[ <AP-ID> ] failed to send <firmware> to device, dropping.

[MASTER] sending notification about offline AP <AP>

Successfully sent config to AP [ <AP-ID> ].

Failed to send config to AP [ <AP-ID> ].

RED is connected

RED is disconnected

RED interim event

Red devices: Disabled: 5 Enabled: 15 Connected: 12 Disconnected: 3

ATP Definitions upgraded from <old version> to <new version>

ATP Definitions upgrade failed

SSLVPN clients upgraded from <old version> to <new version>

SSLVPN clients upgrade failed

IPSEC clients upgraded from <old version> to <new version>

IPSEC clients upgrade failed

Authentication clients upgraded from <old version> to <new version>

Authentication clients upgrade failed

RED firmware upgraded from <old version> to <new version>


Log Component

AP firmware up2date

WAF

Message ID

18026

18027

18028

18029

18030

18033

18034

Message

RED firmware upgrade failed

AP firmware upgraded from <old version> to <new version>

AP firmware upgrade failed

Failed to check for updates

Failed to download file <MODULE>

WAF Rules upgraded from <old version> to <new version>

WAF Rules upgrade failed

Sample Logs:

device="SFW" date=2017-01-31 time=13:54:44 timezone="IST" device_name="CR750iNG-XP" device_id=C44313350024-P29PUA log_id=064011517819 log_type="Event" log_component="Anti-Virus" log_subtype="System" priority=Notice status="Successful" oldversion=1.0.17972 newversion=1.0.17974 message="Avira AV definitions upgraded from 1.0.17972 to 1.0.17974."

Web Filter Logs

Logs are displayed only if the Web Protection module is subscribed.

Message ID   Message
16001        Web site/file/application access is allowed according to the internet access policy
16002        Web site/file/application access is blocked according to the internet access policy
16003        HTTP File upload allowed
16004        Token override
16005        Website/file/application access is warned allowed according to the Internet access policy
16006        Website/file/application access is warned blocked according to the Internet access policy
16007        HTTP file upload warned allowed
16008        Sandbox file allowed
16009        Sandbox file denied

Sample Logs:

device="SFW" date=2017-01-31 time=14:03:33 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" status="" priority=Information fw_rule_id=2 user_name="jsmith" user_gp="Open Group" iap=1 category="Entertainment" category_type="Unproductive" url="https://r8---sn-ci5gup-qxas.googlevideo.com/" contenttype="" override_token="" httpresponsecode="" src_ip=10.198.47.71 dst_ip=182.79.221.19 protocol="TCP" src_port=9444 dst_port=443 sent_bytes=0 recv_bytes=319007 domain=r8---sn-ci5gup-qxas.googlevideo.com exceptions= activityname="" reason=""

device="SFW" date=2017-02-01 time=18:20:21 timezone="IST" device_name="SG115" device_id=S110000E28BA631 log_id=050902616002 log_type="Content Filtering" log_component="HTTP" log_subtype="Denied" status="" priority=Information fw_rule_id=1 user_name="" user_gp="" iap=13 category="Religion & Spirituality" category_type="Unproductive" url="http://hanuman.com/" contenttype="" override_token="" httpresponsecode="" src_ip=5.5.5.15 dst_ip=216.58.197.44 protocol="TCP" src_port=46719 dst_port=80 sent_bytes=0 recv_bytes=0 domain=hanuman.com exceptions= activityname=""
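An added example (not code from this manual) that parses lines in the format of the samples above and triages a small batch: it tokenises name=value pairs whose values are either double-quoted (possibly empty or containing spaces, as in category="Religion & Spirituality") or bare (possibly empty, as in exceptions=), reads only the Priority digit and Message ID positions of log_id as defined under Log ID Structure, and reports events at Critical or worse plus sources denied repeatedly. The sample lines are constructed from the Web Filter and Anti-Virus samples in this appendix with unused fields trimmed; the function names and the deny threshold are this example's own.

```python
"""Parse Sophos XG key=value log lines and triage a batch.

Added example, not code from the Sophos manual. Function names and the
deny threshold are this example's own; SAMPLE_LINES are constructed from
the Web Filter and Anti-Virus sample logs in this appendix, trimmed to the
fields used here.
"""
import re
from collections import Counter

# name=value pairs: the value is either "double quoted" (may be empty or
# contain spaces) or a bare token (may also be empty, e.g. `exceptions=`).
# Assumes the appliance never emits an escaped quote inside a value.
_PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')


def parse_line(line: str) -> dict:
    """Return the line's fields as a dict of str; raise if it is not an XG log line."""
    fields = {}
    for m in _PAIR.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    if len(fields.get("log_id", "")) != 12 or not fields["log_id"].isdigit():
        raise ValueError("not a Sophos XG log line (missing 12-digit log_id)")
    return fields


def priority_of(fields: dict) -> int:
    """c7 of log_id is the priority digit: 0 Emergency ... 6 Information, 7 Debug."""
    return int(fields["log_id"][6])


def message_id_of(fields: dict) -> str:
    """c8..c12 of log_id is the five-digit Message ID."""
    return fields["log_id"][7:]


def triage(lines, deny_threshold: int = 2) -> dict:
    """First-pass filter over a batch of lines.

    Returns (message id, user, source ip) for every event at Critical or
    worse, the users (or source IPs, when user_name is empty as in the Denied
    sample) denied at least deny_threshold times, and the count of lines that
    did not parse. A bad line is counted, not fatal, so one malformed record
    cannot suppress the rest of the batch.
    """
    critical, denies, unparsed = [], Counter(), 0
    for line in lines:
        try:
            f = parse_line(line)
        except ValueError:
            unparsed += 1
            continue
        if priority_of(f) <= 2:  # Emergency, Alert, Critical
            critical.append((message_id_of(f), f.get("user_name", ""), f.get("src_ip", "")))
        if f.get("log_subtype") == "Denied":
            denies[f.get("user_name") or f.get("src_ip", "?")] += 1
    return {
        "critical": critical,
        "repeat_denies": {k: n for k, n in denies.items() if n >= deny_threshold},
        "unparsed": unparsed,
    }


SAMPLE_LINES = [
    # Constructed: the Web Filter Allowed/Denied and Anti-Virus samples of this
    # appendix with unused fields dropped; the last line is deliberately junk.
    'device="SFW" date=2017-01-31 time=14:03:33 timezone="IST" log_id=050901616001 '
    'log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" status="" '
    'priority=Information user_name="jsmith" user_gp="Open Group" category="Entertainment" '
    'url="https://r8---sn-ci5gup-qxas.googlevideo.com/" src_ip=10.198.47.71 exceptions= activityname=""',
    'device="SFW" date=2017-02-01 time=18:20:21 timezone="IST" log_id=050902616002 '
    'log_type="Content Filtering" log_component="HTTP" log_subtype="Denied" priority=Information '
    'user_name="" category="Religion & Spirituality" url="http://hanuman.com/" src_ip=5.5.5.15 '
    'exceptions= activityname=""',
    'device="SFW" date=2017-02-01 time=18:20:25 timezone="IST" log_id=050902616002 '
    'log_type="Content Filtering" log_component="HTTP" log_subtype="Denied" priority=Information '
    'user_name="" category="Religion & Spirituality" url="http://hanuman.com/" src_ip=5.5.5.15 '
    'exceptions= activityname=""',
    'device="SFW" date=2017-01-31 time=15:35:15 timezone="IST" log_id=030906208001 '
    'log_type="Anti-Virus" log_component="HTTP" log_subtype="Virus" priority=Critical '
    'user_name="jsmith" virus="EICAR-AV-Test" url="http://www.eicar.org/download/eicar.com" '
    'domainname="www.eicar.org" src_ip=10.198.47.71 dst_ip=213.211.198.62',
    'this line is not a firewall log',
]


if __name__ == "__main__":
    from pprint import pprint
    pprint(triage(SAMPLE_LINES))
```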

Module-specific Fields

Data Field        Type      Description
fw_rule_id        integer   Firewall Rule ID which is applied on the traffic
user_name         string    User name
user_gp           string    Group name to which the user belongs
iap               integer   Web Filter policy ID applied on the traffic
category          string    Name of the category under which the website falls
category_type     string    Type of category under which the website falls
url               string    URL of the webpage accessed
content_type      string    Type of the content
httpresponsecode  string    Code of the HTTP response
src_ip            string    Original Source IP address of traffic
dst_ip            string    Original Destination IP address of traffic
protocol          integer   Protocol number of traffic
src_port          integer   Original Source Port of TCP and UDP traffic
dst_port          integer   Original Destination Port of TCP and UDP traffic
sent_bytes        integer   Total number of bytes sent
recv_bytes        integer   Total number of bytes received
domain            string    Domain of the website accessed

Application Filter Logs

Logs are displayed only if the Web Protection module is subscribed.

Message ID   Message
17051        Application access was denied according to application filter policy

Sample Logs

device="SFW" date=2017-02-01 time=18:13:29 timezone="IST" device_name="SG115" device_id=S110016E28BA631 log_id=054402617051 log_type="Content Filtering" log_component="Application" log_subtype="Denied" priority=Information fw_rule_id=1 user_name="" user_gp="" application_filter_policy=8 category="Mobile Applications" application_name="Gtalk Android" application_risk=4 application_technology="Client Server" application_category="Mobile Applications" src_ip=5.5.5.15 src_country_code=DEU dst_ip=74.125.130.188 dst_country_code=USA protocol="TCP" src_port=49128 dst_port=5228 sent_bytes=0 recv_bytes=0 status="Deny" message=""

Module-specific Fields

Data Field                 Type      Description
fw_rule_id                 integer   Firewall Rule ID which is applied on the traffic
user_name                  string    User name
user_group                 string    Group name to which the user belongs
application_filter_policy  integer   Application Filter Policy ID applied on the traffic
category                   string    Name of the category under which the application falls
application_name           string    Name of the application accessed
application_risk           integer   Risk level assigned to the application: 1 - VERY LOW, 2 - LOW, 3 - MEDIUM, 4 - HIGH, 5 - VERY HIGH
application_technology     string    Technology of the application: Browser Based, Client Server, Network Protocol, P2P
application_category       string    Name of the category under which the application falls
src_ip                     string    Original Source IP address of traffic
src_country_code           string    Code of the country to which the source IP belongs
dst_ip                     string    Original Destination IP address of traffic
dst_country_code           integer   Code of the country to which the destination IP belongs
protocol                   integer   Protocol number of traffic
src_port                   integer   Original Source Port of TCP and UDP traffic
dst_port                   integer   Original Destination Port of TCP and UDP traffic
sent_bytes                 integer   Total number of bytes sent
recv_bytes                 integer   Total number of bytes received
status                     string    Ultimate state of traffic: accept/deny
message                    string    Message displayed

Malware Logs

HTTP, HTTPS and FTP logs are displayed only if the Web Protection module is subscribed.

POP, POPS, IMAP, IMAPS, SMTP and SMTPS logs are displayed only if the Web Protection module is subscribed.

Message ID   Log Component   Message
08001        HTTP            The URL has been blocked as it contained a virus
08002        HTTP            Access to URL is allowed as it does not contain any virus
09001        FTP             FTP data transfer was blocked as it contained a virus
09002        FTP             FTP data transfer didn't have any virus and completed successfully
10001        SMTP            The mail is infected with a virus detected by the Device
10002        SMTP            Mail doesn't contain any virus
11001        POP3            The mail is infected with a virus detected by the Device
11002        POP3            Mail doesn't contain any virus
12001        IMAP4           The mail is infected with a virus detected by the Device
12002        IMAP4           Mail doesn't contain any virus

Sample Logs:

device="SFW" date=2017-01-31 time=15:35:15 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=030906208001 log_type="Anti-Virus" log_component="HTTP" log_subtype="Virus" status="" priority=Critical fw_rule_id=2 user_name="jsmith" iap=1 av_policy_name="" virus="EICAR-AV-Test" url="http://www.eicar.org/download/eicar.com" domainname="www.eicar.org" src_ip=10.198.47.71 src_country_code=R1 dst_ip=213.211.198.62 dst_country_code=DEU protocol="TCP" src_port=11013 dst_port=80 sent_bytes=0 recv_bytes=353

Module-specific Fields

Data Field          Type      Description
status              string    Ultimate status of traffic: Allowed or Denied
fw_rule_id          integer   Firewall Rule ID which is applied on the traffic
user_name           string    User name
iap                 integer   Policy Code of the Internet Access Policy applied
av_policy_name      string    Malware scanning policy name which is applied on the traffic
from_email_address  string    Sender email address
to_email_address    string    Recipient email address
subject             string    Signature message
mailid              string    Signature classification
mailsize            string    Priority of IPS policy
virus               string    Virus name
FTP_url             string    FTP URL from which the virus was downloaded
FTP_direction       string    Direction of FTP transfer: Upload or Download
filename            string    Name of the file that contained the virus
filesize            integer   Size of the file that contained the virus
filepath            string    Path of the file containing the virus
ftpcommand          string    FTP command used when the virus was found
url                 string    URL from which the virus was downloaded
domainname          string    Domain from which the virus was downloaded
quarantine          string    Path and filename of the file quarantined
src_domainname      string    Sender domain name
dst_domainname      string    Receiver domain name
src_ip              string    Original Source IP address of traffic
src_country_code    string    Code of the country to which the source IP belongs
dst_ip              string    Original Destination IP address of traffic
dst_country_code    string    Code of the country to which the destination IP belongs
protocol            integer   Protocol number of traffic
src_port            integer   Original Source Port of TCP and UDP traffic
dst_port            integer   Original Destination Port of TCP and UDP traffic
sent_bytes          integer   Total number of bytes sent
recv_bytes          integer   Total number of bytes received

Email Logs

Logs are displayed only if the Email Protection module is subscribed.

Message ID   Message
13001        A mail considered to be a SPAM.
13002        A mail considered to be a PROBABLE SPAM.
13003        A mail was not considered SPAM or PROBABLE SPAM.
13004        Sender IP address is blacklisted.
13005        A mail considered to be an Outbound SPAM
13006        A mail considered to be an Outbound Probable SPAM
13007        Flagged clean by both IBS/OBS
13008        Message is marked clean by outbound
13009        DLP detected in mail
13010        SPX successfully applied
13011        SPX failed
13012        SMTP DOS
13013        Email is marked Clean by Sophos Sandstorm.
13014        Email is marked Malicious by Sophos Sandstorm.
14001        A mail considered to be a SPAM.
14002        A mail considered to be a PROBABLE SPAM.
14003        A mail was not considered SPAM or PROBABLE SPAM.
15001        A mail considered to be a SPAM.
15002        A mail considered to be a PROBABLE SPAM.
15003        A mail was not considered SPAM or PROBABLE SPAM.

Sample Logs

device="SFW" date=2017-01-31 time=15:46:45 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=041101613013 log_type="Anti-Spam" log_component="SMTP" log_subtype="Allowed" status="" priority=Information fw_rule_id=0 user_name="jsmith" av_policy_name="jsmith235" from_email_address="[email protected]" to_email_address="[email protected]" email_subject="GP235" mailid="c000000a-1485857789" mailsize=391 spamaction="SANDSTORM ALLOW" reason="Mail is marked Clean by Sophos Sandstorm." src_domainname="iview.com" dst_domainname="" src_ip=10.198.47.71 src_country_code=R1 dst_ip=10.198.233.61 dst_country_code=R1 protocol="TCP" src_port=11255 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Other"

device="SFW" date=2017-01-31 time=15:47:01 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=041205614003 log_type="Anti-Spam" log_component="POP3" log_subtype="Clean" status="" priority=Information fw_rule_id=0 user_name="jsmith" av_policy_name="None" from_email_address="[email protected]" to_email_address="[email protected]" email_subject="GP235" mailid="<b884459b-279a-7ba6-3991-fc26ad659488@iview.com>" mailsize=877 spamaction="Accept" reason="" src_domainname="iview.com" dst_domainname="iview.com" src_ip=10.198.47.71 src_country_code=R1 dst_ip=10.198.233.61 dst_country_code=R1 protocol="TCP" src_port=11434 dst_port=110 sent_bytes=0 recv_bytes=0 quarantine_reason="Other"

| Appendix A - Logs | 550

device="SFW" date=2017-01-31 time=18:28:25 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=041107413001 log_type="Anti-Spam" log_component="SMTP" log_subtype="Spam" status="" priority=Warning fw_rule_id=0 user_name="jsmith" av_policy_name="jsmith235" from_email_address="jsmith@iview.com" to_email_address="[email protected]" email_subject="RPD Spam Test: Spam" mailid="c000000b-1485867502" mailsize=400 spamaction="DROP" reason="" src_domainname="iview.com" dst_domainname="" src_ip=10.198.47.71 src_country_code=R1 dst_ip=10.198.233.61 dst_country_code=R1 protocol="TCP" src_port=22258 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Spam"

device="SFW" date=2017-01-31 time=18:31:11 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=041207414001 log_type="Anti-Spam" log_component="POP3" log_subtype="Spam" status="" priority=Warning fw_rule_id=0 user_name="jsmith" av_policy_name="jsmith" from_email_address="[email protected]" to_email_address="[email protected]" email_subject="RPD Spam Test: Spam" mailid="<2a2dd5d4-1a30-617b-27b1-7961ad07cf07@iview.com>" mailsize=574 spamaction="Accept" reason="" src_domainname="iview.com" dst_domainname="iview.com" src_ip=10.198.47.71 src_country_code=R1 dst_ip=10.198.233.61 dst_country_code=R1 protocol="TCP" src_port=22333 dst_port=110 sent_bytes=0 recv_bytes=0 quarantine_reason="Other"

device="SFW" date=2017-01-31 time=18:34:41 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=041113413005 log_type="Anti-Spam" log_component="SMTP" log_subtype="Outbound Spam" status="" priority=Warning fw_rule_id=0 user_name="jsmith" av_policy_name="jsmith123" from_email_address="[email protected]" to_email_address="[email protected]" email_subject="RPD Spam Test: Spam" mailid="<[email protected]>" mailsize=405 spamaction="Accept" reason="" src_domainname="iview.com" dst_domainname="" src_ip=10.198.47.71 src_country_code=R1 dst_ip=10.198.233.61 dst_country_code=R1 protocol="TCP" src_port=22420 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Spam"

device="SFW" date=2017-01-31 time=18:36:22 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=041105613003 log_type="Anti-Spam" log_component="SMTP" log_subtype="Clean" status="" priority=Information fw_rule_id=0 user_name="jsmith" av_policy_name="None" from_email_address="[email protected]" to_email_address="jsmith1@iview.com" email_subject="EMAIL" mailid="<5ab27db7-7bac-82e2-ba40-83ce90577c7f@iview.com>" mailsize=398 spamaction="Accept" reason="" src_domainname="iview.com" dst_domainname="" src_ip=10.198.47.71 src_country_code=R1 dst_ip=10.198.233.61 dst_country_code=R1 protocol="TCP" src_port=22477 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Other"

device="SFW" date=2017-01-31 time=18:36:29 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=041205614003 log_type="Anti-Spam" log_component="POP3" log_subtype="Clean" status="" priority=Information fw_rule_id=0 user_name="jsmith" av_policy_name="None" from_email_address="[email protected]" to_email_address="jsmith1@iview.com" email_subject="EMAIL" mailid="<5ab27db7-7bac-82e2-ba40-83ce90577c7f@iview.com>" mailsize=1208 spamaction="Accept" reason="" src_domainname="iview.com" dst_domainname="iview.com" src_ip=10.198.47.71 src_country_code=R1 dst_ip=10.198.233.61 dst_country_code=R1 protocol="TCP" src_port=22479 dst_port=110 sent_bytes=0 recv_bytes=0 quarantine_reason="Other"

Module-specific Fields

status (string): Ultimate status of traffic: Allowed or Denied
firewall_rule_id (integer): Firewall Rule ID which is applied on the traffic (fw_rule_id in the sample logs)
user_name (string): User name
av_policy_name (string): Spam policy name which is applied on the traffic
from_email_address (string): Sender email address
to_email_address (string): Recipient email address
email_subject (string): Email subject
mailid (string): Email ID
mailsize (string): Email size
spam_action (string): Action performed on the message (spamaction in the sample logs). Possible values: Reject, Drop, Accept, Change Recipient, Prefix subject, Sandstorm Allow, Sandstorm Deny
reason (string): Reason why the email was detected as spam/malicious
src_domainname (string): Sender domain name
dst_domainname (string): Receiver domain name
src_ip (string): Original source IP address of traffic
src_country_code (string): Code of the country to which the source IP belongs
dst_ip (string): Original destination IP address of traffic
dst_country_code (string): Code of the country to which the destination IP belongs
protocol (string): Protocol of traffic (written by name, e.g. TCP, in the sample logs)
src_port (integer): Original source port of TCP and UDP traffic
dst_port (integer): Original destination port of TCP and UDP traffic
sent_bytes (integer): Total number of bytes sent
recv_bytes (integer): Total number of bytes received

Firewall Rule Logs

Message ID   Message
00001        Firewall traffic allowed
00002        Firewall traffic denied
00003        Firewall traffic dropped by Galileo Heartbeat
00004        ICMP-related packets denied
00005        ICMP-related packets allowed
00007        Allowed missing heartbeat traffic in case of no restriction
01001        Invalid traffic dropped
01301        Fragmented traffic denied
01601        Invalid fragmented traffic denied
02001        Local ACL traffic allowed
02002        Local ACL traffic denied
03001        DoS attack dropped
04001        ICMP-redirected packet dropped
05001        Source-routed packet dropped
05051        Foreign host denied
05101        IPMAC pair denied
05151        IP Spoof denied
05201        SSL VPN resource access denied
05301        ARP Flood traffic denied
05401        Traffic for virtual host <virtualhostname> is denied. No internal server is available to process the traffic.

Sample Logs:

device="SFW" date=2017-01-31 time=14:16:19 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=30 fw_rule_id=2 policy_type=2 user_name="jsmith" user_gp="Open Group" iap=1 ips_policy_id=0 appfilter_policy_id=1 application="Youtube Video Streaming" application_risk=3 application_technology="Browser Based" application_category="Streaming Media" in_interface="PortA" out_interface="PortB" src_mac=00: 0:00: 0:00: 0 src_ip=10.198.47.71 src_country_code=R1 dst_ip=4.2.2.2 dst_country_code=USA protocol="UDP" src_port=59859 dst_port=53 sent_pkts=1 recv_pkts=1 sent_bytes=77 recv_bytes=105 tran_src_ip=125.18.184.56 tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="LAN" srczone="LAN" dstzonetype="WAN" dstzone="WAN" dir_disp="" connevent="Stop" connid="185246656" vconnid="" hb_health="No Heartbeat"

Module-specific Fields

status (string): Ultimate status of traffic: Allowed or Denied
duration (integer): Duration of traffic (seconds)
fw_rule_id (integer): Firewall Rule ID which is applied on the traffic
user_name (string): User name
user_group (string): Group name to which the user belongs (user_gp in the sample log)
iap (integer): Internet Access policy ID applied on the traffic
ips_policy_id (integer): IPS policy ID applied on the traffic
appfilter_policy_id (integer): Application Filter policy applied on the traffic
application (string): Application name
application_risk (integer): Risk level assigned to the application. Possible values: 1 - VERY LOW, 2 - LOW, 3 - MEDIUM, 4 - HIGH, 5 - VERY HIGH
application_technology (string): Technology of the application. Possible values: Browser Based, Client Server, Network Protocol, P2P
application_category (string): Name of the category under which the application falls
in_interface (string): Interface for incoming traffic, e.g., PortA
out_interface (string): Interface for outgoing traffic, e.g., PortB
src_ip (string): Original source IP address of traffic
src_mac (string): Original source MAC address of traffic
src_country_code (string): Code of the country to which the source IP belongs
dst_ip (string): Original destination IP address of traffic
dst_country_code (string): Code of the country to which the destination IP belongs
protocol (string): Protocol of traffic (written by name, e.g. UDP, in the sample log)
src_port (integer): Original source port of TCP and UDP traffic
dst_port (integer): Original destination port of TCP and UDP traffic
icmp_type (integer): ICMP type of ICMP traffic
icmp_code (integer): ICMP code of ICMP traffic
sent_pkts (integer): Total number of packets sent
received_pkts (integer): Total number of packets received (recv_pkts in the sample log)
sent_bytes (integer): Total number of bytes sent
recv_bytes (integer): Total number of bytes received
trans_src_ip (string): Translated source IP address for outgoing traffic (tran_src_ip in the sample log). Applicable only in route mode. Possible values: "" when the appliance is deployed in bridge mode or no source IP translation is done; otherwise the IP address with which the original source IP is translated
trans_src_port (integer): Translated source port for outgoing traffic (tran_src_port in the sample log). Applicable only in route mode. Possible values: "" when the appliance is deployed in bridge mode or no source port translation is done; otherwise the port with which the original port is translated
trans_dst_ip (string): Translated destination IP address for outgoing traffic (tran_dst_ip in the sample log). Applicable only in route mode. Possible values: "" when the appliance is deployed in bridge mode or no destination IP translation is done; otherwise the IP address with which the original destination IP is translated
trans_dst_port (integer): Translated destination port for outgoing traffic (tran_dst_port in the sample log). Applicable only in route mode. Possible values: "N/A" when the appliance is deployed in bridge mode or no destination port translation is done; otherwise the port with which the original port is translated
srczonetype (string): Type of source zone, e.g., LAN
srczone (string): Name of source zone
dstzonetype (string): Type of destination zone, e.g., WAN
dstzone (string): Name of destination zone
dir_disp (string): Packet direction. Possible values: "org", "reply", ""
conn_event (string): Event on which this log is generated (connevent in the sample log)
conn_id (integer): Unique identifier of the connection (connid in the sample log)
vconn_id (integer): Connection ID of the master connection (vconnid in the sample log)

IPS Logs

Logs are displayed only if the Network Protection Module is subscribed.

Message ID   Message
06001        IPS Anomaly detected
06002        IPS Anomaly dropped
07001        IPS Signature detected
07002        IPS Signature dropped

Sample Logs:

device="SFW" date=2017-02-01 time=12:51:35 timezone="IST" device_name="CR750iNG-XP" device_id=C44313350024-P29PUA log_id=020804407002 log_type="IDP" log_component="Signatures" log_subtype="Drop" status="" priority=Warning idp_policy_id=2 fw_rule_id=1 user_name="" signature_id=1151209031 signature_msg="Autodesk Design Review GIF GlobalColorTable DataSubBlock Buffer Overflow" classification="Unknown" rule_priority=3 src_ip=203.190.124.15 src_country_code=HKG dst_ip=10.198.47.71 dst_country_code=R1 protocol="TCP" src_port=80 dst_port=40575 platform="Windows" category="Application and Software" target="Client"

Module-specific Fields

status (string): Ultimate status of traffic: Allowed or Denied
idp_policy_id (integer): IPS policy ID which is applied on the traffic
idp_policy_name (string): IPS policy name which is applied on the traffic
fw_rule_id (integer): Firewall Rule ID which is applied on the traffic
user_name (string): User name
signature_id (integer): Signature ID
signature_msg (string): Signature message
classification (string): Signature classification
rule_priority (integer): Priority of the IPS policy
src_ip (string): Original source IP address of traffic
src_country_code (string): Country code of the country from where the traffic originated
dst_ip (string): Original destination IP address of traffic
dst_country_code (string): Country code of the country to where the traffic is destined
protocol (string): Protocol of traffic (written by name, e.g. TCP, in the sample log)
src_port (integer): Original source port of TCP and UDP traffic
dst_port (integer): Original destination port of TCP and UDP traffic
icmp_type (integer): ICMP type of ICMP traffic
icmp_code (integer): ICMP code of ICMP traffic
platform (string): Platform of the traffic. Possible values: Windows, Linux, Unix, MAC, Solaris, BSD, Other
category (string): IPS signature category. Possible values: Apache HTTP Server, Application and Software, Browsers, Database Management Systems, DNS, ERP Systems, Exchange Mail Server, FTP, Industrial Control Systems, Malware Communication, Microsoft IIS Web Server, Misc, Multimedia, Office Tools, Operating System and Services, Other Mail Server, Other Web Server, Reconnaissance, Sendmail, VoIP and Instant Messaging, Web Services and Applications
target (string): IPS traffic target. Possible values: Client, Server
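The Anti-Spam, Firewall Rule and IPS samples above share one key=value layout, and in every sample on this page the last five digits of log_id equal the Message ID from the tables (041107413001 ends in 13001, 010101600001 in 00001, 020804407002 in 07002) while the seventh digit matches the syslog number of the priority field (6 for Information, 4 for Warning, 2 for Critical, 5 for Notice). The Python below is an added example, not Sophos code: it parses lines in that format, decodes log_id under that assumed layout, cross-checks the priority text against the severity digit, and raises the Message IDs a SOC would alert on. The sample lines are constructed from values in this appendix and trimmed to the fields used, and the positional layout of log_id is an inference from the samples, not a documented format.

```python
import re
from collections import Counter

# Constructed sample: three lines in the SFW key=value format, with values taken from
# the Anti-Spam, Firewall Rule and IPS samples in this appendix and trimmed to the
# fields used below.
SAMPLE_LOGS = [
    'device="SFW" date=2017-01-31 time=18:28:25 timezone="IST" log_id=041107413001 '
    'log_type="Anti-Spam" log_component="SMTP" log_subtype="Spam" status="" '
    'priority=Warning fw_rule_id=0 user_name="jsmith" email_subject="RPD Spam Test: Spam" '
    'spamaction="DROP" reason="" src_ip=10.198.47.71 dst_ip=10.198.233.61 protocol="TCP" '
    'src_port=22258 dst_port=25 quarantine_reason="Spam"',
    'device="SFW" date=2017-01-31 time=14:16:19 timezone="IST" log_id=010101600001 '
    'log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" '
    'priority=Information fw_rule_id=2 user_name="jsmith" application="Youtube Video Streaming" '
    'src_ip=10.198.47.71 dst_ip=4.2.2.2 protocol="UDP" src_port=59859 dst_port=53 '
    'tran_src_ip=125.18.184.56 tran_dst_ip= tran_dst_port=0 hb_health="No Heartbeat"',
    'device="SFW" date=2017-02-01 time=12:51:35 timezone="IST" log_id=020804407002 '
    'log_type="IDP" log_component="Signatures" log_subtype="Drop" status="" priority=Warning '
    'idp_policy_id=2 fw_rule_id=1 user_name="" signature_id=1151209031 '
    'signature_msg="Autodesk Design Review GIF GlobalColorTable DataSubBlock Buffer Overflow" '
    'src_ip=203.190.124.15 src_country_code=HKG dst_ip=10.198.47.71 protocol="TCP" '
    'src_port=80 dst_port=40575 platform="Windows" target="Client"',
]

# One key=value pair: the value is either "quoted, may contain spaces" or a bare run of
# non-space characters, which may be empty (tran_dst_ip= in the firewall sample).
KV_RE = re.compile(r'(\w+)=("[^"]*"|[^\s"]*)')


def parse_sfw(line):
    """Tokenise one SFW log line into a dict of string values (surrounding quotes stripped)."""
    return {key: val[1:-1] if val.startswith('"') else val for key, val in KV_RE.findall(line)}


# Assumed layout of the 12-digit log_id, inferred from the samples on this page rather
# than taken from Sophos documentation: digits 0-1 log type, 2-3 component, 4-5 subtype,
# 6 severity (syslog numbering), 7-11 the Message ID listed in the tables.
SEVERITY_DIGIT = {"2": "Critical", "4": "Warning", "5": "Notice", "6": "Information"}


def decode_log_id(log_id):
    """Split log_id into its assumed components; the message_id is what the tables list."""
    if not re.fullmatch(r"\d{12}", log_id):
        raise ValueError(f"unexpected log_id {log_id!r}")
    return {
        "type_code": log_id[0:2], "component_code": log_id[2:4], "subtype_code": log_id[4:6],
        "severity": SEVERITY_DIGIT.get(log_id[6], "Unknown"), "message_id": log_id[7:],
    }


# Message IDs from the tables above that warrant an alert; the names are the table text.
ALERT_MESSAGE_IDS = {
    "06002": "IPS Anomaly dropped",
    "07002": "IPS Signature dropped",
    "13001": "A mail considered to be a SPAM",
    "13004": "Sender IP address is blacklisted",
    "18010": "Drop by ATP",
}


def triage(lines):
    """Parse each line, cross-check priority against the log_id severity digit, and return
    (alerts, counts): alerts for Message IDs in ALERT_MESSAGE_IDS, counts per log_type."""
    alerts, counts = [], Counter()
    for line in lines:
        rec = parse_sfw(line)
        meta = decode_log_id(rec["log_id"])
        counts[rec["log_type"]] += 1
        if meta["severity"] != rec.get("priority"):
            # A mismatch means the assumed log_id layout does not hold for this line;
            # surface it instead of silently mis-rating the event.
            raise ValueError(f"priority {rec.get('priority')} != log_id severity {meta['severity']}")
        if meta["message_id"] in ALERT_MESSAGE_IDS:
            alerts.append({
                "message_id": meta["message_id"],
                "message": ALERT_MESSAGE_IDS[meta["message_id"]],
                "severity": meta["severity"],
                "src_ip": rec.get("src_ip", ""), "dst_ip": rec.get("dst_ip", ""),
                "detail": rec.get("signature_msg") or rec.get("email_subject") or rec.get("application", ""),
            })
    return alerts, counts


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOGS)[0]:
        print(alert)
```

The priority cross-check is deliberate: if a future firmware changes the log_id layout, the mismatch is raised on the first line rather than producing mis-rated alerts, and the check costs nothing on lines that conform.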


Authentication Logs

Log Component               Message ID   Message
Firewall Authentication     17701        User logged in successfully to firewall
                            17702        User failed to login to firewall
                            17703        User logged out from firewall
                            17945        Received challenge from <Auth Mech> server via <Client Type>.
My Account Authentication   17704        User logged in successfully to My Account
                            17705        User failed to login to My Account
                            17706        User logged out from My Account
                            17947        Received challenge from <Auth Mech> server via <Client Type>.
VPN Authentication          17707        User logged in successfully to VPN
                            17708        User failed to login to VPN
                            17709        User logged out from VPN
SSL VPN Authentication      17710        User logged in successfully to SSL VPN
                            17711        User failed to login to SSL VPN
                            17712        User logged out from SSL VPN
                            17946        Received challenge from <Auth Mech> server via <Client Type>.
Dial-In Authentication      17713        User logged in using Dial-In
                            17714        User failed to login using Dial-In
                            17715        User logged out of Dial-In
NTLM                        17948        NTLM enabled but AD server not configured
                            17949        Cannot establish NTLM authentication channel with <server name>
                            17950        NTLM authentication channel established successfully with <server name>
                            17951        Cannot establish NTLM authentication channel with <server name>
                            17952        NTLM authentication disabled from appliance
External Authentication     17968        Access connection to ADS/LDAPS <server ip/fqdn> failed because <reason>

Sample Logs

device="SFW" date=2017-01-31 time=18:13:38 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=062910617701 log_type="Event" log_component="Firewall Authentication" log_subtype="Authentication" status="Successful" priority=Information user_name="jsmith" usergroupname="Open Group" auth_client="Web Client" auth_mechanism="Local" reason="" src_ip=10.198.47.71 message="User jsmith of group Open Group logged in successfully to Firewall through Local authentication mechanism from 10.198.47.71" name="jsmith" src_mac=

device="SFW" date=2017-01-31 time=18:13:40 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=062910617703 log_type="Event" log_component="Firewall Authentication" log_subtype="Authentication" status="Successful" priority=Information user_name="jsmith" usergroupname="Open Group" auth_client="Web Client" auth_mechanism="N/A" reason="" src_ip=10.198.47.71 src_mac= start_time=1485866617 sent_bytes=1233 recv_bytes=1265 message="User jsmith was logged out of firewall" name="jsmith" timestamp=1485866620

Module-specific Fields

status (string): Outcome of the authentication event (Successful in the sample logs)
user_name (string): User name
usergroupname (string): Group name to which the user belongs
auth_client (string): Client through which the user authenticated (Web Client in the sample logs)
reason (string): Reason given for the event, if any
src_ip (string): Original source IP address of traffic
src_mac (string): Original source MAC address of traffic
sent_bytes (integer): Total number of bytes sent
recv_bytes (integer): Total number of bytes received
message (string): Message displayed
timestamp (integer): Time of the event (Unix time in the sample logs)

Admin Logs

Message ID   Message
17501        Add operation
17502        Update
17503        Delete
17504        Other management action
17505        System - Maintenance actions
17506        Wizard
17507        Admin login logout
17504        <interface name>: Disconnect PPPoE due to Admin event
17970        HA enable event
17971        HA disable event
17504        PPTP/L2TP Service Enabled/Disabled Successfully

Sample Logs:

device="SFW" date=2017-01-31 time=18:15:43 timezone="IST" device_name="CR750iNG-XP" device_id=C44313350024-P29PUA log_id=062009617502 log_type="Event" log_component="GUI" log_subtype="Admin" status="Successful" priority=Information user_name="admin" src_ip=10.198.47.71 message="Log Settings were changed by &apos;admin&apos; from &apos;10.198.47.71&apos; using &apos;GUI&apos;"

device="SFW" date=2017-01-31 time=18:15:50 timezone="IST" device_name="CR750iNG-XP" device_id=C44313350024-P29PUA log_id=062009617507 log_type="Event" log_component="GUI" log_subtype="Admin" status="Successful" priority=Information user_name="admin" src_ip=10.198.47.71 message="Administrator &apos;admin&apos; logged out of Web Admin Console."

Module-specific Fields

status (string): Outcome of the administrative action (Successful in the sample logs)
user_name (string): User name
src_ip (string): Original source IP address of traffic
message (string): Message displayed

Sandbox Report Logs

Message ID   Message
13013        Sandbox allowed
13014        Sandbox denied
18041        Sandbox file allowed
18042        Sandbox file denied
18043        Sandbox file pending
16005        Website/file/application access is warned allowed according to the Internet access policy
16006        Website/file/application access is warned blocked according to the Internet access policy
16007        HTTP file upload warned allowed
16008        Sandbox file allowed
16009        Sandbox file denied
18009        Alert by ATP
18010        Drop by ATP
18012        Heartbeat status
18013        Endpoint status

Sample Logs

device="SFW" date=2017-01-31 time=14:52:11 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=138301618041 log_type="Sandbox" log_component="Mail" log_subtype="Allowed" priority=Information user_name="" src_ip= filename="" filetype="" filesize=0 sha1sum="" source="" reason="eligible" destination="" subject=""

device="SFW" date=2017-01-31 time=14:52:11 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=138302218042 log_type="Sandbox" log_component="Mail" log_subtype="Denied" priority=Critical user_name="[email protected]" src_ip=10.198.47.112 filename="1.exe" filetype="application/octet-stream" filesize=153006 sha1sum="83cd339302bf5e8ed5240ca6383418089c337a81" source="[email protected]" reason="cached malicious" destination="" subject=""

device="SFW" date=2017-01-31 time=15:28:25 timezone="IST" device_name="CR750iNG-XP" device_id=C44313350024-P29PUA log_id=136501618041 log_type="Sandbox" log_component="Web" log_subtype="Allowed" priority=Information user_name="" src_ip= filename="" filetype="" filesize=0 sha1sum="" source="" reason="eligible" destination="" subject=""

device="SFW" date=2017-01-31 time=15:28:25 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=136528618043 log_type="Sandbox" log_component="Web" log_subtype="Pending" priority=Information user_name="jsmith" src_ip=10.198.47.112 filename="19.exe" filetype="application/octet-stream" filesize=153010 sha1sum="3ce799580908df9ca0dc649aa8c2d06ab267e8c8" source="10.198.241.50" reason="pending" destination="" subject=""

device="SFW" date=2017-01-31 time=15:28:25 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=136502218042 log_type="Sandbox" log_component="Web" log_subtype="Denied" priority=Critical user_name="jsmith" src_ip=10.198.47.112 filename="19.exe" filetype="application/octet-stream" filesize=153010 sha1sum="3ce799580908df9ca0dc649aa8c2d06ab267e8c8" source="10.198.241.50" reason="cloud malicious" destination="" subject=""

Web Application Firewall (WAF) Logs

Logs are displayed only if the Web Server Protection Module is subscribed.

Message ID   Message
17071        A web request is allowed by WAF
17072        A web request is blocked by WAF

Sample logs

device="SFW" date=2017-01-31 time=17:20:29 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PAA log_id=075000617071 log_type="WAF" log_component="Web Application Firewall" priority=Information user_name="jsmith" server=www.iviewtest.com:8989 sourceip=10.198.235.254 localip=10.198.233.48 ws_protocol="HTTP/1.1" url=/ querystring= cookie="-" referer=- method=GET httpstatus=403 reason="Static URL Hardening" extra="No signature found" contenttype="text/html" useragent="Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0" host=10.198.235.254 responsetime=19310 bytessent=726 bytesrcv=510 fw_rule_id=3

device="SFW" date=2017-01-31 time=17:28:48 timezone="IST" device_name="CR750iNG-XP" device_id=C44313350024-P29PUA log_id=075000617071 log_type="WAF" log_component="Web Application Firewall" priority=Information user_name="jsmith" server=www.iviewtest.com:8989 sourceip=10.198.235.254 localip=10.198.233.48 ws_protocol="HTTP/1.1" url=/ querystring= cookie="-" referer=- method=GET httpstatus=302 reason="-" extra="-" contenttype="text/html" useragent="Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0" host=10.198.235.254 responsetime=23113 bytessent=765 bytesrcv=510 fw_rule_id=3

device="SFW" date=2017-01-31 time=18:03:30 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=075000617071 log_type="WAF" log_component="Web Application Firewall" priority=Information user_name="jsmith" server=www.iviewtest.com:8990 sourceip=10.198.235.254 localip=10.198.233.48 ws_protocol="HTTP/1.1" url=/download/eicarcom2.zip querystring= cookie="; PHPSESSID=jetkd9iadd969hsr77jpj4q974; _pk_id.1.fc3a=3a6250e215194a92.1485866024.1.1485866069.1485866024.; _pk_ses.1.fc3a=*" referer=http://www.iviewtest.com:8990/85-0-Download.html method=GET httpstatus=403 reason="Antivirus" extra="EICAR-AV-Test" contenttype="text/html" useragent="Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0" host=10.198.235.254 responsetime=403214 bytessent=739 bytesrcv=715 fw_rule_id=6

All three samples, including the two requests answered with httpstatus=403 (reason="Static URL Hardening" and reason="Antivirus"), carry a log_id ending in 17071. When filtering for WAF blocks, key on httpstatus and reason rather than on the Message ID alone.

Advanced Threat Protection (ATP) Logs

Logs are displayed only if the Network Protection Module is subscribed.

Message ID   Message
18009        Alert by ATP
18010        Drop by ATP

Sample Logs:

device="SFW" date=2017-01-31 time=18:44:31 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=086304418010 log_type="ATP" log_component="Firewall" log_subtype="Drop" priority=Warning user_name="jsmith" protocol="TCP" src_port=22623 dst_port=80 sourceip=10.198.47.71 destinationip=46.161.30.47 url=46.161.30.47 threatname=C2/Generic-A eventid=C366ACFB-7A6F-4870-B359-A6CFDA8C85F7 eventtype="Standard" login_user="" process_user="" ep_uuid= execution_path=""

Heartbeat Logs

Logs are displayed only if the Network Protection Module is subscribed.

Message ID   Message
18012        Heartbeat status
18013        Endpoint status

Sample Logs

device="SFW" date=2017-02-01 time=17:01:55 timezone="IST" device_name="CR750iNG-XP" device_id=C44313350024-P29PUA log_id=116725518013 log_type="Heartbeat" log_component="Endpoint" log_subtype="Information" priority=Notice ep_name=Heartbeat206-PC ep_uuid=54d320ef-7c6c-4cc7b900-8aabcc9ca04b ep_ip=10.198.47.206 ep_health=Green ep_event_time=1485948715

device="SFW" date=2017-02-01 time=17:01:47 timezone="IST" device_name="CR750iNG-XP" device_id=C44313350024-P29PUA log_id=116725518013 log_type="Heartbeat" log_component="Endpoint" log_subtype="Information" priority=Notice ep_name=Heartbeat206-PC ep_uuid=54d320ef-7c6c-4cc7b900-8aabcc9ca04b ep_ip=10.198.47.206 ep_health=Red ep_event_time=1485948707

device="SFW" date=2017-02-01 time=17:24:38 timezone="IST" device_name="CR750iNG-XP" device_id=C44313350024-P29PUA log_id=116725518013 log_type="Heartbeat" log_component="Endpoint" log_subtype="Information" priority=Notice ep_name=Heartbeat206-PC ep_uuid=54d320ef-7c6c-4cc7b900-8aabcc9ca04b ep_ip=10.198.47.206 ep_health=Missing ep_event_time=1485950078

Note that the entries are not in event order: the Green entry (ep_event_time=1485948715, 17:01:55) is logged before the Red entry (ep_event_time=1485948707, 17:01:47). Order by ep_event_time, not by position in the log, when reconstructing an endpoint's health history.
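Heartbeat and ATP events become useful when correlated: an ATP drop from a host whose endpoint health was Red or Missing at that moment calls for a different response than one whose endpoint was Green, or one with no heartbeat at all. The Python below is an added example, not Sophos code. It orders heartbeat events by ep_event_time, derives the health transitions per endpoint, and looks up the endpoint state in effect when each ATP Drop (Message ID 18010) was logged, converting the ATP line's date/time/timezone to epoch seconds because those lines carry no epoch field of their own. The three heartbeat lines are the ones above; the ATP lines are constructed for this example (two of them use the heartbeat endpoint's IP as sourceip), and the table mapping the timezone abbreviation IST to +05:30 is an assumption.

```python
import re
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample: the three Heartbeat lines from this appendix in the order the
# appliance emitted them, plus three ATP Drop lines made up for this example (the
# appendix's ATP sample uses sourceip=10.198.47.71; two lines here use the endpoint's IP).
HB = ('device="SFW" date=2017-02-01 time={t} timezone="IST" device_name="CR750iNG-XP" '
      'log_id=116725518013 log_type="Heartbeat" log_component="Endpoint" '
      'log_subtype="Information" priority=Notice ep_name=Heartbeat206-PC '
      'ep_uuid=54d320ef-7c6c-4cc7b900-8aabcc9ca04b ep_ip=10.198.47.206 ep_health={h} ep_event_time={e}')
ATP = ('device="SFW" date=2017-02-01 time={t} timezone="IST" device_name="CR750iNG-XP" '
       'log_id=086304418010 log_type="ATP" log_component="Firewall" log_subtype="Drop" '
       'priority=Warning user_name="jsmith" protocol="TCP" src_port=22623 dst_port=80 '
       'sourceip={ip} destinationip=46.161.30.47 url=46.161.30.47 threatname=C2/Generic-A')
SAMPLE_LOGS = [
    HB.format(t="17:01:55", h="Green", e=1485948715),
    HB.format(t="17:01:47", h="Red", e=1485948707),
    HB.format(t="17:24:38", h="Missing", e=1485950078),
    ATP.format(t="17:01:50", ip="10.198.47.206"),   # constructed: inside the Red window
    ATP.format(t="17:30:00", ip="10.198.47.206"),   # constructed: after the endpoint went Missing
    ATP.format(t="17:30:05", ip="10.198.47.71"),    # constructed: host with no heartbeat
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|[^\s"]*)')
# Assumption: the appliance reports its zone by abbreviation; only these are mapped.
TZ_OFFSETS = {"IST": timedelta(hours=5, minutes=30), "UTC": timedelta(0)}


def parse_sfw(line):
    """Tokenise one SFW key=value line into a dict of strings (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def event_epoch(rec):
    """Epoch seconds from date/time/timezone; ATP lines have no epoch field of their own."""
    tz = timezone(TZ_OFFSETS[rec["timezone"]])
    local = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
    return int(local.replace(tzinfo=tz).timestamp())


def heartbeat_timeline(records):
    """ep_uuid -> list of (ep_event_time, ep_health, ep_ip) sorted by event time, not log order."""
    by_ep = defaultdict(list)
    for r in records:
        if r.get("log_type") == "Heartbeat":
            by_ep[r["ep_uuid"]].append((int(r["ep_event_time"]), r["ep_health"], r["ep_ip"]))
    return {uuid: sorted(events) for uuid, events in by_ep.items()}


def health_transitions(timeline):
    """(ep_uuid, previous_health, new_health, epoch) for each change; previous is None at first sight."""
    changes = []
    for uuid, events in timeline.items():
        prev = None
        for t, health, _ip in events:
            if health != prev:
                changes.append((uuid, prev, health, t))
                prev = health
    return changes


def health_at(timeline, ip, when):
    """Health from the most recent heartbeat for `ip` at or before `when`, else 'Unknown'."""
    for events in timeline.values():
        if not any(e[2] == ip for e in events):
            continue
        times = [e[0] for e in events]
        i = bisect_right(times, when)
        return events[i - 1][1] if i else "Unknown"
    return "Unknown"


def correlate_atp(records):
    """For each ATP Drop (Message ID 18010) report the endpoint health in effect at that time."""
    timeline = heartbeat_timeline(records)
    hits = []
    for r in records:
        if r.get("log_type") == "ATP" and r["log_id"].endswith("18010"):
            when = event_epoch(r)
            hits.append({"epoch": when, "sourceip": r["sourceip"], "threatname": r["threatname"],
                         "ep_health": health_at(timeline, r["sourceip"], when)})
    return hits


if __name__ == "__main__":
    recs = [parse_sfw(line) for line in SAMPLE_LOGS]
    for change in health_transitions(heartbeat_timeline(recs)):
        print("transition", change)
    for hit in correlate_atp(recs):
        print("atp", hit)
```

The date/time conversion can be checked against the heartbeat lines themselves: for the Green entry, 2017-02-01 17:01:55 IST converts to 1485948715, the value the appliance wrote in ep_event_time.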


System Health Logs

Message ID   Message
18031        CPU, Memory, Disk, Live User, Interface Usage

Sample Logs:

6/9/2015 1:29 PM,Info,10.20.22.172,timezone=""IST"" device_name=""SG135"" device_id=SFDemo1234567890 log_id=127826618031 log_type=""System Health"" log_component=""Disk"" log_subtype=""Usage"" priority=Information Configuration=13.00% Reports=0.00% Signature=16.00% Temp=0.00%

Appendix B - IPS - Custom Pattern Syntax

Keyword: srcaddr / dstaddr
Value:   <ipaddress>;
Usage:   The source/destination IP address.

Keyword: srcport / dstport
Value:   <number>;
Usage:   The source/destination port.

Keyword: content
Value:   "<content string>"; (a string quoted within double quotes)
Usage:   Multiple contents can be specified in one rule. The value can contain mixed text and binary data; binary data is enclosed within pipe (|) characters, e.g. content:"|00 04 93 F3|";.

Keyword: nocase (can be used with the content keyword only)
Value:   (no value)
Usage:   Ignore case in the content value.

Keyword: rawbytes (can be used with the content keyword only)
Value:   (no value)
Usage:   Ignore any decoding and look at the raw packet data.

Keyword: depth (can be used with the content keyword only)
Value:   <number>; e.g. depth:5;
Usage:   Look for the contents within the specified number of bytes of the payload. If the value of depth is smaller than the length of the content value, the signature will never match.

Keyword: offset (can be used with the content keyword only)
Value:   <number>; e.g. content:"cgi-bin/phf";offset:4;depth:20;
Usage:   Start looking for the contents after the specified number of bytes of the payload. This is an absolute position in the payload. Follow offset with depth to stop looking for a match after the number of bytes given by depth; if no depth is specified, the search continues to the end of the payload.

Keyword: distance (can be used with the content keyword only)
Value:   <number>; e.g. content:"ABC";content:"DEF";distance:1;
Usage:   Search for the contents starting the specified number of bytes after the end of the previously matched contents. distance can be followed by within; if no within is specified, the search continues to the end of the payload.

Keyword: within (can be used with the content keyword only)
Value:   <number>;
Usage:   Require the contents to be found within the specified number of bytes after the end of the previous match. Use together with distance.

Keyword: uricontent
Value:   uricontent:"<content string>"; e.g. uricontent:"%3F";
Usage:   Search the normalized request URI field. Binary data can be given as the URI value.

Keyword: isdataat
Value:   <value>[,relative]; e.g. content:"PASS";isdataat:50,relative;
Usage:   Verify that the payload has data at the specified offset; with relative, the offset is counted from the end of the previous content match.

Keyword: pcre
Value:   pcre:[!]"(/<regex>/|m/<regex>/)[ismxAEGRUB]"; e.g. pcre:"/BLAH/i";
Usage:   The pcre keyword allows rules to be written using Perl-compatible regular expressions. Modifiers:
         i - Case insensitive
         s - Include newlines in the dot metacharacter
         m - By default, the string is treated as one big line of characters; ^ and $ match at the start and end of the string. When m is set, ^ and $ match immediately following or immediately before any newline in the buffer, as well as at the very start and very end of the buffer
         x - Whitespace data characters in the pattern are ignored except when escaped or inside a character class
         A - The pattern must match only at the start of the buffer (same as ^)
         E - Set $ to match only at the end of the subject string. Without E, $ also matches immediately before the final character if it is a newline (but not before any other newlines)
         G - Inverts the "greediness" of the quantifiers so that they are not greedy by default, but become greedy if followed by "?"
         R - Match relative to the end of the last pattern match (similar to distance:0;)
         U - Match the decoded URI buffers (similar to the uricontent keyword)
         B - Do not use the decoded buffers (similar to the rawbytes keyword)

Keyword: byte_test
Value:   <bytes to convert>, [!]<operator>, <value>, <offset> [,relative] [,<endian>] [,<number type>, string]; (oct, dec and hex are used with string only)
         For example: msg:"AMD procedure 7 plog overflow"; content:"|00 04 93 F3|"; content:"|00 00 00 07|"; distance:4; within:4; byte_test:4,>,1000,20,relative;
Usage:   Test a byte field against a specific value (with operator). Capable of testing binary values or converting representative byte strings to their binary equivalent and testing them.
         bytes_to_convert - The number of bytes to pick up from the packet
         operator - The operation to perform to test the value (<, >, =, !, &)
         value - The value to test the converted value against
         offset - The number of bytes into the payload to start processing
         relative - Use an offset relative to the last pattern match
         big - Process the data as big endian (default)
         little - Process the data as little endian
         string - The data is stored in string format in the packet
         hex - The converted string data is represented in hexadecimal
         dec - The converted string data is represented in decimal
         oct - The converted string data is represented in octal

Keyword: byte_jump
Value:   <bytes_to_convert>, <offset> [,relative] [,multiplier <multiplier value>] [,big] [,little] [,string] [,hex] [,dec] [,oct] [,align] [,from_beginning]; (oct, dec and hex are used with string only)
         For example content:"|00 00 00
Usage:   Read a number from the packet and skip forward that many bytes.
         bytes_to_convert - The number of bytes to pick up from the packet
         offset - The number of bytes into the payload to start processing
         relative - Use an offset relative to the last pattern match
         multiplier <value> - Multiply the number of converted bytes by value and skip forward that number of bytes
         big - Process the data as big endian (default)
         little - Process the data as little endian
         string - The data is stored in string format in the packet
         hex - The converted string data is represented in hexadecimal
         dec - The converted string data is represented in decimal
         oct - The converted string data is represented in octal
         align - Round the number of converted bytes up to the next 32-bit boundary
         from_beginning - Skip forward from the beginning of the packet payload instead of from the current position in the packet

Keyword: ttl
Value:   <number>; or ><number>; or <<number>;
Usage:   Check the IP time-to-live value against the specified value.

Keyword: tos
Value:   <number>;
Usage:   Check the IP TOS field for the specified value.

Keyword: id
Value:   <number>;
Usage:   Check the IP ID field for the specified value.

Keyword: ipopts
Value:   {rr | eol | nop | ts | sec | lsrr | ssrr | satid | any}
Usage:   rr - Check if the IP RR (record route) option is present
         eol - Check if the IP EOL (end of list) option is present
         nop - Check if the IP NOP (no op) option is present
         ts - Check if the IP TS (time stamp) option is present
         sec - Check if the IP SEC (IP security) option is present
         lsrr - Check if the IP LSRR (loose source routing) option is present
         ssrr - Check if the IP SSRR (strict source routing) option is present
         satid - Check if the IP SATID (stream identifier) option is present
         any - Check if any IP option is present

Keyword: fragoffset
Value:   <number>;
Usage:   Compare the IP fragment offset field against the decimal value.

Keyword: fragbits
Value:   [+*!]<[MDR]>;
Usage:   Check if IP fragmentation and reserved bits are set in the IP header.
         M - The More Fragments bit
         D - The Don't Fragment bit
         R - The Reserved bit
         + - Match on the specified bits, plus any others
         * - Match if any of the specified bits are set
         ! - Match if the specified bits are not set

Keyword: dsize
Value:   [<|>]<number>[<>number]; e.g. dsize:300<>400;
Usage:   Test the packet payload size. With dsize specified, packet reassembly is turned off automatically, so a signature with both dsize and only_stream set is wrong: dsize will fail on stream-rebuilt packets, regardless of the size of the payload.

Keyword: flags
Value:   [!|*|+]<FSRPAU120>[,<FSRPAU120>]; e.g. flags:SF,12;
Usage:   Specify the TCP flags to match in a packet.
         S - Match the SYN flag
         A - Match the ACK flag
         F - Match the FIN flag
         R - Match the RST flag
         U - Match the URG flag
         P - Match the PSH flag
         1 - Match reserved bit 1
         2 - Match reserved bit 2
         0 - Match no TCP flags set
         + - Match on the specified bits, plus any others
         * - Match if any of the specified bits are set
         ! - Match if the specified bits are not set

Keyword: flow
Value:   [to_client|to_server|from_client|from_server]; established; bi_direction; [no_stream|only_stream];
Usage:   TCP only. The to_server value is equal to the from_client value; the to_client value is equal to the from_server value. The bi_direction tag makes the signature match traffic in both directions. For example, if you have a signature with "--dst_port 80" and bi_direction set, the signature checks traffic from and to port 80.

Keyword: seq
Value:   <number>;
Usage:   Check for the specified TCP sequence number.

Keyword: ack
Value:   <number>;
Usage:   Check for the specified TCP acknowledgement number.

Keyword: window
Value:   <number>;
Usage:   Check for the specified TCP window size.

Keyword: itype
Value:   [<|>]<number>[<>number];
Usage:   Specify the ICMP type to match.

Keyword: icode
Value:   [<|>]<number>[<>number];
Usage:   Specify the ICMP code to match.

Keyword: icmp_id
Value:   <number>;
Usage:   Check for the specified ICMP ID value.

Keyword: icmp_seq
Value:   <number>;
Usage:   Check for the specified ICMP sequence value.

| Appendix C - Default File Type Categories | 569

Keyword

rpc ip_proto samip

Value Usage

<application number>,[<version number>|*],[<procedure number>|

*>;

Check for RPC application, version,and procedure numbers in

SUNRPCCALL requests. The * wildcard can be used for version and procedure numbers

<number>;

[!]<number>;><number>;<<number>;

Check the IP protocol header

NULL The source and the destination have the same IP addresses
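The following Python module is an added example, not code from the Sophos manual: it implements the matching rules described above for flags, fragbits, fragoffset, dsize and byte_test against constructed packet fields, so the effect of the +, * and ! modifiers and of the string and endian options of byte_test can be checked directly. Two points are assumptions on our part and are marked as such in the code: the dsize a<>b range is treated as inclusive, and reserved bit "1" is taken as the most significant bit of the TCP flags byte, as in Snort.

```python
"""Evaluate IPS custom-pattern options (flags, fragbits, fragoffset, dsize,
byte_test) against constructed packet fields. Added example; the semantics
follow the option descriptions in Appendix B."""

# TCP flag letters -> bit in the 8-bit flags field. Reserved bit "1" is taken
# as the MSB (Snort convention); that mapping is an assumption for this IPS.
TCP_FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
                 "A": 0x10, "U": 0x20, "2": 0x40, "1": 0x80}
# fragbits letters -> bit in the 16-bit IPv4 flags + fragment-offset field
IP_FLAG_BITS = {"R": 0x8000, "D": 0x4000, "M": 0x2000}


def _bits_match(spec, table, value):
    """Shared matcher for flags/fragbits: optional +, * or ! modifier, then bit letters."""
    modifier = ""
    if spec and spec[0] in "+*!":
        modifier, spec = spec[0], spec[1:]
    mask = 0
    for ch in spec:
        if ch != "0":                       # "0" means "no bits", e.g. flags:0
            mask |= table[ch]               # KeyError on an unknown letter is intended
    if modifier == "+":
        return value & mask == mask         # the given bits plus any others
    if modifier == "*":
        return value & mask != 0            # any of the given bits
    if modifier == "!":
        return value & mask == 0            # none of the given bits
    return value == mask                    # exactly the given bits


def flags_match(spec, tcp_flags):
    """flags:[!|*|+]<FSRPAU120>[,<FSRPAU120>];  the part after the comma lists
    bits to ignore, so flags:SF,12 matches SYN+FIN whatever the reserved bits hold."""
    test, _, ignore = spec.rstrip(";").partition(",")
    ignore_mask = sum(TCP_FLAG_BITS[c] for c in ignore)
    return _bits_match(test, TCP_FLAG_BITS, tcp_flags & ~ignore_mask)


def fragbits_match(spec, ip_frag_field):
    """fragbits:[+*!]<MDR>;  tested against the three IPv4 flag bits only."""
    return _bits_match(spec.rstrip(";"), IP_FLAG_BITS, ip_frag_field & 0xE000)


def fragoffset_match(spec, ip_frag_field):
    """fragoffset:<number>;  compares the 13-bit fragment offset (in 8-byte units)."""
    return (ip_frag_field & 0x1FFF) == int(spec.rstrip(";"))


def dsize_match(spec, payload_len):
    """dsize:[<|>]<number>[<>number];  the a<>b range is treated as inclusive here
    (assumption: the appendix does not say whether the bounds are included)."""
    spec = spec.rstrip(";")
    if "<>" in spec:
        lo, hi = (int(x) for x in spec.split("<>"))
        return lo <= payload_len <= hi
    if spec[0] == ">":
        return payload_len > int(spec[1:])
    if spec[0] == "<":
        return payload_len < int(spec[1:])
    return payload_len == int(spec)


def byte_test(payload, spec, last_match_end=0):
    """byte_test:<bytes>,<op>,<value>,<offset>[,relative][,big|little][,string][,hex|dec|oct];
    last_match_end is where the previous content match ended, used with 'relative'."""
    parts = [p.strip() for p in spec.rstrip(";").split(",")]
    nbytes, op, value, offset = int(parts[0]), parts[1], int(parts[2], 0), int(parts[3])
    opts = set(parts[4:])
    start = offset + (last_match_end if "relative" in opts else 0)
    raw = payload[start:start + nbytes]
    if len(raw) < nbytes:
        return False                        # not enough payload left to convert
    if "string" in opts:                    # digits stored as text; hex/dec/oct give the base
        base = 16 if "hex" in opts else 8 if "oct" in opts else 10
        converted = int(raw.decode("ascii"), base)
    else:                                   # raw binary, big endian unless 'little' is given
        converted = int.from_bytes(raw, "little" if "little" in opts else "big")
    return {"<": converted < value, ">": converted > value, "=": converted == value,
            "!": converted != value, "&": (converted & value) != 0}[op]
```

Note the difference between flags:S (exactly SYN, so a SYN/ACK does not match), flags:+S (SYN with anything else) and flags:*SA (SYN or ACK); the same three modifiers apply to fragbits.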

Appendix C - Default File Type Categories

Each category is defined by a list of file extensions and a list of MIME headers (Content-Type values). Several extensions and MIME headers appear in more than one category (for example pdf, mdf, prf, thmx, rm, wmv and dat, and application/octet-stream, which is listed under nine categories), so a policy that blocks or allows one category can also affect files that belong to another, and a MIME header on its own does not reliably identify the category.

Audio Files
File extensions: gsm, sd2, qcp, kar, smf, midi, mid, ulw, snd, aifc, aif, aiff, m3url, m3u, wav, rm, au, ram, mp3, wmv
MIME headers: audio/x-gsm, audio/vnd.qcelp, audio/x-midi, application/x-midi, audio/midi, audio/x-mid, x-music/x-midi, audio/basic, audio/x-adpcm, audio/aiff, audio/x-aiff, audio/x-mpequrl, audio/wav, audio/x-wav, application/vnd.rn-realmedia, audio/x-au, audio/x-pn-realaudio, audio/mpeg3, audio/x-mpeg-3, audio/x-ms-wmv

Backup Files
Includes individual file backups and files related to backup software. Individual backup files are often generated automatically by software programs. Backup software files include incremental backups and full system backups.
File extensions: asd, bak, bkp, bup, dba, dbk, fbw, gho, nba, old, ori, sqb, tlg, tmp
MIME headers: application/octet-stream

Compressed Files
Compressed files use file compression in order to save disk space. Compressed archive formats can also be used to compress multiple files into a single archive.
File extensions: 7z, alz, deb, gz, pkg, pup, rar, rpm, sea, sfx, sit, sitx, tar.gz, tgz, war, zip, zipx
MIME headers: application/x-7z-compressed, application/x-alz, application/x-deb, application/x-gzip, application/x-newton-compatible-pkg, application/x-rar-compressed, application/sea, application/x-sea, application/x-sit, application/x-stuffit, application/gnutar, application/x-compressed, application/x-zip-compressed, application/zip, multipart/x-zip

Configuration Files
Settings files store settings for the operating system and applications. These files are not meant to be opened by the user, but are modified by the corresponding application when the program preferences are changed. Settings files may also be called preference files or configuration files.
File extensions: cfg, clg, dbb, ini, keychain, prf, prx, psf, rdf, reg, thmx, vmx, wfc
MIME headers: application/pics-rules, application/octet-stream, application/vnd.ms-officetheme

Database Files
Database files store data in a structured format, organized into tables and fields. Individual entries within a database are called records. Databases are commonly used for storing data referenced by dynamic websites.
File extensions: accdb, db, dsn, mdb, mdf, pdb, sql, sqlite
MIME headers: application/msaccess, application/x-msaccess, application/vnd.msaccess, application/vnd.ms-access, application/mdb, application/x-mdb, chemical/x-pdb

Developer Files
Contains files related to software development, including programming project files, source code files, code libraries, header files and class files. Compiled objects and components are also included in this category.
File extensions: as, asc, c, cbl, cc, class, cp, cpp, cs, csproj, dev, dtd, f, fs, fsproj, fsx, ftl, gem, h, hpp, ise, ism, java, m, ocx, pas, pod, pro, py, r, rb, sh, src, tcl, trx, v, vbproj, vcproj, vtm, xcodeproj
MIME headers: text/plain, text/x-c, application/java, application/java-byte-code, application/x-java-class, text/xml, text/x-fortran, text/x-h, text/x-java-source, text/x-m, application/octet-stream, text/pascal, text/x-script.phyton, application/x-bsh, application/x-sh, application/x-shar, text/x-script.sh, application/x-wais-source, application/x-tcl, text/x-script.tcl

Disk Image Files
Disk image files contain an exact copy of a hard disk or other type of media, including all the files as well as the file system information. This allows disk images to be used for duplicating disks, CDs and DVDs; they are often used for backup purposes as well.
File extensions: dmg, iso, mdf, nrg, nri, pvm, toast, vcd, vmdk
MIME headers: application/x-cdlink

Document Files
A document file format is a text or binary file type used to store formatted documents (text, pictures, clip art, tables, charts, multiple pages, multiple documents and so on).
File extensions: doc, docx, wbk, xls, xlsx, ppt, pptx, oft, pub, msg, one, xsf, xsn, grv, mpp, mpt, acl, pip, thmx, aw, bld, blg, bvp, cdd, cdf, contact, csv, dat, dif, dmsp, efx, epub, epw, exif, exp, fdb, fxp, gbr, gpi, hdf, id2, lib, mat, mcd, menc, mw, ndx, not, notebook, out, ovf, pdx, pfc, pps, ppsx, pptm, prj, qbw, sdf, svf, tar, tsv, vcf, vdb, vxml, windowslivecontact, wlmp, xfd, xml, xsl, xslt, lit, log, lst, odt, opml, pages, rtf, sig, tex, txt, wpd, wps, pdf
MIME headers: application/msword, application/vnd.openxmlformats-officedocument.wordprocessingml.document, application/excel, application/vnd.ms-excel, application/x-excel, application/x-msexcel, application/vnd.openxmlformats-officedocument.spreadsheetml.sheet, application/mspowerpoint, application/powerpoint, application/vnd.ms-powerpoint, application/x-mspowerpoint, application/vnd.openxmlformats-officedocument.presentationml.presentation, application/x-mspublisher, application/onenote, application/octet-stream, application/vnd.ms-project, application/x-project, application/vnd.ms-officetheme, application/cdf, application/x-cdf, application/x-netcdf, text/comma-separated-values, text/csv, application/csv, video/x-dv, application/x-hdf, application/mcad, application/x-mathcad, application/vnd.openxmlformats-officedocument.presentationml.slideshow, application/vnd.ms-powerpoint.presentation.macroEnabled.12, image/vnd.dwg, image/x-dwg, application/x-tar, text/tab-separated-values, text/x-vcard, application/xml, text/xml, application/x-msreader, text/plain, application/rtf, application/x-rtf, text/richtext, application/x-tex, application/wordperfect, application/x-wpwin, application/vnd.ms-works, application/pdf

Dynamic Files
File extensions: pl, jsp, asp, php, cgi, shtml
MIME headers: text/x-script.perl, text/asp, text/x-server-parsed-html, text/html

Encoded Files
Encoded files store data in an encoded format. These include encrypted files, uncompressed archives and binary-encoded text files. Files are often encoded for security purposes and to keep them from being corrupted during data transfers.
File extensions: bin, enc, hex, hqx, mim, mime, uue
MIME headers: application/mac-binary, application/macbinary, application/octet-stream, application/x-binary, application/x-macbinary, application/binhex, application/binhex4, application/mac-binhex, application/macbinhex40, application/x-binhex40, application/x-mac-binhex40, message/rfc822, www/mime, text/x-uuencode

Executable Files
File extensions: exe, cmd, bat, com
MIME headers: application/bat, application/x-bat, application/x-msdos-program, application/textedit, application/octet-stream, text/plain

Image Files
File extensions: bmp, gif, jpeg, jpg, pcx, png
MIME headers: image/bmp, image/x-windows-bmp, image/gif, image/pjpeg, image/jpeg, image/x-pcx, image/png

Page Layout Files
Page layout files are documents that may contain both text and image data. They also include formatting information, which defines the page size, margins and how content is organized on the page. Page layout documents are often used for creating printable publications such as newspapers, magazines and brochures.
File extensions: idml, indd, inx, isd, mdi, pct, pdf, pmd, ptx, pub, qxb, qxd, qxp, rels, xps
MIME headers: image/x-pict, application/pdf, application/x-mspublisher, application/octet-stream, application/vnd.ms-xpsdocument

Plugin Files
Plugin files provide extra features and functionality to existing programs. They are commonly used by image, video and audio editing applications, as well as web browsers. Plugins are also referred to as add-ons and extensions.
File extensions: 8bi, arx, crx, plugin, vst, xll
MIME headers: application/x-visio, application/excel, application/vnd.ms-excel, application/x-excel

System Files
Includes files related to Mac, Windows and Linux operating systems, for example system libraries, icons, themes and device drivers. Files output by the system are also included in this category.
File extensions: bashrc, cab, cpl, cur, dll, dmp, drv, hlp, ico, key, lnk, msp, prf, profile, scf, scr, sys
MIME headers: application/vnd.ms-cab-compressed, application/octet-stream, application/x-msdownload, application/hlp, application/x-helpfile, application/x-winhelp, image/x-icon

Video Files
File extensions: dat, mov, avi, qt, smi, sml, smil, flc, fli, vfw, mpeg, mpg, m15, m1u, m1a, m75, mls, mp2, mpm, mp, rm, wmv, flv, swf
MIME headers: application/octet-stream, application/x-troff-msvideo, video/avi, video/msvideo, video/x-msvideo, video/quicktime, application/smil, application/x-simile, video/flc, video/fli, video/x-fli, video/mpeg, video/x-mpeg, video/x-mpeq2a, application/vnd.rn-realmedia, video/flv, application/x-shockwave-flash

Web Files
Includes files related to websites and web servers: static and dynamic web pages, web applications and files referenced by web pages.
File extensions: alx, asax, asmx, aspx, atom, att, axd, chm, dwt
MIME headers: application/atom+xml
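As an added example (not code from the manual), the following Python module loads a subset of the categories above and classifies a file both by its extension and by the MIME header it was served with. It flags the two situations a file-type policy has to cope with: an extension and a MIME header that point at disjoint categories (type confusion, such as an executable served as an image), and MIME headers that are listed under several categories and therefore cannot identify the type on their own. The extension lookup handles the multi-part "tar.gz" entry. The category data is copied from the appendix; the matching logic and the sample file names are ours.

```python
"""Classify a file against a subset of the Appendix C file-type categories and
flag extension/MIME disagreements and ambiguous MIME headers. Added example."""
from collections import defaultdict

# (extensions, MIME headers) per category; a subset of the appendix lists.
CATEGORIES = {
    "Executable Files": (
        {"exe", "cmd", "bat", "com"},
        {"application/bat", "application/x-bat", "application/x-msdos-program",
         "application/textedit", "application/octet-stream", "text/plain"}),
    "Image Files": (
        {"bmp", "gif", "jpeg", "jpg", "pcx", "png"},
        {"image/bmp", "image/x-windows-bmp", "image/gif", "image/pjpeg",
         "image/jpeg", "image/x-pcx", "image/png"}),
    "Compressed Files": (
        {"7z", "alz", "deb", "gz", "pkg", "pup", "rar", "rpm", "sea", "sfx", "sit",
         "sitx", "tar.gz", "tgz", "war", "zip", "zipx"},
        {"application/x-7z-compressed", "application/x-gzip",
         "application/x-rar-compressed", "application/zip",
         "application/x-zip-compressed", "application/x-compressed",
         "application/gnutar", "multipart/x-zip"}),
    "Database Files": (
        {"accdb", "db", "dsn", "mdb", "mdf", "pdb", "sql", "sqlite"},
        {"application/msaccess", "application/x-msaccess", "application/vnd.ms-access",
         "application/mdb", "application/x-mdb", "chemical/x-pdb"}),
    "Disk Image Files": (
        {"dmg", "iso", "mdf", "nrg", "nri", "pvm", "toast", "vcd", "vmdk"},
        {"application/x-cdlink"}),
    "Page Layout Files": (
        {"idml", "indd", "inx", "isd", "mdi", "pct", "pdf", "pmd", "ptx", "pub",
         "qxb", "qxd", "qxp", "rels", "xps"},
        {"image/x-pict", "application/pdf", "application/x-mspublisher",
         "application/octet-stream", "application/vnd.ms-xpsdocument"}),
    "Backup Files": (
        {"asd", "bak", "bkp", "bup", "dba", "dbk", "fbw", "gho", "nba", "old",
         "ori", "sqb", "tlg", "tmp"},
        {"application/octet-stream"}),
}

# Inverted indexes: extension -> categories, MIME header -> categories.
EXT_INDEX, MIME_INDEX = defaultdict(set), defaultdict(set)
for _name, (_exts, _mimes) in CATEGORIES.items():
    for _e in _exts:
        EXT_INDEX[_e].add(_name)
    for _m in _mimes:
        MIME_INDEX[_m.lower()].add(_name)


def extension_of(filename):
    """Longest known multi-part suffix wins: 'backup.tar.gz' -> 'tar.gz', not 'gz'."""
    parts = filename.lower().split(".")
    for i in range(1, len(parts)):
        candidate = ".".join(parts[i:])
        if candidate in EXT_INDEX:
            return candidate
    return parts[-1] if len(parts) > 1 else ""


def classify(filename, mime_header):
    """Categories implied by the extension and by the MIME header, plus two flags."""
    ext = extension_of(filename)
    mime = mime_header.split(";")[0].strip().lower()   # drop parameters such as charset=
    by_ext = EXT_INDEX.get(ext, set())
    by_mime = MIME_INDEX.get(mime, set())
    return {
        "extension": ext,
        "by_extension": by_ext,
        "by_mime": by_mime,
        "agree": by_ext & by_mime,
        # both signals known but sharing no category: type confusion
        "mismatch": bool(by_ext) and bool(by_mime) and not (by_ext & by_mime),
        # the MIME header alone cannot pin the type (e.g. application/octet-stream)
        "mime_ambiguous": len(by_mime) > 1,
    }


def effective_categories(filename, mime_header):
    """Categories a filter should treat as matched: the union of both signals,
    so a block rule on either still fires instead of requiring agreement."""
    r = classify(filename, mime_header)
    return r["by_extension"] | r["by_mime"]
```

Taking the union rather than the intersection is the conservative choice for a blocking policy: an executable served as image/png is still blocked by an "Executable Files" rule, and a payload served as application/octet-stream is treated as belonging to every category that lists that header.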

Appendix D - Supported Micro-Apps

List of Micro-Apps Supported:

• SkyDrive File Upload
• SkyDrive File Download
• Google Drive File Upload
• Google Drive File Download
• Hotmail Webmail File Attach
• Yahoo Webmail File Attach
• AIM File Transfer
• Facebook Games
• FarmVille-Facebook Games
• Bejeweled-Facebook Games
• Google Drive Base
• Google Earth Application
• YouTube Video Search
• WLM WebChat
• Gmail WebChat
• Facebook Chat
• Google Plus Web Chat
• Freegate Proxy
• Gmail Video Chat Streaming
• YouTube Website
• YouTube Video Streaming
• Facebook Video Playback
• YouTube Video Upload
• Dropbox Download
• Gmail WebMail
• Yahoo WebMail
• Facebook Applications
• Facebook Plugin
• Twitter Website
• Facebook Website
• LinkedIn Compose Webmail
• Facebook Video Chat
• Google Plus Website
• Facebook Pics Download
• Facebook Pics Upload
• Facebook Video Upload
• Facebook Status Update
• LinkedIn Mail Inbox
• LinkedIn Status Update
• LinkedIn Job Search
• LinkedIn Company Search
• Twitter Upload
• Twitter Message
• Twitter Status Update
• Facebook Message
• Facebook Like Plugin
• Ninja Saga Facebook App
• Gmail Attachment (Browser Only)
• Guilt
• Gmail Android Application
• Google Hangout Android App (Msg Send Only)
• Facebook Post Attachment
• Facebook Questions
• Facebook Commenting
• Facebook Posting
• Facebook Events
• Angry Birds Friends
• Avataria
• Baseball Heroes
• Battlefront Heroes
• BINGO Blitz
• Boule & Bill
• Bubble Island
• Bubble Safari
• Bubble Witch Saga
• Cafeland
• Candy Crush Saga
• Car Town
• ChefVille
• CityVille
• Coco Girl
• Contract Wars
• Cookie Jam
• Criminal Case
• DEAD TRIGGER 2
• Deer Hunter 2014
• Diamond Dash
• Disney City Girl
• DoubleDown Casino - Free Slots
• Dragon City
• 8 Ball Pool
• Buggle
• Bingo Bash
• Marvel: Avengers Alliance
• TeenPatti
• Extreme Road Trip 2
• Family Farm
• Farm Epic
• Farm Heroes Saga
• FarmVille 2
• Fashland – Dress UP for Fashion
• Fish Epic
• Happy Family
• Hit It Rich! Casino Slots
• Jelly Glutton
• Jelly Splash
• Jetpack Joyride
• Juice Cubes
• Jurassic Park Builder
• Kitchen Scramble
• Lost Bubbles
• Lost Jewels
• Mahjong Trails
• Marketland
• Marvel Avengers Alliance Tactics
• Megapolis
• Monster World
• Monster Busters
• Monster Legends
• Mutants: Genetic Gladiators
• Ninja Kingdom
• UNO & Friends
• Online Soccer Manager
• Panda Jam
• Papa Pear Saga
• Pearl's Peril
• Pepper Panic Saga
• Pet City
• Pet Rescue Saga
• Pengle
• Pig & Dragon
• Pudding Pop
• Royal Story
• Suburbia
• Zoo World
• Pool Live Tour
• Puzzle Charms
• Plants vs. Zombies Adventures
• Red Crucible 2
• Safari Escape
• School of Dragons
• Shadow Fight
• Slotomania Slot Machines
• Social Empires
• Social Wars
• Solitaire Arena
• SongPop
• Stardoll
• Stick Run
• StreetRace Rivals
• Tetris Battle
• Texas HoldEm Poker
• Flow Game
• Logo Games
• The Smurfs & Co
• Train Station
• Throne Rush
• Top Eleven Be a Football Manager
• Trial Xtreme 3
• Trivia Crack
• Vector
• Village Life
• Words With Friends

Appendix E - USB Compatibility List

The table has seven columns: Manufacturer; Model; Vendor (the carrier or reseller that brands the stick, where one is given); 3G Standard (radio technology and, where given, downlink/uplink rate in Mbit/s); Default Id (the USB vendor:product ID the stick reports when first plugged in, usually while it presents itself as a virtual CD-ROM carrying its Windows driver); Modem Id (the vendor:product ID it reports once it has switched to modem mode); and Compatibility (Probable, Possible, Unlikely, Unknown or Not Compatible). A stick whose Default Id differs from its Modem Id has to be mode-switched before it can be used as a modem. The entries below are grouped by page of the printed guide, with the values of each column listed in the order in which they appear; the Default Id and Modem Id values are listed together under one heading, and a value with an empty product part (for example "1bbb:") was left blank in the source.
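Added example, not part of the Sophos manual: a small Python module that reads lsusb output and reports, per stick, whether it still shows a Default Id (mass-storage state, mode switch pending) or a Modem Id. The ID sets come from the Alcatel and Huawei entries of this appendix; which of them are default IDs and which are modem IDs follows the usb_modeswitch device database and is an assumption on our part. The lsusb lines are constructed, not captured from a real host.

```python
"""Tell from lsusb output whether a USB stick is still in its initial
mass-storage state (Default Id) or has switched to modem mode (Modem Id).
Added example; ID sets taken from Appendix E (Alcatel and Huawei rows), the
default/modem split is assumed from the usb_modeswitch database."""
import re

LSUSB_LINE = re.compile(r"^Bus (\d{3}) Device (\d{3}): ID ([0-9a-fA-F]{4}:[0-9a-fA-F]{4})")

STICK_IDS = {
    "Alcatel": {"default": {"1bbb:f000", "1bbb:f017"},
                "modem":   {"1bbb:0000", "1bbb:0017", "1bbb:011e", "1bbb:0195"}},
    "Huawei":  {"default": {"12d1:1446"},
                "modem":   {"12d1:1001", "12d1:1003", "12d1:140c", "12d1:14ac"}},
}
# USB vendor ID (first half) -> manufacturer, derived from the sets above
VENDOR_NAMES = {usb_id.split(":")[0]: maker
                for maker, sets in STICK_IDS.items()
                for usb_id in sets["default"] | sets["modem"]}


def classify_usb_id(usb_id):
    """Map one vendor:product ID to (manufacturer, state)."""
    usb_id = usb_id.lower()
    for maker, sets in STICK_IDS.items():
        if usb_id in sets["default"]:
            return maker, "storage mode, mode switch pending"
        if usb_id in sets["modem"]:
            return maker, "modem mode"
    maker = VENDOR_NAMES.get(usb_id.split(":")[0])
    return maker, ("product not in list" if maker else "unlisted")


def classify_lsusb(lsusb_output):
    """One (bus, device, id, manufacturer, state) tuple per parsable lsusb line."""
    rows = []
    for line in lsusb_output.splitlines():
        m = LSUSB_LINE.match(line.strip())
        if m:                                   # lines that are not lsusb output are skipped
            bus, dev, usb_id = m.groups()
            rows.append((bus, dev, usb_id.lower()) + classify_usb_id(usb_id))
    return rows


def pending_mode_switch(lsusb_output):
    """IDs of sticks that still need a mode switch before they can act as a modem."""
    return [r[2] for r in classify_lsusb(lsusb_output) if r[4].startswith("storage mode")]


# Constructed sample output (descriptions abbreviated); not from a real host.
SAMPLE_LSUSB = """\
Bus 001 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 002 Device 004: ID 12d1:1446 Huawei Technologies Co., Ltd.
Bus 002 Device 005: ID 1bbb:0017 T & A Mobile Phones
Bus 002 Device 006: ID 12d1:14fe Huawei Technologies Co., Ltd.
this line is not lsusb output
"""

if __name__ == "__main__":
    for row in classify_lsusb(SAMPLE_LSUSB):
        print(*row)
    print("pending mode switch:", pending_mode_switch(SAMPLE_LSUSB))
```

A stick reported in "storage mode" will not appear as a modem to the firewall until it has been switched; one reported as "product not in list" shares a vendor with a listed stick but is not covered by the table and should be treated as Unknown.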

Page 576
Manufacturer: Alcatel (all 15 rows)
Model: AL300, AL720, OneTouch L100V, OneTouch L100V, OneTouch L800, OneTouch L800MA, OneTouch L850, OneTouch X060S, OneTouch X070S, OneTouch X080C, OneTouch X080S, OneTouch X085C, OneTouch X090S, OneTouch X200, OneTouch X210D
Vendor: Dodo AU, Dodo AU, Smart PH
3G Standard: HSDPA 7.2 HSUPA 2.0; HSDPA 7.2 HSUPA 5.76; LTE CAT3 (×5); HSDPA 3.6/0.38 (×2); CDMA EV-DO Rev.A; HSDPA 3.6/0.38; CDMA EV-DO Rev.A; HSDPA 3.6/0.38; HSDPA 7.2 HSUPA 2.0; HSDPA 7.2 HSUPA 5.76
Default Id / Modem Id: 1bbb:f000 (×3), 1bbb:f017, 1bbb:f000, 1bbb:f017, 1bbb:f000 (×3), 1bbb:00ca, 1bbb:f000, 1bbb:0012, 1bbb:f000 (×2), 1bbb:f017, 1bbb:0000 (×2), 1bbb:00ca, 1bbb:0000, 1bbb:0012, 1bbb:0000 (×2), 1bbb:0017, 1bbb:0000, 1bbb:0017, 1bbb:011e (×2), 1bbb:0195, 1bbb:0203, 1bbb:0195
Compatibility: Probable (×4), Possible, Probable (×5), Possible, Probable, Possible (×3)

Page 577
Manufacturer: Alcatel (all 21 rows)
Model: OneTouch X300D, OneTouch X310D, OneTouch X310E, OneTouch X500D, OneTouch X500E, OneTouch X500M, OneTouch X500U, OneTouch X515, OneTouch X520, OneTouch X600, OneTouch X602D, OneTouch X715, OneTouch W800, OneTouch X220D, OneTouch X220L, OneTouch X220L, OneTouch X221L, OneTouch X225S, OneTouch X228L, OneTouch X230E, OneTouch X230L
Vendor: Telekom DE (on the LTE CAT3 row)
3G Standard: HSDPA 7.2 HSUPA 5.76 (×8); HSPA+ 14.4/5.76 (×3); HSPA+ 21.6/5.76 (×4); DC-HSPA+ 28.8/5.76; HSPA+ 21.6/5.76 (×3); DC-HSPA+ 28.8/5.76; LTE CAT3 (Telekom DE)
Default Id / Modem Id: 1bbb:f017, 1bbb:f000, 1bbb:f052, 1bbb:f000 (×4), 1bbb:f017, 1bbb:f000 (×8), 1bbb: (blank), 1bbb:f000, 1bbb:022c, 1bbb:f000 (×2), 1bbb:0017 (×10), 1bbb:0052, 1bbb:0017 (×5), 1bbb:0000, 1bbb:00b7, 1bbb:022c, 1bbb:0191, 1bbb:0195
Compatibility: Probable, Unknown, Probable, Possible, Unknown, Possible, Probable (×15)

Page 578
Manufacturer: Alcatel (3 rows), Anydata (11 rows), Axesstel (2 rows), Bandrich (6 rows)
Model: Speedstick LTE II, Speedstick LTE IV, XSStick W100 (vendor 4G Systems, LTE CAT3), ADU-300A (CDMA EV-DO), ADU-310A, ADU-500A, ADU-510A, ADU-510L, ADU-520A, ADU-520C, ADU-555C, ADU-620UW, ADU-635WA, ADU-890WH, MU130, MV110H, C-100, C-100, C-100, C-120, C-120, C-170
Vendor: Telekom DE, Telekom DE, MTS
3G Standard: LTE CAT3 (×2); CDMA EV-DO (×2); HSDPA 7.2/0.38 (×3); HSDPA 3.6/0.38; CDMA EV-DO (×2); CDMA 1x EV-DO Rev.A (×3); HSDPA 7.2; CDMA EV-DO & HSDPA (×2); HSDPA 7.2 HSUPA 5.76; CDMA2000 1xEV-DO; HSDPA 7.2/0.38 (×2)
Default Id / Modem Id: 1bbb:f017, 1bbb:f000 (×2), 16d5:6501 (×2), 05c6:1000 (×4), 05c6:6503, 16d5:6502, 16d5:6202 (×2), 16d5:f000, 1726:f00e, 1726:1000, 1a8d:1000 (×6), 16d5:6502 (×3), 16d5:6202 (×2), 16d5:6603, 1726:a000, 1726:1000, 1a8d:1001, 1a8d:1002, 1a8d:1003, 1a8d:1001, 1a8d:1002, 1a8d:1009, 1bbb:011e, 1bbb:0195, 1bbb:011e, 16d5:6501 (×2), 16d5:6502 (×3)
Compatibility: Unlikely, Probable, Unlikely, Possible, Probable, Possible (×2), Probable (×4), Unlikely (×3), Probable, Possible (×2), Unlikely (×2), Probable (×3)

Page 579
Manufacturer: Bandrich (all 24 rows)
Model: C-177, C-178, C-179, C-180, C-209, C-270, C-278, C-339, C-360, C-370, C-500, C-501, C-502, C-505, C-506, C-508, M150, C-320, C-321, C-330, C-331, M152, M250, M280
Vendor: Cellcom, Movistar PER, Telsec BR, Singtel
3G Standard: HSDPA 3.6/0.38 (Movistar PER); HSDPA 3.6/0.38 (Telsec BR); HSDPA 3.6/0.38 (Singtel); HSDPA 3.6/0.38; HSDPA 7.2/0.38; HSDPA 7.2 HSUPA 5.76; HSDPA 3.6/0.38; HSPA+ 21.6/5.76 (×5); DC-HSPA+ 28.8/5.76 (×2); LTE CAT3 (×6); HSDPA 7.2/0.38 (×2); HSDPA 7.2 HSUPA 2.0; HSDPA 7.2 HSUPA 5.76
Default Id / Modem Id: 1a8d:1000 (×9), 1a8d:2000 (×3), 1a8d: (blank, ×2), 1a8d:1000 (×8), 1a8d:1008, 1a8d:1000, 1a8d:100c, 1a8d:100d, 1a8d:2006 (×3), 1a8d: (blank, ×2), 1a8d:100d (×6), 1a8d: (blank, ×2), 1a8d:1008, 1a8d: (blank), 1a8d:1009 (×4), 1a8d:1002, 1a8d:1007, 1a8d:1009
Compatibility: Possible, Probable, Possible (×3), Unknown (×2), Probable (×6), Possible (×2), Unlikely, Possible, Probable (×5), Possible, Probable

Page 580
Manufacturer: Bandrich (2 rows), ChangHong (11 rows), Cmotech (8 rows)
Model: M290, PHS101, AC327U, CH690, DG-BA3370 (vendor Digisol), DWM-155, DWM-163, DWM-163, DWM-168, DWM-168, MV242, W-160, W-260, BP3-USB, BP3-EXT, CBU-450D, CCM-650, CCU-550, CCU-650, CCU-650U, CCU-670 (vendor Viettel)
Vendor: Prolink, Netgear, D-Link (×5), AxessTel, Nucom (×2), Maxon (×2), SK Korea
3G Standard: HSDPA 7.2 HSUPA 5.76; HSDPA 3.6/0.38; HSDPA 7.2 HSUPA 5.76; CDMA EV-DO; HSDPA 7.2 HSUPA 5.76 (×2); CDMA EV-DO (×4); HSDPA 7.2 HSUPA 5.76 (×3); HSDPA 7.2/0.38 (×2); HSDPA 7.2 HSUPA 5.76; CDMA 1x EV-DO (×5)
Default Id / Modem Id: 2077:7010, 2077:7011 (×2), 2077:8000, 2077:9000, 2077:a000, 16d8:6280 (×2), 1a8d: (blank), 1a8d:1007, 2077:a003, 2077:7001, 2077:a000, 2077:9062, 2077:7010, 16d8:700b, 16d8: (blank), 16d8:5533, 16d8:6532, 16d8:6523, 16d8: (blank), 1a8d:1000 (×2), 2077:f000, 2077:1000, 2077:f000 (×2), 05c6:1000, 2077:1000, 05c6:1000, 2077:1000 (×2), 2077:f000 (×2), 16d8:6280 (×2), 16d8:700b, 16d8: (blank), 16d8:5533, 16d8:6532, 16d8:6523, 16d8: (blank)
Compatibility: Possible (×4), Probable, Possible, Unlikely (×2), Probable, Not Compatible (×4), Unknown, Possible (×3), Probable, Possible (×3)

Page 581
Manufacturer: Cmotech (all 22 rows)
Model: CCU-680, CCU-700, CDM-650, CDU-550, CDU-650, CDU-680, CDU-685A, CGU-628, CGU-628A, CGU-629, CGU-629C, CGU-629S, CHE-628, CHE-628S, CHM-628, CHS-628, CHU-628, CHU-628S, CHU-629K, CHU-629S, CHU-720S, CHU-720I
Vendor: CAT TH, Franklin, SK Korea, SK Korea, KT Korea, SK Korea, SK Korea
3G Standard: CDMA 1x EV-DO Rev.A; HSDPA 7.2/0.38 (×4); HSDPA 7.2 HSUPA 5.76 (×2); HSDPA 7.2/0.38 (×2); CDMA 1x EV-DO (×3); CDMA 1x EV-DO Rev.A (×2); HSDPA 7.2/0.38 (×2); HSDPA 7.2 HSUPA 5.76 (×5)
Default Id / Modem Id: 16d8:6281, 16d8:6006, 16d8:7006 (×2), 16d8: (blank, ×2), 16d8:6007, 16d8:6280, 16d8:6803, 16d8:4000, 16d8: (blank), 16d8:5553, 16d8:6522, 16d8:6803, 16d8:6804, 16d8:6280 (×2), 16d8:6281, 16d8:7003, 16d8:700a, 16d8:7001, 16d8:7211, 16d8:6803, 16d8:4000, 16d8: (blank), 16d8:5553, 16d8:6522, 16d8:6803, 16d8:6804, 16d8:6281, 16d8:f000, 16d8:7006 (×2), 16d8: (blank, ×2), 16d8:6007, 16d8:6280 (×3), 16d8:6281, 16d8:7003, 16d8:700a, 16d8:7001, 16d8:7211
Compatibility: Unlikely, Unknown (×2), Unlikely (×4), Probable (×2), Unknown, Not Compatible (×3), Probable (×4), Unlikely (×2), Probable, Unlikely (×2)

Page 582
Manufacturer: Cmotech (10 rows), Curitel (Pantech) (9 rows), Datang (3 rows), Dell (1 row)
Model: CMU-300, CMU-301, CNM-650, CNM-680, CNU-510, CNU-550, CNU-650, CNU-680, CNU-680E (CDMA 1x EV-DO Rev.A), XSStick W12 (vendor 4G Systems, HSDPA 7.2/0.38), P4200 (vendor Beemo, LTE CAT 3), UM-150, UM-175VW, UM-175AL, UM-185C, UM-185E, UM-190VW, UML-290VW (vendor Verizon), UMW-190, Aircard 901, DTM5730, DTM5731, 5500
Vendor: Franklin, Franklin, Verizon, Verizon, AllTel, Cricket, AllTel, Verizon, Verizon, Hummer
3G Standard: CDMA 1x EV-DO Rev.A (×2); CDMA 1x EV-DO; CDMA 1x EV-DO Rev.A; CDMA 1x EV-DO (×3); CDMA 1x EV-DO Rev.A; EV-DO Rev.A (106c:3711); EV-DO Rev.A (106c:3714); EV-DO Rev.A (106c:3b03); CDMA 1xEV-DO (×5); HSDPA (×3); HSDPA 1.8
Default Id / Modem Id: 16d8:6002, 16d8:6008, 16d8:6533, 16d8:6803, 16d8:5141, 16d8:5543, 16d8:6543, 16d8:6803, 16d8:6002, 16d8:f000, 106c:3b14, 106c:3b06 (×2), 106c:3b05, 106c:3b11, 106c:3b06, 1ab7:5700 (×3), 413c:8115, 16d8:680a, 16d8:6002, 16d8:6006, 106c:3721, 106c:3711, 106c:3714, 106c:3715, 106c:3717 (×2), 106c:3716, 106c:3718, 106c:3717, 1ab7:2000, 1ab7:5730, 1ab7:5731, 16d8:6002, 16d8:6008, 16d8:6533, 16d8:6803, 16d8:5141, 16d8:5543, 16d8:6543
Compatibility: Not Compatible (×4), Unlikely, Probable, Possible (×9), Probable, Possible, Probable, Unlikely (×3), Not Compatible, Probable

Page 583
Manufacturer: Dell (21 rows), D-Link (6 rows)
Model: 5505, 5510, 5520, 5520, 5520, 5530, 5620, 5630, 5700 (×4), 5720 (×3), 5730 (×3), 5800, 5800v2, 5804, DWM-151 A1, DWM-152 A1, DWM-152 A3, DWM-152 C1, DWM-156 A1, DWM-156 A2
Vendor: Cingular, Vodafone (×3), Sprint, Telus, Verizon, Sprint, Telus, Sprint, Telus, Verizon (×4)
3G Standard: HSDPA 1.8; HSDPA 7.2 (×4); HSDPA 7.2 HSUPA 2.0; HSDPA; CDMA EV-DO & HSPA; CDMA EV-DO (×4); EV-DO Rev.A (413c:8133); EV-DO Rev.A (413c:8134); EV-DO Rev.A (413c:8135); HSDPA (413c:8180); HSDPA (×2); LTE CAT3 (×3); HSDPA 3.6/0.38 (×2); HSDPA 7.2 HSUPA 5.76; HSDPA 3.6/0.38; HSDPA 7.2 HSUPA 5.76 (×2)
Default Id / Modem Id: 413c:8116, 413c:8118, 413c:8136, 413c:8137, 413c:8138, 413c:8147, 413c:8186, 413c:8194, 413c:8114, 413c:8117, 413c:8128, 413c:8129, 413c:8181, 413c:8182, 413c:8195, 413c:8196, 413c:819b, 07d1:f000, 07d1:a800, 07d1:a804, 07d1:a800 (×3), 07d1:7e07, 07d1:3e01, 07d1:7e11, 07d1:3e01, 07d1:3e02, 07d1:7e0c
Compatibility: Possible, Probable, Possible, Probable, Possible, Unlikely (×22)

Page 584
Manufacturer: D-Link (all 23 rows)
Model: DWM-156 A3, DWM-156 A5, DWM-156 A6, DWM-156 A7, DWM-156 A8, DWM-156 C1, DWM-157 A1, DWM-157 B1, DWM-157 B1, DWM-157 C1, DWM-158 B1, DWM-158 D1, DWM-167 A1, DWM-221 A1, DWM-221 B1, DWM-221 B1 (vendor Vivo BR), DWP-156 B1, DWP-157 B1, DWR-510, DWR-710, DWR-730, DWR-830, DWR-910 B1
3G Standard: HSDPA 7.2 HSUPA 5.76 (×3); HSPA+ 14.4/5.76 (×3); HSPA+ 21.6/5.76 (×2); LTE CAT3; HSPA+ 14.4/5.76; HSPA+ 21.6/5.76; HSDPA 7.2 HSUPA 5.76; HSPA+ 21.6/5.76 (×2); DC-HSPA+ 42/11.5; LTE CAT3; HSPA+ 21.6/5.76 (×2); HSDPA 7.2 HSUPA 5.76; DC-HSPA+ 42.2/11.5; CDMA EV-DO; LTE CAT3 (×2)
Default Id / Modem Id: 07d1:a804, 2001:a80b (×2), 2001:a706, 2001:a403, 2001:a809, 2001:00a6, 2001:a707, 2001:a407, 07d1:a804, 2001:a708, 2001:a405, 2001:98ff, 2001:a401, 2001:a406, 2001:a403 (×2), 2001:a805, 2001:7d09, 2001:7d05, 2001:7d06, 07d1:7e11, 2001:7d00 (×2), 2001:7d01, 2001:7d0b, 2001:7901, 2001:7d02 (×2), 2001:7d0e, 07d1:7e11, 2001:7d03, 2001:7d0d, 2001:7e16, 2001:7e19 (×2), 2001:7d0b, 2001:7d0c, 2001:7e12, 2001:7d09, 2001:7d05, 2001:7d06, 2001:7e18
Compatibility: Probable (×3), Possible, Not Compatible, Unknown, Unlikely, Not Compatible, Possible, Not Compatible, Probable, Possible, Not Compatible, Unlikely (×3), Not Compatible (×2), Probable, Unlikely (×4)

Page 585
Manufacturer: D-Link (2 rows), Ericsson (12 rows), Franklin Wireless (2 rows), Haier (6 rows)
Model: DWR-910, DWR-932 D1, F3307 (×4), F3507g (×2), F3607gw (×4), F5221gw (×2), U210, U600, CE81B, CE100, CE210, CE682, CE782, V-ME101
Vendor: Lenovo (×3), Sprint (×2), Smartfren (×3), Olive Telecom
3G Standard: LTE CAT3 (×2); HSDPA 7.2 HSUPA 2.0 (×6); CDMA EV-DO Rev.A (×4); CDMA EV-DO Rev.A (Smartfren); CDMA EV-DO Rev.A (Olive Telecom); HSDPA 7.2 HSUPA 2.0 (×4); HSPA+ 21.6/5.76 (×2); CDMA EV-DO Rev.A (×2)
Default Id / Modem Id: 2001:a40d, 2001: (blank), 0bdb:1909, 0bdb:190a, 0bdb:190e, 0bdb:190f, 0bdb:1900, 0bdb:1902, 0bdb:1904, 0bdb:1905, 0bdb:1906, 0bdb:1907, 0bdb:190d, 0bdb:1910, 1fac:0032, 1fac:0150, 05c6:f000, 201e:2009 (×2), 201e:1023 (×2), 201e:2009, 0bdb:1905, 0bdb:1906, 0bdb:1907, 0bdb:190d, 0bdb:1910, 1fac:0032, 1fac:0151, 201e:10f8, 2001:7e38, 2001:7e36, 0bdb:1909, 0bdb:190a, 0bdb:190e, 0bdb:190f, 0bdb:1900, 0bdb:1902, 0bdb:1904, 201e:2009 (×2), 201e:1022 (×2), 201e:2009
Compatibility: Probable (×5), Not Compatible (×6), Possible, Unlikely (×2), Not Compatible (×6), Possible (×2)

Page 586
Manufacturer: Haier (1 row), Huawei (20 rows)
Model: V-ME110, B81, D01HW, D02HW, D03HW, D12HW, D21HW, D22HW, D23HW, D24HW, D25HW, D26HW, D31HW, D32HW, D33HW, D41HW, E122, E150, E153, E156B, E156G
Vendor and 3G Standard: Olive Telecom CDMA EV-DO Rev.A; M-Budget SW HSDPA 7.2 HSUPA 5.76; E-Mobile JP HSDPA 3.6/0.38; E-Mobile JP HSDPA 7.2/0.38 (×3); E-Mobile JP HSDPA 7.2 HSUPA 1.4 (×3); E-Mobile JP HSDPA 7.2 HSUPA 5.76 (×2); E-Mobile JP HSDPA 7.2 HSUPA 1.4; E-Mobile JP HSPA+ 21.6/5.76 (×3); E-Mobile JP DC-HSPA+ 42.2/11.5; HSDPA 7.2/2.0; HSDPA 3.6/0.38 (×4)
Default Id / Modem Id: 201e:2009, 12d1:1446, 12d1:1003 (×7), 12d1:1446 (×2), 12d1:1003, 12d1:1446, 12d1: (blank), 12d1:1446, 12d1:1505, 12d1:1446 (×3), 12d1:1003, 12d1:1446, 12d1:1003 (×2), 12d1:1408 (×2), 12d1:1003, 12d1:1429, 12d1: (blank), 12d1:1506, 201e:2009, 12d1:14ac, 12d1:1003 (×5), 12d1:1506, 12d1:1001 (×2), 12d1:14ac, 12d1:1003, 12d1:140c
Compatibility: Probable (×8), Possible (×2), Probable, Possible, Unknown, Probable (×8)


Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Manufacturer Model

Huawei E160

Huawei

Huawei

E160E

E160G

Huawei

Huawei

Huawei

Huawei

E161

E166

E169

E169G

E173

E173

E173

E173s

E173s-6

E173s

E173s

E173u-1

E171

E172

E173

E173

E169U

E169V

E170

E171

Vendor

O2 DE

Vodafone

MTS

Movistar

Viettel 3G

12d1:1436

12d1:1001

12d1:1003

12d1:1506

12d1:1506

12d1:1003

12d1:140c

12d1:14a5

12d1:1c23

12d1:14a8

12d1:14d2

12d1:1c05

12d1:1c07

12d1:1c08

12d1:1c10

12d1:1436

Modem Id

12d1:1003

12d1:1001

12d1:1001

12d1:1001

12d1:1001

12d1:1001

12d1:1001

3G Standard Default Id

HSDPA

3.6/0.38

HSDPA

3.6/0.38

HSDPA

3.6/0.38

HSDPA

3.6/0.38

HSDPA

7.2/0.38

HSDPA

7.2/0.38

HSDPA

7.2/0.38

HSDPA 7.2

HSUPA 5.76

HSDPA

7.2/0.38

HSDPA 7.2

HSUPA 2.0

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 1.44

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

HSPA

HSPA

HSPA

HSPA

HSDPA 7.2

HSUPA 5.76

12d1:1003

12d1:1001

12d1:1001

12d1:1446

12d1:1001

12d1:1001

12d1:1001

12d1:1446

12d1:1001

12d1:1003

12d1:14fe

12d1:155b

12d1:1003

12d1:1446

12d1:1557

12d1:1c24

12d1:14b5

12d1:14ba

12d1:1c0b

12d1:1c0b

12d1:1c0b

12d1:1c0b

12d1:1446

Probable

Probable

Probable

Probable

Probable

Probable

Probable

Probable

Possible

Probable

Probable

Probable

Probable

Probable

Probable

Probable

Compatibility

Probable

Probable

Probable

Probable

Probable

Probable

Probable


Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Manufacturer Model

Huawei E173u-2

Huawei

Huawei

E176

E176G

Huawei

Huawei

Huawei

Huawei

Huawei

E177

E180

E180V

E181

E182E

E270+

E272

E303

E303s

E200

E216

E219

E220

E220BIS

E226

E230

E261

E270

E303F

E352-R1

E352

Vendor

Play PL

Swisscom

3G Standard Default Id

HSDPA 7.2

HSUPA 2.0

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSPA+

21.6/5.76

HSDPA 3.6

HSDPA 3.6

Vodafone

Vodafone

Vodafone HSDPA 7.2

HSUPA 2.0

HSPA+

21.6/5.76

HSPA+

21.6/5.76

TrueMove TH HSPA+

21.6/5.76

HSDPA 7.2

HSUPA 5.76

T-Mobile NL HSPA+

21.6/5.76

HSDPA 3.6

HSDPA 3.6

HSDPA

HSDPA 7.2

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 2.0

HSPA+

21.6/5.76

12d1:1446

12d1:1003

12d1:1003

12d1:14ba

12d1:1414

12d1:1446

12d1:1001

12d1:14d1

12d1:1446

12d1:1001

12d1:1003

12d1:1003

12d1:1004

12d1:1003

12d1:1003

12d1:1446

12d1:1003

12d1:1446

12d1:1003

12d1:1f01

12d1:1f01

12d1:14fe

12d1:1449

12d1:14fe

12d1:140c

12d1:1001

12d1:1003

12d1:1003

12d1:1004

12d1:1003

12d1:1003

12d1:140c

12d1:1003

12d1:14ac

12d1:1003

12d1:14dc

12d1:14db

12d1:1506

12d1:1444

12d1:1506

Modem Id

12d1:1001

12d1:1003

12d1:1003

12d1:14d2

12d1:1003

12d1:140c

12d1:1001

12d1:14c9

Probable

Probable

Probable

Probable

Probable

Probable

Probable

Probable

Probable

Probable

Probable

Possible

Probable

Probable

Probable

Probable

Compatibility

Probable

Probable

Probable

Probable

Possible

Probable

Probable

Probable

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Manufacturer Model

Huawei E353W-u1

Huawei

Huawei

E353Ws-2

E353s-2

Huawei

Huawei

Huawei

Huawei

E353s-H2

E353s-H2

E355

E355s-1

E367

E367

E367

E367

E367

E372

E372

E389

E392

E392u-12

E398

E398u-15

E510

E583C

E585

E586

Vendor

3.se

O2


12d1:14ac

12d1:1506

12d1:1506

12d1:150c

12d1:150f

12d1:1506

12d1:1506

12d1:1506

12d1:1506

12d1:151b

12d1:1506

12d1:1506

12d1:1411

12d1:142d

12d1:1432

12d1:1c1e

Modem Id

12d1:1506

12d1:14db

12d1:1506

12d1:151a

12d1:151d

12d1:1c1e

12d1:14db

3G Standard Default Id

HSPA+

21.6/5.76

HSPA+

21.6/5.76

HSPA+

21.6/5.76

HSPA+

21.6/5.76

HSPA+

21.6/5.76

HSPA+

21.6/5.76

HSPA+

21.6/5.76

DC-HSPA+

28.8/5.76

DC-HSPA+

28.8/5.76

DC-HSPA+

28.8/5.76

DC-HSPA+

28.8/5.76

DC-HSPA+

28.8/5.76

DC-HSPA+

42.2/5.76

DC-HSPA+

42.2/5.76

LTE CAT3

LTE CAT3

LTE CAT3

LTE CAT3

LTE CAT3

HSDPA 7.2

HSUPA 2.0

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

HSPA+

21.6/5.76

12d1:1446

12d1:1f01

12d1:14fe

12d1:151a

12d1:151a

12d1:14fe

12d1:1f01

12d1:1446

12d1:1446

12d1:1505

12d1:1446

12d1:1505

12d1:1446

12d1:1505

12d1:1505

12d1:1505

12d1:151a

12d1:1446

12d1:1505

12d1:1411

12d1:1446

12d1:1446

12d1:14fe

Probable

Probable

Probable

Probable

Probable

Probable

Probable

Probable

Probable

Probable

Probable

Compatibility

Probable

Probable

Probable

Not Compatible

Probable

Possible

Probable

Probable

Probable

Possible

Probable

Possible


Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Manufacturer Model

Huawei E586

Huawei

Huawei

Huawei

Huawei

E587

E589u-12

E600

E620

E1552

E1553

E1612

E1630

E1690

E630

E630

E800

E870

E1550

E1552

E1691

E1691

E1692

E1705

E1731Bu-1

E1750

E1750

E1750

Vendor

Telia SE

Modem Id

12d1:1c1f

12d1:1506

12d1:14db

12d1:1001

12d1:1001

12d1:1003

12d1:1003

12d1:1001

12d1:1003

12d1:1001

12d1:1406

12d1:140c

12d1:1001

12d1:1406

12d1:1001

12d1:140c

12d1:140c

12d1:1436

12d1:140c

12d1:1001

12d1:1506

12d1:1001

12d1:1406

12d1:1436

3G Standard Default Id

HSPA+

21.6/5.76

HSPA

42.2/5.76

LTE CAT3

12d1:14fe

12d1:1c1b

12d1:1f01

12d1:1001

12d1:1446 HSDPA 7.2

HSUPA 2.0

HSDPA 7.2

HSDPA 7.2

HSDPA

HSDPA 7.2

HSUPA 2.0

HSDPA

3.6/0.38

HSDPA

3.6/0.38

HSDPA

3.6/0.38

HSDPA

3.6/0.38

HSDPA 7.2

HSDPA 7.2

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

HSPA+

21.6/5.76

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

1033:0035

12d1:1003

12d1:1001

12d1:1003

12d1:1446

12d1:1446

12d1:1446

12d1:1553

12d1:1446

12d1:1446

12d1:1446

12d1:1446

12d1:1446

12d1:1446

12d1:1446

12d1:1446

12d1:1446

12d1:1446

12d1:1446

Probable

Probable

Probable

Probable

Probable

Probable

Probable

Probable

Probable

Probable

Probable

Compatibility

Possible

Probable

Probable

Probable

Probable

Probable

Probable

Probable

Probable

Probable

Probable

Probable

Probable


Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Manufacturer Model

Huawei E1750

Huawei

Huawei

E1752

E1752

Huawei

Huawei

Huawei

Huawei

E1752C

E1756

E1756

E1756C

E1782

E1800

E1800

E1815

E1762

E1762

E1762V

E1780

E1820

E1823

E1831

E3131h-2

E3131s-2

E3131s-2

Vendor

AT&T

Orange Ro

3G Standard Default Id

Viettel 3G HSDPA 7.2

HSUPA 5.76

Telmore DK HSDPA 7.2

HSUPA 5.76

Orange HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

Vodafone HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

HSPA+

21.6/5.76

HSPA+

21.6/5.76

HSPA+

21.6/5.76

HSPA+

21.6/5.76

HSPA+

21.6/5.76

HSPA+

21.6/5.76

HSPA+

21.6/5.76

12d1:14b5

12d1:1446

12d1:1446

12d1:1446

12d1:1446

12d1:1446

12d1:1446

12d1:1446

12d1:1446

12d1:1520

12d1:1446

12d1:1446

12d1:1446

12d1:1446

12d1:1446

12d1:1446

12d1:1446

12d1:1446

12d1:15ca

12d1:14fe

12d1:14fe

12d1:140c

12d1:14ac

12d1:1465

12d1:1001

12d1:1001

12d1:1436

12d1:14ac

12d1:14ac

Modem Id

12d1:14aa

12d1:1003

12d1:141b

12d1:1417

12d1:1406

12d1:1417

12d1:1433

12d1:14ac

12d1:14ac

12d1:1404

12d1:1506

12d1:1506

12d1:151d

Probable

Probable

Possible

Possible

Probable

Probable

Probable

Probable

Probable

Probable

Probable

Probable

Probable

Probable

Compatibility

Probable

Probable

Probable

Possible

Probable

Possible

Probable


Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Manufacturer Model

Huawei E3131s-2

Huawei

Huawei

E3131s-H2

E3131s-H2

Huawei

Huawei

Huawei

Huawei

E3231

E3236

E3251

E3251

Vendor

E3331

E3372

E3372h-153

E3372h-153

E3372s-153

E3372s-153

E3372s-153

E3531s-1

E3256

E3272s-153

E3272s-503

3 UK

E3272s-503

E3276

E3276s-150

E3276s-150

E3276s-150 Swisscom

E3276s-151 Orange

E3276s-210

E3331

12d1:14db

12d1:14dc

12d1:157d

12d1:14dc

12d1:1506

12d1:15cd

12d1:1506

12d1:1506

12d1:14db

12d1:1506

12d1:157c

12d1:1506

12d1:1506

12d1:1506

12d1:1506

12d1:1598

12d1:156c

12d1:1506

12d1:157d

Modem Id

12d1:14db

12d1:151a

12d1:151d

12d1:14db

12d1:14dc

12d1:156b

12d1:14db

LTE CAT4

LTE CAT4

LTE CAT4

LTE CAT4

LTE CAT4

LTE CAT4

LTE CAT4

HSPA+

21.6/5.76

HSPA+

21.6/5.76

LTE CAT4

LTE CAT4

3G Standard Default Id

HSPA+

21.6/5.76

HSPA+

21.6/5.76

HSPA+

21.6/5.76

HSPA+

21.6/5.76

HSPA+

21.6/5.76

DC-HSPA+

42.2/11.5

DC-HSPA+

42.2/11.5

DC-HSPA+

42.2/11.5

LTE CAT4

LTE CAT4

12d1:1f01

12d1:151a

12d1:151a

12d1:1f01

12d1:156a

12d1:1f01

12d1:1f01

12d1:14fe

12d1:157c

12d1:157c

12d1:14fe

12d1:14fe

12d1:157c

12d1:1597

12d1:156a

12d1:14fe

12d1:157d

12d1:157d

12d1:1f01

12d1:157d

LTE CAT4

LTE CAT4

LTE CAT4

LTE CAT4

HSPA+

21.6/5.76

12d1:157d

12d1:14fe

12d1:15cd

12d1:15cd

12d1:15ca

Compatibility

Probable

Not Compatible

Probable

Probable

Possible

Possible

Probable

Probable

Probable

Not Compatible

Unlikely

Probable

Probable

Unlikely

Unlikely

Probable

Probable

Not Compatible

Unlikely

Possible

Not Compatible

Unlikely

Probable

Not Compatible

Unlikely

Possible


Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Manufacturer Model

Huawei E3531s-2

Huawei

Huawei

E3531s-2

E3531s-6

Huawei

Huawei

Huawei

Huawei

Huawei

E3531s-6

E3531

E3772

E3772

E5220s-2

E5830s

E5832

E5832s

E8131

E5251

E5330

E5331

E5332

E5372

E5375

E5377s-32

E5756

E5776s-22

E5776s-32

E5786

E5786s-32a

E5830

Vendor

tre IT

3G Standard Default Id

HSPA+

21.6/5.76

Meditel MA HSPA+

21.6/5.76

HSPA+

21.6/5.76

HSPA+

21.6/5.76

HSPA+

21.6/5.76

LTE CAT4

12d1:14fe

12d1:15ce

12d1:15cd

12d1:15cd

12d1:15e7

12d1:157d

AIS TH

tre IT

LTE CAT4

DC-HSPA+

42.2/11.5

LTE CAT4

LTE CAT4

LTE CAT6

LTE CAT4

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

HSPA+

21.6/5.76

LTE CAT4

HSPA+

21.6/5.76

DC-HSPA+

42.2/11.5

HSPA+

21.6/5.76

HSPA+

21.6/5.76

HSPA+

21.6/5.76

LTE CAT4

LTE CAT4

12d1:157d

12d1:14fe

12d1:14fe

12d1:14fe

12d1:14fe

12d1:14fe

12d1:14fe

12d1:14fe

12d1:1f02

12d1:14fe

12d1:14fe

12d1:14fe

12d1:

12d1:14fe

12d1:1446

12d1:1446

12d1:1446

12d1:1446

12d1:1f01

12d1:1506

12d1:1506

12d1:1c1f

12d1:1506

12d1:1506

12d1:1506

12d1:14dc

12d1:1506

12d1:1506

12d1:1506

12d1:1506

12d1:1506

12d1:1401

12d1:142d

12d1:1401

12d1:142d

12d1:14dc

Modem Id

12d1:1506

12d1:15b1

12d1:15cd

12d1:1506

12d1:1506

12d1:157d

12d1:14db

12d1:1506

Possible

Probable

Probable

Probable

Unlikely

Probable

Probable

Probable

Possible

Probable

Probable

Possible

Possible

Possible

Possible

Compatibility

Probable

Unlikely

Not Compatible

Unlikely

Unlikely

Not Compatible

Unlikely

Probable

Probable

Probable


Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Manufacturer Model

Huawei E8231

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

E8278

E8278s-602

E8372

EC27

EC121

EC122

EC150

EC152

EC156

EC156

EC159

EC167

EC168

EC168

EC168C

EC169

EC176-2

EC178

EC189

EC226

EC228

EC306

EC321

EC325

Vendor

Reliance

Reliance

Reliance

AllTel

Reliance

Smartfren

Reliance

3G Standard Default Id

HSPA+

21.6/5.76

LTE CAT4

LTE CAT4

LTE CAT4

HSDPA/HSUPA

12d1:1f01

12d1:14fe

12d1:1583

12d1:1f01

CDMA2000 12d1:1411

CDMA2000 12d1:1446

CDMA 2000 12d1:1446

CDMA 1XHSIA

12d1:1446

12d1:1446 CDMA EV-DO Rev.A

CDMA EV-DO Rev.A

12d1:1505

CDMA 2000 12d1:1446

CDMA EV-DO Rev.A

12d1:1446

12d1:1446 CDMA EV-DO Rev.A

CDMA EV-DO Rev.A

12d1:1413

12d1:1446 CDMA EV-DO Rev.A

CDMA EV-DO Rev.A

CDMA EV-DO Rev.A

CDMA EV-DO Rev.A

12d1:1001

12d1:1505

12d1:1505

CDMA EV-DO Rev.A

CDMA EV-DO Rev.A

CDMA EV-DO Rev.A

CDMA EV-DO Rev.B

12d1:1505

12d1:1001

12d1:1001

12d1:1505

CDMA2000 12d1:1001

CDMA2000 12d1:1001

Modem Id

12d1:14db

12d1:1506

12d1:1589

12d1:14db

12d1:140c

12d1:140c

12d1:140c

12d1:1001

12d1:1001

12d1:1506

12d1:1001

12d1:1001

12d1:1411

12d1:140c

12d1:140b

12d1:140b

12d1:140b

12d1:140b

12d1:140b

12d1:1001

12d1:1412

12d1:1413

12d1:1412

12d1:1001

Probable

Probable

Probable

Probable

Probable

Probable

Probable

Probable

Compatibility

Probable

Probable

Unlikely

Probable

Unknown

Probable

Probable

Probable

Probable

Possible

Possible

Possible

Probable

Probable

Probable

Probable

Probable


Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Manufacturer Model

Huawei

Huawei

EC328

EC360

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

EC500

EC821

EC1260

EC1260

EC1261

EC1261

EC1262

EC1270

EC1561

GD01

GL01P

GP01

GP02

HWD12

K3520

K3770

K3771

K3772

K3773

K3565

K3565-2

K3715

K3765

Vendor 3G Standard Default Id

Reliance

CDMA2000

CDMA EV-DO Rev.0

12d1:1001

CDMA EV-DO Rev.A

12d1:1001

CDMA2000 12d1:1001

HSD Rev.A

12d1:1446

MTS

E-Mobile JP

HSD Rev.A

12d1:1505

HSD Rev.A

12d1:1446

HSD Rev.A

12d1:1505

12d1:1446

CDMA EV-DO Rev.A

12d1:1446

HSPA+

21.6/5.76

E-Mobile JP HSPA+

21.6/5.76

E-Mobile JP HSPA+

21.6/5.76

12d1:1505

12d1:1446

12d1:1f01

12d1:14fe

12d1:1c1b E-Mobile JP HSPA+

21.6/5.76

KDDI Jpn

Vodafone

LTE CAT4

HSDPA 7.2

HSUPA 5.76

Vodafone

Vodafone

HSDPA 3.6

HSUPA 2.0

HSDPA 7.2

HSUPA 2.0

Vodafone

Vodafone

Vodafone

Vodafone

HSDPA 7.2

HSUPA 2.0

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 2.0

HSDPA 7.2

HSUPA 2.0

12d1:1f03

12d1:1520

12d1:1001

12d1:1003

12d1:1001

12d1:1520

12d1:14d1

12d1:14c4

Vodafone

Vodafone

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

12d1:1526

12d1:1f11

Modem Id

12d1:1001

12d1:1001

12d1:1001

12d1:140b

12d1:140b

12d1:140b

12d1:140b

12d1:140b

12d1:140c

12d1:140b

12d1:1506

12d1:14db

12d1:1c1e

12d1:1506

12d1:14db

12d1:1465

12d1:1001

12d1:1003

12d1:1001

12d1:1465

12d1:14c9

12d1:14ca

12d1:14cf

12d1:14bc

Probable

Possible

Probable

Probable

Probable

Compatibility

Unknown

Probable

Probable

Probable

Probable

Probable

Probable

Probable

Probable

Probable

Probable

Probable

Probable

Probable

Probable

Probable

Probable

Probable

Probable

Probable

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Manufacturer Model

Huawei K3806

Huawei

Huawei

K4201

K4201

Huawei

Huawei

Huawei

Huawei

K4202

K4202

K4203

K4203

K4606

K4606

K4606

K5005

K5007

K5150

K5150

K5150

K4505

K4510

K4511

K4605

K4203

K4305

K4305

K4305


Vodafone

Vodafone

Vodafone

Vodafone

Vodafone

Vodafone

Vodafone

Vodafone

Vodafone

Vodafone

Vodafone

Vodafone

Vodafone

Vodafone

Vodafone

Vodafone

Vendor

Vodafone

Vodafone

Vodafone

Vodafone

Vodafone

Vodafone

Vodafone

12d1:1590

12d1:1400

12d1:1f15

12d1:14f7

12d1:1464

12d1:14cb

12d1:14cc

12d1:14c6

12d1:1f19

12d1:14fa

12d1:1578

12d1:14c8

12d1:156c

12d1:14f8

12d1:1f16

12d1:1575

Modem Id

12d1:14ae

12d1:1f17

12d1:1576

12d1:1f18

12d1:1577

12d1:1f1c

12d1:157a

3G Standard Default Id

HSPA+

14.4/5.76

HSPA+

21.6/5.76

HSPA+

21.6/5.76

HSPA+

21.6/5.76

HSPA+

21.6/5.76

HSPA+

21.6/5.76

HSPA+

21.6/5.76

HSPA+

21.6/5.76

DC-HSPA+

28.8/5.76

DC-HSPA+

28.8/5.76

DC-HSPA+

28.8/5.76

DC-HSPA+

28.8/5.76

DC-HSPA+

28.8/5.76

DC-HSPA+

28.8/5.76

DC-HSPA+

42.2/11.5

DC-HSPA+

42.2/11.5

DC-HSPA+

42.2/11.5

DC-HSPA+

42.2/11.5

LTE CAT3

LTE CAT4

LTE CAT4

LTE CAT4

12d1:14ad

12d1:1f17

12d1:1f17

12d1:1f18

12d1:1f18

12d1:1f1c

12d1:1f1c

12d1:1f1c

12d1:1f15

12d1:1f15

12d1:1f15

12d1:1521

12d1:14c5

12d1:14b7

12d1:14c1

12d1:1f19

12d1:1f19

12d1:1f19

12d1:14c3

12d1:156a

12d1:1f16

12d1:1f16

LTE CAT4 12d1:1f16

Compatibility

Probable

Not Compatible

Probable

Not Compatible

Unlikely

Not Compatible

Possible

Possible

Unlikely

Not Compatible

Unlikely

Probable

Probable

Probable

Probable

Not Compatible

Unlikely

Unlikely

Probable

Probable

Unlikely

Not Compatible

Unlikely


Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Manufacturer Model

Huawei K5160

Huawei

Huawei

Huawei

K5160

K5160

K5188

Huawei

Huawei

Huawei

Huawei

Kxxxx

Kxxxx

ME906E

R201

R205

R206

R206_MR

R207

R208

R210

R215

R215_MR

R216

R226

R226

S4011

Speedstick LTE

Speedstick LTE III

Speedstick LTE V

SU-6200

U725

U2800A

U6150

Vendor

Vodafone

Vodafone

Vodafone

Vodafone

Vodafone

Vodafone

3G Standard Default Id

LTE 4G 12d1:1f1e

LTE 4G

LTE 4G

DC-HSPA+

28.8/5.76

LTE 4G

LTE 4G

LTE CAT3 -

12d1:1f1e

12d1:1f1e

12d1:

12d1:1f1b

12d1:1f1d

Vodafone

Vodafone

Vodafone

Vodafone

HSDPA 7.2

HSUPA 5.76

HSPA+

21.6/5.76

HSPA+

21.6/5.76

HSPA+

21.6/5.76

Vodafone

Vodafone

Vodafone

Vodafone

Vodafone

Vodafone

HSPA+

21.6/5.76

DC-HSPA+

42.2/5.76

LTE CAT3

LTE CAT4

LTE CAT4

LTE CAT4

Vodafone

Vodafone

LTE CAT6

LTE CAT6

MedionMobile HSDPA 3.6

Telekom DE LTE CAT3

12d1:1523

12d1:155a

12d1:1527

12d1:1f04

12d1:1f05

12d1:1581

12d1:1580

12d1:1582

12d1:1f06

12d1:1f09

12d1:1f07

12d1:1f07

12d1:1003

12d1:1505

Telekom DE LTE CAT4

Telekom DE LTE CAT4

SpeedUp

Vodafone

CDMA

12d1:14fe

12d1:15cd

12d1:1446

12d1:1009

12d1:1805

12d1:1805

12d1:14cd

12d1:1594

12d1:15bc

12d1:15bd

12d1:1587

12d1:1585

12d1:1588

12d1:15c7

12d1:1c50

12d1:15bf

12d1:15c8

12d1:1003

12d1:1506

Modem Id

12d1:1f1e

12d1:157f

12d1:1592

12d1:

12d1:1579

12d1:157b

12d1:1570

12d1:1491

12d1:1506

12d1:15cd

12d1:1001

12d1:1009

12d1:1805

12d1:1805

Compatibility

Not Compatible

Unlikely

Unlikely

Unknown

Not Compatible

Not Compatible

Not Compatible

Probable

Probable

Unknown

Unlikely

Unlikely

Unknown

Unknown

Unlikely

Unknown

Unlikely

Unlikely

Unlikely

Probable

Probable

Probable

Not Compatible

Probable

Probable

Probable

Probable


Linktop

Linktop

Linktop

Linktop

Linktop

Linktop

Linktop

Linktop

Longcheer

Manufacturer Model

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Huawei

Infomark

Kyocera

Kyocera

Kyocera

LG

LG

LG

LG

LG

LG

LG

U8110

U8220

UMG366

UMG1691

UMG1831

UML397

W5101

T-Mobile US HSPA+

21.6/5.76

Cellular US

Vodafone

IMW-C910W Clear Spot

Voyager

KPC650

LTE

LTE CAT4

KPC680

W06K

L-02C

L-03D

L-05A

L-07A

L-08C

LUU-2100TI

LUU-2110TI

LW272

LW272

LW272

LW273

LW273

IT-ST3G

Zoom 3G

Zoom 3G

3.5G

Vendor

T-Mobile

T-Mobile

T-Mobile US HSPA+

21.6/5.76

T-Mobile US HSDPA

Docomo

Docomo

Docomo

Docomo

Docomo

AT&T

AT&T

BSNL

Teracom

Visiontek

BSNL

Visiontek

Intex

Nuton

3G Standard Default Id

CDMA 1xEV-DO

CDMA EV-DO Rev.A

CDMA EV-DO Rev.A

HSDPA 7.2

HSUPA 5.76

HSPA+

14.4/5.76

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

HSDPA 3.6

12d1:1031

12d1:1030

12d1:1446

12d1:1446

12d1:1446

12d1:1583

19f2:1700

0c88:17da

0c88:180a

0482:024d

1004:61dd

1004:6327

1004:613a

1004:614e

1004:61eb

1004:613f

1004:6156

230d:0001

230d:0003

230d:0007

230d:0001

230d:0007

230d:000d

230d:0001

230d:000b

1c9e:1001

Modem Id

12d1:1035

12d1:1034

12d1:1506

12d1:140c

12d1:1404

12d1:1589

19f2:1700

0c88:17da

0c88:180a

0482:024d

1004:618f

1004:6326

1004:6124

1004:6135

1004:61ea

1004:6141

1004:6157

230d:0001

230d:0003

230d:0007

230d:0001

230d:0007

230d:000d

230d:0001

230d:000b

1c9e:6061

Unlikely

Unlikely

Possible

Probable

Probable

Possible

Possible

Possible

Possible

Possible

Possible

Possible

Possible

Possible

Possible

Unlikely

Possible

Unlikely

Probable

Compatibility

Probable

Probable

Probable

Probable

Probable

Unknown

Unlikely

Unlikely


Longcheer

Longcheer

Longcheer

Longcheer

Longcheer

Longcheer

Longcheer

Longcheer

Longcheer

Longcheer

Longcheer

Longcheer

Longcheer

Longcheer

Longcheer

Longcheer

Longcheer

Longcheer

Longcheer

Manufacturer Model

Longcheer 4595

Longcheer

Longcheer

4596

4597

Longcheer

Longcheer

Longcheer

CBM-300

CBM-400

CE200

C01LC

C02LC

C5300

C5300V

D01LC

D02LC

D11LC

D12LC

D21LC

EU930

Emobile

Yitong

HSPA-820

IV-2010u iFox

Ivio

MBD-100HU Mobidata

MBD-200HU Mobidata

MBD-220HU Mobidata

MBD-230HU Mobidata

MBD-300HU Mobidata

MBD-400HU Mobidata

MBD-500HU Mobidata

Softbank

Softbank

Longsung

Longsung

Emobile

Emobile

Emobile

Emobile

Vendor

Zoom

Zoom

Zoom

ChangBao

ChangBao

Capitel

1c9e:9404

1c9e:6000

1c9e:6061

1c9e:6000

1c9e:6061

1c9e:9000

1c9e:9603

1c9e:9603

1c9e:

1c9e:9605

1c9e:9603

1c9e:9603

1c9e:9900

1c9e:9e00

1c9e:9e00

1c9e:

1c9e:

1c9e:6061

1c9e:9104

Modem Id

1c9e:9603

1c9e:9603

1c9e:9607

1c9e:9603

1c9e:9603

1c9e:9e00

3G Standard Default Id

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

HSDPA 3.6

HSDPA 7.2

HSUPA 5.76

CDMA EV-DO

HSDPA 3.6

HSDPA 7.2

HSUPA 5.76

CDMA EV-DO

CDMA EV-DO

HSDPA 3.6

HSDPA 3.6

HSDPA 3.6

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

CDMA EV-DO Rev.A

HSDPA 3.6

CDMA EV-DO Rev.A

HSDPA 3.6

HSDPA 3.6

HSDPA 3.6

HSDPA 3.6

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

1c9e:f000

1c9e:f000

1c9e:f000

1c9e:f000

1c9e:f000

1c9e:9e00

1c9e:f000

1c9e:f000

1c9e:9e00

1c9e:9e00

1c9e:

1c9e:

1c9e:1001

1c9e:9101

1c9e:9401

1c9e:6000

1c9e:1001

1c9e:6000

1c9e:1001

1c9e:f000

1c9e:f000

1c9e:f000

1c9e:f000

1c9e:f000

1c9e:f000

Unlikely

Unlikely

Probable

Unlikely

Probable

Probable

Probable

Probable

Unknown

Probable

Probable

Probable

Possible

Probable

Probable

Possible

Possible

Probable

Unlikely

Compatibility

Probable

Probable

Probable

Probable

Probable

Probable


Manufacturer Model

Longcheer

Longcheer

Longcheer

Longcheer

Longcheer

Longcheer

Longcheer

Longcheer

Longcheer

Longcheer

Longcheer

Longcheer

Longcheer

Longcheer

Longcheer

Longcheer

Longcheer

Longcheer

Longcheer

Longcheer

Longcheer

Longcheer

Longcheer

Longcheer

Longcheer

Vendor

MBD-600HU Mobidata

MBD-700HU Mobidata

MBD-800HU Mobidata

MMX 300G

MMX 310C

MMX 310G

MMX 351G

MMX 352G

MMX 353G

Micromax

Micromax

Micromax

Micromax

Micromax

Micromax

3G Standard Default Id

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

HSDPA 3.6

CDMA EV-DO

HSDPA 3.6

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

HSDPA 3.6

HSDPA 3.6

1c9e:f000

1c9e:f000

1c9e:f000

1c9e:f000

1c9e:9e00

1c9e:f000

1c9e:f000

1c9e:f000

1c9e:f000

1c9e:f000

1c9e:1001

1c9e:1001

MMX 372G Micromax

NT36HD

OneTouch X020

OneTouch X030

PCM100

Nuton

Alcatel

Alcatel

PHS301

S3gm-646

S3gm-690

SEV759

SU-7300U

SU-8200U

SU-8300U

SU-8600U

SU-8650U

SU-8900U

SU-9000U

HSDPA 3.6

1c9e:1001

Prolink

Prolink

CDMA 1x EV-DO Rev.A

HSDPA 7.2

HSUPA 5.76

HSDPA 3.6

1c9e:9d00

1c9e:f000

Solomon

Solomon HSDPA 7.2

HSUPA 5.76

1c9e:f000

1c9e:f000

Chong King CDMA 2000 1c9e:3197

SpeedUP CDMA EV-DO

1c9e:9e00

SpeedUP

SpeedUP

SpeedUP

SpeedUP

SpeedUP

SpeedUP

HSDPA 3.6

HSDPA 3.6

HSDPA 3.6

HSDPA 3.6

HSDPA 3.6

HSDPA 7.2

HSUPA 2.1

1c9e:1001

1c9e:1001

1c9e:f000

1c9e:f000

1c9e:f000

1c9e:f000

Modem Id

1c9e:9603

1c9e:

1c9e:

1c9e:9603

1c9e:9e00

1c9e:9605

1c9e:9607

1c9e:9605

1c9e:9605

1c9e:6061

1c9e:6061

1c9e:6061

1c9e:9d00

1c9e:9605

1c9e:9603

1c9e:9603

1c9e:3197

1c9e:9e00

1c9e:6061

1c9e:6061

1c9e:9603

1c9e:9605

1c9e:9605

1c9e:9000

Probable

Probable

Probable

Unlikely

Probable

Probable

Probable

Probable

Probable

Probable

Probable

Possible

Probable

Probable

Probable

Unlikely

Compatibility

Probable

Unknown

Unknown

Probable

Probable

Probable

Probable

Probable

Probable


Manufacturer Model

Longcheer

Longcheer

Longcheer

Longcheer

Longcheer

Longcheer

Longcheer

Longcheer

Longcheer

Longcheer

Longcheer

Longcheer

Longcheer

Longcheer

Longcheer

Longcheer

Longcheer

Longcheer

Longcheer

Longcheer

Longcheer

Longcheer

Longcheer

Mediatek

Mediatek

SU-9500U

SU-9800U

TFDG888

TU930

TW-3G

USB303

U12

U1-TF

U3501

U6300V

WL72B

WM66a

WM66e

Vendor 3G Standard Default Id

SpeedUP

SpeedUP

Taifeng

Telewell

HSDPA 7.2

HSUPA 5.76

HSPA+

14.4/5.76

HSDPA 3.6

CDMA EV-DO Rev.A

HSPA+

21.6/5.76

VKOM

Flyer

CSL

HSPA+

21.6/5.76

HSDPA 3.6

HSDPA 3.6

I Mobile,TH HSDPA 7.2

HSUPA 5.76

Longsung HSDPA 7.2

HSUPA 5.76

Omega

SmartBro

SmartBro

HSDPA 3.6

HSDPA 3.6

HSPA+

21.6/5.76

WM669

WM71

WM72

WM81

D-Link

Smartbro

Smartbro

Mecer

HSDPA 3.6

HSDPA 3.6

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

X270

XSStick P14

Nexon

4G Systems

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

XSStick TV 4G Systems HSDPA 7.2

HSUPA 5.76

XSStick W14 4G Systems HSDPA 7.2

HSUPA 5.76

XSStick W21 4G Systems HSPA+

21.6/5.76

ZX-200 Alltronix CDMA EV-DO Rev.A

DC_1COM

HSDPA 7.2

HSUPA 5.76

1c9e:f000

1c9e:9800

1c9e:f000

1c9e:6000

1c9e:98ff

1c9e:98ff

1c9e:f000

1c9e:f000

1c9e:f000

1c9e:f000

1c9e:6061

1c9e:1001

1c9e:98ff

1c9e:f000

1c9e:f000

1c9e:f000

1c9e:f000

1c9e:f000

1c9e:f000

1c9e:f000

1c9e:f000

1c9e:98ff

1c9e:6000

0e8d:0002

0e8d:0002

1c9e:9603

1c9e:9603

1c9e:9605

1c9e:9603

1c9e:6061

1c9e:6061

1c9e:9803

1c9e:9603

1c9e:9603

1c9e:9605

Modem Id

1c9e:9607

1c9e:9800

1c9e:9605

1c9e:6000

1c9e:9801

1c9e:9801

1c9e:9605

1c9e:9607

1c9e:9605

1c9e:9a00

1c9e:9603

1c9e:9801

1c9e:6000

0e8d:00a0

0e8d:00a1

Probable

Probable

Probable

Probable

Probable

Probable

Possible

Probable

Probable

Probable

Compatibility

Probable

Probable

Probable

Unlikely

Probable

Probable

Probable

Probable

Probable

Possible

Probable

Probable

Unlikely

Possible

Probable


Nokia

Nokia

Nokia

Nokia

Netgear

Netgear

Netgear

Netgear

Nokia

Nokia

Nokia

Nokia

Nokia

Nokia

Nokia

Nokia

Manufacturer Model

Mediatek

Mediatek

Mediatek

Mediatek

Mediatek

Modmen

Netgear

DC_5COM

DC_4COM

DC_4COM2

S4222

Vendor 3G Standard Default Id

HSDPA 7.2

HSUPA 5.76

0e8d:0002

0e8d:0002

0e8d:0002

0e8d:0002

0e8d:0002

LM-700r

AC778S

JOA Telecom CDMA EV-DO Rev.A

Virgin US LTE CAT3/CDMA EV-DO

AC781S

AC782S

AC785S-100 Netgear

AC785S-200 Netgear

CS-10

Netgear

Netgear

LTE CAT4

LTE CAT4

LTE CAT4

LTE CAT4

CS-10

CS-11

CS-11

HSDPA 7.2

HSUPA 2.1

HSDPA 7.2

HSUPA 2.1

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

CS-12

CS-15

CS-15

CS-17

CS-17

CS-18

CS-19

7M-01

HSPA+

14.4/5.76

HSDPA 10.2

HSUPA 5.76

HSDPA 10.2

HSUPA 5.76

HSPA+

14.4/5.76

HSPA+

14.4/5.76

HSPA+

21.6/5.76

HSPA+

21.6/5.76

HSDPA 7.2

HSUPA 5.76

198a:0003

0846:0fff

0846:68e1

0846:68e1

0846:68e1

0846:68e1

0421:060c

0421:060c

0421:061d

0421:061d

0421:0618

0421:0610

0421:0610

0421:0622

0421:0622

0421:0627

0421:062c

0421:0632

Modem Id

0e8d:00a2

0e8d:00a4

0e8d:00a5

0e8d:00a7

0e8d:00a5

198a:0002

0846:68d3

0846:68e1

0846:68e1

0846:68e1

0846:68e1

0421:060d

0421:060e

0421:061e

0421:061f

0421:0619

0421:0611

0421:0612

0421:0623

0421:0624

0421:0629

0421:062d

0421:0632

Unlikely

Unlikely

Unlikely

Unlikely

Unlikely

Possible

Possible

Unlikely

Possible

Unlikely

Possible

Possible

Unlikely

Possible

Possible

Possible

Compatibility

Probable

Possible

Not Compatible

Possible

Not Compatible

Probable

Unlikely

Manufacturer Model

Nokia 7M-02

Nokia

Nokia

Novatel Wireless

Novatel Wireless

Novatel Wireless

Novatel Wireless

Novatel Wireless

Novatel Wireless

Novatel Wireless

Novatel Wireless

Novatel Wireless

Novatel Wireless

Novatel Wireless

Novatel Wireless

Novatel Wireless

Novatel Wireless

Novatel Wireless

Novatel Wireless

Novatel Wireless

Novatel Wireless

21M-02

21M-02

C777

E362

E371

E396

E396U

EU740

EU850D

EU860D

EU870D

MC545

MC547

MC551

MC679

MC727

MC760

MC930D

MC935B

MC935D

Vendor


1410:a023

1410:2410

1410:2420

1410:2420

1410:2420

1410:7042

1410:7042

1410:b001

Modem Id

0421:0638

0421:0638

0421:0639

1410:6000

1410:9010

1410:9011

1410:a021

1410:7031

1410:4100

1410:6002

1410:4400

1410:7001

1410:7001

3G Standard Default Id

HSDPA 7.2

HSUPA 5.76

HSPA+

21.6/5.76

HSPA+

21.6/5.76

CDMA EV-DO Rev.A

LTE CAT3

0421:0637

0421:0637

0421:0639

1410:6000

1410:

LTE CAT3

HSPA+

14.4/5.76

HSPA+

14.4/5.76

CDMA EV-DO Rev.A

HSDPA

7.2/2.1

HSDPA

7.2/2.1

HSDPA

7.2/2.1

DC-HSPA+

42.2/5.76

DC-HSPA+

42.2/5.76

LTE CAT3

LTE CAT3

1410:

1410:

1410:

1410:2410

1410:2420

1410:2420

1410:2420

1410:5059

1410:5059

1410:b001

1410:5059

CDMA EV-DO Rev.A

CDMA EV-DO Rev.A

HSDPA

7.2/2.1

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

1410:5010

1410:5031

1410:5010

1410:5020

1410:5020

Probable

Probable

Probable

Probable

Probable

Probable

Unlikely

Unlikely

Unlikely

Unlikely

Unlikely

Probable

Probable

Unlikely

Compatibility

Possible

Possible

Unlikely

Unlikely

Unlikely

Unlikely

Unlikely


Manufacturer Model

Novatel Wireless

Novatel Wireless

Novatel Wireless

Novatel Wireless

Novatel Wireless

Novatel Wireless

Novatel Wireless

Novatel Wireless

Novatel Wireless

Novatel Wireless

Novatel Wireless

Novatel Wireless

Novatel Wireless

Novatel Wireless

Novatel Wireless

Novatel Wireless

Novatel Wireless

Novatel Wireless

Novatel Wireless

Novatel Wireless

Novatel Wireless

MC950D

MC990D

MC996D

MC998D

MiFi 2200

MiFi 2352

MiFi 2352

MiFi 2372

MiFi 4082

MiFi 4620L

MiFi 5510L

MiFi 5792

U547

U620L

U679

U720

U727

U730

U740

U760

U950D

Vendor

Bell

Vodafone

Sprint

Verizon

Verizon

AT&T

1410:7001

1410:6032

1410:b005

1410:b00b

1410:b009

1410:7042

1410:9020

1410:7031

Modem Id

1410:4400

1410:7001

1410:7030

1410:7030

1410:6000

1410:7001

1410:7003

1410:2110

1410:4100

1410:1400

1410:1410

1410:6000

1410:4400

DC-HSPA+

42.2/5.76

LTE CAT4

LTE CAT3

CDMA EV-

DO Rev.A

CDMA EV-

DO Rev.A

CDMA EV-

DO Rev.A

CDMA EV-

DO Rev.A

CDMA EV-

DO Rev.A

HSDPA

7.2/2.1

3G Standard Default Id

HSDPA

7.2/2.1

HSDPA 7.2

HSUPA 5.76

HSPA+

21.6/5.76

DC-HSPA+

28.8/5.76

CDMA EV-

DO Rev.A

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

CDMA EV-

DO Rev.A

LTE CAT3

1410:5010

1410:5020

1410:5023

1410:5010

1410:5030

1410:5041

1410:5041

1410:5041

1410:5055

1410:b005

LTE CAT3

LTE CAT3

1410:b00b

1410:b009

1410:5059

1410:9020

1410:5059

1410:2110

1410:5010

1410:1400

1410:1410

1410:5030

1410:5010

Unlikely

Probable

Unlikely

Unlikely

Probable

Probable

Probable

Unlikely

Unlikely

Unlikely

Unlikely

Probable

Unlikely

Probable

Compatibility

Probable

Probable

Probable

Probable

Probable

Probable

Probable

Onda

Onda

Onda

Olivetti

Onda

Onda

Onda

Olivetti

Olivetti

Olivetti

Olivetti

Olivetti

Olivetti

Olivetti

Olivetti

Olivetti

Manufacturer Model

Novatel

Wireless

Novatel

Wireless

Novatel

Wireless

Olivetti

U998

USB551L

USB1000

Olicard 100

Olivetti

Olivetti

Olicard 120

Olicard 140

Olicard 145

Olicard 155

Olicard 160

Olicard 200

Vendor

Verizon

Verizon

Olicard 310

Olicard 315

Olicard 400

Olicard 500

Olicard 600

Olicard 700

CM201

FM301

MDC655

MDC655

MDC655

Coop

FastWeb

Ducati

Ducati

Ducati

MDC835UP Ducati

0b3c:c004

0b3c:c00a

0b3c:c005

0b3c:

0b3c:

0b3c:

0b3c:c00b

0b3c:

0b3c:

1ee8:0065

1ee8:0069

1ee8:0044

1ee8:0049

1ee8:004e

1ee8:0011

Modem Id

1410:7030

1410:b001

1410:a001

0b3c:c000

0b3c:c001

0b3c:c002

0b3c:c003

3G Standard Default Id

DC-HSPA+

28.8/5.76

LTE CAT3

1410:5010

1410:b001

LTE CAT3

HSPA+

14.4/5.76

HSPA+

21.6/5.76

HSPA+

14.4/5.76

HSPA+

14.4/5.76

HSPA+

14.4/5.76

HSPA+

14.4/5.76

HSPA+

14.4/5.76

HSDPA

7.2/0.38

HSDPA

7.2/0.38

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

HSPA+

14.4/5.76

HSPA+

21.6/5.76

HSPA+

21.6/5.76

DC-HSPA+

42.2/11.5

LTE CAT3

LTE CAT3

1410:a001

0b3c:c700

0b3c:c700

0b3c:c700

0b3c:f000

0b3c:f000

0b3c:f00c

0b3c:f000

0b3c:

0b3c:

0b3c:

0b3c:f017

0b3c:

0b3c:

1ee8:0063

1ee8:0068

1ee8:0045

1ee8:004a

1ee8:004f

1ee8:0013

Possible

Unlikely

Possible

Unlikely

Unlikely

Probable

Unlikely

Possible

Unknown

Unknown

Not

Compatible

Unlikely

Not

Compatible

Unknown

Unlikely

Compatibility

Probable

Unlikely

Unlikely

Probable

Probable

Probable

Probable

Onda

Onda

Onda

Onda

Onda

Onda

Onda

Onda

Onda

Option

Wireless

Option

Wireless

Option

Wireless

Option

Wireless

Option

Wireless

Onda

Onda

Onda

Onda

Manufacturer Model

Onda MO835UP

Onda

Onda

MSA 14.4

MT655

MT825UP

MT833UP

MT835UP

MV815UP

MW823UP

MW825UP

MW833UP

MW835UP

MW836UP

MW875UP

PM1051

TM201

WM301

Globesurfer

Icon 7.2

Globetrotter

Icon 31

Globetrotter

Icon 225

Globetrotter

Icon 225

Globetrotter

Icon 225

Wind

Wind

Wind

Wind

Wind

Wind

Vendor

Coop

TIM BZ

TIM

TIM

TIM

TIM

Vodafone

TIM

Wind

1ee8:000b

1ee8:000b

1ee8:0012

1ee8:0014

1ee8:003e

1ee8:0053

1ee8:000b

1ee8:0064

Modem Id

1ee8:0017

1ee8:005f

1ee8:0049

1ee8:000b

1ee8:0014

1ee8:0014

1ee8:0004

1ee8:0069

0af0:6901

0af0:c031

0af0:6911

0af0:6951

0af0:6971

3G Standard Default Id

HSPA+

14.4/5.76

HSPA+

14.4/5.76

HSPA+

14.4/5.76

HSPA+

14.4/5.76

HSPA+

14.4/5.76

HSPA+

14.4/5.76

HSPA+

14.4/5.76

HSPA+

14.4/5.76

HSPA+

14.4/5.76

HSPA+

14.4/5.76

HSPA+

14.4/5.76

HSPA+

14.4/5.76

HSPA+

14.4/5.76

HSPA+

14.4/5.76

HSPA+

14.4/5.76

HSPA+

21.6/5.76

HSDPA

7.2/0.38

HSDPA

1ee8:0018

1ee8:0060

1ee8:0048

1ee8:0009

1ee8:0013

1ee8:0013

1ee8:0003

1ee8:0009

1ee8:0009

1ee8:0013

1ee8:0013

1ee8:0040

1ee8:0054

1ee8:0007

1ee8:0063

1ee8:0068

05c6:1000

0af0:c031

HSDPA

7.2/0.38

HSDPA

7.2/0.38

HSDPA

7.2/0.38

0af0:6911

0af0:6951

0af0:6971

Possible

Probable

Possible

Possible

Possible

Possible

Possible

Possible

Possible

Possible

Possible

Possible

Unlikely

Possible

Compatibility

Unlikely

Possible

Unlikely

Possible

Possible

Possible

Unlikely

Manufacturer Model

Option

Wireless

Option

Wireless

Option

Wireless

Option

Wireless

Option

Wireless

Option

Wireless

Option

Wireless

Option

Wireless

Option

Wireless

Option

Wireless

Option

Wireless

Option

Wireless

Option

Wireless

Option

Wireless

Option

Wireless

Option

Wireless

Option

Wireless

Option

Wireless

Option

Wireless

Option

Wireless

Option

Wireless

Globetrotter

Icon 461

Globetrotter

Icon 461

Globetrotter

Icon 505

Globetrotter

Icon 505

Globetrotter

Icon 515m

Globetrotter

Icon 643

Globetrotter

Icon 701

Globetrotter

Icon 711

Globetrotter

Icon 321

Globetrotter

Icon 322

Globetrotter

Icon 401

Globetrotter

Icon 411

Globetrotter

Icon 431

Globetrotter

Icon 451

Globetrotter

Icon 451

Globetrotter

Icon 452

Globetrotter

Icon 1215

Globetrotter

Icon 1215

Globetrotter

Icon 1515

Globetrotter

Icon XY

GTM378

Vendor

Vodafone

Vodafone

AT&T

Orange UK

3G Standard Default Id

HSPA 3.6/1.46 0af0:d031

HSPA 3.6/1.46 0af0:d033

HSDPA

7.2/2.0

HSDPA

7.2/2.0

HSDPA

7.2/2.0

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

HSDPA

7.2/2.0

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

HSPA+

14.4/5.76

HSPA+

14.4/5.76

HSPA+

14.4/5.76

HSPA+

14.4/5.76

0af0:7401

0af0:7501

0af0:7501

0af0:7701

0af0:7706

0af0:7901

0af0:7a01

0af0:7a05

0af0:d055

0af0:d057

0af0:d157

0af0:8700

0af0:c100

HSPA+

21.6/5.76

HSPA+

14.4/5.76

HSPA+

14.4/5.76

HSPA+

14.4/5.76

HSDPA 7.2

HSUPA 5.76

HSDPA

7.2/0.38

0af0:4007

0af0:d001

0af0:d001

0af0:d001

0af0:8300

0af0:6901

Probable

Unlikely

Unlikely

Probable

Possible

Unlikely

Possible

Possible

Possible

Possible

Possible

Possible

Possible

Possible

Compatibility

Possible

Possible

Possible

Possible

Possible

Possible

Possible

0af0:7901

0af0:7a01

0af0:7a05

0af0:d055

0af0:d057

0af0:d157

0af0:8701

0af0:c100

Modem Id

0af0:d031

0af0:d033

0af0:7401

0af0:7501

0af0:7501

0af0:7701

0af0:7706

0af0:4005

0af0:d255

0af0:d257

0af0:d157

0af0:8300

0af0:6901

Manufacturer Model

Option

Wireless

Option

Wireless

Option

Wireless

Option

Wireless

Option

Wireless

Option

Wireless

Option

Wireless

Option

Wireless

Option

Wireless

Option

Wireless

Option

Wireless

Option

Wireless

Option

Wireless

Option

Wireless

Option

Wireless

Pirelli

GTM378E

GTM380

GTM380

GTM380

GTM380

GTM382

GTM382

GTM382W

GTM501

GTM601

GTM609

GTM661

GTM669

GTM671

GTM679

8E4455

Puchuang

Puchuang

Puchuang

Puchuang

Puchuang

SEW838

SEW858

SEW868

SEW898

Speed 3.5G

Puchuang

Puchuang

TE W120

TE W130

Vendor

Digicom

Inovia

Inovia

Inovia

Inovia

Intex

Haier

Haier

0af0:7601

0af0:d035

0af0:8800

0af0:8800

0af0:9000

0af0:

0af0:9200

0af0:8900

1266:1009

20a6:1105

20a6:1105

20a6:1105

20a6:1105

20a6:1105

20a6:1105

20a6:1106

Modem Id

0af0:6911

0af0:7201

0af0:7211

0af0:7251

0af0:7271

0af0:7501

0af0:7601

3G Standard Default Id

HSDPA

7.2/0.38

HSDPA

7.2/2.0

HSDPA

7.2/2.0

HSDPA

7.2/2.0

HSDPA

7.2/2.0

HSDPA

7.2/2.0

HSDPA

7.2/2.0

HSDPA

7.2/2.0

HSDPA 7.2

HSUPA 5.76

HSPA+

14.4/5.76

HSPA+

14.4/5.76

HSPA+

14.4/5.76

HSPA+

14.4/5.76

HSPA+

14.4/5.76

HSPA+

14.4/5.76

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSDPA 7.2

HSDPA 7.2

HSDPA 7.2

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

HSPA+

21.6/5.76

0af0:6911

0af0:7201

0af0:7211

0af0:7251

0af0:7271

0af0:7501

0af0:7601

0af0:7601

0af0:d035

0af0:8800

0af0:8800

0af0:9000

0af0:

0af0:9200

0af0:8900

1266:1000

20a6:f00e

20a6:f00e

20a6:f00e

20a6:f00e

20a6:f00e

20a6:f00e

20a6:f00e

Possible

Possible

Possible

Possible

Possible

Unknown

Possible

Possible

Probable

Unlikely

Unlikely

Unlikely

Unlikely

Unlikely

Unlikely

Unlikely

Compatibility

Possible

Unlikely

Possible

Possible

Possible

Possible

Possible

Qualcomm

Qualcomm

Qualcomm

Qualcomm

Qualcomm

Qualcomm

Qualcomm

Qualcomm

Qualcomm

Qualcomm

Qualcomm

Manufacturer Model

Qualcomm 3GU

Qualcomm

Qualcomm

Qualcomm

Qualcomm

3GU

3GU

CM405

DWM-151

Qualcomm

Qualcomm

Qualcomm

Qualcomm

Qualcomm

Qualcomm

Qualcomm

DWM-151 D-Link

DWM-162 C1 D-Link

DWM-162R D-Link

DWM-162U5 D-Link

DWM-162U5

A1

E-G03

E-G05

D-Link

Promate

Promate

Vendor

A-Link

A-Link

A-Link

BSNL

D-Link

EM600

Icon 210

Icon 210

LM-75

Simcom

Option

Option

Siptune

MM-5100

MM-5500

Maxon

Maxon

MMX 300C Micromax

MMX 300C Micromax

MMX 372G Micromax

MUB417Q

MV241

Bointec

AxessTel

1e0e:cefe

1e0e:9000

1e0e:9200

05c6:9000

05c6:3100

05c6:3196

1e0e:ce16

1e0e:cefe

05c6:9000

1e0e:9200

05c6:00a0

Modem Id

1e0e:9000

1e0e:9100

1e0e:9200

05c6:3197

05c6:9000

1e0e:9000

1e0e:ce17

1e0e:ce16

1e0e:ce16

1e0e:ce1e

05c6:3100

1e0e:9000

3G Standard Default Id

HSDPA

3.6/0.38

HSDPA

3.6/0.38

CDMA EV-

DO

CDMA EV-

DO

1e0e:f000

1e0e:f000

HSDPA

3.6/0.38

1e0e:f000

CDMA 2000 05c6:1000

HSDPA 7.2

HSUPA 5.76

05c6:f000

1e0e:f000 HSDPA

3.6/0.38

CDMA EV-

DO

2077:1000

05c6:2001

05c6:2001

CDMA EV-

DO

05c6:2001

CDMA 2000 05c6:3100

HSDPA

3.6/0.38

1e0e:f000

05c6:2001 CDMA EV-

DO

HSDPA

3.6/0.38

1e0e:f000

HSDPA

3.6/0.38

HSDPA 7.2

HSUPA 5.76

1e0e:f000

05c6:f000

CDMA 2000 05c6:3100

CDMA 2000 05c6:3196

05c6:2001 CDMA EV-

DO

CDMA EV-

DO

05c6:2001

05c6:f000 HSDPA 7.2

HSUPA 5.76

HSDPA

3.6/0.38

CDMA EV-

DO

1e0e:f000

05c6:0010

Probable

Probable

Probable

Probable

Unlikely

Unlikely

Probable

Probable

Probable

Probable

Probable

Compatibility

Probable

Possible

Probable

Unlikely

Probable

Probable

Unlikely

Probable

Probable

Probable

Unlikely

Probable

Manufacturer Model

Qualcomm

Qualcomm

Qualcomm

Qualcomm

Qualcomm

Qualcomm

Qualcomm

Qualcomm

Qualcomm

Qualcomm

Qualcomm

Qualcomm

Qualcomm

Qualcomm

Qualcomm

Quanta

P2000

PEM330

PHS100

PHS300

SEV-759

SEV-859

SG-75

SU-6500U

SU-6600U

SU-7000U

SU-8100U

TR8881

UC20

UC128

VT-80n

1K3M

Quanta

Quanta

Quanta

Quanta

Quanta

Quanta

Quanta

Quanta

1K6E

1KR

GKE

GLE

GLX

M100-1

MobileGenie

MU-Q101

Quanta

Quanta

Quanta

Quanta

MU-Q110

SU-8500U

SU-8500U

TS-1K6

Sierra Wireless AC250U

Vendor 3G Standard Default Id

Prolink

Prolink

Prolink

Prolink

CDMA2000

1x

HSDPA

7.2/5.76

HSDPA

3.6/0.38

HSDPA

3.6/0.38

05c6:1000

1e0e:f000

1e0e:f000

1e0e:f000

StrongRising CDMA

StrongRising CDMA

Siemens

SpeedUP

CDMA

05c6:1000

05c6:1000

05c6:1000

CDMA 2000 05c6:1000

SpeedUP

SpeedUP

SpeedUP

Smartfren

Quectel

Honest

Venus

CDMA 2000

CDMA EV-

DO

HSDPA

3.6/0.38

CDMA

HSPA+

14.4/5.76

CDMA

CDMA EV-

DO

TD-LTE

68.0/17.0

05c6:1000

05c6:2001

1e0e:f000

05c6:1000

05c6:9003

05c6:1000

05c6:1000

0408:ea25

Megafone

SpeedUp

SpeedUp

Telsec

Sprint US

LTE CAT3

LTE CAT3

HSDPA 3.6

HSDPA 3.6

HSDPA 3.6

LTE CAT3

LTE CAT3

HSDPA 3.6

HSDPA 3.6

HSDPA 3.6

HSDPA 3.6

LTE CAT3

CDMA 1X,

EV-DO

0408:ea43

0408:ea17

0408:f001

0408:f001

0408:f001

0408:ea42

0408:ea43

0408:f000

0408:f000

0408:f000

0408:f001

0408:ea43

1199:0fff

Modem Id

05c6:6000

1e0e:9a00

1e0e:9000

1e0e:9100

05c6:6000

05c6:6000

05c6:6000

05c6:3197

05c6:3197

1e0e:ce28

1e0e:9000

05c6:6000

05c6:9003

05c6:6000

05c6:6500

0408:ea26

0408:ea45

0408:ea16

0408:ea05

0408:ea06

0408:ea04

0408:ea42

0408:ea47

0408:ea02

0408:ea03

0408:ea03

0408:ea04

0408:ea49

1199:0301

Compatibility

Probable

Possible

Probable

Possible

Probable

Probable

Probable

Unlikely

Unlikely

Unlikely

Probable

Probable

Unlikely

Probable

Unlikely

Probable

Unlikely

Unlikely

Unlikely

Unlikely

Unlikely

Unlikely

Unlikely

Possible

Possible

Possible

Unlikely

Unknown

Probable

Manufacturer Model

Sierra Wireless AC305U

Sierra Wireless AC306U

Sierra Wireless AC307U

Sierra Wireless AC308U

Sierra Wireless AC309U

Sierra Wireless AC310U

Sierra Wireless AC312U

Sierra Wireless AC313U

Sierra Wireless AC318U

Sierra Wireless AC319U

Sierra Wireless AC320U

Sierra Wireless AC326U

Sierra Wireless AC330U

Sierra Wireless AC340U

Sierra Wireless AC341U

Sierra Wireless AC341U

Sierra Wireless AC402

Sierra Wireless AC501

Sierra Wireless AC502

Sierra Wireless AC503

Sierra Wireless AC504

Sierra Wireless AC580

Sierra Wireless AC595

Vendor

AT&T US

Telus CA

DNA

Optus AU

Telstra AU

AT&T US

O2

AT&T US

TNZ NZ

AT&T US

AT&T US

Sprint US

Telstra AU

AT&T US

Sprint US

Sprint US

Modem Id

1199:68a3

1199:68a3

1199:68a3

1199:68a3

1199:68a3

1199:68a3

1199:68a3

0f3d:68aa

1199:

1199:68a3

0f3d:68aa

1199:

0f3d:68aa

1199:9051

1199:9055

1199:9057

1199:0027

1199:6880

1199:6880

1199:68a3

1199:68a3

1199:0112

1199:0019

3G Standard Default Id

HSPA+

21.6/5.76

HSPA+

21.6/5.76

HSPA+

21.6/5.76

HSPA+

21.6/5.76

HSPA+

21.6/5.76

HSPA+

21.6/5.76

DC-HSPA+

42.2/5.76

LTE CAT3

HSPA+

21.6/5.76

DC-HSPA+

42.2/5.76

LTE CAT3

HSPA+

21.6/5.76

LTE CAT3

LTE CAT3

1199:0fff

1199:0fff

1199:0fff

1199:0fff

1199:0fff

1199:0fff

1199:0fff

1199:0fff

1199:0fff

1199:0fff

1199:0fff

1199:0fff

1199:0fff

1199:0fff

LTE CAT3

LTE CAT3

CDMA EV-

DO Rev.A

HSDPA 7.2

HSUPA 2.1

HSDPA 7.2

HSUPA 2.1

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

CDMA EV-

DO Rev.A

CDMA EV-

DO Rev.A

1199:0fff

1199:0fff

1199:0fff

1199:0fff

1199:0fff

1199:0fff

1199:0fff

1199:0fff

1199:0fff

Possible

Not

Compatible

Unlikely

Unlikely

Probable

Possible

Possible

Probable

Probable

Probable

Probable

Compatibility

Probable

Probable

Probable

Probable

Probable

Probable

Probable

Possible

Not

Compatible

Probable

Possible

Possible

Manufacturer Model

Sierra Wireless AC595U

Sierra Wireless AC597E

Sierra Wireless AC598U

Sierra Wireless AC753S

Sierra Wireless AC753S

Sierra Wireless AC754S

Sierra Wireless AC754S

Sierra Wireless AC760S

Sierra Wireless AC760S

Sierra Wireless AC762S

Sierra Wireless AC763S

Sierra Wireless AC770S

Sierra Wireless AC771S

Sierra Wireless AC875

Sierra Wireless AC875E

Sierra Wireless AC875U

Sierra Wireless AC875U

Sierra Wireless AC880

Sierra Wireless AC880E

Sierra Wireless AC880U

Sierra Wireless AC881

Sierra Wireless AC881E

Sierra Wireless AC881U

Sierra Wireless AC885E

Vendor

Sprint US

Sprint US

3G Standard Default Id

CDMA EV-

DO Rev.A

CDMA EV-

DO Rev.A

Sprint US CDMA EV-

DO Rev.A

Bigpond AU DC-HSPA+

42.2/5.76

Telstra AU DC-HSPA+

42.2/5.76

AT&T US

Rogers US

LTE CAT3

LTE CAT3

Bigpond AU LTE CAT3

Telstra AU LTE CAT3

AT&T US

Bell US

AT&T US

LTE CAT3

LTE CAT3

LTE CAT3

1199:0fff

1199:0fff

1199:0fff

1199:0fff

1199:0fff

1199:0fff

1199:0fff

1199:0fff

1199:0fff

1199:0fff

1199:0fff

1199:9053

Sprint US

Sprint US

LTE CAT3 1199:9053

Sprint US

Sprint US

Sprint US

HSDPA 7.2

HSUPA 2.1

HSDPA 7.2

HSUPA 2.1

HSDPA 7.2

HSUPA 2.1

HSDPA 7.2

HSUPA 2.1

HSDPA 7.2

HSUPA 2.1

HSDPA 7.2

HSUPA 2.1

HSDPA 7.2

HSUPA 2.1

HSDPA 7.2

HSUPA 2.1

HSDPA 7.2

HSUPA 2.1

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

1199:0fff

1199:0fff

1199:0fff

1199:0fff

1199:0fff

1199:0fff

1199:0fff

1199:0fff

1199:0fff

1199:0fff

1199:0fff

1199:9053

1199:6820

1199:6822

1199:6812

1199:6821

1199:6850

1199:6852

1199:6855

Modem Id

1199:0120

1199:0021

1199:0025

1199:68a3

1199:68a3

1199:68aa

1199:68aa

1199:68a3

1199:68a3

1199:68a3

1199:68a3

1199:9053

1199:6851

1199:6853

1199:6856

1199:6859

Probable

Probable

Probable

Probable

Probable

Probable

Probable

Probable

Probable

Probable

Compatibility

Probable

Probable

Possible

Probable

Probable

Possible

Possible

Probable

Probable

Probable

Probable

Not

Compatible

Not

Compatible

Probable

Manufacturer Model

Sierra Wireless AC885E

Vendor

Sierra Wireless AC890

Sierra Wireless C01SW

Sierra Wireless C02SW

Softbank JP

Softbank JP

Sierra Wireless Compass 597 Sprint US

Sierra Wireless Compass 885

Sierra Wireless Compass 888

Sierra Wireless Compass 889

Sierra Wireless EM5625

Sierra Wireless EM5725

Sierra Wireless EM7305

Sierra Wireless EM7305

Sierra Wireless EM7330

Sierra Wireless EM7340

Sierra Wireless EM7345

Sierra Wireless EM7355

Sierra Wireless EM7700

Sierra Wireless EM8805

Sierra Wireless MC5720

Sierra Wireless MC5720

Sierra Wireless MC5725

JP

AT&T US

3G Standard Default Id

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

CDMA EV-

DO Rev.A

HSDPA 7.2

HSUPA 2.1

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

CDMA EV-

DO Rev.A

CDMA EV-

DO Rev.A

LTE CAT4

1199:0fff

1199:0fff

1199:0fff

1199:0fff

1199:0fff

1199:0fff

1199:0fff

1199:0fff

1199:0fff

1199:0fff

1199:9041

LTE CAT4

LTE CAT4

1199:9063

1199:

LTE CAT3

LTE CAT3

1199:a000

1199:a001

LTE CAT4/

EV-DO Rev.A

LTE CAT3

1199:901f

1199:0fff

DC-HSPA+

42.2/5.76

HSDPA

2.4/0.38

HSDPA

2.4/0.38

CDMA EV-

DO Rev.A

1199:9041

1199:0fff

1199:0fff

1199:0fff

1199:68a3

1199:0017

1199:0022

1199:9041

1199:9063

1199:

1199:a000

1199:a001

Modem Id

1199:685a

1199:68a3

1199:6890

1199:68a3

1199:0023

1199:6880

1199:6890

1199:901f

1199:901c

1199:9041

1199:0018

1199:0218

1199:0020

Compatibility

Probable

Probable

Possible

Probable

Probable

Possible

Possible

Probable

Probable

Probable

Not

Compatible

Not

Compatible

Not

Compatible

Not

Compatible

Not

Compatible

Not

Compatible

Not

Compatible

Not

Compatible

Probable

Probable

Probable

Manufacturer Model

Sierra Wireless MC5725

Sierra Wireless MC5727

Sierra Wireless MC5727

Sierra Wireless MC5728

Sierra Wireless MC7304

Sierra Wireless MC7305

Sierra Wireless MC7330

Sierra Wireless MC7350

Sierra Wireless MC7354

Sierra Wireless MC7355

Sierra Wireless MC7700

Sierra Wireless MC7710

Sierra Wireless MC7750

Sierra Wireless MC7750

Sierra Wireless MC7750

Sierra Wireless MC7770

Sierra Wireless MC8305

Sierra Wireless MC8355

Sierra Wireless MC8700

Sierra Wireless MC8704

Sierra Wireless MC8705

Sierra Wireless MC8705

Sierra Wireless MC8755

Vendor

JP

1199:

1199:

1199:68c0

1199:9041

0f3d:68a2

1199:68a2

1199:68a2

1199:68a9

114f:68a2

1199:901b

Modem Id

1199:0220

1199:0024

1199:0224

1199:0028

1199:68c0

1199:9041

1199:9011

1199:9013

1199:68a3

1199:68a3

1199:68a3

1199:68a5

1199:6802

LTE CAT3

LTE CAT3

LTE CAT3

LTE CAT3

HSPA+

14.4/5.76

HSPA+

14.4/5.76

HSPA+

21.6/5.76

HSPA+

21.6/5.76

HSPA+

21.6/5.76

HSPA+

21.6/5.76

HSDPA

1.8/0.38

3G Standard Default Id

CDMA EV-

DO Rev.A

CDMA EV-

DO Rev.A

CDMA EV-

DO Rev.A

CDMA EV-

DO Rev.A

LTE CAT4

LTE CAT4

1199:0fff

1199:0fff

1199:0fff

1199:0fff

1199:68c0

1199:9041

LTE CAT4 1199:

LTE CAT4/

EV-DO Rev.A

LTE CAT4/

EV-DO Rev.A

LTE CAT4

1199:

1199:68c0

1199:9041

LTE CAT3

LTE CAT3

1199:0fff

1199:0fff

1199:0fff

1199:0fff

1199:0fff

1199:901b

1199:0fff

1199:0fff

1199:0fff

1199:0fff

1199:0fff

1199:0fff

1199:0fff

Not

Compatible

Not

Compatible

Not

Compatible

Unlikely

Not

Compatible

Unlikely

Not

Compatible

Not

Compatible

Not

Compatible

Probable

Probable

Probable

Probable

Probable

Compatibility

Probable

Probable

Probable

Probable

Possible

Not

Compatible

Not

Compatible

Not

Compatible

Possible

Manufacturer Model

Sierra Wireless MC8755

Sierra Wireless MC8755

Sierra Wireless MC8765

Sierra Wireless MC8765

Sierra Wireless MC8765

Sierra Wireless MC8775

Sierra Wireless MC8775

Sierra Wireless MC8775

Sierra Wireless MC8775V

Sierra Wireless MC8780

Sierra Wireless MC8780

Sierra Wireless MC8780

Sierra Wireless MC8781

Sierra Wireless MC8781

Sierra Wireless MC8781

Sierra Wireless MC8785

Sierra Wireless MC8785V

Sierra Wireless MC8790

Sierra Wireless MC8790V

Sierra Wireless MC8791

Sierra Wireless MC8792V

Vendor

1199:6816

1199:6812

1199:6832

1199:6834

1199:6838

1199:6833

1199:6835

1199:6839

Modem Id

1199:6804

1199:6808

1199:6803

1199:6805

1199:6809

1199:6813

1199:6815

1199:683a

1199:683b

1199:683c

1199:683c

1199:683d

1199:683c

3G Standard Default Id

HSDPA

1.8/0.38

HSDPA

1.8/0.38

HSDPA

1.8/0.38

HSDPA

1.8/0.38

HSDPA

1.8/0.38

HSDPA

3.6/0.38

HSDPA

3.6/0.38

HSDPA

3.6/0.38

HSDPA

3.6/0.38

HSDPA 7.2

HSUPA 2.1

HSDPA 7.2

HSUPA 2.1

HSDPA 7.2

HSUPA 2.1

HSDPA 7.2

HSUPA 2.1

HSDPA 7.2

HSUPA 2.1

HSDPA 7.2

HSUPA 2.1

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

1199:0fff

1199:0fff

1199:0fff

1199:0fff

1199:0fff

1199:0fff

1199:0fff

1199:0fff

1199:0fff

1199:0fff

1199:0fff

1199:0fff

1199:0fff

1199:0fff

1199:0fff

1199:0fff

1199:0fff

1199:0fff

1199:0fff

1199:0fff

1199:0fff

Probable

Probable

Probable

Probable

Probable

Probable

Probable

Probable

Probable

Probable

Probable

Probable

Probable

Probable

Compatibility

Probable

Probable

Probable

Probable

Probable

Probable

Probable

Manufacturer Model

Sierra Wireless MC8795V

Sierra Wireless MC8801

SK Teletech

SK Teletech

SK Teletech

Techfaith

Techfaith

Techfaith

Techfaith

Techfaith

Techfaith

Telit

Telit

TP-Link

Vendor

MHS291LVW Pantech

Sony Ericsson EC400

Sony Ericsson MD300

Sony Ericsson MD400

Sony Ericsson MD400G

ST-Ericsson ABS-T920

ST-Ericsson ABS-T930

Techfaith

Techfaith

Telit

Telit

Toshiba

UML-295

UML-295

Aiko 81D

Flying Angel

Pantech

Pantech

Flying

Angel46

Flying Lark

Flying Lark46

LN-72

SSW03A

Venus VT-18

DE910

HE910

LE910

UE910v2

G450

MA180

HSDPA 7.2

HSUPA 2.0

HSDPA 3.6

Leoxsys HSDPA

7.2/0.38

DongHeXing HSDPA 7.2

CDMA EV-

DO

CDMA EV-

DO

HSPA+

21.6/5.76

LTE CAT3

HSDPA 3.6

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

3G Standard Default Id

HSDPA 7.2

HSUPA 5.76

DC-HSPA+

42.2/5.76

LTE

LTE

LTE

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

1199:0fff

1199:0fff

10a9:606f

10a9:606f

10a9:6080

0fce:d0df

0fce:d0cf

0fce:d0e1

0fce:d103

WCDMA

HSDPA 7.2

HSUPA2.0

HSDPA 7.2

04cc:2251

04cc:225c

1d09:1021

1d09:1025

1d09:1025

1d09:1025

1d09:1025

1d09:1000

1d09:1025

05c6:1000

1bc7:1010

1bc7:0021

1bc7:1201

1bc7:1012

0930:0d46

2357:0200

0fce:d103

04cc:2259

04cc:225c

1d09:1010

1d09:1026

1d09:1026

1d09:1026

1d09:1026

1d09:1010

1d09:1026

1d09:4306

1bc7:1010

1bc7:0021

1bc7:1201

1bc7:1012

0930:0d45

2357:0201

Modem Id

1199:683c

1199:68a3

10a9:6064

10a9:6074

10a9:6085

0fce:d0df

0fce:d0cf

0fce:d0e1

Unlikely

Unlikely

Possible

Unlikely

Unlikely

Unlikely

Unlikely

Unlikely

Unlikely

Unlikely

Unlikely

Unlikely

Unlikely

Unlikely

Unlikely

Probable

Probable

Compatibility

Probable

Probable

Unlikely

Unlikely

Unlikely

Unlikely

Unlikely

Unlikely

Manufacturer Model

TP-Link

TP-Link

TP-Link

Vertex

Wireless

Vertex

Wireless

Visiontek

Visiontek

Visiontek

Visiontek

Visiontek

Visiontek

Visiontek

Visiontek

Visiontek

Visiontek

Visiontek

Visiontek

Visiontek

Visiontek

Wisue

MA180

MA180

MA260

VWM100

VWM110

Vertex

Wireless

VWM150

VIA Telecom 3G189C

VIA Telecom CE610

3.75G-72

82GH

ASB W720

BG64

MMX 377G

Olicard 300

RE270

Sense R41

SU-8000U

SU-9300U

TSU240

U1-TF

U2-TF

V-MW100

EDGE 733

Vendor

Tenda

Haier iBall

VisionTek

Beetel

Micromax

Olivetti

Multilaser

Rostelecom

SpeedUP

SpeedUP

Gainwise

CSL

CSL

3G Standard Default Id

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

HSPA+

21.6/5.76

CDMA EV-

DO

CDMA EV-

DO

CDMA EV-

DO

CDMA EV-

DO

CDMA EV-

DO

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

HSDPA 3.6

HSDPA 7.2

HSUPA 5.76

HSPA+

14.4/5.76

HSPA+

21.6/5.76

HSDPA 7.2

HSUPA 5.76

HSPA+

21.6/5.76

HSDPA 3.6

HSDPA 7.2

HSUPA 5.76

HSDPA 3.6

HSDPA 3.6

HSDPA 3.6

2357:0200

2357:0200

2357:f000

05c6:1000

05c6:1000

05c6:1000

15eb:7153

15eb:7153

2020:0002

2020:f00e

2020:f00e

2020:0002

2020:0002

2020:0002

2020:0002

2020:0002

2020:f00f

2020:f00e

2020:f00f

2020:f00e

2020:f00f

Olive Telecom HSDPA 7.2

HSUPA 5.76

Hojy CDMA EV-

DO

2020:f00e

1dbc:8005

15eb:7152

2020:2000

2020:1008

2020:1005

2020:2000

2020:4010

2020:4000

2020:2000

2020:4000

2020:1005

2020:1008

2020:1005

2020:1005

2020:1005

2020:1008

1dbc:8005

Modem Id

2357:0202

2357:0203

2357:9000

1fe7:0100

1fe7:0100

1fe7:0100

15eb:7152

Probable

Probable

Probable

Probable

Probable

Not

Compatible

Not

Compatible

Probable

Not

Compatible

Unlikely

Probable

Unlikely

Probable

Not

Compatible

Probable

Unlikely

Compatibility

Possible

Possible

Probable

Possible

Possible

Possible

Probable

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

Manufacturer Model

Wisue MD950

Wisue

Wisue

MMX 354G

MMX 355G

Vendor

Vodafone

Micromax

Micromax

3G-910

76E

82D

83D

A353

A355

A356

A365

A371

AC560 iFox

Aiko

Aiko

Aiko

AC580

AC581

AC582

AC583

AC682

AC2710

AC2726

AC2736

AC2737

AC2738 Reliance

19d2:0094

19d2:0094

19d2:0152

19d2:0152

19d2:ffdd

19d2:ffff

19d2:fff1

19d2:fff1

19d2:fff1

19d2:ffe9

Modem Id

1dbc:0005

1dbc:0669

1dbc:0669

19d2:0031

19d2:fffe

19d2:0001

19d2:0057

19d2:0079

19d2:0079

19d2:0079

19d2:0079

19d2:0170

19d2:0094

3G Standard Default Id

CDMA EV-

DO

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

HSDPA

3.6/0.38

CDMA EV-

DO

HSDPA

7.2/0.38

HSDPA

7.2/0.38

WCDMA

WCDMA

CDMA EV-

DO

CDMA EV-

DO

CDMA EV-

DO

CDMA EV-

DO

CDMA EV-

DO

CDMA EV-

DO

WCDMA

WCDMA

WCDMA

CDMA EV-

DO

CDMA EV-

DO

CDMA EV-

DO

CDMA EV-

DO

CDMA EV-

DO

1dbc:0005

1dbc:0669

1dbc:0669

19d2:2000

19d2:fff5

19d2:2000

19d2:2000

19d2:0120

19d2:0120

19d2:0120

19d2:0120

19d2:0169

19d2:0026

19d2:0026

19d2:0026

19d2:0026

19d2:0026

19d2:ffde

19d2:fff5

19d2:fff5

19d2:fff5

19d2:fff5

19d2:fff5

Probable

Probable

Probable

Probable

Probable

Probable

Probable

Probable

Probable

Possible

Compatibility

Unlikely

Unlikely

Unlikely

Probable

Probable

Probable

Possible

Probable

Probable

Probable

Probable

Probable

Probable

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

Manufacturer Model

ZTE AC2746

ZTE

ZTE

AC2766

AC2787

AC2791

AC3781

AC8700

AC8710

AC8710

AC8710T

AD3812

K2525-Z

K3520-Z

K3563-Z

K3565-Z

K3565-Z

K3570-Z

K3571-Z

K3765-Z

K3770-Z

K3772-Z

K3805-Z

K3806-Z

Vendor

Reliance

Cricket

Reliance

Reliance

Vodafone

Onda

Vodafone

Vodafone

Vodafone

Vodafone

Vodafone

Vodafone

Vodafone

Vodafone

Vodafone

Modem Id

19d2:fff1

19d2:fff1

19d2:fff1

19d2:fffe

19d2:ffe4

19d2:fffe

19d2:fff1

19d2:ffff

19d2:ffff

19d2:ffeb

19d2:0022

19d2:0055

19d2:0052

19d2:0052

19d2:0063

19d2:1008

19d2:1010

19d2:2002

19d2:1176

19d2:1181

19d2:1003

19d2:1015

HSDPA

3.6/0.38

HSDPA

3.6/0.38

HSDPA

3.6/0.38

HSDPA

7.2/0.38

HSDPA 7.2

HSUPA 2.0

HSDPA 7.2

HSUPA 2.0

HSDPA 7.2

HSUPA 5.76

HSPA+

14.4/5.76

HSPA+

14.4/5.76

3G Standard Default Id

CDMA EV-

DO

CDMA EV-

DO

CDMA EV-

DO

CDMA EV-

DO

CDMA EV-

DO

CDMA EV-

DO

CDMA EV-

DO

CDMA EV-

DO

CDMA EV-

DO

HSDPA

7.2/2.0

EDGE

HSDPA,

WCDMA

19d2:fff5

19d2:fff5

19d2:fff5

19d2:fff5

19d2:fff5

19d2:fff5

19d2:fff6

19d2:fff5

19d2:ffff

19d2:ffeb

19d2:0040

19d2:2000

19d2:2000

19d2:2000

19d2:2000

19d2:1007

19d2:1009

19d2:2000

19d2:1175

19d2:1179

19d2:1001

19d2:1013

Probable

Unlikely

Unlikely

Probable

Probable

Compatibility

Probable

Probable

Probable

Probable

Possible

Probable

Possible

Probable

Probable

Probable

Probable

Probable

Probable

Possible

Probable

Probable

Probable

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

Manufacturer Model

ZTE K4201-Z

ZTE

ZTE

K4201-Z

K4201 I

K4203-Z

K4505-Z

K4510-Z

K4607-Z

K4607-Z

K5006-Z

K5008-Z

Vendor

Vodafone

Vodafone

MF66

MF70

MF80

MF90

MF91D

MC503HSA Onda

MC2716

MC2718

MDC502HS Onda

MDC525UPA Onda

MF30

MF60

MF60

True TH

Vodafone

Vodafone

Vodafone

Vodafone

Vodafone

Vodafone

Vodafone

19d2:0037

19d2:ffed

19d2:ffe8

19d2:0002

19d2:0037

19d2:0031

19d2:1402

19d2:1402

Modem Id

19d2:1023

19d2:1024

19d2:0017

19d2:1048

19d2:0104

19d2:1173

19d2:1039

19d2:1040

19d2:1018

19d2:1032

19d2:1403

19d2:1405

19d2:1402

19d2:0447

19d2:1426

3G Standard Default Id

HSPA+

21.6/5.76

HSPA+

21.6/5.76

HSPA+

21.6/5.76

HSPA+

21.6/5.76

HSPA+

21.6/5.76

DC-HSPA+

28.8/5.76

DC-HSPA+

42.2/5.76

DC-HSPA+

42.2/5.76

LTE CAT3

LTE CAT3

19d2:1022

19d2:1022

19d2:1237

19d2:1046

19d2:0101

19d2:1171

19d2:1038

19d2:1038

19d2:1017

19d2:1030

HSDPA 7.2

HSUPA 2.0

CDMA EV-

DO

CDMA EV-

DO

HSDPA 7.2

HSUPA 3.6

HSDPA 7.2

HSUPA 2.0

HSDPA 7.2

HSUPA 5.76

HSPA+

21.6/5.76

HSPA+

21.6/5.76

HSPA+

21.6/5.76

HSPA+

21.6/5.76

DC-HSPA+

42.2/5.76

LTE CAT3

LTE CAT3

19d2:2000

19d2:ffed

19d2:ffe8

19d2:2000

19d2:2000

19d2:2000

19d2:2000

19d2:2004

19d2:1225

19d2:1225

19d2:2000

19d2:0388

19d2:0166

Unlikely

Unlikely

Probable

Probable

Probable

Probable

Unlikely

Probable

Probable

Probable

Unlikely

Possible

Compatibility

Not

Compatible

Not

Compatible

Possible

Not

Compatible

Probable

Probable

Unlikely

Unlikely

Probable

Not

Compatible

Probable

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

Manufacturer Model

ZTE

ZTE

ZTE

MF93E

MF93E

MF100

ZTE

ZTE

MF100

MF110

MF110

MF110

MF112

MF112

MF160J

MF170

MF190

MF190

MF190J

MF190J

MF190

MF190

MF190

MF190

MF180

MF180

MF182

MF190

Vendor

Movistar

Beeline RU

MTC

O2

3G Standard Default Id

LTE CAT3

LTE CAT3

HSDPA

3.6/0.38

HSDPA

3.6/0.38

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 2.0

HSDPA 7.2

HSUPA 2.0

Tata Docomo HSDPA 7.2

HSUPA 2.0

Cell C, SA HSDPA 7.2

HSUPA 2.0

HSDPA 7.2

HSUPA 2.0

HSDPA 7.2

HSUPA 2.0

HSPA+

21.6/5.76

HSPA+

21.6/5.76

HSDPA 7.2

HSUPA 2.0

WCDMA

HSDPA

3.6/0.38

HSDPA

3.6/0.38

HSDPA

3.6/0.38

HSPA+

21.6/5.76

HSDPA 7.2

HSUPA 2.0

HSDPA 7.2

HSUPA 2.0

19d2:1225

19d2:1225

19d2:2000

19d2:2000

19d2:0053

19d2:0083

19d2:2000

19d2:0103

19d2:0103

19d2:1542

19d2:2000

19d2:2000

19d2:2000

19d2:1225

19d2:0083

19d2:0149

19d2:0149

19d2:0154

19d2:1224

19d2:2000

19d2:2000

19d2:1536

19d2:1542

19d2:0117

19d2:2003

19d2:1405

19d2:0117

19d2:0124

19d2:0124

19d2:1254

19d2:0082

Modem Id

19d2:1403

19d2:1405

19d2:0031

19d2:0039

19d2:0031

19d2:0124

19d2:0016

19d2:0031

19d2:0117

19d2:1544

19d2:0031

19d2:0017

19d2:0042

19d2:1538

19d2:1544

Probable

Probable

Probable

Possible

Probable

Probable

Possible

Probable

Probable

Probable

Probable

Possible

Possible

Probable

Compatibility

Probable

Probable

Probable

Possible

Probable

Probable

Possible

Unlikely

Probable

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

Manufacturer Model

ZTE MF190S

ZTE

ZTE

MF192

MF192

MF192

MF192

MF195

MF195

MF195E

MF195E

MF196

MF197

MF200

MF205

MF210

MF210v1

MF210v2

MF212

MF220

MF260

MF591

MF620

Vendor

Korea

T-Mobile

19d2:1515

19d2:1582

19d2:1527

19d2:1405

19d2:

19d2:

19d2:2003

19d2:0117

Modem Id

19d2:0108

19d2:1217

19d2:1218

19d2:1515

19d2:1519

19d2:1211

19d2:1212

19d2:2003

19d2:2003

19d2:1300

19d2:

19d2:1525

19d2:0001

3G Standard Default Id

HSPA

WCDMA

HSPA+

21.6/5.76

HSPA+

21.6/5.76

HSPA+

21.6/5.76

HSPA+

21.6/5.76

HSPA+

21.6/5.76

HSPA+

21.6/5.76

HSPA+

21.6/5.76

HSDPA

3.6/0.38

HSDPA

7.2/5.76

HSDPA

7.2/5.76

HSDPA

7.2/5.76

HSPA+

21.6/5.76

HSPA+

21.6/5.76

HSPA+

14.4/5.76

HSDPA

3.6/0.38

HSDPA

7.2/5.76

HSPA+

14.4/5.76

HSDPA

21.6/5.76

HSPA+

21.6/5.76

HSDPA

7.2/0.38

19d2:0154

19d2:1216

19d2:1216

19d2:1514

19d2:1517

19d2:1210

19d2:1210

19d2:1514

19d2:1580

19d2:1528

19d2:1225

19d2:

19d2:

19d2:2003

19d2:0117

19d2:2003

19d2:2003

19d2:1300

19d2:

19d2:1523

19d2:2000

Unlikely

Unlikely

Unlikely

Unknown

Possible

Probable

Possible

Unlikely

Possible

Probable

Unknown

Unknown

Unlikely

Unlikely

Compatibility

Possible

Possible

Possible

Possible

Possible

Unlikely

Unlikely

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

Manufacturer Model

ZTE MF622

ZTE

ZTE

MF626

MF626

MF626

MF627

MF627

MF628

MF631

MF632

MF633

MF636

MF636DB

MF637

MF637U

MF638

MF645

MF651

MF652

MF652

MF656

MF662

Vendor

AU

Telstra AU

Orange UK

Orange FR

3AT

3G Standard Default Id

HSDPA

7.2/0.38

HSDPA

3.6/0.38

Onda HSDPA

3.6/0.38

BSNL India HSDPA

3.6/0.38

HSDPA 7.2

HSUPA 5.76

HSDPA

3.6/0.38

HSDPA

7.2/0.38

HSDPA 7.2

HSUPA 5.76

HSPA+

14.4/5.76

HSPA+

14.4/5.76

HSPA+

14.4/5.76

HSPA+

14.4/5.76

HSPA+

21.6/5.76

HSDPA 7.2

HSUPA 3.6

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 5.76

HSDPA 7.2

HSUPA 2.0

19d2:2000

19d2:2000

19d2:2000

19d2:2000

19d2:2000

19d2:2000

19d2:2000

19d2:2000

19d2:2000

19d2:2000

19d2:2000

19d2:2000

19d2:0110

19d2:2000

19d2:2000

19d2:2000

19d2:0115

19d2:1520

19d2:1520

19d2:0150

19d2:2000

19d2:2003

19d2:0002

19d2:0031

19d2:0031

19d2:0033

19d2:0121

19d2:0002

19d2:0037

Modem Id

19d2:0001

19d2:0031

19d2:0066

19d2:0108

19d2:0031

19d2:0064

19d2:0015

19d2:0086

19d2:0116

19d2:0142

19d2:1522

19d2:

19d2:0017

Possible

Possible

Probable

Possible

Unknown

Probable

Probable

Probable

Probable

Probable

Possible

Probable

Probable

Probable

Compatibility

Probable

Probable

Probable

Probable

Probable

Probable

Probable

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

Manufacturer Model

ZTE MF667

ZTE

ZTE

MF667

MF667C

MF668

MF668

MF668

MF668A

MF683

MF691

MF710

MF710

MF668A

MF669

MF680

MF680

MF710

MF710M

MF710M

MF730M

MF730M

MF820D

MF820S

MF821

Vendor

3 IT

AIS TH

CellC SA

Telstra

T-Mobile

Viettel VN

Viettel VN

Telstra

19d2:0031

19d2:1252

19d2:0124

19d2:0017

19d2:0157

19d2:1203

19d2:1589

19d2:1592

Modem Id

19d2:1405

19d2:1268

19d2:0117

19d2:0082

19d2:0017

19d2:0082

19d2:0124

19d2:1600

19d2:1403

19d2:1405

19d2:1403

19d2:1405

19d2:0167

19d2:0199

19d2:0257

3G Standard Default Id

HSPA+

21.6/5.76

HSPA+

21.6/5.76

HSPA+

21.6/5.76

HSPA+

21.6/5.76

HSPA+

21.6/5.76

HSPA+

21.6/5.76

HSPA+

21.6/5.76

HSPA+

21.6/5.76

HSPA+

21.6/5.76

HSPA+

21.6/5.76

DC-HSPA+

42.2/11.5

DC-HSPA+

42.2/11.5

LTE CAT3

LTE CAT3

LTE CAT3

HSPA+

21.6/5.76

DC-HSPA+

42.2/5.76

DC-HSPA+

42.2/5.76

DC-HSPA+

42.2/5.76

HSPA+

21.6/5.76

HSPA+

21.6/5.76

HSPA+

21.6/5.76

HSPA+

21.6/5.76

19d2:1225

19d2:1232

19d2:2000

19d2:1224

19d2:2000

19d2:2000

19d2:0150

19d2:2000

19d2:1227

19d2:0150

19d2:2000

19d2:2000

19d2:1201

19d2:1588

19d2:1595

19d2:1595

19d2:1420

19d2:1420

19d2:1420

19d2:1420

19d2:0166

19d2:0198

19d2:0166

Unlikely

Unlikely

Unlikely

Probable

Unlikely

Possible

Probable

Probable

Probable

Probable

Probable

Possible

Unlikely

Unlikely

Not

Compatible

Unlikely

Compatibility

Probable

Possible

Probable

Probable

Probable

Possible

Probable

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

Manufacturer Model

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

MF821D

MF821D

MF821D

MF822

MF823

MF823

MF823

ZTE

ZTE

Vendor

O2

Telenor No

MF823

MF825A

MF825A

MF825A

MF826

MF826

MF827

MF831

MF880

MH600HS

Airtel

Airtel

AirTel

Onda

MSA190UP Onda

MSA405HS Onda

MSA501HS Onda

MT191UP Onda

MT503HS Onda

MT503HSA Onda

MT505UP

MT505UP

Onda

Onda

MT505UP

MT505UP

MT505UP

MT505UP

MT505UP

Onda

Onda

Onda

Onda

Onda

MT512HS Onda

3G Standard Default Id

LTE CAT3

LTE CAT3

LTE CAT3

LTE CAT3

LTE CAT3

LTE CAT3

LTE CAT3

19d2:0166

19d2:0325

19d2:0304

19d2:

19d2:1225

19d2:1225

19d2:1257

HSDPA 7.2

HSUPA 5.76

HSUPA

HSUPA

HSUPA

HSUPA

HSUPA

HSUPA

HSUPA

HSUPA

HSPA

WCDMA

HSDPA 7.2

HSUPA 3.6

LTE CAT3

LTE CAT3

LTE CAT3

LTE CAT3

LTE CAT3

LTE CAT3

LTE CAT3

LTE CAT4

LTE CAT3

HSDPA

7.2/0.38

HSUPA

HSDPA 7.2

HSUPA 2.0

HSDPA 7.2

HSUPA 2.0

19d2:1257

19d2:1225

19d2:1225

19d2:1238

19d2:0318

19d2:0318

19d2:0388

19d2:1225

19d2:0166

19d2:2000

19d2:2000

19d2:2000

19d2:2000

19d2:2000

19d2:2000

19d2:2000

19d2:2000

19d2:2000

19d2:2000

19d2:2000

19d2:2000

19d2:2000

19d2:2000

19d2:2000

Probable

Probable

Possible

Possible

Probable

Probable

Probable

Probable

Probable

Probable

Probable

Probable

Compatibility

Unlikely

Probable

Probable

Probable

Unlikely

Unlikely

Unlikely

Unlikely

Possible

Probable

Probable

Probable

Unlikely

Unknown

Probable

Probable

Not

Compatible

Probable

Probable

Modem Id

19d2:0167

19d2:0326

19d2:0349

19d2:

19d2:1403

19d2:1405

19d2:1257

19d2:1405

19d2:1403

19d2:1408

19d2:0017

19d2:0317

19d2:0330

19d2:0387

19d2:1403

19d2:0284

19d2:0001

19d2:0091

19d2:0037

19d2:0037

19d2:0037

19d2:0033

19d2:0024

19d2:0015

19d2:0016

19d2:0017

19d2:0037

19d2:0052

19d2:0055

19d2:0108

19d2:0002

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

Manufacturer Model

ZTE MT689DC

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

ZTE

MT8205

MU330

MU350

MU351

MW191UP

PHS101

PHS300

PHS600

R203

R203

R206-z

R206-z

R206-z

R209-z

R212

R212

R212

Vendor

Onda

Onda

Onda

Prolink

Prolink

Prolink

Vodafone

Vodafone

Vodafone

Vodafone

Vodafone

Vodafone

Vodafone

Vodafone

Vodafone

3G Standard Default Id

DC-HSPA+

42.2/5.76

LTE CAT3

TD-SCDMA 19d2:0003

TD-SCDMA 19d2:0003

HSDPA 7.2

HSUPA 5.76

HSDPA 3.6

19d2:2000

19d2:0266

19d2:0090

19d2:2000

19d2:2000

19d2: HSDPA 7.2

HSUPA 5.76

HSPA+

21.6/5.76

19d2:

19d2:1019 HSPA+

14.4/5.76

HSPA+

14.4/5.76

HSPA+

21.6/5.76

HSPA+

21.6/5.76

19d2:1020

19d2:1034

19d2:1034

19d2:1034 HSPA+

21.6/5.76

DC-HSPA+

42.2/5.76

LTE CAT3

LTE CAT3

LTE CAT3

19d2:1042

19d2:1026

19d2:1026

19d2:1026

Modem Id

19d2:0019

19d2:0265

19d2:0034

19d2:0003

19d2:0003

19d2:0016

19d2:0151

19d2:1253

19d2:1253

19d2:1021

19d2:1021

19d2:1035

19d2:1036

19d2:1037

19d2:1043

19d2:1027

19d2:1028

19d2:1029

Unlikely

Unlikely

Unlikely

Unlikely

Unlikely

Unlikely

Compatibility

Possible

Probable

Unlikely

Probable

Probable

Probable

Possible

Unlikely

Unlikely

Unlikely

Unlikely

Unlikely

Appendix F - Compatibility with SFMOS 15.01.0

The following applies to Sophos Firewall devices running SFOS versions above 16.01.0 when they are managed through SFMOS 15.01.0:

• With SFM-OS V15, only SF-OS V15 features can be managed from the group level. To manage SF-OS V16 features, use the device level view in SFM-OS V15.

• The UI of an SF-OS V16 device, as seen through SFM-OS V15, is not updated to match the actual SF-OS V16 UI.

Note: The following warning is displayed when you open the device level view of any SF-OS V16 device from SFM-OS V15. Click Do not show this message again on SFM if you do not want to see this warning again.

Appendix G - Additional Documents

1. Command Reference Guide

2. Reports Guide

3. Software Appliance - Getting Started Guide

4. Virtual Appliance - Getting Started Guide

5. API Help

6. Web Interface Reference and Admin Guide

7. List of RED Supported 3G/4G/LTE USB Dongles

8. Release Notes and guides to help with Cyberoam to XG Firewall migration

9. How-to videos and guides to get started with XG Firewall

Copyright Notice

Copyright 2016-2017 Sophos Limited. All rights reserved.

Sophos is a registered trademark of Sophos Limited and Sophos Group. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the license terms or you otherwise have the prior permission in writing of the copyright owner.
