Freedom9 freeGuard 100 Administration Manual

freeGuard 100 Administration Guide
freeGuard 100
UTM Firewall
ADMINISTRATION GUIDE
P/N: F0025000
Rev. 1.1
Copyright and Trademark Information
This document contains proprietary information that is protected by copyright. All rights reserved. No
part of this document may be photocopied, reproduced, or translated into another language without
express prior written consent of Freedom9 Inc.
© Copyright 2006, freeGuard and the freedom9 company logo are trademarks or registered
trademarks of Freedom9 Inc. All rights reserved. Windows is a trademark or registered trademark of
Microsoft Corporation. Other trademarks or registered trademarks are the property of their respective
holders.
TABLE OF CONTENTS
1 INTRODUCTION
1.1 ABOUT FREEGUARD 100 UTM FIREWALLS
1.1.1 ANTIVIRUS PROTECTION
1.1.2 WEB CONTENT FILTERING
1.1.3 SPAM FILTERING
1.1.4 FIREWALL
1.1.5 VLANS AND VIRTUAL DOMAINS
1.1.6 INTRUSION PREVENTION SYSTEM (IPS)
1.1.7 VPN
1.1.8 HIGH AVAILABILITY
1.1.9 SECURE INSTALLATION, CONFIGURATION, AND MANAGEMENT
1.2 DOCUMENT CONVENTIONS
1.3 FREEDOM9 DOCUMENTATION
2 WEB-BASED MANAGER
2.1 BUTTON BAR FEATURES
2.1.1 CONTACT CUSTOMER SUPPORT
2.1.2 EASY SETUP WIZARD
2.1.3 CONSOLE ACCESS
2.1.4 LOGOUT
2.2 WEB-BASED MANAGER PAGES
2.2.1 WEB-BASED MANAGER MENU
2.2.2 LISTS
2.2.3 ICONS
2.2.4 STATUS BAR
2.3 ORGANIZATION OF THIS MANUAL
3 SYSTEM STATUS
3.1 STATUS
3.1.1 VIEWING SYSTEM STATUS
3.1.2 CHANGING UNIT INFORMATION
3.2 SESSION LIST
3.3 CHANGING THE FREEGUARD 100 FIRMWARE
3.3.1 UPGRADING TO A NEW FIRMWARE VERSION
3.3.2 REVERTING TO A PREVIOUS FIRMWARE VERSION
3.3.3 INSTALLING FIRMWARE IMAGES FROM A SYSTEM REBOOT USING THE CLI
3.3.4 TESTING A NEW FIRMWARE IMAGE BEFORE INSTALLING IT
4 SYSTEM NETWORK
4.1 INTERFACE
4.1.1 INTERFACE SETTINGS
4.1.2 CONFIGURING INTERFACES
4.2 ZONE
4.2.1 ZONE SETTINGS
4.3 MANAGEMENT
4.4 DNS
4.5 ROUTING TABLE (TRANSPARENT MODE)
4.5.1 ROUTING TABLE LIST
4.5.2 TRANSPARENT MODE ROUTE SETTINGS
4.6 CONFIGURING THE MODEM INTERFACE
4.6.1 CONNECTING A MODEM TO THE FREEGUARD 100
4.6.2 CONFIGURING MODEM SETTINGS
4.6.3 REDUNDANT MODE CONFIGURATION
4.6.4 STANDALONE MODE CONFIGURATION
4.6.5 ADDING FIREWALL POLICIES FOR MODEM CONNECTIONS
4.6.6 CONNECTING AND DISCONNECTING THE MODEM
4.6.7 CHECKING MODEM STATUS
4.7 VLAN OVERVIEW
4.7.1 FREEGUARD 100S AND VLANS
4.8 VLANS IN NAT/ROUTE MODE
4.8.1 RULES FOR VLAN IDS
4.8.2 RULES FOR VLAN IP ADDRESSES
4.8.3 ADDING VLAN SUB INTERFACES
4.9 VLANS IN TRANSPARENT MODE
4.9.1 RULES FOR VLAN IDS
4.9.2 TRANSPARENT MODE VIRTUAL DOMAINS AND VLANS
4.9.3 TRANSPARENT MODE VLAN LIST
4.9.4 TRANSPARENT MODE VLAN SETTINGS
4.10 FREEGUARD 100 IPV6 SUPPORT
5 SYSTEM DHCP
5.1 SERVICE
5.1.1 DHCP SERVICE SETTINGS
5.2 SERVER
5.2.1 DHCP SERVER SETTINGS
5.3 EXCLUDE RANGE
5.3.1 DHCP EXCLUDE RANGE SETTINGS
5.4 IP/MAC BINDING
5.4.1 DHCP IP/MAC BINDING SETTINGS
5.5 DYNAMIC IP
6 SYSTEM CONFIG
6.1 SYSTEM TIME
6.2 OPTIONS
6.3 HA
6.3.1 HA OVERVIEW
6.3.2 HA CONFIGURATION
6.3.3 CONFIGURING AN HA CLUSTER
6.3.4 MANAGING AN HA CLUSTER
6.4 SNMP
6.4.1 CONFIGURING SNMP
6.4.2 SNMP COMMUNITY
6.4.3 FREEGUARD 100 MIBS
6.4.4 FREEGUARD 100 TRAPS
6.4.5 FREEDOM9 MIB FIELDS
6.5 REPLACEMENT MESSAGES
6.5.1 REPLACEMENT MESSAGES LIST
6.5.2 CHANGING REPLACEMENT MESSAGES
7 SYSTEM ADMIN
7.1 ADMINISTRATORS
7.1.1 ADMINISTRATORS LIST
7.1.2 ADMINISTRATORS OPTIONS
7.2 ACCESS PROFILES
7.2.1 ACCESS PROFILE LIST
7.2.2 ACCESS PROFILE OPTIONS
8 SYSTEM MAINTENANCE
8.1 BACKUP AND RESTORE
8.1.1 BACKING UP AND RESTORING
8.2 UPDATE CENTER
8.2.1 UPDATING ANTIVIRUS AND ATTACK DEFINITIONS
8.2.2 ENABLING PUSH UPDATES
9 SYSTEM VIRTUAL DOMAIN
9.1 VIRTUAL DOMAIN PROPERTIES
9.1.1 EXCLUSIVE VIRTUAL DOMAIN PROPERTIES
9.1.2 SHARED CONFIGURATION SETTINGS
9.1.3 ADMINISTRATION AND MANAGEMENT
9.2 VIRTUAL DOMAINS
9.2.1 ADDING A VIRTUAL DOMAIN
9.2.2 SELECTING A VIRTUAL DOMAIN
9.2.3 SELECTING A MANAGEMENT VIRTUAL DOMAIN
9.3 CONFIGURING VIRTUAL DOMAINS
9.3.1 ADDING INTERFACES, VLAN SUB INTERFACES, AND ZONES TO A VIRTUAL DOMAIN
9.3.2 CONFIGURING ROUTING FOR A VIRTUAL DOMAIN
9.3.3 CONFIGURING FIREWALL POLICIES FOR A VIRTUAL DOMAIN
9.3.4 CONFIGURING IPSEC VPN FOR A VIRTUAL DOMAIN
10 ROUTER
10.1 STATIC
10.1.1 STATIC ROUTE LIST
10.1.2 STATIC ROUTE OPTIONS
10.2 POLICY
10.2.1 POLICY ROUTE LIST
10.2.2 POLICY ROUTE OPTIONS
10.3 RIP
10.3.1 NETWORKS LIST
10.3.2 NETWORKS OPTIONS
10.3.3 INTERFACE LIST
10.3.4 INTERFACE OPTIONS
10.3.5 DISTRIBUTE LIST
10.3.6 DISTRIBUTE LIST OPTIONS
10.3.7 OFFSET LIST
10.3.8 OFFSET LIST OPTIONS
10.4 ROUTER OBJECTS
10.4.1 ACCESS LIST
10.4.2 NEW ACCESS LIST
10.4.3 NEW ACCESS LIST ENTRY
10.4.4 PREFIX LIST
10.4.5 NEW PREFIX LIST
10.4.6 NEW PREFIX LIST ENTRY
10.4.7 ROUTE-MAP LIST
10.4.8 NEW ROUTE-MAP
10.4.9 ROUTE MAP LIST ENTRY
10.4.10 KEY CHAIN LIST
10.4.11 NEW KEY CHAIN
10.4.12 KEY CHAIN LIST ENTRY
10.5 MONITOR
10.5.1 ROUTING MONITOR LIST
11 FIREWALL
11.1 POLICY
11.1.1 HOW POLICY MATCHING WORKS
11.1.2 POLICY LIST
11.1.3 POLICY OPTIONS
11.1.4 ADVANCED POLICY OPTIONS
11.1.5 CONFIGURING FIREWALL POLICIES
11.1.6 POLICY CLI CONFIGURATION
11.2 ADDRESS
11.2.1 ADDRESS LIST
11.2.2 ADDRESS OPTIONS
11.2.3 CONFIGURING ADDRESSES
11.2.4 ADDRESS GROUP LIST
11.2.5 ADDRESS GROUP OPTIONS
11.2.6 CONFIGURING ADDRESS GROUPS
11.3 SERVICE
11.3.1 PREDEFINED SERVICE LIST
11.3.2 CUSTOM SERVICE LIST
11.3.3 CUSTOM SERVICE OPTIONS
11.3.4 CONFIGURING CUSTOM SERVICES
11.3.5 SERVICE GROUP LIST
11.3.6 SERVICE GROUP OPTIONS
11.3.7 CONFIGURING SERVICE GROUPS
11.4 SCHEDULE
11.4.1 ONE-TIME SCHEDULE LIST
11.4.2 ONE-TIME SCHEDULE OPTIONS
11.4.3 CONFIGURING ONE-TIME SCHEDULES
11.4.4 RECURRING SCHEDULE LIST
11.4.5 RECURRING SCHEDULE OPTIONS
11.4.6 CONFIGURING RECURRING SCHEDULES
11.5 VIRTUAL IP
11.5.1 VIRTUAL IP LIST
11.5.2 VIRTUAL IP OPTIONS
11.5.3 CONFIGURING VIRTUAL IPS
11.6 IP POOL
11.6.1 IP POOL LIST
11.6.2 IP POOL OPTIONS
11.6.3 CONFIGURING IP POOLS
11.6.4 IP POOLS FOR FIREWALL POLICIES THAT USE FIXED PORTS
11.6.5 IP POOLS AND DYNAMIC NAT
11.7 PROTECTION PROFILE
11.7.1 PROTECTION PROFILE LIST
11.7.2 DEFAULT PROTECTION PROFILES
11.7.3 PROTECTION PROFILE OPTIONS
11.7.4 CONFIGURING PROTECTION PROFILES
11.7.5 PROFILE CLI CONFIGURATION
12 USER
12.1 SETTING AUTHENTICATION TIMEOUT
12.2 LOCAL
12.2.1 LOCAL USER LIST
12.2.2 LOCAL USER OPTIONS
12.3 RADIUS
12.3.1 RADIUS SERVER LIST
12.3.2 RADIUS SERVER OPTIONS
12.4 LDAP
12.4.1 LDAP SERVER LIST
12.4.2 LDAP SERVER OPTIONS
12.5 USER GROUP
12.5.1 USER GROUP LIST
12.5.2 USER GROUP OPTIONS
13 VPN
13.1 PHASE 1
13.1.1 PHASE 1 LIST
13.1.2 PHASE 1 BASIC SETTINGS
13.1.3 PHASE 1 ADVANCED SETTINGS
13.2 PHASE 2
13.3 PHASE 2 LIST
13.3.1 PHASE 2 BASIC SETTINGS
13.3.2 PHASE 2 ADVANCED OPTIONS
13.4 MANUAL KEY
13.4.1 MANUAL KEY LIST
13.4.2 MANUAL KEY OPTIONS
13.5 CONCENTRATOR
13.5.1 CONCENTRATOR LIST
13.5.2 CONCENTRATOR OPTIONS
13.6 PING GENERATOR
13.6.1 PING GENERATOR OPTIONS
13.7 MONITOR
13.7.1 DIALUP MONITOR
13.7.2 STATIC IP AND DYNAMIC DNS MONITOR
13.8 PPTP
13.8.1 PPTP RANGE
13.9 L2TP
13.9.1 L2TP RANGE
13.10 CERTIFICATES
13.10.1 LOCAL CERTIFICATE LIST
13.10.2 CERTIFICATE REQUEST
13.10.3 IMPORTING SIGNED CERTIFICATES
13.10.4 CA CERTIFICATE LIST
13.10.5 IMPORTING CA CERTIFICATES
13.11 VPN CONFIGURATION PROCEDURES
13.11.1 ADDING FIREWALL POLICIES FOR IPSEC VPN TUNNELS
13.11.2 PPTP CONFIGURATION PROCEDURES
13.11.3 L2TP CONFIGURATION PROCEDURES
14 IPS
14.1 SIGNATURE
14.1.1 PREDEFINED
14.1.2 CUSTOM
14.2 ANOMALY
14.3 CONFIGURING AN ANOMALY ......................................................................................................... 220
15 ANTIVIRUS..........................................................................................................223
15.1 FILE BLOCK ................................................................................................................................ 224
15.1.1 FILE BLOCK LIST................................................................................................................ 224
15.2 CONFIG...................................................................................................................................... 225
15.2.1 VIRUS LIST........................................................................................................................ 226
15.2.2 CONFIG............................................................................................................................ 226
15.2.3 GRAYWARE....................................................................................................................... 227
15.2.4 GRAYWARE OPTIONS......................................................................................................... 227
15.3 CLI CONFIGURATION................................................................................................................... 228
15.3.1 CONFIG ANTIVIRUS HEURISTIC............................................................................................ 228
15.3.2 CONFIG ANTIVIRUS SERVICE HTTP....................................................................................... 229
15.3.3 CONFIG ANTIVIRUS SERVICE FTP......................................................................................... 230
15.3.4 CONFIG ANTIVIRUS SERVICE POP3...................................................................................... 232
15.3.5 CONFIG ANTIVIRUS SERVICE IMAP....................................................................................... 233
15.3.6 CONFIG ANTIVIRUS SERVICE SMTP ...................................................................................... 234
16 WEB FILTER........................................................................................................236
16.1 CONTENT BLOCK ........................................................................................................................ 237
16.1.1 WEB CONTENT BLOCK LIST ................................................................................................ 237
16.1.2 WEB CONTENT BLOCK OPTIONS ......................................................................................... 237
16.1.3 CONFIGURING THE WEB CONTENT BLOCK LIST .................................................................... 238
16.2 URL BLOCK................................................................................................................................ 239
16.2.1 WEB URL BLOCK LIST....................................................................................................... 239
16.2.2 WEB URL BLOCK OPTIONS ................................................................................................ 239
16.2.3 CONFIGURING THE WEB URL BLOCK LIST ........................................................................... 240
16.2.4 WEB PATTERN BLOCK LIST................................................................................................. 240
16.2.5 WEB PATTERN BLOCK OPTIONS .......................................................................................... 241
16.2.6 CONFIGURING WEB PATTERN BLOCK................................................................................... 241
16.3 URL EXEMPT.............................................................................................................................. 241
16.3.1 URL EXEMPT LIST............................................................................................................. 241
16.3.2 URL EXEMPT LIST OPTIONS ............................................................................................... 242
16.3.3 CONFIGURING URL EXEMPT.............................................................................................. 242
16.4 CATEGORY BLOCK ...................................................................................................................... 242
16.4.1 FREEGUARD 100 MANAGED WEB FILTERING SERVICE .......................................................... 243
16.4.2 CATEGORY BLOCK CONFIGURATION OPTIONS...................................................................... 243
16.4.3 CONFIGURING WEB CATEGORY BLOCK................................................................................ 244
17 SPAM FILTER......................................................................................................246
17.1 FREEGUARD SP ANTI SPAM ........................................................................................................ 248
17.1.1 FREEGUARD SP SPAM FILTERING ...................................................................................... 248
17.1.2 FREEGUARD SP OPTIONS.................................................................................................. 249
17.1.3 CONFIGURING THE FREEGUARD SP CACHE........................................................................ 250
17.2 IP ADDRESS................................................................................................................................ 250
17.3 IP ADDRESS LIST......................................................................................................................... 250
17.3.1 IP ADDRESS OPTIONS........................................................................................................ 250
17.3.2 CONFIGURING THE IP ADDRESS LIST .................................................................................. 251
17.4 DNSBL & ORDBL..................................................................................................................... 251
17.4.1 DNSBL & ORDBL LIST..................................................................................................... 252
17.4.2 DNSBL & ORDBL OPTIONS.............................................................................................. 252
17.4.3 CONFIGURING THE DNSBL & ORDBL LIST........................................................................ 252
17.5 EMAIL ADDRESS.......................................................................................................................... 253
17.5.1 EMAIL ADDRESS LIST ......................................................................................................... 253
17.5.2 EMAIL ADDRESS OPTIONS .................................................................................................. 253
17.5.3 CONFIGURING THE EMAIL ADDRESS LIST............................................................................. 254
17.6 MIME HEADERS ......................................................................................................................... 254
17.6.1 MIME HEADERS LIST......................................................................................................... 255
17.6.2 MIME HEADERS OPTIONS.................................................................................................. 255
17.6.3 CONFIGURING THE MIME HEADERS LIST ............................................................................ 255
17.7 BANNED WORD........................................................................................................................... 256
17.7.1 BANNED WORD LIST .......................................................................................................... 256
17.7.2 BANNED WORD OPTIONS ................................................................................................... 257
17.7.3 CONFIGURING THE BANNED WORD LIST .............................................................................. 258
17.8 USING PERL REGULAR EXPRESSIONS........................................................................................... 258
18 LOG & REPORT..................................................................................................261
18.1 LOG CONFIG............................................................................................................................... 262
18.1.1 LOG SETTING OPTIONS...................................................................................................... 262
18.1.2 ALERT E-MAIL OPTIONS..................................................................................................... 263
18.1.3 LOG FILTER OPTIONS......................................................................................................... 265
18.1.4 CONFIGURING LOG FILTERS ............................................................................................... 267
18.1.5 ENABLING TRAFFIC LOGGING ............................................................................................. 267
18.2 LOG ACCESS .............................................................................................................................. 268
18.2.1 VIEWING LOG MESSAGES................................................................................................... 268
18.2.2 SEARCHING LOG MESSAGES .............................................................................................. 269
18.3 FREEGUARD 100 CATEGORIES .................................................................................................... 270
19 GLOSSARY .........................................................................................................277
1 Introduction
freedom9 Unified Threat Management (UTM) Firewalls support network-based deployment of
application-level services, including antivirus protection and full-scan content filtering. freedom9 UTM
Firewalls improve network security, reduce network misuse and abuse, and help you use
communications resources more efficiently without compromising the performance of your network.
This chapter introduces you to freedom9 UTM Firewalls and the following topics:
About freedom9 UTM Firewalls
Document conventions
freedom9 documentation
Related documentation
Customer service and technical support
1.1 About freeGuard 100 UTM Firewalls
The freeGuard 100 is a dedicated, easily managed security device that delivers a full suite of
capabilities that include:
application-level services such as virus protection and content filtering,
network-level services such as firewall, intrusion detection, VPN, and traffic shaping.
The freeGuard 100 uses a unique ASIC-based architecture which analyzes content and behavior in
real-time, enabling key applications to be deployed right at the network edge where they are most
effective at protecting your networks.
The freeGuard 100 is ideally suited for small businesses, remote offices, retail stores, and
telecommuters. The freeGuard 100 features dual WAN link support for redundant internet
connections, and an integrated 4-port switch that eliminates the need for an external hub or switch.
The freeGuard 100 also supports advanced features such as 802.1Q VLANs, virtual domains, high
availability (HA), and the RIP and OSPF routing protocols.
1.1.1 Antivirus protection
freeGuard 100 antivirus protection scans web (HTTP), file transfer (FTP), and email (SMTP, POP3,
and IMAP) content as it passes through the freeGuard 100. freeGuard 100 antivirus protection uses
pattern matching and heuristics to find viruses. If a virus is found, antivirus protection removes the file
containing the virus from the content stream and forwards a replacement message to the intended
recipient.
For extra protection, you can configure antivirus protection to block specified file types from passing
through the freeGuard 100. You can use the feature to stop files that might contain new viruses.
freeGuard 100 antivirus protection can also identify and remove known grayware programs. Grayware
programs are usually unsolicited commercial software programs that get installed on PCs, often
without the user’s consent or knowledge. Grayware programs are generally considered an annoyance,
but these programs can cause system performance problems or be used for malicious means.
The freeGuard 100 can send email alerts to system administrators when it detects and removes a
virus from a content stream. The web and email content can be in normal network traffic or encrypted
IPSec VPN traffic.
1.1.2 Web content filtering
freeGuard 100 web content filtering can scan all HTTP content protocol streams for URLs, URL
patterns, and web page content. If a URL matches an entry on the URL block list, or a web
page contains a word or phrase that is in the content block list, the freeGuard 100 blocks the web
page. The blocked web page is replaced with a message that you can edit using the freeGuard 100
web-based manager.
1.1.3 Spam filtering
freeGuard SPam filtering can scan all POP3, SMTP, and IMAP email content for spam. You can
configure spam filtering to filter mail according to IP address, email address, mime headers, and
content. Mail messages can be identified as spam or clear.
freeGuard 100 has an antispam system from freedom9 that includes an IP address black list, a URL
black list, and spam filtering tools. The IP address black list contains IP addresses of email servers
known to be used to generate spam. The URL black list contains URLs of websites found in spam
email.
You can also add the names of known third-party DNS-based Blackhole List (DNSBL) and Open
Relay Database List (ORDBL) servers. These services contain lists of known spam sources.
If an email message is found to be spam, the freeGuard 100 adds an email tag to the subject line of
the email. The recipient can use their mail client software to filter messages based on the email tag.
Spam filtering can also be configured to delete SMTP email messages identified as spam.
1.1.4 Firewall
freeGuard 100 web content filtering also supports freeGuard 100 web category blocking. Using web
category blocking you can restrict or allow access to web pages based on content ratings of web
pages.
You can configure URL blocking to block all or some of the pages on a web site. Using this feature,
you can deny access to parts of a web site without denying access to it completely.
To prevent unintentionally blocking legitimate web pages, you can add URLs to an exempt list that
overrides the URL blocking and content blocking lists. The exempt list also exempts web traffic for
those URLs from virus scanning.
Web content filtering also includes a script filter feature that can block unsecure web content such as
Java applets, cookies, and ActiveX.
The freeGuard 100 firewall protects your computer networks from Internet threats. After basic
installation of the freeGuard 100, the firewall allows users on the protected network to access the
Internet while blocking Internet access to internal networks. You can configure the firewall to put
controls on access to the Internet from the protected networks and to allow controlled access to
internal networks.
freeGuard 100 policies include a range of options that:
control all incoming and outgoing network traffic,
control encrypted VPN traffic,
apply antivirus protection and web content filtering,
block or allow access for all policy options,
control when individual policies are in effect,
accept or deny traffic to and from individual addresses,
control standard and user defined network services individually or in groups,
require users to authenticate before gaining access,
include traffic shaping to set access priorities and guarantee or limit bandwidth for each policy,
include logging to track connections for individual policies,
include Network Address Translation (NAT) mode and Route mode policies,
include mixed NAT and Route mode policies.
The freeGuard 100 firewall can operate in NAT/Route mode or Transparent mode.
NAT/Route mode
In NAT/Route mode, the freeGuard 100 is a Layer 3 device. This means that each of its interfaces is
associated with a different IP subnet and that it appears to other devices as a router. This is how a
firewall is normally deployed.
In NAT/Route mode, you can create NAT mode policies and Route mode policies.
NAT mode policies use network address translation to hide the addresses in a more secure network
from users in a less secure network.
Route mode policies accept or deny connections between networks without performing address
translation.
Transparent mode
In Transparent mode, the freeGuard 100 does not change the Layer 3 topology. This means that all of
its interfaces are on the same IP subnet and that it appears to other devices as a bridge. Typically, the
freeGuard 100 is deployed in Transparent mode to provide antivirus and content filtering behind an
existing firewall solution.
Transparent mode provides the same basic firewall protection as NAT mode. The freeGuard 100
passes or blocks the packets it receives according to firewall policies. The freeGuard 100 can be
inserted in the network at any point without having to make changes to your network or its
components. However, some advanced firewall features are available only in NAT/Route mode.
1.1.5 VLANs and virtual domains
The freeGuard 100 supports IEEE 802.1Q-compliant virtual LAN (VLAN) tags. Using VLAN
technology, a single freeGuard 100 can provide security services to, and control connections between,
multiple security domains according to the VLAN IDs added to VLAN packets. The freeGuard 100 can
recognize VLAN IDs and apply security policies to secure network and IPSec VPN traffic between
each security domain. The freeGuard 100 can also apply authentication, content filtering, and antivirus
protection to VLAN-tagged network and VPN traffic.
The freeGuard 100 supports VLANs in NAT/Route and Transparent mode. In NAT/Route mode, you
enter VLAN sub interfaces to receive and send VLAN packets.
freeGuard 100 virtual domains provide multiple logical firewalls and routers in a single freeGuard 100.
Using virtual domains, one freeGuard 100 can provide exclusive firewall and routing services to
multiple networks so that traffic from each network is effectively separated from every other network.
You can develop and manage interfaces, VLAN sub interfaces, zones, firewall policies, routing, and
VPN configuration for each virtual domain separately. For these configuration settings, each virtual
domain is functionally similar to a single freeGuard 100. This separation simplifies configuration
because you do not have to manage as many routes or firewall policies at one time.
1.1.6 Intrusion Prevention System (IPS)
The freeGuard 100 Intrusion Prevention System (IPS) combines signature and anomaly based
intrusion detection and prevention. The freeGuard 100 can record suspicious traffic in logs, can send
alert email to system administrators, and can log, pass, drop, reset, or clear suspicious packets or
sessions. Both the IPS predefined signatures and the IPS engine are upgradeable through the
freeGuard SP Distribution Network (FSDN). You can also create custom signatures.
1.1.7 VPN
Using freeGuard 100 virtual private networking (VPN), you can provide a secure connection between
widely separated office networks or securely link telecommuters or travellers to an office network.
freeGuard 100 VPN features include the following:
Industry standard IPSec VPN, including:
o IPSec VPN in NAT/Route and Transparent mode,
o IPSec, ESP security in tunnel mode,
o DES, 3DES (triple-DES), and AES hardware accelerated encryption,
o HMAC MD5 and HMAC SHA1 authentication and data integrity,
o AutoIKE key based on pre-shared key tunnels,
o IPSec VPN using local or CA certificates,
o Manual Keys tunnels,
o Diffie-Hellman groups 1, 2, and 5,
o Aggressive and Main Mode,
o Replay Detection,
o Perfect Forward Secrecy,
o XAuth authentication,
o Dead peer detection,
o DHCP over IPSec,
o Secure Internet browsing.
PPTP for easy connectivity with the VPN standard supported by the most popular operating
systems.
L2TP for easy connectivity with a more secure VPN standard, also supported by many popular
operating systems.
Firewall policy based control of IPSec VPN traffic.
IPSec NAT traversal so that remote IPSec VPN gateways or clients behind a NAT can connect to
an IPSec VPN tunnel.
VPN hub and spoke using a VPN concentrator to allow VPN traffic to pass from one tunnel to
another through the freeGuard 100.
IPSec Redundancy to create a redundant AutoIKE key IPSec VPN connection to a remote
network.
1.1.8 High availability
freedom9 achieves high availability (HA) using redundant hardware and the freeGuard Clustering
Protocol (FCP). Each freeGuard 100 in an HA cluster enforces the same overall security policy and
shares the same configuration settings. You can add up to 32 freeGuard 100s to an HA cluster. Each
freeGuard 100 in an HA cluster must be the same model and must be running the same OS firmware
image.
freeGuard 100 HA supports link redundancy and device redundancy.
freeGuard 100s can be configured to operate in active-passive (A-P) or active-active (A-A) HA mode.
Active-active and active-passive clusters can run in either NAT/Route or Transparent mode.
An active-passive (A-P) HA cluster, also referred to as hot standby HA, consists of a primary
freeGuard 100 that processes traffic, and one or more subordinate freeGuard 100s. The subordinate
freeGuard 100s are connected to the network and to the primary freeGuard 100 but do not process
traffic.
Active-active (A-A) HA load balances virus scanning among all the freeGuard 100s in the cluster. An
active-active HA cluster consists of a primary freeGuard 100 that processes traffic and one or more
secondary units that also process traffic. The primary freeGuard 100 uses a load balancing algorithm
to distribute virus scanning to all the freeGuard 100s in the HA cluster.
1.1.9 Secure installation, configuration, and management
The first time you power on the freeGuard 100, it is already configured with default IP addresses and
security policies. Connect to the web-based manager, set the operating mode, and use the Setup
wizard to customize freeGuard 100 IP addresses for your network, and the freeGuard 100 is ready to
protect your network. You can then use the web-based manager to customize advanced freeGuard
100 features.
You can also create a basic configuration using the freeGuard 100 command line interface (CLI).
Web-based manager
Using HTTP or a secure HTTPS connection from any computer running Internet Explorer, you can
configure and manage the freeGuard 100. The web-based manager supports multiple languages. You
can configure the freeGuard 100 for HTTP and HTTPS administration from any freeGuard 100
interface.
You can use the web-based manager to configure most freeGuard 100 settings. You can also use the
web-based manager to monitor the status of the freeGuard 100. Configuration changes made using
the web-based manager are effective immediately without resetting the firewall or interrupting service.
Once you are satisfied with a configuration, you can download and save it. The saved configuration
can be restored at any time.
Command line interface
You can access the freeGuard 100 command line interface (CLI) by connecting a management
computer serial port to the freeGuard 100 RS-232 serial console connector. You can also use Telnet or
a secure SSH connection to connect to the CLI from any network that is connected to the freeGuard
100, including the Internet.
The CLI supports the same configuration and monitoring functionality as the web-based manager. In
addition, you can use the CLI for advanced configuration options that are not available from the web-
based manager.
This Administration Guide contains information about basic and advanced CLI commands. For a more
complete description about connecting to and using the freeGuard 100 CLI, see the freeGuard 100
CLI Reference Guide.
Logging and reporting
The freeGuard 100 supports logging for various categories of traffic and configuration changes. You
can configure logging to:
report traffic that connects to the firewall,
report network services used,
report traffic that was permitted by firewall policies,
report traffic that was denied by firewall policies,
report events such as configuration changes and other management events, IPSec tunnel
negotiation, virus detection, attacks, and web page blocking,
report attacks detected by the IPS,
send alert email to system administrators to report virus incidents, intrusions, and firewall or VPN
events or violations.
Logs can be sent to a remote syslog server or a WebTrends NetIQ Security Reporting Center and
Firewall Suite server using the WebTrends enhanced log format. You can also configure the freeGuard
100 to log the most recent events and attacks detected by the IPS to the system memory.
1.2 Document conventions
This guide uses the following conventions to describe command syntax:
angle brackets < > to indicate variable keywords.
For example:
execute restore config <filename_str>
You can enter execute restore config myfile.bak
<xxx_str> indicates an ASCII string variable.
<xxx_integer> indicates an integer variable.
<xxx_ip> indicates an IP address variable.
vertical bar and curly brackets {|} to separate alternative, mutually exclusive required keywords
For example:
set system opmode {nat | transparent}
You can enter set system opmode nat or set system opmode transparent.
square brackets [ ] to indicate that a keyword is optional
For example:
get firewall ipmacbinding [dhcpipmac]
You can enter get firewall ipmacbinding or get firewall ipmacbinding dhcpipmac
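The notation above is regular enough to check scripted commands against a syntax line before they are sent to a device. The following Python sketch is an added example, not code from the freeGuard 100 documentation or firmware; it assumes <xxx_ip> means a dotted-quad IPv4 address, that alternatives inside { } are plain keywords, and that arguments contain no quoted spaces. The "set example address" syntax line is hypothetical.

```python
import ipaddress
import re

# One token per bracketed group, otherwise one per whitespace-separated word.
TOKEN_RE = re.compile(r"\{[^{}]*\}|\[[^\[\]]*\]|<[^<>]*>|\S+")
VARIABLE_TYPES = ("str", "integer", "ip")


def parse_template(template):
    """Turn a syntax line from the guide into a list of (kind, value) elements."""
    elements = []
    for tok in TOKEN_RE.findall(template):
        if tok[0] == "{" and tok[-1] == "}":
            # {a | b}: mutually exclusive required keywords
            choices = [c.strip() for c in tok[1:-1].split("|")]
            if len(choices) < 2 or not all(choices):
                raise ValueError(f"bad alternative group: {tok!r}")
            elements.append(("choice", choices))
        elif tok[0] == "[" and tok[-1] == "]":
            # [kw]: optional part, parsed with the same rules
            inner = parse_template(tok[1:-1])
            if not inner:
                raise ValueError("empty optional group")
            elements.append(("optional", inner))
        elif tok[0] == "<" and tok[-1] == ">":
            # <name_type>: the suffix after the last underscore is the type
            var_type = tok[1:-1].rsplit("_", 1)[-1]
            if var_type not in VARIABLE_TYPES:
                raise ValueError(f"unknown variable type in {tok!r}")
            elements.append(("variable", var_type))
        elif re.search(r"[{}\[\]<>|]", tok):
            # a stray bracket means the syntax line itself is malformed
            raise ValueError(f"unbalanced bracket near {tok!r}")
        else:
            elements.append(("keyword", tok))
    return elements


def _valid_variable(var_type, word):
    if var_type == "str":
        return word.isascii()
    if var_type == "integer":
        return re.fullmatch(r"-?[0-9]+", word) is not None
    try:  # "ip": assumed to be a dotted-quad IPv4 address
        ipaddress.IPv4Address(word)
        return True
    except ValueError:
        return False


def _match(elements, words):
    if not elements:
        return not words  # every word must be consumed
    (kind, value), rest = elements[0], elements[1:]
    if kind == "optional":
        # try with the optional part present, then with it absent
        return _match(value + rest, words) or _match(rest, words)
    if not words:
        return False
    word = words[0]
    if kind == "keyword":
        ok = word == value
    elif kind == "choice":
        ok = word in value
    else:
        ok = _valid_variable(value, word)
    return ok and _match(rest, words[1:])


def validate(template, command):
    """Return True if the command is a valid instance of the syntax line."""
    return _match(parse_template(template), command.split())


if __name__ == "__main__":
    checks = [
        ("execute restore config <filename_str>", "execute restore config myfile.bak"),
        ("set system opmode {nat | transparent}", "set system opmode bridge"),
        ("get firewall ipmacbinding [dhcpipmac]", "get firewall ipmacbinding"),
        # hypothetical syntax line, used only to exercise _ip and _integer
        ("set example address <addr_ip> <count_integer>", "set example address 192.168.1.999 5"),
    ]
    for template, command in checks:
        print(f"{command!r}: {validate(template, command)}")
```
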
1.3 freedom9 documentation
Information about freeGuard 100 products is available from the following freeGuard 100 User Manual
volumes:
freeGuard 100 Quick Install Guide
Each Quick Start Guide provides the basic information required to connect and install a freeGuard
100.
freeGuard 100 Installation Guide
Each Installation Guide provides detailed information required to install a freeGuard 100. Includes
hardware reference, default configuration, installation procedures, connection procedures, and basic
configuration procedures.
freeGuard 100 Administration Guide
Each Administration Guide describes how to configure a freeGuard 100. Configuration information
includes how to use freeGuard 100 firewall policies to control traffic flow through the freeGuard 100
and how to configure VPN, IPS, antivirus, web filtering, and spam filtering. The administration guide also
describes how to use protection profiles to apply intrusion prevention, antivirus protection, web content
filtering, and spam filtering to traffic passing through the freeGuard 100.
freeGuard 100 CLI Reference Guide
Describes how to use the freeGuard 100 CLI and contains a reference to all freeGuard 100 CLI
commands.
freeGuard 100 Log Message Reference Guide
Describes the structure of freeGuard 100 log messages and provides information on all log messages
generated by the freeGuard 100.
2 Web-based manager
Using HTTP or a secure HTTPS connection from any computer running a web browser, you can
configure and manage the freeGuard 100. The web-based manager supports multiple languages. You
can configure the freeGuard 100 for HTTP and HTTPS administration from any freeGuard 100
interface.
Figure 1: Web-based manager screen
You can use the web-based manager to configure most freeGuard 100 settings. You can also use the
web-based manager to monitor the status of the freeGuard 100. Configuration changes made using
the web-based manager are effective immediately without resetting the firewall or interrupting service.
Once you are satisfied with a configuration, you can back it up. The saved configuration can be
restored at any time.
For information about connecting to the web-based manager, see “Connecting to the web-based
manager” in the Installation Guide.
This chapter includes:
Button bar features
Web-based manager pages
2.1 Button bar features
The button bar in the upper right corner of the web-based manager provides access to several
important freeGuard 100 features.
Figure 2: Web-based manager button bar
Contact Customer Support
Easy Setup Wizard
Console Access
Logout
2.1.1 Contact Customer Support
The Contact Customer Support button opens the freedom9 support web page in a new browser
window. From this page you can
Register your freeGuard 100 (Product Registration).
Read frequently asked questions.
Read about freedom9 and its products.
2.1.2 Easy Setup Wizard
The freeGuard 100 setup wizard provides an easy way to configure basic initial settings for the
freeGuard 100. The wizard walks through the configuration of a new administrator password,
freeGuard 100 interfaces, DHCP server settings, internal servers (web, FTP, etc.), and basic antivirus
settings. For detailed instructions on the initial setup of your freeGuard 100, see the Installation Guide.
2.1.3 Console Access
An alternative to the web-based manager user interface is the text-based command line interface
(CLI). There are some options that are configurable only from the CLI.
The Console Access button opens a Java-based terminal application. The management computer
must have Java version 1.3 or higher installed.