Freedom9 freeGuard 100 Administration Manual

freeGuard 100 Administration Guide

freeGuard 100

UTM Firewall

ADMINISTRATION GUIDE

P/N: F0025000

Rev. 1.1

Copyright and Trademark Information

part of this document may be photocopied, reproduced, or translated into another language without

express prior to written consent of Freedom9 Inc.

Microsoft Corporation. Other trademarks or registered trademarks are the property of their respective

holders.

ii

TABLE OF CONTENTS

1 INTRODUCTION......................................................................................................1

1.1 ABOUT FREEGUARD 100 UTM FIREWALLS........................................................................................1

1.1.1 ANTIVIRUS PROTECTION.........................................................................................................1

1.1.2 WEB CONTENT FILTERING.......................................................................................................2

1.1.3 SPAM FILTERING.....................................................................................................................2

1.1.4 FIREWALL..............................................................................................................................2

1.1.5 VLANS AND VIRTUAL DOMAINS ...............................................................................................4

1.1.6 INTRUSION PREVENTION SYSTEM (IPS) ..................................................................................4

1.1.7 VPN .....................................................................................................................................4

1.1.8 HIGH AVAILABILITY..................................................................................................................5

1.1.9 SECURE INSTALLATION, CONFIGURATION, AND MANAGEMENT....................................................5

1.2 DOCUMENT CONVENTIONS ...............................................................................................................6

1.3 FREEDOM9 DOCUMENTATION ............................................................................................................7

2 WEB-BASED MANAGER........................................................................................9

2.1 BUTTON BAR FEATURES ...................................................................................................................9

2.1.1 CONTACT CUSTOMER SUPPORT ...........................................................................................10

2.1.2 EASY SETUP WIZARD...........................................................................................................10

2.1.3 CONSOLE ACCESS...............................................................................................................10

2.1.4 LOGOUT ..............................................................................................................................11

2.2 WEB-BASED MANAGER PAGES ........................................................................................................11

2.2.1 WEB-BASED MANAGER MENU................................................................................................12

2.2.2 LISTS ..................................................................................................................................12

2.2.3 ICONS .................................................................................................................................13

2.2.4 STATUS BAR.........................................................................................................................14

2.3 ORGANIZATION OF THIS MANUAL .....................................................................................................14

3 SYSTEM STATUS..................................................................................................15

3.1 STATUS .........................................................................................................................................15

3.1.1 VIEWING SYSTEM STATUS .....................................................................................................15

3.1.2 CHANGING UNIT INFORMATION ..............................................................................................18

3.2 SESSION LIST ................................................................................................................................20

3.3 CHANGING THE FREEGUARD 100 FIRMWARE...................................................................................21

3.3.1 UPGRADING TO A NEW FIRMWARE VERSION............................................................................22

3.3.2 REVERTING TO A PREVIOUS FIRMWARE VERSION ....................................................................23

3.3.3 INSTALLING FIRMWARE IMAGES FROM A SYSTEM REBOOT USING THE CLI.................................25

3.3.4 TESTING A NEW FIRMWARE IMAGE BEFORE INSTALLING IT........................................................27

4 SYSTEM NETWORK .............................................................................................30

4.1 INTERFACE....................................................................................................................................30

4.1.1 INTERFACE SETTINGS...........................................................................................................31

4.1.2 CONFIGURING INTERFACES...................................................................................................36

4.2 ZONE............................................................................................................................................40

4.2.1 ZONE SETTINGS...................................................................................................................41

4.3 MANAGEMENT ...............................................................................................................................42

4.4 DNS.............................................................................................................................................43

4.5 ROUTING TABLE (TRANSPARENT MODE)..........................................................................................44

4.5.1 ROUTING TABLE LIST ............................................................................................................44

4.5.2 TRANSPARENT MODE ROUTE SETTINGS .................................................................................44

4.6 CONFIGURING THE MODEM INTERFACE............................................................................................45

freeGuard 100 Administration Guide

iii

4.6.1 CONNECTING A MODEM TO THE FREEGUARD 100...................................................................46

4.6.2 CONFIGURING MODEM SETTINGS ..........................................................................................46

4.6.3 REDUNDANT MODE CONFIGURATION......................................................................................47

4.6.4 STANDALONE MODE CONFIGURATION ....................................................................................48

4.6.5 ADDING FIREWALL POLICIES FOR MODEM CONNECTIONS.........................................................48

4.6.6 CONNECTING AND DISCONNECTING THE MODEM ....................................................................49

4.6.7 CHECKING MODEM STATUS ...................................................................................................49

4.7 VLAN OVERVIEW...........................................................................................................................49

4.7.1 FREEGUARD 100S AND VLANS ............................................................................................50

4.8 VLANS IN NAT/ROUTE MODE ........................................................................................................50

4.8.1 RULES FOR VLAN IDS.........................................................................................................51

4.8.2 RULES FOR VLAN IP ADDRESSES.........................................................................................51

4.8.3 ADDING VLAN SUB INTERFACES...........................................................................................52

4.9 VLANS IN TRANSPARENT MODE .....................................................................................................53

4.9.1 RULES FOR VLAN IDS.........................................................................................................54

4.9.2 TRANSPARENT MODE VIRTUAL DOMAINS AND VLANS .............................................................54

4.9.3 TRANSPARENT MODE VLAN LIST ..........................................................................................54

4.9.4 TRANSPARENT MODE VLAN SETTINGS..................................................................................55

4.10 FREEGUARD 100 IPV6 SUPPORT....................................................................................................56

5 SYSTEM DHCP......................................................................................................57

5.1 SERVICE .......................................................................................................................................57

5.1.1 DHCP SERVICE SETTINGS....................................................................................................57

5.2 SERVER ........................................................................................................................................59

5.2.1 DHCP SERVER SETTINGS.....................................................................................................60

5.3 EXCLUDE RANGE ...........................................................................................................................61

5.3.1 DHCP EXCLUDE RANGE SETTINGS........................................................................................62

5.4 IP/MAC BINDING ...........................................................................................................................62

5.4.1 DHCP IP/MAC BINDING SETTINGS .......................................................................................63

5.5 DYNAMIC IP ..................................................................................................................................63

6 SYSTEM CONFIG..................................................................................................64

6.1 SYSTEM TIME ................................................................................................................................64

6.2 OPTIONS.......................................................................................................................................65

6.3 HA................................................................................................................................................67

6.3.1 HA OVERVIEW......................................................................................................................67

6.3.2 HA CONFIGURATION.............................................................................................................69

6.3.3 CONFIGURING AN HA CLUSTER.............................................................................................74

6.3.4 MANAGING AN HA CLUSTER..................................................................................................78

6.4 SNMP..........................................................................................................................................81

6.4.1 CONFIGURING SNMP ..........................................................................................................82

6.4.2 SNMP COMMUNITY..............................................................................................................83

6.4.3 FREEGUARD 100 MIBS........................................................................................................85

6.4.4 FREEGUARD 100 TRAPS.......................................................................................................86

6.4.5 FREEDOM9 MIB FIELDS........................................................................................................87

6.5 REPLACEMENT MESSAGES .............................................................................................................89

6.5.1 REPLACEMENT MESSAGES LIST.............................................................................................90

6.5.2 CHANGING REPLACEMENT MESSAGES...................................................................................91

7 SYSTEM ADMIN....................................................................................................93

7.1 ADMINISTRATORS ..........................................................................................................................94

7.1.1 ADMINISTRATORS LIST..........................................................................................................94

7.1.2 ADMINISTRATORS OPTIONS...................................................................................................95

7.2 ACCESS PROFILES.........................................................................................................................96

7.2.1 ACCESS PROFILE LIST ..........................................................................................................97

iv

7.2.2 ACCESS PROFILE OPTIONS ...................................................................................................97

8 SYSTEM MAINTENANCE .....................................................................................99

8.1 BACKUP AND RESTORE...................................................................................................................99

8.1.1 BACKING UP AND RESTORING............................................................................................ 100

8.2 UPDATE CENTER......................................................................................................................... 101

8.2.1 UPDATING ANTIVIRUS AND ATTACK DEFINITIONS................................................................... 103

8.2.2 ENABLING PUSH UPDATES ................................................................................................. 106

9 SYSTEM VIRTUAL DOMAIN...............................................................................109

9.1 VIRTUAL DOMAIN PROPERTIES ..................................................................................................... 109

9.1.1 EXCLUSIVE VIRTUAL DOMAIN PROPERTIES .......................................................................... 109

9.1.2 SHARED CONFIGURATION SETTINGS....................................................................................110

9.1.3 ADMINISTRATION AND MANAGEMENT ...................................................................................111

9.2 VIRTUAL DOMAINS........................................................................................................................111

9.2.1 ADDING A VIRTUAL DOMAIN .................................................................................................112

9.2.2 SELECTING A VIRTUAL DOMAIN ............................................................................................113

9.2.3 SELECTING A MANAGEMENT VIRTUAL DOMAIN.......................................................................113

9.3 CONFIGURING VIRTUAL DOMAINS ..................................................................................................114

9.3.1 ADDING INTERFACES, VLAN SUB INTERFACES, AND ZONES TO A VIRTUAL DOMAIN..................114

9.3.2 CONFIGURING ROUTING FOR A VIRTUAL DOMAIN...................................................................115

9.3.3 CONFIGURING FIREWALL POLICIES FOR A VIRTUAL DOMAIN....................................................115

9.3.4 CONFIGURING IPSEC VPN FOR A VIRTUAL DOMAIN ..............................................................117

10 ROUTER ..............................................................................................................118

10.1 STATIC ........................................................................................................................................118

10.1.1 STATIC ROUTE LIST............................................................................................................ 120

10.1.2 STATIC ROUTE OPTIONS..................................................................................................... 121

10.2 POLICY ...................................................................................................................................... 122

10.2.1 POLICY ROUTE LIST........................................................................................................... 122

10.2.2 POLICY ROUTE OPTIONS.................................................................................................... 123

10.3 RIP............................................................................................................................................ 124

10.3.1 NETWORKS LIST................................................................................................................ 125

10.3.2 NETWORKS OPTIONS......................................................................................................... 126

10.3.3 INTERFACE LIST ................................................................................................................ 126

10.3.4 INTERFACE OPTIONS ......................................................................................................... 127

10.3.5 DISTRIBUTE LIST............................................................................................................... 128

10.3.6 DISTRIBUTE LIST OPTIONS ................................................................................................. 129

10.3.7 OFFSET LIST..................................................................................................................... 130

10.3.8 OFFSET LIST OPTIONS ....................................................................................................... 131

10.4 ROUTER OBJECTS....................................................................................................................... 131

10.4.1 ACCESS LIST .................................................................................................................... 131

10.4.2 NEW ACCESS LIST............................................................................................................. 132

10.4.3 NEW ACCESS LIST ENTRY .................................................................................................. 133

10.4.4 PREFIX LIST...................................................................................................................... 133

10.4.5 NEW PREFIX LIST.............................................................................................................. 134

10.4.6 NEW PREFIX LIST ENTRY.................................................................................................... 135

10.4.7 ROUTE-MAP LIST............................................................................................................... 136

10.4.8 NEW ROUTE-MAP.............................................................................................................. 136

10.4.9 ROUTE MAP LIST ENTRY..................................................................................................... 137

10.4.10 KEY CHAIN LIST................................................................................................................. 138

10.4.11 NEW KEY CHAIN................................................................................................................ 138

10.4.12 KEY CHAIN LIST ENTRY ...................................................................................................... 139

10.5 MONITOR ................................................................................................................................... 140

freeGuard 100 Administration Guide

v

10.5.1 ROUTING MONITOR LIST..................................................................................................... 140

11 FIREWALL...........................................................................................................142

11.1 POLICY ...................................................................................................................................... 142

11.1.1 HOW POLICY MATCHING WORKS......................................................................................... 143

11.1.2 POLICY LIST...................................................................................................................... 143

11.1.3 POLICY OPTIONS............................................................................................................... 144

11.1.4 ADVANCED POLICY OPTIONS .............................................................................................. 147

11.1.5 CONFIGURING FIREWALL POLICIES ..................................................................................... 149

11.1.6 POLICY CLI CONFIGURATION ............................................................................................. 150

11.2 ADDRESS................................................................................................................................... 151

11.2.1 ADDRESS LIST .................................................................................................................. 152

11.2.2 ADDRESS OPTIONS ........................................................................................................... 152

11.2.3 CONFIGURING ADDRESSES................................................................................................ 153

11.2.4 ADDRESS GROUP LIST....................................................................................................... 154

11.2.5 ADDRESS GROUP OPTIONS................................................................................................ 154

11.2.6 CONFIGURING ADDRESS GROUPS....................................................................................... 155

11.3 SERVICE .................................................................................................................................... 155

11.3.1 PREDEFINED SERVICE LIST ................................................................................................ 156

11.3.2 CUSTOM SERVICE LIST ...................................................................................................... 158

11.3.3 CUSTOM SERVICE OPTIONS ............................................................................................... 159

11.3.4 CONFIGURING CUSTOM SERVICES...................................................................................... 160

11.3.5 SERVICE GROUP LIST ........................................................................................................ 161

11.3.6 SERVICE GROUP OPTIONS ................................................................................................. 161

11.3.7 CONFIGURING SERVICE GROUPS........................................................................................ 162

11.4 SCHEDULE ................................................................................................................................. 163

11.4.1 ONE-TIME SCHEDULE LIST ................................................................................................. 163

11.4.2 ONE-TIME SCHEDULE OPTIONS .......................................................................................... 164

11.4.3 CONFIGURING ONE-TIME SCHEDULES................................................................................. 164

11.4.4 RECURRING SCHEDULE LIST .............................................................................................. 164

11.4.5 RECURRING SCHEDULE OPTIONS ....................................................................................... 165

11.4.6 CONFIGURING RECURRING SCHEDULES.............................................................................. 166

11.5 VIRTUAL IP................................................................................................................................. 166

11.5.1 VIRTUAL IP LIST ................................................................................................................ 167

11.5.2 VIRTUAL IP OPTIONS ......................................................................................................... 167

11.5.3 CONFIGURING VIRTUAL IPS................................................................................................ 169

11.6 IP POOL ..................................................................................................................................... 171

11.6.1 IP POOL LIST..................................................................................................................... 171

11.6.2 IP POOL OPTIONS.............................................................................................................. 172

11.6.3 CONFIGURING IP POOLS.................................................................................................... 172

11.6.4 IP POOLS FOR FIREWALL POLICIES THAT USE FIXED PORTS.................................................. 172

11.6.5 IP POOLS AND DYNAMIC NAT............................................................................................. 173

11.7 PROTECTION PROFILE................................................................................................................. 173

11.7.1 PROTECTION PROFILE LIST ................................................................................................ 174

11.7.2 DEFAULT PROTECTION PROFILES........................................................................................ 174

11.7.3 PROTECTION PROFILE OPTIONS ......................................................................................... 174

11.7.4 CONFIGURING PROTECTION PROFILES................................................................................ 179

11.7.5 PROFILE CLI CONFIGURATION............................................................................................ 180

12 USER ...................................................................................................................183

12.1 SETTING AUTHENTICATION TIMEOUT............................................................................................. 183

12.2 LOCAL........................................................................................................................................ 183

12.2.1 LOCAL USER LIST .............................................................................................................. 184

12.2.2 LOCAL USER OPTIONS ....................................................................................................... 184

12.3 RADIUS.................................................................................................................................... 185

vi

12.3.1 RADIUS SERVER LIST ...................................................................................................... 185

12.3.2 RADIUS SERVER OPTIONS................................................................................................ 185

12.4 LDAP........................................................................................................................................ 186

12.4.1 LDAP SERVER LIST........................................................................................................... 186

12.4.2 LDAP SERVER OPTIONS.................................................................................................... 187

12.5 USER GROUP.............................................................................................................................. 188

12.5.1 USER GROUP LIST............................................................................................................. 188

12.5.2 USER GROUP OPTIONS...................................................................................................... 189

13 VPN......................................................................................................................191

13.1 PHASE 1 .................................................................................................................................... 191

13.1.1 PHASE 1 LIST.................................................................................................................... 192

13.1.2 PHASE 1 BASIC SETTINGS.................................................................................................. 192

13.1.3 PHASE 1 ADVANCED SETTINGS........................................................................................... 194

13.2 PHASE 2 .................................................................................................................................... 196

13.3 PHASE 2 LIST ............................................................................................................................. 196

13.3.1 PHASE 2 BASIC SETTINGS.................................................................................................. 197

13.3.2 PHASE 2 ADVANCED OPTIONS ............................................................................................ 197

13.4 MANUAL KEY .............................................................................................................................. 199

13.4.1 MANUAL KEY LIST.............................................................................................................. 200

13.4.2 MANUAL KEY OPTIONS....................................................................................................... 200

13.5 CONCENTRATOR......................................................................................................................... 202

13.5.1 CONCENTRATOR LIST ........................................................................................................ 202

13.5.2 CONCENTRATOR OPTIONS ................................................................................................. 202

13.6 PING GENERATOR....................................................................................................................... 203

13.6.1 PING GENERATOR OPTIONS ............................................................................................... 203

13.7 MONITOR ................................................................................................................................... 204

13.7.1 DIALUP MONITOR .............................................................................................................. 204

13.7.2 STATIC IP AND DYNAMIC DNS MONITOR ............................................................................. 205

13.8 PPTP........................................................................................................................................ 205

13.8.1 PPTP RANGE ................................................................................................................... 205

13.9 L2TP......................................................................................................................................... 206

13.9.1 L2TP RANGE.................................................................................................................... 206

13.10 CERTIFICATES ............................................................................................................................ 207

13.10.1 LOCAL CERTIFICATE LIST.................................................................................................... 207

13.10.2 CERTIFICATE REQUEST...................................................................................................... 208

13.10.3 IMPORTING SIGNED CERTIFICATES...................................................................................... 209

13.10.4 CA CERTIFICATE LIST ........................................................................................................ 209

13.10.5 IMPORTING CA CERTIFICATES............................................................................................ 210

13.11 VPN CONFIGURATION PROCEDURES............................................................................................ 210

13.11.1 ADDING FIREWALL POLICIES FOR IPSEC VPN TUNNELS........................................................211

13.11.2 PPTP CONFIGURATION PROCEDURES ................................................................................ 212

13.11.3 L2TP CONFIGURATION PROCEDURES................................................................................. 212

14 IPS........................................................................................................................213

14.1 SIGNATURE ................................................................................................................................ 213

14.1.1 PREDEFINED..................................................................................................................... 214

14.1.2 CUSTOM........................................................................................................................... 217

14.2 ANOMALY ................................................................................................................................... 219

14.3 CONFIGURING AN ANOMALY ......................................................................................................... 220

15 ANTIVIRUS..........................................................................................................223

15.1 FILE BLOCK ................................................................................................................................ 224

15.1.1 FILE BLOCK LIST................................................................................................................ 224

freeGuard 100 Administration Guide

vii

15.2 CONFIG...................................................................................................................................... 225

15.2.1 VIRUS LIST........................................................................................................................ 226

15.2.2 CONFIG............................................................................................................................ 226

15.2.3 GRAYWARE....................................................................................................................... 227

15.2.4 GRAYWARE OPTIONS......................................................................................................... 227

15.3 CLI CONFIGURATION................................................................................................................... 228

15.3.1 CONFIG ANTIVIRUS HEURISTIC............................................................................................ 228

15.3.2 CONFIG ANTIVIRUS SERVICE HTTP....................................................................................... 229

15.3.3 CONFIG ANTIVIRUS SERVICE FTP......................................................................................... 230

15.3.4 CONFIG ANTIVIRUS SERVICE POP3...................................................................................... 232

15.3.5 CONFIG ANTIVIRUS SERVICE IMAP....................................................................................... 233

15.3.6 CONFIG ANTIVIRUS SERVICE SMTP ...................................................................................... 234

16 WEB FILTER........................................................................................................236

16.1 CONTENT BLOCK ........................................................................................................................ 237

16.1.1 WEB CONTENT BLOCK LIST ................................................................................................ 237

16.1.2 WEB CONTENT BLOCK OPTIONS ......................................................................................... 237

16.1.3 CONFIGURING THE WEB CONTENT BLOCK LIST .................................................................... 238

16.2 URL BLOCK................................................................................................................................ 239

16.2.1 WEB URL BLOCK LIST....................................................................................................... 239

16.2.2 WEB URL BLOCK OPTIONS ................................................................................................ 239

16.2.3 CONFIGURING THE WEB URL BLOCK LIST ........................................................................... 240

16.2.4 WEB PATTERN BLOCK LIST................................................................................................. 240

16.2.5 WEB PATTERN BLOCK OPTIONS .......................................................................................... 241

16.2.6 CONFIGURING WEB PATTERN BLOCK................................................................................... 241

16.3 URL EXEMPT.............................................................................................................................. 241

16.3.1 URL EXEMPT LIST............................................................................................................. 241

16.3.2 URL EXEMPT LIST OPTIONS ............................................................................................... 242

16.3.3 CONFIGURING URL EXEMPT.............................................................................................. 242

16.4 CATEGORY BLOCK ...................................................................................................................... 242

16.4.1 FREEGUARD 100 MANAGED WEB FILTERING SERVICE .......................................................... 243

16.4.2 CATEGORY BLOCK CONFIGURATION OPTIONS...................................................................... 243

16.4.3 CONFIGURING WEB CATEGORY BLOCK................................................................................ 244

17 SPAM FILTER......................................................................................................246

17.1 FREEGUARD SP ANTI SPAM ........................................................................................................ 248

17.1.1 FREEGUARD SP SPAM FILTERING ...................................................................................... 248

17.1.2 FREEGUARD SP OPTIONS.................................................................................................. 249

17.1.3 CONFIGURING THE FREEGUARD SP CACHE........................................................................ 250

17.2 IP ADDRESS................................................................................................................................ 250

17.3 IP ADDRESS LIST......................................................................................................................... 250

17.3.1 IP ADDRESS OPTIONS........................................................................................................ 250

17.3.2 CONFIGURING THE IP ADDRESS LIST .................................................................................. 251

17.4 DNSBL & ORDBL..................................................................................................................... 251

17.4.1 DNSBL & ORDBL LIST..................................................................................................... 252

17.4.2 DNSBL & ORDBL OPTIONS.............................................................................................. 252

17.4.3 CONFIGURING THE DNSBL & ORDBL LIST........................................................................ 252

17.5 EMAIL ADDRESS.......................................................................................................................... 253

17.5.1 EMAIL ADDRESS LIST ......................................................................................................... 253

17.5.2 EMAIL ADDRESS OPTIONS .................................................................................................. 253

17.5.3 CONFIGURING THE EMAIL ADDRESS LIST............................................................................. 254

17.6 MIME HEADERS ......................................................................................................................... 254

17.6.1 MIME HEADERS LIST......................................................................................................... 255

17.6.2 MIME HEADERS OPTIONS.................................................................................................. 255

17.6.3 CONFIGURING THE MIME HEADERS LIST ............................................................................ 255

viii

17.7 BANNED WORD........................................................................................................................... 256

17.7.1 BANNED WORD LIST .......................................................................................................... 256

17.7.2 BANNED WORD OPTIONS ................................................................................................... 257

17.7.3 CONFIGURING THE BANNED WORD LIST .............................................................................. 258

17.8 USING PERL REGULAR EXPRESSIONS........................................................................................... 258

18 LOG & REPORT..................................................................................................261

18.1 LOG CONFIG............................................................................................................................... 262

18.1.1 LOG SETTING OPTIONS...................................................................................................... 262

18.1.2 ALERT E-MAIL OPTIONS..................................................................................................... 263

18.1.3 LOG FILTER OPTIONS......................................................................................................... 265

18.1.4 CONFIGURING LOG FILTERS ............................................................................................... 267

18.1.5 ENABLING TRAFFIC LOGGING ............................................................................................. 267

18.2 LOG ACCESS .............................................................................................................................. 268

18.2.1 VIEWING LOG MESSAGES................................................................................................... 268

18.2.2 SEARCHING LOG MESSAGES .............................................................................................. 269

18.3 FREEGUARD 100 CATEGORIES .................................................................................................... 270

19 GLOSSARY .........................................................................................................277

freeGuard 100 Administration Guide

1

1 Introduction

freedom9 Unified Threat Management (UTM) Firewalls support network-based deployment of

application-level services, including antivirus protection and full-scan content filtering. freedom9 UTM

Firewalls improve network security, reduce network misuse and abuse, and help you use

communications resources more efficiently without compromising the performance of your network.

This chapter introduces you to freedom9 UTM Firewalls and the following topics:

• About freedom9 UTM Firewalls

• Document conventions

• freedom9 documentation

• Related documentation

• Customer service and technical support

1.1 About freeGuard 100 UTM Firewalls

The freeGuard 100 is a dedicated, easily managed security device that delivers a full suite of

capabilities that include:

• application-level services such as virus protection and content filtering,

• network-level services such as firewall, intrusion detection, VPN, and traffic shaping.

The freeGuard 100 uses a unique ASIC-based architecture which analyzes content and behavior in

real-time, enabling key applications to be deployed right at the network edge where they are most

effective at protecting your networks.

The freeGuard 100 is ideally suited for small businesses, remote offices, retail stores, and

telecommuters. The freeGuard 100 features dual WAN link support for redundant internet

connections, and an integrated 4-port switch that eliminates the need for an external hub or switch.

The freeGuard 100 also supports advanced features such as 802.1Q VLANs, virtual domains, high

availability (HA), and the RIP and OSPF routing protocols.

1.1.1 Antivirus protection

freeGuard 100 antivirus protection scans web (HTTP), file transfer (FTP), and email (SMTP, POP3,

and IMAP) content as it passes through the freeGuard 100. freeGuard 100 antivirus protection uses

pattern matching and heuristics to find viruses. If a virus is found, antivirus protection removes the file

containing the virus from the content stream and forwards a replacement message to the intended

recipient.

For extra protection, you can configure antivirus protection to block specified file types from passing

through the freeGuard 100. You can use the feature to stop files that might contain new viruses.

freeGuard 100 antivirus protection can also identify and remove known grayware programs. Grayware

programs are usually unsolicited commercial software programs that get installed on PCs, often

without the user’s consent or knowledge. Grayware programs are generally considered an annoyance,

but these programs can cause system performance problems or be used for malicious means.

The freeGuard 100 can send email alerts to system administrators when it detects and removes a

virus from a content stream. The web and email content can be in normal network traffic or encrypted

IPSec VPN traffic.

2

1.1.2 Web content filtering

freeGuard 100 web content filtering can scan all HTTP content protocol streams for URLs, URL

patterns, and web page content. If there is a match between a URL on the URL block list, or a web

page contains a word or phrase that is in the content block list, the freeGuard 100 blocks the web

page. The blocked web page is replaced with a message that you can edit using the freeGuard 100

web-based manager.

1.1.3 Spam filtering

freeGuard SPam filtering can scan all POP3, SMTP, and IMAP email content for spam. You can

configure spam filtering to filter mail according to IP address, email address, mime header, and

contect. Mail message can be identified as spam or clear.

freeGuard 100 has an antispam system from freedom9 that includes an IP address black list, a URL

black list, and spam filtering tools. The IP address black list contains IP address of email servers

known to be used to generate spam. The URL black list containes URLs of websites found in spam

email.

You can also add the names of known third party DNS based Blackhole lists (DNSBL) and Open

Relay Database List (ORDBL) servers. These services contain lists of known spam sources.

If an email message is found to be spam, the freeGuard 100 adds an email tag to the subject line of

the email. The recipient can use their mail client software to filter messages based on the email tag.

Spam filtering can also be configured to delete SMTP email messages identified as spam.

1.1.4 Firewall

freeGuard 100 web content filtering also supports freeGuard 100 web category blocking. Using web

category blocking you can restrict or allow access to web pages based on content ratings of web

pages.

You can configure URL blocking to block all or some of the pages on a web site. Using this feature,

you can deny access to parts of a web site without denying access to it completely.

To prevent unintentionally blocking legitimate web pages, you can add URLs to an exempt list that

overrides the URL blocking and content blocking lists. The exempt list also exempts web traffic this

address from virus scanning.

Web content filtering also includes a script filter feature that can block unsecure web content such as

Java applets, cookies, and ActiveX.

freeGuard SPam filtering can scan all POP3, SMTP, and IMAP email content for spam. You can

configure spam filtering to filter mail according to IP address, email address, mime headers, and

content. Mail messages can be identified as spam or clear.

freeGuard 100 is an antispam system from freedom9 that includes an IP address black list, a URL

black list, and spam filtering tools. The IP address black list contains IP addresses of email servers

known to be used to generate Spam. The URL black list contains URLs of websites found in Spam

email.

You can also add the names of known third-party DNS-based Blackhole List (DNSBL) and Open

Relay Database List (ORDBL) servers. These services contain lists of known spam sources.

If an email message is found to be spam, the freeGuard 100 adds an email tag to the subject line of

the email. The recipient can use their mail client software to filter messages based on the email tag.

Spam filtering can also be configured to delete SMTP email messages identified as spam.

freeGuard 100 Administration Guide

3

The freeGuard 100 firewall protects your computer networks from Internet threats. After basic

installation of the freeGuard 100, the firewall allows users on the protected network to access the

Internet while blocking Internet access to internal networks. You can configure the firewall to put

controls on access to the Internet from the protected networks and to allow controlled access to

internal networks.

freeGuard 100 policies include a range of options that:

• control all incoming and outgoing network traffic,

• control encrypted VPN traffic,

• apply antivirus protection and web content filtering,

• block or allow access for all policy options,

• control when individual policies are in effect,

• accept or deny traffic to and from individual addresses,

• control standard and user defined network services individually or in groups,

• require users to authenticate before gaining access,

• include traffic shaping to set access priorities and guarantee or limit bandwidth for each policy,

• include logging to track connections for individual policies,

• include Network Address Translation (NAT) mode and Route mode policies,

• include mixed NAT and Route mode policies.

The freeGuard 100 firewall can operate in NAT/Route mode or Transparent mode.

NAT/Route mode

In NAT/Route mode, the freeGuard 100 is a Layer 3 device. This means that each of its interfaces is

associated with a different IP subnet and that it appears to other devices as a router. This is how a

firewall is normally deployed.

In NAT/Route mode, you can create NAT mode policies and Route mode policies.

NAT mode policies use network address translation to hide the addresses in a more secure network

from users in a less secure network.

Route mode policies accept or deny connections between networks without performing address

translation.

Transparent mode

In Transparent mode, the freeGuard 100 does not change the Layer 3 topology. This means that all of

its interfaces are on the same IP subnet and that it appears to other devices as a bridge. Typically, the

freeGuard 100 is deployed in Transparent mode to provide antivirus and content filtering behind an

existing firewall solution.

Transparent mode provides the same basic firewall protection as NAT mode. The freeGuard 100

passes or blocks the packets it receives according to firewall policies. The freeGuard 100 can be

inserted in the network at any point without having to make changes to your network or its

components. However, some advanced firewall features are available only in NAT/Route mode.

4

1.1.5 VLANs and virtual domains

The freeGuard 100 supports IEEE 802.1Q-compliant virtual LAN (VLAN) tags. Using VLAN

technology, a single freeGuard 100 can provide security services to, and control connections between,

multiple security domains according to the VLAN IDs added to VLAN packets. The freeGuard 100 can

recognize VLAN IDs and apply security policies to secure network and IPSec VPN traffic between

each security domain. The freeGuard 100 can also apply authentication, content filtering, and antivirus

protection to VLAN-tagged network and VPN traffic.

The freeGuard 100 supports VLANs in NAT/Route and Transparent mode. In NAT/Route mode, you

enter VLAN sub interfaces to receive and send VLAN packets.

freeGuard 100 virtual domains provide multiple logical firewalls and routers in a single freeGuard 100.

Using virtual domains, one freeGuard 100 can provide exclusive firewall and routing services to

multiple networks so that traffic from each network is effectively separated from every other network.

You can develop and manage interfaces, VLAN sub interfaces, zones, firewall policies, routing, and

VPN configuration for each virtual domain separately. For these configuration settings, each virtual

domain is functionally similar to a single freeGuard 100. This separation simplifies configuration

because you do not have to manage as many routes or firewall policies at one time.

1.1.6 Intrusion Prevention System (IPS)

The freeGuard 100 Intrusion Prevention System (IPS) combines signature and anomaly based

intrusion detection and prevention. The freeGuard 100 can record suspicious traffic in logs, can send

alert email to system administrators, and can log, pass, drop, reset, or clear suspicious packets or

sessions. Both the IPS predefined signatures and the IPS engine are upgradeable through the

freeGuard SP Distribution Network (FSDN). You can also create custom signatures.

1.1.7 VPN

Using freeGuard 100 virtual private networking (VPN), you can provide a secure connection between

widely separated office networks or securely link telecommuters or travellers to an office network.

freeGuard 100 VPN features include the following:

• Industry standard IPSec VPN, including:

o IPSec VPN in NAT/Route and Transparent mode,

o IPSec, ESP security in tunnel mode,

o DES, 3DES (triple-DES), and AES hardware accelerated encryption,

o HMAC MD5 and HMAC SHA1 authentication and data integrity,

o AutoIKE key based on pre-shared key tunnels,

o IPSec VPN using local or CA certificates,

o Manual Keys tunnels,

o Diffie-Hellman groups 1, 2, and 5,

o Aggressive and Main Mode,

o Replay Detection,

o Perfect Forward Secrecy,

freeGuard 100 Administration Guide

5

o XAuth authentication,

o Dead peer detection,

o DHCP over IPSec,

o Secure Internet browsing.

• PPTP for easy connectivity with the VPN standard supported by the most popular operating

systems.

• L2TP for easy connectivity with a more secure VPN standard, also supported by many popular

operating systems.

• Firewall policy based control of IPSec VPN traffic.

• IPSec NAT traversal so that remote IPSec VPN gateways or clients behind a NAT can connect to

an IPSec VPN tunnel.

• VPN hub and spoke using a VPN concentrator to allow VPN traffic to pass from one tunnel to

another through the freeGuard 100.

• IPSec Redundancy to create a redundant AutoIKE key IPSec VPN connection to a remote

network.

1.1.8 High availability

freedom9 achieves high availability (HA) using redundant hardware and the freeGuard Clustering

Protocol (FCP). Each freeGuard 100 in an HA cluster enforces the same overall security policy and

shares the same configuration settings. You can add up to 32 freeGuard 100s to an HA cluster. Each

freeGuard 100 in an HA cluster must be the same model and must be running the same OS firmware

image.

freeGuard 100 HA supports link redundancy and device redundancy.

freeGuard 100s can be configured to operate in active-passive (A-P) or active-active (A-A) HA mode.

Active-active and active-passive clusters can run in either NAT/Route or Transparent mode.

An active-passive (A-P) HA cluster, also referred to as hot standby HA, consists of a primary

freeGuard 100 that processes traffic, and one or more subordinate freeGuard 100s. The subordinate

freeGuard 100s are connected to the network and to the primary freeGuard 100 but do not process

traffic.

Active-active (A-A) HA load balances virus scanning among all the freeGuard 100s in the cluster. An

active-active HA cluster consists of a primary freeGuard 100 that processes traffic and one or more

secondary units that also process traffic. The primary freeGuard 100 uses a load balancing algorithm

to distribute virus scanning to all the freeGuard 100s in the HA cluster.

1.1.9 Secure installation, configuration, and management

The first time you power on the freeGuard 100, it is already configured with default IP addresses and

security policies. Connect to the web-based manager, set the operating mode, and use the Setup

wizard to customize freeGuard 100 IP addresses for your network, and the freeGuard 100 is ready to

protect your network. You can then use the web-based manager to customize advanced freeGuard

100 features.

You can also create a basic configuration using the freeGuard 100 command line interface (CLI).

6

Web-based manager

Using HTTP or a secure HTTPS connection from any computer running Internet Explorer, you can

configure and manage the freeGuard 100. The web-based manager supports multiple languages. You

can configure the freeGuard 100 for HTTP and HTTPS administration from any freeGuard 100

interface.

You can use the web-based manager to configure most freeGuard 100 settings. You can also use the

web-based manager to monitor the status of the freeGuard 100. Configuration changes made using

the web-based manager are effective immediately without resetting the firewall or interrupting service.

Once you are satisfied with a configuration, you can download and save it. The saved configuration

can be restored at any time.

Command line interface

You can access the freeGuard 100 command line interface (CLI) by connecting a management

computer serial port to the freeGuard 100 RS-232 serial console connector. You can also use Telnet or

a secure SSH connection to connect to the CLI from any network that is connected to the freeGuard

100, including the Internet.

The CLI supports the same configuration and monitoring functionality as the web-based manager. In

addition, you can use the CLI for advanced configuration options that are not available from the web-

based manager.

This Administration Guide contains information about basic and advanced CLI commands. For a more

complete description about connecting to and using the freeGuard 100 CLI, see the freeGuard 100

CLI Reference Guide.

Logging and reporting

The freeGuard 100 supports logging for various categories of traffic and configuration changes. You

can configure logging to:

• report traffic that connects to the firewall,

• report network services used,

• report traffic that was permitted by firewall policies,

• report traffic that was denied by firewall policies,

• report events such as configuration changes and other management events, IPSec tunnel

negotiation, virus detection, attacks, and web page blocking,

• report attacks detected by the IPS,

• send alert email to system administrators to report virus incidents, intrusions, and firewall or VPN

events or violations.

Logs can be sent to a remote syslog server or a WebTrends NetIQ Security Reporting Center and

Firewall Suite server using the WebTrends enhanced log format. You can also configure the freeGuard

100 to log the most recent events and attacks detected by the IPS to the system memory.

1.2 Document conventions

This guide uses the following conventions to describe command syntax:

freeGuard 100 Administration Guide

7

• angle brackets < > to indicate variable keywords.

For Example:

execute restore config <filename_str>

You can enter restore config myfile.bak

<xxx_str> indicates an ASCII string variable.

<xxx_integer> indicates an integer variable.

<xxx_ip> indicates an IP address variable.

• vertical bar and curly brackets {|} to separate alternative, mutually exclusive required keywords

For example:

set system opmode {nat | transparent

You can enter set system opmode nat or set system opmode transparent.

• square brackets [ ] to indicate that a keyword is optional

For example:

get firewall ipmacbinding [dhcpipmac]

You can enter get firewall ipmacbinding or get firewall ipmacbinding

dhcpipmac

1.3 freedom9 documentation

Information about freeGuard 100 products is available from the following freeGuard 100 User Manual

volumes:

freeGuard 100 Quick Install Guide

Each Quick Start Guide provides the basic information required to connect and install a freeGuard

100.

freeGuard 100 Installation Guide

Each Installation Guide provides detailed information required to install a freeGuard 100. Includes

hardware reference, default configuration, installation procedures, connection procedures, and basic

configuration procedures.

freeGuard 100 Administration Guide

Each Administration Guide describes how to configure a freeGuard 100. Configuration information

includes how to use freeGuard 100 firewall policies to control traffic flow through the freeGuard 100

and how to configure VPN, IPS, antivirus, web filtering, spam filtering. The administration guide also

describes how to use protection profiles to apply intrusion prevention, antivirus protection, web content

filtering, and spam filtering to traffic passing through the freeGuard 100.

freeGuard 100 CLI Reference Guide

Describes how to use the freeGuard 100 CLI and contains a reference to all freeGuard 100 CLI

commands.

8

freeGuard 100 Log Message Reference Guide

Describes the structure of freeGuard 100 log messages and provides information on all log messages

generated by the freeGuard 100.

freeGuard 100 Administration Guide

9

2 Web-based manager

Using HTTP or a secure HTTPS connection from any computer running a web browser, you can

configure and manage the freeGuard 100. The web-based manager supports multiple languages. You

can configure the freeGuard 100 for HTTP and HTTPS administration from any freeGuard 100

interface.

Figure 1: Web-based manager screen

You can use the web-based manager to configure most freeGuard 100 settings. You can also use the

web-based manager to monitor the status of the freeGuard 100. Configuration changes made using

the web-based manager are effective immediately without resetting the firewall or interrupting service.

Once you are satisfied with a configuration, you can back it up. The saved configuration can be

restored at any time.

For information about connecting to the web-based manager, see “Connecting to the web-based

manager” in the Installation Guide.

This chapter includes:

• Button bar features

• Web-based manager pages

2.1 Button bar features

The button bar in the upper right corner of the web-based manager provides access to several

important freeGuard 100 features.

10

Figure 2: Web-based manager button bar

• Contact Customer Support

• Easy Setup Wizard

• Console Access

• Logout

2.1.1 Contact Customer Support

The Contact Customer Support button opens the freedom9 support web page in a new browser

window. From this page you can

• Register your freeGuard 100 (Product Registration).

• Read frequently asked questions.

• Read about freedom9 and its products.

2.1.2 Easy Setup Wizard

The freeGuard 100 setup wizard provides an easy way to configure basic initial settings for the

freeGuard 100. The wizard walks through the configuration of a new administrator password,

freeGuard 100 interfaces, DHCP server settings, internal servers (web, FTP, etc.), and basic antivirus

settings. For detailed instructions on the initial setup of your freeGuard 100, see the Installation Guide.

2.1.3 Console Access

An alternative to the web-based manager user interface is the text-based command line interface

(CLI). There are some options that are configurable only from the CLI.

The Console Access button opens a Java-based terminal application. The management computer

must have Java version 1.3 or higher installed.

Page is loading ...

Freedom9 freeGuard 100 Administration Manual

Freedom9 freeGuard 100 Administration Manual

Related papers

Other documents