Rohde & Schwarz GP-E, GP-S User manual

R&S®GP-E/GP-S gateprotect Firewall
User Manual
v16.2.1 ─ 01
Cybersecurity
This document describes the following R&S®gateprotect Firewall models:
R&S®gateprotect Firewall GP-E
R&S®gateprotect Firewall GP-S
© 2017 R&S Cybersecurity gateprotect GmbH
Augustusplatz 9, 04109 Leipzig, Germany
Phone: +49 (0) 341 392 993 43-0
Fax: +49 (0) 341 392 993 43-9
Internet: https://cybersecurity.rohde-schwarz.com
Printed in Germany – Subject to change – Data without tolerance limits is not binding.
R&S® is a registered trademark of Rohde & Schwarz GmbH & Co. KG.
Trade names are trademarks of the owners.
The following abbreviations are used throughout this manual: R&S®gateprotect Firewall is indicated as gateprotect Firewall.
Contents
1 About This Manual.................................................................................9
1.1 Audience........................................................................................................................ 9
1.2 What’s in This Manual................................................................................................ 10
1.3 Conventions................................................................................................................ 10
1.4 Related Resources......................................................................................................11
1.5 About Rohde & Schwarz Cybersecurity................................................................... 11
2 Getting Started..................................................................................... 13
2.1 Logging On.................................................................................................................. 13
2.2 Resetting the Hardware.............................................................................................. 14
3 User Interface....................................................................................... 17
3.1 Web Interface Components........................................................................................17
3.1.1 Header Area..................................................................................................................18
3.1.2 Navigation Pane............................................................................................................19
3.1.3 Desktop......................................................................................................................... 19
3.2 Icons and Buttons.......................................................................................................21
3.3 Firewall Rule Settings.................................................................................................22
3.4 Menu Reference.......................................................................................................... 29
3.4.1 Firewall..........................................................................................................................29
3.4.1.1 Status............................................................................................................................ 29
3.4.1.2 Reports..........................................................................................................................30
3.4.1.3 Updates.........................................................................................................................33
3.4.1.4 Backup.......................................................................................................................... 34
3.4.1.5 Local Logs.....................................................................................................................38
3.4.1.6 Network Diagnostics..................................................................................................... 42
3.4.1.7 System.......................................................................................................................... 44
3.4.1.8 User Authentication.......................................................................................................47
3.4.1.9 License..........................................................................................................................53
3.4.1.10 Time Profiles................................................................................................................. 54
3.4.2 Network......................................................................................................................... 55
3.4.2.1 Firewall Rules................................................................................................................55
3.4.2.2 Static Routes.................................................................................................................56
3.4.2.3 Syslog Servers.............................................................................................................. 58
3.4.2.4 SSL Proxy..................................................................................................................... 59
3.4.2.5 High Availability.............................................................................................................60
3.4.2.6 Support Access............................................................................................................. 63
3.4.2.7 FTC (Forensic Traffic Capture)..................................................................................... 64
3.4.2.8 NAT Rules.....................................................................................................................66
3.4.3 LAN............................................................................................................................... 68
3.4.3.1 Ethernet Zones..............................................................................................................68
3.4.3.2 WLAN Zones.................................................................................................................72
3.4.3.3 VLAN Zones..................................................................................................................76
3.4.4 WAN..............................................................................................................................78
3.4.4.1 Connection Monitoring.................................................................................................. 78
3.4.4.2 DynDNS Accounts........................................................................................................ 80
3.4.4.3 Failover Settings........................................................................................................... 82
3.4.4.4 WAN Zone.....................................................................................................................84
3.4.4.5 Port Forwarding.............................................................................................................89
3.4.4.6 IP Forwardings.............................................................................................................. 90
3.4.4.7 Policy Based Routes..................................................................................................... 92
3.4.5 Nodes............................................................................................................................94
3.4.5.1 Custom Hosts................................................................................................................94
3.4.5.2 Network Groups............................................................................................................ 95
3.4.5.3 Custom Networks..........................................................................................................96
3.4.6 UTM.............................................................................................................................. 97
3.4.6.1 Invalid Protocols............................................................................................................97
3.4.6.2 IPS/IDS Profiles............................................................................................................ 98
3.4.6.3 Web Filter Profiles.......................................................................................................100
3.4.6.4 Antispam Settings....................................................................................................... 103
3.4.6.5 Antivirus Settings........................................................................................................ 104
3.4.6.6 Mail Filter Settings.......................................................................................................105
3.4.7 VPN.............................................................................................................................107
3.4.7.1 IPsec........................................................................................................................... 108
3.4.7.2 OpenVPN.................................................................................................................... 117
3.4.8 Certificate Management.............................................................................................. 121
3.4.8.1 Certificates.................................................................................................................. 122
3.4.8.2 Templates................................................................................................................... 125
3.4.8.3 OCSP/CRL Settings....................................................................................................126
3.4.8.4 Truststore.................................................................................................................... 126
4 Application Examples........................................................................129
4.1 Firewall Rule Examples............................................................................................ 129
4.1.1 Blocking Certain Websites Using Applications............................................................130
4.1.2 Blocking Certain Websites Using Web Filters.............................................................130
4.1.3 Allowing Certain Websites Using Web Filters............................................................. 132
4.1.4 Forcing Secure Communication..................................................................................134
4.1.5 Using Quality of Service..............................................................................................135
4.1.6 Using DHCP in Bridge Mode.......................................................................................136
4.2 Setting Up Single Sign-On....................................................................................... 137
4.2.1 Configuring the NTP Server........................................................................................ 137
4.2.2 Preparing the Domain Controller.................................................................................137
4.2.3 Configuring the Firewall.............................................................................................. 139
4.2.4 Configuring User-Specific Firewall Rules....................................................................142
4.2.5 Configuring the Windows Clients................................................................................ 143
4.3 Setting Up a Static Route......................................................................................... 145
4.4 Using NAT Rules....................................................................................................... 146
4.4.1 Destination NAT.......................................................................................................... 146
4.4.2 Source NETMAP.........................................................................................................146
4.5 Setting Up a Syslog Server...................................................................................... 146
4.6 Setting Up a VLAN.................................................................................................... 148
4.7 Setting Up Port Forwarding..................................................................................... 149
4.8 Sorting Policy-Based Routes...................................................................................150
4.8.1 Sorting IP Addresses.................................................................................................. 150
4.8.2 Sorting Ports and IP Addresses.................................................................................. 150
4.8.3 Overall Sorting............................................................................................................ 151
4.9 Setting Up the Mail Filter with SSL Inspection.......................................................152
4.10 Handling Certificates................................................................................................ 153
4.10.1 Creating a Certificate.................................................................................................. 153
4.10.2 Importing a Certificate................................................................................................. 153
4.10.3 Replacing a Certificate................................................................................................ 154
4.10.4 Exporting a Certificate.................................................................................................155
4.10.5 Exporting a Certificate Signing Request..................................................................... 155
4.10.6 Suspending a Certificate............................................................................................. 156
4.10.7 Resuming a Certificate................................................................................................156
4.10.8 Renewing a Certificate................................................................................................ 156
4.10.9 Revoking a Certificate................................................................................................. 157
4.11 Setting Up OCSP/CRL Services...............................................................................157
4.12 VPN Setup Examples................................................................................................ 158
4.12.1 Setting Up a Client-to-Site VPN via IPsec...................................................................159
4.12.1.1 Setting Up the VPN Connection..................................................................................160
4.12.1.2 Setting Up Authentication............................................................................................175
4.12.2 Setting Up a Site-to-Site VPN via IPsec......................................................................177
4.12.2.1 Creating VPN Certificates........................................................................................... 177
4.12.2.2 Setting Up the VPN Connection..................................................................................181
4.12.2.3 Setting Up IPsec Site-to-Site for Complex Networks.................................................. 185
4.12.3 Setting Up a Client-to-Site VPN via OpenVPN........................................................... 187
4.12.3.1 Creating a VPN Certificate.......................................................................................... 187
4.12.3.2 Configuring Authentication.......................................................................................... 188
4.12.3.3 Setting Up the VPN Connection..................................................................................190
4.12.4 Setting Up a Site-to-Site VPN via OpenVPN.............................................................. 192
4.12.4.1 Creating VPN Certificates........................................................................................... 193
4.12.4.2 Setting Up the Primary Box.........................................................................................196
4.12.4.3 Setting Up the Secondary Box.................................................................................... 199
4.12.4.4 Connecting the Remote Networks.............................................................................. 201
4.13 Decoder Examples.................................................................................................... 201
4.13.1 Blocking PDF Files......................................................................................................202
4.13.2 Blocking Microsoft Office Files.................................................................................... 202
4.13.3 Blocking Web Hosts.................................................................................................... 202
4.13.4 Blocking Keywords in Webmail................................................................................... 203
4.13.5 Blocking Keywords in Mail Clients.............................................................................. 203
4.13.6 Using Anchors in String Decoders.............................................................................. 204
4.13.7 Using IEC 104 Protocol Decoders.............................................................................. 205
Annex.................................................................................................. 209
A Decoder Reference............................................................................ 209
A.1 FTP Commands.........................................................................................................209
A.2 HTTP MIME Types..................................................................................................... 211
Index....................................................................................................231
1 About This Manual
The gateprotect Firewall User Manual describes the innovative next-generation firewall
solution from Rohde & Schwarz Cybersecurity. gateprotect Firewall integrates firewall,
intrusion prevention, application control, web filtering, malware protection and many
more functions in a single system.
Figure 1-1: Sample gateprotect Firewall GP-E-1200.
This document applies to two gateprotect Firewall product lines:
Extended Line - Easy to configure - the firewall solution for complex office networks in medium-sized companies
Specialized Line - Easy to customize - the perfectly tailored solution that meets the high demands of complex network structures in industry and enterprise environments
There are license-based features that distinguish individual product models within the two product lines from one another. For more information about your specific gateprotect Firewall, see the information on the relevant data sheet.
See the topics below for more information about this document.
1.1 Audience
This manual is for the networking or computer technician responsible for installing and configuring gateprotect Firewall and employees that use the web interface to define traffic filtering rules.
To use this document effectively, you have to have the following skills depending on your responsibilities:
To install and configure the hardware, you have to be familiar with telecommunications equipment and installation procedures. You also have to have good experience as a network or system administrator.
To define filtering rules, you need to understand basic TCP/IP networking concepts.
1.2 What’s in This Manual
The contents of this manual are designed to assist you in installing and configuring
gateprotect Firewall.
This document includes the following chapters and appendixes:
1. Chapter 2, "Getting Started", on page 13
Log on to gateprotect Firewall to set up the system for your network.
2. Chapter 3, "User Interface", on page 17
The sections in this chapter describe the components of the gateprotect Firewall
user interface.
3. Chapter 4, "Application Examples", on page 129
This chapter includes various examples that illustrate how to use firewall rules to
manage network traffic, set up specific features, services and VPN connections,
and configure decoders to block communication containing certain file types or
keywords.
4. Chapter A, "Decoder Reference", on page 209
The gateprotect Firewall protocol decoder can detect FTP commands and HTTP
MIME types in traffic flows.
1.3 Conventions
This topic explains the typographic conventions and other notations used to represent information in this manual.
Elements of the web-based graphical user interface (GUI, or »web interface«) are indicated as follows:
Buttons, checkboxes, list names and other controls appear in quotation marks. For example: »Click "Save" to create the rule.«
A sequence of menu commands is indicated as follows: "Firewall > Status". In this case, select "Status" from the "Firewall" menu.
List options and literal text both appear in a fixed-width font. For example: »The default filename is set to config.tar.gz«
Terms that require extended definitions or explanations are indicated in italics. For example, the term application is often used to refer to a software program. In this manual, however, it usually means the Layer 7 protocol used by the program on the Application Layer of the OSI reference model. With Skype traffic, for example, the terms application and protocol are used interchangeably.
Notes
The following types of notes are used in this manual to indicate information which
expands on or calls attention to a particular point.
This note is a little hint that can help make your work easier.
This note contains important additional information.
This note contains information that is important to consider. Non-observance can damage your gateprotect Firewall or put your network security at risk.
1.4 Related Resources
This section describes additional documentation and other resources for information on
gateprotect Firewall.
Refer to these resources for more information on gateprotect Firewall:
A separate gateprotect Firewall Getting Started guide is provided with the gateprotect Firewall hardware. The document describes the installation procedure and first steps to start working.
Getting Started guides are also available for the virtual machines (VM) of gateprotect Firewall. The platform-specific documents are provided for all types of supported virtualization software.
How-tos describe specific configuration scenarios and solutions.
Data sheets summarize the technical characteristics of the different gateprotect Firewall hardware models.
Release Notes provide the latest information on each release.
Our website at cybersecurity.rohde-schwarz.com provides a wealth of information about our products and solutions and the latest company news and events.
For additional documents such as technical specifications, please visit the mygateprotect portal at www.mygateprotect.com.
1.5 About Rohde & Schwarz Cybersecurity
Rohde & Schwarz Cybersecurity protects companies and public institutions worldwide
against espionage and cyber attacks.
The company develops and produces high-end encryption products, next-generation firewalls, network traffic analytics and endpoint security software as leading-edge technical solutions for information and network security requirements.
Rohde & Schwarz, active for over 20 years in the field of IT security, is now expanding
into this sector. The integration of enterprise security experts gateprotect, ipoque and
Sirrix has created the new brand »Rohde & Schwarz Cybersecurity« as the leading
European provider of cybersecurity solutions.
The trustworthy IT solutions are developed based on the »Security by Design« principle, which proactively prevents cyber attacks rather than reacting to a known threat. This new approach even protects against complex attacks that use zero-day exploits to expose the weakness of existing antivirus software or traditional firewalls.
For more information, visit our website at cybersecurity.rohde-schwarz.com.
2 Getting Started
2.1 Logging On
Log on to gateprotect Firewall to set up the system for your network.
After having completed the installation and licensing procedure for gateprotect Firewall
as described in the gateprotect Firewall Getting Started guide, you can begin working
with the firewall:
1. On the gateprotect Firewall logon page, enter admin as the "User Name" and the
factory default "Password" gateprotect.
Figure 2-1: Logging on to gateprotect Firewall.
2. Click "Login" .
3. After your first login using the standard credentials, the system prompts you to
change your password. You cannot skip this step.
Note: If you forget the new password entered, the password can only be reset by
setting the system back to the factory default configuration as described under
Chapter 2.2, "Resetting the Hardware", on page 14.
Note: The admin password is included in a system backup.
The web interface appears.
After three unsuccessful login attempts, you will be blocked for an hour to prevent
unauthorized access. Every new attempt during that hour resets the waiting period.
After one hour without login attempts, you can log on to gateprotect Firewall again with
valid credentials.
You are automatically logged out after 10 minutes of inactivity.
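As an added illustration (not code from the manual or the firewall itself), the following Python model encodes the logon lockout rules stated above together with the password-change rule from Chapter 3.1.1 (at least eight characters, not identical with the current password); the credential and timestamps are constructed sample values. The audit list collects the events an administrator would want forwarded to a syslog server, because attempts made during the lockout window keep extending it and therefore keep the admin account unavailable.

```python
"""Model of the gateprotect Firewall admin logon policy from Chapter 2.1.

Constructed illustration, not firmware code. Rules taken from the manual:
- three unsuccessful attempts block the account for one hour,
- every new attempt during that hour restarts the hour,
- after one hour without attempts, valid credentials are accepted again,
- a new password (Chapter 3.1.1) needs at least eight characters and must
  differ from the current one.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MAX_FAILURES = 3          # attempts before the block starts
LOCKOUT_SECONDS = 3600    # "blocked for an hour"
MIN_PASSWORD_LENGTH = 8


@dataclass
class LoginGuard:
    password: str                              # constructed sample credential
    failures: int = 0                          # consecutive failed attempts
    locked_until: Optional[float] = None       # end of the current lockout window
    audit: List[Tuple[float, str, str]] = field(default_factory=list)

    def attempt(self, supplied: str, now: float) -> str:
        """Evaluate one logon attempt at time `now` (seconds).

        Returns "ok", "denied" or "locked". A plain string comparison stands
        in for the real credential check.
        """
        if self.locked_until is not None:
            if now < self.locked_until:
                # Any attempt inside the window, even with the right password,
                # restarts the full hour. A continuous stream of bad attempts
                # therefore keeps the admin locked out, which is why these
                # events belong in the syslog feed.
                self.locked_until = now + LOCKOUT_SECONDS
                self.audit.append((now, "locked", "attempt during lockout, window restarted"))
                return "locked"
            # An hour passed with no attempts: the block is over.
            self.locked_until = None
            self.failures = 0

        if supplied == self.password:
            self.failures = 0
            self.audit.append((now, "ok", "admin logon"))
            return "ok"

        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked_until = now + LOCKOUT_SECONDS
            self.audit.append((now, "denied", f"failure {self.failures}, lockout starts"))
        else:
            self.audit.append((now, "denied", f"failure {self.failures}"))
        return "denied"

    def is_locked(self, now: float) -> bool:
        """True while the lockout window is still running (read-only check)."""
        return self.locked_until is not None and now < self.locked_until


def check_new_password(current: str, new: str) -> Optional[str]:
    """Return None if `new` satisfies the manual's rules, else the reason."""
    if len(new) < MIN_PASSWORD_LENGTH:
        return "at least eight characters required"
    if new == current:
        return "new password must differ from the current one"
    return None


def run_scenario(events: List[Tuple[float, str]], password: str) -> List[str]:
    """Replay (timestamp, supplied_password) pairs and return the outcomes."""
    guard = LoginGuard(password)
    return [guard.attempt(supplied, when) for when, supplied in events]


if __name__ == "__main__":
    # Constructed timeline: three failures, then correct-password attempts
    # every 30 minutes, which only prolong the block; the last one succeeds
    # because a full hour has passed without any attempt.
    timeline = [(0, "x"), (5, "x"), (10, "x"),
                (1800, "s3cret-pw"), (3600, "s3cret-pw"), (7201, "s3cret-pw")]
    for when, outcome in zip([t for t, _ in timeline], run_scenario(timeline, "s3cret-pw")):
        print(f"t={when:>5}s  {outcome}")
```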
Set your browser configuration to clear all session data and cookies when the browser is closed. Otherwise, your admin session will be restored after the computer is rebooted and unauthorized persons can access the firewall.
2.2 Resetting the Hardware
If you cannot access the web interface, you can reset the system to the factory default
configuration.
Connect the ports labeled eth2 and eth3 with a patch cable, then power off and
power on.
Figure 2-2: Resetting the hardware of the gateprotect Firewall GP-S series.
With models GP-E-1000/GP-S-1800 or higher, connect the first two ports in the first
module (for example eth11 and eth12) with a patch cable, then power off and power
on.
Figure 2-3: Resetting the hardware of gateprotect Firewall models GP-E-1000/GP-S-1800 or higher.
The kind of power button (power off switch, push button or power off button) and its
location differ by hardware model.
The default settings are restored.
Booting to a factory reset can take up to 5 minutes.
3 User Interface
The sections in this chapter describe the components of the gateprotect Firewall user
interface.
The gateprotect Firewall web interface requires a minimum display resolution of
1024 × 786 pixels (XGA).
The following browser versions (or newer) are supported, with JavaScript enabled:
Google Chrome 10
Firefox 12
The first sections provide an overview of the main components of the web interface.
The next topic explains the meaning of the icons and buttons commonly used on the
user interface and throughout this manual.
The following topic describes how a firewall rule for a connection between two desktop
nodes is set up.
The remaining topics correspond to the menu items in the navigation bar on the left side of the user interface. For information on the available options, see the corresponding section.
3.1 Web Interface Components
The gateprotect Firewall web interface uses a standard tri-pane page layout with a
common header area, a left navigation pane, and a main content pane on the right.
Figure 3-1: gateprotect Firewall web interface.
The information displayed in each area is described in the following sections.
3.1.1 Header Area
The header area (1) contains the following elements (from left to right):
Figure 3-2: gateprotect Firewall web interface header area.
the button to hide or show the navigation bar (the navigation bar is displayed by default, see Chapter 3.1.2, "Navigation Pane", on page 19),
the Rohde & Schwarz Cybersecurity logo,
the current system status information, expressing the system load and the memory and disk usage as a percentage, so you can quickly spot system performance bottlenecks,
a user menu that allows you to select the language to be used in the web interface, a menu to change the current user's password (the new password has to be at least eight characters long and cannot be identical with the current password) and to end the current user session and return to the login dialog and
a link which provides access to a PDF version of the gateprotect Firewall User Manual. Depending on your browser settings, the PDF file is either displayed in a new tab or window, or downloaded.
In addition, the header area displays unsaved configuration changes if you close an editor panel by pressing the Esc key on your computer keyboard (unsaved changes are not displayed if you close an editor panel by clicking the button in the upper right corner of the panel, however).
The PDF version of the gateprotect Firewall User Manual is also available from the
logon page. Click on "User Manual" to access the file.
3.1.2 Navigation Pane
The navigation pane (2) is on the left side of the web interface and consists of two parts. The links in the left navigation bar provide access to the gateprotect Firewall settings. The item list bar on the right is used to display information on the current desktop configuration.
Both bars contain a search field at the top which can filter the lists to help you quickly find menus or items. Each search field works for the bar it is part of only. As you type in the search field, gateprotect Firewall reduces the lists to show only those menus or items that contain the characters you are typing.
The information displayed in the item list bar depends on, firstly, the menu item selected in the navigation bar and, secondly, how much information you desire to be displayed. You can unfold more detailed information or reduce the amount of information presented by clicking the corresponding button in the upper right corner of this pane.
To view the complete list of menus or items again, reset the search by clicking in the search field.
See Chapter 3.4, "Menu Reference", on page 29 for details on the options available
in each view.
3.1.3 Desktop
The desktop (3) fills the main portion of the screen below the header area and to the
right of the navigation pane. The information displayed here depends on the item
selected in the navigation pane or on the desktop.
Figure 3-3: gateprotect Firewall desktop.
On the desktop you always have a complete overview of your entire configured network. You can edit various settings in this pane or view the details of a configuration.
A toolbar at the top of the desktop allows you to create and edit objects or connections. To create an object on the desktop, click with the left mouse button on the desired button in the toolbar, keep the mouse button pressed and drag the object onto the desktop. Depending on the type of object you are creating, an editor panel automatically opens where you can enter the required data for the object. To delete an object from the desktop, click the object with the left mouse button and select the remove button from the circular menu.
If the system configuration changes, the "Activate" button is highlighted, prompting you to update your configuration. Click this button to save your current desktop configuration changes and to activate them on the firewall.
The buttons that appear in the circular menu when you click an object with the left mouse button allow you to adjust the settings for an existing object, to create a connection between two existing objects, to hide or display objects attached to the object, to unpin an object from a specific location on the desktop or to remove it from the desktop.