This document applies to the R&S®Unified Firewalls software version 10.2. It describes the following
R&S®Unified Firewalls models:
● R&S®Unified Firewalls GP-U
● R&S®Unified Firewalls GP-E
● R&S®Unified Firewalls GP-S
● R&S®Unified Firewalls GP-T
● R&S®Unified Firewalls UF
● R&S®Unified Firewalls UF-T
This product uses several valuable open source software packages. For more information, see the Open Source Acknowledgement
document, which you can obtain separately.
The open source software is provided free of charge. You are entitled to use the open source software in accordance with the
respective license conditions as provided in the Open Source Acknowledgement document.
Rohde & Schwarz would like to thank the open source community for their valuable contribution to embedded computing.
R&S® is a registered trademark of Rohde & Schwarz GmbH & Co. KG.
Trade names are trademarks of the owners.
3646.4026.02 | Version 02 | R&S®Unified Firewalls
Throughout this user manual, Rohde & Schwarz products are indicated without the ® symbol, e.g. R&S®Unified Firewalls is indicated
as R&S Unified Firewalls.
Contents
1 About This Manual ... 7
The R&S Unified Firewalls User Manual describes the innovative firewall solution from
Rohde & Schwarz Cybersecurity GmbH. R&S Unified Firewalls integrates firewall,
intrusion prevention, application control, web filtering, malware protection and many
more functions in a single system.
Figure 1-1: Sample R&S Unified Firewalls UF-2000.
This document applies to all R&S Unified Firewalls models.
There are license-based features that distinguish individual product models from one
another. For further information about your specific model, see the information on the
relevant data sheet.
See the topics below for further information about this document.
1.1 Audience
This manual is for the networking or computer technician responsible for installing and
configuring R&S Unified Firewalls systems and employees that use the web client to
define traffic filtering rules.
To use this document effectively, you must have the following skills depending on your
responsibilities:
● To install and configure the hardware, you must be familiar with telecommunications equipment and installation procedures. You also need solid experience as a network or system administrator.
● To define filtering rules, you need to understand basic TCP/IP networking concepts.
1.2 What's in This Manual
The contents of this manual are designed to assist you in configuring R&S Unified Firewalls.
This document includes the following chapters:
● Chapter 2, "Getting Started", on page 11
  Log on to R&S Unified Firewalls to set up the system for your network.
● Chapter 3, "User Interface", on page 17
  The sections in this chapter describe the components of the user interface of R&S Unified Firewalls.
We are committed to providing documentation that meets your needs. To help us improve the documentation, send any errors, suggestions, or comments to doc.ipoque@rohde-schwarz.com. When submitting your feedback, include the document title and the document number located at the bottom of each chapter's page.
1.3 Conventions
This topic explains the typographic conventions and other notations used to represent
information in this manual.
Elements of the web-based graphical user interface (GUI, or »web client«) are indicated as follows:

"Graphical user interface elements"
    All names of graphical user interface elements on the screen, such as menu items, buttons, checkboxes, dialog boxes and list names, are enclosed in quotation marks.

"Top-level menu item > submenu element"
    A sequence of menu commands is indicated by greater-than symbols between the menu items, with the whole sequence enclosed in quotation marks. Select the submenu element from the top-level menu item.

[Keys]
    Key names are enclosed in square brackets.

List options, literal text, filenames, commands, program code
    List options, literal text, filenames, commands, coding samples and screen output are distinguished by their fixed-width font.

Links
    Links that you can click (e.g. references to other parts within this manual) are displayed in blue font.

References
    References to parts of the product documentation are displayed in italics.
Notes
The following types of notes are used in this manual to indicate information that
expands on or calls attention to a particular point:
● Tip: This note is a little hint that can help make your work easier.
● Note: This note contains important additional information.
● Caution: This note contains information that is important to consider. Non-observance can damage R&S Unified Firewalls or put your network security at risk.
1.4 Related Resources
This section describes additional documentation and other resources for information on
R&S Unified Firewalls.
Refer to the following related documents and resources:
● Data Sheets summarize the technical characteristics of the different R&S Unified Firewalls hardware models.
● Release Notes provide the latest information on each release.
● Our website at cybersecurity.rohde-schwarz.com provides a wealth of information about our products and solutions as well as the latest company news and events.
For additional documents such as technical specifications, please visit the myrscs portal at myrscs.rohde-schwarz.com.
2 Getting Started
This document provides all the required information on how to set up and configure
your R&S Unified Firewalls device.
To get started, please follow the steps described below.
When first started after delivery or a new installation, R&S Unified Firewalls runs as a
test version for 30 days. For further information, see Chapter 3.4.1.5, "License",
on page 36.
2.1 Logging On
1. Unpack your preinstalled R&S Unified Firewalls device.
2. Connect a patch cable to the port labeled "eth1" on the front of your R&S Unified Firewalls device and to the Ethernet port on your computer.
3. Configure your computer with a static IP address between 192.168.1.1 and 192.168.1.253 and the subnet mask 255.255.255.0 (i.e. any address in 192.168.1.0/24 except the firewall's own address 192.168.1.254).
4. Power your R&S Unified Firewalls device on.
5. Start a web browser on your computer.
6. Enter https://192.168.1.254:3438 in the address bar of your browser.
7. Create an exception for the certificate warning. The browser warns because the factory default certificate is not issued by a certificate authority your computer trusts; note the certificate's fingerprint when you accept it so that a different certificate is noticed on later logons.
The R&S Unified Firewalls logon page appears.
8. On the logon page of the R&S Unified Firewalls web client, enter admin as the
"User Name" and the factory default "Password" admin.
9. Click "Login".
10. After your first logon using the standard credentials, the system prompts you to change the following two passwords:
● The admin user password ‒ You need the user password to log on to the R&S Unified Firewalls web client.
● The console password ‒ You need the console password to log on to R&S Unified Firewalls using SSH.
The new user password and the console password must consist of at least six and can have up to 255 characters (letters of the English alphabet, digits and special characters are allowed). Six characters is only the minimum the system enforces; both accounts give full control of the firewall, so choose considerably longer passwords.
You cannot skip this step.
The web client appears.

2.2 Configuring Your Internet Connection
1. Connect a patch cable to the port labeled "eth0" on the front of your R&S Unified Firewalls device and to the LAN port of the device that you received from your provider to access the Internet (e.g. your router, DSL or cable modem).
2. In the navigation pane on the left side of the web client, navigate to "Network > Connections".
The item list bar on the right of the navigation bar opens.
3. Click the expand button in the upper right corner of the item list bar to see which network connection is assigned to which interface.
The item list bar expands.
4. Delete the "Default connection on eth0" by clicking the (Click to delete) button in the last table column in the same row.
5. Depending on the type of your Internet access, proceed according to one of the following three approaches:

Dial-up Connection
1. Navigate to "Network > Interfaces > PPP Interfaces".
2. In the item list bar, click the (Create a new item) button to create a new PPP interface.
The "PPP Interface" dialog opens, allowing you to configure a PPP interface.
3. From the "Master Interface" drop-down list, select "eth0".
4. Unless stated otherwise by your provider, leave the other settings at their default values.
5. Click "Create".
The "PPP Interface" dialog closes. The new interface is added to the list of available PPP interfaces in the item list bar.
6. Navigate to "Network > Connections > PPP Connections".
7. In the item list bar, click the (Create a new item) button to create a new PPP connection.
The "PPP Connection" dialog opens, allowing you to configure a PPP connection.
8. Enter a "Name" for your PPP connection.
9. Enter the credentials predefined by your provider.
10. Unless stated otherwise by your provider, leave the other settings at their default values.
11. Click "Create".
The "PPP Connection" dialog closes. The new connection is added to the list of available PPP connections in the item list bar.
12. Click "Activate" in the toolbar at the top of the desktop to apply your configuration changes.
You have successfully configured your Internet connection.

Cable or Router Connection with Dynamic IP
1. Navigate to "Network > Connections > Network Connections".
2. In the item list bar, click the (Create a new item) button to create a new network connection.
The "Network Connection" dialog opens, allowing you to configure a network connection.
3. Enter a "Name" for your network connection.
4. Under "Interface", select "eth0" from the drop-down list.
5. Under "Type", select "DHCP" from the drop-down list.
6. Select the "Obtain DNS Server" checkbox.
7. Select the "Obtain Domain" checkbox.
8. Click "Create".
The "Network Connection" dialog closes. The new connection is added to the list of available network connections in the item list bar.
9. Click "Activate" in the toolbar at the top of the desktop to apply your configuration changes.
You have successfully configured your Internet connection.

Static Internet Connection with Static IP
1. Navigate to "Network > Connections > Network Connections".
2. In the item list bar, click the (Create a new item) button to create a new network connection.
The "Network Connection" dialog opens, allowing you to configure a network connection.
3. Enter a "Name" for your network connection.
4. Under "Interface", select "eth0" from the drop-down list.
5. Under "Type", select "Static" from the drop-down list.
6. Under "IP Addresses", enter the IP address and the subnet mask.
7. Click the add button on the right of the entry to add it to the list of IP addresses.
8. Go to the "WAN" tab.
9. Select the "Set Default Gateway" checkbox.
10. Under "Default Gateway", enter your default gateway IP address.
11. Click "Create".
The "Network Connection" dialog closes. The new connection is added to the list of available network connections in the item list bar.
12. Navigate to "Network > DNS Settings".
The "DNS Settings" dialog opens, allowing you to configure the DNS settings of your R&S Unified Firewalls.
13. Clear the "Acquire DNS server" checkbox.
The "1. Nameserver"/"2. Nameserver" input fields become editable.
14. Under "1. Nameserver"/"2. Nameserver", enter the IP addresses of the DNS server(s) provided by your provider.
15. Click "Save" to store your settings.
The "DNS Settings" dialog closes.
16. Click "Activate" in the toolbar at the top of the desktop to apply your configuration changes.
You have successfully configured your Internet connection.
2.3 Enabling Internet Access
Creating an Internet Object
1. Navigate to "Desktop > Desktop Objects > Internet Objects".
2. In the item list bar, click the (Create a new item) button to create a new Internet object.
The "Internet Object" dialog opens, allowing you to configure an Internet object.
3. Under "Object Name", enter a name for your Internet object.
4. From the "Connections" drop-down list, select your Internet connection.
5. Click "Create".
The "Internet Object" dialog closes. The new object is added to the list of available Internet objects in the item list bar.
For more information, see Chapter 3.4.4.2, "Desktop Objects", on page 97.
Configuring Your Local Network Connection
1. Connect a patch cable to one of the ports labeled "ethX" (except "eth0", which is used for the Internet connection) on the front of your R&S Unified Firewalls device and to one of the Ethernet ports on your network switch.
2. Navigate to "Network > Connections > Network Connections".
3. In the item list bar, click the (Create a new item) button to create a new network connection.
The "Network Connection" dialog opens, allowing you to configure a network connection.
4. Enter a "Name" for your network connection.
5. Under "Interface", select the port to which you have connected your network switch from the drop-down list.
6. Under "Type", select "Static" from the drop-down list.
7. Under "IP Addresses", enter the IP address of this connection in CIDR notation (IP address followed by a slash »/« and the number of bits set in the subnet mask, for example 192.168.50.1/24) to match your local network.
8. Click "Create".
The "Network Connection" dialog closes.

Creating a Network Object
1. Navigate to "Desktop > Desktop Objects > Networks".
2. In the item list bar, click the (Create a new item) button to create a new network object.
The "Network" dialog opens, allowing you to configure a network object.
3. Enter a "Name" for the network object.
4. Select the "Interface" of the network connection that you have just created.
5. Under "Network IP", enter the IP address of your local network.
6. Click "Create".
The "Network" dialog closes. The new object is added to the list of available network objects in the item list bar.
For more information, see Chapter 3.4.4.2, "Desktop Objects", on page 97.

Configuring Firewall Rules for Internet Access
1. Set up a connection between the network object and the Internet object that you have just created:
a) Click the connection tool button in the toolbar at the top of the desktop.
The desktop objects which can be selected for this connection and possible connections between them are highlighted and marked by dotted circles and lines.
b) Select the network object as the source object of the connection by clicking the corresponding desktop object.
c) Select the Internet object as the target object of the connection by clicking the corresponding desktop object.
You are automatically navigated to "Desktop > Desktop Connections" and the "Connection" editor panel opens.
Alternatively, you can click the connection button in the circular menu of the source object on the desktop and then select the target object.
2. Set up a firewall rule with HTTP and/or HTTPS, depending on your needs:
a) In the "Rules" tab of the "Connection" editor panel, the services to which the firewall rule can be applied are displayed in the service selection list bar on the right side of the browser window. The list bar is subdivided into categories of services which serve a similar purpose. Use the "Filter" input field at the top of the service selection list bar to quickly find HTTP and/or HTTPS. As you type in the input field, R&S Unified Firewalls reduces the list to show only those services and service groups that contain the characters you are typing.
Add "HTTP" and "HTTPS" from the "Internet" category by clicking the add button in front of the services.
The selected services are removed from the service selection list bar and are displayed in the table in the "Rules" tab.
b) Click "Create".
The "Connection" dialog closes. The new desktop connection is added to the list of available desktop connections in the item list bar.
For more information, see Chapter 3.3, "Firewall Rule Settings", on page 23.

Activating the Desktop Configuration
Click "Activate" in the toolbar at the top of the desktop to apply your configuration changes. Until you do, the rules you created exist only in the configuration and no traffic is passed according to them.
You have successfully enabled Internet access from your local network through your R&S Unified Firewalls.
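A check a practitioner can run from the admin workstation before accepting the certificate warning in step 7 of Chapter 2.1: it validates the workstation address against the setup range given there and records the SHA-256 fingerprint of the certificate the web client presents, so the browser exception is created for a known certificate and a changed certificate stands out on later logons. This is an added example, not code from the manual or from the product; the only facts it relies on are the address, port and workstation range stated in Chapter 2.1. It makes no logon attempt, since the manual documents no logon API.

```python
#!/usr/bin/env python3
"""First-logon checks for the Chapter 2.1 setup (added example, not part of the manual).

Assumes only what the manual states: the web client listens on
https://192.168.1.254:3438 and the workstation must use a static address
between 192.168.1.1 and 192.168.1.253 in the 192.168.1.0/24 network.
"""
import hashlib
import ipaddress
import socket
import ssl
import sys

FIREWALL_IP = "192.168.1.254"  # factory default web client address (Chapter 2.1, step 6)
WEB_CLIENT_PORT = 3438         # factory default web client port (Chapter 2.1, step 6)
SETUP_NETWORK = ipaddress.ip_network("192.168.1.0/24")


def in_setup_range(address: str) -> bool:
    """True if `address` is a usable workstation address for the setup link:
    inside 192.168.1.0/24, neither the network nor the broadcast address,
    and not the firewall's own address."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False
    if ip not in SETUP_NETWORK:
        return False
    if ip in (SETUP_NETWORK.network_address, SETUP_NETWORK.broadcast_address):
        return False
    return ip != ipaddress.ip_address(FIREWALL_IP)


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, in the colon-separated
    upper-case form browsers show in their certificate viewer."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_peer_cert_der(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Open a TLS connection and return the server's leaf certificate as DER.

    Verification is deliberately disabled: the factory certificate is not
    trusted by the workstation (that is why the browser warns in step 7), and
    the goal here is to record what is being presented. Note that with
    verification off, getpeercert() returns an empty dict; only
    getpeercert(binary_form=True) still yields the certificate.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False      # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def main(argv: list[str]) -> int:
    if len(argv) != 2:
        print(f"usage: {argv[0]} <workstation-ip>", file=sys.stderr)
        return 2
    if not in_setup_range(argv[1]):
        print(f"{argv[1]} is not a valid setup address; use 192.168.1.1 to "
              f"192.168.1.253 with mask 255.255.255.0", file=sys.stderr)
        return 1
    der = fetch_peer_cert_der(FIREWALL_IP, WEB_CLIENT_PORT)
    print(f"web client: https://{FIREWALL_IP}:{WEB_CLIENT_PORT}")
    print(f"certificate SHA-256: {cert_fingerprint(der)}")
    print("Record this fingerprint before creating the browser exception and compare "
          "it on later logons; a change means a different certificate is presented.")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 first_logon_check.py 192.168.1.10` from the workstation cabled to "eth1". The fingerprint it prints is that of whatever certificate currently terminates TLS on port 3438; after you replace the factory certificate with your own (see the certificate buttons in Chapter 3.2), re-run it once and keep the new value as the reference.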
3 User Interface
The sections in this chapter describe the components of the user interface of R&S Unified Firewalls.
The web client of R&S Unified Firewalls requires a minimum display resolution of 1024 × 768 pixels (XGA).
The following browser versions (or newer) are supported, with JavaScript enabled:
● Google Chrome 10
● Chromium 10
● Mozilla Firefox 12
Chapter 3.1, "Web Client Components", on page 17 provides an overview of the
main components of the web client.
Chapter 3.2, "Icons and Buttons", on page 21 explains the meaning of the icons and
buttons commonly used on the user interface and throughout this manual.
Chapter 3.3, "Firewall Rule Settings", on page 23 describes how to set up a firewall
rule for a connection between two desktop objects.
Chapter 3.4, "Menu Reference", on page 26 reflects the arrangement of the menu
items in the navigation bar on the left side of the user interface. For information on the
available options, see the corresponding section.
3.1 Web Client Components
The web client of R&S Unified Firewalls uses a standard tri-pane page layout with a
common header area, a navigation pane on the left and a main content pane (desktop)
on the right.
Figure 3-1: R&S Unified Firewalls web client.
1 = Header area
2 = Navigation pane
3 = Desktop
The information displayed in each area is described in the following sections.
3.1.1 Header Area
The header area (1) contains the following elements (from left to right):
Figure 3-2: R&S Unified Firewalls web client header area.
● the button to hide or show the navigation bar (the navigation bar is displayed by default, see Chapter 3.1.2, "Navigation Pane", on page 19),
● the Rohde & Schwarz Cybersecurity GmbH logo,
● a language menu that allows you to select the language to be used in the web client,
● a user menu to end the current user session and return to the logon page,
● a system menu to reboot or shut down / power off R&S Unified Firewalls, and
● a help menu with links that provide access to a PDF version of the R&S Unified Firewalls User Manual and to the Rohde & Schwarz Cybersecurity GmbH support website. Depending on your browser settings, the PDF file is either displayed in a new tab or window, or downloaded.
In addition, the header area displays unsaved configuration changes if you close an editor panel by pressing the [Esc] key on your computer keyboard. Unsaved changes are not displayed if you close an editor panel by clicking the close button in the upper right corner of the panel, however.
The PDF version of the R&S Unified Firewalls User Manual is also available from the logon page. Click the "User Manual" link to access the file.

3.1.2 Navigation Pane
The navigation pane (2) is on the left side of the web client and consists of two parts. The links in the left navigation bar provide access to the R&S Unified Firewalls settings. The item list bar on the right is used to display information on the current desktop configuration.
Both bars contain a "Filter" input field at the top which helps you quickly find a particular menu item or item list entry. Each input field works only for the bar it is part of. As you type in one of the input fields, R&S Unified Firewalls reduces the corresponding list to show only those menu items or item list entries that contain the characters you are typing. Click the clear button in the input field to delete the search string and display an unfiltered view of the bar.
You can expand all menus in the navigation bar at once by clicking the expand-all button or collapse them by clicking the collapse-all button in the upper right corner of the navigation bar. Furthermore, you can hide the navigation bar to maximize the desktop area by clicking the hide button in the header area. For further information, see Chapter 3.1.1, "Header Area", on page 18.
The information displayed in the item list bar depends on, firstly, the menu item selected in the navigation bar and, secondly, how much information you want displayed. You can unfold more detailed information by clicking the unfold button or reduce the amount of information presented by clicking the reduce button in the upper right corner of the item list bar.
See Chapter 3.4, "Menu Reference", on page 26 for details on the options available in each view.

3.1.3 Desktop
The desktop (3) fills the main portion of the screen below the header area and to the right of the navigation pane. The nodes and connections highlighted here depend on the item selected in the navigation pane or on the desktop.
Figure 3-3: R&S Unified Firewalls web client desktop.
On the desktop, you always have a complete overview of your entire configured network. You can edit various settings in this pane or view the details of a configuration.
A toolbar at the top of the desktop provides quick access to frequently used functions (from left to right):
● If the system configuration changes, the "Activate" button in the first section of the toolbar is highlighted, prompting you to update your configuration. Click this button to save your current desktop configuration changes and to activate them on your R&S Unified Firewalls.
● The two buttons in the second section of the toolbar allow you to switch back and forth between the selection and the connection tool. Use the selection tool for all actions on the desktop, such as moving objects or selecting certain functions. With the connection tool, you can create or edit a connection between two desktop objects. For further information, see Chapter 3.3, "Firewall Rule Settings", on page 23.
● You can create an object on the desktop by clicking the respective desktop object button in the next four sections of the toolbar. An editor panel automatically opens where you can enter the data which is required for the object.
● You can customize the desktop layout by dragging the objects to the desired positions where they are automatically pinned. Use the buttons in the seventh section of the toolbar to save and restore your customized layout or to arrange the objects automatically.
● The "Tags" filter input field in the last section of the toolbar helps you quickly identify desktop objects on the desktop, based on previously assigned desktop tags. Click the input field to open a drop-down list containing the names of previously configured desktop tags. You can either select one of the list items directly to add it to the filter input field or use the input field to search for a particular desktop tag. As you type in the input field, R&S Unified Firewalls reduces the drop-down list to show only those list items that contain the characters you are typing. You can add as many desktop tags as you like to the filter input field.
Depending on your selection of desktop tags, R&S Unified Firewalls reduces the number of nodes on the desktop to display only those desktop objects which include at least one of the selected desktop tags. Desktop nodes along the path from the "Firewall" root node to a node matching the selected desktop tags are always displayed, even if their tag set does not match the search criteria.
Click the clear button in the input field to delete the search string or all selected desktop tags and display an unfiltered view of the desktop. For further information, see Chapter 3.4.4.4, "Desktop Tags", on page 110.
All toolbar buttons use mouse-over pop-up labels for easy identification.
When you left-click a desktop object, several buttons appear in the circular menu,
depending on the kind of desktop object. These buttons allow you to adjust the settings
for an existing object and to create or edit a connection between two existing objects.
Furthermore, you can hide or display objects attached to an object, unpin an object
from a specific location on the desktop or remove an object from the desktop.
For further information, see Chapter 3.2, "Icons and Buttons", on page 21.
3.2 Icons and Buttons
This section explains the icons and buttons commonly used on the user interface and
throughout this manual.
Icon/Button: Description
Hide and show the navigation bar.
Move objects or select objects and functions on the desktop.
Create or edit a connection between two desktop objects.
Create an Internet object.
Create a host.
Create a hosts group.
Create a network.
Create an IP range.
Create a VPN host.
Create a VPN group.
Create a VPN network.
Create a VPN user.
Create a VPN user group.
Create a user.
Create a user group.
Discard all manual desktop layout changes and apply an automatic layout.
Save the current desktop layout.
Restore the last saved desktop layout.
Restore a backup.
Replace a certificate by importing a new certificate.
Fit the entire network to the desktop.
Marks a menu item with settings to configure in the navigation bar.
Marks a table column with actions available for a table entry.
Unpin the desktop object to be able to move it along with the desktop node that
it is associated with via drag & drop on the desktop.
View and adjust the settings for a desktop object, a list item or a table entry.
Create an item list or a table entry based on a copy of an existing entry.
Delete a desktop object or an item list entry from the system after a positive
response to the confirmation request popping up.
Permanently revoke a certificate.
Delete a custom firewall rule from the system.
Remove a firewall rule with a predefined service from the firewall rules table.
Import a certificate or a blacklist/whitelist from a file.
Sign a certificate signing request.
Export a certificate or a blacklist/whitelist to a file.
Import a backup from a file.
Export a backup to a file.
Create a list item in the item list bar.
Unfold a menu item to view subordinate items in the navigation bar.
Unfold a web filter category to view its subcategories.
Unfold a service category for firewall rules to view its subservices.
Unfold a statistics chart or table.
Hide subordinate menu items in the navigation bar.
Hide subcategories of a web filter category.
Hide subservices of a service category for firewall rules.
Hide a statistics chart or table.
Unfold more detailed information in the item list bar.
Reduce the amount of information given in the item list bar.
Collapse all menus in the navigation bar.
Expand a desktop node to view the desktop objects associated with it.
Expand all menus in the navigation bar.
Collapse a desktop node to hide the desktop objects associated with it.
Indicates that a certificate is still valid.
Indicates that a certificate has expired.
Verify a certificate.
Suspend a certificate or CA temporarily.
Resume a certificate that was previously suspended.
Recreate (renew) a certificate with an updated validity range.
Close a pop-up window.
Clear all search criteria of a filter to show all results.
3.3 Firewall Rule Settings
This section describes how to create a firewall rule for a connection between two desktop objects.
Setting Up a Connection
To set up a connection between two desktop objects, perform the following steps:
1. Click the connection tool button in the toolbar at the top of the desktop.
The desktop objects which can be selected for this connection and possible connections between them are highlighted and marked by dotted circles and lines.
2. Select the source object of the connection by clicking the corresponding desktop
object.
3. Select the target object of the connection by clicking the corresponding desktop
object.
The "Connection" editor panel opens, displaying, if applicable, already existing firewall rules for this connection.
Alternatively, you can click the button in the circular menu of the source object on the
desktop and then select the target object.
Setting Up a Firewall Rule
To set up a firewall rule, perform the following steps:
1. In the "Rules" tab of the "Connection" editor panel, select at least one of the services to which you want to apply the firewall rule.
The services that are available for the connection are displayed in the service
selection list bar on the right side of the browser window. The list bar is subdivided
into categories of services which serve a similar purpose. You can collapse and
expand the categories by clicking the corresponding icon.
For further information, see Chapter 3.2, "Icons and Buttons", on page 21.
The "Filter" input field at the top of the service selection list bar helps you quickly find a particular service or service group. As you type in the input field, R&S Unified Firewalls reduces the list to show only those services and service groups that contain the characters you are typing. Click the clear button in the input field to delete the search string and display an unfiltered view of the list.
a) There are two ways to add services to a firewall rule:
●
To add an individual service, click the button in front of the corresponding
service in the service selection list bar.
●
To add all services belonging to a category at once, click the (Add filtered
services) button directly below the header of the respective category.
The selected services are displayed in the table in the "Rules" tab.
b) To adjust the settings of a firewall rule, click the (Click to edit this rule) button.
An editor panel for the particular service opens.
2. The editor panel displays the following information and allows you to configure the
following elements of the firewall rule:
a) Under "Description", you can enter additional information regarding the firewall
rule for internal use.
b) In the "Ports/Protocols" tab, you can see which ports and protocols were
defined to be used for the service. For further information, see Chapter 3.4.4.6,
"Services", on page 112.
c) In the "Schedule" tab, you can specify the time when the firewall rule is active.
The tab provides the following options:
●Set specific times and weekdays using the sliders.
●Click "Always On" – the rule is always active.
●Click "Always Off" – the rule is always inactive.
d) The "Advanced" settings tab provides the following options:

"Proxy"
    For firewall rules with predefined services, and only if the predefined service allows a proxy (HTTP, HTTPS, FTP, SMTP, SMTPS, POP3 or POP3S): Select this checkbox to activate the proxy for this rule.
    For firewall rules with user-defined services only: From the drop-down list, select a proxy for this rule. To remove the proxy, click the remove button to the right of the selected proxy.

"NAT / Masquerading"
    Specify the desired direction (bidirectional, left-to-right or right-to-left) for NAT/masquerading or disable (Off) the feature for this rule by selecting the respective radio button. The default setting depends on the source and target objects selected for the connection.

"New source IP"
    Optional: If you have multiple outgoing IP addresses, specify the IP address to be used for Source NAT. If you do not specify the IP address, the system automatically chooses the main IP address of the outgoing interface.

"Enable DMZ / Port Forwarding for this service"
    If the target of the firewall rule is a single host object, you can select this checkbox to enable DMZ and port forwarding for this rule.

"External IP address"
    Optional: Specify the destination IP address of the traffic to be manipulated. The DMZ rule only applies to this traffic. This IP address must be one of the firewall's IPs.

"External Port"
    Displays the original destination port of the traffic to be manipulated, depending on the port defined in the "Ports/Protocols" tab.

"Destination IP address"
    Displays the new destination IP address of the traffic (after its manipulation).

"Destination Port"
    Optional: Specify the destination port of the traffic (after its manipulation).
e) The buttons at the bottom right of the editor panel allow you to confirm your
changes to an existing rule ("OK"), reject the editing of an existing rule ("Cancel") and discard your changes ("Reset").
The configured rule is displayed in the table in the "Rules" tab. To delete a rule from the table, click the (Click to remove this rule) button in the last column.
3. For further information on the "URL / Content Filter" and "Application Filter" tabs,
see Chapter 3.4.4.1, "Desktop Connections", on page 96.
4. The buttons at the bottom right of the editor panel allow you to shut ("Close") the
editor panel as long as no changes have been made and to store ("Save") or to
discard ("Reset") your changes.
5. Click "Activate" in the toolbar at the top of the desktop to apply your configuration changes.
For further information, see Chapter 3.2, "Icons and Buttons", on page 21.
3.4 Menu Reference
This reference chapter describes each menu item in the navigation bar on the left side
of the browser window. The license acquired from Rohde & Schwarz Cybersecurity
GmbH determines which menu items are available on R&S Unified Firewalls. Features
that are not included in your R&S Unified Firewalls license are grayed out in the navigation bar.
Refer to the sections below for information on the options available in each view.
3.4.1 Firewall
Use the "Firewall" settings to configure your R&S Unified Firewalls for your local
environment. In addition, you can set up access to R&S Unified Firewalls from external
networks or the Internet and connect your R&S Unified Firewalls to an R&S Firewall
Command Center server.
3.4.1.1 Administrators
Use the "Administrators" settings to define administrators and their access to certain
services.
For more detailed information on administrators, see the following sections.
Administrators Overview
Navigate to "Firewall > Administrators" to display the list of administrators that are currently defined on the system in the item list bar.
The plus button above the list allows you to add new administrators.
In the expanded view, the first table column displays the "Name" of the administrator.
The "Admin" column shows one of the following status indicators:
● Green – The administrator has been granted access to the web client.
● Orange – The administrator has not been granted access to the web client.
The buttons in the last column allow you to view and adjust the settings for an existing
administrator. Furthermore, the buttons allow you to create an administrator based on
a copy of an existing administrator or delete an administrator from the system.
For further information, see Chapter 3.2, "Icons and Buttons", on page 21.
Administrators Settings
Under "Firewall > Administrators", you can add a new or edit an existing administrator.
You cannot delete or rename the default user admin. Furthermore, you cannot withdraw this user's access rights to the web client.
The "Administrator" panel allows you to configure the following elements:
Field – Description
"Name" – Enter a unique name for the administrator.
"Description" – Optional: Enter additional information regarding the administrator for internal use.
On the "Client Access" tab:
Field – Description
"Granting access" – Select this checkbox to grant the administrator access to the web client.
"Password" – For newly added administrators only if the "Granting access" checkbox is selected: Enter a password and confirm it. For edited administrators only if the "Change" checkbox is selected: Enter a password and confirm it.
"Change" – Optional and for edited administrators only if the "Granting access" checkbox is selected: Select this checkbox to change the administrator's password.
"Show Password" – Optional and for newly added administrators only if the "Granting access" checkbox is selected: Select this checkbox to verify the password. Optional and for edited administrators only if the "Change" checkbox is selected: Select this checkbox to verify the password.
"Require password change after next login" – Optional and for newly added administrators only if the "Granting access" checkbox is selected: Select this checkbox if you want the administrator to change the password after the next logon. Optional and for edited administrators only if the "Change" checkbox is selected: Select this checkbox if you want the administrator to change the password after the next logon.
On the "Webclient Permissions" tab, you can specify what the administrator is allowed
to do in specified areas of the web client.
You can choose between the following permissions by selecting the respective radio
button:
● "Forbidden" – The administrator cannot access the specified area of the web client.
● "Read/Open" – The administrator can open and read the entities in the specified area of the web client but cannot change them.
● "Write/Execute" – The administrator has full access to the entities in the specified area of the web client.
The buttons at the bottom right of the editor panel depend on whether you add a new
or edit an existing administrator. For a newly configured administrator, click "Create" to
add the administrator to the list of available administrators or "Cancel" to discard your
changes. To edit an existing administrator, click "Save" to store the reconfigured
administrator or "Reset" to discard your changes. You can click "Close" to shut the editor panel as long as no changes have been made on it.
3.4.1.2 Backup
Your R&S Unified Firewalls stores settings in configuration files which are automatically
created whenever settings are changed in the web client. The options under "Backup"
allow you to schedule regular backups of the current system configuration, to back up
the system configuration manually and to restore previous configurations.
Backups can be created once a license has been imported (that is to say, not during
the test period of 30 days).
For more detailed information on backups, see the following sections.
Automatic Backup Settings
The "Auto Backup" settings allow you to set up a connection to a remote backup server
on which you want to store automatically created backups. Furthermore, this panel lets
you schedule how often the firewall configuration is backed up automatically. There are
no restrictions on the amount or interval of backup creation.
Before you proceed, make sure that you set the time zone for your R&S Unified Firewalls as described under Chapter 3.4.1.7, "Time Settings", on page 39. Otherwise,
the backups are created according to Europe - Berlin (CET/UTC +1) instead of the time
specified by you in the automatic backup settings.
Navigate to "Firewall > Backup > Auto Backup" to open an editor panel to display and
edit the settings for automatic backups.
The "Auto Backup" panel allows you to configure the following elements:
Field – Description
"Server Address" – Enter the IP address of the remote backup server on which you want to store automatically created backups.
"Username" – Enter the name of the user on the remote backup server.
"Password" – Enter the user's password for the remote backup server if necessary.
"Show Password" – Optional: Select this checkbox to verify the user's password.
"Server Type" – Select the respective radio button to specify which network protocol is used to upload the backups to the server. The option is set to "FTP" by default, but you can adjust the settings to "SCP" as necessary.
"Filename" – Enter a name for automatically created backup files.
Field – Description
"Encryption Password" – Enter a password for the encryption of the backup files. The password can consist of up to 32 characters (allowed are letters of the English alphabet, integers and the special characters \-][/.,~!@#$%^*()_+:?><}{).
"Show Encryption Password" – Optional: Select this checkbox to verify the encryption password.
"Options" – Select the respective radio button to specify what is added to the filenames to distinguish the backups from each other. The option is set to "Append current date to filename" by default, but you can adjust the settings to the other value as necessary:
● "Append current date to filename" – The date and the timestamp of the creation of a backup is added to the filename (e.g. Backup_20171130-1527.gp). As these filenames never repeat, old backup files are never overwritten.
● "Max. file count" – A number (backup number) is added to the filename. Specify the maximum number of backup files to be stored by entering an integer in the input field below this option. The option is set to 20 by default. Once the defined number is reached, counting starts anew and the oldest backup file is automatically overwritten.
"Schedule" – Specify how often the firewall configuration is backed up automatically.
Under "Start", click the input field to set the date and time of the first backup to be created automatically. A pop-up window with a calendar and input fields for setting the date and time opens. You can enter a date in the MM/DD/YYYY format or use the date picker to set a date. You can also set a time by entering the time in the hh:mm:ss format.
Under "Interval" and "Unit", define how often the configuration is backed up automatically. Set the interval by entering a number or using the up and down arrows. The option is set to 1 by default. Then, select one of the unit options from the drop-down list. The option is set to days by default, but you can adjust the settings to one of the other values as necessary:
● once
● hours
● days
● months
Click "Add" to add the schedule to the list. You can edit or delete single entries in the list by clicking the corresponding button next to an entry. For further information, see Chapter 3.2, "Icons and Buttons", on page 21.
Note: If you edit a schedule, a check mark appears on the right of the entry. Click the check mark to be able to save the settings for automatic backups.
To check the connection to the configured backup server, click the "Test Server Settings" button at the bottom left of the editor panel. The system tries to save a test file (<filename>_test) on the backup server. If this test is successful, a text file is saved on the server and a pop-up window with a success message appears. You can delete this text file after the test.
If you modify the settings, click "Save" to store your changes or "Reset" to discard
them. Otherwise, click "Close" to shut the editor panel.
Click "Activate" in the toolbar at the top of the desktop to apply your configuration changes.
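A backup that is scheduled but never arrives on the backup server is only noticed when it is needed, so the following added example (not part of the manual or the product) audits a directory listing of the FTP/SCP upload target against the "Auto Backup" schedule described above. It assumes the listing has already been fetched (a constructed list is used here), that dated backups are named <Filename>_YYYYMMDD-HHMM.gp as in the manual's Backup_20171130-1527.gp, that "Test Server Settings" leaves a file named <Filename>_test, and that the file-name timestamps are in the firewall's own time zone (Europe - Berlin unless changed under "Time Settings"), so naive datetimes in that zone are compared throughout.

```python
"""Audit a backup-server listing against an R&S Unified Firewalls auto-backup schedule.

Added example; the naming and time-zone assumptions are stated in the lead-in.
"""
import calendar
import re
from datetime import datetime, timedelta

# "Append current date to filename": <Filename>_YYYYMMDD-HHMM.gp (assumed layout,
# derived from the manual's example Backup_20171130-1527.gp)
DATED_RE = re.compile(r"^(?P<base>.+)_(?P<stamp>\d{8}-\d{4})\.gp$")
# File written by "Test Server Settings" (assumed layout <Filename>_test)
TEST_RE = re.compile(r"^(?P<base>.+)_test$")
# The "Start" field takes MM/DD/YYYY and hh:mm:ss; we accept both in one string
UI_FORMAT = "%m/%d/%Y %H:%M:%S"
UNIT_DELTAS = {"hours": timedelta(hours=1), "days": timedelta(days=1)}

# Constructed directory listing: a daily schedule starting 11/28/2017 15:27:00,
# with the 2017-11-30 backup missing and the 2017-12-01 one a minute late.
SAMPLE_LISTING = [
    "Backup_20171128-1527.gp",
    "Backup_20171129-1527.gp",
    "Backup_20171201-1528.gp",
    "Backup_test",   # leftover from "Test Server Settings"
    "notes.txt",     # unrelated file, ignored
]


def parse_dated_backups(names, base="Backup"):
    """Creation times of dated backups whose prefix equals "Filename", sorted ascending."""
    stamps = []
    for name in names:
        m = DATED_RE.match(name)
        if m and m.group("base") == base:
            stamps.append(datetime.strptime(m.group("stamp"), "%Y%m%d-%H%M"))
    return sorted(stamps)


def add_months(dt, n):
    """Advance dt by n calendar months, clamping the day to the target month's length."""
    idx = dt.month - 1 + n
    year, month = dt.year + idx // 12, idx % 12 + 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def expected_times(start, interval, unit, until):
    """Times the schedule ("Start", "Interval", "Unit") should have fired, up to `until`.

    `unit` is one of the manual's options: "once", "hours", "days" or "months".
    """
    if unit == "once":
        return [start] if start <= until else []
    times, n = [], 0
    while True:
        if unit == "months":
            t = add_months(start, n * interval)
        else:
            t = start + n * interval * UNIT_DELTAS[unit]
        if t > until:
            return times
        times.append(t)
        n += 1


def find_missed(names, base, start, interval, unit, now, tolerance=timedelta(minutes=5)):
    """Scheduled times for which no backup file is stamped within `tolerance` after them."""
    have = parse_dated_backups(names, base)
    return [t for t in expected_times(start, interval, unit, now)
            if not any(t <= h <= t + tolerance for h in have)]


def stale_test_files(names):
    """Files left behind by "Test Server Settings"; the manual says they may be deleted."""
    return [n for n in names if TEST_RE.match(n)]


def audit_listing(names, base, start, interval, unit, now):
    """Run both checks with `start`/`now` given as in the UI ("MM/DD/YYYY hh:mm:ss").

    Returns {"missed": [...], "stale_test_files": [...]} with times as "YYYY-MM-DD HH:MM".
    """
    # File names carry minute resolution only, so drop the seconds of the start time.
    start_dt = datetime.strptime(start, UI_FORMAT).replace(second=0)
    now_dt = datetime.strptime(now, UI_FORMAT)
    missed = find_missed(names, base, start_dt, interval, unit, now_dt)
    return {"missed": [t.strftime("%Y-%m-%d %H:%M") for t in missed],
            "stale_test_files": stale_test_files(names)}


if __name__ == "__main__":
    result = audit_listing(SAMPLE_LISTING, "Backup",
                           "11/28/2017 15:27:00", 1, "days", "12/01/2017 18:00:00")
    for stamp in result["missed"]:
        print("missing backup for", stamp)
    for name in result["stale_test_files"]:
        print("stale test file:", name)
```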
Backup Export
The "Export" settings allow you to create and export a manual backup of the current
firewall configuration. Use this function, for example, to reload a configuration after a
system update.
Navigate to "Firewall > Backup > Export" to open an editor panel to create and transfer
a manual backup in GP file format to your computer so you can restore the configuration contained in it later if necessary.
The "Export" panel allows you to configure the following elements:
Field – Description
"Encryption Password" – Enter a password for the encryption of the backup file and confirm it. The password can consist of up to 32 characters (allowed are letters of the English alphabet, integers and the special characters \-][/.,~!@#$%^*()_+:?><}{).
"Show Password" – Optional: Select this checkbox to verify the password.
"Use auto backup password" – Optional: Select this checkbox if you want to use the encryption password set for the creation of automatic backup files (see "Automatic Backup Settings" on page 28) instead of entering a new one.
If you want to export the backup file, click "Export". Otherwise, click "Cancel" to shut
the editor panel.
Backup Import
R&S Unified Firewalls allows you to upload a previously downloaded backup file to
restore the system configuration (e.g. after a new installation).
Navigate to "Firewall > Backup > Import" to load and activate a firewall configuration
from a backup file that was created earlier.
To upload an automatically created backup file stored on the backup server, you first
have to transfer the backup file from the backup server to your local disk.
The "Import" panel allows you to configure the following elements:
Field – Description
"Backup File" – Click "Select" to open the local disk search. Select a backup file in GP format to transfer from your local disk. Click "Open" to close the local disk search. The name of the backup file appears in the field.
"Password" – Enter the encryption password which you chose for the export of the file.
"Show Password" – Optional: Select this checkbox to verify the password.
If you want to import the backup file, click "Import". Otherwise, click "Cancel" to shut the editor panel.
If the upload is successful, a success message appears. Confirm that you want to reboot the system by clicking "Reboot". The system restarts, logs you out and opens the R&S Unified Firewalls logon page. Enter your logon credentials and click "Login". The web client appears.
3.4.1.3 Command Center
R&S Firewall Command Center allows you to administrate multiple R&S Unified Firewalls devices in one application.
Navigate to "Firewall > Command Center" to open an editor panel to connect your
R&S Unified Firewalls to an R&S Firewall Command Center server via a VPN connection.
To establish the VPN connection, you need VPN certificates for all devices that were
signed by the same certificate authority (CA). Therefore, it is advisable to manage the
VPN CA and the VPN certificates on one site and then to export and import the VPN
certificates from there to the other sites.
For information on how to create, export and import certificates, see Chapter 3.4.7.2,
"Certificates", on page 144.
The "Command Center" panel allows you to configure the following elements:
Field – Description
I/〇 – A slider switch indicates whether the connection to R&S Firewall Command Center is active (I) or inactive (〇). By clicking the slider switch, you can toggle the state of the connection. The connection to R&S Firewall Command Center is deactivated by default.
"Host" – Enter the host name or IP address under which R&S Firewall Command Center is reachable from R&S Unified Firewalls.
"Port" – Enter the port number under which R&S Firewall Command Center is reachable (usually port number 11940).
"Command Center CA" – From the drop-down list, select the CA that was used to sign the R&S Firewall Command Center certificate.
Field – Description
"Firewall Certificate" – From the drop-down list, select the VPN certificate for R&S Unified Firewalls.
"Latitude"/"Longitude" – Optional: Enter the coordinates of the location of your R&S Unified Firewalls using decimal degrees notation, e.g. 53.555483. The coordinates are used to display your R&S Unified Firewalls on a map in R&S Firewall Command Center. For further information, see the R&S Firewall Command Center User Manual.
The buttons at the bottom right of the editor panel allow you to shut ("Close") the editor panel as long as no changes have been made and to store ("Save") or to discard ("Reset") your changes.
For further information, see the R&S Firewall Command Center User Manual.
3.4.1.4 High Availability
The "High Availability" (HA) settings allow two independent R&S Unified Firewalls systems to be connected in a master/slave configuration on a dedicated interface. The so-called HA cluster provides failover capability. If the master machine becomes unavailable, the standby (slave) machine assumes its duties.
The master and slave systems are connected via a Cluster Interconnect cable that
allows them to communicate with one another and monitor the status of the paired system. The master machine synchronizes its configuration to the slave. On the slave
machine, certain rules are applied which allow network communication with the master
machine only. If the slave system fails to detect a »heartbeat« signal from the master, it
takes over the role of the master system (in the event of a power outage or hardware
failure/shutdown).
When the slave machine takes over, it removes the special block rules and sends out a
Gratuitous ARP request. The switch which is connected to R&S Unified Firewalls must
allow the arping command. On the client machine in the network, it may take a few
seconds before its ARP cache is updated and the new master is reachable.
The following figure illustrates a typical network environment with a redundant master/
slave configuration for High Availability.
Figure 3-4: Sample network setup for High Availability.
High Availability is not available for the R&S Unified Firewalls GP-U 50/100 product
models.
For more detailed information on High Availability, see the following sections.
High Availability Settings
Use the "High Availability" settings to specify the connection parameters for the master/
slave configuration.
The High Availability feature requires two identical systems of the same hardware type
(for example UF-200 with UF-200 or GP-U 200 with GP-U 200) and software version.
Furthermore, a free network interface (NIC) is required on both systems. In other
words, you need a network interface that is not currently used by any other interface
(like VLAN or bridge) or any network connection. For more information, see Chapter 3.4.3.5, "Interfaces", on page 80 and "Network Connections" on page 69. The same NIC must be used on both systems for Cluster Interconnection.
The master system synchronizes its initial configuration and any subsequent configuration changes to the slave system to ensure that the same configuration is used in the
event of failure.
High Availability can only be activated if no background processes, such as updates or
backups, are running.
Navigate to "Firewall > High Availability" to open an editor panel to set up High Availability.
The "High Availability" panel allows you to configure the following elements:
Field – Description
I/〇 – A slider switch indicates whether High Availability is active (I) or inactive (〇). By clicking the slider switch, you can toggle the state of High Availability. High Availability is deactivated by default.
"Status" – Displays the High Availability status of R&S Unified Firewalls. The status can be one of the following:
● Disabled – High Availability is not enabled on the firewall.
● No connection – High Availability is enabled on the firewall but the other firewall cannot be reached.
● Not synced – High Availability is enabled on the firewall, the other firewall can be reached but the configuration from the master system has not been synchronized to the standby (slave) system yet.
● Synchronized and ready – High Availability is enabled on the firewall, the other firewall can be reached and is synchronized.
"Initial Role" – Select the respective radio button to specify the role which R&S Unified Firewalls is to play in the HA cluster:
● "Master" – R&S Unified Firewalls is active and synchronizes its configuration to the R&S Unified Firewalls that acts as the slave.
● "Slave" – R&S Unified Firewalls is not active (i.e. it cannot be reached using the web client) but the master machine synchronizes its configuration to it.
"HA Interface" – From the drop-down list, select the interface to be used for the HA cluster communication. This interface cannot be used for any other firewall services.
Note: The same interface (NIC) must be used on both R&S Unified Firewalls systems for Cluster Interconnection.
"Local IP" – Enter the IP address which you want to assign to the HA interface on R&S Unified Firewalls in CIDR notation (IP address followed by a slash »/« and the number of bits set in the subnet mask, for example 192.168.50.1/24).
"Remote IP" – Enter the IP address under which R&S Unified Firewalls can reach the other R&S Unified Firewalls of the HA cluster.
"Local IP" and "Remote IP" must be in the same subnet. HA cluster communication
over routed networks is not supported.
If you modify these settings, click "Save" to store your changes or "Reset" to discard
them. Otherwise, click "Close" to shut the editor panel.
Click "Activate" in the toolbar at the top of the desktop to apply your configuration changes.
Before you connect the slave system to the master with the Cluster Interconnect cable
and configure High Availability on the slave, the configuration of the master system
must be complete and activated.
Connect the slave system with the same »WAN« and »LAN« network components as
the master system (see Figure 3-4).
Only the master system can be reached and configured using the web client.
If you want to change the High Availability configuration (for example to change the HA
interface), first disable High Availability, then change the configuration. Then, turn High
Availability back on with the new configuration.
To remove the slave system from the High Availability configuration and operate it as a
standalone system, reinstall your R&S Unified Firewalls. For further information, see
"Disabling High Availability Configurations" on page 36.
Updating High Availability Configurations
Always update both systems (master and slave). Otherwise, High Availability does not
work correctly.
When High Availability is enabled, proceed as follows to update the master and slave
systems:
1. Disable High Availability. For more information, see "Disabling High Availability Configurations" on page 36.
2. Update both systems separately. For more information, see Chapter 3.4.1.8,
"Updates Settings", on page 40.
3. Enable High Availability. For more information, see "High Availability Settings"
on page 33.
Disabling High Availability Configurations
To disable High Availability, perform the following steps:
1. Switch off the standby (slave) machine.
2. Disconnect the Cluster Interconnect cable between the master and slave systems.
3. Reinstall the standby (slave) system via USB flash drive.
4. On the master system:
a) Log on to the web client.
b) Under "Firewall > High Availability":
● Use the slider switch to disable High Availability.
● Click "Save" to store your settings.
● Click "Activate" in the toolbar at the top of the desktop to apply your configuration changes.
Note: If you disconnect the Cluster Interconnect cable without switching off the standby (slave) machine, the slave takes over and the old master runs as master as well. Both machines deliver the same services on the network, which has unintended effects. So, it is advisable not to disconnect the Cluster Interconnect cable while both master and slave system are still on.
3.4.1.5 License
The exact feature set of R&S Unified Firewalls depends on the license acquired from
Rohde & Schwarz Cybersecurity GmbH.
When first started after delivery or a new installation, R&S Unified Firewalls runs as a
test version for 30 days. You can see that it is a test version in the notification on the
"License Manager" panel under "Firewall > License". During this period of time, it is not
possible to create backups. After this period of time, the firewall remains active with
your configuration. However, you are not able to make any changes and the HTTP and
HTTPS protocols are blocked.
The following licensable features can be included in an R&S Unified Firewalls license:
● Antispam (UTM license)
● Antivirus (UTM license)
● Application Filter
● Content Filter
● IDS/IPS (UTM license)
● WLAN
Navigate to "Firewall > License" to open an editor panel to view the validity period of
your R&S Unified Firewalls license and additional feature licenses or to upload a new
license.
In fixed intervals, the system checks the expiration dates of the license and individual
feature licenses in the license file. When a license expires, all licensable features are
deactivated until a new license is acquired via www.mygateprotect.com, downloaded to
the local disk and uploaded via the web client under "Firewall > License". The new
license has to comply with the software version number of R&S Unified Firewalls and
the hardware.
To upload a new license, perform the following steps:
1. Click "Select File" behind the "License File" input field.
The local disk search opens.
2. Select a new license file in GPLF format from the local disk.
3. Click "Open".
The local disk search closes.
4. Click "License" to upload the license file.
The license is uploaded. If the upload is successful, all licenses and the information
about them are automatically entered in R&S Unified Firewalls and a success message appears.
5. Confirm that you want to log out by clicking "OK".
The system logs you out and opens the R&S Unified Firewalls logon page.
6. Enter your logon credentials.
7. Click "Login".
The web client appears.
3.4.1.6 Server Access
The "Server Access" settings allow you to define how R&S Unified Firewalls can be
accessed from external networks or the Internet. In addition, you can determine how
R&S Unified Firewalls is to react, for example, to ping requests.
The "Server Access" settings only apply to external accesses to R&S Unified Firewalls
for defined users. Accesses from the internal network are always possible.
Navigate to "Firewall > Server Access" to open an editor panel to determine whether
and how access from external networks or the Internet to R&S Unified Firewalls is
allowed.
The "Server Access" panel allows you to configure the following elements:
Field – Description
"Web Access from Internet" – Select the respective radio button to specify external web access from the Internet. The option is set to Deny by default, but you can adjust the settings to one of the other values as required:
● Deny – Only computers from the internal network are allowed to access the R&S Unified Firewalls web client; external web access from the Internet is denied.
● VPN only – Same as Deny with the exception that access from the Internet to the R&S Unified Firewalls web client using a VPN is allowed.
● Allow – External access to the R&S Unified Firewalls web client from the Internet is allowed.
Note: The Allow option provides access to the web client from the Internet. In certain circumstances, this may grant attackers access to R&S Unified Firewalls. Therefore, we do not recommend using this option as a permanent solution.
"SSH Access from Internet" – Select the respective radio button to specify external SSH access from the Internet. The option is set to Deny by default, but you can adjust the settings to one of the other values as required:
● Deny – Only computers from the internal network are allowed to access R&S Unified Firewalls via SSH; external SSH access from the Internet is denied.
● VPN only – Same as Deny with the exception that SSH access from the Internet to R&S Unified Firewalls using a VPN is allowed.
● Allow – External SSH access to R&S Unified Firewalls from the Internet is allowed.
Note: The Allow option provides SSH access to R&S Unified Firewalls from the Internet. The SSH access is useful, for example, for the Rohde & Schwarz Cybersecurity GmbH support team. This may grant attackers access to R&S Unified Firewalls. Therefore, we do not recommend using this option as a permanent solution.
"Ping (ICMP to Firewall)" – Select the respective radio button to specify what R&S Unified Firewalls is to do with ICMP commands (ping) to the firewall from the internal network and the Internet. The option is set to Allow by default, but you can adjust the settings to the other value as required:
● Deny – R&S Unified Firewalls does not respond to ICMP commands to the firewall from the internal network and the Internet.
● Allow – R&S Unified Firewalls responds to ICMP commands to the firewall from the internal network and the Internet.
Note: While blocking ICMP commands can improve the security of R&S Unified Firewalls, it also makes any troubleshooting in the network difficult. Therefore, if an error occurs in the network, we recommend setting this option to Allow before you start troubleshooting.
If you modify the settings, click "Save" to store your changes or "Reset" to discard
them. Otherwise, click "Close" to shut the editor panel.
Click "Activate" in the toolbar at the top of the desktop to apply your configuration changes.
3.4.1.7 Time Settings
R&S Unified Firewalls works with time-sensitive rules. Furthermore, the system time is
particularly important for services such as logging that rely on accurate timestamps.
Therefore, it is necessary to set the date and time correctly.
Navigate to "Firewall > Time Settings" to open an editor panel to display and edit the
system date and time settings.
The "Time Settings" panel allows you to configure the following elements:
Field – Description
"Time Zone" – From the drop-down list, select one of the predefined time zones. The time zone is set to (+01:00) Europe - Berlin by default, but you can adjust the settings to one of the other values as required.
"Current Time" – Check the current system date (MM/DD/YYYY) and time (hh:mm:ss) of R&S Unified Firewalls.
"Date & Time" – Optional: Click the input field to set a new system date or time manually. A pop-up window with a calendar and input fields for changing the date and time opens. You can enter a date in the MM/DD/YYYY format or use the date picker to set a new date. You can also set a new time by entering the time in the hh:mm:ss format.
Note: To set the system time manually, NTP has to be disabled (in other words, the "NTP Client" checkbox must be cleared). Otherwise, the time will be reset automatically as soon as the system sends the next NTP request.
"NTP Client" – Optional: Select the checkbox to use remote network time protocol servers to set the system date and time automatically.
Field – Description
"NTP Servers" – Optional and only available if the "NTP Client" checkbox is selected: You can either use the predefined NTP servers or add your own NTP servers to the list. The standard NTP servers are: de.pool.ntp.org and europe.pool.ntp.org. You can add as many NTP servers as you like. Enter the IP address or the fully qualified domain name of an NTP server in the input field. Then, click "Add" to put the NTP server on the list. You can edit or delete single entries in the list by clicking the corresponding button next to an entry. For further information, see Chapter 3.2, "Icons and Buttons", on page 21.
Note: If you edit an NTP server, a check mark appears on the right of the entry. Click the check mark to be able to save the settings of the NTP server.
Note: If more than one NTP server is configured, R&S Unified Firewalls automatically synchronizes the system clock with the server that transmits the best time signal.
"Serve as local NTP server" – Optional and only available if the "NTP Client" checkbox is selected: Select this checkbox if you want to make the system time of R&S Unified Firewalls available in the internal network. R&S Unified Firewalls then acts as an internal, local NTP
If you modify these settings, click "Save" to store your changes or "Reset" to discard them. Otherwise, click "Close" to shut the editor panel.
Click "Activate" in the toolbar at the top of the desktop to apply your configuration changes.
3.4.1.8 Updates Settings
The "Updates Settings" panel allows you to keep R&S Unified Firewalls up to date at all times. New software, hotfixes, security updates and new functions can be automatically downloaded from the update server and installed on the firewall quickly and easily. In addition, the update system is equipped with various functions for notifying the system administrator if there are new updates available. Furthermore, you can view the history of imported updates.
To prevent any unauthorized or malicious updates from being installed on the firewall, all R&S Unified Firewalls updates are signed digitally. Only updates with a valid signature are displayed and installed.
server.
Navigate to "Firewall > Updates Settings" to open an editor panel to display the list of
available updates with information about them and their status on the "Updates" tab.
The "Filter" input field allows you to narrow the list of results in the table below it. As
you type in the input field, R&S Unified Firewalls automatically refreshes the list to
show only those entries that contain the characters you are typing as a name, type or
description. Click the icon in the input field to delete the search string and display an unfiltered view of the list.
The table columns of the updates list contain the following information:

"Name" – Displays the name of the available update.

"Type" – Displays the type of update. The update system differentiates between four types of updates:
● security – contains corrections concerning the security of the firewall
● recommended – contains corrections as well as performance and stability optimizations
● hotfix – contains corrections for the firewall modules but also new functions
● upgrade – contains an upgrade to the next R&S Unified Firewalls software version

"Description" – Displays a text field with further information about the update. The text field can be unfolded to view all information relating to the update by clicking it.

"Reboot" – Indicates whether a reboot of the system is required after the update has been installed successfully.

"Release Date" – Displays the date when the update was released.

"Status" – Distinguishes between new updates and updates which have already been installed.
Note: An update cannot be installed more than once.

"Action / Dependency" – If all dependencies are met, the "Install" action is allowed. Otherwise, a list of dependencies is displayed. To meet the dependencies, install the listed updates.
Click "Refresh Updates List" to update the list of available updates with the latest versions manually.
The "Settings" tab allows you to configure the following elements:

"Search for New Updates Automatically" – Select this checkbox to refresh the list of available updates with the latest versions automatically.

"Interval" – From the drop-down list, select the desired frequency with which the list of updates is refreshed. The option is set to Daily by default, but you can adjust the settings to one of the other values as required:
● Hourly
● Daily
● Weekly

"Update Time" – Enter the date and time for the first automatic refresh of the updates list and the first automatic update. If you click the input field, a pop-up window with a calendar and input fields for changing the date and time opens. You can enter a date in the format MM/DD/YYYY or use the date picker to set a new date. You can also set a new time by entering the time in the format hh:mm:ss.
Note: All subsequent updates are carried out at the time set here if the automatic installation of updates described below is enabled.

"Install Updates Automatically" – Select the respective radio button to specify which updates you want to be imported and installed automatically on R&S Unified Firewalls. This function is limited to security and recommended hotfixes. The option is set to None by default, but you can adjust the settings to one of the other values as required.

"Update Servers" – The standard update server is: http://www.gateprotect.com/updateserver.
You can add as many update servers as you like. Enter the URL of an update server and click "Add" to put the update server on the list.
Note: If the URL contains a fully qualified domain name (FQDN), you need to configure the DNS settings. Otherwise, the FQDN cannot be resolved.
You can edit or delete single entries in the list by clicking the corresponding button next to an entry. For further information, see Chapter 3.2, "Icons and Buttons", on page 21.
Note: If you edit an update server, a check mark appears on the right of the entry. Click the check mark to be able to save the settings of the update server.
The "History" tab displays the update history of R&S Unified Firewalls.
If you modify the settings on the "Updates Settings" panel, click "Save" to store your
changes or "Reset" to discard them. Otherwise, click "Close" to shut the panel and
return to the overview of your entire configured network.
Click "Activate" in the toolbar at the top of the desktop to apply your configuration
changes.
For information on the installation of system updates in a High Availability configuration, see "Updating High Availability Configurations" on page 35.
Important: Always update both systems (master and slave). Otherwise, High Availability does not work correctly.
3.4.1.9 User Authentication
The "User Authentication" settings determine the list of users who can be authorized to
utilize your network resources, such as Internet access and VPN tunnels. Furthermore,
these settings allow you to set up local users and to connect R&S Unified Firewalls to
an external directory service from where it can retrieve individual users and user
groups. This allows you to set firewall regulations not just for computers but also for
individual users and user groups.
Navigate to "Firewall > User Authentication" to display the list of users that are currently defined on the system in the item list bar.
For more detailed information on user authentication, see the following sections.
Technical Background and Preparations
Purpose of user authentication
With user authentication, firewall rules can be assigned to users when they are logged
on. Only one user per IP address can be logged on. If another user logs on from an IP
address which is already in use for a session, the other logged-on user is logged out
and the new user is logged on.
Logging on to the firewall
R&S Unified Firewalls runs a special web server which only processes user logons. It
receives the user name and password. With a user database which is created locally
on R&S Unified Firewalls, an authentication service first verifies whether the user name
and password are admissible. If this logon fails and a Microsoft Active Directory server
or an openLDAP server is configured on R&S Unified Firewalls, the authentication
service additionally queries that directory server via the Kerberos protocol to see
whether the user can be authenticated. If the authentication was successful, the IP
address from which the request was sent is assigned the firewall rules for this user.
Users who are registered in the local database of R&S Unified Firewalls can change
their password over the web server. The password can consist of up to 248 characters.
Longer passwords are accepted, but they are silently truncated to 248 characters, so any
characters beyond that limit do not contribute to the password.
Certain computers, such as terminal servers on which many users work at the same
time or servers to which only administrators log on, can be excluded from the user
authentication. Web servers and the authentication service then do not accept any
user logons from the IP addresses of these computers.
Since all users have the same IP address on a terminal server, R&S Unified Firewalls
cannot identify individual users in the network. For this purpose, Microsoft offers the
so-called Remote Desktop IP Virtualization for Server 2008 R2 and newer versions.
With this application, every user obtains their own IP address from a pool of IP
addresses, similar to DHCP.
Authentication server
For smaller companies without central user management, R&S Unified Firewalls provides local user management. You can always use the local user database. However, it
is also possible to use an external directory service, such as a Microsoft Active Directory
server or an openLDAP server. Both Microsoft Active Directory and openLDAP use the
Kerberos protocol to validate the credentials provided by any of the user authentication
clients.
Active directory groups
If you are using a Microsoft Active Directory server for authentication, the Active Directory groups are displayed in the user authentication item list bar as well. Active Directory groups are a powerful tool to set up and maintain security policies for each user.
For example, you can allocate Active Directory users to certain Active Directory groups
and then create firewall rules for these groups on R&S Unified Firewalls.
Logging on
There are three different ways users can log on to R&S Unified Firewalls:
● "Logging on using a web browser" on page 44
● "Logging on using the R&S Unified Firewalls User Authentication Client" on page 45
● "Logging on using the R&S Unified Firewalls Single Sign-On Client" on page 47
Logging on using a web browser
Once users have been set up as desktop objects and firewall rules for these users
have been configured, users log on through the so-called landing page and are then subject
to those rules. Logging on via a web browser works with any browser; the connection is TLS (SSL)-encrypted.
To log on to R&S Unified Firewalls via a web browser, perform the following steps:
1. Start a web browser.
2. Make sure cookies are activated.
3. Enter the IP address of your R&S Unified Firewalls, for example
https://192.168.12.1 (using the default port 443), in the address bar.
A special web page presenting the R&S Unified Firewalls landing page appears.
Figure 3-5: User authentication using a web browser.
4. Enter the "Name".
Note: If the user is an LDAP user, the user's login name has to exactly match the
user name specified in the sAMAccountName attribute of the user. Otherwise, the
name in the user-specific firewall rules will not correspond to the user logging on to
the client and the rules will not match.
5. Enter the "Password" of the user.
6. Click "Login".
The authentication is carried out.
For security reasons, the browser window that was used to log on must remain open
during the whole session. Otherwise, the user is logged out automatically after one
minute. This prevents unauthorized persons from using the logged-on user's firewall rules
from a computer on which that user forgot to log out.
Logging on using the R&S Unified Firewalls User Authentication Client
The Windows-based R&S Unified Firewalls User Authentication client provided with
R&S Unified Firewalls is located in the UAClient directory on the USB flash drive.
To log on to R&S Unified Firewalls using the R&S Unified Firewalls User Authentication
client, perform the following steps:
1. Install the R&S Unified Firewalls User Authentication client.
2. Start the R&S Unified Firewalls User Authentication client.
Figure 3-6: User authentication using the R&S Unified Firewalls User Authentication client.
3. Under "Server Address", enter the IP address of your R&S Unified Firewalls.
4. Enter the "User Name".
Note: If the user is an LDAP user, the user's login name has to exactly match the
user name specified in the sAMAccountName attribute of the user. Otherwise, the
name in the user-specific firewall rules will not correspond to the user logging on to
the client and the rules will not match.
5. Enter the "Password" of the user.
6. Optional: Select the "Remember password" checkbox if you want the password to
be saved for future logons.
7. Optional: Adjust the period of time for reconnection under "Settings" by right-clicking the system tray icon in the Windows taskbar.
8. Click "Login".
The authentication is carried out.
For security reasons, it is strongly recommended to update the R&S Unified Firewalls
User Authentication client to the latest version available. However, a compatibility
mode that allows older versions of the R&S Unified Firewalls User Authentication client
to work with R&S Unified Firewalls version 10 can be enabled. For more information,
see "User Authentication Settings"on page 50.
Logging on using the R&S Unified Firewalls Single Sign-On Client
When using Single Sign-On (SSO), domain users from the Active Directory domain log
on to a Windows client. Firewall rules configured on R&S Unified Firewalls concerning
these users are then automatically applied.
To realize SSO with R&S Unified Firewalls in an Active Directory environment, the following preconditions have to be met:
1. As Kerberos is time-critical, make sure to set the same time/NTP server for all
components of SSO (domain controller, Windows client and R&S Unified Firewalls).
2. Creating the user gpLogin
It is necessary to create a normal domain user in the user management under
"CN=Users" in the Active Directory. This user is then assigned a so-called Service
Principal Name (SPN) which is needed for the authentication of R&S Unified Firewalls on the server. The user does not need any specific rights.
a) Open the domain controller.
Figure 3-7: Creating a new user – user logon name.
b) Under "First name", enter gpLogin.
With this name, it is easier to find the user later in the user overview.
c) Under "User logon name", enter gpLogin/<firewall name>.
In the example above, the host name (<firewall name>) of R&S Unified Firewalls is fw10 and, therefore, the user logon name is gpLogin/fw10.
d) Under "User logon name (pre-Windows 2000)", enter gpLogin.
e) Click "Next".
f) Enter a password for the user and confirm it.
Figure 3-8: Creating a new user – user password.
g) Select the "Password never expires" checkbox.
h) Click "Next".
i) Verify the information relating to the new user by clicking "Finish".
The user gpLogin is created.
3. Using the gpLogin user to query the Active Directory
In the "User Name" input field under "Authentication Server", enter gpLogin.
4. Configuring the Service Principal Name (SPN)
Assign an SPN to the newly created user so that R&S Unified Firewalls is able to
establish a trust relationship with the domain controller. To do so, run the following command on the domain controller:
setspn -A gpLogin/fw10 gpLogin
5. Generating a Kerberos Key
Using the R&S Unified Firewalls Single Sign-On client, a user's logon on the Windows domain can be forwarded to R&S Unified Firewalls. With the Kerberos key,
your R&S Unified Firewalls is able to check the forwarded information and activate
the user-specific firewall rules. To generate a Kerberos key, perform the following
steps:
a) Log on to R&S Unified Firewalls.
b) Navigate to "Firewall > User Authentication > Settings".
The "User Authentication Settings" editor panel opens.
c) Enable the user authentication settings by toggling the slider switch to "I".
d) On the "Kerberos" tab, click the "Create Kerberos Key" button to generate the
Kerberos key.
The Active Directory is queried to validate the specified AD user and to obtain the
relevant information, such as the Kerberos key version number. With that information, R&S Unified Firewalls is able to generate a valid Kerberos key locally.
6. Activating SSO on R&S Unified Firewalls
To enable SSO on R&S Unified Firewalls, perform the following steps:
a) On the "Kerberos" tab, select the "Active" checkbox.
b) Click "Save" to store your settings.
7. Preparing the Windows client
You can find the Windows Installer Single Sign On ZIP archive on www.mygateprotect.com under "Downloads" > "Authentication Clients". There are three ways to
install the R&S Unified Firewalls Single Sign-On client:
● Copy the UAClientSSO.exe standalone application to your desired target location
● Run the UAClientSSOSetup.exe setup program and install the UAClientSSO.exe standalone application under C:\Program Files\R&S Cybersecurity\UA Client\3.0\
● Deploy the client through the domain, using the UAClientSSO.msi Microsoft installer in a group policy object
Note: In all cases, the UAClientSSO.exe standalone application will be installed
on the Windows PC. It can then be executed given the following parameters:
● The host name of R&S Unified Firewalls (for more information, see "User Authentication Settings" on page 50)
● The IP address of R&S Unified Firewalls in the network of the client computer
Example: The host name of R&S Unified Firewalls is fw10. Its IP address in the network of the client computer is 192.168.0.1. The R&S Unified Firewalls Single Sign-On client is then installed under C:\Program Files\R&S Cybersecurity\UA Client\3.0\ and started as UAClientSSO.exe fw10 192.168.0.1.
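The seven preconditions above, carried out as an added PowerShell example; this is not code from the manual or from Rohde & Schwarz. The first part is run on the domain controller, the last part on the Windows client. The DNS domain corp.example, its container DN CN=Users,DC=corp,DC=example and the NTP reference de.pool.ntp.org are assumed values (the last is the firewall's default NTP server); the host name fw10 and the address 192.168.0.1 follow the manual's example. The commands need the RSAT ActiveDirectory module and domain administrator rights. The keytab itself is still created on the firewall in step 5.

```powershell
# Added example, not code from the R&S manual or from Rohde & Schwarz.
# Assumed values (replace with your own): DNS domain corp.example, the CN=Users
# container DN, firewall host name fw10 and firewall IP 192.168.0.1 (the last two
# follow the manual's example). Requires the RSAT ActiveDirectory module and
# domain administrator rights on the domain controller.

$FirewallHost = 'fw10'
$FirewallIp   = '192.168.0.1'
$DnsDomain    = 'corp.example'                   # assumption
$ContainerDN  = 'CN=Users,DC=corp,DC=example'    # assumption; the manual requires CN=Users
$Spn          = "gpLogin/$FirewallHost"          # gpLogin/fw10

# ---- Domain controller ------------------------------------------------------

# Step 2: the gpLogin user. "User logon name" is the UPN prefix and equals the SPN,
# the pre-Windows 2000 logon name (sAMAccountName) is plain gpLogin, and the
# password never expires. No rights beyond those of a normal domain user.
$Password = Read-Host -AsSecureString -Prompt 'Password for gpLogin'
New-ADUser -Name 'gpLogin' -GivenName 'gpLogin' -SamAccountName 'gpLogin' `
    -UserPrincipalName "${Spn}@${DnsDomain}" -Path $ContainerDN `
    -AccountPassword $Password -PasswordNeverExpires $true -Enabled $true

# Step 4: register the SPN on the account and verify it. An SPN registered on two
# accounts breaks ticket issuance for the service, so also run the forest-wide
# duplicate check: gpLogin/fw10 must be registered on gpLogin only.
setspn -A $Spn gpLogin
setspn -L gpLogin
setspn -X

# Step 5 depends on the key version number (KVNO) of gpLogin, which the firewall
# reads when it creates the keytab. Every password reset of gpLogin increments the
# KVNO, so "Create Kerberos Key" has to be repeated after a reset.
Get-ADUser -Identity 'gpLogin' -Properties 'msDS-KeyVersionNumber' |
    Select-Object SamAccountName, UserPrincipalName, 'msDS-KeyVersionNumber'

# Step 1: Kerberos rejects tickets outside the allowed clock skew (5 minutes by
# default in Active Directory). Show the DC's time source and measure its offset
# against the NTP server the firewall uses (de.pool.ntp.org is the firewall's
# default). If "Serve as local NTP server" is enabled on the firewall,
# $FirewallHost can be used as the reference instead.
w32tm /query /status
w32tm /stripchart /computer:de.pool.ntp.org /samples:3 /dataonly

# ---- Windows client ---------------------------------------------------------

# Step 7: after installing the client (setup program or MSI via group policy), it is
# started with the firewall host name and the firewall IP reachable from this client.
$Client = 'C:\Program Files\R&S Cybersecurity\UA Client\3.0\UAClientSSO.exe'
if (-not (Test-Path -LiteralPath $Client)) { throw "UAClientSSO.exe not found at $Client" }
w32tm /stripchart /computer:de.pool.ntp.org /samples:3 /dataonly   # same clock check on the client
& $Client $FirewallHost $FirewallIp
```

The two stripchart calls matter more than they look: the manual only says to use the same time server everywhere, but what Kerberos actually enforces is the offset between each party's clock, so measuring the offset of the domain controller and of the client against one common reference is the quickest way to rule out clock skew before debugging the keytab.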
User Authentication Settings
The "User Authentication Settings" allow you to activate and deactivate user authentication in general. Furthermore, you can specify the connection parameters for the
directory server that is used to manage the LDAP users and groups on your network.
Navigate to "Firewall > User Authentication > Settings" to open an editor panel to
define the general settings for user authentication and the directory service.
The "User Authentication Settings" panel allows you to configure the following elements:
I / 〇 – A slider switch indicates whether user authentication is active (I) or inactive (〇). By clicking the slider switch, you can toggle the state of user authentication. User authentication is disabled by default.

On the "General" tab:

"Log Logins" – Select this checkbox if you want to log all logons to R&S Unified Firewalls. You can view all logon events under "Monitoring & Statistics > Logs > System Log".

"Login Mode" – Select one of the following four options:
● "Single Login (deny new login)" – No user can be logged on from more than one IP address at the same time.
● "Single Login (disconnect old login)" – Any previous logons are first disconnected when the user logs on from another IP address.
● "Multiple Logins" – A user can be logged on from up to 254 different IP addresses at the same time.
● "Multiple Logins (with warning in report)" – A user can be logged on from up to 254 different IP addresses at the same time and alerts are recorded in the report.

"Web Login Port" – Set the HTTPS port for the web logon by entering the port number or using the up and down arrows. The default setting is port 443.
"Compatibility Mode" – Select this checkbox if you are using user authentication clients older than version 3.0.0 to log on to R&S Unified Firewalls.
Notice: By selecting this checkbox you are putting your network security at risk. For more information, see Chapter 3.4.1.9, "User Authentication", on page 43.

"Show Landing Page" – Optional: Select this checkbox to display a landing page when an unauthorized user tries to access the Internet.

For each IP address, only one user logon is supported, even if multiple logins are activated.

On the "Authentication Server" tab, you can specify the type of database to be
used. You can use the local user database on R&S Unified Firewalls independently or
in addition to a Microsoft Active Directory server or an openLDAP server with Kerberos
as an external user database.
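To make the per-IP rule under "Purpose of user authentication" and the four "Login Mode" options concrete, the following PowerShell class models the logon bookkeeping the manual describes. It is an added example, not part of the manual or of the product, and it does not talk to a firewall. Assumptions, also marked in the comments: sessions are keyed by client IP, the one-minute browser keep-alive from "Logging on using a web browser" is modelled as a 60-second expiry, and a logon beyond the 254-address cap of the two "Multiple Logins" modes is refused.

```powershell
# Added example (not code from the R&S manual): a model of the logon rules described
# above. Assumptions: sessions keyed by client IP; 60 s browser keep-alive; the
# 255th address of one user is refused in the "Multiple" modes.
class SessionTable {
    [string]    $Mode                 # SingleDeny | SingleDisconnect | Multiple | MultipleWarn
    [hashtable] $ByIp   = @{}         # client IP -> @{ User = <name>; LastSeen = <datetime> }
    [System.Collections.Generic.List[string]] $Report = [System.Collections.Generic.List[string]]::new()

    SessionTable([string] $mode) { $this.Mode = $mode }

    # Addresses other than $ip from which $user is currently logged on.
    [string[]] OtherIpsOf([string] $user, [string] $ip) {
        $ips = @()
        foreach ($k in $this.ByIp.Keys) {
            if ($k -ne $ip -and $this.ByIp[$k].User -eq $user) { $ips += $k }
        }
        return $ips
    }

    # Applies the per-user rule selected by $Mode, then the per-IP rule
    # (one user per address: a newcomer logs the previous user out).
    [string] Login([string] $user, [string] $ip, [datetime] $now) {
        $existing = $this.OtherIpsOf($user, $ip)
        switch ($this.Mode) {
            'SingleDeny' {
                if ($existing.Count -gt 0) { return 'denied' }
            }
            'SingleDisconnect' {
                foreach ($old in $existing) { $this.ByIp.Remove($old) }
            }
            default {
                if ($existing.Count -ge 254) { return 'denied' }      # assumption: cap refuses
                if ($this.Mode -eq 'MultipleWarn' -and $existing.Count -gt 0) {
                    $this.Report.Add("warning: $user logged on from $($existing.Count + 1) addresses")
                }
            }
        }
        if ($this.ByIp.ContainsKey($ip) -and $this.ByIp[$ip].User -ne $user) {
            $this.Report.Add("$($this.ByIp[$ip].User) logged out: $ip taken over by $user")
        }
        $this.ByIp[$ip] = @{ User = $user; LastSeen = $now }
        return 'ok'
    }

    # Browser keep-alive: a session that was not refreshed for more than 60 s ends.
    [void] Expire([datetime] $now) {
        foreach ($ip in @($this.ByIp.Keys)) {
            if (($now - $this.ByIp[$ip].LastSeen).TotalSeconds -gt 60) { $this.ByIp.Remove($ip) }
        }
    }
}

# Constructed walk-through in "Single Login (deny new login)" mode.
$t0 = Get-Date
$s  = [SessionTable]::new('SingleDeny')
$s.Login('alice', '10.0.0.5', $t0)     # first logon of alice
$s.Login('alice', '10.0.0.6', $t0)     # second address for alice: refused in this mode
$s.Login('bob',   '10.0.0.5', $t0)     # bob takes over 10.0.0.5; alice is logged out there
$s.Expire($t0.AddSeconds(61))          # bob's browser closed: no keep-alive for more than 60 s
$s.ByIp.Count
$s.Report
```

Switching the constructor argument to 'SingleDisconnect' shows the second mode: alice's logon from 10.0.0.6 then succeeds and her session on 10.0.0.5 is removed first. The per-IP takeover in the third call is independent of the mode, which is why the manual warns against enabling user authentication for terminal servers, where every user shares one address.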
If you select Microsoft Active Directory Server, you can configure the following elements:

"Host" – Enter the host name or the IP address of the directory server.
Note: If you enter the host name of the directory server, you need to configure the DNS settings. Otherwise, the host name cannot be resolved.

"Port" – Enter the directory server's port number to be used for communication. You can also select the port number by using the up and down arrows.

"User Name" – Enter the name of a user with read rights to retrieve the list of users of the domain from the Active Directory. This field must be the sAMAccountName attribute of the user. The user has to be placed in "CN=Users". For more information, see "Logging on using the R&S Unified Firewalls Single Sign-On Client" on page 47.

"Password" – Enter the password of the user that has read rights.
Tip: We recommend creating a dedicated user for this purpose.

"Domain Name" – Enter the domain name of the Active Directory.
To test the configured Microsoft Active Directory server settings, click "Test AD Settings".
If you select OpenLDAP Server, you can configure the following elements:
"Server Address" – Enter the host name or the IP address of the directory server.
Note: If you enter the host name of the directory server, you need to configure the DNS settings. Otherwise, the host name cannot be resolved.

"Port" – Enter the directory server's port number to be used for communication. You can also select the port number by using the up and down arrows.

"User DN" – Enter the user DN of an account that has read rights.
Tip: It is not mandatory to provide the full user DN. Upon clicking "Save", the system automatically adds the domainComponents from the "Base DN" entry.

"Password" – Enter the password of the user that has read rights.

"Base DN" – Enter a distinguished name (base DN) as a sequence of relative distinguished names (RDN) separated by commas, such as three domainComponents: dc=ldap,dc=example,dc=com, to define the location within the directory from where the directory search should start.

"User Query" – Optional: Specify the filter to be used to retrieve the list of users.

"User ID" – Optional: Define the attribute where the user identifier is retrieved from. The user names displayed in the web client are actually coming from this attribute of the LDAP user. The user ID is retrieved from the sAMAccountName attribute by default.

"User Name" – Optional: Define the attribute where the user name is retrieved from.

"User Group" – Optional: Define the attribute where the user group is retrieved from.

"User Primary Group" – Optional: Define the attribute where the user primary group is retrieved from.

"Mail Query" – Optional: Specify the filter to be used to retrieve the list of mails.

"Mail Name" – Optional: Define the attribute where the mail name is retrieved from.

"Group Query" – Optional: Specify the filter to be used to retrieve the list of groups.

"Group Name" – Optional: Define the attribute where the group name is retrieved from.

"Group ID" – Optional: Define the attribute where the group identifier is retrieved from.
"Group Primary ID" – Optional: Define the attribute where the group primary identifier is retrieved from.

"Group Parent" – Optional: Define the attribute where the group parent is retrieved from.

Upon clicking "Save", the system completes all optional fields which you did not specify
with default values.
If you wish to use Kerberos for Single Sign-On, the name of the user must be
gpLogin. For more information, see "Logging on using the R&S Unified Firewalls Single Sign-On Client" on page 47.

On the "Kerberos" tab:

"Active" – Select this checkbox to activate the Kerberos service.

"Kerberos Key" – Displays the service name, the host name and the domain related to the userPrincipalName of the most recently created Kerberos key, also known as keytab. For more information, see "Logging on using the R&S Unified Firewalls Single Sign-On Client" on page 47.

"Host Name" – If necessary, adjust the host name of your R&S Unified Firewalls.

"Domain" – If necessary, adjust the domain of your R&S Unified Firewalls so that it matches the domain of the Active Directory.
Users
Just like computers, users and LDAP groups can be set up on the desktop as individual users or user groups.
For these desktop objects, you then define the rules which are to be assigned to the
users as soon as they log on. If users log on from a computer to which certain rules are
assigned, the rules of this computer and their personal rules are applied to these
users. You can select users and LDAP groups from the local user database on
R&S Unified Firewalls and from the openLDAP or Active Directory authentication
server and add them to the user groups on the desktop. There is also a special
"Default User Group" which can be selected on the desktop. No users are added to this
user group explicitly. It comprises all of the users who are able to log on but have not been
set up as individual users or members of other user groups on the desktop. If such a
default user group is set up on the desktop and if you have assigned rules to it, users
who are later created in the Active Directory server are automatically allocated to this
default user group. After logon, these new users are automatically assigned the default
rules without any additional administration effort for each individual user.
LDAP Groups
It is possible to connect R&S Unified Firewalls to an external directory server using the
Lightweight Directory Access Protocol (LDAP) to retrieve user groups from there. You
can include these user groups in group-specific firewall rules.
LDAP can be used by medium to large companies to access directory services and to
manage user data.
Connect to a directory server as described under "User Authentication Settings"
on page 50.
Navigate to "Firewall > User Authentication > LDAP Groups" to display the list of LDAP
groups that are currently defined on the directory server in the item list bar.
To make LDAP groups in this list available for use in connections and group-specific
firewall rules, the groups have to be assigned to a user group desktop object. For more
information, see "User Groups" on page 102.
LDAP Users
It is possible to connect R&S Unified Firewalls to an external directory server using the
Lightweight Directory Access Protocol (LDAP) to retrieve users from there. You can
include these users in user-specific firewall rules.
LDAP can be used by medium to large companies to access directory services and to
manage user data.
Connect to a directory server as described under "User Authentication Settings"
on page 50.
Navigate to "Firewall > User Authentication > LDAP Users" to display the list of LDAP
users that are currently defined on the directory server in the item list bar.
To make LDAP users in this list available for use in connections and user-specific firewall rules, the users must be assigned to a user desktop object. For more information,
see "User Groups" on page 102.
Local Users
R&S Unified Firewalls offers local user administration for smaller companies without
central administration. Use the "Local Users" settings to specify the usernames and
passwords. This way, you can define and manage users.
Navigate to "Firewall > User Authentication > Local Users" to display the list of local
users that are currently defined on the system in the item list bar.
In the expanded view, the table columns display the "Name" of the local user and a
"Description", if one was entered. The buttons in the last column allow you to view and
adjust the settings for an existing local user, create a new user based on a copy of an
existing local user, or delete a user from the system.
For further information, see Chapter 3.2, "Icons and Buttons", on page 21.
Under "Firewall > User Authentication > Local Users", you can add a new or edit an
existing local user.
The "Local User Authentication" panel allows you to configure the following elements:
"User Name" – Enter a unique name for the local user. This name will be the logon name.
Important: The user's logon name has to exactly match the "User Name" (case-sensitive). Otherwise, the name in the user-specific firewall rules will not correspond to the user logging on to the client and the rules will not match.

"Description" – Optional: The information given here is for internal use for the administrator only.

"Password" – Enter a password for the user and confirm it. The password must consist of at least six characters.

"Show Password" – Optional: Select this checkbox to verify the password.

"Require password change after next login" – Optional: Select this checkbox if you want to require the user to change the password after the next logon. If selected, the web server will redirect the user from the logon page to a page for changing the password.
The buttons at the bottom right of the editor panel depend on whether you add a new
local user or edit an existing user. For a newly configured local user, click "Create" to
add the new user to the list of available local users or "Cancel" to reject the creation.
To edit an existing local user, click "Save" to store the reconfigured user or "Reset" to
discard your changes. You can click "Close" to shut the editor panel as long as no
changes have been made on it.
The local users defined here are available for use in desktop objects, for example VPN
users.
Unassigned Users
Navigate to "Firewall > User Authentication > Unassigned Users" to view LDAP users
that are assigned to user desktop objects but that R&S Unified Firewalls can no longer
retrieve from the directory service at the location where they used to be.
Application Examples
Using a Windows domain
If you have a Windows domain, you can connect the user authentication to the Windows domain controller.
To connect the user authentication to the Windows domain controller, perform the following steps:
1. Navigate to "Firewall > User Authentication".
2. Click the "Authentication Server" tab.
3. Enter the data of your domain controller.
All users in the specified domain appear on the user list.
55User Manual 3646.4026.02 ─ 02
4. Drag user icons onto the configuration desktop and assign rules to them.
To log on, users enter https:// followed by the IP address of the firewall in the address
bar of their browser. A logon page appears. After a successful logon, the firewall rules
for the user are bound to the IP address the logon came from, so all traffic from that
address is treated as that user's traffic. When the browser window is closed, the
session cookie expires and the rules lose their validity.
Excluding the Terminal Server from User Authentication
If you are using a terminal server, exclude it from the user authentication. Otherwise,
after one user has logged on, all previous users are logged out.
To exclude the terminal server from the user authentication, perform the following
steps:
1. Click the host group icon in the toolbar at the top of the desktop.
2. Clear the checkbox in the "Login Allowed" column.
Figure 3-9: Object settings – terminal server.
If your users do need authentication on the terminal server, you can activate Remote
Desktop IP Virtualization on the terminal server. This way, all users are assigned their
own IP address during a session.
3.4.2Monitoring & Statistics
The "Monitoring & Statistics" settings display detailed information about the traffic
flowing through R&S Unified Firewalls and allow you to set up remote SNMP and
syslog servers to forward log messages generated by different message sources. Furthermore, you can configure how to deal with the different kinds of events that
R&S Unified Firewalls can detect and whether to create statistics for each of them or
not.
3.4.2.1Statistics Settings
Navigate to "Monitoring & Statistics > Settings" to customize the statistics.
The "Settings" panel allows you to configure how to deal with the different kinds of
events that R&S Unified Firewalls can detect and whether to create statistics for each
of them or not. From the drop-down lists, select one of the following options to deal
with the various event types:
Mode – Description
Disabled – No data is collected for this event type.
Create Statistics – Data from occurring events is collected to create statistics.
Send Raw Data to External Syslog – Data from occurring events is collected to create statistics and passed on to a configured external syslog server.
Save Raw Data Locally – Data from occurring events is collected to create statistics, passed on to a configured external syslog server and stored on the device.
Note: This mode can cause the storage of the device to fill up rapidly.
Hover the mouse over the icon next to the event type label to find an explanation of what
graph a particular event is used for. Use the "All Event Types" drop-down list to set all
event types simultaneously to the same mode.
The buttons at the bottom right of the editor panel allow you to shut ("Close") the editor
panel as long as no changes have been made and to store ("Save") or to discard
("Reset") your changes.
Click "Activate" in the toolbar at the top of the desktop to apply your configuration
changes.
3.4.2.2Connection Tracking
The "Connection Tracking" panel allows you to view and interact with the in-kernel connection tracking system to get a list of all active connections on R&S Unified Firewalls.
Navigate to "Monitoring & Statistics > Connection Tracking" to open an editor panel to
display the list of connections that are currently tracked through the system.
The filter section allows you to narrow the list of results in the table below it. First,
select one of the options in a drop-down list or type in one of the input fields. Then,
click "Reload" to refresh the list to show only those entries that contain the selected
option or the characters you have typed. Click the clear icon in the drop-down list or in
the input field to delete the selected option or the search string, or click "Reset Filter"
to delete all entries and display an unfiltered view of the list.
The filter options are AND-connected.
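The entries shown in this panel are the kernel's nf_conntrack table, which on a Linux system can also be read from /proc/net/nf_conntrack or listed with conntrack -L. The following is an added example, not code from R&S Unified Firewalls: it parses entries in that text format into the columns described in the table that follows and derives two things a practitioner usually wants from this view. First, whether the reply tuple has been rewritten by NAT, which is why "Source (Reply)" is only usually the same as "Destination". Second, which entries are still UNREPLIED, that is, attempts that never received an answer (half-open connections, blocked flows or scans). Note also that ASSURED marks entries the kernel will not evict early when the table fills up. The three sample lines are constructed; the exact layout can differ between kernel versions (for example packets= and bytes= only appear when connection accounting is enabled).

```python
"""Parse Linux nf_conntrack entries into the columns of the Connection Tracking panel.
Added example; not code from the R&S Unified Firewalls product. The text format is the
one printed by /proc/net/nf_conntrack (nf_conntrack_standalone.c); SAMPLE is constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: one NATed HTTPS session, one DNS query still waiting for its
# answer, and one inbound SSH attempt that never got a reply.
SAMPLE = """\
ipv4     2 tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=93.184.216.34 sport=50322 dport=443 packets=10 bytes=1200 src=93.184.216.34 dst=203.0.113.7 sport=443 dport=50322 packets=8 bytes=9000 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=10.0.0.5 dst=10.0.0.1 sport=51000 dport=53 packets=1 bytes=60 [UNREPLIED] src=10.0.0.1 dst=10.0.0.5 sport=53 dport=51000 packets=0 bytes=0 mark=0 zone=0 use=1
ipv4     2 tcp      6 117 SYN_SENT src=198.51.100.20 dst=10.0.0.5 sport=40001 dport=22 packets=3 bytes=180 [UNREPLIED] src=10.0.0.5 dst=198.51.100.20 sport=22 dport=40001 packets=0 bytes=0 mark=0 zone=0 use=1
"""


@dataclass
class Endpoint:
    """One direction of a connection: Source/Destination plus Packets/Bytes counters."""
    src: str
    dst: str
    packets: int
    bytes: int


@dataclass
class ConnEntry:
    protocol: str               # "Protocol" column
    ttl: int                    # "TTL" column, seconds until the entry is discarded
    tcp_state: Optional[str]    # "TCP State" column, only present for TCP
    original: Endpoint          # "Source"/"Destination"/"Packets"/"Bytes"
    reply: Endpoint             # the "(Reply)" columns
    flags: List[str]            # "State" flags such as ASSURED or UNREPLIED
    mark: int                   # "Mark" column
    used: int                   # "Used" column (the entry's reference count)

    @property
    def nat(self) -> bool:
        """Without NAT the reply tuple simply mirrors the original one; any difference
        means SNAT or DNAT rewrote an address or port."""
        return self.reply.src != self.original.dst or self.reply.dst != self.original.src


def _endpoint(items: List[Tuple[str, str]]) -> Endpoint:
    d = dict(items)
    src = d["src"] + (":" + d["sport"] if "sport" in d else "")
    dst = d["dst"] + (":" + d["dport"] if "dport" in d else "")
    # packets=/bytes= are only printed when nf_conntrack_acct is enabled
    return Endpoint(src, dst, int(d.get("packets", 0)), int(d.get("bytes", 0)))


def parse_entry(line: str) -> ConnEntry:
    tok = line.split()
    protocol, ttl = tok[2], int(tok[4])
    i = 5
    tcp_state = None
    if protocol == "tcp":           # TCP entries carry the state name right after the TTL
        tcp_state, i = tok[i], i + 1
    flags: List[str] = []
    kv: List[Tuple[str, str]] = []
    for t in tok[i:]:
        if t.startswith("["):       # [ASSURED], [UNREPLIED], ...
            flags.append(t.strip("[]"))
        else:
            k, _, v = t.partition("=")
            kv.append((k, v))
    # The original tuple is printed first, then the reply tuple; the second src= starts it.
    src_positions = [n for n, (k, _) in enumerate(kv) if k == "src"]
    if len(src_positions) != 2:
        raise ValueError(f"unexpected entry layout: {line!r}")
    split = src_positions[1]
    trailing = dict(kv[split:])     # mark=, zone=, use= follow the reply tuple
    return ConnEntry(protocol, ttl, tcp_state, _endpoint(kv[:split]), _endpoint(kv[split:]),
                     flags, int(trailing.get("mark", 0)), int(trailing.get("use", 0)))


def parse_table(text: str) -> List[ConnEntry]:
    return [parse_entry(ln) for ln in text.splitlines() if ln.strip()]


def unreplied(entries: List[ConnEntry]) -> List[ConnEntry]:
    """Entries whose original direction never got an answer: half-open attempts,
    blocked flows, or scans. Longest remaining TTL first."""
    return sorted((e for e in entries if "UNREPLIED" in e.flags), key=lambda e: -e.ttl)


def natted(entries: List[ConnEntry]) -> List[ConnEntry]:
    return [e for e in entries if e.nat]


if __name__ == "__main__":
    for e in parse_table(SAMPLE):
        print(f"{e.protocol:<4} ttl={e.ttl:<7} {e.original.src:>20} -> {e.original.dst:<20} "
              f"nat={e.nat} flags={','.join(e.flags)}")
```

Running the block prints one line per entry; the first shows nat=True because the reply packets are addressed to 203.0.113.7, the firewall's external address, rather than to the internal source 10.0.0.5. A burst of UNREPLIED entries with many different destination ports from one source, like the third line, is the conntrack signature of a port scan.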
The table columns of the currently active connections list contain the following information:
Column – Description
# – Displays a consecutive number for the table row.
"Protocol" – Displays the IP protocol type used by the connection. The type can be either TCP or UDP.
"TTL" – Displays how long (in seconds) the conntrack entry has to live. Once this time span has elapsed, the entry is discarded.
"TCP State" – Displays the current state of the TCP connection. The TCP state can be one of the following:
● SYN_SENT
● SYN_RECV
● ESTABLISHED
● FIN_WAIT
● CLOSE_WAIT
● LAST_ACK
● TIME_WAIT
● CLOSE
● LISTEN
"Source" – Displays the source IP address and port of the connection request.
"Destination" – Displays the destination IP address and port of the connection request.
"Packets" – Displays the number of packets sent in the original direction for the given connection. In this case, original direction means from source to destination.
"Bytes" – Displays the number of bytes sent in the original direction for the given connection. In this case, original direction means from source to destination.
Column – Description
"State" – Displays the state of the connection in the original direction. In this case, original direction means from source to destination. The state can be one of the following:
● ASSURED
● ESTABLISHED - This connection has been established.
● EXPECTED - This is an expected connection. That is, there have not yet been any matching packets, but the firewall expects such packets soon.
● FIXED_TIMEOUT
● INVALID - This connection does not follow the expected behavior of a connection and is, therefore, considered invalid.
● NEW - This connection is starting.
● RELATED - This connection has already been expected.
● SEEN_REPLY - The first answer packet from the destination was seen, but the handshake has not yet been completed.
● UNREPLIED - An initial packet from the source was seen, but it has not yet been replied.
● UNSET
● UNTRACKED - This connection is not tracked.
"State (Reply)" – Displays the state of the connection in the reply direction. In this case, reply direction means from destination to source. The state can be one of the following:
● ASSURED
● ESTABLISHED - This connection has been established.
● EXPECTED - This is an expected connection. That is, there have not yet been any matching packets, but the firewall expects such packets soon.
● FIXED_TIMEOUT
● INVALID - This connection does not follow the expected behavior of a connection and is, therefore, considered invalid.
● NEW - This connection is starting.
● RELATED - This connection has already been expected.
● SEEN_REPLY - The first answer packet from the source was seen, but the handshake has not yet been completed.
● UNREPLIED - An initial packet from the destination was seen, but it has not yet been replied.
● UNSET
● UNTRACKED - This connection is not tracked.
"Source (Reply)" – Displays the source IP address and port expected of the return packets (usually the same as under "Destination").
"Destination (Reply)" – Displays the destination IP address and port expected of the return packets (usually the same as under "Source").
Column – Description
"Packets (Reply)" – Displays the number of packets sent in the reply direction for the given connection. In this case, reply direction means from destination to source.
"Bytes (Reply)" – Displays the number of bytes sent in the reply direction for the given connection. In this case, reply direction means from destination to source.
"Mark" – Displays the connection mark. The mark is set by R&S Unified Firewalls.
"Used" – Displays the conntrack Use field (the reference count of the entry).
Click "Reload" to refresh the connections list in the table.
The "Close" button at the bottom of the editor panel allows you to shut the panel and
return to the complete overview of your entire configured network.
3.4.2.3 Logs
R&S Unified Firewalls stores records of system events, status information, errors and
other communication in a log database. The "Logs" panels display the contents of the
logs. If a problem occurs, you may be able to find technical details about the cause of
the problem by viewing these logs.
The logs are automatically reloaded to get the latest entries by default. You can disable
the automatic reload to focus on older entries by clicking the "AUTORELOAD ON"
slider switch. Then you can manually update the list of items in the logs by clicking
"Manual Reload". To enable automatic reload again, click the slider switch to turn it on.
The filter options above the tables allow you to narrow the list of results to display only
items that include a certain search string. Toggle the options to specify search criteria
in the input fields. The "Message" and "User" filters return all results that contain the
input string, whereas the remaining filter fields return exact matches only. The available
options depend on the log type. With filter options set, the logs are always automatically reloaded.
To filter the contents of a log by a customized time range, click the "Time" input field. A
new window on which you can either select a predefined or enter a custom time range
opens. By clicking "Custom", a calendar and drop-down lists for changing the date and
time appear. Set the date and time as desired. Click "Apply" to save your changes and
view the filtered log or "Cancel" to discard your changes.
To view the complete logs again, delete all search criteria by clicking "Reset", the clear
button on the right side of a selected drop-down list entry or the clear button in the
input fields.
Figure 3-10: Sample filtered system log.
The "Close" button at the bottom of the log panels allows you to shut the log panels
and return to the complete overview of your entire configured network.
For more detailed information on the different types of logs, see the following sections.
Audit Log
The "Audit Log" provides a journal of every configuration change made to R&S Unified Firewalls (e.g. update VPN settings) or action performed by it (e.g. import a
backup) and who it was triggered by. The "Monitoring" right is required to view the log.
For further information on web client permissions, see "Administrators Settings"
on page 26.
The columns of the table contain the following information:
Column – Description
"Time" – The timestamp of the log entry.
"Action" – The action type which can be one of the following:
● Call – perform a special operation (e.g. import a backup)
● Delete – delete a configuration item (e.g. delete an obsolete IPsec connection)
● Insert – insert a new configuration item (e.g. insert a host group)
● Update – change a configuration item (e.g. adjust the antivirus settings)
"User" – The name of the user that created the entry, such as admin.
"Message" – The log message itself. The content of the message depends on the "Action" type selected:
● If the "Action" is Call, then the "Message" starts with the API endpoint that was called.
● If the "Action" is Delete, then the "Message" states the name and internal type of the configuration item that was removed.
● If the "Action" is Insert, then the "Message" states the name and internal type of the created configuration item. It also shows the full payload of the message used to create the configuration item, showing the specific settings that were used.
● If the "Action" is Update, then the "Message" states the name and internal type of the changed configuration item. It also lists the specific changes that were made to a specific path (displayed in italics). The path identifies the actual setting of a configuration item that was altered.
System Log
The "System Log" displays a list of recent system messages.
The columns of the table contain the following information:
Column – Description
"Time" – The timestamp of the log entry.
"Type" – The message type which can be one of the following:
● OK – the service is working correctly
● Error – an error occurred and an error message is displayed
"Service" – The name of the service that created the entry. Possible filters are:
● Server – firewall services, including kernel, DHCP server, DNS server, SNMP server and WLAN access point messages
● VPN – IPsec and SSL tunnels
● Internet – NTP, DynDNS and DSL connection status
● User – terminal login, SSH login and superuser privilege operations (sudo)
● Connections – connections that were successfully finished. These messages will only be stored if Connection Finished in the "Monitoring & Statistics > Settings" is set to Save Raw Data Locally.
● Proxy – messages regarding web and mail proxies
● Updates – all messages regarding the firewall software
● Appfilter – application filter messages
● IDPS – IDS/IPS messages
● Alerts – all security relevant alerts, irrespective of the generating engine (e.g. when the anti-malware engine detects a virus or when the IDS/IPS engine detects a threat)
Note: Alerts will only be shown in the Alerts category, even if they also belong to another category.
Example: Appfilter generates an alert. The alert will only be shown in Alerts, but not in Appfilter.
"Message" – The log message itself.
Select Alerts in the "Service" column to filter IDS/IPS log messages.
Tip: You can use the log messages to add an IDS/IPS rule to the list of ignored
rules on the "Rules" tab of the "IDS/IPS" editor panel. Click the icon in the respective
IDS/IPS log message. A drop-down list opens. Select the "Ignore rule" entry.
The IDS/IPS rule is automatically added to the list of ignored rules on the
"Rules" tab of the "IDS/IPS" editor panel. For further information, see Chapter 3.4.5.4,
"IDS/IPS", on page 121.
3.4.2.4SNMP Settings
SNMP (Simple Network Management Protocol) is a networking protocol that is used to
offer and receive status information across a network. The participants of the SNMP-based
information exchange are the SNMP manager (e.g. Nagios) and the SNMP clients, also
called agents (devices such as your R&S Unified Firewalls that are meant to be monitored by
the SNMP manager).
While the SNMP manager requests, receives and monitors information, the SNMP clients
respond to information requests (e.g. "What is the current CPU load/memory usage of the
device?"). Status information offered by managed devices is organized like a tree (the
so-called Management Information Base, short MIB), with each leaf being a retrievable
piece of information. Every single leaf can be addressed and requested individually via its
own unique numeric address, the Object Identifier (OID). A file containing a mapping of
these numeric address snippets to meaningful names, and thereby a declaration of all
information available on a managed device, can be provided to the SNMP manager to
increase human usability (e.g. 29577.1.1 represents RSCS.SystemLoad.cpuLoad).
The "SNMP Settings" allow you to configure the following elements:
Field – Description
I/〇 – A slider switch indicates whether SNMP is active (I) or inactive (〇). By clicking the slider switch, you can toggle the state individually. SNMP is deactivated by default.
"Listening IP" – Optional: Enter a local IP address on which the service will be listening. If you retain the pre-defined default IP address 0.0.0.0, requests will be accepted on all IP addresses.
"Listening Port" – Optional: Specify the port number on which the service will be listening. Port number 161 is pre-defined by default.
"Protocol Version" – From the drop-down list, select the version of the SNMP protocol to be used. Depending on the version selected, additional options become available. Version v2c is pre-selected by default.
"Community String" – Only available if the selected "Protocol Version" is v2c: Enter the pre-shared key that every SNMP manager/client has to use to authenticate to the SNMP service of the access zone.
"Show Community String" – Optional and only available if the selected "Protocol Version" is v2c: Select this checkbox to verify the pre-shared key.
"Username" – Only available if the selected "Protocol Version" is v3: Enter the username that every SNMP manager/client software has to use to identify to the SNMP service of the access zone.
Note: The username is created and used by the SNMP service internally.
"Authentication Protocol" – Only available if the selected "Protocol Version" is v3: From the drop-down list, select the hashing algorithm that is used for authentication purposes. You can choose between the settings No Authentication, MD5 and SHA.
"Authentication Password" – Only available if the selected "Protocol Version" is v3 and the selected "Authentication Protocol" is MD5 or SHA: Enter the password to be used for authentication. The password must consist of at least eight characters.
"Show Authentication Password" – Optional and only available if the selected "Protocol Version" is v3 and the selected "Authentication Protocol" is MD5 or SHA: Select this checkbox to verify the authentication password.
"Privacy Protocol" – Optional and only available if the selected "Protocol Version" is v3 and the selected "Authentication Protocol" is MD5 or SHA: From the drop-down list, select the algorithm to be used to encrypt the communication with the SNMP service. You can choose between the encryption algorithms 3DES and AES. The option is set to No Encryption by default.
"Privacy Password" – Only available if the selected "Protocol Version" is v3, the selected "Authentication Protocol" is MD5 or SHA and the selected "Privacy Protocol" is 3DES or AES: Enter the password to be used to encrypt the communication with the SNMP service using the selected encryption algorithm.
"Show Privacy Password" – Optional and only available if the selected "Protocol Version" is v3, the selected "Authentication Protocol" is MD5 or SHA and the selected "Privacy Protocol" is 3DES or AES: Select this checkbox to verify the privacy password.
"Location" – Optional: Enter a fixed value which R&S Unified Firewalls returns for requests to certain Object Identifiers (OIDs) of the standard Management Information Base (MIB): sysLocation.
"Contact" – Optional: Enter a fixed value which R&S Unified Firewalls returns for requests to certain Object Identifiers (OIDs) of the standard Management Information Base (MIB): sysContact.
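The v3 authentication and privacy passwords entered above are not used on the wire as such; the agent and the manager each derive keys from them following the User-based Security Model (USM) of RFC 3414. The block below is an added example, not firewall code, that performs that derivation with Python's hashlib and reproduces the RFC's published test vector for the password "maplesyrup". It also maps the panel's choices to the USM security levels (noAuthNoPriv, authNoPriv, authPriv). The names HASH_FOR_PANEL and OTHER_ENGINE_ID are this example's own assumptions; a real engine ID is read from the device (snmpEngineID), and the 3DES key extension is left out.

```python
"""SNMPv3 USM key derivation (RFC 3414, section 2.6 and appendix A.2): how the
"Authentication Password" and "Privacy Password" from the SNMP settings turn into
the keys that actually protect the traffic. Added example, not firewall code."""
import hashlib

# RFC 3414 appendix A.3 test vector (a published reference value, not an R&S device)
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")
# Constructed placeholder for a second device; any engine ID works
OTHER_ENGINE_ID = bytes.fromhex("80001f8880e9bd0a6c5f9b4b63000000")

# The panel's "Authentication Protocol" names mapped to hashlib algorithm names
HASH_FOR_PANEL = {"MD5": "md5", "SHA": "sha1"}


def password_to_ku(password: str, hashname: str) -> bytes:
    """Step 1: stretch the password to exactly 1,048,576 bytes by repetition and hash it.
    This is the only work factor in USM, so short passwords stay cheap to brute-force;
    the firewall refuses passwords shorter than eight characters and so does this code."""
    pw = password.encode()
    if len(pw) < 8:
        raise ValueError("USM passwords must have at least eight characters")
    stretched = (pw * (1_048_576 // len(pw) + 1))[:1_048_576]
    return hashlib.new(hashname, stretched).digest()


def localize(ku: bytes, engine_id: bytes, hashname: str) -> bytes:
    """Step 2: bind Ku to one agent: Kul = H(Ku || snmpEngineID || Ku). The same password
    therefore yields a different key on every device, so a key recovered from one
    firewall does not work against another."""
    return hashlib.new(hashname, ku + engine_id + ku).digest()


def usm_keys(auth_proto: str, auth_password: str, engine_id: bytes,
             priv_proto: str = "No Encryption", priv_password: str = "") -> dict:
    """Derive the localized keys for the panel's settings and report the resulting USM
    security level. For AES the privacy key is the first 16 bytes of the localized
    privacy key (RFC 3826, section 1.3.1)."""
    if auth_proto == "No Authentication":
        return {"level": "noAuthNoPriv"}           # no privacy possible without auth
    hashname = HASH_FOR_PANEL[auth_proto]
    keys = {"level": "authNoPriv",
            "auth_key": localize(password_to_ku(auth_password, hashname), engine_id, hashname)}
    if priv_proto == "AES":
        keys["level"] = "authPriv"
        kul = localize(password_to_ku(priv_password, hashname), engine_id, hashname)
        keys["priv_key"] = kul[:16]
    elif priv_proto == "3DES":
        # 3DES-EDE needs a 24-byte key extended from Kul (draft-reeder-snmpv3-usm-3desede)
        raise NotImplementedError("3DES key extension not shown in this example")
    return keys


if __name__ == "__main__":
    for proto in ("MD5", "SHA"):
        k = usm_keys(proto, "maplesyrup", RFC_ENGINE_ID, "AES", "maplesyrup")
        print(proto, k["level"], k["auth_key"].hex(), k["priv_key"].hex())
```

Two practical consequences follow. With v2c, which the panel pre-selects, the community string travels in cleartext in every request and reply, so anyone on the path can read it and then query the agent; v3 with SHA and AES, a "Listening IP" restricted to the management address instead of the default 0.0.0.0, and passwords well above the eight-character minimum are the settings to choose. And because the derived key is localized with the engine ID, reusing one password across several firewalls still yields a different key per device, although a leaked password of course compromises all of them.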
The buttons at the bottom right of the editor panel allow you to shut ("Close") the editor
panel as long as no changes have been made and to store ("Save") or to discard
("Reset") your changes.
Click "Activate" in the toolbar at the top of the desktop to apply your configuration
changes.
3.4.2.5 Statistics
The "Statistics" panels contain charts and tables. You can control several aspects of
the presentation and data on these statistics.
The "Statistics" right is required to access the statistics and configure the settings related to them. For further information on web client permissions, see "Administrators Settings" on page 26.
When analyzing the statistics and configuring the settings related to them, the administrator must comply with data security regulations.
There are two ways to access the individual statistics panels:
● You can use the links in the navigation bar to navigate to the detailed statistics panels, e.g. via "Monitoring & Statistics > Statistics > Blocked Connections".
● You can click the "Details" link in the top right corner of one of the chart panels on the "Statistics" overview. The link forwards you to the detailed statistics panel for that chart. For further information, see "Overview" on page 67.
Working with statistics
There are two kinds of statistics:
●
Counters are displayed as line charts on the "Blocked Connections" and "Blocked
Content" statistics panels, each of them containing multiple counters.
●
Toplists provide a ranking for different events types and are displayed as a pie
chart or an area chart, depending on the selected data period. Data for the Day
period is displayed as a pie chart, while data for Month and Year is displayed as a
stacked area chart.
A tabular display of the graphical data complements each statistics panel. In the case
of counters, the data table always displays the same data as the chart. Each statistics
element creates a column in the data table. In the case of toplists, the data table displays the values of the statistics elements.
The charts and tables in the statistics panels share common functions to adjust the
data display and allow you to focus on the data you are most interested in:
●
Under "Period" in the header area of the statistics panels, you can set the desired
temporal scope of the data to be displayed. Use the buttons to toggle between the
different data periods available. You can choose between Day, Month and Year.
The option is set to Day by default.
●
Toplists typically contain an input field in the header area of the panels. Use the
"Entries" field to adjust the maximum number of items to be displayed in the chart.
The option is set to 5 entries by default. You can enter a different value or use the
up and down arrows in the input field to change the value.
Note: Regardless of the value set for the chart, the data table always displays up
to 1000 entries.
●
The charts and tables can be collapsed and expanded by clicking the corresponding icon in the header area of a chart or table, e.g. giving more space to the table
or hiding unnecessary details. For further information, see Chapter 3.2, "Icons and
Buttons", on page 21.
● Click the icon in the top right corner of a chart to access various export options (print view, PNG, JPEG, SVG, PDF, CSV and XLS) for the data displayed in the chart.
Note: If you use the spreadsheet export function available for the toplist charts, only the data used by that chart is exported, taking into account the value you have selected for the maximum number of toplist items.
● Line and area charts include a legend. The legend is color-coded and can be used as a filter for the chart. Click items in the legend below the chart to activate and deactivate them in the chart. If clicking has no effect and the legend item remains gray, data collection for the underlying event type was disabled in the statistics settings and, therefore, no data is available. For further information, see Chapter 3.4.2.1, "Statistics Settings", on page 57.
● Tooltips provide details on specific points in the graphical statistics. Hover the cursor of your mouse over the chart to see the exact values for a specific point in time.
The sections below provide further information on the data available in the statistics
overview, on each detailed statistics panel and on the settings.
Blocked Connections
The "Blocked Connections" panel can display the following statistics:
Statistics Element (Event Type) – Description
"Rule Set Inbound" ("Blocked Inbound Traffic") – Number of connections blocked because of input rules
"Rule Set Outbound/Forward" ("Blocked Forwarded Traffic") – Number of connections blocked because of forwarding rules
"IPS/IDS" ("IDPS Alert") – Number of IDS/IPS alerts. If the IDS/IPS mode is set to "IDS", "IPS Drop" or "IPS Reject", then this statistics element displays the number of dropped packets. For further information, see Chapter 3.4.5.4, "IDS/IPS", on page 121.
Blocked Content
The "Blocked Content" panel can display the following statistics:
Statistics Element (Event Type) – Description
"Virus (Mail)" ("Malware Alert (Mail)") – Number of viruses detected in emails
"Virus (Other)" ("Malware Alert (HTTP and FTP)") – Number of viruses detected in HTTP or FTP traffic
"Spam" ("Spam Alert") – Number of spam emails detected
"Web Access" ("Web Content Blocked") – Web access blocked by content filter
"Appfilter" ("Appfilter Alert") – Number of alerts regarding blocked application-specific traffic
Overview
Navigate to "Monitoring & Statistics > Statistics > Overview" to view a summary of all
available statistics charts. It can be considered a dashboard for "Statistics" and is
intended to provide an initial answer to the most common questions regarding the
events that R&S Unified Firewalls can detect.
The following special features apply only to this panel (diverging from the description of
the individual statistics panels in "Working with statistics" on page 65):
● Under "Period" in the header area of the overview panel, you can select the desired temporal scope of the data to be displayed in all charts.
● You can click the "Details" link in the top right corner of an individual chart panel to be forwarded to the detailed statistics panel for the respective chart.
● The number of entries for toplist charts is set to a fixed value of 5.
Top Domains Accessed
The "Top Domains Accessed" panel displays the Internet sites that were most frequently visited by users on the local network if you allow R&S Unified Firewalls to collect this kind of data by enabling the "Web Content Allowed" event type. These statistics are used to determine whether web-browsing habits match the company policy and
the goals of the business.
Top Domains Blocked
The "Top Domains Blocked" panel displays the Internet sites that were most frequently
blocked if you allow R&S Unified Firewalls to collect this kind of data by enabling the
"Web Content Blocked" event type.
Top Traffic per Source
The "Top Traffic per Source" panel shows the traffic volume for the top data traffic sources if you allow R&S Unified Firewalls to collect this kind of data by enabling the "Connection Finished" event type.
3.4.2.6Syslog Servers
R&S Unified Firewalls can be used to configure multiple external syslog servers to forward log messages generated by different message sources for reporting purposes.
Syslog messages are sent in cleartext (not encrypted) usually via port number 514 and
either via the User Datagram Protocol (UDP) or the Transmission Control Protocol
(TCP) to the remote syslog server.
For more detailed information on external syslog servers, see the following sections.
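Because the messages are forwarded in cleartext over UDP or TCP, the collector receives exactly the bytes that any observer on the path can read, and the settings described below offer no TLS transport, so the forwarding path belongs on a management network or inside a VPN tunnel. The following is an added example, not part of this manual or the product: it builds and parses BSD syslog messages (RFC 3164) the way a collector must, decodes the PRI value into facility and severity, and shows the octet-counting framing (RFC 6587) needed on TCP, where messages arrive as a byte stream rather than one per datagram. The hostname, tag and message texts are constructed; the product's own message format is not documented on this page.

```python
"""RFC 3164 syslog build/parse plus RFC 6587 octet-counting framing for TCP.
Added example; not code from R&S Unified Firewalls. All messages below are constructed."""
import re
from datetime import datetime
from typing import List, Optional, Tuple

FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11}
FACILITIES.update({f"local{i}": 16 + i for i in range(8)})
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}
_FAC_NAME = {v: k for k, v in FACILITIES.items()}
_SEV_NAME = {v: k for k, v in SEVERITIES.items()}


def encode_pri(facility: str, severity: str) -> int:
    """PRI = facility * 8 + severity; it is the only structured field in RFC 3164."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def decode_pri(pri: int) -> Tuple[str, str]:
    if not 0 <= pri <= 191:            # 23 facilities * 8 + 7
        raise ValueError(f"PRI {pri} out of range")
    fac, sev = divmod(pri, 8)
    return _FAC_NAME.get(fac, f"facility{fac}"), _SEV_NAME[sev]


def build_message(facility: str, severity: str, hostname: str, tag: str,
                  content: str, when: Optional[datetime] = None) -> bytes:
    when = when or datetime(2024, 1, 15, 9, 30, 5)   # fixed so the example is reproducible
    # RFC 3164 timestamp is "Mmm dd hh:mm:ss": day space-padded, no year, no time zone
    ts = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{encode_pri(facility, severity)}>{ts} {hostname} {tag}: {content}".encode()


_MSG = re.compile(rb"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) "
                  rb"([^:\[ ]+)(?:\[(\d+)\])?: ?(.*)$", re.S)


def parse_message(raw: bytes) -> dict:
    """Split one message into its fields; the free-text part is never trusted as-is,
    so it is decoded with replacement rather than allowed to raise."""
    m = _MSG.match(raw)
    if not m:
        raise ValueError(f"not an RFC 3164 message: {raw!r}")
    pri = int(m.group(1))
    facility, severity = decode_pri(pri)
    return {"pri": pri, "facility": facility, "severity": severity,
            "timestamp": m.group(2).decode(), "hostname": m.group(3).decode(),
            "tag": m.group(4).decode(), "pid": int(m.group(5)) if m.group(5) else None,
            "message": m.group(6).decode(errors="replace")}


def frame_tcp(msg: bytes) -> bytes:
    """Octet counting: "<length> <message>". Over UDP each datagram is one message, but
    on TCP the collector needs this (or a trailing newline) to find message boundaries."""
    return f"{len(msg)} ".encode() + msg


def unframe_tcp(stream: bytes) -> Tuple[List[bytes], bytes]:
    """Split a TCP receive buffer into complete messages and return the unconsumed tail,
    so a partially received message is kept until more bytes arrive."""
    frames, i = [], 0
    while i < len(stream):
        sp = stream.find(b" ", i)
        if sp < 0:
            break                      # length prefix not complete yet
        if not stream[i:sp].isdigit():
            raise ValueError("stream is not octet-counted")
        start, end = sp + 1, sp + 1 + int(stream[i:sp])
        if end > len(stream):
            break                      # payload not complete yet
        frames.append(stream[start:end])
        i = end
    return frames, stream[i:]


if __name__ == "__main__":
    msg = build_message("local4", "warning", "fw01", "firewall",
                        "blocked 10.0.0.5 -> 198.51.100.9:22")
    print(msg.decode())
    print(parse_message(msg))
    print(unframe_tcp(frame_tcp(msg) + frame_tcp(msg)[:5]))
```

The forwarded copy of a log line carries no integrity protection, so a collector should record the transport peer address alongside each message rather than rely on the hostname inside it, and a receiver that reads TCP without framing will silently merge or split messages under load.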
Syslog Servers Overview
Navigate to "Monitoring & Statistics > Syslog Servers" to display the list of remote
syslog servers that are currently defined on the system in the item list bar.
In the expanded view, the table displays the server address of the external syslog
server which consists of the IP address and the port. For example, the server address
192.168.124.5:514 represents the IP address 192.168.124.5 and the port num-
ber 514. Furthermore, the "Protocol" type used for the transmission of the text message is displayed. The buttons in the last column allow you to view and adjust the settings for an existing external syslog server, create a syslog server based on a copy of
an existing external syslog server or delete a remote syslog server from the system.
For further information, see Chapter 3.2, "Icons and Buttons", on page 21.
Syslog Servers Settings
The "Syslog Servers" settings allow you to specify connection details for multiple
remote syslog servers to forward log messages generated by different message sources.
Under "Monitoring & Statistics > Syslog Servers", you can add a new or edit an existing
remote syslog server.
The "Syslog Servers" settings allow you to configure the following elements:
Field – Description
"Destination IP" – Enter the IP address of the server.
"Destination Port" – Specify the port number to be used by entering an integer value.
"Transport Protocol" – Select the protocol type to be used from the drop-down list.
The buttons at the bottom right of the editor panel depend on whether you add a new
remote syslog server or edit an existing server. For a newly configured server, click
"Create" to add the server to the list of available remote syslog servers or "Cancel" to
discard your changes. To edit an existing server, click "Save" to store the reconfigured
server or "Reset" to discard your changes. You can click "Close" to shut the editor
panel as long as no changes have been made on it.
Click "Activate" in the toolbar at the top of the desktop to apply your configuration
changes.
3.4.3Network
The "Network" settings allow you to organize your network by configuring interfaces,
connections, WLAN, routing policies and DHCP settings. Furthermore, you can set
up the WAN access of your R&S Unified Firewalls by configuring DNS settings,
DynDNS accounts and QoS settings.
3.4.3.1Connections
The "Desktop Connections" settings allow you to configure network and PPP connections on R&S Unified Firewalls.
Network Connections
Use the "Network Connections" settings to configure network connections. The system
offers default connections for all available Ethernet interfaces.
For more detailed information on network connections, see the following sections.
Network Connections Overview
Navigate to "Network > Connections > Network Connections" to display the list of network connections that are currently defined on the system in the item list bar.
In the expanded view, the first column of the table displays the "Name" of the network
connection. The "Status" column shows one of the following status indicators:
●
Green – The network connection is enabled.
●
Gray – The network connection is disabled.
●
Red – The network connection is disconnected.
Furthermore, the "Interface" that the network connection is assigned to and the connection "Type" are displayed. The buttons in the last column allow you to view and
adjust the settings for an existing network connection, create a new connection based
on a copy of an existing network connection or delete a network connection from the
system.
For further information, see Chapter 3.2, "Icons and Buttons", on page 21.
Network Connections Settings
Use the "Network Connections" settings to configure custom network connections.
Under "Network > Connections > Network Connections", you can add a new or edit an
existing network connection.
The "Network Connection" panel displays the following information and allows you to
configure the following elements:
Field – Description
I/〇 – A slider switch indicates whether the network connection is active (I) or inactive (〇). By clicking the slider switch, you can toggle the state of the connection. A new network connection is enabled by default.
"Name" – Enter a name for the network connection.
Note: If you leave this field empty, the name will be generated automatically from the selected interface and the connection type.
"Interface" – From the drop-down list, select the interface that you want to assign to the connection. You may select an Ethernet, VLAN or bridge interface.
Field – Description
"Type" – From the drop-down list, select the connection type. This option is set to Static by default, but you can adjust the settings to the other value as required:
● Static – This mode is used to specify a fixed IP address for the connection.
● DHCP – This mode is used to assign IP addresses dynamically.
Note: Once you click "Create" to establish the network connection, you will no longer be able to change the connection type.
Tip: The elements on the "Network" tab described below differ depending on the selected connection type.
"Used by" – Displays the components that use the network connection.
"Status" – Displays the status of the network connection. The status can be one of the following:
● up – The network connection is enabled.
● disabled – The network connection is disabled.
● disconnected – The network connection is disconnected.
On the "Network" tab:
Field – Description
"IP Addresses" – Assign one or multiple IP addresses to the network connection. Enter an IP address in CIDR notation (IP address followed by a slash »/« and the number of bits set in the subnet mask, for example 192.168.50.1/24). Click "Add" to add the IP address to the list.
You can edit or delete single entries in the list by clicking the corresponding button next to an entry. For further information, see Chapter 3.2, "Icons and Buttons", on page 21.
Note: If you edit an IP address, a check mark appears on the right of the entry. Click the check mark to be able to save the settings of the IP address.
Use the up and down buttons next to an entry to change the order of the IP addresses in the list.
Note: The IP address which is listed first in the list is used as the default source IP address for NAT and for IPsec connections. Reordering the list therefore changes the source address with which NAT and IPsec traffic leaves the firewall.
"Obtain Gateway" – Only available if the selected connection "Type" is DHCP: Select this checkbox if you want R&S Unified Firewalls to obtain a gateway for the connection from the DHCP server.
"Obtain DNS Server" – Only available if the selected connection "Type" is DHCP: Select this checkbox if you want R&S Unified Firewalls to obtain a DNS server for the connection from the DHCP server.
"Obtain Domain" – Only available if the selected connection "Type" is DHCP: Select this checkbox if you want R&S Unified Firewalls to obtain a domain for the connection from the DHCP server.
"Obtained via DHCP" – Only available if the selected connection "Type" is DHCP: Displays one of the following states:
● If the connection is working, the IP address is displayed.
● Connection not yet saved – A new connection is being created.
● Failed – The DHCP connection could not be established.
On the "WAN" tab:
Field – Description
"Set Default Gateway" – Only available if the selected connection "Type" is Static: Select this checkbox if you want to set a default gateway for the network connection.
Note: If you select DHCP as the connection "Type", this checkbox is always enabled and grayed out because the gateway is obtained from the DHCP server.
"Default Gateway" – Only available if the selected connection "Type" is Static: Enter the default gateway for this connection.
Note: If you select DHCP as the connection "Type", this input field is grayed out and displays the gateway which is obtained from the DHCP server.
"Time Restrictions" – Optional: Select this checkbox if you want to set a time limit for which the connection is enabled.
Click "Edit" to open the "Time Restriction" editor panel which provides the following options:
● Set specific times and weekdays using the sliders.
● "Always On" – The connection is always enabled.
● "Always Off" – The connection is always disabled.
The buttons at the bottom right of the editor panel allow you to confirm your changes to the time restrictions ("OK") and to discard your changes ("Cancel"). The editor panel closes and the chosen option is displayed on the left of the "Edit" button: Restricted, Always On or Always Off.
"Multi WAN Weight" – Specify how much of the Internet traffic is routed through this connection by entering a value from 1 to 256. The higher the set value, the higher the percentage of Internet traffic routed through the connection. Setting the same value for all connections results in equal traffic distribution across all connections.
"Desktop Object" – From the drop-down list, select an Internet object that is used in firewall rules for this WAN connection. For further information, see "Internet Objects" on page 100.
On the "Failover" tab:
Field – Description
"Heartbeats" – Specify how the state of the connection is to be tested by adding tests. The default settings contain a ping test of the Google server (8.8.8.8). Click "Add" to add another test to the list. For information on configuring the reachability test, see "Heartbeat Settings" on page 72.
You can edit or delete single entries in the list by clicking the corresponding button next to an entry. For further information, see Chapter 3.2, "Icons and Buttons", on page 21.
Note: The heartbeat decides whether the connection is treated as failed. A target that you do not control, such as 8.8.8.8, can stop answering ICMP or be filtered by your provider while the line itself is fine; the connection is then declared down and failover is triggered. Prefer a target that you expect to answer for as long as the line is up, for example the provider's gateway.
"Use as backup connection" – Optional: Select this checkbox if you want to configure the connection as a backup Internet connection.
"Backup connections" – Select any backup connection you wish to assign to the connection and specify its "Priority". If the current connection fails, R&S Unified Firewalls switches to the available backup connection with the highest priority. Click "Add" to add the backup connection to the list.
You can edit or delete single entries in the list by clicking the corresponding button next to an entry. For further information, see Chapter 3.2, "Icons and Buttons", on page 21.
Note: If you edit a backup connection, a check mark appears on the right of the entry. Click the check mark to be able to save the settings of the backup connection.
The buttons at the bottom right of the editor panel depend on whether you add a new
network connection or edit an existing connection. For a newly configured network connection, click "Create" to add the connection to the list of available network connections or "Cancel" to reject the creation of a new network connection. To edit an existing
network connection, click "Save" to store the reconfigured connection or "Reset" to discard your changes. You can click "Close" to shut the editor panel as long as no
changes have been made on it.
Click "Activate" in the toolbar at the top of the desktop to apply your configuration changes.
Heartbeat Settings
Use the "Heartbeat" editor panel to set up automatic heartbeat tests to check the state
of the connection. The panel allows you to configure the following elements:
Field – Description
"Type" – From the drop-down list, select the type of reachability test you want to run:
● ping – This mode sends ping (ICMP echo) requests to the target.
● tcp_probe – This mode tests whether a TCP connection to the target can be established.
"Timeout" – Specify the timeout (in seconds) for the test.
"Number of tries" – Set the overall number of tries to be performed.
"Number of successful tries" – Set the number of successful tries required for a successful heartbeat. The value cannot exceed the "Number of tries".
"Arguments" – Specify the arguments to be used in the test, e.g. IP addresses that will be pinged.
If you have defined a backup Internet connection on the "Failover" tab and the automatic heartbeat test defines the state of the connection as disconnected, R&S Unified Firewalls automatically switches to the backup connection with the highest priority
available.
The buttons at the bottom of the "Heartbeat" editor panel allow you to discard your
changes to the heartbeat test ("Reset") and to run the connection test manually
("Test"). Furthermore, you can reject ("Cancel") or confirm your changes ("OK") to the
test, close the editor panel and return to the "Network Connection" editor panel. The
specified test is displayed as an entry in the list under "Heartbeats" on the "Failover"
tab.
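The heartbeat evaluation and the switch to a backup connection described above (and again for PPP connections under their "Failover" tab), as an added example in Python; this is not code from the manual or from the product. Two points are assumptions of the example, because the manual does not state them: a connection counts as up only if every configured heartbeat test passes, and a larger "Priority" value means a higher priority. The probe results are constructed so that the script runs offline; real_tcp_probe shows what one tcp_probe try amounts to on the wire.

```python
# Added example, not code from the R&S Unified Firewalls manual or the product: a model of the
# heartbeat evaluation and backup selection described on the "Failover" tab. Assumptions, marked
# as such: all heartbeat tests of a connection must pass for it to count as up, and a larger
# "Priority" value means a higher priority. Probe results below are constructed.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional
import socket


@dataclass
class Heartbeat:
    kind: str        # "Type": "ping" or "tcp_probe"
    argument: str    # "Arguments": the address to probe
    timeout: float   # "Timeout" in seconds
    tries: int       # "Number of tries"
    required: int    # "Number of successful tries"


# One try of a test; returns True when that try succeeded.
Probe = Callable[[Heartbeat], bool]


def real_tcp_probe(host: str, port: int, timeout: float) -> bool:
    """What one tcp_probe try amounts to: a TCP connect that must complete within `timeout`."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def heartbeat_passes(hb: Heartbeat, probe: Probe) -> bool:
    """Run at most `tries` probes; the test passes once `required` of them succeed.
    Stops early as soon as the outcome cannot change any more."""
    if not 0 < hb.required <= hb.tries:
        raise ValueError('"Number of successful tries" must lie between 1 and "Number of tries"')
    ok = failed = 0
    for _ in range(hb.tries):
        if probe(hb):
            ok += 1
        else:
            failed += 1
        if ok >= hb.required:
            return True
        if failed > hb.tries - hb.required:   # not enough tries left to reach `required`
            return False
    return ok >= hb.required


@dataclass
class Connection:
    name: str
    enabled: bool = True
    heartbeats: List[Heartbeat] = field(default_factory=list)
    backups: Dict[str, int] = field(default_factory=dict)   # "Backup connections": name -> Priority


def connection_up(conn: Connection, probe: Probe) -> bool:
    # Assumption: every configured heartbeat has to pass (the manual does not say how tests combine).
    return conn.enabled and all(heartbeat_passes(hb, probe) for hb in conn.heartbeats)


def choose_connection(primary: Connection, pool: Dict[str, Connection], probe: Probe) -> Optional[str]:
    """The connection traffic should use: the primary while its heartbeats pass, otherwise the
    backup with the highest Priority that is itself up, or None if nothing is reachable."""
    if connection_up(primary, probe):
        return primary.name
    for name, _priority in sorted(primary.backups.items(), key=lambda kv: kv[1], reverse=True):
        backup = pool.get(name)
        if backup is not None and connection_up(backup, probe):
            return name
    return None


def scripted_probe(outcomes: Dict[str, List[bool]]) -> Probe:
    """Replays a fixed sequence of try results per target so the example runs offline."""
    queues = {target: list(results) for target, results in outcomes.items()}

    def probe(hb: Heartbeat) -> bool:
        queue = queues.get(hb.argument, [])
        return queue.pop(0) if queue else False
    return probe


def demo() -> Optional[str]:
    """Constructed scenario: the primary line is flapping, the first backup is dead,
    the second backup answers. Expected result: 'lte'."""
    wan1 = Connection("wan1", heartbeats=[Heartbeat("ping", "8.8.8.8", 2.0, tries=5, required=3)],
                      backups={"wan2": 10, "lte": 5})
    wan2 = Connection("wan2", heartbeats=[Heartbeat("ping", "203.0.113.1", 2.0, tries=3, required=2)])
    lte = Connection("lte", heartbeats=[Heartbeat("tcp_probe", "198.51.100.10", 3.0, tries=3, required=1)])
    probe = scripted_probe({
        "8.8.8.8": [True, False, False, True, False],   # 2 of 5: wan1 fails
        "203.0.113.1": [False, False, True],            # decided after two failures: wan2 fails
        "198.51.100.10": [True],                        # first try succeeds: lte is up
    })
    return choose_connection(wan1, {"wan2": wan2, "lte": lte}, probe)


if __name__ == "__main__":
    print(demo())
```

The early exit in heartbeat_passes is what a tight "Timeout" buys you: a dead target is declared down after required-or-fewer failed tries, not after all of them. Note how wan2 is skipped although it has the higher priority, because its own heartbeat fails; a backup that is not up is not a backup.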
PPP Connections
Use the "PPP Connections" settings to configure existing connections using the Point-to-Point Protocol and to add new ones.
For more detailed information on PPP connections, see the following sections.
PPP Connections Overview
Navigate to "Network > Connections > PPP Connections" to display the list of PPP
connections that are currently defined on the system in the item list bar.
In the expanded view, the columns of the table display the "Name" of the connection,
whether it is "Active" or not, its "Interface", and the "Type" of connection. The buttons in
the last column allow you to view and adjust the settings for an existing PPP connection, create a new connection based on a copy of an existing connection or delete a
PPP connection from the system.
For further information, see Chapter 3.2, "Icons and Buttons", on page 21.
PPP Connections Settings
Under "Network > Connections > PPP Connections", you can add a new or edit an existing PPP connection.
The "PPP Connections" settings contain the following elements:
Field – Description
I/〇 – A slider switch indicates whether the PPP connection is active (I) or inactive (〇). By clicking the slider switch, you can toggle the state of the connection. A new PPP connection is enabled by default.
"Name" – Specify the name of the PPP connection. If you leave this field empty, the name will be generated automatically from the selected interface and the connection type.
"Interface" – Assign an interface to the connection. You may only select a PPP interface that has not yet been used in another connection.
Field – Description
"Type" – Select the connection type from the drop-down list, depending on your Internet service provider: PPPoE or PPTP. Use the PPPoE mode to connect using the Point-to-Point Protocol over Ethernet. PPPoE is typically used to share a broadband connection, such as a single DSL line or cable modem. Use the PPTP mode to connect using the Point-to-Point Tunneling Protocol.
Note: Once you click "Create" to establish the PPP connection, you will no longer be able to change the connection type.
Tip: The elements on the "Configuration" tab differ depending on the selected connection type.
"Used by" – Displays the components that use the PPP connection.
"Status" – Displays the status (up, disconnected or disabled) of the connection.
On the "Configuration" tab:
Field – Description
"Auth. Method" – Select an authentication method for the connection, depending on your Internet service provider:
● None
● auto – Automatically selects the authentication method which best matches the Internet service provider.
● pap-only – password authentication (PAP)
● chap-only – handshake authentication (CHAP)
● ms-chap2 – handshake authentication for Microsoft (MS-CHAPv2)
Note: PAP sends the password over the link in clear text, and MS-CHAPv2 is no longer considered cryptographically strong. Choose the strongest method your provider accepts.
"Username" – Enter the username required to connect to your Internet service provider.
"Password" – Enter the password required to connect to your Internet service provider.
"PPTP Server IP" – If you chose PPTP as connection type, enter the IP address of the PPTP server.
"MPPE" – If you chose PPTP as connection type, select the Microsoft Point-to-Point Encryption key length:
● mppe-40
● mppe-56
● mppe-128
Note: MPPE derives its keys from the MS-CHAP authentication, so the encryption is no stronger than that exchange. Use mppe-128 if the provider supports it.
"Local IP" – Optional: Enter your local IP address only if your Internet service provider explicitly requires this.
"Remote IP" – Optional: Enter the remote IP address only if your Internet service provider explicitly requires this.
"AC Hardware Address" – Optional: Enter the hardware MAC address of the Access Concentrator used by your Internet service provider. Only do so if your Internet service provider explicitly requires this.
"Force disconnect" – Optional: Select this checkbox if you wish to enforce a disconnect process at a specified time. Enter the time in the HH:MM:SS format.
Some Internet service providers force a disconnect at specific intervals (usually every 24 hours). With this setting enabled, R&S Unified Firewalls disconnects at a specific time, thereby pre-empting the auto-disconnect by the Internet service provider. This allows you to control when the disconnect happens.
On the "WAN" tab:
Field – Description
"Time Restrictions" – Select this checkbox if you want to set a time limit for which the connection is enabled.
Click "Edit" to open the "Time Restrictions" editor panel that provides the following options:
● Set specific times and weekdays using the sliders.
● "Always On" – The connection is always enabled.
● "Always Off" – The connection is always disabled.
"Multi WAN Weight" – Specify how much of the Internet traffic is routed through this connection by entering a value from 1 to 256. The higher the set value, the higher the percentage of Internet traffic routed through the connection. Setting the same value for all connections results in equal traffic distribution across all connections.
"Desktop Object" – Select an Internet object that is used in firewall rules for this connection. For further information, see "Internet Objects" on page 100.
On the "Failover" tab:
Field – Description
"Heartbeats" – Specify how the reachability of the connection is to be tested by adding ping tests. The default settings contain a ping test of the Google server (8.8.8.8). Click "Add" to add another test to the list. For information on how to configure the reachability test, see "Heartbeat Settings" on page 75.
You can edit or delete single entries in the list by clicking the corresponding button next to an entry. For further information, see Chapter 3.2, "Icons and Buttons", on page 21.
"Use as backup connection" – Select this checkbox if you want to configure the connection as a backup Internet connection.
"Backup connections" – Select any backup connection you wish to assign to the connection and specify their "Priority". If the current connection fails, R&S Unified Firewalls switches to the available backup connection with the highest priority. Click "Add" to add the backup connection to the list.
You can edit or delete single entries in the list by clicking the corresponding button next to an entry. For further information, see Chapter 3.2, "Icons and Buttons", on page 21.
Heartbeat Settings
The "Heartbeats" settings allow you to configure automatic heartbeat tests to test the
connection. The editor panel contains the following elements:
Field – Description
"Type" – Select the type of reachability test you want to run:
● ping – Sends ping (ICMP echo) requests to the target.
● tcp_probe – Tests whether a TCP connection to the target can be established.
"Timeout" – Specify the timeout (in seconds) for the test.
"Number of tries" – Set the overall number of tries to be performed.
"Number of successful tries" – Set the number of successful tries required for a successful heartbeat.
"Arguments" – Specify the arguments to be used in the test, e.g. IP addresses that will be pinged.
Click "Test" to run the connection test manually. Click "OK" to save the settings and return to the "Network Connection" settings panel.
The buttons at the bottom right of the editor panel depend on whether you add a new PPP connection or edit an existing connection. For a newly configured PPP connection, click "Create" to add the connection to the list of available PPP connections or "Cancel" to discard your changes. To edit an existing PPP connection, click "Save" to store the reconfigured connection or "Reset" to discard your changes. You can click "Close" to shut the editor panel as long as no changes have been made on it.
Click "Activate" in the toolbar at the top of the desktop to apply your configuration changes.
3.4.3.2 DHCP Settings
Navigate to "Network > DHCP Settings" to configure the DHCP settings on R&S Unified Firewalls.
Field – Description
I/〇 – A slider switch indicates whether the DHCP settings are enabled (I) or disabled (〇). By clicking the slider switch, you can toggle the state.
"Operation Mode" – Select if you want to set up a DHCP server or a DHCP relay. The remaining fields on the screen depend on the chosen operation mode.
DHCP Server Settings
With the DHCP server running on R&S Unified Firewalls, you can assign IP addresses to clients and push further configuration parameters (gateway, DNS server, NTP server etc.) to them. Alternatively, it is possible to forward DHCP requests to an existing DHCP server on another network.
Configure the following elements for the DHCP server:
Field – Description
"Default Lease Time" – Enter the default lease time (in seconds) to determine the amount of time that the IP address of a computer is valid.
"Maximum Lease Time" – Enter the maximum lease time (in seconds).
"Prevent IP Conflicts" – Select this checkbox to have the DHCP server ping an IP address to verify that it is not yet in use before assigning it to a new client. A host that does not answer ping is not detected by this check.
"Interfaces" – This table displays all interfaces (Ethernet, VLAN and bridge) on which a static connection has been configured and their DHCP settings.
Click the edit button of an interface to open the "DHCP Settings" editor panel for the respective interface.
The "DHCP Settings" editor panel of an interface allows you to configure the following
elements:
Field – Description
I/〇 – A slider switch indicates whether the DHCP server is active (I) or inactive (〇) on this interface. By clicking the slider switch, you can toggle the state of the DHCP server on this interface.
On the "General" tab:
Field – Description
"Network" – From the drop-down list, select the subnet whose IP addresses are distributed by the DHCP server. By selecting the subnet, the "Range Start IP" and the "Range End IP" input fields are automatically prefilled with the respective IP range.
"Range Start IP" – If the prefilled start IP address does not meet your requirements, adjust the entry to specify the range of IP addresses that are distributed to the client computers.
"Range End IP" – If the prefilled end IP address does not meet your requirements, adjust the entry to specify the range of IP addresses that are distributed to the client computers.
Note: Make sure that the permanent IP addresses are not within the IP address range of the DHCP server, as permanent IP addresses are not excluded automatically during dynamic address assignment. Otherwise, addresses may be assigned twice.
"Lease Time" – Specify the time (in minutes) that the IP address of a computer is valid. The default lease time is 60 minutes.
"Gateway" – If the prefilled gateway IP address to be pushed to the client does not meet your requirements, adjust the entry. The default gateway IP address is usually the IP address of your R&S Unified Firewalls.
"WINS server" – Optional: If there is a WINS server in the network, use this input field to communicate it to the clients.
"Preferred NTP server"/"Alternative NTP server" – Optional: Clients may use NTP servers to determine the exact time. This is particularly important for user authentication via Windows servers.
"Preferred DNS server"/"Alternative DNS server" – If R&S Unified Firewalls does not carry out name resolution, enter internal DNS servers that are located in the network or the Internet. Otherwise, the clients are allocated the IP address of R&S Unified Firewalls as their DNS server.
"DNS Search Domains" – Specify a DNS search domain that the DNS service uses to resolve hostnames that are not fully qualified domain names. Click the add button to add the DNS search domain to the list.
You can edit or delete single entries in the list by clicking the corresponding button next to an entry. For further information, see Chapter 3.2, "Icons and Buttons", on page 21.
Note: If you edit an entry, a check mark appears on the right of the entry. Click the check mark to apply your changes.
On the "Static IP Addresses" tab:
Field – Description
"MAC Address"/"IP Address"/"Host Name" – Specify a static IP address for a host in the network by entering the host's MAC address and IP address. Additionally, you can enter the host name. Click "Add" to add the static IP address to the list.
You can edit or delete single entries in the list by clicking the corresponding button next to an entry. For further information, see Chapter 3.2, "Icons and Buttons", on page 21.
Note: If you edit an entry, a check mark appears on the right of the entry. Click the check mark to apply your changes.
Note: A static entry binds the address to a MAC address only. A client can set its MAC address freely, so a static entry is not an access control; use firewall rules for that.
"Add from ARP Cache" – From the drop-down list, select the addresses you want to add from the ARP cache.
Click "OK" to save the interface settings and return to the "DHCP Settings" panel.
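As an added example (not code from the manual or from the product), the following Python script checks the values entered on the "General" and "Static IP Addresses" tabs of an interface's DHCP settings for the inconsistencies described above: static addresses inside the dynamic range (the note on the "Range End IP" field), addresses outside the selected subnet, a gateway that could itself be leased out, and malformed or duplicate MAC addresses. The field names, the dataclass layout and the sample settings are assumptions made for this example.

```python
# Added example, not code from the R&S Unified Firewalls manual or the product: a consistency
# check for an interface's "DHCP Settings" ("General" and "Static IP Addresses" tabs).
# Field names, the dataclass layout and the sample settings are assumptions of this example.
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List

# MAC address in aa:bb:cc:dd:ee:ff form (assumed input format for "MAC Address")
_MAC = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


@dataclass
class StaticLease:          # one row of the "Static IP Addresses" tab
    mac: str
    ip: str
    hostname: str = ""


@dataclass
class DhcpInterface:        # the "General" tab plus the static entries
    network: str            # "Network", e.g. 192.168.50.0/24
    range_start: str        # "Range Start IP"
    range_end: str          # "Range End IP"
    gateway: str            # "Gateway"
    lease_minutes: int = 60  # "Lease Time"
    static: List[StaticLease] = field(default_factory=list)


def check_dhcp_interface(cfg: DhcpInterface) -> List[str]:
    """Returns the list of problems found; an empty list means the settings are consistent."""
    problems: List[str] = []
    net = ipaddress.ip_network(cfg.network, strict=False)
    start = ipaddress.ip_address(cfg.range_start)
    end = ipaddress.ip_address(cfg.range_end)
    gateway = ipaddress.ip_address(cfg.gateway)

    if start > end:
        problems.append("Range Start IP is above Range End IP")
    for label, addr in (("Range Start IP", start), ("Range End IP", end), ("Gateway", gateway)):
        if addr not in net:
            problems.append(f"{label} {addr} is outside {net}")
        elif addr in (net.network_address, net.broadcast_address):
            problems.append(f"{label} {addr} is the network or broadcast address")
    if start <= gateway <= end:
        problems.append(f"Gateway {gateway} lies inside the dynamic range and could be leased to a client")
    if cfg.lease_minutes <= 0:
        problems.append("Lease Time must be positive")

    seen_macs, seen_ips = set(), set()
    for lease in cfg.static:
        mac = lease.mac.lower()
        if not _MAC.match(mac):
            problems.append(f"{lease.mac!r} is not a MAC address in aa:bb:cc:dd:ee:ff form")
        elif mac in seen_macs:
            problems.append(f"MAC {mac} is reserved twice")
        seen_macs.add(mac)
        ip = ipaddress.ip_address(lease.ip)
        if ip in seen_ips:
            problems.append(f"IP {ip} is reserved for two hosts")
        seen_ips.add(ip)
        if ip not in net:
            problems.append(f"static {ip} is outside {net}")
        elif start <= ip <= end:
            # the manual's note: static addresses are not excluded from dynamic assignment
            problems.append(f"static {ip} ({lease.hostname or mac}) lies inside the dynamic range")
    return problems


def demo() -> List[str]:
    """Constructed settings with two mistakes: a reservation inside the dynamic range
    and a MAC address in the wrong form."""
    cfg = DhcpInterface(
        network="192.168.50.0/24", range_start="192.168.50.100", range_end="192.168.50.199",
        gateway="192.168.50.1",
        static=[
            StaticLease("00:11:22:33:44:55", "192.168.50.10", "printer"),
            StaticLease("00:11:22:33:44:66", "192.168.50.150", "nas"),
            StaticLease("00-11-22-33-44-77", "192.168.50.20", "camera"),
        ],
    )
    return check_dhcp_interface(cfg)


if __name__ == "__main__":
    for problem in demo():
        print(problem)
```

Run the check before clicking "OK": the editor panel accepts a reservation inside the dynamic range without complaint, and the duplicate assignment the note warns about only shows up later as an intermittent address conflict.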
DHCP Relay Settings
A DHCP relay forwards the DHCP requests it receives to a DHCP server in another network. This is necessary because DHCP requests are link-local broadcasts that are not routed across networks.
Field – Description
"DHCP Server IP Address" – Enter the IP address of the server to which the DHCP requests will be redirected.
"Relay through these interfaces" – Select one or more interfaces from which DHCP requests will be forwarded. Also, select the interface that the DHCP server is connected to.
The buttons at the bottom right of the editor panel allow you to shut ("Close") the editor
panel as long as no changes have been made and to store ("Save") or to discard
("Reset") your changes.
Click "Activate" in the toolbar at the top of the desktop to apply your configuration changes.
3.4.3.3 DNS Settings
Navigate to "Network > DNS Settings" to configure the DNS settings of your R&S Unified Firewalls.
Usually, the DNS server settings are provided by the WAN connection. You only need to configure the DNS server settings manually if you cannot obtain them over the WAN connection.
The "DNS Settings" panel allows you to configure the following elements:
Field – Description
"Acquire DNS server" – Select this checkbox to connect to a DNS server selected by the router or the provider.
Note: In case you are using several Internet lines from different providers, make sure that the DNS servers you use can be reached from all lines. If necessary, use public DNS servers on the Internet.
"Nameserver" – Specify an alternative DNS server by entering its IP address.
The buttons at the bottom right of the editor panel allow you to shut ("Close") the editor panel as long as no changes have been made and to store ("Save") or to discard ("Reset") your changes.
Click "Activate" in the toolbar at the top of the desktop to apply your configuration changes.
3.4.3.4 DynDNS Accounts
To be able to connect to your R&S Unified Firewalls from the external network, for example using a VPN connection, the IP address of your device has to be recognized on the Internet. Using dynamic DNS (»DynDNS«), R&S Unified Firewalls keeps a fixed hostname (for example yourcompany.dyndns.org) on the Internet, even if it has no fixed public IP address. This is accomplished by sending the current IP address to a DynDNS provider that maps it to a domain name so that the firewall is accessible using that domain name. If the IP address changes due to a DSL disconnect forced, for example, by your Internet service provider, the IP address is re-sent to the DynDNS provider. This ensures that the dynamic DNS always points to the current IP address.
To set up DynDNS on R&S Unified Firewalls, you require a configured DynDNS
account with a DynDNS provider. Further information on dynamic DNS and the registration for the dynamic DNS process can be found at, for example, www.dyndns.org.
For more detailed information on dynamic DNS accounts, see the following sections.
DynDNS Accounts Overview
Navigate to "Network > DynDNS Accounts" to display the list of DynDNS accounts that
are currently defined on the system in the item list bar.
In the expanded view, the columns of the table display the "Hostname" of the DynDNS
account, the "Status" of the account and the "Server Type". The buttons in the last column allow you to view and adjust the settings for an existing DynDNS account, create
an account based on a copy of an existing DynDNS account or delete an account from
the system.
For further information, see Chapter 3.2, "Icons and Buttons", on page 21.
DynDNS Accounts Settings
Under "Network > DynDNS Accounts", you can add a new or edit an existing DynDNS account.
The "DynDNS Account" settings allow you to configure the following elements:
Field – Description
I/〇 – A slider switch indicates whether the DynDNS account is active (I) or inactive (〇). By clicking the slider switch, you can toggle the state of the DynDNS account. A new DynDNS account is enabled by default.
"Internet Connection" – From the drop-down list, select the Internet connection to be used by the account.
"Server Type" – From the drop-down list of supported DynDNS services, select the type of server to be used.
"Hostname" – DynDNS services provide a domain name entry under their authority. Consequently, a registered host always has the suffix of the service provider (for example yourname.dynamicdns.org). Enter the complete host name in this input field.
"Username" – Enter the user name with which your account is registered with the DynDNS provider.
"Password" – Enter the password with which your account is registered with the DynDNS provider.
"Show Password" – Optional: Select this checkbox to display the entered password so that you can verify it.
"Custom Server Address" – Optional: Enter the address of the server if your DynDNS provider requires the definition of a different server address.
"MX Record" – Optional: If you wish to use an MX record, enter its IP address or hostname.
"Wildcards" – Optional: Select this checkbox to activate the possibility to use wildcards in host names if you plan to use subdomains of your DynDNS account (for example, *.yourname.dynamicdns.org will resolve for any domains ending with yourname.dynamicdns.org).
The buttons at the bottom right of the editor panel depend on whether you add a new DynDNS account or edit an existing account. For a newly configured account, click "Create" to add the account to the list of available DynDNS accounts or "Cancel" to discard your changes. To edit an existing account, click "Save" to store the reconfigured account or "Reset" to discard your changes. You can click "Close" to shut the editor panel as long as no changes have been made on it.
Click "Activate" in the toolbar at the top of the desktop to apply your configuration changes.
3.4.3.5 Interfaces
Navigate to "Network > Interfaces" to configure Ethernet, VLAN, Bridge, PPP and WLAN interfaces. The item list bar displays an overview of all interfaces which are currently defined on the system.
Bond Interfaces
Use the "Bond Interfaces" settings to aggregate multiple physical Ethernet interfaces
into one logical bond interface. Depending on its mode of operation, a bond interface
offers the following two advantages:
● Load balancing – A bond interface provides increased bandwidth by using all aggregated Ethernet interfaces in parallel to transmit data.
● High availability – If one Ethernet interface fails, data can still be received and transmitted on the remaining Ethernet interfaces.
You can add as many bond interfaces as you like as long as there are available Ethernet interfaces that are not used by other interfaces or in any network connections.
For more detailed information on bond interfaces, see the following sections.
Bond Interfaces Overview
Navigate to "Network > Interfaces > Bond Interfaces" to display the list of bond interfaces that are currently defined on the system in the item list bar.
In the expanded view, the first column of the table displays the "Name" of the bond interface. The "Status" column shows one of the following status indicators:
● Green – The bond interface is up.
● Gray – The bond interface is disabled.
Furthermore, the "Ports" (i.e. the Ethernet interfaces) that are assigned to the bond
interface are displayed. The buttons in the last column allow you to view and adjust the
settings for an existing bond interface or delete a bond interface from the system.
For further information, see Chapter 3.2, "Icons and Buttons", on page 21.
Bond Interfaces Settings
Use the "Bond Interfaces" settings to configure custom bond interfaces.
Under "Network > Interfaces > Bond Interfaces", you can add a new or edit an existing
bond interface.
The "Bond Interface" panel displays the following information and allows you to configure the following elements:
Field – Description
I/〇 – A slider switch indicates whether the bond interface is active (I) or inactive (〇). By clicking the slider switch, you can toggle the state of the bond interface. A new bond interface is enabled by default.
"Name" – Displays the name of the bond interface. The name is generated automatically. Bond interfaces are numbered in the order they are created, starting with bond0.
"Hardware Address" – Displays the hardware address (MAC address) of the bond interface.
"Used by" – Displays the network components (e.g. connections, other interfaces, etc.) that use the bond interface.
Field – Description
"Mode" – From the drop-down list, select the mode of operation for the bond interface, specifying how the multiple Ethernet interfaces are to be aggregated. The option is set to IEEE 802.1AX (LACP, Direct Connection) by default, but you can adjust the settings to the other values as necessary:
● Balance - Round-Robin (Trunk, Direct Connection) – This mode provides load balancing and high availability. Packets are transmitted in sequential order from the first available aggregated Ethernet interface through the last, then continuing with the first aggregated Ethernet interface again.
● Active-Backup (Bridge, Direct Connection) – This mode provides high availability only. Data is transmitted and received by the active Ethernet interface (i.e. the first Ethernet interface in the list) only as long as it is not faulty. When the first Ethernet interface fails, the next Ethernet interface in the list is used to transmit and receive data.
● Balance - XOR (Trunk, Direct Connection) – This mode provides load balancing and high availability. Packets are transmitted on all Ethernet interfaces. A simple algorithm (layer2+3 XOR) is applied to decide which Ethernet interface is used to transmit the data.
● Broadcast (Trunk, Direct Connection) – This mode provides high availability only. Data is transmitted and received on all Ethernet interfaces simultaneously.
● IEEE 802.1AX (LACP, Direct Connection) – This mode provides load balancing and high availability by using the LACP (Link Aggregation Control Protocol) standard. Packets are transmitted on all Ethernet interfaces. A simple algorithm (layer2+3 XOR) is applied to decide which Ethernet interface is used to transmit the data.
● Balance - TLB (Bridge) – This mode provides load balancing and high availability. In addition to the simple selection algorithm (layer2+3 XOR), the current load of the Ethernet interface is taken into account when deciding which Ethernet interface is to be used to transmit the data.
● Balance - ALB (Bridge) – This mode provides load balancing and high availability. Data is received using ARP negotiation. In addition to the simple selection algorithm (layer2+3 XOR), the current load of the Ethernet interface is taken into account when deciding which Ethernet interface is to be used to transmit the data.
Note: The modes labeled Trunk or LACP require the switch at the other end to be configured for the matching link aggregation on the same ports; Active-Backup, TLB and ALB do not need switch support. Round-Robin can deliver the packets of one flow out of order.
"Ports" – Add the Ethernet interfaces that you want to aggregate into one logical link by clicking the input field. You can select any number of the available Ethernet interfaces.
Note: You can select only Ethernet interfaces that are not used by other interfaces or in any network connections.
The selected Ethernet interfaces are displayed in a table at the bottom of the panel.
To delete an element from the input field, click the delete button to the left of the entry.
"MTU" – Set the maximum size of each packet (in bytes). The Maximum Transmission Unit can be any integer from 64 to 16384.
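The "layer2+3 XOR" rule that the XOR, LACP, TLB and ALB modes above use to pick the transmit port, as an added example in Python; this is not code from the manual or from the product. It assumes that the appliance uses the Linux bonding driver and implements the formula given in that driver's documentation for the layer2+3 transmit hash policy (last byte of source and destination MAC XOR EtherType, XOR source and destination IPv4 address, folded by shifting, reduced modulo the number of ports). The MAC and IP addresses are constructed for the example. What it shows: the hash does not look at TCP/UDP ports, so all traffic between one pair of IP addresses always uses one aggregated port; a bond only spreads load when many address pairs are in play.

```python
# Added example, not code from the R&S Unified Firewalls manual or the product. Assumption: the
# appliance uses the Linux bonding driver, whose documentation gives this formula for the
# "layer2+3" transmit hash policy. MAC and IP addresses below are constructed.
import ipaddress
from typing import Dict, List

ETH_P_IP = 0x0800   # EtherType of IPv4: the "packet type ID" in the formula


def layer2_3_hash(src_mac: str, dst_mac: str, ethertype: int, src_ip: str, dst_ip: str) -> int:
    """layer2+3 transmit hash as documented for the Linux bonding driver:
         hash = src MAC[5] XOR dst MAC[5] XOR packet type ID
         hash = hash XOR src IP XOR dst IP
         hash = hash XOR (hash >> 16)
         hash = hash XOR (hash >> 8)
    Only IPv4 addresses are handled here."""
    h = int(src_mac.split(":")[5], 16) ^ int(dst_mac.split(":")[5], 16) ^ ethertype
    h ^= int(ipaddress.IPv4Address(src_ip)) ^ int(ipaddress.IPv4Address(dst_ip))
    h ^= h >> 16
    h ^= h >> 8
    return h & 0xFFFFFFFF


def select_port(ports: List[str], **frame) -> str:
    """The aggregated port a frame leaves on: the hash reduced modulo the port count."""
    return ports[layer2_3_hash(**frame) % len(ports)]


def distribute(ports: List[str], frames: List[dict]) -> Dict[str, int]:
    """How many of the given frames land on each port."""
    counts = {port: 0 for port in ports}
    for frame in frames:
        counts[select_port(ports, **frame)] += 1
    return counts


def sample_frames(hosts: int = 16) -> List[dict]:
    """Constructed traffic: the firewall sends to `hosts` different hosts through one router.
    The MACs stay the same on every frame (same router); only the destination IP varies."""
    return [dict(src_mac="00:1a:2b:3c:4d:5e", dst_mac="00:1a:2b:3c:4d:01", ethertype=ETH_P_IP,
                 src_ip="192.168.50.10", dst_ip=f"198.51.100.{k}") for k in range(1, hosts + 1)]


if __name__ == "__main__":
    ports = ["eth1", "eth2"]
    print(distribute(ports, sample_frames()))        # the 16 destinations spread over both ports
    one_pair = sample_frames(1)[0]
    # TCP/UDP ports are not part of layer2+3, so every connection between these two
    # addresses, however many, is pinned to the same aggregated port:
    print({select_port(ports, **one_pair) for _ in range(1000)})
```

For a WAN-side bond this matters: if the firewall talks to a single upstream router and NAT rewrites all traffic to one source address, the hash sees few address pairs and most traffic ends up on one port. Active-Backup or an LACP peer that hashes on more fields does not change the transmit side; only a wider spread of addresses does.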
The buttons at the bottom right of the editor panel depend on whether you add a new
bond interface or edit an existing interface. For a newly configured bond interface, click
"Create" to add the interface to the list of available bond interfaces or "Cancel" to discard your changes. To edit an existing bond interface, click "Save" to store the reconfigured interface or "Reset" to discard your changes. You can click "Close" to shut the
editor panel as long as no changes have been made on it.
Click " Activate" in the toolbar at the top of the desktop to apply your configuration changes.
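The layer2+3 XOR selection that the bond modes above rely on, as an added example that is not part of the manual and not the firewall's own code. It uses the hash formula documented for the Linux bonding driver's xmit_hash_policy=layer2+3 (IPv4 frames); that R&S Unified Firewalls applies exactly this formula is an assumption, and the port names, MAC and IP addresses are constructed sample data.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, Sequence, Tuple

ETHERTYPE_IPV4 = 0x0800


# Assumption: the firewall's "layer2+3 XOR" is the Linux bonding
# xmit_hash_policy=layer2+3 hash (IPv4 variant), which is what this implements.
def layer2_3_hash(src_mac: str, dst_mac: str, src_ip: str, dst_ip: str,
                  ether_type: int = ETHERTYPE_IPV4) -> int:
    """Hash over the last byte of each MAC, the EtherType and both IPv4 addresses."""
    h = int(src_mac[-2:], 16) ^ int(dst_mac[-2:], 16) ^ ether_type
    h ^= int(ipaddress.IPv4Address(src_ip)) ^ int(ipaddress.IPv4Address(dst_ip))
    h ^= h >> 16          # fold the upper bits down so every address bit can
    h ^= h >> 8           # influence the low byte that the modulo below uses
    return h & 0xFFFFFFFF


def select_port(ports: Sequence[str], src_mac: str, dst_mac: str,
                src_ip: str, dst_ip: str) -> str:
    """Reduce the hash modulo the number of aggregated ports to pick the
    transmit interface. The same flow always lands on the same port, so the
    packets of one flow are never reordered across links."""
    if not ports:
        raise ValueError("bond has no ports")
    return ports[layer2_3_hash(src_mac, dst_mac, src_ip, dst_ip) % len(ports)]


Flow = Tuple[str, str, str, str, str]   # (label, src_mac, dst_mac, src_ip, dst_ip)


def distribute(ports: Sequence[str], flows: Sequence[Flow]) -> Dict[str, List[str]]:
    """Show which port each flow leaves on. Balancing happens per flow, not per
    packet: a single large flow cannot use more than one link's bandwidth."""
    out: Dict[str, List[str]] = defaultdict(list)
    for label, src_mac, dst_mac, src_ip, dst_ip in flows:
        out[select_port(ports, src_mac, dst_mac, src_ip, dst_ip)].append(label)
    return dict(out)


# Constructed sample data: two aggregated ports and a handful of flows.
BOND_PORTS = ["eth1", "eth2"]
SAMPLE_FLOWS: List[Flow] = [
    ("client-a->web", "00:11:22:33:44:55", "66:77:88:99:aa:bb", "192.168.1.10", "10.0.0.5"),
    ("web->client-a", "66:77:88:99:aa:bb", "00:11:22:33:44:55", "10.0.0.5", "192.168.1.10"),
    ("client-b->app", "00:11:22:33:44:56", "66:77:88:99:aa:bb", "192.168.1.11", "10.0.0.4"),
    ("client-c->db",  "00:11:22:33:44:57", "66:77:88:99:aa:bc", "192.168.1.12", "10.0.0.6"),
]

if __name__ == "__main__":
    # Both directions of client-a's flow hash identically (XOR is symmetric),
    # so request and reply leave on the same port.
    for port, labels in distribute(BOND_PORTS, SAMPLE_FLOWS).items():
        print(port, labels)
```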
82User Manual 3646.4026.02 ─ 02
Page 83
R&S®Unified Firewalls
Bridge Interfaces
Use the "Bridge Interfaces" settings to connect two interfaces and their networks on
Layer 2, forming a common broadcast domain.
For more detailed information on bridge interfaces, see the following sections.
Bridge Interfaces Overview
Navigate to "Network > Interfaces > Bridge Interfaces" to display the list of bridge interfaces that are currently defined on the system in the item list bar.
In the expanded view, the first column of the table displays the "Name" of the bridge
interface. The "Status" column shows one of the following status indicators:
● Green – The bridge interface is enabled.
● Orange – The bridge interface is disabled.
Furthermore, the "Ports" that are assigned to the bridge interface are displayed. The
buttons in the last column allow you to view and adjust the settings for an existing
bridge interface, create a new bridge interface based on a copy of an existing bridge
interface or delete a bridge interface from the system.
User Interface
Menu Reference
For further information, see Chapter 3.2, "Icons and Buttons", on page 21.
Bridge Interfaces Settings
Use the "Bridge Interfaces" settings to configure custom bridge interfaces.
Under "Network > Interfaces > Bridge Interfaces", you can add a new or edit an existing bridge interface.
The "Bridge Interface" panel displays the following information and allows you to configure the following elements:
Field – Description
I/〇 – A slider switch indicates whether the bridge interface is active (I) or inactive (〇). By clicking the slider switch, you can toggle the state of the bridge interface. A new bridge interface is enabled by default.
"Name" – Displays the name of the bridge interface. The name is generated automatically. Bridges are numbered in the order they are created, starting with br0.
"Hardware Address" – Displays the hardware address (MAC address) of the bridge interface.
"Used by" – Displays the network components (e.g. connections, other interfaces, etc.) that use the bridge interface.
"Ports" – Add the ports that the interface will bridge by clicking the input field. You can select any number of VLAN interfaces or other bridge interfaces.
To delete an element from the input field, click to the left of the entry.
The selected ports are displayed in a table at the bottom of the panel.
Note: Bridges cannot be created using interfaces which are already used in another bridge.
"MTU" – Set the maximum size of each packet (in bytes). The Maximum Transmission Unit can be any integer from 64 to 16384.
"Spanning Tree Protocol" – Optional: Select this checkbox to enable the Spanning Tree Protocol. It is disabled by default.
"Priority" – Only available if "Spanning Tree Protocol" is enabled: Set the bridge priority. Enter a multiple of 4096 in the range of 4096 to 61440.
"Hello Interval" – Only available if "Spanning Tree Protocol" is enabled: Set the hello interval (in seconds). Enter any integer from 1 to 10.
"Ports" – This table displays the ports selected in the bridge interface. If "Spanning Tree Protocol" is enabled, the buttons on the right of each entry allow you to configure the "Priority" and the "Cost" for the respective port, and to remove the port from the bridge interface.
The buttons at the bottom right of the editor panel depend on whether you add a new bridge interface or edit an existing bridge. For a newly configured bridge interface, click "Create" to add the bridge to the list of available bridge interfaces or "Cancel" to discard your changes. To edit an existing bridge interface, click "Save" to store the reconfigured bridge or "Reset" to discard your changes. You can click "Close" to shut the editor panel as long as no changes have been made on it.
Click " Activate" in the toolbar at the top of the desktop to apply your configuration changes.
Ethernet Interfaces
The physical "Ethernet Interfaces" receive the following default IP addresses:
192.168.X.254/24 (X being the number of the interface, i.e. the IP address of eth0
is 192.168.0.254).
For more detailed information on Ethernet interfaces, see the following sections.
Ethernet Interfaces Overview
Navigate to "Network > Interfaces > Ethernet Interfaces" to display the list of Ethernet
interfaces that are currently defined on the system in the item list bar.
In the expanded view, the first column of the table displays the "Name" of the Ethernet
interface. The "Status" column shows one of the following status indicators:
● Green – The Ethernet interface is up.
● Gray – The Ethernet interface is disabled.
Furthermore, the "Speed" of the Ethernet interface is displayed. The button in the last
column allows you to view and adjust the settings for an existing Ethernet interface.
For further information, see Chapter 3.2, "Icons and Buttons", on page 21.
Ethernet Interfaces Settings
Under "Network > Interfaces > Ethernet Interfaces", you can display more detailed
information on the available Ethernet interfaces and adjust the settings.
The "Ethernet Interface" panel displays the following information and allows you to
configure the following elements:
Field – Description
"Name" – Displays the name of the Ethernet interface, e.g. eth0.
"Description" – Displays a short description of the Ethernet interface.
"Hardware Address" – Displays the hardware address (Ethernet MAC address) of the Ethernet interface.
"Used by" – Displays the connection that is currently using the Ethernet interface.
"Status" – Displays the status of the Ethernet interface. The status can be one of the following:
● up – The Ethernet interface is enabled.
● disabled – The Ethernet interface is disabled.
"Speed" – Displays the speed (e.g. in Gbit/s) of the Ethernet interface.
"Duplex" – Displays the duplex mode of the interface, e.g. full.
"Type" – Displays the type of wiring connected to the interface, e.g. twisted pair.
I/〇 – A slider switch indicates whether the Ethernet interface link is active (I) or inactive (〇). By clicking the slider switch, you can toggle the state of the Ethernet interface link.
"MTU" – Set the maximum size of each packet (in bytes). The Maximum Transmission Unit can be any integer from 64 to 16384.
If you modify the settings, click "Save" to store your changes or "Reset" to discard
them. Otherwise, click "Close" to shut the editor panel.
Click " Activate" in the toolbar at the top of the desktop to apply your configuration
changes.
PPP Interfaces
Use the "PPP Interfaces" settings to create interfaces using the Point-to-Point Protocol.
For more detailed information on PPP interfaces, see the following sections.
PPP Interfaces Overview
Navigate to "Network > Interfaces > PPP Interfaces" to display the list of PPP interfaces that are currently defined on the system in the item list bar.
In the expanded view, the first column of the table displays the "Name" of the PPP
interface. The "Status" column shows one of the following status indicators:
● Green – The PPP interface is enabled.
● Orange – The PPP interface is disabled.
Furthermore, the "Master Interface" that the PPP interface is associated with is displayed. The buttons in the last column allow you to view and adjust the settings for an
existing PPP interface, create a new PPP interface based on a copy of an existing PPP
interface or delete a PPP interface from the system.
For further information, see Chapter 3.2, "Icons and Buttons", on page 21.
PPP Interfaces Settings
Use the "PPP Interfaces" settings to configure custom PPP interfaces.
Under "Network > Interfaces > PPP Interfaces", you can add a new or edit an existing
PPP interface.
The "PPP Interfaces" panel allows you to configure the following elements:
Field – Description
I/〇 – A slider switch indicates whether the PPP interface is active (I) or inactive (〇). By clicking the slider switch, you can toggle the state of the PPP interface. A new PPP interface is enabled by default.
"Master Interface" – From the drop-down list, select the Ethernet, VLAN or bridge interface that the PPP interface is associated with.
"LCP Echo Interval" – Specify at which interval (in seconds) R&S Unified Firewalls sends an echo request to the peer by entering an integer value from 1 to 1800.
"LCP Echo Failure" – Specify the number of LCP echo failures after which the peer is considered dead by entering an integer value from 0 to 64. If you enter 0, failures are ignored.
"MTU" – Set the maximum size of each packet (in bytes). The Maximum Transmission Unit can be any integer from 64 to 16384.
"MRU" – Specify the Maximum Receive Unit by entering an integer value from 128 to 16384.
The buttons at the bottom right of the editor panel depend on whether you add a new
PPP interface or edit an existing interface. For a newly configured PPP interface, click
"Create" to add it to the list of available PPP interfaces or "Cancel" to discard your
changes. To edit an existing PPP interface, click "Save" to store the reconfigured interface or "Reset" to discard your changes. You can click "Close" to shut the editor panel
as long as no changes have been made on it.
Click " Activate" in the toolbar at the top of the desktop to apply your configuration
changes.
VLAN Interfaces
Use the "VLAN Interfaces" settings to add custom Virtual Local Area Network tags to
all traffic on a given interface.
This method can be used to create »virtual interfaces« that allow you to put several
logical network zones on one physical interface. When a VLAN tag is associated with a
network interface, the tag is added to all outgoing packets that are sent via this virtual
interface and stripped from the incoming packets that are received on this VLAN. Several VLANs may be associated with each network interface. Packets with different tags
can be processed and associated with the corresponding interface.
For more detailed information on VLAN interfaces, see the following sections.
VLAN Interfaces Overview
Navigate to "Network > Interfaces > VLAN Interfaces" to display the list of VLAN interfaces that are currently defined on the system in the item list bar.
In the expanded view, the first column of the table displays the "Name" of the VLAN
interface. The "Status" column shows one of the following status indicators:
● Green – The VLAN interface is enabled.
● Orange – The VLAN interface is disabled.
Furthermore, the "Master Interface" that the virtual local area network is associated
with and the "VLAN Tag" are displayed. The buttons in the last column allow you to
view and adjust the settings for an existing virtual local area network, create a new
VLAN interface based on a copy of an existing virtual local area network or delete a
VLAN interface from the system.
For further information, see Chapter 3.2, "Icons and Buttons", on page 21.
VLAN Interfaces Settings
Use the "VLAN Interfaces" settings to configure custom Virtual Local Area Network
tags to be added to all traffic on a given interface.
Under "Network > Interfaces > VLAN Interfaces", you can add a new or edit an existing
virtual local area network.
The "VLAN Interface" panel displays the following information and allows you to configure the following elements:
Field – Description
I/〇 – A slider switch indicates whether the VLAN interface is active (I) or inactive (〇). By clicking the slider switch, you can toggle the state of the VLAN interface. A new VLAN interface is enabled by default.
"Name" – Displays the name of the VLAN interface. The name is generated automatically and contains the "VLAN Tag" and the underlying "Master Interface".
"Used by" – Displays the network components (e.g. connections, other interfaces etc.) that use the VLAN interface.
"Master Interface" – For newly added VLAN interfaces only: From the drop-down list, select the Ethernet or Bridge interface that the virtual local area network is associated with.
For edited VLAN interfaces only: Displays the Ethernet or Bridge interface that the virtual local area network is associated with.
"VLAN Tag" – Enter the VLAN tag (VLAN ID) to be applied to the traffic. The tag can be any integer from 1 to 4094.
"MTU" – Set the maximum size of each packet (in bytes). The Maximum Transmission Unit is limited to the MTU value of the underlying master interface.
Note: Due to a kernel restriction, the maximum MTU value is limited by the Maximum Transmission Unit value of the underlying interface.
The buttons at the bottom right of the editor panel depend on whether you add a new VLAN interface or edit an existing virtual local area network. For a newly configured VLAN interface, click "Create" to add the VLAN to the list of available virtual local area network interfaces or "Cancel" to discard your changes. To edit an existing VLAN interface, click "Save" to store the reconfigured VLAN or "Reset" to discard your changes. You can click "Close" to shut the editor panel as long as no changes have been made on it.
Click " Activate" in the toolbar at the top of the desktop to apply your configuration changes.
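What a VLAN interface does on the wire, as an added example that is neither from the manual nor the firewall's own implementation: it tags outgoing frames, strips the tag from incoming ones and hands each incoming frame to the VLAN interface that owns its tag, using the IEEE 802.1Q header layout. The frame bytes, tags and interface names (eth1, eth1.10, eth1.20) are constructed sample data.

```python
import struct
from typing import Dict, Optional, Tuple

TPID_8021Q = 0x8100            # EtherType value that announces an 802.1Q tag


def check_vlan_tag(tag: int) -> int:
    """The VLAN Tag field accepts 1..4094; 802.1Q reserves 0 and 4095."""
    if not 1 <= tag <= 4094:
        raise ValueError(f"VLAN tag {tag} is outside 1..4094")
    return tag


def add_vlan_tag(frame: bytes, tag: int, pcp: int = 0) -> bytes:
    """Outgoing direction: insert the 4-byte tag (TPID + TCI) between the
    destination/source MAC pair and the original EtherType."""
    tci = ((pcp & 0x7) << 13) | check_vlan_tag(tag)      # DEI bit left clear
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_vlan_tag(frame: bytes) -> Tuple[Optional[int], bytes]:
    """Incoming direction: return (tag, untagged frame); (None, frame) if untagged."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        return tci & 0x0FFF, frame[:12] + frame[16:]
    return None, frame


def deliver(frame: bytes, master: str, vlans: Dict[int, str]) -> Tuple[Optional[str], bytes]:
    """Associate an incoming frame with the interface that owns its tag.
    Untagged frames belong to the master interface itself; a tag that no
    VLAN interface on this master is configured for yields None (dropped),
    so a frame cannot reach a zone merely by carrying an unexpected tag."""
    tag, untagged = strip_vlan_tag(frame)
    if tag is None:
        return master, untagged
    return vlans.get(tag), untagged


# Constructed sample frame: dst MAC, src MAC, EtherType IPv4, dummy payload.
SAMPLE_FRAME = (bytes.fromhex("0a1b2c3d4e5f") + bytes.fromhex("0a1b2c3d4e60")
                + b"\x08\x00" + b"sample-payload")
# Constructed VLAN interfaces on master eth1. The names are hypothetical; the
# manual only says the generated name contains the tag and the master interface.
VLANS_ON_ETH1 = {10: "eth1.10", 20: "eth1.20"}

if __name__ == "__main__":
    tagged = add_vlan_tag(SAMPLE_FRAME, 10)
    print(tagged[12:16].hex())                      # 8100000a
    print(deliver(tagged, "eth1", VLANS_ON_ETH1)[0])  # eth1.10
```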
WLAN (Wireless LAN) Interfaces
All R&S Unified Firewalls models can be enhanced with a wireless USB flash drive to
create a wireless access point in your network (see also Chapter 3.4.3.8, "WLAN Set-
tings", on page 94).
Use the "WLAN Interfaces" settings to configure interfaces that can be used in WLAN
connections.
For more detailed information on WLAN interfaces, see the following sections.
WLAN Interfaces Overview
Navigate to "Network > Interfaces > WLAN Interfaces" to display the list of WLAN interfaces that are currently defined on the system in the item list bar.
In the expanded view, the first column of the table displays the "Name" of the WLAN
interface. The "Status" column shows one of the following status indicators:
● Green – The WLAN interface is enabled.
● Orange – The WLAN interface is disabled.
The button in the last column allows you to view and adjust the settings for an existing
WLAN interface.
For further information, see Chapter 3.2, "Icons and Buttons", on page 21.
WLAN Interfaces Settings
Use the "WLAN Interfaces" settings to configure an interface that can be used in a
WLAN connection.
Under "Network > Interfaces > WLAN Interfaces", you can view and edit an existing
WLAN interface.
The "WLAN Interface" panel displays the following information and allows you to configure the following elements:
Field – Description
I/〇 – A slider switch indicates whether the WLAN interface is active (I) or inactive (〇). By clicking the slider switch, you can toggle the state of the WLAN interface.
"Name" – Displays the name of the WLAN interface: wlan0. The name is automatically generated.
"Device Status" – Displays the status of the device. The status can be one of the following:
● Plugged – A wireless USB flash drive is connected to R&S Unified Firewalls.
● Unplugged – No wireless USB flash drive has been connected to your firewall yet, or a previously connected wireless USB flash drive has been disconnected from R&S Unified Firewalls.
"Hardware Address" – Displays the hardware address (Ethernet MAC address) of the physical interface that the wireless USB flash drive is connected to.
"Used by" – Displays the connection that uses the WLAN interface.
"MTU" – Set the maximum size of each packet (in bytes). The Maximum Transmission Unit can be any integer from 64 to 16384.
Note: Due to a kernel restriction, the maximum MTU value is limited by the Maximum Transmission Unit value of the underlying interface.
The buttons at the bottom right of the editor panel allow you to shut ("Close") the editor panel as long as no changes have been made and to store ("Save") or to discard ("Reset") your changes.
Click " Activate" in the toolbar at the top of the desktop to apply your configuration changes.
3.4.3.6 Quality of Service (QoS)
Under "Network > QoS" you can set up Quality of Service for your Internet connections, in other words, for the network and PPP connections for which you configured a
default gateway.
Quality of Service (QoS) prioritizes the processing of queued network packets in
R&S Unified Firewalls based on Type of Service (ToS) flags. This way, performance-critical applications like Voice over IP (RTP) can be prioritized.
A precondition for Quality of Service is that applications or devices (such as VoIP telephone systems) set the ToS field in IP data packets. R&S Unified Firewalls then sorts
the packets based on the value of the ToS field and assigns them to several queues
with different priorities. Data packets from the queue with the highest priority are forwarded immediately. Data packets from queues with lower priority are only forwarded
when all the queues with higher priority have been emptied.
QoS Settings
Navigate to "Network > QoS > QoS Settings" to open an editor panel to view, activate
and adjust the Quality of Service settings.
The "QoS Settings" panel allows you to configure the following elements:
Field – Description
I/〇 – A slider switch indicates whether Quality of Service is active (I) or inactive (〇). By clicking the slider switch, you can toggle the state of QoS.
"QoS Services" – Enter a "Service" for which you want to activate QoS. Specify the hexadecimal "Value" of the ToS field which defines the application or the device for the service. Click to add the service to the list. You can edit or delete single entries in the list by clicking the corresponding button next to an entry. For further information, see Chapter 3.2, "Icons and Buttons", on page 21.
Note: If you edit an entry, a check mark appears on the right of the entry. Click the check mark to apply your changes.
Click / or drag and drop an entry to change the priority of the services. The service which is listed first in the list has the highest priority.
The buttons at the bottom right of the editor panel allow you to shut ("Close") the editor panel as long as no changes have been made and to store ("Save") or to discard ("Reset") your changes.
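The ToS-driven queueing that the QoS section describes (one queue per configured service, list order = priority, lower queues served only once the higher ones are empty), as an added example that is neither from the manual nor the firewall's own implementation. The service list, its hexadecimal ToS values and the packets are constructed sample data.

```python
from collections import deque
from typing import Deque, Dict, List, Optional, Tuple


def parse_tos(value: str) -> int:
    """Parse the hexadecimal "Value" entered for a QoS service (00..FF)."""
    tos = int(value, 16)
    if not 0 <= tos <= 0xFF:
        raise ValueError(f"ToS value {value!r} is outside 0..FF")
    return tos


class QosScheduler:
    """One queue per configured service, in list order (first = highest
    priority), plus a lowest-priority default queue for unmatched ToS values."""

    def __init__(self, services: List[Tuple[str, str]]):
        self.names = [name for name, _ in services] + ["default"]
        self.rank: Dict[int, int] = {parse_tos(tos): i for i, (_, tos) in enumerate(services)}
        self.queues: List[Deque[dict]] = [deque() for _ in self.names]

    def enqueue(self, packet: dict) -> str:
        """Sort an arriving packet into its queue by ToS; returns the queue name."""
        idx = self.rank.get(packet["tos"], len(self.queues) - 1)
        self.queues[idx].append(packet)
        return self.names[idx]

    def dequeue(self) -> Optional[dict]:
        """Forward from the highest-priority non-empty queue. A lower queue is
        only served once every queue above it has been emptied."""
        for queue in self.queues:
            if queue:
                return queue.popleft()
        return None

    def drain(self) -> List[str]:
        """Forward everything and report the order in which packets left."""
        order = []
        while (pkt := self.dequeue()) is not None:
            order.append(pkt["id"])
        return order


# Constructed service list in priority order. 0xB8 is the ToS byte carrying
# DSCP EF, the marking commonly used for RTP voice; the others are arbitrary.
SERVICES = [("VoIP (RTP)", "B8"), ("Video", "80"), ("Bulk transfer", "08")]


def demo_forwarding_order() -> List[str]:
    """Arrival order deliberately differs from priority order."""
    sched = QosScheduler(SERVICES)
    for pkt in [{"id": "bulk-1", "tos": 0x08}, {"id": "voip-1", "tos": 0xB8},
                {"id": "unmarked-1", "tos": 0x00}, {"id": "video-1", "tos": 0x80},
                {"id": "voip-2", "tos": 0xB8}]:
        sched.enqueue(pkt)
    return sched.drain()   # ['voip-1', 'voip-2', 'video-1', 'bulk-1', 'unmarked-1']


def demo_late_arrival() -> List[str]:
    """A high-priority packet arriving while lower queues still hold data is forwarded next."""
    sched = QosScheduler(SERVICES)
    sched.enqueue({"id": "bulk-1", "tos": 0x08})
    sched.enqueue({"id": "bulk-2", "tos": 0x08})
    first = sched.dequeue()["id"]                    # only bulk traffic is queued
    sched.enqueue({"id": "voip-1", "tos": 0xB8})
    return [first, sched.dequeue()["id"], sched.dequeue()["id"]]   # bulk-1, voip-1, bulk-2
```

Because the ToS byte is written by the sending host, the scheduler trusts whatever marking arrives: a client that marks bulk traffic with the VoIP value gets VoIP priority, which is worth bearing in mind when deciding for which connections QoS is enabled.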
QoS Connections
The "Connections" settings allow you to configure Quality of Service connections.
The QoS connections configured here take effect only if Quality of Service has been
activated for Internet connections. For more information, see "QoS Settings"
on page 89.
For more detailed information on QoS connections, see the following sections.
QoS Connections Overview
Navigate to "Network > QoS > Connections" to display the list of QoS connections that
are currently defined on the system in the item list bar.
In the expanded view, the columns of the table display the "Name" of the connection as
well as the configured "Download" and "Upload" bandwidth thresholds. The buttons in
the last column allow you to view and adjust the settings for an existing QoS connection or delete a connection from the system.
For further information, see Chapter 3.2, "Icons and Buttons", on page 21.
QoS Connections Settings
The "QoS Connection" settings allow you to configure the following elements for a
Quality of Service connection:
Field – Description
"Internet Connection" – From the drop-down list, select the Internet connection for which you want to set up Quality of Service.
"Download Rate"/"Upload Rate" – To ensure Quality of Service, enter the bandwidth thresholds to be reserved for QoS services using this QoS connection. The two input fields determine the maximum bandwidth (in kilobits per second) for download and upload. If you set both fields to 0, Quality of Service is not applied for this QoS connection.
The buttons at the bottom right of the editor panel depend on whether you add a new QoS connection or edit an existing connection. For a newly configured QoS connection, click "Create" to add the connection to the list of available QoS connections or "Cancel" to reject the creation of a new QoS connection. To edit an existing QoS connection, click "Save" to store the reconfigured connection or "Reset" to discard your changes. You can click "Close" to shut the editor panel as long as no changes have been made on it.
3.4.3.7 Routing
Use the "Routing" settings to configure routing tables and routing rules.
The routing settings allow you to define custom routes that are used to reach devices on a given destination network.
Routes between network objects are created automatically and hidden. You should not normally need to create routes unless you have an upstream router that requires special routes. To influence traffic between network objects, create a firewall rule as described under Chapter 3.3, "Firewall Rule Settings", on page 23.
Routing Rules
Routing rules specify which packets are managed by which routing table. This allows
for more differentiated routing as routing rules include more fields of the IP header in
the routing decision, whereas routing tables only consider the destination IP address.
Routing Rules Overview
Navigate to "Network > Routing Rules" to display the list of routing rules that are currently defined on the system.
The plus button above the filter settings allows you to add new routing rules.
The "Filter Settings" allow you to narrow down the list of results in the table to display
only entries that include a certain search string. You can filter the contents by selecting
the required options from the drop-down list and/or entering search strings in the
respective input fields. Click "Apply" to apply the selected filter options. The list of routing rules is adjusted to reflect your filter results. Click "Reset" to delete the selected filter options and display an unfiltered view of the list of routing rules.
The table columns of the routing rules list display the priority of the routing rule, the
selectors that can be used to define which traffic should be routed where and whether
it is a system rule or not. The buttons in the last column allow you to view and adjust
the settings of a routing rule or delete a rule from the system.
For further information, see Chapter 3.2, "Icons and Buttons", on page 21.
System routing rules cannot be modified or deleted.
To close the "Routing Rules" panel, click in the upper right corner of the panel.
Routing Rules Settings
Under "Network > Routing Rules", you can add a new or edit an existing routing rule.
The "Routing Rule" settings allow you to configure the following elements:
Field – Description
"Priority" – Set the priority of the routing rule by entering an integer value from 64 to 32767 for custom rules. The rules are sorted by priority in ascending order. This means the system runs through the rules list starting with the system rule with priority 0 until all selectors in a rule match the packet. The action of this rule is then carried out.
"Source Subnet" – Optional: Enter the IP address of the source subnet in CIDR notation (IP address followed by a slash »/« and the number of bits set in the subnet mask, for example 192.168.50.0/24).
"Destination Subnet" – Optional: Enter the IP address of the destination subnet in CIDR notation (IP address followed by a slash »/« and the number of bits set in the subnet mask, for example 192.168.50.0/24).
"Input Interface" – Optional: Select one of the interfaces defined on R&S Unified Firewalls as the input interface.
"Output Interface" – Optional: Select one of the interfaces defined on R&S Unified Firewalls as the output interface.
"TOS" – Optional: Specify the Type of Service value by entering a hexadecimal number from 0 to FF.
"Action" – Specify the rule action:
● "Goto" – Enter the "Priority" of another routing rule. If a packet matches the selectors in the rule, it goes to the rule with the specified goto priority.
● "Table" – Enter the number of a routing table. If a packet matches the selectors in the rule, it runs through the specified routing table. If one of the routes in the table matches the packet, it is routed accordingly. Otherwise, the packet continues to run through the routing rules list.
The parameter entered here is displayed in the "Action Parameter" table column of the routing rules list (for more information, see "Routing Rules Overview" on page 91).
If you specify none of the selectors, the entire traffic matches the rule.
The buttons at the bottom right of the editor panel depend on whether you add a new
routing rule or edit an existing rule. For a newly configured routing rule, click "Create"
to add the rule to the list of available routing rules or "Cancel" to reject the creation of
the new rule. To edit an existing rule, click "Save" to store the reconfigured rule or
"Reset" to discard your changes. You can click "Close" to shut the editor panel as long
as no changes have been made on it.
Routing Tables
Routing tables route packets through the network based on the destination IP address.
For more detailed information on routing tables, see the following sections.
Routing Tables Overview
Navigate to "Network > Routing > Routing Tables" to display the list of routing tables
that are currently defined on the system in the item list bar.
Deselect the "Show configurable tables only" checkbox to display all tables on the system. Otherwise, only tables that can be edited are displayed.
The following tables are preset on the system:
● Table 254 is the main routing table. You can add custom routes to this table. The entries are then adopted for all existing routing tables.
● Table 255 contains local routes for all configured interfaces.
● Tables 1 to 63 are reserved for the management of the Internet connections.
● Tables 64 to 250 are reserved for routes with a source address and appear with a source IP address during the set-up of routes.
● Table 293 is reserved for the transparent proxy.
In the expanded view, the columns of the table display the name of the routing table.
The buttons in the last column allow you to view and adjust the settings for an existing
routing table or delete a table from the system.
For further information, see Chapter 3.2, "Icons and Buttons", on page 21.
Routing Tables Settings
The "Routing Tables" settings allow you to add a new or edit existing routing tables.
The "Routing Table" settings allow you to configure the following elements:
Field – Description
"Table Number" – Enter an ID for the routing table. Custom routing tables receive the ID 512 or higher. You must configure routing rules pointing to custom routing tables, otherwise those tables are not used (see "Routing Rules" on page 91).
"Routes" – This table displays the custom routes that are specified in the routing table. Click "Add" to open the "Edit Route" panel and define a new route. You can edit or delete single entries in the list by clicking the corresponding button next to an entry.
The "Edit Route" panel allows you to configure the following elements:
Field – Description
"Destination" – Enter the IP address of the destination network in CIDR notation (IP address followed by a slash »/« and the number of bits set in the subnet mask, for example 192.168.50.0/24).
"Interface" – Select an interface for the route.
"Gateway" – Enter an IP address as the gateway for this route. Traffic from the source zone to the destination network will be routed using this gateway (rather than the standard gateway).
"Type" – Select the address type from the drop-down list.
"Preferred Source" – Only packets with the selected sender address will be routed.
"Metric" – Define the costs for the route. The value entered here concerns routing protocols. A higher metric means the route is considered costly and is less likely to be chosen.
Click "OK" to save the route settings and return to the "Routing Table" panel.
The buttons at the bottom right of the editor panel depend on whether you add a new routing table or edit an existing table. For a newly configured routing table, click "Create" to add the table to the list of available routing tables or "Cancel" to discard your changes. To edit an existing routing table, click "Save" to store the reconfigured table or "Reset" to discard your changes. You can click "Close" to shut the editor panel as long as no changes have been made on it.
3.4.3.8 WLAN Settings
All R&S Unified Firewalls models can be enhanced with a wireless USB flash drive to
create a wireless access point in your network.
Connect a compatible wireless USB adapter to the USB port of your R&S Unified Firewalls to configure a wireless access point. A successful configuration allows wireless
clients to connect to this access point to join the wireless local area network (WLAN).
Navigate to "Network > WLAN Settings" to display and edit the WLAN settings of your
R&S Unified Firewalls.
The "WLAN Settings" panel allows you to configure the following elements:
Field – Description
I/〇 – A slider switch indicates whether the WLAN is active (I) or inactive (〇). By clicking the slider switch, you can toggle the state.
"Device Status" – Displays the status of the device. The status can be one of the following:
● Plugged – A wireless USB flash drive is connected to R&S Unified Firewalls.
● Unplugged – A previously connected wireless USB flash drive has been disconnected from R&S Unified Firewalls.
"License" – Displays your license information.
"Mode" – From the drop-down list, select the communication specifications according to IEEE 802.11. The mode can be one of the following:
● a – up to 54 Mbit/s, 5 GHz
● an – up to 300 Mbit/s, 5 GHz
● b – up to 11 Mbit/s, 2.4 GHz
● g – up to 54 Mbit/s, 2.4 GHz (default setting)
● gn – up to 300 Mbit/s, 2.4 GHz
"Country Code" – From the drop-down list, select the correct two-letter code for your country. The set default value is the standard country code 00 which is compatible with all countries.
"SSID" – Enter an identifier for the WLAN.
"Show SSID" – Optional: Select this checkbox if you want the SSID to be visible to the public.
"Encryption Mode" – From the drop-down list, select the desired encryption mode. The mode can be one of the following:
● WPA
● WPA2
● WPA+WPA2 (default setting)
"Encryption Protocol" – From the drop-down list, select one of the following encryption protocols to be used:
● TKIP – Temporal Key Integrity Protocol
● CCMP – Counter Mode/CBC-MAC Protocol
● TKIP+CCMP – a combination of the two methods above
"Preshared Key" – Enter the pre-shared key to be used for encryption. Clients need to supply this password in order to establish a secured connection to R&S Unified Firewalls.
On the "Advanced" tab:
FieldDescription
"HT Mode"If you selected an or gn as the communication mode, you can now select the
channel width from the drop-down list:
Disabled
●
●
[HT-40] - 40MHz below the selected channel for the channels 5 to 13 in
mode g
●
[HT40+] - 40MHz above the selected channel for the channels 1 to 9 in
mode g
For the remaining communication modes, this field is disabled and set to 20 by
default.
"Channel Number/
Frequency"
"Transmit Power"Specify the transmit power (in decibel-milliwatts) to be used. The value can be
From the drop-down list, select the channel number (frequency). The options
available for selection depend on the chosen communication mode and on the
selected country code.
any integer from 1 to the maximum transmit power. It is set to 20 dBm by
default.
"Access Point Station
Isolation"
"Log Level"Define the log level from level 0 to 4.
Optional: Select this checkbox to prevent the clients from communicating
directly with each other.
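As an added example (not code from the manual or from the product), the following Python check validates one WLAN profile against the option sets and constraints that the "General" and "Advanced" tabs describe, and flags the settings a security reviewer would want changed (TKIP permitted, WPA (v1) accepted, station isolation off). The WlanProfile class, the audit function and the 20 dBm device maximum are assumptions made here.

```python
from dataclasses import dataclass

# Option sets as listed on the "General" and "Advanced" tabs of the WLAN editor.
MODES = {"a", "an", "b", "g", "gn"}
ENCRYPTION_MODES = {"WPA", "WPA2", "WPA+WPA2"}
ENCRYPTION_PROTOCOLS = {"TKIP", "CCMP", "TKIP+CCMP"}
HT_MODES = {"Disabled", "HT-40", "HT40+"}
HT_CHANNELS = {"HT-40": range(5, 14), "HT40+": range(1, 10)}  # 2.4 GHz ranges given in the manual
MAX_TX_POWER_DBM = 20  # assumption: device maximum; the manual only says "the maximum transmit power"

@dataclass
class WlanProfile:  # hypothetical model of one WLAN editor form
    mode: str = "g"
    ssid: str = ""
    encryption_mode: str = "WPA+WPA2"
    encryption_protocol: str = "TKIP+CCMP"
    preshared_key: str = ""
    ht_mode: str = "Disabled"
    channel: int = 1
    transmit_power_dbm: int = 20
    station_isolation: bool = False

def audit(p: WlanProfile) -> list[str]:
    """Return validation errors and security findings; an empty list means valid and WPA2/CCMP only."""
    out = []
    for name, value, allowed in (("mode", p.mode, MODES),
                                 ("encryption mode", p.encryption_mode, ENCRYPTION_MODES),
                                 ("encryption protocol", p.encryption_protocol, ENCRYPTION_PROTOCOLS),
                                 ("HT mode", p.ht_mode, HT_MODES)):
        if value not in allowed:
            out.append(f"invalid {name} {value!r}")
    if p.ht_mode in HT_CHANNELS:  # a 40 MHz channel width was requested
        # 40 MHz is selectable only for the an and gn modes; the others are fixed at 20 MHz.
        if p.mode not in ("an", "gn"):
            out.append(f"{p.ht_mode} requires mode an or gn")
        elif p.mode == "gn" and p.channel not in HT_CHANNELS[p.ht_mode]:  # 2.4 GHz only
            out.append(f"channel {p.channel} is not valid for {p.ht_mode}")
    if not 1 <= p.transmit_power_dbm <= MAX_TX_POWER_DBM:
        out.append(f"transmit power {p.transmit_power_dbm} dBm outside 1..{MAX_TX_POWER_DBM}")
    if not p.ssid or not p.preshared_key:
        out.append("SSID and pre-shared key must both be set")
    # Security findings (general 802.11 guidance, not from the manual): TKIP is deprecated; prefer WPA2 with CCMP only.
    if "TKIP" in p.encryption_protocol:
        out.append("TKIP permitted: select CCMP only")
    if p.encryption_mode != "WPA2":
        out.append("WPA (v1) clients accepted: select WPA2 only")
    if not p.station_isolation:
        out.append("station isolation disabled: clients can reach each other directly")
    return out
```

With the manual's default settings (g, WPA+WPA2, TKIP+CCMP, isolation off) the audit reports three findings; a profile with WPA2, CCMP and station isolation enabled reports none.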
On the "MAC Filter" tab:
95User Manual 3646.4026.02 ─ 02
Page 96
R&S®Unified Firewalls
FieldDescription
"MAC Filter Mode"Use the MAC filter to determine whether a wireless device is to be granted
"MAC Addresses"Enter MAC addresses to be applied when filtering and click "Add" after each
The buttons at the bottom right of the editor panel allow you to shut ("Close") the editor
panel as long as no changes have been made and to store ("Save") or to discard
("Reset") your changes.
3.4.4Desktop
User Interface
Menu Reference
access to the WLAN. The default setting is "Disabled" which means that no filtering is performed, but you can adjust the settings to one of the following values as necessary:
●
"Blacklist" – The specified MAC addresses and, therefore, clients are
blocked.
●
"Whitelist" – The specified MAC addresses and, therefore, clients are granted access to the network.
entry. You can edit or delete single entries in the list by clicking the corresponding button next to an entry.
The " Desktop" settings display a list of all available services and the firewall rules
defined in the system.
3.4.4.1 Desktop Connections
Navigate to "Desktop > Desktop Connections" to display and edit the connections
between various desktop objects that are defined on the system.
Desktop Connections Overview
In the expanded view, the columns of the table display the nodes of the desktop connection. The buttons in the last column allow you to view and adjust the settings for an
existing desktop connection, create a connection based on a copy of an existing desktop connection or delete a connection from the system.
For further information, see Chapter 3.2, "Icons and Buttons", on page 21.
Copied desktop connections are always set up between the same nodes as the original.
Desktop Connections Settings
When you edit a desktop connection, the "Connection" panel opens. Under "Description", you can enter additional information regarding the desktop connection for internal
use.
On the "Rules" tab, you can modify the rule set for this connection. For further information on creating firewall rules, see Chapter 3.3, "Firewall Rule Settings", on page 23.
The "URL / Content Filter" tab allows you to configure the URL and content filter for
this connection:
Field – Description
"Block all by default" – Select this checkbox to add all URL filters that are currently defined on the system to the blacklist and to select all content filters.
"Name" – Displays the name of the URL and content filter.
"URL Filter Black"/"White" – Add the URLs in the respective filters to the blacklist or whitelist by clicking the corresponding checkboxes.
"Content Filter" – Select the content filters by clicking the corresponding checkboxes.
"Schedule" – Displays whether the filter is always active, always inactive or active on a customized time schedule. Click the entry to modify the schedule.
If you have created application filter profiles as described in Chapter 3.4.5.2, "Application Filter", on page 117, you can enable or disable the application filter for this desktop connection. On the "Application Filter" tab, you can set the "Mode" of the application filter to "Blacklist" or "Whitelist" or disable the application filter for each selected profile by selecting the respective radio button.
The buttons at the bottom right of the editor panel allow you to shut ("Close") the editor
panel as long as no changes have been made and to store ("Save") or to discard
("Reset") your changes.
Click " Activate" in the toolbar at the top of the desktop to apply your configuration
changes.
For further information on URL and content filters and the application filter, see Chap-
ter 3.4.5.7, "URL/Content Filter", on page 128 and Chapter 3.4.5.2, "Application Filter",
on page 117.
3.4.4.2 Desktop Objects
Use the "Desktop Objects" settings to organize your network by setting up single and
group objects for hosts, users, networks, VPN and IP ranges. The created objects are
displayed as nodes on the desktop and can be used as sources and/or destinations in
connections to apply firewall rules.
The item list bar displays an overview of all desktop objects, subdivided into types of
desktop objects, that are currently defined on the system. When you click an entry in
the item list bar, the system highlights the respective desktop object and all connections which use this object on the desktop.
To create a desktop object, click the button at the top of the respective section in the
item list bar. Alternatively, click the respective desktop object icon in the toolbar at the
top of the desktop.
For further information, see Chapter 3.2, "Icons and Buttons", on page 21.
The sections below provide further information on the various types of desktop objects.
Host/Network Groups
Create desktop objects for host and network groups that can be used to create connections between multiple hosts or networks and other desktop objects (such as VPN
objects, etc.). Host and network groups can be used as sources and/or destinations to
apply firewall rules and web filters to multiple computers.
Host/Network Groups Overview
Navigate to "Desktop > Desktop Objects > Host/Network Groups" to display the list of
host and network group objects that are currently defined on the system in the item list
bar.
In the expanded view, the table displays the "Name" of the host or network group
object. The buttons in the last column allow you to view and adjust the settings for an
existing host or network group object, create a group object based on a copy of an
existing host or network group object or delete a group object from the system.
For further information, see Chapter 3.2, "Icons and Buttons", on page 21.
Host/Network Groups Settings
The "Host/Network Group" settings allow you to configure the following elements:
Field – Description
"Name" – Specify a name for the host or network group object.
"Description" – Optional: Enter additional information on the host or network group object for internal use.
"Tags" – Optional: From the drop-down list, select the desktop tags that you want to assign to the host or network group object. For further information, see Chapter 3.4.4.4, "Desktop Tags", on page 110.
"Color" – Select the color to be used for this object on the desktop.
"Hosts/Networks" – Specify the hosts or networks that you want to add to the host or network group object. Define the "Name", whether login is allowed, the "Interface", and the IP address of the host or network. Click "Add" to add a host or network to the list. You can edit or delete single entries in the list by clicking the corresponding button next to an entry. For further information, see Chapter 3.2, "Icons and Buttons", on page 21.
Note: If you edit an entry, a check mark appears on the right of the entry. Click the check mark to apply your changes.
The buttons at the bottom right of the editor panel depend on whether you add a new
host or network group object or edit an existing object. For a newly configured object,
click "Create" to add the object to the list of available host and network groups or "Cancel" to discard your changes. To edit an existing object, click "Save" to store the reconfigured object or "Reset" to discard your changes. You can click "Close" to shut the editor panel as long as no changes have been made on it.
Click "
changes.
Activate" in the toolbar at the top of the desktop to apply your configuration
Hosts
Create a host object that can be used to create connections between the host and
other desktop objects (such as VPN objects etc.). A host (for example a printer or a
VoIP phone) can be assigned a dedicated IP address so that firewall rules can be specifically applied to it. For further information on creating firewall rules, see Chapter 3.3,
"Firewall Rule Settings", on page 23.
Hosts Overview
Navigate to "Desktop > Desktop Objects > Hosts" to display the list of host objects that
are currently defined on the system in the item list bar.
In the expanded view, the columns of the table display the "Name" and the "IP" of the
host object as well as the interface it is connected to. The buttons in the last column
allow you to view and adjust the settings for an existing host object, create an object
based on a copy of an existing host object or delete an object from the system.
For further information, see Chapter 3.2, "Icons and Buttons", on page 21.
Hosts Settings
The "Host" settings allow you to configure the following elements:
Field – Description
"Name" – Specify a name for the host object.
"Description" – Optional: Enter additional information on the host object for internal use.
"Tags" – Optional: From the drop-down list, select the desktop tags that you want to assign to the host object. For further information, see Chapter 3.4.4.4, "Desktop Tags", on page 110.
"Color" – Select the color to be used for this object on the desktop.
"Allow login" – Select this checkbox to allow the user to log on to R&S Unified Firewalls using the IP address of this host object. This allows your R&S Unified Firewalls to apply user-specific firewall rules to the user currently logged on.
"Icon" – Select an icon to represent the host on the desktop.
"Connected to" – Select an interface that the host is connected to.
"IP Address" – Enter the IP address of the host object.
The buttons at the bottom right of the editor panel depend on whether you add a new
host object or edit an existing object. For a newly configured object, click "Create" to
add the object to the list of available host objects or "Cancel" to discard your changes.
To edit an existing object, click "Save" to store the reconfigured object or "Reset" to discard your changes. You can click "Close" to shut the editor panel as long as no
changes have been made on it.
Click " Activate" in the toolbar at the top of the desktop to apply your configuration
changes.
Internet Objects
Create Internet objects for your Internet connections. Internet objects are used to create connections between other desktop objects (such as VPN objects) and the Internet.
Internet Objects Overview
Navigate to "Desktop > Desktop Objects > Internet Objects" to display the list of Internet objects that are currently defined on the system in the item list bar.
In the expanded view, the table displays the "Object Name" of the Internet object. The
buttons in the last column allow you to view and adjust the settings for an existing
Internet object, create an object based on a copy of an existing Internet object or
delete an object from the system.
For further information, see Chapter 3.2, "Icons and Buttons", on page 21.
Internet Objects Settings
The "Internet Object" settings allow you to configure the following elements:
Field – Description
"Object Name" – Specify a name for the Internet object.
"Description" – Optional: Enter additional information on the Internet object for internal use.
"Tags" – Optional: From the drop-down list, select the desktop tags that you want to assign to the Internet object. For further information, see Chapter 3.4.4.4, "Desktop Tags", on page 110.
"Color" – Select the color to be used for this object on the desktop.
"Connections" – Select the Internet connection(s) that this object is part of. For further information, see "Network Connections Settings" on page 69.
The buttons at the bottom right of the editor panel depend on whether you add a new
Internet object or edit an existing object. For a newly configured object, click "Create"
to add the object to the list of available Internet objects or "Cancel" to discard your
changes. To edit an existing object, click "Save" to store the reconfigured object or
"Reset" to discard your changes. You can click "Close" to shut the editor panel as long
as no changes have been made on it.
Click " Activate" in the toolbar at the top of the desktop to apply your configuration
changes.
For information on how to create an Internet object, see "Creating an Internet Object"
on page 14.
IP Ranges
Create an IP address range object to group hosts by indicating a start and end IP
address. If a DHCP server is configured for the selected interface, you can also use
the address range of the DHCP server.