The gateprotect Firewall User Manual describes the innovative next-generation firewall
solution from Rohde & Schwarz Cybersecurity. gateprotect Firewall integrates firewall,
intrusion prevention, application control, web filtering, malware protection and many
more functions in a single system.
This document applies to two gateprotect Firewall product lines:
● Extended Line - Easy to configure - the firewall solution for complex office networks in medium-sized companies
● Specialized Line - Easy to customize - the perfectly tailored solution that meets the high demands of complex network structures in industry and enterprise environments
There are license-based features that distinguish individual product models within the
two product lines from one another. For more information about your specific gateprotect Firewall, see the information on the relevant data sheet.
See the topics below for more information about this document.
1.1 Audience
This manual is for the networking or computer technician responsible for installing and
configuring gateprotect Firewall and employees that use the web interface to define
traffic filtering rules.
To use this document effectively, you need the following skills, depending on your responsibilities:
● To install and configure the hardware, you have to be familiar with telecommunications equipment and installation procedures. You also need solid experience as a network or system administrator.
● To define filtering rules, you need to understand basic TCP/IP networking concepts.
User Manual v16.2.1 ─ 01
R&S®GP-E/GP-S
1.2 What’s in This Manual
The contents of this manual are designed to assist you in installing and configuring
gateprotect Firewall.
This document includes the following chapters and appendixes:
1. Chapter 2, "Getting Started", on page 13
Log on to gateprotect Firewall to set up the system for your network.
2. Chapter 3, "User Interface", on page 17
The sections in this chapter describe the components of the gateprotect Firewall
user interface.
3. Chapter 4, "Application Examples", on page 129
This chapter includes various examples that illustrate how to use firewall rules to
manage network traffic, set up specific features, services and VPN connections,
and configure decoders to block communication containing certain file types or
keywords.
4. Chapter A, "Decoder Reference", on page 209
The gateprotect Firewall protocol decoder can detect FTP commands and HTTP
MIME types in traffic flows.
1.3 Conventions
This topic explains the typographic conventions and other notations used to represent
information in this manual.
Elements of the web-based graphical user interface (GUI, or »web interface«) are indicated as follows:
● Buttons, checkboxes, list names and other controls appear in quotation marks. For example: »Click "Save" to create the rule.«
● A sequence of menu commands is indicated as follows: "Firewall > Status". In this case, select "Status" from the "Firewall" menu.
● List options and literal text both appear in a fixed-width font. For example: »The default filename is set to config.tar.gz.«
● Terms that require extended definitions or explanations are indicated in italics. For example, the term application is often used to refer to a software program. In this manual, however, it usually means the Layer 7 protocol used by the program on the Application Layer of the OSI reference model. With Skype traffic, for example, the terms application and protocol are used interchangeably.
Notes
The following types of notes are used in this manual to indicate information which
expands on or calls attention to a particular point.
This note is a little hint that can help make your work easier.
This note contains important additional information.
This note contains information that is important to consider. Non-observance can damage your gateprotect Firewall or put your network security at risk.
1.4 Related Resources
This section describes additional documentation and other resources for information on
gateprotect Firewall.
Refer to these resources for more information on gateprotect Firewall:
● A separate gateprotect Firewall Getting Started guide is provided with the gateprotect Firewall hardware. The document describes the installation procedure and first steps to start working.
● Getting Started guides are also available for the virtual machines (VM) of gateprotect Firewall. The platform-specific documents are provided for all types of supported virtualization software.
● How-tos describe specific configuration scenarios and solutions.
● Data sheets summarize the technical characteristics of the different gateprotect Firewall hardware models.
● Release Notes provide the latest information on each release.
● Our website at cybersecurity.rohde-schwarz.com provides a wealth of information about our products and solutions and the latest company news and events.
For additional documents such as technical specifications, please visit the mygateprotect portal at www.mygateprotect.com.
1.5 About Rohde & Schwarz Cybersecurity
Rohde & Schwarz Cybersecurity protects companies and public institutions worldwide
against espionage and cyber attacks.
The company develops and produces high-end encryption products, next-generation
firewalls, network traffic analytics and endpoint security software as leading-edge technical solutions for information and network security requirements.
Rohde & Schwarz, active for over 20 years in the field of IT security, is now expanding
into this sector. The integration of enterprise security experts gateprotect, ipoque and
Sirrix has created the new brand »Rohde & Schwarz Cybersecurity« as the leading
European provider of cybersecurity solutions.
The trustworthy IT solutions are developed based on the »Security by Design« principle, which proactively prevents cyber attacks rather than reacting to a known threat.
This new approach even protects against complex attacks that use zero-day exploits to
expose the weakness of existing antivirus software or traditional firewalls.
For more information, visit our website at cybersecurity.rohde-schwarz.com.
2 Getting Started
2.1 Logging On
Log on to gateprotect Firewall to set up the system for your network.
After having completed the installation and licensing procedure for gateprotect Firewall
as described in the gateprotect Firewall Getting Started guide, you can begin working
with the firewall:
1. On the gateprotect Firewall logon page, enter admin as the "User Name" and the
factory default "Password" gateprotect.
Figure 2-1: Logging on to gateprotect Firewall.
2. Click "Login" .
3. After your first login using the standard credentials, the system prompts you to
change your password. You cannot skip this step.
Note: If you forget the new password entered, the password can only be reset by
setting the system back to the factory default configuration as described under
Chapter 2.2, "Resetting the Hardware", on page 14.
Note: The admin password is included in a system backup.
The web interface appears.
After three unsuccessful login attempts, you will be blocked for an hour to prevent
unauthorized access. Every new attempt during that hour resets the waiting period.
After one hour without login attempts, you can log on to gateprotect Firewall again with
valid credentials.
You are automatically logged out after 10 minutes of inactivity.
Set your browser configuration to clear all session data and cookies when the browser
is closed. Otherwise, your admin session will be restored after the computer is rebooted and unauthorized persons can access the firewall.
2.2 Resetting the Hardware
If you cannot access the web interface, you can reset the system to the factory default
configuration.
Connect the ports labeled eth2 and eth3 with a patch cable, then power off and
power on.
Figure 2-2: Resetting the hardware of the gateprotect Firewall GP-S series.
With models GP-E-1000/GP-S-1800 or higher, connect the first two ports in the first
module (for example eth11 and eth12) with a patch cable, then power off and power
on.
Figure 2-3: Resetting the hardware of gateprotect Firewall models GP-E-1000/GP-S-1800 or higher.
The kind of power button (power off switch, push button or power off button) and its
location differ by hardware model.
The default settings are restored.
Booting to a factory reset can take up to 5 minutes.
3 User Interface
The sections in this chapter describe the components of the gateprotect Firewall user
interface.
The gateprotect Firewall web interface requires a minimum display resolution of
1024 × 786 pixels (XGA).
The following browser versions (or newer) are supported, with JavaScript enabled:
● Google Chrome 10
● Firefox 12
The first sections provide an overview of the main components of the web interface.
The next topic explains the meaning of the icons and buttons commonly used on the
user interface and throughout this manual.
The following topic describes how a firewall rule for a connection between two desktop
nodes is set up.
The remaining topics correspond to the menu items in the navigation bar on the left
side of the user interface. For information on the available options, see the corresponding section.
3.1 Web Interface Components
The gateprotect Firewall web interface uses a standard tri-pane page layout with a
common header area, a left navigation pane, and a main content pane on the right.
Figure 3-1: gateprotect Firewall web interface.
The information displayed in each area is described in the following sections.
3.1.1 Header Area
The header area (1) contains the following elements (from left to right):
Figure 3-2: gateprotect Firewall web interface header area.
● the button to hide or show the navigation bar (the navigation bar is displayed by default, see Chapter 3.1.2, "Navigation Pane", on page 19),
● the Rohde & Schwarz Cybersecurity logo,
● the current system status information, expressing the system load and the memory and disk usage as a percentage, so you can quickly spot system performance bottlenecks,
● a user menu that allows you to select the language to be used in the web interface,
● a menu to change the current user's password (the new password has to be at least eight characters long and cannot be identical with the current password) and to end the current user session and return to the login dialog and
● a link which provides access to a PDF version of the gateprotect Firewall User Manual. Depending on your browser settings, the PDF file is either displayed in a new tab or window, or downloaded.
In addition, the header area displays unsaved configuration changes if you close an editor panel by pressing the Esc key on your computer keyboard (unsaved changes are not displayed if you close an editor panel by clicking the button in the upper right corner of the panel, however).
The PDF version of the gateprotect Firewall User Manual is also available from the
logon page. Click on "User Manual" to access the file.
3.1.2 Navigation Pane
The navigation pane (2) is on the left side of the web interface and consists of two
parts. The links in the left navigation bar provide access to the gateprotect Firewall settings. The item list bar on the right is used to display information on the current desktop
configuration.
Both bars contain a search field at the top which can filter the lists to help you quickly
find menus or items. Each search field works for the bar it is part of only. As you type in
the search field, gateprotect Firewall reduces the lists to show only those menus or
items that contain the characters you are typing.
The information displayed in the item list bar depends on, firstly, the menu item selected in the navigation bar and, secondly, how much information you want to be displayed. You can unfold more detailed information, or reduce the amount of information presented, by clicking the corresponding button in the upper right corner of this pane.
To view the complete list of menus or items again, reset the search by clicking the clear button in the search field.
See Chapter 3.4, "Menu Reference", on page 29 for details on the options available in each view.
3.1.3 Desktop
The desktop (3) fills the main portion of the screen below the header area and to the right of the navigation pane. The information displayed here depends on the item selected in the navigation pane or on the desktop.
Figure 3-3: gateprotect Firewall desktop.
On the desktop you always have a complete overview of your entire configured network. You can edit various settings in this pane or view the details of a configuration.
A toolbar at the top of the desktop allows you to create and edit objects or connections.
To create an object on the desktop, click with the left mouse button on the desired button in the toolbar, keep the mouse button pressed and drag the object onto the desktop. Depending on the type of object you are creating, an editor panel automatically opens where you can enter the required data for the object. To delete an object from the desktop, click the object with the left mouse button and select the delete button from the circular menu.
If the system configuration changes, the "Activate" button is highlighted, prompting you to update your configuration. Click this button to save your current desktop configuration changes and to activate them on the firewall.
The buttons that appear in the circular menu when you click an object with the left
mouse button allow you to adjust the settings for an existing object, to create a connection between two existing objects, to hide or display objects attached to the object, to
unpin an object from a specific location on the desktop or to remove it from the desktop.
It is possible to customize the desktop layout by dragging the objects to the desired
positions where they are automatically pinned. Use the buttons in the toolbar to save
and restore your customized layout or to arrange the objects automatically.
For further information, see Chapter 3.2, "Icons and Buttons", on page 21.
3.2 Icons and Buttons
This topic explains the icons and buttons commonly used on the user interface and
throughout this manual.
Icon/Button Description
Hide and show the navigation bar.
Indicates that firewall rules can be rearranged in the "Firewall Rules" list.
Reflects the total percentage of system load.
Reflects the total percentage of memory usage.
Reflects the total percentage of disk usage.
Create or edit a connection between two desktop objects.
Create a host.
Create a network.
Create a network group.
Create a user.
Discard all manual desktop layout changes and apply an automatic layout.
Save the current desktop layout.
Restore the last saved desktop layout.
Restore a backup.
Replace a certificate by importing a new certificate.
Fit the entire network to the desktop.
Marks a menu item with settings to configure in the navigation bar.
Marks a table column with actions available for a table entry.
Unpin the desktop object to be able to move it via drag & drop on the desktop.
Pin individual or all LDAP users to the desktop.
Remove an individual LDAP user from the desktop.
View and adjust the settings for a desktop object, a list item or a table entry.
Create a list item or a table entry based on a copy of an existing entry.
Delete a desktop object, a list item or a table entry from the system after a positive response to the confirmation request popping up.
Permanently revoke a certificate.
View the details of a list item in the item list bar.
Import a backup or a certificate from a file.
Export a backup or a certificate to a file.
Create a list item in the item list bar.
Unfold a menu item to view subordinate items in the navigation bar.
Unfold an IPS/IDS category to view its individual rules.
Unfold a web filter category to view its subcategories.
Hide subordinate menu items in the navigation bar.
Hide individual IPS/IDS rules of an IPS/IDS category.
Hide subcategories of a web filter category.
Unfold more detailed information in the item list bar.
Show additional actions available for a desktop object or show objects attached
to it.
Reduce the amount of information given in the item list bar.
Hide additional actions available for a desktop object or hide objects attached
to it.
Expand the desktop node of a network group to view the members associated
with it.
Collapse the desktop node of a network group to hide the members associated
with it.
Indicates that a certificate is still valid.
Indicates that a certificate has expired.
Renew the validity of a certificate.
Export the certificate signing request (CSR) from the certificate.
Verify a certificate.
Suspend a certificate or CA temporarily.
Resume a certificate that was previously suspended.
Close a pop-up window.
Clear all search criteria of a filter to show all results.
Show additional information.
3.3 Firewall Rule Settings
This topic describes how to create a firewall rule for a connection between two desktop
objects.
There are two ways to create firewall rules:
● You can start by first setting up a connection between two objects on the desktop and then configuring firewall rules for this connection.
To set up a connection, you can first click the connection button in the toolbar at the top of the desktop and then select first the source object and then the target object to create a connection between them. Or you can click the connection button in the circular menu of the source object on the desktop and then select the target object.
The "Firewall Rules" panel opens, automatically applying the firewall rules filter regarding "Sources" and "Destinations" to display already existing firewall rules for this connection, if applicable.
● Alternatively, you can create firewall rules under "Network > Firewall Rules" (see Chapter 3.4.2.1, "Firewall Rules", on page 55). Then the connection between two objects on the desktop is automatically set up by defining a source and a destination on the "Firewall Rule" editor panel.
On the "Firewall Rules" panel, you can set up firewall rules.
1. Click "Add" to set up a firewall rule.
2. The settings on the editor panel that opens allow you to configure the following elements:
"On" / "Off"
A slider switch indicates whether the firewall rule is active ("On") or inactive ("Off"). By clicking the slider switch, you can toggle the state of the firewall rule. A new firewall rule is enabled by default.
On the "General" tab:
"Name"
Enter a unique name for the firewall rule.
"Description"
Optional: Enter additional information regarding the firewall rule.
"Time Profiles"
Optional: Select a time profile during which the rule is applied to network traffic. If no time profile is selected, the rule will be applied 24/7. There are four preset time profiles available:
● Office hours – The rule is applied on weekdays (Monday to Friday) from 06:00 a.m. to 04:00 p.m.
● Outside office hours – The rule is applied on weekdays (Monday to Friday) from 04:00 p.m. to 06:00 a.m.
● Weekdays – The rule is applied around-the-clock from Monday to Friday.
● Weekend – The rule is applied around-the-clock on Saturday and Sunday.
To configure a custom time profile, click the "New Time Profile" link below the drop-down field or navigate directly to "Firewall > Time Profiles". For more information, see Chapter 3.4.1.10, "Time Profiles", on page 54.
"Alert Log"
Optional: To add an entry to the alert log when traffic matches this firewall rule, select one of the following alert levels from the drop-down list:
● emergency – system is unusable (highest priority)
● alert – action must be taken immediately
● critical – critical conditions
● error – error conditions
● warning – warning conditions
● notice – normal but significant conditions
● info – informational messages
● debug – any messages that do not fit into the other log levels (lowest priority)
For more information, see "Alert Log" on page 39.
"Message"
Optional: Specify the alert message to be included in the alert log entry.
The "Connection Settings" section provides the following options:
"Policy"
Select the action to be performed by the firewall rule from the drop-down list. New firewall rules are set to Allow by default, but you can adjust the setting to one of the other values as necessary:
● Allow – Traffic matching this rule is permitted if it is not classified as a threat by any of the other selected modules (IDS/IPS, Anti-Malware, Web Filter). No other rules are processed for this traffic.
● Continue – Any traffic matching this rule is subject to further inspection: the traffic is passed on to the next rule in the list to determine whether any other filter criteria apply. A continue rule should never be the last rule in the list. If enabled, IDS/IPS, Anti-Malware, SSL Inspection, QoS and Web Filter are applied.
● Drop – Traffic matching this rule is silently dropped and rule processing for the associated traffic ceases.
● Reject – Traffic matching this rule is actively rejected and rule processing for the associated traffic ceases.
Important: If you create a rule with the Allow action and do not apply any restrictions (security options or application filters), that rule permits all traffic to pass unchecked.
"Source(s)"
Specify the sources of the traffic flow to which the firewall rule applies. This can be a combination of a zone and any other network objects, such as custom networks, network groups, users, etc.
If you first set up the connection between two objects on the desktop and then started to configure a firewall rule for this connection, this input field is pre-filled with the desktop object that was selected as the source object.
Important: If no source is selected, the rule will be applied to traffic originating from any source.
"Destination(s)"
Specify the destinations of the traffic flow that the firewall rule applies to. This can be a combination of a zone and any other network objects, such as custom networks, network groups, users, etc.
If you first set up the connection between two objects on the desktop and then started to configure a firewall rule for this connection, this input field is pre-filled with the desktop object that was selected as the target object.
Important: If no destination is selected, the rule will be applied to traffic being transmitted to any destination.
"QoS Upstream" / "QoS Downstream"
Optional: To ensure Quality of Service, enter the bandwidth thresholds that should be applied to traffic matching this rule. The two input fields determine the maximum bandwidth (in bits per second) for download and upload. For an application example using QoS, see Chapter 4.1.5, "Using Quality of Service", on page 135.
"Transport Protocol"
Optional: Specify the protocol to which the rule should be applied. You can select TCP or UDP from the drop-down list.
"Source Port"
Optional: To limit the rule to apply only to traffic originating from a certain source port, specify the source port by entering individual values or ranges.
"Destination Port"
Optional: To limit the rule to apply only to traffic being transmitted to a specified destination, specify the destination port by entering individual values or ranges.
In the "Security" section, you can select the security features to be applied in the
rule:
"IDS/IPS"
Optional: Select this checkbox to compare traffic to the database of known threats before further evaluation. For more information, see Chapter 3.4.6.2, "IPS/IDS Profiles", on page 98.
"FTC"
Optional: To capture network traffic to identify the precise timing, scope, and nature of a malicious attack from outside or inside sources on your network, select this checkbox. When the firewall rule hits, the network traffic is captured until the rule no longer triggers Forensic Traffic Capture or the resources no longer support the rule. To view and download the captured files, see "FTC Data" on page 66.
"Anti Malware"
Optional: Select this checkbox to compare traffic to a list of known viruses, malware and other threats (available for HTTP, FTP, IRC, MSN, OSCAR and YAHOO).
"SSL Inspection"
Optional: Select this checkbox to unpack and analyze encrypted traffic.
Important: If you decide to use the whitelisting approach and enable SSL inspection in firewall rules together with SSL related protocols (e.g. FTPS, HTTPS, IMAPS, POP3S and SMTPS), network traffic will flow through gateprotect Firewall until SSL encryption is detected. Unless you select these protocols in firewall rules further down the list as well, you might want to create a firewall rule with the undesired protocol selected from the "Applications / Protocols" list and the action being Drop or Reject. The protocol will then be dropped or rejected as long as SSL is not activated.
Note: "SSL Inspection" can only be selected after an application, a protocol or a custom decoder has been specified.
The "Application Filters" section contains the following options:
"Warning Page"
Optional: The Reject action can be combined with a warning page which appears to the user in the browser window. To enable a warning page, select this checkbox and one of the following options from the drop-down list:
● Show and block – a warning page which cannot be overridden is presented
● Show and continue – a warning page appears but it can be overridden
"Web Filter Profile"
Optional: This filter can only be selected if a web filter profile has been defined as described under Chapter 3.4.6.3, "Web Filter Profiles", on page 100. From the drop-down list, select a web filter profile to apply it to the network traffic (available for HTTP).
"Applications / Protocols"
Optional: gateprotect Firewall can detect various applications and protocols.
Select those applications and protocols to which the rule should be applied.
By clicking the input field, you are offered a selection of applications and
protocols included in the list. You can also type in the input field, getting a
list of applications and protocols whose names contain the characters you
are typing. The first option or match is highlighted in the list. Press ENTER
to select the application or protocol, or use the arrow keys on your keyboard
to select a different one. To delete an application or a protocol from the
input field, click on the left side of its name.
Important: If no applications or protocols are specified, the rule will be
applied to all traffic.
On the "Custom Decoders" tab, you can add custom search patterns that the firewall rule applies to detect hash values, numeric values such as telephone numbers, regular expressions or text strings within the headers, payload or message
fields of supported protocols (see details below).
The buttons on the bottom right of the editor panel depend on whether you add a
new firewall rule or edit an existing rule. For a newly configured rule, click "Create"
to add the rule to the list of available firewall rules or "Cancel" to reject the creation
of a new rule. To edit an existing rule, click "Save" to store the reconfigured rule or
"Reset" to discard your changes. You can click "Close" to shut the editor panel as
long as no changes have been made on it.
3. Click "Activate" in the toolbar at the top of the desktop to apply your configuration changes.
Once you have left the editor panel, the list of firewall rules that are currently defined
on the system is displayed.
Figure 3-4: Sample firewall rules list.
New rules are inserted at the top of the rule list by default (and are thus executed before the already existing rules). For best results, the most specific rules should be placed at the beginning of the list, followed by more general rules that apply to a broader range of traffic.
You can rearrange rules by dragging and dropping them in the list to create the desired sequence.
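The processing order described above can be checked with a small simulator. The following Python script is an added example written for this edit; it is not part of gateprotect Firewall and does not reproduce the product's matching engine. It models only what the manual states: top-down evaluation, Allow/Drop/Reject ending rule processing, Continue passing traffic on to the next rule, and an unset source, destination or application list matching anything. The rule names, the network 10.0.0.0/24 and the flows are constructed; the verdict "Unmatched" for traffic that reaches the end of the list without a terminal rule is an assumption of the simulator, as is the simplified lint check at the end.

```python
"""Added example: simulator for top-down firewall rule processing.

Not part of gateprotect Firewall. It models the policies Allow, Continue,
Drop and Reject as described in the manual, and shows why a general rule
placed above a specific one shadows it. All rules and flows are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    name: str
    policy: str                                       # Allow | Continue | Drop | Reject
    sources: list = field(default_factory=list)       # CIDR strings; empty = any source
    destinations: list = field(default_factory=list)  # CIDR strings; empty = any destination
    applications: set = field(default_factory=set)    # application names; empty = all traffic
    enabled: bool = True                              # the "On"/"Off" slider


@dataclass
class Flow:
    src: str   # source IP address
    dst: str   # destination IP address
    app: str   # application/protocol as the firewall would classify it


def _in_any(addr, nets):
    """An empty list means 'any', as the manual states for unset sources/destinations."""
    return not nets or any(ip_address(addr) in ip_network(n) for n in nets)


def matches(rule, flow):
    return (rule.enabled
            and _in_any(flow.src, rule.sources)
            and _in_any(flow.dst, rule.destinations)
            and (not rule.applications or flow.app in rule.applications))


def evaluate(rules, flow):
    """Walk the list top to bottom; return (verdict, names of the rules that matched).

    Allow, Drop and Reject end processing. Continue hands the traffic to the
    next rule. 'Unmatched' (an assumption of this simulator, not a product
    verdict) is returned when no terminal rule matched.
    """
    trace = []
    for rule in rules:
        if not matches(rule, flow):
            continue
        trace.append(rule.name)
        if rule.policy in ("Allow", "Drop", "Reject"):
            return rule.policy, trace
    return "Unmatched", trace


def lint(rules):
    """Configuration checks derived from the manual's two warnings."""
    findings = []
    if rules and rules[-1].policy == "Continue":
        findings.append("last rule is Continue: traffic it passes on has no rule left to decide it")
    for r in rules:
        # Approximation: the manual's 'no restrictions' refers to security options and
        # application filters; here any completely unscoped Allow rule is flagged.
        if r.policy == "Allow" and not (r.sources or r.destinations or r.applications):
            findings.append(f"{r.name}: Allow without restrictions passes all traffic unchecked")
    return findings


# Constructed sample configuration
LAN = "10.0.0.0/24"
LOG_LAN = Rule("Log LAN traffic", "Continue", sources=[LAN])
BLOCK_SKYPE = Rule("Block Skype from LAN", "Drop", sources=[LAN], applications={"Skype"})
ALLOW_LAN = Rule("Allow LAN to anywhere", "Allow", sources=[LAN])
ALLOW_ALL = Rule("Allow everything", "Allow")

SPECIFIC_FIRST = [LOG_LAN, BLOCK_SKYPE, ALLOW_LAN]   # specific rule above the general one
GENERAL_FIRST = [ALLOW_LAN, BLOCK_SKYPE]            # general rule shadows the specific one
SKYPE_FLOW = Flow("10.0.0.5", "203.0.113.7", "Skype")

if __name__ == "__main__":
    print(evaluate(SPECIFIC_FIRST, SKYPE_FLOW))   # ('Drop', ['Log LAN traffic', 'Block Skype from LAN'])
    print(evaluate(GENERAL_FIRST, SKYPE_FLOW))    # ('Allow', ['Allow LAN to anywhere'])
    print(lint([ALLOW_ALL, LOG_LAN]))
```

Running the script shows the same Skype flow being dropped when the specific rule sits above the general Allow, and allowed when the order is reversed, which is the shadowing the ordering advice is meant to prevent.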
Custom decoders
To avoid confusion, use either application signatures or decoders.
If multiple decoders are defined for a single rule, decoders of the same protocol (such
as two HTTP decoders) are linked with AND logic. Decoders of different protocols (such
as an HTTP and a DNS decoder) are OR-connected.
To add a protocol decoder to a firewall rule, perform the following steps:
1. Click "Add Decoder" on the "Custom Decoders" tab.
2. Select a "Protocol" from the drop-down list.
3. The entries in the "Option" drop-down list are protocol-specific and determine
which fields or portion of the content are searched.
4. Select the "Type" of content to search for (text string, number, hash value, or regular expression) from the drop-down list.
5. By selecting the "Invert" checkbox, the rule will match traffic if the specified
"Option" is not matched (equivalent to a Boolean NOT operator).
6. Enter the desired text, number, term, or search keyword in the "Expression" field.
The selected type determines how the expression is treated and which other options
are available.
When the "Type" option is set to string, the following additional options can be
defined.
"Left Anchor" / "Right Anchor"
Anchors define which boundary is set before (left anchor) or after (right anchor) the search string. The decoder will search for the "Expression" (preceded or followed by the chosen boundary) in the header field selected under "Option". Both drop-down lists contain the following options:
● any – does not define any boundary for the chosen anchor; if both anchors are set to any, the expression may match anywhere in the content
● string – specifies a boundary at the beginning (left anchor) or the end (right anchor) of the content; if both anchors are set, the expression only matches when it equals the entire content
● word – specifies the PCRE word boundary; if both anchors are set to word, the expression matches when it is found in the content surrounded by word boundaries
Note: Letters, digits and underscores in search strings are treated as word characters (equivalent to the character classes [:word:], \w and [A-Za-z0-9_]). All other characters are treated as word boundaries.
"Case Sensitive"
When this checkbox is selected, traffic will only match if it contains the specified expression in the exact case entered.
Setting the "Type" option and both anchors to string will only match if the specified
search term exactly matches the entire content field.
When the "Type" option is set to number, the following options can be defined.
Field – Description
"Operator" – Determines the relationship between the numeric value entered in the "Expression"
field and the value(s) that appear(s) in the content.
Possible values include:
● < (less than),
● > (greater than),
● <= (less or equal),
● >= (greater or equal),
● == (equal),
● != (not equal),
● || (bitwise or), and
● && (bitwise and).
When the "Type" option is set to hash, the rule matches when the exact search string
entered in the "Expression" field is found in traffic. For example, if the target search
expression is specified as www.facebook.com, the rule would not match if a user
were to visit www.facebook.de.
The hash "Type" is equivalent to setting the "Type" option and both anchors to
string and selecting the "Case Sensitive" option, but the search runs much faster.
When the "Type" option is set to regex, the "Expression" is treated as a Perl-Compatible Regular Expression (PCRE) and the following additional options are available as
checkboxes.
Checkbox – Description
"dollar end only" – Make the $ anchor match only at the end of the string (or end of line if multi-line
mode is enabled).
"caseless" – Ignore case: the pattern is treated as case insensitive.
"dot all" – The dot (period) matches any character except newline by default. Select this
option to match newlines as well.
"anchored" – Matches only at the start of the search string.
"ungreedy" – »Lazy« mode (reverses quantifiers): the regular quantifier * will cause matches
to be as small as possible and quantifiers followed by a ? will cause matches to
be as large as possible.
"multiline" – Multiple-line matching: the ^ and $ anchors also match at newlines.
"extended" – Free spacing mode (?x): ignore white space in the remainder of the pattern or
subpattern.
See Chapter 4.13, "Decoder Examples", on page 201 for sample decoder configurations that can be used to detect various types of content. For a list of supported FTP
commands and HTTP mime types, see Chapter A, "Decoder Reference",
on page 209.
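As an added illustration, not the gateprotect decoder's own code, the following Python models the matching semantics of the string, hash, number and regex types described above (anchors, case sensitivity, "Invert", the numeric operators and the PCRE checkboxes that Python's re module can emulate). The operand order of the number comparison and the match condition for the two bitwise operators are assumptions, and all sample values are constructed.

```python
import re
from typing import Callable, Dict, Iterable

# Word characters as the manual defines them: [A-Za-z0-9_]. re.ASCII keeps
# Python's \b and \w restricted to that set, as PCRE does by default.
_LEFT_ANCHOR = {"any": "", "string": r"\A", "word": r"\b"}
_RIGHT_ANCHOR = {"any": "", "string": r"\Z", "word": r"\b"}


def string_match(content: str, expression: str, left_anchor: str = "any",
                 right_anchor: str = "any", case_sensitive: bool = False,
                 invert: bool = False) -> bool:
    """Type 'string': literal search bounded by the Left/Right Anchor options."""
    pattern = (_LEFT_ANCHOR[left_anchor] + re.escape(expression)
               + _RIGHT_ANCHOR[right_anchor])
    flags = re.ASCII | (0 if case_sensitive else re.IGNORECASE)
    hit = re.search(pattern, content, flags) is not None
    return hit != invert  # "Invert" acts as a Boolean NOT on the result


def hash_match(content: str, expression: str, invert: bool = False) -> bool:
    """Type 'hash': the content field must equal the expression exactly,
    i.e. string type with both anchors set to string and Case Sensitive on."""
    return string_match(content, expression, "string", "string", True, invert)


# Operators of the number type. Assumption: the comparison is evaluated as
# <value found in content> <operator> <expression>, and the two bitwise
# operators count as a match when their result is non-zero.
_OPERATORS: Dict[str, Callable[[int, int], bool]] = {
    "<": lambda a, b: a < b,
    ">": lambda a, b: a > b,
    "<=": lambda a, b: a <= b,
    ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    "||": lambda a, b: (a | b) != 0,
    "&&": lambda a, b: (a & b) != 0,
}


def number_match(content: str, operator: str, expression: int,
                 invert: bool = False) -> bool:
    """Type 'number': any integer in the content field that satisfies the comparison matches."""
    values = [int(v) for v in re.findall(r"-?\d+", content)]
    hit = any(_OPERATORS[operator](v, expression) for v in values)
    return hit != invert


# PCRE checkboxes that have a direct counterpart in Python's re module.
_REGEX_FLAGS = {
    "caseless": re.IGNORECASE,
    "dot all": re.DOTALL,
    "multiline": re.MULTILINE,
    "extended": re.VERBOSE,
}


def regex_match(content: str, expression: str, options: Iterable[str] = (),
                invert: bool = False) -> bool:
    """Type 'regex': PCRE pattern with the listed checkboxes enabled."""
    flags, anchored = 0, False
    for opt in options:
        if opt == "anchored":
            anchored = True  # match only at the start of the content
        elif opt in _REGEX_FLAGS:
            flags |= _REGEX_FLAGS[opt]
        else:
            # "dollar end only" and "ungreedy" have no equivalent in re
            raise ValueError(f"option {opt!r} cannot be emulated with Python re")
    search = re.match if anchored else re.search
    hit = search(expression, content, flags) is not None
    return hit != invert


def demo() -> Dict[str, bool]:
    """Constructed sample values illustrating the rules discussed in the text."""
    host = "www.facebook.de"  # constructed Host header value
    return {
        # exact (hash) match on www.facebook.com does not fire on the .de host
        "hash_com_vs_de": hash_match(host, "www.facebook.com"),
        # an unanchored, case-insensitive string search does
        "string_any": string_match(host, "FACEBOOK"),
        # word anchors: "face" is followed by a word character in "facebook"
        "string_word_partial": string_match(host, "face", "word", "word"),
        "string_word_full": string_match(host, "facebook", "word", "word"),
        # number: a Content-Length of 1500 exceeds a 1024 threshold
        "number_gt": number_match("Content-Length: 1500", ">", 1024),
        # anchored regex fails when the pattern does not start the content
        "regex_anchored": regex_match("Host: " + host, r"www\.facebook\.[a-z]+",
                                      ("anchored",)),
        "regex_search": regex_match(host, r"^www\.facebook\.[a-z]+$", ("caseless",)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```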
3.4 Menu Reference
This reference section describes each menu item in the navigation pane on the left
side of the browser window.
Refer to the topics below for information on the options available.
3.4.1 Firewall
The "Firewall" settings display an overview of basic system settings and detailed
information about the traffic flowing through gateprotect Firewall and allow you to configure gateprotect Firewall for your local environment.
3.4.1.1 Status
The "Firewall Status" displays an overview of basic system settings, the status of each
of the assigned interfaces on the local network, and information on the services that
are running on the system.
Navigate to "Firewall > Status" to display the overview.
In the expanded view, the columns of the table display the following information in
each section:
● The "Physical Interfaces" section displays basic information about the configured
zones and their physical interfaces. The columns of the table display the "Name" of
the interfaces that are assigned to the zones, their link status, transmitted and
received bytes and the data throughput for every zone.
● In the "Services" section you can see whether the services DHCP, DNS, Firewall,
High Availability, NTP, and Updater are running on the system.
● The "Maintenance" section gives an overview of basic system settings:
– "Backup Schedule" indicates whether backups are enabled or not
– "Updates" shows whether updates are pending or not (the tooltip shows how
many updates are pending)
– "High Availability" indicates whether High Availability is enabled or not
– "Uptime" displays for how long the system has been running since the last
reboot
– "Machine ID" states the Machine ID of your device
– "Hardware" informs you about the hardware version of your device
– "Version" indicates which software version is running on the system
– "Timezone" shows which time zone is configured on the system (click the blue
link to navigate directly to "Settings" to view the corresponding configuration
options)
3.4.1.2 Reports
The "Reports" display detailed information about the traffic flowing through the gateprotect Firewall. Each report includes a chart and a table with statistics for a certain time
range. You can control several aspects of the presentation and data on these reports.
Navigate to "Firewall > Reports" to display the list of reports, subdivided into aggregation intervals (last hour, day, week, and month), that are available on the system in the
item list bar. To view a report, click the desired report in the item list bar and the report
panel opens.
Click "Close" to leave the report view.
Working with Reports
The charts and tables in the "Reports" panels share common functions to adjust the
data display and allow you to focus on the data you are most interested in.
Figure 3-5: Sample users report.
Reports typically contain drop-down lists that can be used to adjust the data displayed
in the report and the quantity or »depth of interest« in the report data. For example, a
traffic volume report may have an option to display the traffic in incoming ( "Rx" :
received), outgoing ( "Tx" : transmitted) or total bytes and may also have a selection for
the top users or zones (depending on the report).
Additionally, the data to be displayed in a report can be filtered by name. There are two
options:
● By clicking the search field above the chart, you are offered a selection of items
included in the report. You can also type in the search field, getting a list of items
whose names contain the characters you are typing. The first option or match is
highlighted in the list. Press ENTER to select the item or use the arrow keys on
your keyboard to select a different item. To delete an item from the search field,
click on the left side of the item.
● Filtering by name can also be performed by clicking items in the legend below the
chart to activate and deactivate them in the report.
A mouse-over provides details on a specific point in the graphical report. A click with a
dragging motion selects an area within the graphical report for higher granularity. Upon
click-and-drag, the graphical report then redraws itself with the selected areas of detail
as the new display parameters. To return to the default graph, click "Reset zoom" in
the upper right corner of the chart.
Reports include a legend. The legend is color-coded and is ordered to reflect the relative quantity displayed in the report (left to right, top to bottom). For example, the legend for a report showing the top users in bytes would have the highest user first (far
left, or listed first).
The sections below provide further information on the data available in each type of
report.
Users
The "Users" reports contain information relating to end-user hosts either by IP address
or by name (depending on the integration of gateprotect Firewall into your environment). The administrator can use these reports to discover heavy users of the network
to determine whether this behavior is expected or represents a threat to the business.
Protocols
The "Protocols" reports contain information about the protocols and applications on the
network and passing through gateprotect Firewall. A security or network administrator
can use these reports to determine whether bandwidth utilization on the network
reflects the goals of the business.
These reports show the aggregated data volume statistics for the complete link, distinguished by inbound and outbound traffic and both combined.
Zones
The "Zones" reports show traffic volume for each configured zone. The administrator
can use these reports to monitor traffic usage between WAN-side and LAN-side connections and determine whether a policy rule needs to be created to change the composition or volume of traffic between the displayed points.
The reports provided here aggregate data for the zones that are configured via the
"LAN" and "WAN" menus.
Domains
The "Domains" reports display the Internet sites that were most frequently visited by
users on the local network. These reports are used to determine whether web-browsing habits match the company policy and the goals of the business.
Traffic per Rule
The "Traffic per rule" reports contain information about the traffic volume for each configured firewall rule. An administrator can use these reports to monitor the impact of a
firewall rule on the network traffic and to refine the current rule set if necessary.
Hits per Rule
The "Hits per rule" reports show statistics on the firewall rules that matched recent traffic. This information can be used in combination with the other reports to refine the current rule set and ensure that gateprotect Firewall is properly configured to permit the
network traffic that is required for business while blocking any undesired or malicious
activity.
Network Interfaces
The "Network Interfaces" reports show the traffic volume for each physical network
interface. This information can help the network administrator to determine whether a
link is saturated and to reconsider the cabling decisions if necessary.
3.4.1.3 Updates
These options allow you to download new software for gateprotect Firewall, to install
system updates as well as updates for the Application Signatures, Certificates, Intrusion Prevention System (IPS), Malware Protection and Web Filter.
Navigate to "Firewall > Updates" to display the list of available module versions and
system updates and their status.
If the "Activate" button in the toolbar at the top of the desktop is highlighted, no
update can be installed. First, save your current desktop configuration changes, then
install the updates.
The list of license modules (Application Signatures, Certificates, IPS, Anti-Malware,
and Web Filter) is reset during system updates, factory resets or when reverting to a
previous version. To avoid compatibility problems, license module updates should be
reinstalled after the reset.
Click "Check for Updates" to update the list of available modules with the latest versions.
A slider switch indicates whether the automatic download and/or installation options
are currently active ("On") or inactive ("Off"). All options are disabled by default. By
clicking the slider switch, you can toggle the state of each individual option. When the
automatic download and/or installation options are deactivated, the links in the far right
column allow you to "Download" and "Install" updates manually.
Automatic download and installation will only begin after you click "Activate" in the
toolbar at the top of the desktop.
Before installing a system update, you may want to create a new backup checkpoint
and download it to your computer so you can restore this configuration later if necessary. For more information, see "Local Backups" on page 34.
System updates require a restart. A "Reboot" button in the far right column prompts
you to reboot the system to complete the update process. Click the link to restart the
system and install the new system software. In this case, it is important to restart the
system via the button in the table to ensure that the new firmware is applied. (When
the system is restarted via "Firewall > System > System Actions > Reboot Firewall" or
by switching the device off and on, the software installation routine does not run, so the
system uses the same firmware version that was running before the restart.)
In a High Availability configuration, system updates must be installed in two phases.
First, by clicking "Download" , "Install" and "Reboot" on the master system, the standby
(slave) system is updated and rebooted. If the update was successful, the former slave
takes over the master role, since the software version is newer than the software version on the other system. Then, the former master is updated and rebooted by clicking
"Download" , "Install" and "Reboot" on the new master system. After restarting, the
new slave (former master) retains the role of standby system. Do not make changes
to the system at any point in this process.
Important: Always update both systems (master and slave). Otherwise, High Availability
does not work correctly.
If you do not have a license for one of the modules, you will see a " Get Subscription"
link in the far right column. By clicking this link, you will be redirected to our website at
cybersecurity.rohde-schwarz.com.
The "Close" button at the bottom of the updates panel allows you to shut the panel and
return to the overview of your entire configured network.
3.4.1.4 Backup
gateprotect Firewall stores settings in configuration files which are automatically created whenever settings are changed in the web interface. The options under "Backup"
allow you to schedule regular backups, manually back up the current system configuration and restore previous configurations.
For more detailed information on backups, see the following sections.
Local Backups
Local backups allow you to manually create a backup of the current firewall configuration and to upload a previously downloaded backup file from your computer to restore
the system configuration.
In a High Availability configuration, backups that were created on the master system
are displayed on the standby (slave) system as well.
Navigate to "Firewall > Backup > Local Backups" to display the list of backups that are
currently available on the system in the item list bar. In the expanded view, the left column of the table displays the "Name" of an existing backup. The buttons in the last column allow you to view the details of a backup, export and restore a backup file, or
delete a backup from the system.
For further information, see Chapter 3.2, "Icons and Buttons", on page 21.
Creating a Backup
1. Navigate to "Firewall > Backup > Local Backups".
2. Click the plus button (Create a new backup) in the item list bar header.
3. On the "Backup" panel that opens, enter a "Custom name" for the backup. This
name has to be unique and may consist of 3 to 25 characters (allowed are letters
of the English alphabet, integers, dashes, underscores and dots). If no custom
name is provided, the system automatically assigns a name.
4. Click "Create" to add the new backup to the list of available backups or "Cancel" to
reject the creation of the backup.
Use this function, for example, to reload a configuration after a system update or to
transfer a configuration to a second (secondary) firewall for a High Availability solution.
For further information, see Chapter 3.4.2.5, "High Availability", on page 60.
Importing a Backup
1. Navigate to "Firewall > Backup > Local Backups".
2. Click the (Import backup) button in the item list bar header.
3. Select a backup file to transfer from your computer or click "Cancel" to reject the
transfer of the backup.
4. If the import is successful, the backup is added to the list of available backups so
you can restore this configuration later. Click "Close" to shut the confirmation window.
If High Availability is enabled, it is not possible to import a backup on the master system. An error message is displayed that asks you to disable High Availability first.
Viewing the Details of a Backup
1. Navigate to "Firewall > Backup > Local Backups".
2. Click the (View backup details) button next to the backup you would like to view
the details of.
3. The "Backup" panel that opens displays the name and the timestamp of the creation of the backup.
4. Click "Close" to exit the "Backup" panel.
Exporting a Backup
1. Navigate to "Firewall > Backup > Local Backups".
2. Expand the view of the "Local Backups" list by clicking the icon next to the search field at
the top of the item list bar.
3. Click the (Export backup) button behind the backup which you would like to
export to transfer the current configuration in YML.ZIP file format to your computer
so you can restore this configuration later if necessary. Specify a storage location
and click "OK" or click "Cancel" to reject the transfer of the backup.
Restoring a Backup
1. Navigate to "Firewall > Backup > Local Backups".
2. Expand the view of the "Local Backups" list by clicking the icon next to the search field at
the top of the item list bar.
3. Click the (Restore backup) button behind the backup which you would like to
restore.
4. On the panel that opens, click "Yes" to return to the configuration of the backup file
immediately or "No" to reject the recovery of the backup.
5. If the restoration is successful, click "Close" to shut the confirmation window.
6. Click "Activate" in the toolbar at the top of the desktop to apply your configuration changes.
Backups contain the administrator password. Therefore, it is recommended to go to
"admin" in the header and click "Change Password" to set a new password right after
restoring the backup.
Only backups of software version v15.0.0 or higher can be restored.
Restoring a backup does not overwrite any log, audit or FTC data but only the system
and rule configuration.
Backup Profiles
Backup profiles allow you to schedule how often the database is backed up automatically and how many backups are kept. There are no restrictions on the number of
backup profiles you can create and, therefore, on the amount or interval of backup creation.
Before you proceed, make sure that you set the time zone for your gateprotect Firewall
as described under "Settings" on page 45. Otherwise, the backups are created
according to Etc/UTC instead of the time specified by you in the backup profiles.
In a High Availability configuration, backups that were created on the master system
are displayed on the standby (slave) system as well.
Backup Profiles Overview
Navigate to "Firewall > Backup > Profiles" to display the list of backup profiles that are
currently defined on the system in the item list bar.
In the expanded view, the left column of the table displays the "Name" of an existing
backup profile. Furthermore, the "Status" of the backup profile and its backup "Interval"
are displayed. The buttons in the last column allow you to view and adjust the settings
of an existing backup profile, create a new profile based on a copy of an existing
backup profile, or delete a profile from the system.
For further information, see Chapter 3.2, "Icons and Buttons", on page 21.
Backup Profiles Settings
Under "Firewall > Backup > Profiles" , you can add a new or edit an existing backup
profile.
The "Backup" settings allow you to configure the following elements:
Field – Description
"On" / "Off" – A slider switch indicates whether the backup profile is active ("On") or inactive
("Off"). By clicking the slider switch, you can toggle the state of the profile. A
new backup profile is enabled by default.
"Name" – Enter a unique name to identify the backup profile in the item list bar.
"Time" – Enter the time (in the 24-hour HH:MM format) when the database should be
backed up automatically. The default time is set to 02:00.
"Interval" – Select the desired interval for the creation of backups from the drop-down list.
The option is set to Week by default, but you can adjust the settings to one of
the other values as necessary (see below).
"Day of Week/Day of Month" – If you selected the interval:
● Day, you do not have to specify the day any further.
● Week, specify the day of the week on which the backup should be created.
The default value is set to Sunday.
● Month, specify the day of the month (as a date) on which the backup
should be created.
"Filename base path" – Enter a base filename for the backup files. The name has to be unique and
must consist of at least 3 characters (allowed are letters of the English alphabet, integers, dashes, underscores and dots). The date and the YML.ZIP file
extension are automatically added to the filename.
"Store Locally" – This checkbox is pre-selected by default. Clear the checkbox to disable the
local storage of backups created with this profile.
"Number of Backups stored" – From the drop-down list, select how many backups should be stored locally if
the "Store Locally" checkbox has been selected. The option is set to Last 5 by
default. The oldest backups are automatically deleted if the selected number is
exceeded.
"Upload" – This checkbox is cleared by default. Select this checkbox if you wish to store
backups on a remote server.
"Protocol" – From the drop-down list, select the network protocol used to upload the backups.
The option is set to SCP by default.
"Username" – Enter the name of the user on the remote file service.
"Password" – Enter the user's password for the remote file service if required.
"Show Password" – Optional: Select this checkbox to verify the password.
"Server" – Specify the IP address or domain name of the host that will store the backups.
"SSH fingerprint" – If the SCP protocol was selected, enter the SSH fingerprint of the remote
machine.
"Zone" – From the drop-down list, select the zone that contains the host specified in the
"Server" field.
"Port" – Enter the port number (from 1 to 65535) of the file service.
"Directory" – Specify the directory on the remote server where the backups will be stored. If
the directory does not exist, it will be created.
Backups have to be stored locally or uploaded to a remote server. That means at least
one of the two checkboxes has to be selected.
The buttons at the bottom right of the editor panel depend on whether you add a new
backup profile or edit an existing profile. For a newly configured profile, click "Create"
to add the profile to the list of available backup profiles or "Cancel" to discard your
changes. To edit an existing profile, click "Save" to store the reconfigured profile or
"Reset" to discard your changes. You can click "Close" to shut the editor panel as long
as no changes have been made on it.
Click " Activate" in the toolbar at the top of the desktop to apply your configuration
changes.
3.4.1.5 Local Logs
gateprotect Firewall stores records of system events, status information, errors and
other communication in a log database. The "Local Logs" panels display the contents
of the logs. If a problem occurs, you may be able to find technical details about the
cause of the problem by viewing these logs.
The logs are automatically reloaded to get the latest entries by default. You can disable
the automatic reload to focus on older entries by clicking the "AUTORELOAD ON"
slider switch. Then you can manually update the list of items in the logs by clicking
"Manual Reload" . To enable automatic reload again, click the slider switch to turn it
on.
The filter options in the first row of the tables allow you to narrow the list of results to
display only items that include a certain search string. Toggle the options to specify
search criteria in the input fields. The available options depend on the log type. With
filter options set, the logs are always automatically reloaded.
To filter the contents of a log by a customized time range, click the "Time" input field. A
new window on which you can either select a pre-defined or enter a custom time range
opens. By clicking "Custom" , a calendar and drop-down lists for changing the date and
time appear. Set the date and time as desired. Click "Apply" to save your changes and
view the filtered log or "Cancel" to discard your changes.
Use the checkbox to enable ("aa") or disable ("Aa") case sensitivity regarding your
search strings.
To view the complete logs again, delete all search criteria by clicking "Reset" , the
(Remove) button on the left side of the selected "Log Level" or the (Delete) button in
the other input fields.
The "Close" button at the bottom of the log panels allows you to shut the log panels
and return to the complete overview of your entire configured network.
For more detailed information on local logs, see the following sections.
Alert Log
The "Alert Log" displays a list of recent alert messages. Alerts may be triggered by firewall rules, the Intrusion Prevention System and protocol validation to call attention to
certain security-relevant events.
The columns of the table contain the following information:
Column – Description
"Time" – The timestamp of the log entry.
"Log Level" – The log level, which can be one of the following:
● emergency – system is unusable (highest priority)
● alert – action must be taken immediately
● critical – critical conditions
● error – error conditions
● warning – warning conditions
● notice – normal but significant conditions
● info – informational messages
● debug – any messages that do not fit into the other log levels (lowest priority)
"Source IP" – The source IP address of the connection triggering the alert.
"Source Port" – The source port of the connection triggering the alert.
"Destination IP" – The destination IP address of the connection triggering the alert.
"Destination Port" – The destination port of the connection triggering the alert.
"Protocol" – The protocol that was detected for the connection triggering the alert.
"Message" – The log message itself.
You can filter the contents of the Alert log. The "Message" filter returns all results that
contain the input string, whereas the remaining filter fields return exact matches only.
The list of log messages will be adjusted to reflect your changes in the filter options.
Figure 3-6: Sample filtered Alert log.
Audit Log
The "Audit Log" shows the history of rule events and user sessions in the web interface, including when certain users logged on or signed out.
The columns of the table contain the following information:
Column – Description
"Time" – The timestamp of the log entry.
"IP-address" – The IP address from which the user carried out the operation.
"User" – The name of the user who logged the entry, such as admin.
"Operation" – The activity that created the entry, for example Activated a new
configuration.
You can filter the contents of the Audit log.
The list of log messages will be adjusted to reflect your changes in the filter options.
Figure 3-7: Sample filtered Audit log.
System Log
The "System Log" displays a list of recent system messages (e.g. from the kernel,
DHCP, DNS services, etc.).
The columns of the table contain the following information:
Column – Description
"Time" – The timestamp of the log entry.
"Log Level" – The log level, which can be one of the following:
● emergency – system is unusable (highest priority)
● alert – action must be taken immediately
● critical – critical conditions
● error – error conditions
● warning – warning conditions
● notice – normal but significant conditions
● info – informational messages
● debug – any messages that do not fit into the other log levels (lowest priority)
"Facility" – The name of the facility that logged the entry, for example daemon.
"Program" – The name of the program that created the entry, such as updater or
hwclockd.
"Message" – The log message itself.
You can filter the contents of the System log. The "Message" filter returns all results
that contain the input string, whereas the remaining filter fields return exact matches
only.
The list of log messages will be adjusted to reflect your changes in the filter options.
Figure 3-8: Sample filtered System log.
3.4.1.6 Network Diagnostics
Use the "Network Diagnostics" tools to verify whether gateprotect Firewall can communicate with a computer or other device at a specific network address (ping) or to follow
the path a message takes as it travels through the network (traceroute).
To allow diagnostic analysis between zones, a firewall rule with the ICMP protocol or
the ICMP Ping application has to be active in the appropriate direction.
Ping
Use the ping command to check if gateprotect Firewall can communicate with a computer or other device at a specific network address.
Ping is a diagnostic tool that continuously sends ping signals to the target to check if it
is able to receive data.
Pinging can help you debug communication problems by verifying connectivity
between selected zones and the remote device.
To ping another device, adjust the following "Parameters" :
1. From the drop-down list, select the gateprotect Firewall "Source Zone" from which
you wish to test.
2. Enter the valid network address to ping under "Destination" .
3. Enter the "ICMP Time-to-live" , the value of the TTL field in the IP header that limits
the lifetime of a datagram. The value can be any integer from 1 to 255. The default
ICMP time-to-live is set to 64.
4. Specify the "Payload Size" (in bytes) of the ICMP payload. The default payload
size is set to 32 bytes. Any other integer from 1 to 1480 can be entered.
5. Under "Request Count" , select the number of ICMP echo request packets to be
sent to the target. You can choose any integer from 1 to 10 from the drop-down
list. The default number is set to 4.
6. Click "Run" to start pinging.
The output of the ping command is shown in the console area under "Output" . If the
other device responds to the ping, gateprotect Firewall can reach the device from the
selected source zone.
If the other device does not respond, try pinging from other zones to determine if firewall rules are blocking communication from certain zones.
Figure 3-9: Pinging a remote device.
Traceroute
Use the traceroute command to track the path a message takes through the network.
Packets sent from gateprotect Firewall may pass through many other devices on the
way to their final destination, which can make it difficult to figure out where problems
are occurring if connectivity cannot be established. You can use the traceroute
command to track the route that packets follow from a gateprotect Firewall zone along
the path to a certain host.
To follow the path to another device, adjust the following "Parameters" :
1. From the drop-down list, select the gateprotect Firewall "Source Zone" from which
you wish to test.
2. Enter the host name or IP address of the final destination under "Destination" .
3. Under "Max Hops" , enter the maximum number of nodes (routers or other devices)
to be traversed on the way to the destination. The default number is set to 30, but
you can enter any integer from 1 to 255. If the destination is not reached before
this threshold, probe packets are discarded.
4. Click "Run" to start tracerouting.
The list of gateways traversed along the way is shown in the console area under "Output" .
3.4.1.7 System
Use the options under "System" to reboot your gateprotect Firewall, reset the system
configuration, revert to a previous version or shut down the firewall. You can also
determine the host name of your gateprotect Firewall, set the system date and time
and specify your time zone.
System Actions
Under "Firewall > System > System Actions" , you can reboot or shut down the firewall,
reset its configuration or revert to a previous version.
The following actions are available on the panel that opens:
Field – Description
"Reboot Firewall" – Restart the system without changing any settings. The currently installed firmware
version is used and the current configuration is reloaded.
"Reset to factory defaults" – Restore the original configuration from the time of system delivery and log out
the current user. This command does not change the current gateprotect Firewall system firmware.
"Revert to previous version" – Restart the system with the previously used firmware version. This can be used
in case a system upgrade was successfully installed but is not working properly.
To be able to execute any of these actions, you need to provide your login "Password" .
The buttons at the bottom right of the panel allow you to perform the chosen action
( "Confirm" ) or to reject the execution of the action ( "Cancel" ).
Notifications
The "Notifications" settings determine which events trigger notification messages to the
administrator.
You can activate notifications for the events listed in the table. To enable notifications,
you need to specify the email addresses, server and transmission options that are
used to send messages.
Be sure to verify the settings before activating any notifications.
The "Notifications" panel provides the following SMTP setting options:
Field / Description
"Relay Host": Specify the outgoing mail server by entering a host name or an IP address.
"Port": Enter the port to be used for communication. The default value is port 25.
"Reachable from Zone": From the drop-down list, select the network zone in which the daemon that connects to the configured mail server is started. The WAN zone is selected by default.
"Mail from": Enter the sender email address from which notifications are sent.
"Mail to": Enter the recipient email address to which notifications are sent.
"Use TLS": Optional: Select this checkbox to encrypt communication with the mail server. Without it, the notification contents and any relay credentials cross the network in cleartext.
"Relay Host needs authentication": Optional: If the relay host requires SMTP authentication, select this checkbox and enter the login credentials ("User" and "Password") that the relay host expects.
If you modify the settings, click "Save" to store your changes or "Reset" to discard
them. Otherwise, click "Close" to shut the editor panel.
Click "Activate" in the toolbar at the top of the desktop to apply your configuration changes.
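Because the manual asks you to verify the SMTP settings before activating any notifications, the following added example (editor's code, not part of the gateprotect product or of this manual) performs the same exchange the notification daemon would: connect to the relay host, EHLO, STARTTLS when "Use TLS" is set, authenticate when "Relay Host needs authentication" is set, then send one test message. It first flags configurations a reviewer would reject, such as relay authentication over an unencrypted session. The `NotificationSmtp` fields mirror the panel's options; the `RecordingSmtp` stand-in, the host names and the credentials are assumptions that let the dry run work offline.

```python
"""Added example: dry-run and live test of the notification SMTP settings.
Editor's code, not part of gateprotect; relay, account and address names are made up."""
import smtplib
import ssl
from dataclasses import dataclass
from email.message import EmailMessage
from typing import Optional


@dataclass(frozen=True)
class NotificationSmtp:
    """Mirrors the "Notifications" panel: relay host, port, sender, recipient, TLS, auth."""
    relay_host: str
    port: int = 25
    mail_from: str = ""
    mail_to: str = ""
    use_tls: bool = False
    auth_user: Optional[str] = None
    auth_password: Optional[str] = None


def check_config(cfg: NotificationSmtp) -> list:
    """Return the problems a reviewer would flag before enabling notifications."""
    problems = []
    if not cfg.relay_host:
        problems.append("relay host missing")
    if not 0 < cfg.port < 65536:
        problems.append("port out of range")
    if "@" not in cfg.mail_from:
        problems.append("sender address malformed")
    if "@" not in cfg.mail_to:
        problems.append("recipient address malformed")
    if bool(cfg.auth_user) != bool(cfg.auth_password):
        problems.append("user and password must be set together")
    if cfg.auth_user and not cfg.use_tls:
        # SMTP AUTH only base64-encodes the password; without TLS it is readable on the wire.
        problems.append("relay authentication without TLS sends the password in cleartext")
    return problems


def build_test_message(cfg: NotificationSmtp, code: str = "INFO") -> EmailMessage:
    """Build a message shaped like a firewall notification (the subject carries the event type)."""
    msg = EmailMessage()
    msg["From"] = cfg.mail_from
    msg["To"] = cfg.mail_to
    msg["Subject"] = f"[gateprotect] {code}: notification test"
    msg.set_content("Test notification sent while verifying the SMTP settings.")
    return msg


def send_test_notification(cfg: NotificationSmtp, smtp_factory=smtplib.SMTP) -> dict:
    """Connect, EHLO, STARTTLS (if "Use TLS"), AUTH (if relay needs authentication), send.
    Raises ValueError instead of sending when check_config() finds problems."""
    problems = check_config(cfg)
    if problems:
        raise ValueError("; ".join(problems))
    with smtp_factory(cfg.relay_host, cfg.port, timeout=10) as smtp:
        smtp.ehlo()
        if cfg.use_tls:
            # Verify the relay's certificate against the system trust store.
            smtp.starttls(context=ssl.create_default_context())
            smtp.ehlo()  # capabilities must be re-read after the TLS upgrade
        if cfg.auth_user:
            smtp.login(cfg.auth_user, cfg.auth_password)
        return smtp.send_message(build_test_message(cfg))


class RecordingSmtp:
    """Offline stand-in for smtplib.SMTP (an assumption): records the command sequence."""
    last = None

    def __init__(self, host, port, timeout=None):
        self.calls = [f"connect {host}:{port}"]
        RecordingSmtp.last = self

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        self.calls.append("QUIT")

    def ehlo(self):
        self.calls.append("EHLO")

    def starttls(self, context=None):
        self.calls.append("STARTTLS")

    def login(self, user, password):
        self.calls.append(f"AUTH {user}")

    def send_message(self, msg):
        self.calls.append(f"MAIL FROM:{msg['From']} RCPT TO:{msg['To']}")
        return {}


def dry_run(cfg: NotificationSmtp) -> list:
    """Exercise send_test_notification() against the recorder and return the command trace."""
    send_test_notification(cfg, smtp_factory=RecordingSmtp)
    return RecordingSmtp.last.calls


if __name__ == "__main__":
    good = NotificationSmtp("mail.example.com", 587, "firewall@example.com", "secops@example.com",
                            use_tls=True, auth_user="notifier", auth_password="s3cret")
    print(dry_run(good))
    weak = NotificationSmtp("mail.example.com", 25, "firewall@example.com", "secops@example.com",
                            auth_user="notifier", auth_password="s3cret")
    print(check_config(weak))
```

Run `dry_run()` first to see the command sequence the configured options produce; then call `send_test_notification(cfg)` with the real `smtplib.SMTP` from a host in the "Reachable from Zone" zone, so that the test also exercises the firewall rule between that zone and the relay.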
The table below the SMTP setting options shows a list of event types that can be
enabled. For each type, the table includes a checkbox to enable or disable the notification, a type ( "Code" ) and a description of the message content ( "Body" ).
Notifications belong to one of three types:
● Critical errors (CRIT) indicate problems that require the immediate attention of an administrator.
● Warnings (WARN) are issued to alert an administrator to events that may require action soon.
● Info messages (INFO) are used to notify an administrator when certain events take place during daily operation. Events of this type do not typically require intervention.
If the mail server is located in a zone other than that in which the daemon is started, a
firewall rule must be defined to permit communication. Similarly, firewall rules have to
be configured to allow traffic if the mail server is running in a zone in the internal network and needs to send messages to recipients in another zone (such as WAN). For
further information, see Chapter 3.3, "Firewall Rule Settings", on page 22.
Settings
The "Settings" allow you to determine the host name of your gateprotect Firewall and
to specify the Captive Portal authentication method. You can also use these settings to
set the system date and time, to specify your time zone and to enable NTP servers.
Navigate to "Firewall > System > Settings" to display and edit the default system settings.
The "Hostname" entered here is used to identify the gateprotect Firewall in the local
network. The host name may consist of a combination of upper and lower case letters
of the English alphabet, dashes and dots.
You can use the default host name gateprotect.intern or adjust the name to suit
your network environment. The host name must include a suffix if you intend to set up
a warning page as described under Chapter 3.3, "Firewall Rule Settings", on page 22
and "Web Filter Profiles Settings"on page 101.
Under "Captive Portal Authentication" , specify the method used to authenticate users
when they log on to the Captive Portal. You can choose between the settings
internal and LDAP from the drop-down list. However, to be able to use LDAP, you
first need to configure the "Directory Service" settings accordingly (see "Directory Service" on page 51).
The "Path MTU Discovery" checkbox is selected by default. Path MTU Discovery dynamically determines the largest packet size (maximum transmission unit, MTU) that can be forwarded along a path without fragmentation. Clear the checkbox to apply individual MTU values for the WAN interfaces, for example when an upstream device filters the ICMP "fragmentation needed" messages that Path MTU Discovery depends on.
You can select your "Time Zone" from the drop-down list.
Since the system time is particularly important for services such as logging and reporting that rely on accurate and universally accepted timestamps, the system time is set
to Coordinated Universal Time (Etc/UTC) by default.
To manually change the "Date & Time" of the system, first click "Edit" and then on the
"Date & Time" input field. A pop-up window with a calendar and fields for changing the
date and time appears. Set the date and time as desired. If you wish to revert your
changes before saving, click "Reset" .
To set the time manually, NTP has to be disabled. Otherwise, the time will be reset
automatically as soon as the system sends the next NTP request.
You can also use remote network time protocol servers to set the system date and
time automatically. For this purpose, select the "NTP Client" checkbox. Click "Add" to
configure a new time server. Enter the IP address or the full host name of the desired
NTP server. Use the icons on the right to edit or remove an NTP server.
If more than one NTP server is configured, gateprotect Firewall automatically synchronizes the system clock with the server that transmits the best time signal.
If you modify the settings, click "Save" to store your changes or "Reset" to discard
them. Otherwise, click "Close" to shut the editor panel.
Click "Activate" in the toolbar at the top of the desktop to apply your configuration changes.
3.4.1.8 User Authentication
The "User Authentication" settings determine which users are authorized to connect to
gateprotect Firewall for VPN access and allow you to connect gateprotect Firewall to
an external directory server via the Lightweight Directory Access Protocol (LDAP) to
manage users that appear in the web interface. This allows you to set firewall regulations not just for computers but also for individual users.
Captive Portal
Once users have been set up as active users shown on the desktop and firewall rules
including these users have been configured, they can act according to the rules using
the so-called Captive Portal. The users have to enter the IP address of the LAN zone
in which they are located followed by port number 8080 (for example
http://192.168.100.1:8080) in the address bar of the browser. A special web
page presenting a logon page appears. After having signed in, the users will be able to
use the rule sets defined for them. Captive Portal authentication can be configured
under "Settings"on page 45.
For more detailed information on user authentication, see the following sections.
Single Sign-On
When using Single Sign-On (SSO), users can log on to a Windows client with their
Active Directory credentials and firewall rules configured on gateprotect Firewall concerning these users will be automatically applied.
SSO cannot be used in an IPsec C2S connection with iOS clients using certificates for
authentication and Active Directory.
Before SSO can be used, several preconditions have to be met.
As Kerberos is time-critical, make sure to use the same time/NTP server for all components (domain controller, Windows client and firewall).
> Preparing the Domain Controller
On the domain controller, two things have to be done:
● a user named gpLogin has to be created and
● a keytab file has to be generated and exported to your local disk.
The keytab contains the long-term key of the gpLogin account, so handle the exported file like a password: restrict access to it and delete the local copy once it has been imported into the firewall.
> Configuring the Firewall
In a next step, you need to set up gateprotect Firewall for SSO.
Under "Firewall > User Authentication > Single Sign-On" , you can configure your gateprotect Firewall to enable SSO.
The "Single Sign-On" settings allow you to configure the following elements:
Field / Description
"Keytab File": By clicking "Select File", you can import the keytab file generated on the domain controller. Note: The dialog changes as soon as the keytab file has been imported successfully.
"Zones": From the drop-down list, select the zones where you want to use SSO (the zone of the domain controller is not needed). To remove a zone from the list, click the icon on the left side of the name of the zone.
To disable SSO, click the "Delete" button to remove the keytab file.
The buttons at the bottom right of the editor panel allow you to shut ( "Close" ) the editor panel as long as no changes have been made and to store ( "Save" ) or to discard
( "Reset" ) your changes.
Under "LAN > Ethernet Zones" , you need to set the IP address of the domain controller as the primary DNS server for every Ethernet zone that is supposed to provide Windows clients with SSO capabilities.
Under "Nodes > Custom Hosts" , you can create a custom host node for the domain
controller on the desktop. The node is connected to the zone of the domain controller
and used to establish a connection between the zones that Windows clients are connected to and the domain controller.
During the connection process, the Windows clients need to receive a ticket from the domain controller. Therefore, you need to:
● establish connections between the zones that the Windows clients are connected to and the domain controller and
● set up a minimum of five firewall rules to allow traffic to pass between the Windows clients and the domain controller.
Under "Firewall > User Authentication > Directory Service" , you can connect the
domain controller to gateprotect Firewall to be able to configure user-specific firewall
rules.
Click "Activate" in the toolbar at the top of the desktop to apply your configuration changes.
> Configuring the Windows Client
The installation medium contains the UAClientSSO directory with three files:
● the UAClientSSOSetup.exe file, the setup program,
● the UAClientSSO.exe file and
● the UAClientSSO.msi file, the installation routine as an MSI file.
The first two files are needed to configure the Windows clients themselves for SSO.
For detailed instructions on setting up SSO, see Chapter 4.2, "Setting Up Single Sign-On", on page 137.
Local Users
gateprotect Firewall offers local user administration for smaller companies without central administration. Use the "Local Users" settings to define and manage users by
specifying the user names and passwords that are authorized to connect to gateprotect
Firewall for VPN access.
Navigate to "Firewall > User Authentication > Local Users" to display the list of local
users that are currently defined on the system in the item list bar.
In the expanded view, the columns of the table display the "Name" of the local user
and a "Description" if one was entered. The buttons in the last column allow you to
view and adjust the settings for an existing local user, create a new user based on a
copy of an existing local user, or delete a user from the system.
For further information, see Chapter 3.2, "Icons and Buttons", on page 21.
There are several ways to create a new local user. Either click the corresponding icon in the toolbar at the top of the desktop or navigate to "Firewall > User Authentication > Local Users" and click the plus button in the item list header.
To edit, copy or delete an existing local VPN user, navigate to either "Firewall > User
Authentication > Local Users" or use the circular menu around the desktop object.
The "Local User" settings allow you to configure the following elements:
Field / Description
"User Name": Enter a unique name for the local user which will be the logon name. Important: The user's logon name has to exactly match the "User Name" (case-sensitive). Otherwise, the name in the user-specific firewall rules will not correspond to the user logging on to the client and the rules will not match.
"Description": Optional: The information given here is for internal use for the administrator only.
"Password": Enter a password for the user and confirm it. It must consist of at least eight characters. Eight characters is only the enforced minimum; since these credentials grant VPN access, use considerably longer passwords.
"Show Password": Optional: Select the checkbox to verify the password.
"Activate User": This checkbox is pre-selected by default. You can deactivate a user to deny access but keep the credentials on the system for future use by clearing this checkbox. Note: Only active users are allowed to access the VPN.
"Show on Desktop": This checkbox is pre-selected by default. Clear the checkbox if you do not want the user to be displayed in the network overview on the desktop.
Only users for whom the "Activate User" and "Show on Desktop" checkboxes are
selected will be displayed on the desktop and are, therefore, available for connections
and firewall rules.
Figure 3-10: Sample Local User settings.
The buttons at the bottom right of the editor panel depend on whether you add a new
VPN user or edit an existing user. For a newly configured local user, click "Create" to
add the new user to the list of available local VPN users or "Cancel" to reject the creation. To edit an existing VPN user, click "Save" to store the reconfigured user or
"Reset" to discard your changes. You can click "Close" to shut the editor panel as long
as no changes have been made on it.
Click "Activate" in the toolbar at the top of the desktop to apply your configuration changes.
LDAP Users
It is possible to connect gateprotect Firewall to an external directory server via the
Lightweight Directory Access Protocol (LDAP) to manage users that appear in the web
interface. You can use these users in firewall rules.
LDAP can be used by medium to large companies to access directory services and to
manage user data.
Connect to a directory server as described under "Directory Service"on page 51.
If you are using the Microsoft Active Directory as the directory service, the "User Login
Attribute" in the directory service settings has to be userPrincipalName as Kerberos/GSSAPI only uses this attribute. The user's login name has to exactly match the
userPrincipalName (the name is case-sensitive). If you select another "User Login
Attribute" , the name of the imported user will not match the name used for logging on
to a Windows client. Therefore, the name in the user-specific firewall rules will not correspond to the user logging on and the rules will not match.
Navigate to "Firewall > User Authentication > LDAP Users" to display the list of users
that are currently defined on the directory server in the item list bar.
To make the LDAP users in this list available for use in connections and firewall rules, the users have to be added to the desktop by clicking the pin icon ("Pin this user to the desktop") next to the respective user in the item list bar.
The user's login name has to exactly match the name displayed on the desktop (case-sensitive). Otherwise, the name in the user-specific firewall rules will not correspond to the user logging on to the client and the rules will not match.
On the desktop, LDAP users are displayed with a lock symbol and cannot be edited because they are managed on the LDAP server.
It is also possible to pin all users to the desktop at once by clicking the pin icon ("Pin all users to desktop") in the header of the item list bar. However, it is not possible to unpin all users at once.
To remove individual LDAP users from the desktop, click the unpin icon ("Unpin this user from desktop") next to the user in the item list bar.
Removing an LDAP user from the desktop deletes all connections and rules linked to this user. To avoid accidental unpinning, you will be asked to confirm the unpin action.
To create connections and firewall rules for an LDAP user existing on the desktop, use the circular menu around the desktop object and click the corresponding icon.
Directory Service
Specify the connection parameters for the directory server that is used to manage the
LDAP users on your network.
Navigate to "Firewall > User Authentication > Directory Service" to configure the settings for the directory server.
The "Directory Service" settings allow you to configure the following elements:
> Server
The "Server" settings determine the directory server to which gateprotect Firewall connects and the communication methods that are used for the connection.
Field / Description
"Source Zone": From the drop-down list, select the network zone in which the server is located.
"Host or IP Address": Enter the host name or the IP address of the directory server.
"Server Timeout": Specify (in minutes) how long gateprotect Firewall should wait for responses from the server. The default server timeout is set to 10 minutes.
"use TLS" / "use SSL": Optional: To encrypt communication with the directory server, select either of the "use TLS" or "use SSL" checkboxes (or both). Important: To use SSL encryption, select "use SSL" on your gateprotect Firewall and configure this option on the directory server. If you select SSL on your gateprotect Firewall only, the directory server cannot be reached. LDAP over SSL (LDAPS) is conventionally served on port 636, whereas STARTTLS ("use TLS") upgrades the plain LDAP connection on port 389, so set "Port" to match the option you choose. With neither option selected, bind credentials and directory data are transmitted in cleartext.
"Port": From the drop-down list, select the port number to be used for communication. The Default LDAP port (389) is pre-selected for convenience but you can select one of the standard ports from the drop-down list or enter a Custom Port number from 1 to 65535 directly in the input field which appears when you select this option.
"LDAP Version": From the drop-down list, select the LDAP version used by your server. The more secure Version 3 is pre-selected by default. Nearly all servers support this version, so you should only change this setting if your server explicitly requires Version 2.
> User / Group Objects
The "Schema" setting allows you to select and adjust the settings for various directory
services, such as Microsoft Active Directory, Novell eDirectory, OpenLDAP, RFC2307
NIS or a custom type. By default, RFC2307 NIS is pre-selected from the drop-down
list.
The available options depend on the selected schema. Most settings use standard values which are shown in read-only fields.
● For Active Directory, only the following changes are allowed:
– Verify the "Qualified User Login Attribute" which is set to userPrincipalName by default.
– The "Group Member Selector" determines which attribute is used to determine a user's group membership if the schema does not include this information automatically. None is pre-selected by default from the drop-down list.
● For Novell eDirectory, you can adjust the following settings:
– The "Qualified User Login Attribute"
– The "Framed User IP" which is used to specify the user's IP address.
– The "Group Member Selector" determines which attribute is used to determine a user's group membership if the schema does not include this information automatically. By default, None is pre-selected from the drop-down list.
● The OpenLDAP and RFC2307 NIS schemas only allow the "Group Member Selector" to be changed. None is pre-selected by default from the drop-down list.
● If setting up a custom type schema, you can configure the following elements:
– The "User Object Class"
– Optional: The "Qualified User Login Attribute"
– Optional: The "Framed User IP"
– Optional: The "Group Member Attribute"
– The "User Login Attribute"
– Optional: The "User Group Attribute"
–Optional: The "Group Object Class"
–Optional: The "Group Member Selector"
> Access to LDAP Server
The settings in this section determine whether gateprotect Firewall connects to the
server anonymously or logs in using a specified user account to access the necessary
entries in the directory. By default, Anonymous is pre-selected from the drop-down list.
> Directory
The "Directory" settings allow you to specify the directory structure.
● Under "Search Base DN", enter a distinguished name as a sequence of relative distinguished names (RDN) separated by commas, such as three domain components dc=ldap,dc=example,dc=com, to define the location within the directory from where the directory search should start.
● The "LDAP Scope" setting determines the depth of the directory search:
– The default SUBTREE setting searches all entries under the defined search base (including the search base).
– The ONELEVEL option limits the search to the entries located immediately below the defined search base.
– The BASE setting verifies the existence of the specified search base.
The buttons at the bottom right of the editor panel allow you to shut ( "Close" ) the editor panel as long as no changes have been made and to store ( "Save" ) or to discard
( "Reset" ) your changes.
Click "Activate" in the toolbar at the top of the desktop to apply your configuration changes.
3.4.1.9 License
The exact feature set of each gateprotect Firewall depends on the license acquired from Rohde & Schwarz Cybersecurity.
Without any license purchased, the system operates on a minimal feature set, only allowing for a license to be downloaded or uploaded by the administrator.
The following features can be included in a license:
● Custom Decoder
● DynDNS
● Forensic Traffic Capture
● High Availability
● Mail Proxy
● Multi WAN
● WLAN (Wi-Fi)
Navigate to "Firewall > License" to view the validity period of your license or to upload
a new license. In fixed intervals, the deployed firewall will check whether a license
update for its Machine ID is available on the update server. At the same time, the expiration dates of the license and individual feature licenses are checked as well. When a
license has expired, all licensable features will be deactivated until a new license is
acquired.
To upload a new license, perform the following steps:
1. Click "Select" behind the "License File" field to choose a new license file from the
local disk.
2. Open the license file to upload it.
3. If the upload is successful, confirm that you want to log out by clicking "OK" .
4. On the logon page, enter your login credentials.
5. Click "Login" .
6. Reboot your gateprotect Firewall.
3.4.1.10 Time Profiles
You can specify custom time ranges during which firewall rules are applied to network
traffic. Time ranges can be based on combinations of the times of day, days of the
week, dates in each month and months of the year. This allows you to enable rules
using named intervals such as Office hours or Weekend.
Navigate to "Firewall > Time Profiles" to display the list of time profiles that are currently defined on the system in the item list bar.
In the expanded view, the left column of the table displays the "Name" of the time profile. The buttons in the last column allow you to view and adjust the settings for an
existing time profile, create a time profile based on a copy of an existing profile or
delete a profile from the system.
For further information, see Chapter 3.2, "Icons and Buttons", on page 21.
There are four preset time profiles available:
● Office hours – The rule is applied on weekdays (Monday to Friday) from 06:00 a.m. to 04:00 p.m.
● Outside office hours – The rule is applied on weekdays (Monday to Friday) from 04:00 p.m. to 06:00 a.m.
● Weekdays – The rule is applied around-the-clock from Monday to Friday.
● Weekend – The rule is applied around-the-clock on Saturday and Sunday.
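The "Outside office hours" preset is the interesting one: its timespan (04:00 p.m. to 06:00 a.m.) crosses midnight, so a naive "start <= now < end" comparison never matches. The following added example (editor's code, not the gateprotect implementation) models the four presets with the fields of the "Time Profiles" panel and evaluates whether a rule bound to a profile applies at a given moment. How the part of a wrapping span that falls after midnight is attributed to a weekday is not specified on this page; the example assumes it belongs to the calendar day on which the span started, and states that assumption in the code.

```python
"""Added example: evaluating time profiles, including a timespan that wraps past midnight.
Editor's code, not gateprotect's own implementation; the wrap-around interpretation is an assumption."""
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import FrozenSet, Union

WEEKDAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")


@dataclass(frozen=True)
class TimeProfile:
    name: str
    start: time                                    # timespan start (inclusive)
    end: time                                      # timespan end (exclusive); end <= start wraps past midnight
    days_of_week: FrozenSet[str] = frozenset(WEEKDAYS)
    months: FrozenSet[int] = frozenset(range(1, 13))
    days_of_month: FrozenSet[int] = frozenset(range(1, 32))


def _calendar_day_selected(day, profile: TimeProfile) -> bool:
    return (WEEKDAYS[day.weekday()] in profile.days_of_week
            and day.month in profile.months
            and day.day in profile.days_of_month)


def rule_active(profile: TimeProfile, when: Union[datetime, str]) -> bool:
    """True if a rule bound to `profile` applies at `when` (datetime or ISO 8601 string).

    Assumption for wrapping spans such as 16:00-06:00: the part after midnight belongs
    to the calendar day on which the span started, so Friday 16:00 runs until Saturday
    06:00, but Monday 00:00-06:00 is only covered if Sunday is a selected day."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    t = when.time()
    if profile.start < profile.end:                   # ordinary span inside one day
        return _calendar_day_selected(when.date(), profile) and profile.start <= t < profile.end
    if t >= profile.start:                            # evening part of a wrapping span (or a 24 h span)
        return _calendar_day_selected(when.date(), profile)
    if t < profile.end:                               # early-morning part, which started the day before
        return _calendar_day_selected((when - timedelta(days=1)).date(), profile)
    return False


def active_profiles(profiles, when) -> list:
    """Names of all profiles whose rules would currently be applied."""
    return [p.name for p in profiles if rule_active(p, when)]


# The four presets described in the manual, modelled with the fields above.
WORKDAYS = frozenset(WEEKDAYS[:5])
OFFICE_HOURS = TimeProfile("Office hours", time(6), time(16), WORKDAYS)
OUTSIDE_OFFICE_HOURS = TimeProfile("Outside office hours", time(16), time(6), WORKDAYS)
WEEKDAYS_PROFILE = TimeProfile("Weekdays", time(0), time(0), WORKDAYS)   # start == end: whole day
WEEKEND = TimeProfile("Weekend", time(0), time(0), frozenset(WEEKDAYS[5:]))
PRESETS = (OFFICE_HOURS, OUTSIDE_OFFICE_HOURS, WEEKDAYS_PROFILE, WEEKEND)

if __name__ == "__main__":
    # 2024-10-14 is a Monday, 2024-10-19 a Saturday.
    for stamp in ("2024-10-14T10:00:00", "2024-10-14T03:00:00", "2024-10-19T03:00:00"):
        print(stamp, active_profiles(PRESETS, stamp))
```

Note that under this interpretation both "Outside office hours" and "Weekend" apply early on Saturday morning, while early Monday morning is covered by neither; if a rule must apply continuously around the weekend, check the transition moments with `active_profiles()` rather than assuming the presets tile the week without gaps or overlaps.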
The "Time Profiles" settings allow you to configure the following elements:
Field / Description
"Name": Specify a name for the time profile.
"Timespan": Use the slider to set a specific timespan for this time profile.
"Month of Year": Select one or more months of the year to associate with the profile.
"Day of Week": Select one or more days of the week to associate with the profile.
"Day of Month": Select one or more days of the month to associate with the profile.
The buttons at the bottom right of the editor panel depend on whether you add a new
time profile or edit an existing profile. For a newly configured time profile, click "Create"
to add the profile to the list of available time profiles or "Cancel" to discard your
changes. To edit an existing time profile, click "Save" to store the reconfigured profile
or "Reset" to discard your changes. You can click "Close" to shut the editor panel as
long as no changes have been made on it.
The time profiles defined here are available for use in custom firewall rules as described under Chapter 3.3, "Firewall Rule Settings", on page 22. If a time profile is associated with a firewall rule and selected in the item list bar, the respective connection is
highlighted on the desktop. If you select a node on the desktop, the time profile associated with this node is highlighted in the item list bar.
Click "Activate" in the toolbar of the desktop to apply your configuration changes if the edited time profile is already associated with a firewall rule.
3.4.2 Network
Use the "Network" settings to create and edit firewall rules and to set up static routes, remote syslog servers, an SSL proxy, High Availability, Forensic Traffic Capture, and NAT rules.
3.4.2.1 Firewall Rules
Use these settings to define the firewall rules which are used to manage network traffic. For more detailed information on firewall rules, see Chapter 3.3, "Firewall Rule Set-
tings", on page 22.
Navigate to "Network > Firewall Rules" to display the list of firewall rules that are currently defined on the system.
The plus button above the filter settings allows you to add new firewall rules.
The settings dialog for firewall rules opens. For more detailed information on how to
create firewall rules, see Chapter 3.3, "Firewall Rule Settings", on page 22.
The "Filter Settings" allow you to narrow the list of firewall rules to display only rules
that include a certain search string. You can filter the contents by choosing the
required options in the drop-down lists and/or entering search strings in the respective
input fields. Click "Apply" to make use of the selected filter options. The list of firewall
rules is adjusted to reflect your filter results. Click "Reset" to delete the selected filter
options and display an unfiltered view of the list of firewall rules.
The table columns of the firewall rules list display the following information:
Column / Description
(Drag handle): Indicates that you can rearrange rules by dragging and dropping them in the list to create the desired sequence.
"State": The icon in this column indicates whether the firewall rule is active or not. Newly created rules are enabled by default.
"Name": This column displays the name of the firewall rule.
"Policy": This column displays the action to be performed by the firewall rule. There are four possible policies (see Chapter 3.3, "Firewall Rule Settings", on page 22 for a description of the policies): Allow, Continue, Drop and Reject.
"Sources": This column displays the source(s) of traffic flow to which the firewall rule is to be applied.
"Destinations": This column displays the destination(s) of traffic flow to which the firewall rule is to be applied.
"Applications": This column displays the number of applications and protocols selected for the firewall rule. Place the mouse pointer on the number to see a tooltip with the selected applications.
"Filters": This column displays the number of filters selected for the firewall rule. Place the mouse pointer on the number to see a tooltip with the selected filters.
The buttons in the last column allow you to view and adjust the settings for an existing
firewall rule, create a firewall rule based on a copy of an existing rule or delete a rule
from the system.
For further information, see Chapter 3.2, "Icons and Buttons", on page 21.
New rules are inserted at the top of the rule list by default (and thus executed before
any of the already existing rules). For best results, the most specific rules should be
placed at the beginning of the list, followed by more general rules that apply to a
broader range of traffic.
You can rearrange rules by dragging and dropping them in the list to create the desired
sequence.
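Rule order matters because evaluation stops at the first terminal match, so a general rule placed above a specific one silently disables the specific one. The following added example (editor's code, not the gateprotect rule engine) walks an ordered rule list exactly that way and, in addition, detects "shadowed" rules whose every possible match is already claimed by an earlier terminal rule, which is the check a reviewer would run over a rule list before clicking "Activate". The rule model, the addresses and the treatment of "Continue" as "record the match and keep evaluating" are assumptions of the example; the semantics of the four policies themselves are described in Chapter 3.3.

```python
"""Added example: first-match evaluation of an ordered rule list and detection of
shadowed rules. Editor's code, not the gateprotect rule engine; the rule model and the
treatment of "Continue" (record the match, keep evaluating) are simplifying assumptions."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    policy: str          # "Allow", "Continue", "Drop" or "Reject"
    sources: tuple       # CIDR strings; "any" matches every address
    destinations: tuple
    applications: tuple  # e.g. ("tcp/22",); "any" matches every application


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    application: str


def _nets(cidrs):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs if c != "any"]


def _addr_matches(addr, cidrs):
    return "any" in cidrs or any(ipaddress.ip_address(addr) in n for n in _nets(cidrs))


def _rule_matches(rule, pkt):
    return (_addr_matches(pkt.src, rule.sources)
            and _addr_matches(pkt.dst, rule.destinations)
            and ("any" in rule.applications or pkt.application in rule.applications))


def evaluate(rules, pkt, default="Drop"):
    """Walk the list top to bottom; return (decision, names of the rules that matched).
    Allow/Drop/Reject end the walk; "Continue" is recorded and evaluation proceeds."""
    trail = []
    for rule in rules:
        if _rule_matches(rule, pkt):
            trail.append(rule.name)
            if rule.policy != "Continue":
                return rule.policy, trail
    return default, trail


def _covers_addrs(outer, inner):
    """True if every address matched by `inner` is also matched by `outer`."""
    if "any" in outer:
        return True
    if "any" in inner:
        return False
    outer_nets = _nets(outer)
    return all(any(o.supernet_of(i) for o in outer_nets) for i in _nets(inner))


def _covers_apps(outer, inner):
    return "any" in outer or ("any" not in inner and set(inner) <= set(outer))


def shadowed(rules):
    """Names of rules that can never fire because an earlier terminal rule already
    matches everything they would match: the symptom of a general rule placed above
    a specific one."""
    names = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.policy != "Continue"
                    and _covers_addrs(earlier.sources, later.sources)
                    and _covers_addrs(earlier.destinations, later.destinations)
                    and _covers_apps(earlier.applications, later.applications)):
                names.append(later.name)
                break
    return names


# Constructed sample: an office LAN and an admin host (addresses are assumptions).
LAN = "192.168.100.0/24"
ADMIN_HOST = "10.0.0.5/32"
ALLOW_LAN = Rule("Allow LAN to anywhere", "Allow", (LAN,), ("any",), ("any",))
BLOCK_SSH = Rule("Block SSH to admin host", "Drop", (LAN,), (ADMIN_HOST,), ("tcp/22",))
LOG_LAN = Rule("Log LAN traffic", "Continue", (LAN,), ("any",), ("any",))

RULES_WRONG = (ALLOW_LAN, BLOCK_SSH)            # general rule first: the block never fires
RULES_RIGHT = (LOG_LAN, BLOCK_SSH, ALLOW_LAN)   # specific rule first, as the manual advises
SSH_TO_ADMIN = Packet("192.168.100.42", "10.0.0.5", "tcp/22")

if __name__ == "__main__":
    print(evaluate(RULES_WRONG, SSH_TO_ADMIN), shadowed(RULES_WRONG))
    print(evaluate(RULES_RIGHT, SSH_TO_ADMIN), shadowed(RULES_RIGHT))
```

`shadowed()` is deliberately conservative: it only reports a rule when an earlier terminal rule covers all of its sources, destinations and applications, so a rule that is merely partially eclipsed is not flagged and still deserves a look when the list is reordered by drag and drop.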
To close the "Firewall Rules" panel and return to the desktop, click the close icon in the upper right corner of the panel.
3.4.2.2 Static Routes
The routing settings allow you to define custom routes that are used to reach devices
on a given destination network.
Routes between zones are created automatically and hidden. You should not normally
need to create routes unless you have an upstream router that requires special routes.
To influence traffic between zones, create a firewall rule as described under Chap-
ter 3.3, "Firewall Rule Settings", on page 22.
For more detailed information on static routes, see the following sections.
Static Routes Overview
Navigate to "Network > Static Routes" to display the list of static routes that are currently defined on the system in the item list bar.
In the expanded view, the columns of the table display the "Name" of the static route,
the "Source" and the "Destination" network and the "Gateway" that is associated with
it. The buttons in the last column allow you to view and adjust the settings for an existing static route, create a new route based on a copy of an existing static route or delete
a route from the system.
For further information, see Chapter 3.2, "Icons and Buttons", on page 21.
Static Routes Settings
The "Static Routes" settings allow you to define custom routes that are used to reach
devices on a given destination network.
Under "Network > Static Routes" , you can add a new or edit an existing static route.
The "Static Route" settings allow you to configure the following elements:
Field / Description
"Name": Enter a name for the static route.
"Source": Select a network zone from the drop-down list. This source zone determines the point from which the network is reachable. All traffic to the destination network is routed through this zone.
"Destination": Enter the destination network in CIDR notation (the network address followed by a slash »/« and the prefix length, i.e. the number of bits set in the subnet mask, for example 192.168.50.0/24).
"Gateway": Enter an IP address as the gateway for this route. Traffic from the source zone to the destination network will be routed via this gateway (rather than the standard gateway). The gateway must be directly reachable from the selected source zone.
The buttons at the bottom right of the editor panel depend on whether you add a new
static route or edit an existing route. For a newly configured static route, click "Create"
to add the route to the list of available static routes or "Cancel" to discard your
changes. To edit an existing route, click "Save" to store the reconfigured route or
"Reset" to discard your changes. You can click "Close" to shut the editor panel as long
as no changes have been made on it.
Click "Activate" in the toolbar at the top of the desktop to apply your configuration changes.
For detailed instructions, see Chapter 4.3, "Setting Up a Static Route", on page 145.
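A static route that looks plausible in the panel can still be wrong in ways the fields themselves do not reveal: a host address typed where a network is expected, a gateway that is not on the source zone's subnet and therefore cannot be reached directly, or a gateway that lies inside the very network the route is meant to reach. The following added example (editor's code, not part of gateprotect) checks a route entry for these conditions before it is created. The requirement that the gateway sit inside the source zone's subnet is an assumption drawn from ordinary next-hop routing, and the sample addresses are constructed.

```python
"""Added example: consistency checks for a static route entry before it is created.
Editor's code, not part of gateprotect; the requirement that the gateway lie inside the
source zone's subnet is an assumption based on ordinary next-hop routing."""
import ipaddress


def validate_static_route(name, destination, gateway, source_zone_network):
    """Return a list of findings; an empty list means the entry is consistent."""
    findings = []
    try:
        dest = ipaddress.ip_network(destination, strict=True)
    except ValueError:
        try:
            dest = ipaddress.ip_network(destination, strict=False)
        except ValueError:
            return [f"{name}: destination {destination!r} is not valid CIDR notation"]
        # e.g. 192.168.50.1/24: a host address where a network address is expected
        findings.append(f"{name}: destination {destination} has host bits set; "
                        f"the network address is {dest}")
    try:
        gw = ipaddress.ip_address(gateway)
    except ValueError:
        return findings + [f"{name}: gateway {gateway!r} is not an IP address"]
    zone = ipaddress.ip_network(source_zone_network, strict=False)
    if gw.version != dest.version or gw.version != zone.version:
        return findings + [f"{name}: mixed IPv4/IPv6 entries"]
    if gw not in zone:
        findings.append(f"{name}: gateway {gw} is not inside the source zone {zone}, "
                        "so the firewall cannot hand packets to it directly")
    elif gw in (zone.network_address, zone.broadcast_address):
        findings.append(f"{name}: gateway {gw} is the network or broadcast address of {zone}")
    if gw in dest:
        findings.append(f"{name}: gateway {gw} lies inside the destination {dest}; "
                        "the route points to itself")
    if dest.prefixlen == 0:
        findings.append(f"{name}: {dest} replaces the zone's standard gateway; confirm this is intended")
    return findings


def validate_all(routes):
    """Check a sequence of (name, destination, gateway, source_zone_network) tuples at once."""
    return [f for r in routes for f in validate_static_route(*r)]


# Constructed sample table (addresses are assumptions).
SAMPLE_ROUTES = (
    ("Branch office", "192.168.50.0/24", "192.168.100.254", "192.168.100.0/24"),
    ("Typo host bits", "192.168.50.1/24", "192.168.100.254", "192.168.100.0/24"),
    ("Wrong zone", "192.168.50.0/24", "10.0.0.1", "192.168.100.0/24"),
    ("Circular", "192.168.100.0/24", "192.168.100.254", "192.168.100.0/24"),
)

if __name__ == "__main__":
    for finding in validate_all(SAMPLE_ROUTES):
        print(finding)
```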
3.4.2.3 Syslog Servers
On gateprotect Firewall, you can configure multiple external syslog servers to which log messages generated by different message sources are forwarded, filtered by their level of severity, for reporting purposes.
Syslog messages are sent in cleartext (not encrypted), usually to port 514, via either the User Datagram Protocol (UDP) or the Transmission Control Protocol (TCP), to the remote syslog server.
For more detailed information on external syslog servers, see the following sections.
Syslog Servers Overview
Navigate to "Network > Syslog Servers" to display the list of remote syslog servers that
are currently defined on the system in the item list bar.
In the expanded view, the columns of the table display the "Name" of the external
syslog server and the "Server Address" which consists of the IP address and the port.
For example, the server address 192.168.124.5:514 represents the IP address
192.168.124.5 and the port number 514. Furthermore, the "Protocol" type used for
the transmission of the text message is displayed. The buttons in the last column allow
you to view and adjust the settings for an existing external syslog server, create a
syslog server based on a copy of an existing external syslog server or delete a remote
syslog server from the system.
For further information, see Chapter 3.2, "Icons and Buttons", on page 21.
Syslog Servers Settings
The "Syslog Servers" settings allow you to specify connection details for multiple
remote syslog servers to forward log messages generated by different message sources based on the level of severity.
Under "Network > Syslog Servers", you can add a new remote syslog server or edit an existing one.
The "Syslog Server" settings allow you to configure the following elements:
Field – Description
"Name" – Enter a unique name for the remote syslog server.
"Zone" – From the drop-down list, select the network zone in which the server is located. Syslog servers may only be located in the LAN zones.
"Server Address" – Enter the host name or IP address of the server.
"Port" – Optional: Specify the port number to be used by entering a value. The value can be any integer from 1 to 65,535. Port number 514 is pre-defined by default as this is the standard port used for message logging.
"Protocol" – Optional: Select the protocol type to be used from the drop-down list. UDP is pre-selected by default.
"Message Level" – From the drop-down list, select the minimum logged severity level of each message source that can generate log messages:
● off – no messages are sent to the syslog server
● emergency – system is unusable (highest priority)
● alert – action must be taken immediately
● critical – critical conditions
● error – error conditions
● warning – warning conditions
● notice – normal but significant conditions
● info – informational messages
● debug – debug-level messages (lowest priority)
The buttons at the bottom right of the editor panel depend on whether you add a new
remote syslog server or edit an existing server. For a newly configured server, click
"Create" to add the server to the list of available remote syslog servers or "Cancel" to
discard your changes. To edit an existing server, click "Save" to store the reconfigured
server or "Reset" to discard your changes. You can click "Close" to shut the editor
panel as long as no changes have been made on it.
Click "Activate" in the toolbar at the top of the desktop to apply your configuration changes.
You can create multiple remote syslog servers within one network zone or for several zones. If the syslog server is not located within the managed network, an additional firewall rule may be needed to ensure connectivity.
"IPS/IDS", "Webfilter", "NAT Logging", "Firewall Alert" and "Malware" log messages sent to the remote syslog servers are based on the Common Event Format (CEF) standard.
For detailed instructions, see Chapter 4.5, "Setting Up a Syslog Server", on page 146.
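The following Python code is an added example, not part of this manual or of the product. It shows, from the collector's side, what the "Message Level" threshold means (the levels listed above are the syslog severities in RFC 5424 order, so a source set to warning sends warning and everything more severe) and parses the CEF records such a source forwards for the IPS/IDS, web filter, NAT logging, firewall alert and malware messages. The sample lines are constructed; the vendor, product, signature IDs and extension keys are assumptions chosen for the example and are not the appliance's actual output.

```python
import re
from dataclasses import dataclass, field

# "Message Level" choices from most to least severe; the index equals the
# RFC 5424 syslog severity code, 0 (emergency) .. 7 (debug).
LEVELS = ["emergency", "alert", "critical", "error", "warning", "notice", "info", "debug"]
SEVERITY_CODE = {name: code for code, name in enumerate(LEVELS)}


def should_forward(message_level: str, msg_severity: str) -> bool:
    """'off' forwards nothing; any other level forwards messages at that level
    or more severe (a lower code)."""
    if message_level == "off":
        return False
    return SEVERITY_CODE[msg_severity] <= SEVERITY_CODE[message_level]


def split_syslog_pri(line: str):
    """Strip the <PRI> prefix: (facility, severity, payload); PRI = facility * 8 + severity."""
    m = re.match(r"<(\d{1,3})>(.*)", line, re.S)
    if not m:
        return None, None, line
    pri = int(m.group(1))
    return pri // 8, pri % 8, m.group(2)


@dataclass
class CefEvent:
    version: str
    vendor: str
    product: str
    device_version: str
    signature_id: str
    name: str
    severity: str
    extension: dict = field(default_factory=dict)


def _split_header(text: str):
    """Seven '|'-separated header fields ('\\|' and '\\\\' are escapes inside a
    field); everything after the seventh '|' is the extension."""
    parts, cur, i = [], [], 0
    while i < len(text) and len(parts) < 7:
        c = text[i]
        if c == "\\" and i + 1 < len(text):
            cur.append(text[i + 1])
            i += 2
        elif c == "|":
            parts.append("".join(cur))
            cur, i = [], i + 1
        else:
            cur.append(c)
            i += 1
    if len(parts) != 7:
        raise ValueError("CEF header needs 7 '|'-separated fields")
    return parts, text[i:]


_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")   # start of a key=value pair
_ESC = re.compile(r"\\(.)")                         # backslash escapes in values


def _parse_extension(ext: str) -> dict:
    """Values run up to the next ' key=' token and may contain spaces;
    '\\=' and '\\\\' are unescaped, '\\n' and '\\r' become line breaks."""
    keys = list(_KEY.finditer(ext))
    out = {}
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        raw = ext[m.end():end].strip()
        out[m.group(1)] = _ESC.sub(lambda e: {"n": "\n", "r": "\r"}.get(e.group(1), e.group(1)), raw)
    return out


def parse_cef(text: str) -> CefEvent:
    header, ext = _split_header(text)
    if not header[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    return CefEvent(header[0][4:], *header[1:], extension=_parse_extension(ext))


def forward(lines, message_level: str) -> list:
    """The parsed CEF records that a source set to message_level would send."""
    kept = []
    for line in lines:
        _facility, sev, payload = split_syslog_pri(line)
        if sev is not None and should_forward(message_level, LEVELS[sev]):
            kept.append(parse_cef(payload))
    return kept


# Constructed sample lines, not captured output: vendor, product, signature
# IDs and extension keys are assumptions chosen for the example.
SAMPLE_LINES = [
    "<134>CEF:0|ExampleVendor|ExampleFirewall|16.2.1|IPS-1001|Port scan|7|"
    "src=203.0.113.9 dst=192.168.10.20 dpt=22 proto=TCP msg=rule\\=default act=blocked",
    "<139>CEF:0|ExampleVendor|ExampleFirewall|16.2.1|WF-2002|Web\\|filter|3|"
    "src=192.168.10.33 request=http://example.com/a\\|b",
]

if __name__ == "__main__":
    for ev in forward(SAMPLE_LINES, "warning"):   # <134> is info and is dropped
        print(ev.signature_id, ev.name, ev.extension)
```

Because the transport is cleartext, place the collector on a segment the firewall reaches without crossing untrusted hops, and when messages seem to be missing check the "Message Level" threshold first: a source set to warning never emits notice, info or debug records, so their absence is not a transport problem.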
3.4.2.4 SSL Proxy
The "SSL Proxy" settings allow you to select the certificate that is used to encrypt
secure sessions and specify what to do when a user visits a site with an invalid certificate.
A proxy is a program that mediates between a client (an application, for example a web browser) and a server (for example a web server). An SSL certificate is a digital file that authenticates the identity of an entity and is used to encrypt information transmitted between client and server. The SSL proxy intercepts these SSL-encrypted connections so that gateprotect Firewall can evaluate the incoming traffic and apply the configured firewall rules to it.
Navigate to "Network > SSL Proxy" to configure the settings for the SSL proxy.
The SSL proxy server certificate is evaluated by the gateprotect Firewall. Under "Handling", decide what to do if the certificate is not trusted:
● Use invalid certificate (invalidate connection) – a different invalid certificate is presented to the client,
● Use valid certificate (validate connection) – even though the connection is distrusted, a valid SSL Proxy Certificate Authority is presented to the client, or
● Block the connection – the connection is blocked and no traffic is possible.
The buttons at the bottom right of the editor panel allow you to shut ("Close") the editor panel as long as no changes have been made and to store ("Save") or to discard ("Reset") your changes.
Click "Activate" in the toolbar at the top of the desktop to apply your configuration changes.
3.4.2.5 High Availability
"High Availability" allows two independent gateprotect Firewall systems to be connected in a master/slave configuration that provides failover capability. If the master
machine becomes unavailable, the standby (slave) machine assumes its duties.
The master and slave systems are connected via a Cluster Interconnect cable that
allows them to communicate with one another and monitor the status of the paired system. If the slave system fails to detect a »heartbeat« signal from the master, it takes
over the role of the master system (in the event of power outage, hardware failure/
shutdown, and so forth). All communication via the Cluster Interconnect cable is
secured via IPsec.
The following figure illustrates a typical network environment with a redundant master/
slave configuration for High Availability.
Figure 3-11: Sample network setup for High Availability.
High Availability Settings
Use the "High Availability" settings to specify the connection parameters for the master/slave configuration.
The High Availability feature requires two identical systems of the same hardware type
(for example GP-E-800 with GP-E-800 or GP-S-1600 with GP-S-1600) and software
version, each with a free network interface (NIC) that is not currently associated with a
zone. For more information, see Chapter 3.4.3.1, "Ethernet Zones", on page 68. The
same NIC must be used on both systems for Cluster Interconnection.
The master system synchronizes its initial configuration and any subsequent configuration changes to the slave system to ensure that the same configuration will be used in
the event of failure.
Before the High Availability feature can be enabled, all pending configuration changes must be applied. (If the "Activate" button is highlighted in the toolbar at the top of the desktop, click it to apply your changes.)
To set up High Availability, complete the following steps:
1. On the master system:
● Log in to the web client.
● Under "Network > High Availability":
– Use the slider switch to enable High Availability.
– Set "Mode" to Master.
– From the drop-down list, select an "Interface" as the Cluster Interconnect interface.
– Click "Save" to store your settings.
2. On the standby (slave) system:
● Connect the slave system to the master with the Cluster Interconnect cable. Make sure to connect it to the NIC that you selected when configuring the master.
● Log in to the web client.
● Under "Network > High Availability":
– Use the slider switch to enable High Availability.
– Set "Mode" to Slave.
– From the drop-down list, select the same "Interface" as chosen on the master.
– Click "Save" to store your settings.
3. Connect the slave system with the same WAN (the MAC address can be found under "Firewall > Status") and LAN network components as the master system (see Figure 3-11).
Only the master system can be reached and configured via the web interface.
The High Availability status in the "Maintenance" section under "Firewall > Status" displays one of four states (see Chapter 3.4.1.1, "Status", on page 29):
● not enabled (yellow) – High Availability is disabled (default setting)
● not configured (yellow) – the master system is synchronizing its initial configuration to the slave system when the slave system is connected for the first time
● OK (green) – the slave system was effectively connected and synching was successful
● no slave (yellow) – no slave system is connected or available
When using High Availability, neither the PCAP files nor the FTC files are copied from
the master system to the slave system. Also, if the slave system takes over, it does not
always carry on forensic traffic capturing as it did not see the beginning of the flow.
Updating and Disabling High Availability Configurations
When High Availability is enabled, several important considerations apply:
● Any updates to non-system modules (such as Application Signatures, Certificates, IPS, Anti-Malware, and Web Filter rules) are applied on the master node only. The changes are replicated to the slave including the version numbers of these updates.
● In a High Availability configuration, system updates must be installed in two phases (see also Chapter 3.4.1.3, "Updates", on page 33). First, by clicking "Download", "Install" and "Reboot" on the master system, the standby (slave) system is updated and rebooted. If the update was successful, the former slave takes over the master role, since the software version is newer than the software version on the other system. Then, the former master is updated and rebooted by clicking "Download", "Install" and "Reboot" on the new master system. After restarting, the new slave (former master) retains the role of standby system. Do not make changes to the system at any point in this process.
Important: Always update both systems (master and slave). Otherwise, High Availability does not work correctly.
● As long as the slave has an older version running (in the second update phase), no synchronization is performed as the old system may not understand newer configuration files. It is not advisable to keep this state for too long.
● Switching off High Availability on a working pair will only switch off the feature on the master. In this case, the slave would take over and the old master would run normally without High Availability. Both machines would deliver the same services on the network, which would have unintended effects. So, it is advisable not to switch off High Availability in such a configuration. It is better to switch off one machine beforehand and perform a factory reset there. The other machine can still work with High Availability switched on and later High Availability can be switched off there.
● To remove the slave system from the High Availability configuration and operate it as a standalone system, unplug the cable to the LAN zone and reset the system to the factory default configuration.
3.4.2.6 Support Access
Enable support access to grant the Rohde & Schwarz Cybersecurity support team
remote access to your gateprotect Firewall via the command-line interface (CLI) in
case of problems.
Navigate to "Network > Support Access" to activate remote access to your gateprotect
Firewall.
The "Support Access" settings allow you to configure the following elements:
Field – Description
"On" / "Off" – A slider switch indicates whether the support access is currently enabled ("On") or disabled ("Off"). By clicking on the slider switch you can toggle the state of this service. The support access is disabled by default.
"Public IP address" – Displays the public IP address of your gateprotect Firewall.
"Active Period" – Set the time (in minutes) for how long remote access will be granted. When this time elapses, the CLI access will be disabled automatically.
"Start Time" – Set the date and time when remote access to the gateprotect Firewall will become available for the support team.
The buttons at the bottom right of the editor panel allow you to shut ("Close") the editor panel as long as no changes have been made and to store ("Save") or to discard ("Reset") your changes.
Click "Activate" in the toolbar at the top of the desktop to apply your configuration changes.
3.4.2.7 FTC (Forensic Traffic Capture)
Forensic Traffic Capture (FTC) can be used to identify the precise timing, scope, and
nature of a malicious attack from outside or inside sources on your network.
Two types of files are captured for each flow:
● PCAP files – contain the stored packets of a flow and
● FTC files – contain metadata (for example, the protocol type, information about the connection and, if applicable, an RSA Session ID and a Master Key to decrypt encrypted traffic stored in the appropriate PCAP file).
To examine the downloaded PCAP files, use any packet analyzer (e.g. Wireshark).
FTC Overview
Navigate to "Network > FTC" to display the list of custom firewall rules in which Forensic Traffic Capture is enabled in the item list bar.
In the expanded view, the columns of the table display the name of the custom firewall
"Rules" and the number of "FTC Files" and "PCAP Files" captured by it. The buttons in
the last two columns allow you to delete, download, and view all captured traffic for the
rule.
For further information, see Chapter 3.2, "Icons and Buttons", on page 21.
FTC Settings
Use the FTC "Settings" to view and edit the pre-defined storage policy to be used
when enabling Forensic Traffic Capture in custom firewall rules.
Under "Network > FTC > Settings", you can view the pre-defined FTC profile.
The "Settings" panel allows you to edit the following elements:
[Figure 3-12: FTC profile settings. The figure shows an FTC profile with its rules and flows and their PCAP files, labelled "Max PCAPs per Rule", "Max Flow Depth in MB", "Max PCAP Size in MB" and "Profile Quota in MB".]
Field – Description
"Max number of PCAPs" – Specify the maximum number of PCAP files to be stored for all firewall rules and flows using the FTC profile. The default maximum number is set to 500. To separate flows from each other for a more effective analysis, PCAP files are stored separately for each single flow.
"Queue override" – A slider switch indicates whether this option is enabled ("On") or disabled ("Off"). By clicking the slider switch, you can toggle the state of this option. If enabled (default setting), the oldest PCAP files will be overwritten when the maximum number of PCAP files per rule has been saved. Otherwise, no further PCAP files will be stored when the defined maximum value is reached.
"Max disk usage" – Specify the maximum storage capacity (in megabytes) to reserve for the PCAP files captured with this profile. The default maximum storage capacity is set to 5000 megabytes. Note: Only one storage location is set up. This local storage location is used by the default FTC profile. The storage space for the local storage location is restricted to five gigabytes.
"Flow depth" – Define (in megabytes) how much data to store from the beginning of a flow. The default setting is 500 megabytes.
"Max PCAP size" – Set (in megabytes) the maximum size of a single PCAP file. The default maximum size is set to 10 megabytes.
Figure 3-12: FTC profile settings.
The buttons at the bottom right of the editor panel allow you to shut ("Close") the editor panel as long as no changes have been made and to store ("Save") or to discard ("Reset") your changes.
Click "Activate" in the toolbar at the top of the desktop to apply your configuration changes.
The FTC profile defined here is available for use in custom firewall rules as described
under Chapter 3.3, "Firewall Rule Settings", on page 22.
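The storage policy is easiest to understand by simulating it. The following Python model is an added example, not code from this manual or the product: it applies "Flow depth", "Max PCAP size", "Max number of PCAPs", "Max disk usage" and "Queue override" to constructed capture volumes and makes the trade-off behind "Queue override" visible, which is either overwriting the oldest evidence or silently ending capture. Two simplifying assumptions are built in: the file and disk limits are enforced at profile level, and each capture() call is written into its own PCAP files rather than appended to an open file.

```python
import math
from collections import deque
from dataclasses import dataclass, field


@dataclass
class FtcProfile:
    """The five fields of the FTC "Settings" panel, with the manual's defaults."""
    max_pcaps: int = 500            # "Max number of PCAPs"
    queue_override: bool = True     # "Queue override"
    max_disk_mb: float = 5000       # "Max disk usage"
    flow_depth_mb: float = 500      # "Flow depth"
    max_pcap_size_mb: float = 10    # "Max PCAP size"

    def files_per_flow(self) -> int:
        """How many PCAP files one fully captured flow occupies at most."""
        return math.ceil(self.flow_depth_mb / self.max_pcap_size_mb)

    def file_capacity(self) -> int:
        """How many full-size PCAP files fit before the first limit is reached."""
        return min(self.max_pcaps, int(self.max_disk_mb // self.max_pcap_size_mb))


@dataclass(frozen=True)
class Pcap:
    flow: str
    seq: int
    size_mb: float


@dataclass
class FtcStore:
    """Simplified model of the storage policy (assumption: each capture() call
    is written into PCAP files of at most max_pcap_size_mb; a real capture
    would keep appending to the current file across calls)."""
    profile: FtcProfile
    files: deque = field(default_factory=deque)     # oldest file first
    seen_mb: dict = field(default_factory=dict)     # traffic seen per flow
    next_seq: dict = field(default_factory=dict)    # next PCAP number per flow
    dropped_mb: float = 0.0                         # lost when limits hit (override off)
    evicted: int = 0                                # oldest files overwritten (override on)

    def disk_mb(self) -> float:
        return sum(f.size_mb for f in self.files)

    def _make_room(self, size_mb: float) -> bool:
        """Enforce "Max number of PCAPs" and "Max disk usage" before one more file."""
        while self.files and (len(self.files) >= self.profile.max_pcaps
                              or self.disk_mb() + size_mb > self.profile.max_disk_mb):
            if not self.profile.queue_override:
                return False           # no further files are stored
            self.files.popleft()       # overwrite the oldest file
            self.evicted += 1
        return True

    def capture(self, flow: str, mb: float) -> None:
        """Record mb megabytes of traffic belonging to flow."""
        seen = self.seen_mb.get(flow, 0.0)
        self.seen_mb[flow] = seen + mb
        # "Flow depth": only the first flow_depth_mb of a flow are ever stored.
        storable = max(0.0, min(mb, self.profile.flow_depth_mb - seen))
        while storable > 0:
            chunk = min(storable, self.profile.max_pcap_size_mb)
            if not self._make_room(chunk):
                self.dropped_mb += storable
                return
            seq = self.next_seq.get(flow, 0)
            self.files.append(Pcap(flow, seq, chunk))
            self.next_seq[flow] = seq + 1
            storable -= chunk

    def summary(self) -> dict:
        return {"files": len(self.files), "disk_mb": self.disk_mb(),
                "evicted": self.evicted, "dropped_mb": self.dropped_mb}


if __name__ == "__main__":
    # Constructed scenario with small limits so the policy is visible.
    for override in (True, False):
        store = FtcStore(FtcProfile(max_pcaps=4, queue_override=override,
                                    max_disk_mb=100, flow_depth_mb=25, max_pcap_size_mb=10))
        store.capture("flow-1", 30)   # 25 MB stored (flow depth), 3 files
        store.capture("flow-2", 20)   # fourth file fits, the fifth hits the limit
        print("override" if override else "stop", store.summary())
```

With the manual's defaults, files_per_flow() is 50 and file_capacity() is 500, so the file count and the 5000 MB disk limit are reached together; lowering "Max PCAP size" without raising "Max number of PCAPs" makes the file limit the binding one. Either way the oldest flows are the ones that disappear when "Queue override" is on, which matters if the beginning of an incident is what the investigation needs.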
FTC Data
Navigate to "Network > FTC" to display information about the forensic traffic captured
for each custom firewall rule in which FTC has been enabled.
> FTC Data Summary
Click the view button in the Summary row in the item list bar.
The panel that opens displays the volume of data in the local box storage, the number of custom firewall rules which are generating FTC data and the resultant number of PCAP and FTC files stored for all firewall rules. The buttons allow you to download the files which were captured by all firewall rules or remove them from the local box storage.
Click "Close" to shut the panel.
> Rule-Specific FTC Data
To view rule-specific FTC data, click the view button in the row of a custom firewall rule in the item list bar.
On the panel which opens, each row displays the name of a stored FTC or PCAP file and buttons which allow you to download individual files or delete them from the storage location and to view more information about the files, such as when the files were created or updated, or their size.
Click "Close" to shut the panel.
3.4.2.8 NAT Rules
Network address translation (NAT) automatically modifies address information in packets.
NAT provides IP address masquerading to secure connections between internal and external addresses, for example connections of clients on the internal network, by hiding their private IP addresses behind the public IP address of gateprotect Firewall.
NAT Rules Overview
Navigate to "Network > NAT Rules" to display the list of NAT rules that are currently
defined on the system in the item list bar.
The NAT rules are grouped by the zones they belong to. In the expanded view, the left
column of the table displays the "Name" of an existing NAT rule. The "Active" column
indicates whether the NAT rule is enabled or not. The buttons in the last column allow
you to view and adjust the settings of an existing NAT rule, create a rule based on a
copy of an existing NAT rule or delete a rule from the system.
For further information, see Chapter 3.2, "Icons and Buttons", on page 21.
NAT Rules Settings
The "NAT Rules" settings allow you to manipulate packets directly in a zone.
The "NAT Rule" settings allow you to configure the following elements:
Field – Description
"On" / "Off" – A slider switch indicates whether the NAT rule is active ("On") or inactive ("Off"). By clicking the slider switch, you can toggle the state of the NAT rule. A new NAT rule is enabled by default.
"Name" – Enter a name for the NAT rule.
"Zone" – From the drop-down list, select a network zone to which the rule is to be applied.
"Network Interface" – Optional: If you select WAN in "Zone", you can specify the interface to be used.
"Type" – From the drop-down list, select one of the following NAT types:
● Source NAT – allows you to change the source address and the source port of a packet.
● Destination NAT – allows you to change the destination address and the destination port of a packet.
● Source NETMAP – allows you to map the source address and the source port of an entire network.
● Destination NETMAP – allows you to map the destination address and the destination port of an entire network.
When you select an interface of the WAN zone for a Source NAT rule, this rule is
applied to traffic going out of the selected interface. Incoming traffic is NOT affected.
When you select an interface of the WAN zone for a Destination NAT rule, this rule
is applied to traffic coming in on the selected interface. Outgoing traffic is NOT affected.
In the "Traffic Selection" tab, specify the traffic that the NAT rule is to be applied to:
Field – Description
"Source Address" – Define the source IP address of the traffic to be manipulated.
"Destination Address" – Define the destination IP address of the traffic to be manipulated.
"Protocol" – Specify the protocol to which the NAT rule is to be applied ("Any", "TCP" or "UDP").
"Source Ports" – Optional and only available if the selected "Protocol" is not "Any": specify the source ports or valid source port ranges to be selected.
"Destination Ports" – Optional and only available if the selected "Protocol" is not "Any": specify the destination ports or valid destination port ranges to be selected.
In the "Traffic Manipulation" tab, specify what operation is to be performed on the
selected traffic. The available options depend on the selected NAT type and protocol:
Field – Description
"New Source Address" – Specify a new source IP address for the selected traffic.
"New Source Ports" – Specify a new source port or a source port range for the selected traffic.
"New Destination Address" – Specify a new destination IP address for the selected traffic.
"New Destination Ports" – Specify a new destination port or a destination port range for the selected traffic.
"New Source Subnet" – Enter a new source subnet that the selected traffic is to be mapped to in CIDR notation (IP address followed by a slash »/« and the number of bits set in the subnet mask, for example 192.168.50.1/24).
"New Destination Subnet" – Enter a new destination subnet that the selected traffic is to be mapped to in CIDR notation (IP address followed by a slash »/« and the number of bits set in the subnet mask, for example 192.168.50.1/24).
The "Priority" tab displays a list of the existing NAT rules in the selected zone. To
change the priority of the current NAT rule, drag and drop it to the desired position in
the list.
The buttons at the bottom right of the editor panel depend on whether you add a new
NAT rule or edit an existing rule. For a newly configured NAT rule, click "Create" to add
the rule to the list of available NAT rules or "Cancel" to discard your changes. To edit
an existing rule, click "Save" to store the reconfigured rule or "Reset" to discard your
changes. You can click "Close" to shut the editor panel as long as no changes have
been made on it.
Click "Activate" in the toolbar at the top of the desktop to apply your configuration changes.
For configuration examples, see Chapter 4.4, "Using NAT Rules", on page 146.
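The following Python code is an added example, not part of this manual or of the gateprotect software. It applies the four NAT types to constructed packets so that the difference between address replacement (Source/Destination NAT) and whole-network mapping (NETMAP, which keeps the host part of the address) is visible, and it walks the rules in "Priority" order, which is why a more specific rule has to sit above a general masquerading rule. All addresses are documentation ranges chosen for the example; the rule names and the single-port form of "New Source/Destination Ports" are simplifications.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str  # "TCP" or "UDP"


@dataclass
class NatRule:
    name: str
    nat_type: str                                  # "Source NAT", "Destination NAT", "Source NETMAP", "Destination NETMAP"
    src_addr: str = "0.0.0.0/0"                    # "Traffic Selection": "Source Address" (CIDR)
    dst_addr: str = "0.0.0.0/0"                    # "Destination Address" (CIDR)
    proto: str = "Any"                             # "Any", "TCP" or "UDP"
    src_ports: Optional[Tuple[int, int]] = None    # "Source Ports" range, inclusive
    dst_ports: Optional[Tuple[int, int]] = None    # "Destination Ports" range, inclusive
    new_addr: Optional[str] = None                 # "New Source/Destination Address"
    new_port: Optional[int] = None                 # "New Source/Destination Ports" (one port here)
    new_subnet: Optional[str] = None               # "New Source/Destination Subnet" (NETMAP)
    active: bool = True                            # the "On"/"Off" slider

    def matches(self, p: Packet) -> bool:
        """Does the packet fall under this rule's "Traffic Selection"?"""
        if not self.active:
            return False
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src_addr, strict=False):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst_addr, strict=False):
            return False
        if self.proto != "Any":
            # Port selectors exist only when a concrete protocol is chosen.
            if p.proto != self.proto:
                return False
            if self.src_ports and not self.src_ports[0] <= p.sport <= self.src_ports[1]:
                return False
            if self.dst_ports and not self.dst_ports[0] <= p.dport <= self.dst_ports[1]:
                return False
        return True


def netmap(addr: str, from_net: str, to_net: str) -> str:
    """1:1 mapping of a whole network: the host part is kept and the network
    part swapped, so 10.0.0.77 in 10.0.0.0/24 becomes 172.16.5.77 in 172.16.5.0/24."""
    a = ipaddress.ip_address(addr)
    src = ipaddress.ip_network(from_net, strict=False)
    dst = ipaddress.ip_network(to_net, strict=False)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("NETMAP needs two subnets of the same size")
    if a not in src:
        raise ValueError(f"{a} is not in {src}")
    return str(dst.network_address + (int(a) - int(src.network_address)))


def apply_rules(rules, p: Packet):
    """Apply the first active rule (in "Priority" order) whose selection matches;
    returns the rewritten packet and the rule name, or (p, None) if none matches."""
    for r in rules:
        if not r.matches(p):
            continue
        if r.nat_type == "Source NAT":
            return replace(p, src=r.new_addr, sport=r.new_port or p.sport), r.name
        if r.nat_type == "Destination NAT":
            return replace(p, dst=r.new_addr, dport=r.new_port or p.dport), r.name
        if r.nat_type == "Source NETMAP":
            return replace(p, src=netmap(p.src, r.src_addr, r.new_subnet)), r.name
        if r.nat_type == "Destination NETMAP":
            return replace(p, dst=netmap(p.dst, r.dst_addr, r.new_subnet)), r.name
        raise ValueError(f"unknown NAT type {r.nat_type!r}")
    return p, None


# Constructed rule set for one WAN interface (documentation address ranges).
RULES = [
    # The more specific rule comes first: mail leaves with its own public address.
    NatRule("mail-out", "Source NAT", src_addr="192.168.10.0/24", proto="TCP",
            dst_ports=(25, 25), new_addr="203.0.113.2"),
    NatRule("masquerade", "Source NAT", src_addr="192.168.10.0/24", new_addr="203.0.113.1"),
    NatRule("web-forward", "Destination NAT", dst_addr="203.0.113.1/32", proto="TCP",
            dst_ports=(443, 443), new_addr="192.168.10.20", new_port=8443),
    NatRule("partner-netmap", "Source NETMAP", src_addr="10.0.0.0/24", new_subnet="172.16.5.0/24"),
]

if __name__ == "__main__":
    for pkt in [Packet("192.168.10.5", 40000, "198.51.100.7", 25, "TCP"),
                Packet("198.51.100.7", 50000, "203.0.113.1", 443, "TCP"),
                Packet("10.0.0.77", 1234, "192.168.10.9", 53, "UDP")]:
        print(apply_rules(RULES, pkt))
```

Swapping the first two rules in the "Priority" tab would make masquerade catch the mail traffic first, so mail-out would never apply; the simulation makes such ordering mistakes visible before the rule set is activated.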
3.4.3 LAN
Go to the "LAN" settings to organize your network by setting up Ethernet, WLAN and
VLAN zones.
3.4.3.1 Ethernet Zones
Use the "Ethernet Zones" settings to define the settings to be used for the subnets
being connected to the physical interfaces.
Logical network zones are used to divide the physical Ethernet interfaces on gateprotect Firewall into named groups so that firewall rules and web filters can be applied to
all members of a group at once.
In the default configuration, gateprotect Firewall ships with pre-defined zones:
● The eth0 interface is assigned to the "WAN" zone. Make sure that this interface is used to connect gateprotect Firewall with the external network (Internet).
● The eth1 interface is assigned to the "Mgmt_Zone" (management zone), with
– "Web Admin Access", an encrypted connection to the web interface, being activated and
– a DHCP server running on the management port (192.168.255.0/24) to allow you to connect a PC and configure the system even if it is not (yet) reachable via the network.
Important: After putting gateprotect Firewall into operation for the first time, the "Mgmt_Zone" can be renamed and used like any other »LAN« zone, but at least one Ethernet zone has to have the "Web Admin Access" activated to ensure that gateprotect Firewall remains accessible. It is advisable to use eth1 for this purpose, as all interfaces except for eth0 and eth1 are disabled when the license expires.
Note: When updating from a version prior to v16.1.2 to version 16.1.2 or higher, the "Mgmt_Zone" is created during the update process.
● The remaining interfaces (eth2, eth3, and so forth) are assigned to the »LAN« zone.
If you require a free interface for other purposes such as High Availability or multi-WAN, you need to delete one of the available Ethernet zones. To do so, use the delete button in the Ethernet zones list (see "Ethernet Zones Overview" on page 70).
All interfaces are activated automatically when the box is put into operation.
Figure 3-13: Sample network zones.
For more detailed information on Ethernet zones, see the following sections.
Ethernet Zones Overview
Navigate to "LAN > Ethernet Zones" to display the list of Ethernet zones that are currently defined on the system in the item list bar.
In the expanded view, the first column of the table displays the "Name" of the Ethernet zone. The name of the Ethernet zone contains the name of the selected physical network interface, for example Zone-eth2. Furthermore, the status ("Enabled" or not) of the zone and its "IP Address" are displayed. The buttons in the last column allow you to view and adjust the settings for an existing Ethernet zone, create a new zone based on a copy of an existing Ethernet zone or delete a zone from the system.
For further information, see Chapter 3.2, "Icons and Buttons", on page 21.
Ethernet Zones Settings
The "Ethernet Zones" settings allow you to customize the settings of the available
Ethernet zones.
Under "LAN > Ethernet Zones", you can add a new Ethernet zone or edit an existing one.
The "Ethernet Zone" settings allow you to configure the following elements:
Field – Description
"On" / "Off" – A slider switch indicates whether the Ethernet zone is active ("On") or inactive ("Off"). By clicking the slider switch, you can toggle the state of the Ethernet zone.
On the "General" tab:
Field – Description
"Name" – Enter a name for the Ethernet zone.
"IP Address/Netmask" – Enter the IP address and netmask in CIDR notation (IP address followed by a slash »/« and the number of bits set in the subnet mask, for example 192.168.50.1/24). Multiple IP addresses from the same or other networks are possible. You can only enter an IP address which has not already been configured on a different Ethernet zone, WLAN or VLAN.
"Network Interfaces" – Assign as many unallocated physical network interfaces to the zone as you like.
"Bridged" – This checkbox indicates whether the zone is bridged. The checkbox is cleared by default. To set up a bridge, deactivate the first zone of the bridge. Select the "Bridged" checkbox and save the settings. Then, open the settings of the second zone of the bridge. Select the "Bridged" checkbox and the first zone as "Bridge Target". When you save the settings, the first zone is automatically reactivated. Note: When zones are bridged, the DHCP server is automatically disabled.
"Enable DNS Cache" – This checkbox is pre-selected by default; it has to be selected to activate DNS caching. Clear the checkbox to disable DNS caching.
"Log Refused Connection Attempts" – Optional: Select this checkbox to create an entry in the System log (see "System Log" on page 41) whenever a connection attempt from the outside to this Ethernet zone fails. Filtering the System log by "Program" ulogd, the log entries for refused connection attempts are displayed.
gateprotect Firewall provides IP addresses to computers on the network using the
Dynamic Host Configuration Protocol. The "DHCP Server" tab provides the following
options:
Field – Description
"On" / "Off" – A slider switch indicates whether the DHCP server is active ("On") or inactive ("Off"). By clicking the slider switch, you can toggle the state of the DHCP server. The DHCP server is enabled by default. If the DHCP server is disabled, no other settings can be configured on this tab.
"Domain Name" – Optional: Enter a custom domain name that the DHCP server assigns to the clients.
"Lease Time" – Enter the default and maximum lease time (in seconds) to determine the amount of time that a computer will have a valid IP address.
"DNS Servers" – Specify the primary and secondary DNS servers to be used by computers that receive an IP address from the enabled DHCP server in the LAN zone. Note: To be able to specify the DNS servers, you need to clear the "Enable DNS Cache" checkbox in the "General" tab.
"DHCP Relay" – Enable DHCP relay by selecting the checkbox if gateprotect Firewall is to be used as a proxy server, passing on the task of assigning IP addresses to clients to a remote DHCP server.
"Mark" – Select this checkbox to append an agent option field (adds IDs to requests).
"Port" – Specify the port that is used to listen for and transmit queries. This is useful for debugging purposes. The default port for DHCPv4/BOOTP is port 67.
"Dynamic DHCP Scope" – To supply clients with addresses, a range of IP addresses can be assigned to the server using these settings. You can use the default DHCP address range or enter a different beginning and end of the range of addresses that you want to distribute to computers in this zone. A dynamic DHCP scope provides each client with the next available address in the range. Note: If you edit the DHCP scope, a check mark appears on the right of the input fields. You have to click the check mark before being able to save the settings of the Ethernet zone.
"Static IP Addresses" – A static DHCP scope provides specific IP addresses to specific computers on your network. When a host connects with the specified hostname or MAC address, it receives the designated IP address.
If you configure an IP address from within the dynamic DHCP address range as a
static IP address, this IP address will not be dynamically assigned by the DHCP server
to a client other than the one specified any more.
On the "Web Admin Access" tab:
Field – Description
"Web Admin Access" – Select the checkbox to enable HTTP(S) access to the web admin frontend.
"HTTPS" – This option determines whether an encrypted connection is used to access the gateprotect Firewall web interface. The option is set to "Off" by default but you can turn it "On" or use the "Force" setting. Note: When "HTTPS" is set to "Force", subsequent requests from your browser to the web interface must be preceded by https:// or you will be unable to connect.
"Certificate" – From the drop-down list, select a webserver certificate to be used for the HTTPS connection.
"Certificate Password" – Enter the corresponding password for the certificate.
"Show Password" – Optional: Select the checkbox to verify the password.
The buttons at the bottom right of the editor panel depend on whether you add a new
Ethernet zone or edit an existing zone. For a newly configured Ethernet zone, click
"Create" to add the zone to the list of available Ethernet zones or "Cancel" to discard
your changes. To edit an existing zone, click "Save" to store the reconfigured zone or
"Reset" to discard your changes. You can click "Close" to shut the editor panel as long
as no changes have been made on it.
Click "Activate" in the toolbar at the top of the desktop to apply your configuration changes.
Configured Ethernet zones are displayed as nodes in the network overview on the
desktop and are, therefore, available for use in connections and firewall rules.
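As an added example that is not part of this manual or of the product, the following Python check validates a set of Ethernet zones against the constraints described in this section: an IP address may be configured on one zone only, a physical interface belongs to one zone, the DHCP scope and static addresses must lie in the zone's subnet, a static address inside the dynamic range is withdrawn from dynamic assignment, the DHCP server is off on a bridged zone, and at least one zone must keep "Web Admin Access" enabled. The zone set is constructed; only the management network 192.168.255.0/24 comes from the manual, the other addresses and the host names are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class DhcpServer:
    enabled: bool = True                              # "DHCP Server" tab: "On"/"Off"
    scope: Optional[Tuple[str, str]] = None           # "Dynamic DHCP Scope": (first, last)
    static: dict = field(default_factory=dict)        # "Static IP Addresses": host or MAC -> IP


@dataclass
class Zone:
    name: str
    addresses: list                                   # "IP Address/Netmask" entries in CIDR
    interfaces: list = field(default_factory=list)    # "Network Interfaces"
    bridged: bool = False                             # "Bridged"
    web_admin_access: bool = False                    # "Web Admin Access" tab
    dhcp: DhcpServer = field(default_factory=DhcpServer)


def _ifaces(zone: Zone):
    return [ipaddress.ip_interface(c) for c in zone.addresses]


def _check_dhcp(z: Zone, errors: list, notes: list) -> None:
    subnets = [i.network for i in _ifaces(z)]

    def on_zone(ip):
        return any(ip in n for n in subnets)

    lo = hi = None
    if z.dhcp.scope:
        lo, hi = (ipaddress.ip_address(a) for a in z.dhcp.scope)
        if lo > hi:
            errors.append(f"{z.name}: DHCP scope start {lo} is after its end {hi}")
        if not (on_zone(lo) and on_zone(hi)):
            errors.append(f"{z.name}: DHCP scope {lo}-{hi} is not inside the zone's subnets")
        for i in _ifaces(z):
            if lo <= i.ip <= hi:   # the firewall's own address must not be handed out
                errors.append(f"{z.name}: the zone address {i.ip} lies inside the DHCP scope")
    for host, ip_s in z.dhcp.static.items():
        ip = ipaddress.ip_address(ip_s)
        if not on_zone(ip):
            errors.append(f"{z.name}: static address {ip} for {host} is not on the zone's subnets")
        elif lo is not None and lo <= ip <= hi:
            # Permitted: the address is simply withdrawn from dynamic assignment.
            notes.append(f"{z.name}: {ip} ({host}) is inside the dynamic scope and is no longer assigned dynamically")


def check_zones(zones) -> Tuple[list, list]:
    """Return (errors, notes) for a set of Ethernet zones; no errors means the
    set satisfies the constraints this section describes."""
    errors, notes, ip_owner, nic_owner = [], [], {}, {}
    for z in zones:
        for i in _ifaces(z):
            owner = ip_owner.setdefault(i.ip, z.name)
            if owner != z.name:
                errors.append(f"{z.name}: {i.ip} is already configured on zone {owner}")
        for nic in z.interfaces:
            owner = nic_owner.setdefault(nic, z.name)
            if owner != z.name:
                errors.append(f"{z.name}: interface {nic} is already assigned to zone {owner}")
        if z.bridged and z.dhcp.enabled:
            notes.append(f"{z.name}: the DHCP server is disabled automatically on a bridged zone")
        elif z.dhcp.enabled:
            _check_dhcp(z, errors, notes)
    if not any(z.web_admin_access for z in zones):
        errors.append("no Ethernet zone has Web Admin Access enabled; the web interface would be unreachable")
    return errors, notes


# Constructed zone set (addresses and host names are assumptions; only the
# management network 192.168.255.0/24 comes from the manual).
ZONES = [
    Zone("WAN", ["203.0.113.2/24"], ["eth0"], dhcp=DhcpServer(enabled=False)),
    Zone("Mgmt_Zone", ["192.168.255.1/24"], ["eth1"], web_admin_access=True,
         dhcp=DhcpServer(scope=("192.168.255.100", "192.168.255.200"))),
    Zone("Zone-eth2", ["192.168.50.1/24"], ["eth2"],
         dhcp=DhcpServer(scope=("192.168.50.1", "192.168.50.254"),
                         static={"printer": "192.168.50.10", "nas": "192.168.60.5"})),
    Zone("Zone-eth3", ["192.168.50.1/24"], ["eth2", "eth3"], dhcp=DhcpServer(enabled=False)),
]

if __name__ == "__main__":
    errors, notes = check_zones(ZONES)
    print("\n".join(errors))
    print("\n".join(notes))
```

The last check is the one that locks administrators out in practice: renaming and repurposing "Mgmt_Zone" is allowed, but the zone that keeps "Web Admin Access" should be on eth1, since the manual states that the other interfaces are disabled when the license expires.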
3.4.3.2WLAN Zones
Some gateprotect Firewall models can be enhanced with a wireless USB adapter to
create a wireless access point in your network.
Connect a compatible wireless USB adapter to the USB port of your gateprotect Firewall to configure a wireless access point. A successful configuration allows wireless clients to connect to this access point to join the wireless local area network (WLAN).
For more detailed information on WLAN zones, see the following sections.
WLAN Zones Overview
Navigate to "LAN > WLAN Zones" to display the list of WLAN zones that are currently
defined on the system in the item list bar.
In the expanded view, the columns of the table display the "Name" of the WLAN zone,
its status ( "Enabled" or not), the "Mode" , and the "IP Address" of the WLAN zone. The
buttons in the last column allow you to view and adjust the settings for an existing
WLAN zone or delete a zone from the system. Click the "Refresh" button above the
table to obtain updated information on the WLAN zones.
For further information, see Chapter 3.2, "Icons and Buttons", on page 21.
WLAN Zones Settings
Use the "WLAN Zones" settings to configure your gateprotect Firewall as a wireless
access point.
Under "LAN > WLAN Zones" , you can edit an existing WLAN zone.
The "WLAN Zone" settings allow you to configure the following elements:
FieldDescription
"On" / "Off"A slider switch indicates whether the WLAN zone is active ( "On" ) or inactive
( "Off" ). By clicking the slider switch, you can toggle the state of the WLAN
zone.
On the "General" tab:
FieldDescription
"IP Address/Netmask"Enter the IP address and the netmask in CIDR notation (IP address followed by
a slash »/« and the number of bits set in the subnet mask, for example
192.168.50.1/24). You can only enter an IP address which has not already
been configured on a different Ethernet, WLAN or VLAN zone.
"Enable DNS Cache"Select the checkbox to activate DNS caching.
"Log Refused Connection Attempts"
Optional: Select this checkbox to create an entry in the System log (see "Sys-
tem Log"on page 41) whenever a connection attempt from the outside to this
WLAN zone fails. Filtering the System log by "Program" ulogd, the log entries
for refused connection attempts are displayed.
Configure a DHCP server to assign IP addresses to devices that are to be interconnected via WLAN. The "DHCP Server" tab provides the following options:
FieldDescription
"On" / "Off"A slider switch indicates whether the DHCP server is active ( "On" ) or inactive
( "Off" ). By clicking the slider switch, you can toggle the state of the DHCP
server. If the DHCP server is disabled, no other settings can be configured on
this tab.
"Domain Name"Optional: Enter a custom domain name that the DHCP server assigns to the cli-
ents.
"Lease Time"Enter the default and maximum lease time (in seconds) to determine the
amount of time that a computer will have a valid IP address.
"DNS Servers"Specify the primary and secondary DNS servers to be used by computers that
receive an IP address from the enabled DHCP server in the WLAN zone.
Note: To be able to specify the DNS servers, you need to clear the "Enable
DNS Cache" checkbox in the "General" tab.
"DHCP Relay"Enable DHCP relay by selecting the checkbox if gateprotect Firewall is to be
used as a proxy server, passing on the task of assigning IP addresses to clients
to a remote DHCP server.
"Mark"Select this checkbox to append an agent option field (adds IDs to requests).
"Port"Specify the port that is used to listen for and transmit queries. This is useful for
debugging purposes. The default port for DHVPv4/BOOTP is port 67.
FieldDescription
"Dynamic DHCP Scope" To supply clients with addresses, a range of IP addresses can be assigned to
the server using these settings. You can use the default DHCP address range,
or enter a different beginning and end of the range of addresses that you want
to distribute to computers in this zone. A dynamic DHCP scope provides each
client with the next available address in the range.
Note: If you edit the DHCP scope, a check mark appears on the right of the
input fields. You have to click the check mark before being able to save the settings of the WLAN zone.
"Static IP Addresses"A static DHCP scope provides specific IP addresses to specific computers on
your network. When a host connects with the specified hostname or MAC
address, it receives the designated IP address.
If you configure an IP address from within the dynamic DHCP address range as a
static IP address, this IP address will not be dynamically assigned by the DHCP server
to a client other than the one specified any more.
On the "Web Admin Access" tab:
FieldDescription
"Web Admin Access"Select the checkbox to enable HTTP(S) access to the web admin frontend.
"HTTPS"This option determines whether an encrypted connection is used to access the
gateprotect Firewall web interface. The option is set to "Off" by default but you
can turn it "On" or use the "Force" setting.
Note: When "HTTPS" is set to "Force" , subsequent requests from your
browser to the web interface must be preceded by https:// or you will be
unable to connect.
"Certificate"From the drop-down list, select a webserver certificate to be used for the
HTTPS connection.
"Certificate Password"Enter the corresponding password for the certificate.
"Show Password"Optional: Select the checkbox to verify the password.
On the "WLAN" tab:
FieldDescription
"Mode"Select the communication specifications according to IEEE 802.11 from the
drop-down list. The mode can be one of the following:
●
a – up to 54 Mbit/s 5 GHz
●
an – up to 300 Mbit/s 5 GHz
●
b – up to 11 Mbit/s 2.4 GHz
●
g – up to 54 Mbit/s 2.4 GHz
●
gn – up to 300 Mbit/s 2.4 GHz
"Country Code"Select the correct country code for your country (for example DE for Germany).
Note: This may affect the permissible maximum "Transmit Power" .
"SSID"Enter an identifier for the wireless local area network. The set default value is
gateprotect.
"SSID Visible"Select this checkbox if you want the SSID to be visible.
FieldDescription
"Encryption Mode"Select the desired encryption mode from the drop-down list. The mode can be
one of the following:
●
Open (i.e. not encrypted)
WPA
●
WPA2
●
WPA+WPA2
●
The WPA+WPA2 encryption is set by default.
"Encryption Protocol"From the drop-down list, select one of the following encryption protocols to be
used:
●
TKIP – Temporal Key Integrity Protocol
●
CCMP – Counter-Code/CBC-MAC Protocol
●
TKIP+CCMP – a combination of the above two methods
"Preshared Key"Select the pre-shared key to be used for encryption. Clients need to supply this
password in order to establish a secured connection to gateprotect Firewall.
The given default key is gateprotect.
"Show Password"Optional: Select the checkbox to verify the password.
"Channel Width"If you selected an or gn as the communication mode, you can now set the
channel width to 20 or 40 MHz. For the remaining communication modes, this
field is disabled and set to 20 by default.
"Channel Number"Select the channel number (frequency) from the drop-down list. The options
available for selection depend on the chosen communication mode and on the
selected country code.
"Transmit Power"Specify the transmit power (in decibel-milliwatts) to be used. The value can be
any integer from 1 to the maximum transmit power. It is set to 20 dBm by
default.
"Access Point Station
Isolation"
"Log Level"Define the log level from level 0 to 4.
Select this checkbox to prevent the clients from communicating directly with
each other.
On the "MAC Filter" tab:
FieldDescription
"MAC Filter"Use the MAC filter to determine whether a wireless device is to be granted
access to the WLAN. The default setting is "Disabled" , that is to say that no
filtering is performed, but you can adjust the settings to one of the following values as necessary:
●
"Blacklist" – the specified MAC addresses and therefore clients are
blocked
●
"Whitelist" – the specified MAC addresses and therefore clients are granted access to the network
"MAC Addresses"Click "Add" to enter MAC addresses to be applied when filtering.
The buttons at the bottom right of the editor panel allow you to shut ( "Close" ) the editor panel as long as no changes have been made and to store ( "Save" ) or to discard
( "Reset" ) your changes.
Click " Activate" in the toolbar at the top of the desktop to apply your configuration
changes.
3.4.3.3VLAN Zones
Use the "VLAN Zones" settings to add custom Virtual Local Area Network tags to all
traffic on a given interface.
This method can be used to create »virtual interfaces« that allow you to put several
logical network zones on one physical interface. When a VLAN tag is associated with a
network interface, the tag is added to all outgoing packets that are sent via this virtual
interface and stripped from the incoming packets that are received on this VLAN. Several VLANs may be associated with each network interface. Packets with different tags
can be processed and associated to the corresponding zones.
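The tagging and stripping described above, as an added worked example that is not part of the gateprotect Firewall software or of this manual: a minimal 802.1Q encoder and decoder in Python that enforces the 1 to 4094 range of the "VLAN Tag" field, and a classifier that hands each received frame to the zone configured for its tag. The zone names, MAC addresses and payload are constructed for illustration.

```python
import struct
from typing import Dict, Optional, Tuple

TPID_8021Q = 0x8100            # EtherType value that announces an 802.1Q tag
VID_MIN, VID_MAX = 1, 4094     # range of the "VLAN Tag" field; 0 and 4095 are reserved


def build_frame(dst_mac: bytes, src_mac: bytes, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet II frame: dst(6) | src(6) | EtherType(2) | payload."""
    if len(dst_mac) != 6 or len(src_mac) != 6:
        raise ValueError("MAC addresses are 6 bytes")
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def add_vlan_tag(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Egress on a VLAN zone: insert TPID + TCI between the source MAC and the EtherType."""
    if not VID_MIN <= vid <= VID_MAX:
        raise ValueError(f"VLAN ID {vid} outside {VID_MIN}..{VID_MAX}")
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("PCP is 3 bits, DEI is 1 bit")
    tci = (pcp << 13) | (dei << 12) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_vlan_tag(frame: bytes) -> Tuple[Optional[int], bytes]:
    """Ingress: return (vid, untagged frame); vid is None when no 802.1Q tag is present."""
    if len(frame) < 18:
        return None, frame
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None, frame
    return tci & 0x0FFF, frame[:12] + frame[16:]


def classify(frame: bytes, zones: Dict[int, str], untagged_zone: Optional[str] = None) -> Optional[str]:
    """Hand a received frame to the zone configured for its tag. In this example a tag with no
    configured zone, or an untagged frame on an interface without an untagged zone, yields
    None and is dropped; VID 0 is a priority tag, not a VLAN, and counts as untagged."""
    vid, _ = strip_vlan_tag(frame)
    if vid is None or vid == 0:
        return untagged_zone
    return zones.get(vid)
```

The classifier is deliberately strict: accepting frames whose tag matches no zone would let a host on the physical segment inject traffic into whichever zone handles unknown tags, so unknown tags are dropped rather than mapped to a default.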
For more detailed information on VLAN zones, see the following sections.
VLAN Zones Overview
Navigate to "LAN > VLAN Zones" to display the list of VLAN zones that are currently
defined on the system in the item list bar.
In the expanded view, the columns of the table display the "Name" and the status
( "Enabled" or not) of the VLAN zone, the "VLAN Tag" , the network "Interface" with
which the virtual local area network is associated and the "IP Address" of the VLAN
zone. The buttons in the last column allow you to view and adjust the settings for an
existing virtual local area network, create a new VLAN zone based on a copy of an
existing virtual local area network or delete a VLAN zone from the system.
For further information, see Chapter 3.2, "Icons and Buttons", on page 21.
VLAN Zones Settings
Use the "VLAN Zones" settings to configure custom Virtual Local Area Network tags to
be added to all traffic on a given interface.
Under "LAN > VLAN Zones" , you can add a new or edit an existing virtual local area
network.
The "VLAN Zone" settings allow you to configure the following elements:
FieldDescription
"On" / "Off"A slider switch indicates whether the VLAN is active ( "On" ) or inactive ( "Off" ).
By clicking the slider switch, you can toggle the state of the VLAN zone. A new
VLAN zone is enabled by default.
On the "General" tab:
FieldDescription
"Name"Enter a name for the VLAN zone. The name has to be unique and may consist
of 3 to 14 characters (allowed are letters of the English alphabet, integers,
dashes, underscores and dots).
"IP Address/Netmask"Enter the IP address and netmask in CIDR notation (IP address followed by a
slash »/« and the number of bits set in the subnet mask, for example
192.168.50.1/24). You can only enter an IP address which has not already
been configured on a different Ethernet, WLAN or VLAN zone.
FieldDescription
"Enable DNS Cache"This checkbox is pre-selected by default; it has to be selected to activate DNS
caching. Clear the checkbox to disable DNS caching.
"Log Refused Connection Attempts"
"Network Interfaces"From the drop-down list, select the network interface with which the tag should
"VLAN Tag"Enter the text content of the VLAN tag. The tag may contain any integer from 1
Optional: Select this checkbox to create an entry in the System log (see "Sys-
tem Log"on page 41) whenever a connection attempt from the outside to this
VLAN zone fails. Filtering the System log by "Program" ulogd, the log entries
for refused connection attempts are displayed.
be associated.
to 4094.
On the "DHCP Server" tab:
FieldDescription
"On" / "Off"A slider switch indicates whether the DHCP server is active ( "On" ) or inactive
( "Off" ). By clicking the slider switch, you can toggle the state of the DHCP
server. The DHCP server is disabled by default. If the DHCP server is disabled,
no other settings can be configured on this tab.
"Domain Name"Optional: Enter a custom domain name that the DHCP server assigns to the cli-
ents.
"Lease Time"Enter the default and maximum lease time (in seconds) to determine the
amount of time that a computer will have a valid IP address.
"DNS Servers"Specify the primary and secondary DNS servers to be used by computers that
receive an IP address from the enabled DHCP server in the VLAN zone.
Note: To be able to specify the DNS servers, you need to clear the "Enable
DNS Cache" checkbox in the "General" tab.
"DHCP Relay"Enable DHCP relay by selecting the checkbox if gateprotect Firewall is to be
used as a proxy server, passing on the task of assigning IP addresses to clients
to a remote DHCP server.
"Mark"Select this checkbox to append an agent option field (adds IDs to requests).
"Port"Specify the port that is used to listen for and transmit queries. This is useful for
debugging purposes. The default port for DHVPv4/BOOTP is port 67.
"Dynamic DHCP Scope" To supply clients with addresses, a range of IP addresses can be assigned to
the server using these settings. You can use the default DHCP address range,
or enter a different beginning and end of the range of addresses that you want
to distribute to computers in this zone. A Dynamic DHCP Scope provides each
client with the next available address in the range.
Note: If you edit the DHCP scope, a check mark appears on the right of the
input fields. You have to click the check mark before being able to save the settings of the VLAN zone.
"Static IP Addresses"A Static DHCP Scope provides specific IP addresses to specific computers on
your network. When a host connects with the specified Hostname or MAC
Address, it receives the designated IP address.
If you configure an IP address from within the dynamic DHCP address range as a
static IP address, this IP address will not be dynamically assigned by the DHCP server
to a client other than the one specified any more.
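The allocation rules of the "Dynamic DHCP Scope" and "Static IP Addresses" fields, which read the same for Ethernet, WLAN and VLAN zones, as an added Python model that is not part of the gateprotect Firewall software or of this manual: a reservation by MAC address or hostname wins, a reservation inside the dynamic range is skipped for every other client, a renewing client keeps its address, and expired leases are handed out again. The addresses, MACs and hostnames are constructed. One caveat the model makes visible: a reservation keyed by hostname is claimed by whichever client sends that name, because the hostname comes from the client itself.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class DhcpScope:
    """One zone's DHCP server: a dynamic range plus static reservations keyed by MAC or hostname."""
    range_start: str
    range_end: str
    lease_time: int                                                   # seconds, the "Lease Time" field
    static: Dict[str, str] = field(default_factory=dict)              # MAC or hostname -> reserved IP
    leases: Dict[str, Tuple[str, int]] = field(default_factory=dict)  # IP -> (MAC, expiry time)

    def reserve(self, key: str, ip: str) -> None:
        """"Static IP Addresses": key is a MAC ("aa:bb:...") or a hostname. A reservation inside
        the dynamic range removes that address from the pool for everyone else."""
        if ip in self.static.values():
            raise ValueError(f"{ip} already reserved")
        self.static[key.lower() if ":" in key else key] = ip

    def _dynamic_addresses(self):
        first = int(ipaddress.IPv4Address(self.range_start))
        last = int(ipaddress.IPv4Address(self.range_end))
        return (str(ipaddress.IPv4Address(n)) for n in range(first, last + 1))

    def offer(self, mac: str, hostname: str, now: int) -> Optional[str]:
        """Address handed to a requesting client at time `now`, or None when the pool is exhausted."""
        mac = mac.lower()
        reserved = set(self.static.values())
        # 1. Static reservation, matched by MAC first, then by the client-supplied hostname.
        #    Anyone who sends the reserved hostname gets that address: prefer MAC keys.
        for key in (mac, hostname):
            if key in self.static:
                ip = self.static[key]
                self.leases[ip] = (mac, now + self.lease_time)
                return ip
        # 2. A client that still holds an unexpired dynamic lease keeps it (renewal).
        for ip, (holder, expiry) in self.leases.items():
            if holder == mac and expiry > now and ip not in reserved:
                self.leases[ip] = (mac, now + self.lease_time)
                return ip
        # 3. Dynamic scope: next available address, skipping reserved ones and live leases.
        for ip in self._dynamic_addresses():
            if ip in reserved:
                continue
            holder = self.leases.get(ip)
            if holder is None or holder[1] <= now:
                self.leases[ip] = (mac, now + self.lease_time)
                return ip
        return None
```

The expiry check in step 3 is what the "Lease Time" field buys you: with a short lease a burst of transient clients (typical on a guest WLAN) frees the pool again quickly; with a long lease the same burst exhausts it and later clients get nothing.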
On the "Web Admin Access" tab:
FieldDescription
"Web Admin Access"Select the checkbox to enable HTTP(S) access to the web admin frontend.
"HTTPS"The option determines whether an encrypted connection is used to access the
gateprotect Firewall web interface. The option is set to "Off" by default but you
can turn it "On" or use the "Force" setting.
Note: When "HTTPS" is set to "Force" , subsequent requests from your
browser to the web interface must be preceded by https:// or you will be
unable to connect.
"Certificate"Select a webserver certificate to be used for the HTTPS connection.
"Certificate Password"Enter the corresponding password for the certificate.
"Show Password"Optional: Select the checkbox to verify the password.
The buttons at the bottom right of the editor panel depend on whether you add a new
VLAN zone or edit an existing virtual local area network. For a newly configured VLAN
zone, click "Create" to add the VLAN to the list of available virtual local area network
zones or "Cancel" to discard your changes. To edit an existing VLAN zone, click
"Save" to store the reconfigured VLAN or "Reset" to discard your changes. You can
click "Close" to shut the editor panel as long as no changes have been made on it.
Click "Activate" in the toolbar at the top of the desktop to apply your configuration
changes.
Configured VLAN zones are displayed as nodes in the network overview on the desktop and are, therefore, available for use in connections and firewall rules.
For detailed instructions, see Chapter 4.6, "Setting Up a VLAN", on page 148.
3.4.4WAN
Navigate to the " WAN" menu to configure the WAN zone, connection monitoring profiles, DynDNS accounts, failover settings, physical interfaces for multi-WAN, port and
IP forwarding and policy-based routes.
3.4.4.1Connection Monitoring
"Connection Monitoring" automatically monitors the accessibility of URLs and IP
addresses to verify the state of the connection.
Connection monitoring tests the accessibility of URLs and IP addresses by pinging the
destination. If all ping signals are returned correctly, the connection is okay. If a specified number of signals is lost, the test fails. The failover feature uses the connection
monitor to determine which interfaces fail and to switch them accordingly (see Chap-
ter 3.4.4.3, "Failover Settings", on page 82).
For more detailed information on connection monitoring, see the following sections.
Connection Monitoring Overview
Navigate to "WAN > Connection Monitoring" to display the list of connection monitoring
profiles that are currently defined on the system in the item list bar.
In the expanded view, the left column of the table displays the "Name" of the connection monitoring profile. The buttons in the right column allow you to view and adjust the
settings for an existing connection monitoring profile, create a profile based on a copy
of an existing connection monitoring profile or delete a profile from the system.
For further information, see Chapter 3.2, "Icons and Buttons", on page 21.
Connection Monitoring Settings
Use the "Connection Monitoring" settings to configure profiles that allow you to monitor
the accessibility of URLs and IP addresses.
When an interface is set up as a failover interface in the WAN zone (see Chap-
ter 3.4.4.3, "Failover Settings", on page 82), the system automatically creates a con-
nection monitoring profile for this interface using default values. Navigate to "WAN >
Connection Monitoring" to customize connection monitoring profiles.
The "Connection Monitoring Profile" settings allow you to configure the following elements:
FieldDescription
"On" / "Off"A slider switch indicates whether the connection monitoring profile is active
( "On" ) or inactive ( "Off" ). By clicking the slider switch, you can toggle the
state of the profile. This option is enabled by default.
"Name"Enter a name for the profile. This name has to be unique and can consist of 3 to
15 characters (allowed are letters of the English alphabet, integers, dashes,
underscores and dots).
"Test Interval"Define (in seconds) how often the connection is to be tested.
"Response Timeout"Specify the timeout (in seconds) for the ping.
Important: The response timeout must be less than or equal to the test interval. Otherwise, several tests would run simultaneously.
"Tolerated Error Rate"Define how many tests can fail before the connection profile is considered to be
CRITICAL.
"Description"Optional: Enter additional information regarding the profile.
"Network Interface"From the drop-down list, select the physical network interface to be used for the
test.
FieldDescription
"Destinations"Add up to three desired URLs or IP addresses and click "Add" after each entry.
You can edit or delete each single entry in the list by clicking the appropriate
button next to an entry.
Note: If you edit the URL or the IP address of a destination, a check mark
appears on the right of the input field. You have to click the check mark before
being able to save the settings of the connection monitoring profile.
"Minimum Destination
Success Count"
The interface enters CRITICAL state and is switched over by the failover only when
the number of tests specified in "Tolerated Error Rate" has failed and the corresponding test intervals and response times have elapsed. For this reason, make sure that the
selected values are suitable and not too great.
The buttons at the bottom right of the editor panel depend on whether you add a new
connection monitoring profile or edit an existing profile. For a newly configured connection monitoring profile, click "Create" to add the profile to the list of available connection
monitoring profiles or "Cancel" to discard your changes. To edit an existing profile, click
"Save" to store the reconfigured profile or "Reset" to discard your changes. You can
click "Close" to shut the editor panel as long as no changes have been made on it.
Click "
Activate" in the toolbar at the top of the desktop to apply your configuration
changes.
3.4.4.2DynDNS Accounts
To be able to connect from the external network to your gateprotect Firewall, for example via a VPN connection, the IP address of your device has to be recognized on the
Internet.
From the drop-down list, select how many destinations are to be accessed successfully to set the profile to OK.
Using dynamic DNS (»DynDNS«), your gateprotect Firewall gets a fixed host name (for
example yourcompany.dyndns.org) on the Internet, even if it has no fixed IP
address for the dial-in procedure by ISDN or DSL, for example. This is accomplished
by sending the current IP address to a DynDNS provider that maps it to a domain
name so that the firewall is accessible using that domain name. If the IP address
changes due to a DSL reset, it is re-sent to the DynDNS provider. This ensures that
the dynamic DNS always points to the current IP address.
To set up DynDNS on your gateprotect Firewall, you require a configured DynDNS
account with a DynDNS provider. Further information on dynamic DNS and the registration for the dynamic DNS process can be found at, for example, www.dyndns.org.
For more detailed information on DynDNS accounts, see the following sections.
DynDNS Accounts Overview
Navigate to "WAN > DynDNS Accounts" to display the list of DynDNS accounts that
are currently defined on the system in the item list bar.
In the expanded view, the columns of the table display the "Name" of the DynDNS
account, indicate whether the account is "Enabled" and show the "Server Type" . The
buttons in the last column allow you to view and adjust the settings for an existing
DynDNS account, create an account based on a copy of an existing DynDNS account
or delete an account from the system.
For further information, see Chapter 3.2, "Icons and Buttons", on page 21.
DynDNS Accounts Settings
The "DynDNS Accounts" settings allow you to define custom accounts for the WAN
zone in general.
Under "WAN > DynDNS Accounts" , you can add a new or edit an existing DynDNS
account.
The "DynDNS Accounts" settings allow you to configure the following elements:
FieldDescription
"On" / "Off"A slider switch indicates whether the DynDNS account is active ( "On" ) or inac-
tive ( "Off" ). By clicking the slider switch, you can toggle the state of the
DynDNS account. A new DynDNS account is enabled by default.
"Server Type"From the drop-down list of supported DynDNS services, select the type of
server to be used.
"Server Address"Optional: Enter the address of the server if your DynDNS provider requires the
definition of a different server address.
"User Name"Enter the user name with which your account is registered with the DynDNS
provider.
"Password"Enter the password with which your account is registered with the DynDNS pro-
vider.
"Show Password"Optional: Select this checkbox to verify the password.
"WAN Interfaces"Optional: Select the WAN interface to be used for this DynDNS service and
then click "Add" . Several interfaces can be added. You can delete or change
the position of each single entry in the list by clicking the appropriate button
next to an entry. gateprotect Firewall will communicate the IP of the first operational interface to the DynDNS service.
"Host Name"DynDNS services provide a domain name entry under their authority. So a reg-
istered host always has the suffix of the service provider (for example
yourname.dynamicdns.org). Enter the complete host name in this input
field.
"Wildcards"Optional: Select this checkbox to activate the possibility to use wildcards in host
names if you plan to use subdomains of your DynDNS account (for example,
*.yourname.dynamicdns.org will resolve for any domains ending with
yourname.dynamicdns.org).
The buttons at the bottom right of the editor panel depend on whether you add a new
DynDNS account or edit an existing account. For a newly configured account, click
"Create" to add the account to the list of available DynDNS accounts or "Cancel" to discard your changes. To edit an existing account, click "Save" to store the reconfigured
account or "Reset" to discard your changes. You can click "Close" to shut the editor
panel as long as no changes have been made on it.
Click " Activate" in the toolbar at the top of the desktop to apply your configuration
changes.
3.4.4.3Failover Settings
Use the "Failover" settings to configure a backup connection to the wide area network,
typically the Internet.
The current version allows you to activate either failover or WAN load balancing (see
"Interface Groups"on page 87), not both together.
Some services rely on your gateprotect Firewall being reachable under a specific IP
address. If you supplied the external IP address of a specific WAN interface to those
services, they might not work reliably or fail completely if a broken internet connection
is replaced by a backup connection via automatic failover. gateprotect Firewall offers
automatic management of DynDNS services to handle this issue. When configuring
DynDNS, specify the external IP addresses of those interfaces which should be communicated to your DynDNS provider and the order in which they should be used.
Should an interface fail, gateprotect Firewall updates the DynDNS settings automatically. For more information, see Chapter 3.4.4.2, "DynDNS Accounts", on page 80.
Automatic Failover
After multiple physical interfaces have been connected to the WAN zone under "WAN
> WAN Zone > Physical Interfaces" (see "Physical Interfaces"on page 85), automatic failover can be activated. If the connection via the currently active interface fails,
the system automatically switches to the next available interface with the highest priority. When an interface with a higher priority becomes available again, this interface is
reactivated automatically.
Under "WAN > Failover" , you can set up and activate automatic failover. The "Failover" settings allow you to configure the following elements:
Figure 3-14: Failover settings.
FieldDescription
"Failover Time"Set the time (in seconds) after which the WAN interface will be switched should
the connection enter the critical state. The default failover time is set to 80 seconds.
"Automatic Failover"A slider switch indicates whether the automatic failover is active ( "On" ) or inac-
tive ( "Off" ). Use the slider switch to enable or disable automatic failover. If it is
set to "Off" (default setting), you can save the settings even if no interfaces are
configured for multi-WAN.
"WAN Interface"Select the WAN interfaces that will be used for automatic failover according to
their priority. A minimum of two interfaces is required for automatic failover to
work.
Note: The priority of the interfaces must be unique.
To add a WAN interface, select an interface from the drop-down list, define its
priority and click the plus button . To remove an interface, click the minus button
behind the respective WAN interface.
The buttons at the bottom right of the editor panel depend on whether you change the
failover settings or not. Click "Close" to shut the editor panel as long as no changes
have been made on it. When all settings are configured as required, click "Save" to
store your changes. Otherwise, click "Reset" to discard all changes.
Click " Activate" in the toolbar at the top of the desktop to apply your configuration
changes.
When the settings are applied, the failover editor panel provides additional information
on the status of the WAN interfaces.
There are four possible states:
●
OK (green) – the connection is working
●
WARNING (yellow) – the connection attempt failed
●
CRITICAL (red) – at least three connection attempts failed
●
PENDING (gray) – the connection setup is still in progress
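The interaction between the "Connection Monitoring" profile fields (test interval, response timeout, tolerated error rate, minimum destination success count) and the "Failover Time" and interface priorities described in this section, as an added Python simulation that is not part of the gateprotect Firewall software or of this manual. The state names are the four states listed above, and the timing arithmetic shows why Chapter 3.4.4.1 warns against values that are too great. The interface names, destination address and reachability pattern are constructed.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

OK, WARNING, CRITICAL, PENDING = "OK", "WARNING", "CRITICAL", "PENDING"


@dataclass
class MonitorProfile:
    """One "Connection Monitoring" profile; fields follow the editor panel on this page."""
    name: str
    test_interval: int        # seconds between test rounds
    response_timeout: int     # seconds to wait for each ping; must not exceed test_interval
    tolerated_errors: int     # failed rounds before CRITICAL ("Tolerated Error Rate")
    min_success: int          # destinations that must answer ("Minimum Destination Success Count")
    destinations: List[str]   # up to three URLs or IP addresses
    failures: int = 0
    state: str = PENDING

    def __post_init__(self) -> None:
        if self.response_timeout > self.test_interval:
            raise ValueError("response timeout must be <= test interval, or rounds overlap")
        if not 1 <= len(self.destinations) <= 3 or not 1 <= self.min_success <= len(self.destinations):
            raise ValueError("1 to 3 destinations; min_success must lie within that count")

    def run_round(self, reachable: Callable[[str], bool]) -> str:
        """One test round: ping every destination, count the answers, update the state."""
        answered = sum(1 for dst in self.destinations if reachable(dst))
        if answered >= self.min_success:
            self.failures, self.state = 0, OK
        else:
            self.failures += 1
            self.state = CRITICAL if self.failures >= self.tolerated_errors else WARNING
        return self.state


def time_to_critical(p: MonitorProfile) -> int:
    """Worst case from the first lost ping to CRITICAL: the last tolerated round starts
    (tolerated_errors - 1) intervals later and still waits out its own response timeout."""
    return (p.tolerated_errors - 1) * p.test_interval + p.response_timeout


@dataclass
class AutomaticFailover:
    """"Failover" settings: interfaces with unique priorities (1 = preferred), one profile each."""
    failover_time: int                 # seconds in CRITICAL before the interface is switched away
    priorities: Dict[str, int]         # interface -> priority
    profiles: Dict[str, MonitorProfile]
    active: Optional[str] = None
    critical_since: Dict[str, int] = field(default_factory=dict)

    def __post_init__(self) -> None:
        if len(self.priorities) < 2:
            raise ValueError("automatic failover needs at least two WAN interfaces")
        if len(set(self.priorities.values())) != len(self.priorities):
            raise ValueError("interface priorities must be unique")

    def tick(self, now: int, reachable: Callable[[str, str], bool]) -> Optional[str]:
        """Run every profile once at time `now`, then pick the best-priority interface that has
        not been CRITICAL for failover_time seconds. A recovered higher-priority interface wins
        again at once, which is the automatic reactivation described on the page."""
        usable = []
        for iface in sorted(self.priorities, key=self.priorities.get):
            state = self.profiles[iface].run_round(lambda dst, i=iface: reachable(i, dst))
            if state == CRITICAL:
                since = self.critical_since.setdefault(iface, now)
                if now - since < self.failover_time:
                    usable.append(iface)   # critical, but the failover timer is still running
            else:
                self.critical_since.pop(iface, None)
                usable.append(iface)
        self.active = usable[0] if usable else None
        return self.active


def worst_case_switch_delay(p: MonitorProfile, failover_time: int) -> int:
    """Seconds from the first lost ping until traffic leaves the interface."""
    return time_to_critical(p) + failover_time
```

With the default failover time of 80 seconds, a profile testing every 10 seconds with a 5 second timeout and three tolerated errors switches 105 seconds after the first lost ping; doubling the interval and the tolerated errors pushes that past three minutes, which is the "not too great" warning in numbers.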
Manual Failover
To initiate failover manually, navigate to "WAN > WAN Zone > Physical Interfaces"
(see also "Physical Interfaces"on page 85).
In the item list bar, you can see the status of the physical interfaces that have been
connected to the WAN zone in the "Failover" column. To activate an interface for failover manually, click the respective radio button in the fourth column.
Figure 3-15: Initiating failover manually.
Interfaces can only be used for manual failover and their status is only displayed if they
have been set up in the "Failover" editor panel (see above), even if automatic failover
is disabled.
When an interface is set up as a failover interface in the WAN zone, the system automatically creates a connection monitoring profile for this interface using default values.
Navigate to "WAN > Connection Monitoring" to customize connection monitoring profiles.
3.4.4.4WAN Zone
Use the "WAN Zone" settings to configure the WAN settings of your gateprotect Firewall and the physical interfaces connected to it to set up multi-WAN.
Navigate to "WAN > WAN Zone" to display the WAN zone that is defined on the system in the item list bar.
In the expanded view, the "Interface" column of the table displays the name of the
WAN zone. The button in the right column allows you to view and adjust the settings of
the WAN zone.
For further information, see Chapter 3.2, "Icons and Buttons", on page 21.
WAN Zone Settings
The "WAN Zone" settings determine how gateprotect Firewall connects to the wide
area network, typically the Internet.
Under "WAN > WAN Zone" , you can edit the WAN zone.
The "WAN Zone" settings allow you to configure the following elements:
FieldDescription
"Name"Enter a name for the WAN zone (allowed are letters of the English alphabet,
integers, dashes, underscores and dots). The name is set to WAN by default.
"Comment"Optional: You can enter a comment if you wish.
"NAT"NAT provides IP address masquerading to secure the Internet connection for
clients on the internal network by hiding their private IP addresses behind the
public IP address of gateprotect Firewall.
This checkbox is pre-selected by default. Clear the checkbox to disable network
address translation.
"Log Refused Connection Attempts"
"IP Address"Displays the IP address of the WAN zone.
Optional: Select this checkbox to create an entry in the System log (see "Sys-
tem Log"on page 41) whenever a connection attempt from the outside to the
WAN zone of your gateprotect Firewall fails. Filtering the System log by "Program" ulogd, the log entries for refused connection attempts are displayed.
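The "Log Refused Connection Attempts" option appears on the WLAN, VLAN and WAN zones and produces System log entries under "Program" ulogd. As an added example that is not part of the gateprotect Firewall software or of this manual, the Python below does what the described log filter does and goes one step further: it parses the KEY=VALUE fields of each entry, counts refused attempts per zone interface and source address, and flags sources that probed several different ports. The sample lines, the [REFUSED] prefix and the interface names are constructed; only the KEY=VALUE layout follows the netfilter logging format that ulogd's syslog-style output emits.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Tuple

# Syslog line: "<timestamp> <host> <program>[pid]: <message>"; the message carries KEY=VALUE pairs.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[A-Za-z0-9_.-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split a syslog line into header fields plus the KEY=VALUE pairs of its message.
    Bare flags such as DF or SYN carry no '=' and are ignored."""
    m = SYSLOG_RE.match(line.rstrip())
    if not m:
        return None
    rec = m.groupdict()
    rec.update(KV_RE.findall(rec["msg"]))
    return rec


def refused_attempts(lines: List[str], program: str = "ulogd") -> List[Dict[str, str]]:
    """Same selection as filtering the System log by "Program" ulogd, keeping packet records only."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["prog"] == program and "SRC" in rec and "DST" in rec:
            out.append(rec)
    return out


def summarize(records: List[Dict[str, str]], min_ports: int = 3) -> Tuple[Counter, List[str]]:
    """Refused attempts per (zone interface, source) and the sources that touched
    at least min_ports distinct destination ports, i.e. likely port scanners."""
    per_source: Counter = Counter()
    ports: Dict[str, set] = defaultdict(set)
    for r in records:
        per_source[(r.get("IN", ""), r["SRC"])] += 1
        if r.get("PROTO") in ("TCP", "UDP") and r.get("DPT", "").isdigit():
            ports[r["SRC"]].add(int(r["DPT"]))
    scanners = sorted(src for src, p in ports.items() if len(p) >= min_ports)
    return per_source, scanners


# Constructed sample log: three probes from one WAN source, two from a WLAN client, one non-ulogd line.
SAMPLE_LOG = """\
Mar  3 10:15:02 gpfw ulogd[812]: [REFUSED] IN=eth0 OUT= MAC=00:1c:42:00:00:01:00:50:56:a1:b2:c3:08:00 SRC=203.0.113.7 DST=198.51.100.20 LEN=60 TOS=00 PREC=0x00 TTL=49 ID=1021 DF PROTO=TCP SPT=41022 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:02 gpfw ulogd[812]: [REFUSED] IN=eth0 OUT= MAC=00:1c:42:00:00:01:00:50:56:a1:b2:c3:08:00 SRC=203.0.113.7 DST=198.51.100.20 LEN=60 TOS=00 PREC=0x00 TTL=49 ID=1022 DF PROTO=TCP SPT=41023 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:03 gpfw ulogd[812]: [REFUSED] IN=eth0 OUT= MAC=00:1c:42:00:00:01:00:50:56:a1:b2:c3:08:00 SRC=203.0.113.7 DST=198.51.100.20 LEN=60 TOS=00 PREC=0x00 TTL=49 ID=1023 DF PROTO=TCP SPT=41024 DPT=3389 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:16:40 gpfw ulogd[812]: [REFUSED] IN=wlan0 OUT= MAC=00:1c:42:00:00:02:3c:22:fb:11:22:33:08:00 SRC=192.168.50.23 DST=192.168.50.1 LEN=52 TOS=00 PREC=0x00 TTL=128 ID=7 DF PROTO=TCP SPT=50112 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
Mar  3 10:16:41 gpfw sshd[1500]: Accepted publickey for admin from 192.168.50.10 port 51000 ssh2
Mar  3 10:16:45 gpfw ulogd[812]: [REFUSED] IN=wlan0 OUT= MAC=00:1c:42:00:00:02:3c:22:fb:11:22:33:08:00 SRC=192.168.50.23 DST=192.168.50.1 LEN=32 TOS=00 PREC=0x00 TTL=128 ID=8 PROTO=UDP SPT=137 DPT=137 LEN=12
"""
```

Grouping by the IN= interface is what ties an entry back to the zone whose checkbox produced it; a WLAN client knocking on SMB and NetBIOS ports of the firewall itself is a different finding from an Internet host sweeping SSH, Telnet and RDP on the WAN address.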
The buttons at the bottom right of the editor panel depend on whether you change the
settings of the WAN zone or not. Click "Close" to shut the editor panel as long as no
changes have been made on it. When all settings are configured as required, click
"Save" to store your changes. Otherwise, click "Reset" to discard all changes.
Click " Activate" in the toolbar at the top of the desktop to apply your configuration
changes.
Physical Interfaces
Navigate to "WAN > WAN Zone > Physical Interfaces" to display and configure the
physical interfaces connected to the WAN zone.
Multiple interfaces can be connected to the WAN zone to set up multi-WAN (see also
Chapter 3.4.4.3, "Failover Settings", on page 82).
In the expanded view, the columns of the table display the "Physical Interface" that is
connected to the WAN zone (for example eth0) and the "Mode" used to establish the
connection (PPPoE, DHCP or Static). The "Failover" column indicates whether an
interface is configured for failover. For more information, see Chapter 3.4.4.3, "Failover
Settings", on page 82. The buttons in the last column allow you to view and adjust the
settings for a physical interface, create an interface based on a copy of an existing
physical interface or delete an interface from the WAN zone.
For further information, see Chapter 3.2, "Icons and Buttons", on page 21.
The WAN zone has to have at least one physical interface connected to it. Thus, the
last remaining interface cannot be deleted.
Multi-WAN Settings
Use the "Physical Interfaces" settings to configure the available physical interfaces and set up multi-WAN for your gateprotect Firewall.
Navigate to "WAN > WAN Zone > Physical Interfaces" to add a new physical interface
to the WAN zone or edit an existing one.
The "Physical Interface" settings allow you to configure the following elements:
Field | Description
"Name" | Displays the name of the WAN zone as specified under "WAN > WAN Zone".
"Comment" | Shows the comment as entered under "WAN > WAN Zone".
"NAT" | Displays the NAT settings as defined under "WAN > WAN Zone".
"MTU Size" | Set the maximum size of each packet (in bytes) for the WAN zone. The Maximum Transmission Unit can be any integer from 68 to 1500. Note: To customize the "MTU Size" successfully, you need to disable "Path MTU Discovery", because it would otherwise overwrite the "MTU Size". Click the blue link on the right of the input field to open "Firewall > System > Settings" and disable "Path MTU Discovery".
"Physical Interface" | For newly added interfaces only: From the drop-down list, select a free network interface (NIC) that is not currently associated with a zone.
"Mode" | For edited interfaces only: From the drop-down list, select the mode used to configure an IP address from the external network. The default setting is DHCP, that is, a public IP address is dynamically assigned to your gateprotect Firewall by an upstream server. You can adjust the settings to one of the other values as necessary (see below).
"MAC Address Override" | Optional: Choose whether to use the default MAC address of your gateprotect Firewall, or specify a different address.
If you change the "Mode" from DHCP to PPPoE or Static, additional settings become
available (see below).
Use the PPPoE mode to connect via Point-to-Point Protocol over Ethernet. PPPoE is
typically used to share a broadband connection, such as a single DSL line or cable
modem.
Field | Description
"Username" | Enter the user name required to connect to your Internet service provider.
"Password" | Enter the password required to connect to your Internet service provider.
"Show Password" | Optional: Select the checkbox to verify the password.
"Local IP" | Optional: Enter your local IP address.
"Peer IP" | Optional: Enter the IP address of the peer.
"MRU" | Optional: Set the maximum receive unit.
"MTU" | Optional: Set the maximum transmission unit.
"LCP" | This checkbox is cleared by default. Select the checkbox to enable the Link Control Protocol to check and configure the connection. Important: This option has to be enabled to be able to establish the PPP connection.
"LCP Ping" | Optional: Set the LCP ping frequency.
"LCP Timeout" | Optional: Set the LCP time after which the LCP protocol is terminated.
Use the Static mode to specify a fixed IP address, subnet mask and gateway
address for your connection to the wide area network.
Field | Description
"IP Address" | Enter the static IP address that will be used for the WAN zone in CIDR notation (IP address followed by a slash »/« and the number of bits set in the subnet mask, for example 192.168.50.1/24).
"Alias IP Addresses" | Optional: Once you have entered the static IP address to be used for the WAN zone, you can enter as many alias IP addresses in CIDR notation for the static WAN interface as desired. Click the buttons behind the input field to add a new alias IP address or to remove an alias IP address.
"Gateway" | Specify the gateway address to be used.
"DNS Server 1" / "DNS Server 2" / "DNS Server 3" | Optional: When DHCP or PPPoE mode is selected for the WAN zone, gateprotect Firewall automatically uses the DNS settings provided by the external DHCP server or the PPP peer. For Static mode, you can specify up to three custom Domain Name System servers that resolve requests for host and domain names and provide the corresponding IP address.
The buttons at the bottom right of the editor panel depend on whether you add a new
physical interface to the WAN zone or edit an existing interface. For a newly configured
physical interface, click "Create" to add the interface to the list of available physical
interfaces or "Cancel" to discard your changes. To edit an existing interface, click
"Save" to store the reconfigured interface or "Reset" to discard your changes. You can
click "Close" to shut the editor panel as long as no changes have been made on it.
Click "Activate" in the toolbar at the top of the desktop to apply your configuration changes.
Interface Groups
If your license allows you to use multi-WAN, you can configure WAN load balancing by
creating WAN interface groups.
The current version allows you to activate either failover (see Chapter 3.4.4.3, "Failover
Settings", on page 82) or WAN load balancing, not both together.
Some services rely on your gateprotect Firewall being reachable under a specific IP
address. If you supplied the external IP address of a specific WAN interface to those
services, they might not work reliably or fail completely if your firewall uses WAN interface groups for load balancing. gateprotect Firewall offers automatic management of
DynDNS services to handle this issue. When configuring DynDNS, specify the external
IP addresses of those interfaces which should be communicated to your DynDNS provider and the order in which they should be used. Should an interface fail, gateprotect
Firewall updates the DynDNS settings automatically. For more information, see Chap-
ter 3.4.4.2, "DynDNS Accounts", on page 80.
Interface Groups Overview
Navigate to "WAN > WAN Zone > Interface Groups" to display the list of WAN interface
groups that are currently defined on the system in the item list bar.
In the expanded view, the left column of the table displays the "Name" of the WAN
interface group. The buttons in the last column allow you to view and adjust the settings for an existing interface group or delete a group from the system.
For further information, see Chapter 3.2, "Icons and Buttons", on page 21.
Interface Groups Settings
Under "WAN > WAN Zone > Interface Groups", you can add a new or edit an existing WAN interface group for load balancing.
The "Interface Group" settings allow you to configure the following elements:
Field | Description
"Name" | Enter a unique name for the WAN interface group.
"Weight" | Specify how much of the Internet traffic routed through the interface group should be handled by the interface by entering a value from 1 to 256. The higher the value, the higher the percentage of the Internet traffic routed through that interface. Setting the same value for all interfaces results in equal traffic distribution across all interfaces.
"Interface" | From the drop-down list, select the interfaces which should belong to the interface group and click "Add". You can edit or delete each single entry in the list by clicking the appropriate button next to an entry.
The buttons at the bottom right of the editor panel depend on whether you add a new
WAN interface group or edit an existing group. For a newly configured WAN interface
group, click "Create" to add the group to the list of available interface groups or "Cancel" to reject the creation of the new group. To edit an existing interface group, click
"Save" to store the reconfigured group or "Reset" to discard your changes. You can
click "Close" to shut the editor panel as long as no changes have been made on it.
Click "Activate" in the toolbar at the top of the desktop to apply your configuration changes.
3.4.4.5 Port Forwarding
gateprotect Firewall supports "Port Forwarding" rules, which can be defined to forward
connections from a source port range to a given IP address and target port range for a
specific zone.
Port forwarding can be used to redirect all incoming traffic arriving on a specific port to
the specified target port of an internal server. For example, gateprotect Firewall can be
configured to redirect ports 80 and 443 to an internal web server and forward the ports
for mail-related protocols, such as SMTP, IMAP, POP and so forth, to another machine
(the internal mail server).
Port forwarding is performed in the WAN zone. This approach can be used regardless
of whether the WAN zone is configured with a static IP address or a dynamically allocated address. When traffic is received for a port in a certain range, it will be routed to
the specified target IP address and port. For example, if a port forwarding rule is
defined to forward ports 1000-1100 to an internal server on ports 2000-2100, any traffic
received for port 1000 will be sent to port 2000 of the internal server, traffic for port
1001 to port 2001 and so forth.
For port forwarding, "NAT" must be enabled in the WAN zone settings. For further information, see "WAN Zone Settings" on page 85.
Port Forwarding Overview
Navigate to "WAN > Port Forwarding" to display the list of port forwarding rules that are
currently defined on the system in the item list bar.
In the expanded view, the columns of the table display the "Name" of the port forwarding rule, its "Source Range", "Target Range", related "Target IP" and its "State"
(active or not). The buttons in the last column allow you to view and adjust the settings
for an existing port forwarding rule, create a rule based on a copy of an existing port
forwarding rule or delete a rule from the system.
For further information, see Chapter 3.2, "Icons and Buttons", on page 21.
Port Forwarding Settings
Under "WAN > Port Forwarding", you can add a new or edit an existing port forwarding rule.
The "Port Forwarding" settings allow you to configure the following elements:
Field | Description
"On" / "Off" | A slider switch indicates whether the port forwarding rule is active ("On") or inactive ("Off"). By clicking the slider switch, you can toggle the state of the port forwarding rule. A new port forwarding rule is enabled by default.
"Name" | Enter a unique name for the port forwarding rule.
"Zone" | From the drop-down list, select the zone to which this port forwarding rule should apply.
"Source Port Range" | Enter a single port (for example 800) or a port range using a hyphen '-' character (for example 800-810) as the source.
"Target Port Range" | Enter a single port (for example 900) or a port range using a hyphen '-' character (for example 900-910) as the destination.
"Target IP" | Enter a valid IP address from within the selected zone.
"Protocols" | Select the protocols ("TCP" / "UDP") for which the rule should be used. At least one protocol has to be selected.
The buttons at the bottom right of the editor panel depend on whether you add a new
port forwarding rule or edit an existing rule. For a newly configured port forwarding rule,
click "Create" to add the rule to the list of available port forwarding rules or "Cancel" to
reject the creation of the new rule. To edit an existing rule, click "Save" to store the
reconfigured rule or "Reset" to discard your changes. You can click "Close" to shut the
editor panel as long as no changes have been made on it.
Click "Activate" in the toolbar at the top of the desktop to apply your configuration changes.
3.4.4.6 IP Forwardings
gateprotect Firewall supports "IP Forwardings" , which can be used to publish services
provided by an internal server to the Internet without assigning a public IP address to
this server. The server's internal IP address is transparently mapped to a public IP
address.
IP forwarding rules redirect all incoming traffic for the WAN zone's public IP address to
an internal IP address.
For IP forwarding, NAT must be enabled in the WAN zone settings. For further information, see "WAN Zone Settings" on page 85.
IP forwarding can only work if the WAN IP address is configured as a static IP address (no DHCP/PPPoE). For further information, see "Multi-WAN Settings" on page 86.
IP Forwarding Overview
Navigate to "WAN > IP Forwardings" to display the list of IP forwarding rules that are
currently defined on the system in the item list bar.
In the expanded view, the columns of the table display the "Name" and the "State"
(active or not) of the IP forwarding rule. The buttons in the last column allow you to
view and adjust the settings for an existing IP forwarding rule, create a rule based on a
copy of an existing IP forwarding rule or delete a rule from the system.
For further information, see Chapter 3.2, "Icons and Buttons", on page 21.
IP Forwarding Settings
Under "WAN > IP Forwardings", you can add a new or edit an existing IP forwarding rule.
Before creating an IP forwarding rule, you must first configure custom hosts for the
public IP address in the WAN zone and for the private IP address of the internal target
(destination host). See Chapter 3.4.5.1, "Custom Hosts", on page 94 for more information.
Figure 3-16: Sample IP forwarding rule settings.
The "IP Forwarding" settings allow you to configure the following elements:
Field | Description
"On" / "Off" | A slider switch indicates whether the IP forwarding rule is active ("On") or inactive ("Off"). By clicking the slider switch, you can toggle the state of the IP forwarding rule. A new IP forwarding rule is enabled by default.
"Name" | Enter a unique name for the IP forwarding rule.
"Forwarded IP" | From the drop-down list with all available static IP addresses for the WAN zone, select the custom host (the public IP address) that you want to forward.
"Destination Zone" | From the drop-down list, select the zone in which the destination host (the internal IP address) is located.
"Destination Host" | From the drop-down list with all available IP addresses for the destination zone, select the custom host to which the traffic should be forwarded (the internal IP address).
The buttons at the bottom right of the editor panel depend on whether you add a new
IP forwarding rule or edit an existing rule. For a newly configured IP forwarding rule,
click "Create" to add the rule to the list of available IP forwarding rules or "Cancel" to
reject the creation of the new rule. To edit an existing rule, click "Save" to store the
reconfigured rule or "Reset" to discard your changes. You can click "Close" to shut the
editor panel as long as no changes have been made on it.
Click "Activate" in the toolbar at the top of the desktop to apply your configuration changes.
3.4.4.7 Policy Based Routes
Policy-based routing can be used to specify which traffic should go out of which interface or interface group of the WAN zone to a certain custom host or network.
Policy Based Routes Overview
Navigate to "WAN > Policy Based Routes" to display the list of policy-based routes that
are currently defined on the system.
The plus button above the filter settings allows you to add new policy-based routes.
The "Filter Settings" allow you to narrow the list of results in the table to display only entries that include a certain search string. You can filter the contents by choosing the required options in the drop-down menu and/or entering search strings in the respective input fields. Click "Apply" to apply the selected filter options. The list of policy-based routes is adjusted to reflect your filter results. Click "Reset" to delete the selected filter options and display an unfiltered view of the list of policy-based routes.
The table columns of the policy-based routes list display whether the policy-based
route is active or not, the "Name" of the route and the selectors that can be used to
define which traffic should go out of which interface or interface group of the WAN
zone. The buttons in the right column allow you to view and adjust the settings for an
existing policy-based route, create a route based on a copy of an existing policy-based
route or delete a route from the system.
For further information, see Chapter 3.2, "Icons and Buttons", on page 21.
To close the "Policy Based Routes" panel, click the button in the upper right corner of the panel.
Policy Based Routes Settings
Under "WAN > Policy Based Routes", you can add a new or edit an existing policy-based route.
The "Policy Based Route" settings allow you to configure the following elements:
Field | Description
"On" / "Off" | A slider switch indicates whether the policy-based route is active ("On") or inactive ("Off"). By clicking the slider switch, you can toggle the state of the policy-based route. A new policy-based route is enabled by default.
"Name" | Enter a unique name for the policy-based route.
"Routing Target" | From the drop-down list, select from which interface or interface group in the WAN zone the traffic should be sent out.
"Source Address" | Optional: From the drop-down list, select a custom host or custom network. For more information, see Chapter 3.4.5, "Nodes", on page 94.
"Destination Address" | Optional: From the drop-down list, select a custom host or custom network. For more information, see Chapter 3.4.5, "Nodes", on page 94.
"Protocol" | Select the transport protocol to be used (Any, TCP, or UDP).
"Source Ports" | Optional and only available if the selected "Protocol" is not Any: To apply the policy-based route only to traffic originating from a certain source port, specify a single port or a port range where the start port number is lower than the end port number.
"Destination Ports" | Optional and only available if the selected "Protocol" is not Any: To apply the policy-based route only to traffic being transmitted to a specified destination, specify a single port or a port range where the start port number is lower than the end port number.
"DiffServ" | Optional: Enter a Type of Service (ToS) value.
As you add a new policy-based route, the new route is automatically inserted in the list of available policy-based routes according to the following sorting rules. The optional selectors, in descending order of importance, are:
1. "Destination Ports"
2. "Protocol"
3. "DiffServ"
4. "Destination Address"
5. "Source Address"
6. "Source Ports"
When a new route is added, the system compares the selectors according to the following rules:
● the system starts comparing two routes with the selector of highest importance (see list above)
● if the value of a selector is empty, the selector is skipped
● if the value of the same selector is equal in both routes, the system goes on to compare the selector of next highest importance
● if the value of the same selector is different in both routes, the route with the more important value in that selector gets higher priority
The values of single selectors have the following order of importance:
● "Destination Ports":
  – a single port takes priority over a port range
  – smaller single ports and ranges take priority over larger single ports and ranges
● "Protocol":
  – UDP takes priority over TCP
  – TCP takes priority over Any
● "DiffServ":
  – a higher ToS value takes priority over a lower ToS value
● "Destination Address":
  – a host (xxx.xxx.xxx.xxx/32) takes priority over a subnet (xxx.xxx.xxx.xxx/24)
  – a subnet (xxx.xxx.xxx.xxx/24) takes priority over a default route (xxx.xxx.xxx.xxx/0)
● "Source Address":
  – a host (xxx.xxx.xxx.xxx/32) takes priority over a subnet (xxx.xxx.xxx.xxx/24)
  – a subnet (xxx.xxx.xxx.xxx/24) takes priority over a default route (xxx.xxx.xxx.xxx/0)
● "Source Ports":
  – a single port takes priority over a port range
  – smaller single ports and ranges take priority over larger single ports and ranges
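The sorting rules above, modelled as an added example that is not code from the manual or from the gateprotect product: a Python comparator that orders routes by the six selectors and generalises the address rule to "longer prefix wins". The dict layout of a route, the "start-end" port syntax, the tie break for ranges (narrower range first, then lower start port) and the reading that a selector which is empty in either route is skipped are this example's assumptions.

```python
"""Model of how gateprotect Firewall sorts policy-based routes.

Added example, not code from the product or the manual. It ranks routes by
the six optional selectors in the order of importance the manual gives.
Assumptions (not stated on the page): routes are plain dicts; a port range
is written "start-end"; a narrower range beats a wider one, with the lower
start port as tie break; a selector empty in either route is skipped.
"""
from functools import cmp_to_key
from ipaddress import ip_network

# Descending order of importance of the selectors (from the manual).
SELECTOR_ORDER = (
    "destination_ports",
    "protocol",
    "diffserv",
    "destination_address",
    "source_address",
    "source_ports",
)

# UDP takes priority over TCP, TCP over Any (lower rank = higher priority).
PROTOCOL_RANK = {"udp": 0, "tcp": 1, "any": 2}


def port_key(value):
    """Lower key = higher priority: a single port beats a range, smaller
    single ports beat larger ones, narrower ranges beat wider ones."""
    if "-" in value:
        start, end = (int(p) for p in value.split("-", 1))
        if start >= end:  # the manual requires start < end
            raise ValueError(f"start port must be lower than end port: {value}")
        return (1, end - start + 1, start)
    return (0, 1, int(value))


def address_key(value):
    """Lower key = higher priority: a /32 host beats a /24 subnet, which
    beats a /0 default route, generalised to 'longer prefix wins'."""
    return -ip_network(value, strict=False).prefixlen


def diffserv_key(value):
    """A higher ToS value takes priority, so negate it."""
    return -int(value)


def protocol_key(value):
    return PROTOCOL_RANK[value.lower()]


KEY_FUNCS = {
    "destination_ports": port_key,
    "source_ports": port_key,
    "protocol": protocol_key,
    "diffserv": diffserv_key,
    "destination_address": address_key,
    "source_address": address_key,
}


def compare_routes(a, b):
    """Return -1 if route a is listed before (has priority over) b,
    1 if after, 0 if every selector is equal or skipped."""
    for selector in SELECTOR_ORDER:
        va, vb = a.get(selector), b.get(selector)
        if not va or not vb:
            continue  # empty selector: skipped (assumption: empty in either)
        ka, kb = KEY_FUNCS[selector](va), KEY_FUNCS[selector](vb)
        if ka == kb:
            continue  # equal: go on to the next most important selector
        return -1 if ka < kb else 1
    return 0


def sort_routes(routes):
    """Return the route names in the order the firewall would list them."""
    ordered = sorted(routes, key=cmp_to_key(compare_routes))
    return [route["name"] for route in ordered]


# Constructed sample routes; addresses are documentation ranges, not real.
SAMPLE_ROUTES = [
    {"name": "default-via-wan1", "routing_target": "wan1",
     "protocol": "any", "destination_address": "0.0.0.0/0"},
    {"name": "voip-udp", "routing_target": "wan2",
     "protocol": "udp", "destination_ports": "5060-5061"},
    {"name": "https-to-host", "routing_target": "wan1",
     "protocol": "tcp", "destination_ports": "443",
     "destination_address": "203.0.113.10/32"},
    {"name": "branch-subnet", "routing_target": "wan2",
     "protocol": "any", "destination_address": "198.51.100.0/24"},
]

if __name__ == "__main__":
    # Expected: https-to-host, voip-udp, branch-subnet, default-via-wan1
    for name in sort_routes(SAMPLE_ROUTES):
        print(name)
```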
The buttons at the bottom right of the editor panel depend on whether you add a new
policy-based route or edit an existing route. For a newly configured policy-based route,
click "Create" to add the route to the list of available policy-based routes or "Cancel" to
reject the creation of the new route. To edit an existing route, click "Save" to store the
reconfigured route or "Reset" to discard your changes. You can click "Close" to shut
the editor panel as long as no changes have been made on it.
Click "Activate" in the toolbar at the top of the desktop to apply your configuration changes.
For examples of how policy-based routes are automatically sorted, see Chapter 4.8,
"Sorting Policy-Based Routes", on page 150.
3.4.5 Nodes
Under "Nodes", you can see, in tabular form, the objects that appear as nodes in the overview of your entire configured network on the desktop.
3.4.5.1 Custom Hosts
Navigate to "Nodes > Custom Hosts" to display the list of custom hosts that are currently defined on the system in the item list bar and to create hosts.
A custom host (for example a printer or a VoIP phone) can be assigned a dedicated IP
address so that firewall rules can be specifically applied to it. Custom hosts are displayed as nodes on the desktop.
In the expanded view, the columns of the table display the "Name", "Zone" and "IP"
address of the hosts. The buttons in the last column allow you to view and adjust the
settings for an existing custom host, create a host based on a copy of an existing custom host or delete a host from the system.
Under "Nodes > Custom Hosts", you can add a new or edit an existing custom host.
The "Custom Hosts" settings allow you to configure the following elements:
Field | Description
"Name" | Enter a unique name for the custom host.
"IP Address" | Enter the IP address of this host.
The buttons at the bottom right of the editor panel depend on whether you add a new
custom host or edit an existing host. For a newly configured custom host, click "Create"
to add the host to the list of available custom hosts or "Cancel" to discard your
changes. To edit an existing custom host, click "Save" to store the reconfigured host or
"Reset" to discard your changes. You can click "Close" to shut the editor panel as long
as no changes have been made on it.
3.4.5.2 Network Groups
A network group can include one or multiple network objects (for example, custom hosts or custom networks) that are connected to the same zone. This lets you define one common firewall ruleset for the whole group, which makes large rulesets easier to handle.
Navigate to "Nodes > Network Groups" to display the list of network groups that are
currently defined on the system in the item list bar.
In the expanded view, the columns of the table display the "Name" of the network
group and the "Zone" that the group is associated with. The buttons in the last column
allow you to view and adjust the settings for an existing network group, create a group
based on a copy of an existing network group or delete a group from the system.
The "Network Group" settings allow you to configure the following elements:
Field | Description
"Name" | Enter a unique name for the network group.
"Description" | Optional: The information given here is for internal use for the administrator only.
"Zone" | From the drop-down list, select the zone that you want the network group to be associated with. Note: As long as a network group is associated with a zone, you cannot change the IP address or the netmask of this zone.
"Members" | Optional: Select the members that you want to be associated with the network group. Only members that are associated with the same zone as the network group can be selected. Tip: One member can be part of multiple groups. Two network groups can contain the same set of members. Note: As long as a member is associated with a network group, this member cannot be deleted or moved to another zone.
The buttons at the bottom right of the editor panel depend on whether you add a new
network group or edit an existing group. For a newly configured network group, click
"Create" to add the group to the list of available network groups or "Cancel" to discard
your changes. To edit an existing network group, click "Save" to store the reconfigured
group or "Reset" to discard your changes. You can click "Close" to shut the editor
panel as long as no changes have been made on it.
The network groups defined here are displayed as nodes on the desktop. When you
assign a member to a network group, a copy of the member's desktop node is added
to the group.
Only the original network object can be edited or deleted, not the copy of the desktop
node.
Nodes of network groups are collapsed on the desktop by default. You can expand the view and see the members associated with a network group by clicking the expand button in the circular menu around the node of the network group. To collapse the view, click the collapse button.
The network groups are available for use as source and/or destination in custom firewall rules as described under Chapter 3.3, "Firewall Rule Settings", on page 22.
3.4.5.3 Custom Networks
Navigate to "Nodes > Custom Networks" to display the list of available subnets that are
currently defined on the system in the item list bar.
Similar in purpose to zones, subnets can be used as sources and/or destinations to
apply firewall rules and web filters to multiple computers. Custom networks are displayed as nodes on the desktop.
In the expanded view, the table shows the "Name" and the IP address of the respective subnet. The buttons in the last column allow you to view and adjust the settings for
an existing custom network, create a subnet based on a copy of an existing custom
network or delete a subnet from the system.
Under "Nodes > Custom Networks", you can add a new or edit an existing custom network.
The "Custom Network" settings allow you to configure the following elements:
Field | Description
"Name" | Enter a unique name for the subnet. The name must consist of 3 to 100 alphanumeric characters (allowed are letters of the English alphabet, integers, dashes, and underscores).
"Subnet" | Enter a valid CIDR subnet address (IP address followed by a slash »/« and the number of bits set in the subnet mask, for example 192.168.50.1/24).
The buttons at the bottom right of the editor panel depend on whether you add a new
custom network or edit an existing subnet. For a newly configured custom network,
click "Create" to add the subnet to the list of available custom networks or "Cancel" to
discard your changes. To edit an existing custom network, click "Save" to store the
reconfigured subnet or "Reset" to discard your changes. You can click "Close" to shut
the editor panel as long as no changes have been made on it.
3.4.6 UTM
The "UTM" (»Unified threat management«) settings allow you to define the handling
of protocol validation and to configure the Intrusion Prevention/Detection System, web
filter profiles and antispam, antivirus and mail filter policies that protect your network.
3.4.6.1 Invalid Protocols
You can select which protocols are to be validated and how network traffic is to be
handled if protocol validation fails.
Navigate to "UTM > Invalid Protocols" to display the list of protocols that are currently
available on the system for validation in the item list bar.
In the expanded view, the columns of the table display the name of the "Protocol" , the
"Action" settings that are currently associated with it and whether an alert has been
enabled or not. The button in the last column allows you to view and edit the settings
for a protocol.
The protocol settings allow you to configure the following elements:
Field | Description
"Action" | Select one of the following actions:
  ● "Continue" – protocol validation is ignored and traffic passes through unchanged (selected by default)
  ● "Drop" – invalid traffic is silently dropped
  ● "Reject" – invalid traffic is actively rejected
"Enable Alert" | Optional: Select this checkbox to specify an alert message for any of the actions.
"Alert Message" | Optional and only available if you selected "Enable Alert": Enter your alert message.
If you modify the settings, click "Save" to store your changes or "Reset" to discard
them. Otherwise, click "Close" to shut the editor panel.
Click "Activate" in the toolbar at the top of the desktop to apply your configuration changes.
3.4.6.2 IPS/IDS Profiles
The Intrusion Prevention/Detection System (or »IPS/IDS«) maintains a database of known threats to protect the computers on your network from a wide range of hostile attack scenarios, generates alarms when any such threats are detected and terminates communication from hostile sources.
The threat database consists of categories which include either intrusion detection system (»IDS«) rules which allow you to monitor suspicious activities on the network or
intrusion prevention system (»IPS«) rules that detect real attacks. For detailed information on these categories, see Emerging Threats FAQ.
For more detailed information on IPS/IDS profiles, see the following sections.
IPS/IDS Profiles Overview
Navigate to "UTM > IPS/IDS Profiles" to display the list of IPS/IDS rule sets that are
currently defined on the system in the item list bar.
In the expanded view, the first column of the table displays the "Name" of the IPS/IDS
profile. The buttons in the last column allow you to view and adjust the settings for an
existing IPS/IDS profile, create a profile based on a copy of an existing IPS/IDS profile
or delete a profile from the system.
For further information, see Chapter 3.2, "Icons and Buttons", on page 21.
IPS/IDS Profiles Settings
Use the "IPS/IDS Profiles" settings to configure custom rule sets.
You are not able to configure IPS/IDS profiles until you have installed the IPS license
module update. For further information, see Chapter 3.4.1.3, "Updates", on page 33.
Under "UTM > IPS/IDS Profiles", you can add a new or edit an existing IPS/IDS profile.
The "IPS/IDS Profile" settings allow you to configure the following elements:
Field | Description
"Name" | Enter a name for the IPS/IDS profile.
"Action" | Select the desired action from the drop-down list. When the action is set to Continue and an IPS/IDS rule matches, access to the item is permitted. When the action is set to Reject, access to the item is denied.
"Alert Level" | You can select one of the following alert levels from the drop-down list:
  ● emergency – system is unusable (highest priority)
  ● alert – action must be taken immediately
  ● critical – critical conditions
  ● error – error conditions
  ● warning – warning conditions
  ● notice – normal but significant conditions
  ● info – informational messages
  ● debug – any messages that do not fit into the other alert levels (lowest priority)
"Block Source" | With Reject, the block source time option allows you to specify (in minutes or hours) how long to block the machine that initiated the communication if an IPS/IDS rule matches.
The threat database is displayed in tabular form. The table contains categories of intrusion detection system (»IDS«) rules which allow you to monitor suspicious activities on
the network and intrusion prevention system (»IPS«) rules that detect real attacks.
Figure 3-17: Selecting IPS/IDS rules.
Each category contains individual rules that are interrelated. If you select the checkbox
of one of the categories, all its rules are applied automatically. When you click the
icon next to a category's name, the table is expanded. It then displays all the rules that
belong to this category along with a description of the rule. Clear the checkbox next to
any rule to exclude it from the rule set. The checkbox next to the category's name then
changes from to .
The search field on top of the table helps you to find individual rules faster. To return to
the overview of the categories, click the icon on the right-hand side of the search field.
The buttons at the bottom right of the editor panel depend on whether you add a new
IPS/IDS profile or edit an existing profile. For a newly configured profile, click "Create"
to add the profile to the list of available IPS/IDS profiles or "Cancel" to discard your
changes. To edit an existing profile, click "Save" to store the reconfigured profile or
"Reset" to discard your changes. You can click "Close" to shut the editor panel as long
as no changes have been made on it.
Click "Activate" in the toolbar of the desktop to apply your configuration changes if
the edited IPS/IDS profile is already associated with a firewall rule.
The IPS/IDS profiles defined here are available for use in custom firewall rules as
described under Chapter 3.3, "Firewall Rule Settings", on page 22.
By selecting the "IDS/IPS" checkbox in firewall rules, the rules of all configured
IPS/IDS profiles are applied. It is not possible to select a single profile for a specific
firewall rule in this release version. If profiles containing the same IDS or IPS rule but
with different action settings are created, the action setting of the lowest profile that
contains this IDS or IPS rule is applied to the firewall rule where IPS/IDS has been
enabled. The necessary improvements will follow in a later release.
The information in the database is updated in regular intervals based on the license
status and update settings described in Chapter 3.4.1.3, "Updates", on page 33. If an
IPS update contains new rules for a selected category, these rules are automatically
applied.
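The precedence rule above (all profiles apply, the lowest profile wins for a shared rule) together with the "Action", "Alert Level" and "Block Source" settings can be modelled as a small configuration check. The following is an added example, not gateprotect code: it assumes profiles are evaluated in list order and that "Block Source" simply starts a per-source timer; profile names, rule ids, addresses and durations are constructed sample values.

```python
"""Overlapping IPS/IDS profiles: which action applies when a rule matches?

Added example, not gateprotect code. It models the behaviour described in the
manual: every configured profile applies once "IDS/IPS" is enabled on a
firewall rule, and when several profiles contain the same rule with different
actions, the lowest profile in the list wins. Profile names, rule ids, source
addresses and durations are constructed sample values.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Alert levels from the profile settings, highest priority first.
ALERT_LEVELS = ("emergency", "alert", "critical", "error",
                "warning", "notice", "info", "debug")


def meets_threshold(level: str, minimum: str) -> bool:
    """True if `level` is at least as severe as `minimum` (e.g. for a SIEM filter)."""
    return ALERT_LEVELS.index(level) <= ALERT_LEVELS.index(minimum)


@dataclass
class IpsProfile:
    name: str
    action: str                 # "Continue" or "Reject"
    alert_level: str            # one of ALERT_LEVELS
    block_source_minutes: int   # "Block Source" time; only used with Reject
    rules: Set[str]             # rule ids selected from the threat database


def effective_profiles(profiles: List[IpsProfile]) -> Dict[str, IpsProfile]:
    """Map every selected rule id to the profile whose action applies.

    `profiles` is the list in top-to-bottom order; iterating in order and
    letting later entries overwrite earlier ones makes the lowest profile win.
    """
    winner: Dict[str, IpsProfile] = {}
    for profile in profiles:
        for rule_id in profile.rules:
            winner[rule_id] = profile
    return winner


def find_conflicts(profiles: List[IpsProfile]) -> List[Tuple[str, List[str]]]:
    """List rules that appear in several profiles with differing actions.

    A rule that is "Reject" in one profile and "Continue" in a lower one ends
    up permitted, so this is worth checking before enabling IDS/IPS on a rule.
    """
    seen: Dict[str, List[IpsProfile]] = {}
    for profile in profiles:
        for rule_id in profile.rules:
            seen.setdefault(rule_id, []).append(profile)
    conflicts = []
    for rule_id, owners in sorted(seen.items()):
        if len({p.action for p in owners}) > 1:
            conflicts.append((rule_id, [p.name for p in owners]))
    return conflicts


class BlockList:
    """Tracks sources blocked by "Block Source" until their timer expires.

    Times are plain epoch seconds (floats) to keep the model simple.
    """

    def __init__(self) -> None:
        self._blocked_until: Dict[str, float] = {}

    def handle_match(self, rule_id: str, src_ip: str,
                     profiles: List[IpsProfile], now: float) -> str:
        """Apply the effective action for a hit on `rule_id` from `src_ip`."""
        profile = effective_profiles(profiles).get(rule_id)
        if profile is None:
            return "no-rule"
        if profile.action == "Continue":
            return "continue"       # access permitted, event still logged
        self._blocked_until[src_ip] = now + profile.block_source_minutes * 60
        return "reject"

    def is_blocked(self, src_ip: str, now: float) -> bool:
        until = self._blocked_until.get(src_ip)
        return until is not None and now < until


# Constructed sample configuration: rule 2002 is in both profiles.
SAMPLE_PROFILES = [
    IpsProfile("office-monitor", "Continue", "notice", 0, {"2001", "2002"}),
    IpsProfile("server-protect", "Reject", "critical", 30, {"2002", "2003"}),
]

if __name__ == "__main__":
    for rule_id, names in find_conflicts(SAMPLE_PROFILES):
        print(f"rule {rule_id} has differing actions in {names}")
    bl = BlockList()
    t0 = 1_700_000_000.0
    print(bl.handle_match("2002", "192.0.2.10", SAMPLE_PROFILES, t0))
    print(bl.is_blocked("192.0.2.10", t0 + 10 * 60))
```

Running `find_conflicts` over the configured profiles before activating a firewall rule with "IDS/IPS" set shows exactly which rules are affected by the lowest-profile-wins behaviour; in the constructed sample, rule 2002 is rejected only because the "Reject" profile sits below the "Continue" one.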
3.4.6.3 Web Filter Profiles
Web filter profiles determine which websites are available to computers on the protected network.
The web filter function of your gateprotect Firewall checks Internet addresses (URL,
Uniform Resource Locator consisting of server name, path and filenames) received in
the HTTP traffic for allowed and/or not allowed terms according to their classification in
the black- and whitelists.
A »blacklist« approach defines a list of sites to block and grants access to all sites that
have not been explicitly forbidden. For example, if the URL of a website is on a blacklist, access to this site is blocked. Therefore, with the category "Interests" being blacklisted, the URL http://www.amazon.de is blocked.
In blacklist mode, the web filter triggers a »Reject« action if the requested host
matches any from the "Hostname Blacklist". If a warning page has been configured,
the user will be directed to it. For all the hosts which do not match any from the "Hostname
Blacklist", the web filter passes the request on to the firewall rule in which the
web filter profile concerned has been activated.
A »whitelist« approach can be used to limit access to a list of sites that have specifically been approved for usage and block all others. For example, if the subcategory
"Shopping" is on the blocking list but you want to allow access to the URL
http://www.amazon.de, this URL must be entered into a whitelist.
In whitelist mode, the web filter passes the request on to the firewall rule in which the
web filter profile concerned has been activated if the host matches any from the "Hostname
Whitelist", and the firewall rule is applied. For all the hosts which do not match
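The blacklist and whitelist modes described above, written out as decision logic. This is an added example, not gateprotect code: it assumes that a hostname-list entry matches the exact host or any subdomain of it, and that in whitelist mode a host outside the "Hostname Whitelist" is rejected (the manual only says the request "matches any from" the list). All hostnames are constructed sample values except www.amazon.de, which the manual itself uses; the warning page URL is a placeholder.

```python
"""Blacklist and whitelist modes of a web filter profile, as decision logic.

Added example, not gateprotect code. Assumptions: a list entry matches the
exact host or any subdomain of it, and in whitelist mode an unlisted host is
rejected. Hostnames are constructed sample values except www.amazon.de, which
the manual uses; the warning page URL is a placeholder.
"""
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple
from urllib.parse import urlsplit


def normalise_host(host: str) -> str:
    """Lower-case and strip a trailing dot so 'WWW.Example.COM.' still matches."""
    return host.lower().rstrip(".")


def host_matches(host: str, entries: Set[str]) -> bool:
    """True if `host` equals a list entry or is a subdomain of one.

    Comparing whole labels (not substrings) keeps 'www.amazon.de.example.net'
    from matching the entry 'amazon.de'.
    """
    host = normalise_host(host)
    for entry in entries:
        entry = normalise_host(entry)
        if host == entry or host.endswith("." + entry):
            return True
    return False


@dataclass
class WebFilterProfile:
    mode: str                                   # "blacklist" or "whitelist"
    hostname_blacklist: Set[str] = field(default_factory=set)
    hostname_whitelist: Set[str] = field(default_factory=set)
    warning_page: Optional[str] = None          # shown on Reject if configured


def evaluate(profile: WebFilterProfile, url: str) -> Tuple[str, Optional[str]]:
    """Return ("reject", warning_page) or ("firewall-rule", None).

    "firewall-rule" means the request is passed on to the firewall rule in
    which this profile is activated; "reject" means the web filter stops it.
    The host is taken from the parsed URL, never from a substring search.
    """
    host = urlsplit(url).hostname or ""
    if profile.mode == "blacklist":
        if host_matches(host, profile.hostname_blacklist):
            return ("reject", profile.warning_page)
        return ("firewall-rule", None)
    if profile.mode == "whitelist":
        if host_matches(host, profile.hostname_whitelist):
            return ("firewall-rule", None)
        return ("reject", profile.warning_page)   # assumption: unlisted = blocked
    raise ValueError(f"unknown mode {profile.mode!r}")


# Constructed sample profiles.
BLACKLIST_PROFILE = WebFilterProfile(
    mode="blacklist",
    hostname_blacklist={"amazon.de"},
    warning_page="https://firewall.example/blocked",   # placeholder URL
)
WHITELIST_PROFILE = WebFilterProfile(
    mode="whitelist",
    hostname_whitelist={"www.amazon.de"},
)

if __name__ == "__main__":
    for url in ("http://www.amazon.de/", "http://www.example.org/",
                "http://www.amazon.de.example.net/"):
        print(url, evaluate(BLACKLIST_PROFILE, url), evaluate(WHITELIST_PROFILE, url))
```

The subdomain test in `host_matches` is the part worth copying into any list-based filter: a plain substring check would both over-block (any host merely containing "amazon.de") and let an unrelated domain that embeds the listed name pass as if it were the listed host.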