Rohde & Schwarz GP-E, GP-S User Manual

R&S®GP-E/GP-S gateprotect Firewall
User Manual
v16.2.1 ─ 01
This document describes the following R&S®gateprotect Firewall models:
R&S®gateprotect Firewall GP-E
R&S®gateprotect Firewall GP-S
© 2017 R&S Cybersecurity gateprotect GmbH Augustusplatz 9, 04109 Leipzig, Germany Phone: +49 (0) 341 392 993 43-0 Fax: +49 (0) 341 392 993 43-9 E-mail: cybersecurity@rohde-schwarz.com Internet: https://cybersecurity.rohde-schwarz.com Printed in Germany – Subject to change – Data without tolerance limits is not binding.
R&S® is a registered trademark of Rohde & Schwarz GmbH & Co. KG. Trade names are trademarks of the owners.
The following abbreviations are used throughout this manual: R&S®gateprotect Firewall is indicated as gateprotect Firewall.
R&S®GP-E/GP-S
Contents
1 About This Manual.................................................................................9
1.1 Audience........................................................................................................................ 9
1.2 What’s in This Manual................................................................................................ 10
1.3 Conventions................................................................................................................ 10
1.4 Related Resources......................................................................................................11
1.5 About Rohde & Schwarz Cybersecurity................................................................... 11
2 Getting Started..................................................................................... 13
2.1 Logging On.................................................................................................................. 13
2.2 Resetting the Hardware.............................................................................................. 14
3 User Interface....................................................................................... 17
3.1 Web Interface Components........................................................................................17
3.1.1 Header Area..................................................................................................................18
3.1.2 Navigation Pane............................................................................................................19
3.1.3 Desktop......................................................................................................................... 19
3.2 Icons and Buttons.......................................................................................................21
3.3 Firewall Rule Settings.................................................................................................22
3.4 Menu Reference.......................................................................................................... 29
3.4.1 Firewall..........................................................................................................................29
3.4.1.1 Status............................................................................................................................ 29
3.4.1.2 Reports..........................................................................................................................30
3.4.1.3 Updates.........................................................................................................................33
3.4.1.4 Backup.......................................................................................................................... 34
3.4.1.5 Local Logs.....................................................................................................................38
3.4.1.6 Network Diagnostics..................................................................................................... 42
3.4.1.7 System.......................................................................................................................... 44
3.4.1.8 User Authentication.......................................................................................................47
3.4.1.9 License..........................................................................................................................53
3.4.1.10 Time Profiles................................................................................................................. 54
3.4.2 Network......................................................................................................................... 55
3.4.2.1 Firewall Rules................................................................................................................55
3.4.2.2 Static Routes.................................................................................................................56
3 User Manual v16.2.1 ─ 01
3.4.2.3 Syslog Servers.............................................................................................................. 58
3.4.2.4 SSL Proxy..................................................................................................................... 59
3.4.2.5 High Availability.............................................................................................................60
3.4.2.6 Support Access............................................................................................................. 63
3.4.2.7 FTC (Forensic Traffic Capture)..................................................................................... 64
3.4.2.8 NAT Rules.....................................................................................................................66
3.4.3 LAN............................................................................................................................... 68
3.4.3.1 Ethernet Zones..............................................................................................................68
3.4.3.2 WLAN Zones.................................................................................................................72
3.4.3.3 VLAN Zones..................................................................................................................76
3.4.4 WAN..............................................................................................................................78
3.4.4.1 Connection Monitoring.................................................................................................. 78
3.4.4.2 DynDNS Accounts........................................................................................................ 80
3.4.4.3 Failover Settings........................................................................................................... 82
3.4.4.4 WAN Zone.....................................................................................................................84
3.4.4.5 Port Forwarding.............................................................................................................89
3.4.4.6 IP Forwardings.............................................................................................................. 90
3.4.4.7 Policy Based Routes..................................................................................................... 92
3.4.5 Nodes............................................................................................................................94
3.4.5.1 Custom Hosts................................................................................................................94
3.4.5.2 Network Groups............................................................................................................ 95
3.4.5.3 Custom Networks..........................................................................................................96
3.4.6 UTM.............................................................................................................................. 97
3.4.6.1 Invalid Protocols............................................................................................................97
3.4.6.2 IPS/IDS Profiles............................................................................................................ 98
3.4.6.3 Web Filter Profiles.......................................................................................................100
3.4.6.4 Antispam Settings....................................................................................................... 103
3.4.6.5 Antivirus Settings........................................................................................................ 104
3.4.6.6 Mail Filter Settings.......................................................................................................105
3.4.7 VPN.............................................................................................................................107
3.4.7.1 IPsec........................................................................................................................... 108
3.4.7.2 OpenVPN.................................................................................................................... 117
3.4.8 Certificate Management.............................................................................................. 121
3.4.8.1 Certificates.................................................................................................................. 122
3.4.8.2 Templates................................................................................................................... 125
3.4.8.3 OCSP/CRL Settings....................................................................................................126
3.4.8.4 Truststore.................................................................................................................... 126
4 Application Examples........................................................................129
4.1 Firewall Rule Examples............................................................................................ 129
4.1.1 Blocking Certain Websites Using Applications............................................................130
4.1.2 Blocking Certain Websites Using Web Filters.............................................................130
4.1.3 Allowing Certain Websites Using Web Filters............................................................. 132
4.1.4 Forcing Secure Communication..................................................................................134
4.1.5 Using Quality of Service..............................................................................................135
4.1.6 Using DHCP in Bridge Mode.......................................................................................136
4.2 Setting Up Single Sign-On....................................................................................... 137
4.2.1 Configuring the NTP Server........................................................................................ 137
4.2.2 Preparing the Domain Controller.................................................................................137
4.2.3 Configuring the Firewall.............................................................................................. 139
4.2.4 Configuring User-Specific Firewall Rules....................................................................142
4.2.5 Configuring the Windows Clients................................................................................ 143
4.3 Setting Up a Static Route......................................................................................... 145
4.4 Using NAT Rules....................................................................................................... 146
4.4.1 Destination NAT.......................................................................................................... 146
4.4.2 Source NETMAP.........................................................................................................146
4.5 Setting Up a Syslog Server...................................................................................... 146
4.6 Setting Up a VLAN.................................................................................................... 148
4.7 Setting Up Port Forwarding..................................................................................... 149
4.8 Sorting Policy-Based Routes...................................................................................150
4.8.1 Sorting IP Addresses.................................................................................................. 150
4.8.2 Sorting Ports and IP Addresses.................................................................................. 150
4.8.3 Overall Sorting............................................................................................................ 151
4.9 Setting Up the Mail Filter with SSL Inspection.......................................................152
4.10 Handling Certificates................................................................................................ 153
4.10.1 Creating a Certificate.................................................................................................. 153
4.10.2 Importing a Certificate................................................................................................. 153
4.10.3 Replacing a Certificate................................................................................................ 154
4.10.4 Exporting a Certificate.................................................................................................155
4.10.5 Exporting a Certificate Signing Request..................................................................... 155
4.10.6 Suspending a Certificate............................................................................................. 156
4.10.7 Resuming a Certificate................................................................................................156
4.10.8 Renewing a Certificate................................................................................................ 156
4.10.9 Revoking a Certificate................................................................................................. 157
4.11 Setting Up OCSP/CRL Services...............................................................................157
4.12 VPN Setup Examples................................................................................................ 158
4.12.1 Setting Up a Client-to-Site VPN via IPsec...................................................................159
4.12.1.1 Setting Up the VPN Connection..................................................................................160
4.12.1.2 Setting Up Authentication............................................................................................175
4.12.2 Setting Up a Site-to-Site VPN via IPsec......................................................................177
4.12.2.1 Creating VPN Certificates........................................................................................... 177
4.12.2.2 Setting Up the VPN Connection..................................................................................181
4.12.2.3 Setting Up IPsec Site-to-Site for Complex Networks.................................................. 185
4.12.3 Setting Up a Client-to-Site VPN via OpenVPN........................................................... 187
4.12.3.1 Creating a VPN Certificate.......................................................................................... 187
4.12.3.2 Configuring Authentication.......................................................................................... 188
4.12.3.3 Setting Up the VPN Connection..................................................................................190
4.12.4 Setting Up a Site-to-Site VPN via OpenVPN.............................................................. 192
4.12.4.1 Creating VPN Certificates........................................................................................... 193
4.12.4.2 Setting Up the Primary Box.........................................................................................196
4.12.4.3 Setting Up the Secondary Box.................................................................................... 199
4.12.4.4 Connecting the Remote Networks.............................................................................. 201
4.13 Decoder Examples.................................................................................................... 201
4.13.1 Blocking PDF Files......................................................................................................202
4.13.2 Blocking Microsoft Office Files.................................................................................... 202
4.13.3 Blocking Web Hosts.................................................................................................... 202
4.13.4 Blocking Keywords in Webmail................................................................................... 203
4.13.5 Blocking Keywords in Mail Clients.............................................................................. 203
4.13.6 Using Anchors in String Decoders.............................................................................. 204
4.13.7 Using IEC 104 Protocol Decoders.............................................................................. 205
A Decoder Reference............................................................................ 209
A.1 FTP Commands.........................................................................................................209
A.2 HTTP MIME Types..................................................................................................... 211
Annex.................................................................................................. 209
Index....................................................................................................231

1 About This Manual

The gateprotect Firewall User Manual describes the innovative next-generation firewall solution from Rohde & Schwarz Cybersecurity. gateprotect Firewall integrates firewall, intrusion prevention, application control, web filtering, malware protection and many more functions in a single system.
Figure 1-1: Sample gateprotect Firewall GP-E-1200.
This document applies to two gateprotect Firewall product lines:
Extended Line - Easy to configure - the firewall solution for complex office networks in medium-sized companies
Specialized Line - Easy to customize - the perfectly tailored solution that meets the high demands of complex network structures in industry and enterprise environments
There are license-based features that distinguish individual product models within the two product lines from one another. For more information about your specific gateprotect Firewall, see the information on the relevant data sheet.
See the topics below for more information about this document.

1.1 Audience

This manual is for the networking or computer technician responsible for installing and configuring gateprotect Firewall and employees that use the web interface to define traffic filtering rules.
To use this document effectively, you have to have the following skills depending on your responsibilities:
To install and configure the hardware, you have to be familiar with telecommunications equipment and installation procedures. You also have to have good experience as a network or system administrator.
To define filtering rules, you need to understand basic TCP/IP networking concepts.

1.2 What’s in This Manual

The contents of this manual are designed to assist you in installing and configuring gateprotect Firewall.
This document includes the following chapters and appendixes:
1. Chapter 2, "Getting Started", on page 13 Log on to gateprotect Firewall to set up the system for your network.
2. Chapter 3, "User Interface", on page 17 The sections in this chapter describe the components of the gateprotect Firewall user interface.
3. Chapter 4, "Application Examples", on page 129 This chapter includes various examples that illustrate how to use firewall rules to manage network traffic, set up specific features, services and VPN connections, and configure decoders to block communication containing certain file types or keywords.
4. Chapter A, "Decoder Reference", on page 209 The gateprotect Firewall protocol decoder can detect FTP commands and HTTP MIME types in traffic flows.

1.3 Conventions

This topic explains the typographic conventions and other notations used to represent information in this manual.
Elements of the web-based graphical user interface (GUI, or »web interface«) are indicated as follows:
Buttons, checkboxes, list names and other controls appear in quotation marks. For example: »Click "Save" to create the rule.«
A sequence of menu commands is indicated as follows: "Firewall > Status". In this case, select "Status" from the "Firewall" menu.
List options and literal text both appear in a fixed-width font. For example: »The default filename is set to config.tar.gz.«
Terms that require extended definitions or explanations are indicated in italics. For example, the term application is often used to refer to a software program. In this manual, however, it usually means the Layer 7 protocol used by the program on the Application Layer of the OSI reference model. With Skype traffic, for example, the terms application and protocol are used interchangeably.
Notes
The following types of notes are used in this manual to indicate information which expands on or calls attention to a particular point.
This note is a little hint that can help make your work easier.
This note contains important additional information.
This note contains information that is important to consider. Non-observance can damage your gateprotect Firewall or put your network security at risk.

1.4 Related Resources

This section describes additional documentation and other resources for information on gateprotect Firewall.
Refer to these resources for more information on gateprotect Firewall:
A separate gateprotect Firewall Getting Started guide is provided with the gateprotect Firewall hardware. The document describes the installation procedure and first steps to start working.
Getting Started guides are also available for the virtual machines (VM) of gateprotect Firewall. The platform-specific documents are provided for all types of supported virtualization software.
How-tos describe specific configuration scenarios and solutions.
Data sheets summarize the technical characteristics of the different gateprotect Firewall hardware models.
Release Notes provide the latest information on each release.
Our website at cybersecurity.rohde-schwarz.com provides a wealth of information about our products and solutions and the latest company news and events.
For additional documents such as technical specifications, please visit the mygateprotect portal at www.mygateprotect.com.

1.5 About Rohde & Schwarz Cybersecurity

Rohde & Schwarz Cybersecurity protects companies and public institutions worldwide against espionage and cyber attacks.
The company develops and produces high-end encryption products, next-generation firewalls, network traffic analytics and endpoint security software as leading-edge technical solutions for information and network security requirements.
Rohde & Schwarz, active for over 20 years in the field of IT security, is now expanding into this sector. The integration of enterprise security experts gateprotect, ipoque and Sirrix has created the new brand »Rohde & Schwarz Cybersecurity« as the leading European provider of cybersecurity solutions.
The trustworthy IT solutions are developed based on the »Security by Design« principle, which proactively prevents cyber attacks rather than reacting to a known threat. This new approach even protects against complex attacks that use zero-day exploits to expose the weakness of existing antivirus software or traditional firewalls.
For more information, visit our website at cybersecurity.rohde-schwarz.com.

2 Getting Started


2.1 Logging On

Log on to gateprotect Firewall to set up the system for your network.
After having completed the installation and licensing procedure for gateprotect Firewall as described in the gateprotect Firewall Getting Started guide, you can begin working with the firewall:
1. On the gateprotect Firewall logon page, enter admin as the "User Name" and the factory default "Password" gateprotect.
Figure 2-1: Logging on to gateprotect Firewall.
2. Click "Login".
3. After your first login using the standard credentials, the system prompts you to change your password. You cannot skip this step.
Note: If you forget the new password entered, the password can only be reset by setting the system back to the factory default configuration as described under Chapter 2.2, "Resetting the Hardware", on page 14.
Note: The admin password is included in a system backup.
The web interface appears.
After three unsuccessful login attempts, you will be blocked for an hour to prevent unauthorized access. Every new attempt during that hour resets the waiting period. After one hour without login attempts, you can log on to gateprotect Firewall again with valid credentials.
You are automatically logged out after 10 minutes of inactivity.
Set your browser configuration to clear all session data and cookies when the browser is closed. Otherwise, your admin session will be restored after the computer is rebooted and unauthorized persons can access the firewall.
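The lockout and idle-timeout rules above are easy to misread, in particular the point that any attempt made during the block hour restarts the hour, even one with valid credentials. The following Python model is an added example, not part of this manual and not code from the gateprotect Firewall; it implements exactly the rules stated above (three failed attempts, one-hour block, restart on every attempt during the block, logout after 10 idle minutes) so that an administrator can replay a sequence of attempts and see the outcome. The per-client failure counter, the clearing of that counter on a successful login, the caller-supplied clock and the `LoginGuard`/`replay` names are assumptions of the model, not statements from the manual.

```python
"""Model of the login lockout and idle-timeout rules stated in the manual.

Added example, not part of the manual or of the gateprotect Firewall code.
Stated by the manual: three failed logins block for one hour, any attempt
during that hour restarts the hour, and sessions end after 10 idle minutes.
Assumed here: the failure counter is kept per client, a successful login
clears it, and the caller supplies the clock (seconds) so runs are repeatable.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_FAILURES = 3          # failed attempts before the block starts
BLOCK_SECONDS = 60 * 60   # one-hour block
IDLE_SECONDS = 10 * 60    # automatic logout after 10 minutes of inactivity


@dataclass
class LoginGuard:
    failures: int = 0
    blocked_until: Optional[float] = None   # absolute time the block ends
    last_activity: Optional[float] = None   # last request of the live session

    def attempt(self, password_ok: bool, now: float) -> str:
        """Return 'logged_in', 'failed' or 'blocked' for one login attempt."""
        if self.blocked_until is not None:
            if now < self.blocked_until:
                # Any attempt inside the block, even with valid credentials,
                # is rejected and the one-hour wait starts over from now.
                self.blocked_until = now + BLOCK_SECONDS
                return "blocked"
            # A full hour passed without attempts: the block is lifted.
            self.blocked_until = None
            self.failures = 0
        if password_ok:
            self.failures = 0               # assumption: success clears the count
            self.last_activity = now
            return "logged_in"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.blocked_until = now + BLOCK_SECONDS
            return "blocked"
        return "failed"

    def touch(self, now: float) -> None:
        """Record activity in a live session (a page load, a saved change)."""
        if self.session_active(now):
            self.last_activity = now

    def session_active(self, now: float) -> bool:
        """True while the session has not been idle for 10 minutes."""
        return (self.last_activity is not None
                and now - self.last_activity < IDLE_SECONDS)


def replay(events: List[Tuple[float, bool]]) -> List[str]:
    """Run a sequence of (time, password_ok) attempts through one guard."""
    guard = LoginGuard()
    return [guard.attempt(ok, t) for t, ok in events]


if __name__ == "__main__":
    # Constructed sequence: three bad passwords, then the right password
    # retried twice inside the block (each retry restarts the hour), then
    # a successful login once the hour has finally elapsed.
    sample = [(0, False), (30, False), (60, False),
              (1800, True), (3600, True), (7201, True)]
    for (t, ok), outcome in zip(sample, replay(sample)):
        print(f"t={t:>5}s password_ok={ok!s:<5} -> {outcome}")
```

The constructed sample shows the practical consequence of the restart rule: after the block starts at 60 s, the correct password entered at 1800 s and again at 3600 s is rejected both times and pushes the end of the block out to 7200 s, so the first login that succeeds is the one made after a full hour of silence.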

2.2 Resetting the Hardware

If you cannot access the web interface, you can reset the system to the factory default configuration.
Connect the ports labeled eth2 and eth3 with a patch cable, then power off and power on.
Figure 2-2: Resetting the hardware of the gateprotect Firewall GP-S series.
With models GP-E-1000/GP-S-1800 or higher, connect the first two ports in the first module (for example eth11 and eth12) with a patch cable, then power off and power on.
Figure 2-3: Resetting the hardware of gateprotect Firewall models GP-E-1000/GP-S-1800 or higher.
The kind of power button (power off switch, push button or power off button) and its location differ by hardware model.
The default settings are restored.
Booting to a factory reset can take up to 5 minutes.

3 User Interface

The sections in this chapter describe the components of the gateprotect Firewall user interface.
The gateprotect Firewall web interface requires a minimum display resolution of 1024 × 786 pixels (XGA).
The following browser versions (or newer) are supported, with JavaScript enabled:
Google Chrome 10
Firefox 12
The first sections provide an overview of the main components of the web interface.
The next topic explains the meaning of the icons and buttons commonly used on the user interface and throughout this manual.
The following topic describes how a firewall rule for a connection between two desktop nodes is set up.
The remaining topics correspond to the menu items in the navigation bar on the left side of the user interface. For information on the available options, see the corresponding section.

3.1 Web Interface Components

The gateprotect Firewall web interface uses a standard tri-pane page layout with a common header area, a left navigation pane, and a main content pane on the right.
Figure 3-1: gateprotect Firewall web interface.
The information displayed in each area is described in the following sections.

3.1.1 Header Area

The header area (1) contains the following elements (from left to right):
Figure 3-2: gateprotect Firewall web interface header area.
the button to hide or show the navigation bar (the navigation bar is displayed by default, see Chapter 3.1.2, "Navigation Pane", on page 19),
the Rohde & Schwarz Cybersecurity logo,
the current system status information, expressing the system load and the memory and disk usage as a percentage, so you can quickly spot system performance bottlenecks,
a user menu that allows you to select the language to be used in the web interface,
a menu to change the current user's password (the new password has to be at least eight characters long and cannot be identical with the current password) and to end the current user session and return to the login dialog and
a link which provides access to a PDF version of the gateprotect Firewall User Manual. Depending on your browser settings, the PDF file is either displayed in a new tab or window, or downloaded.
In addition, the header area displays unsaved configuration changes if you close an editor panel by pressing the Esc key on your computer keyboard (unsaved changes are not displayed if you close an editor panel by clicking the button in the upper right corner of the panel, however).
The PDF version of the gateprotect Firewall User Manual is also available from the logon page. Click on "User Manual" to access the file.

3.1.2 Navigation Pane

The navigation pane (2) is on the left side of the web interface and consists of two parts. The links in the left navigation bar provide access to the gateprotect Firewall settings. The item list bar on the right is used to display information on the current desktop configuration.
Both bars contain a search field at the top which can filter the lists to help you quickly find menus or items. Each search field works for the bar it is part of only. As you type in the search field, gateprotect Firewall reduces the lists to show only those menus or items that contain the characters you are typing.
The information displayed in the item list bar depends on, firstly, the menu item selected in the navigation bar and, secondly, how much information you desire to be displayed. You can unfold more detailed information or reduce the amount of information presented by clicking the button in the upper right corner of this pane.
To view the complete list of menus or items again, reset the search by clicking the reset button in the search field.
See Chapter 3.4, "Menu Reference", on page 29 for details on the options available in each view.

3.1.3 Desktop

The desktop (3) fills the main portion of the screen below the header area and to the right of the navigation pane. The information displayed here depends on the item selected in the navigation pane or on the desktop.
Figure 3-3: gateprotect Firewall desktop.
On the desktop you always have a complete overview of your entire configured network. You can edit various settings in this pane or view the details of a configuration.
A toolbar at the top of the desktop allows you to create and edit objects or connections. To create an object on the desktop, click with the left mouse button on the desired button in the toolbar, keep the mouse button pressed and drag the object onto the desktop. Depending on the type of object you are creating, an editor panel automatically opens where you can enter the required data for the object. To delete an object from the desktop, click the object with the left mouse button and select the delete button from the circular menu.
If the system configuration changes, the "Activate" button is highlighted, prompting you to update your configuration. Click this button to save your current desktop configuration changes and to activate them on the firewall.
The buttons that appear in the circular menu when you click an object with the left mouse button allow you to adjust the settings for an existing object, to create a connection between two existing objects, to hide or display objects attached to the object, to unpin an object from a specific location on the desktop or to remove it from the desktop.
It is possible to customize the desktop layout by dragging the objects to the desired positions where they are automatically pinned. Use the buttons in the toolbar to save and restore your customized layout or to arrange the objects automatically.
For further information, see Chapter 3.2, "Icons and Buttons", on page 21.

3.2 Icons and Buttons

This topic explains the icons and buttons commonly used on the user interface and throughout this manual.
Icon/Button Description
Hide and show the navigation bar.
Indicates that firewall rules can be rearranged in the "Firewall Rules" list.
Reflects the total percentage of system load.
Reflects the total percentage of memory usage.
Reflects the total percentage of disk usage.
Create or edit a connection between two desktop objects.
Create a host.
Create a network.
Create a network group.
Create a user.
Discard all manual desktop layout changes and apply an automatic layout.
Save the current desktop layout.
Restore the last saved desktop layout.
Restore a backup.
Replace a certificate by importing a new certificate.
Fit the entire network to the desktop.
Marks a menu item with settings to configure in the navigation bar.
Marks a table column with actions available for a table entry.
Unpin the desktop object to be able to move it via drag & drop on the desktop.
Pin individual or all LDAP users to the desktop.
Remove an individual LDAP user from the desktop.
View and adjust the settings for a desktop object, a list item or a table entry.
Create a list item or a table entry based on a copy of an existing entry.
Delete a desktop object, a list item or a table entry from the system after a positive response to the confirmation request popping up.
Permanently revoke a certificate.
View the details of a list item in the item list bar.
Import a backup or a certificate from a file.
Export a backup or a certificate to a file.
Create a list item in the item list bar.
Unfold a menu item to view subordinate items in the navigation bar.
Unfold an IPS/IDS category to view its individual rules.
Unfold a web filter category to view its subcategories.
Hide subordinate menu items in the navigation bar.
Hide individual IPS/IDS rules of an IPS/IDS category.
Hide subcategories of a web filter category.
Unfold more detailed information in the item list bar.
Show additional actions available for a desktop object or show objects attached to it.
Reduce the amount of information given in the item list bar.
Hide additional actions available for a desktop object or hide objects attached to it.
Expand the desktop node of a network group to view the members associated with it.
Collapse the desktop node of a network group to hide the members associated with it.
Indicates that a certificate is still valid.
Indicates that a certificate has expired.
Renew the validity of a certificate.
Export the certificate signing request (CSR) from the certificate.
Verify a certificate.
Suspend a certificate or CA temporarily.
Resume a certificate that was previously suspended.
Close a pop-up window.
Clear all search criteria of a filter to show all results.
Show additional information.

3.3 Firewall Rule Settings

This topic describes how to create a firewall rule for a connection between two desktop objects.
There are two ways to create firewall rules:
You can start by first setting up a connection between two objects on the desktop and then configuring firewall rules for this connection. To set up a connection, you can first click the connection button in the toolbar at the top of the desktop and then select first the source object and then the target object to create a connection between them. Or you can click the connection button in the circular menu of the source object on the desktop and then select the target object. The "Firewall Rules" panel opens, automatically applying the firewall rules filter regarding "Sources" and "Destinations" to display already existing firewall rules for this connection, if applicable.
Alternatively, you can create firewall rules under "Network > Firewall Rules" (see Chapter 3.4.2.1, "Firewall Rules", on page 55). Then the connection between two objects on the desktop is automatically set up by defining a source and a destination on the "Firewall Rule" editor panel.
On the "Firewall Rules" panel, you can set up firewall rules.
1. Click "Add" to set up a firewall rule.
2. The settings on the editor panel that opens allow you to configure the following elements:
Field Description
"On" / "Off" A slider switch indicates whether the firewall rule is active ("On") or inactive ("Off"). By clicking the slider switch, you can toggle the state of the firewall rule. A new firewall rule is enabled by default.
On the "General" tab:
Field Description
"Name" Enter a unique name for the firewall rule.
"Description" Optional: Enter additional information regarding the firewall rule.
"Time Profiles" Optional: Select a time profile during which the rule is applied to network traffic. If no time profile is selected, the rule will be applied 24/7. There are four preset time profiles available:
Office hours – The rule is applied on weekdays (Monday to Friday) from 06:00 a.m. to 04:00 p.m.
Outside office hours – The rule is applied on weekdays (Monday to Friday) from 04:00 p.m. to 06:00 a.m.
Weekdays – The rule is applied around the clock from Monday to Friday.
Weekend – The rule is applied around the clock on Saturday and Sunday.
To configure a custom time profile, click the "New Time Profile" link below the drop-down field or navigate directly to "Firewall > Time Profiles". For more information, see Chapter 3.4.1.10, "Time Profiles", on page 54.
"Alert Log" Optional: To add an entry to the alert log when traffic matches this firewall rule, select one of the following alert levels from the drop-down list:
emergency – system is unusable (highest priority)
alert – action must be taken immediately
critical – critical conditions
error – error conditions
warning – warning conditions
notice – normal but significant conditions
info – informational messages
debug – any messages that do not fit into the other log levels (lowest priority)
For more information, see "Alert Log" on page 39.
"Message" Optional: Specify the alert message to be included in the alert log entry.
The "Connection Settings" section provides the following options:
Field Description
"Policy" Select the action to be performed by the firewall rule from the drop-down list.
New firewall rules are set to Allow by default, but you can adjust the settings to one of the other values as necessary:
Allow – Traffic matching this rule is permitted if it is not classified as a threat by any of the other selected modules (IDS/IPS, Anti-Malware, Web Filter). No other rules are processed for this traffic.
Continue – Any traffic matching this rule is subject to further inspection: the traffic is passed on to the next rule in the list to determine whether any other filter criteria apply. A continue rule should never be the last rule in the list. If enabled, IDS/IPS, Anti-Malware, SSL Inspection, QoS and Web Filter are applied.
Drop – Traffic matching this rule is silently dropped and rule processing for the associated traffic ceases.
Reject – Traffic matching this rule is actively rejected and rule processing for the associated traffic ceases.
Important: If you create a rule with the Allow action and do not apply any restrictions (security options or application filters), that rule permits all traffic to pass unchecked.
"Source(s)" Specify the sources of the traffic flow to which the firewall rule applies. This can be a combination of a zone and any other network objects, such as custom networks, network groups, users, etc.
If you first set up the connection between two objects on the desktop and then started to configure a firewall rule for this connection, this input field is pre-filled with the desktop object that was selected as the source object.
Important: If no source is selected, the rule will be applied to traffic originating from any source.
"Destination(s)" Specify the destinations of the traffic flow to which the firewall rule applies. This can be a combination of a zone and any other network objects, such as custom networks, network groups, users, etc.
If you first set up the connection between two objects on the desktop and then started to configure a firewall rule for this connection, this input field is pre-filled with the desktop object that was selected as the target object.
Important: If no destination is selected, the rule will be applied to traffic being transmitted to any destination.
"QoS Upstream" / "QoS Downstream" Optional: To ensure Quality of Service, enter the bandwidth thresholds that should be applied to traffic matching this rule. The two input fields determine the maximum bandwidth (in bits per second) for download and upload. For an application example using QoS, see Chapter 4.1.5, "Using Quality of Service", on page 135.
"Transport Protocol" Optional: Specify the protocol to which the rule should be applied. You can select TCP or UDP from the drop-down list.
"Source Port" Optional: To limit the rule to apply only to traffic originating from a certain source port, specify the source port by entering individual values or ranges.
"Destination Port" Optional: To limit the rule to apply only to traffic being transmitted to a specified destination, specify the destination port by entering individual values or ranges.
In the "Security" section, you can select the security features to be applied in the rule:
Field Description
"IDS/IPS" Optional: Select this checkbox to compare traffic to the database of known threats before further evaluation. For more information, see Chapter 3.4.6.2, "IPS/IDS Profiles", on page 98.
"FTC" Optional: To capture network traffic to identify the precise timing, scope, and nature of a malicious attack from outside or inside sources on your network, select this checkbox. When the firewall rule hits, the network traffic is captured until the rule no longer triggers Forensic Traffic Capture or the resources no longer support the rule. To view and download the captured files, see "FTC Data" on page 66.
"Anti Malware" Optional: Select this checkbox to compare traffic to a list of known viruses, malware and other threats (available for HTTP, FTP, IRC, MSN, OSCAR and YAHOO).
"SSL Inspection" Optional: Select this checkbox to unpack and analyze encrypted traffic.
Important: If you decide to use the whitelisting approach and enable SSL inspection in firewall rules together with SSL-related protocols (e.g. FTPS, HTTPS, IMAPS, POP3S and SMTPS), network traffic will flow through gateprotect Firewall until SSL encryption is detected. Unless you select these protocols in firewall rules further down the list as well, you might want to create a firewall rule with the undesired protocol selected from the "Applications / Protocols" list and the action being Drop or Reject. The protocol will then be dropped or rejected as long as SSL is not activated.
Note: "SSL Inspection" can only be selected after an application, a protocol or a custom decoder has been specified.
The "Application Filters" section contains the following options:
Field Description
"Warning Page" Optional: The Reject action can be combined with a warning page which appears to the user in the browser window. To enable a warning page, select this checkbox and one of the following options from the drop-down list:
Show and block – a warning page which cannot be overridden is presented
Show and continue – a warning page appears but it can be overridden
"Web Filter Profile" Optional: This filter can only be selected if a web filter profile has been defined as described under Chapter 3.4.6.3, "Web Filter Profiles", on page 100. From the drop-down list, select a web filter profile to apply it to the network traffic (available for HTTP).
"Applications / Protocols" Optional: gateprotect Firewall can detect various applications and protocols. Select those applications and protocols to which the rule should be applied.
By clicking the input field, you are offered a selection of applications and protocols included in the list. You can also type in the input field, getting a list of applications and protocols whose names contain the characters you are typing. The first option or match is highlighted in the list. Press ENTER to select the application or protocol, or use the arrow keys on your keyboard to select a different one. To delete an application or a protocol from the input field, click the icon on the left side of its name.
Important: If no applications or protocols are specified, the rule will be applied to all traffic.
On the "Custom Decoders" tab, you can add custom search patterns that the firewall rule applies to detect hash values, numeric values such as telephone numbers, regular expressions or text strings within the headers, payload or message fields of supported protocols (see details below).
The buttons on the bottom right of the editor panel depend on whether you add a new firewall rule or edit an existing rule. For a newly configured rule, click "Create" to add the rule to the list of available firewall rules or "Cancel" to reject the creation of a new rule. To edit an existing rule, click "Save" to store the reconfigured rule or "Reset" to discard your changes. You can click "Close" to close the editor panel as long as no changes have been made on it.
3. Click "Activate" in the toolbar at the top of the desktop to apply your configuration changes.
Once you have left the editor panel, the list of firewall rules that are currently defined on the system is displayed.
Figure 3-4: Sample firewall rules list.
New rules are inserted at the top of the rule list by default (and are thus executed before the already existing rules). For best results, the most specific rules should be placed at the beginning of the list, followed by more general rules that apply to a broader range of traffic.
You can rearrange rules by dragging and dropping them in the list to create the desired sequence.
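As an added illustration of the policy semantics (Allow, Continue, Drop, Reject) and of the ordering advice above, the following Python evaluates a constructed rule list top to bottom and also reports rules that an earlier, more general terminal rule shadows. This is example code, not part of gateprotect Firewall; the zone names, the ports and the fall-through action used when no rule matches are assumptions of the example.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    """One firewall rule. An empty source, destination or port set means 'any',
    as the manual describes for unset sources and destinations."""
    name: str
    policy: str                                     # Allow, Continue, Drop or Reject
    sources: set = field(default_factory=set)       # empty = any source
    destinations: set = field(default_factory=set)  # empty = any destination
    protocol: Optional[str] = None                  # None = any transport protocol
    dest_ports: set = field(default_factory=set)    # empty = any destination port
    enabled: bool = True

    def matches(self, src, dst, proto, dport):
        return (self.enabled
                and (not self.sources or src in self.sources)
                and (not self.destinations or dst in self.destinations)
                and (self.protocol is None or self.protocol == proto)
                and (not self.dest_ports or dport in self.dest_ports))


def decide(rules, src, dst, proto, dport, default="Drop"):
    """Walk the list top to bottom. A matching Continue rule only records that the
    traffic is handed on to the next rule; the first matching Allow, Drop or Reject
    rule ends processing. The fall-through `default` is an assumption of this
    example; the manual does not state what happens when no rule matches."""
    continued = []
    for rule in rules:
        if not rule.matches(src, dst, proto, dport):
            continue
        if rule.policy == "Continue":
            continued.append(rule.name)
            continue
        return rule.policy, rule.name, continued
    return default, None, continued


def _covers(general, specific):
    # An empty set means "any" and covers everything; otherwise the later rule's
    # set must be non-empty and fully contained in the earlier rule's set.
    return not general or (bool(specific) and specific <= general)


def shadowed_rules(rules):
    """Names of rules that can never fire because an earlier terminal rule
    already matches everything they match."""
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.policy == "Continue" or not earlier.enabled:
                continue
            if (_covers(earlier.sources, later.sources)
                    and _covers(earlier.destinations, later.destinations)
                    and (earlier.protocol is None or earlier.protocol == later.protocol)
                    and _covers(earlier.dest_ports, later.dest_ports)):
                shadowed.append(later.name)
                break
    return shadowed


# Constructed sample rule set (zone names and ports are invented for the example),
# ordered as the manual recommends: the specific exception before the general rule.
INSPECT_ALL = Rule("Inspect all", "Continue")
REJECT_TELNET = Rule("Reject telnet from LAN", "Reject", sources={"LAN"},
                     destinations={"Internet"}, protocol="TCP", dest_ports={23})
LAN_OUT = Rule("LAN to Internet", "Allow", sources={"LAN"}, destinations={"Internet"})

RECOMMENDED_ORDER = [INSPECT_ALL, REJECT_TELNET, LAN_OUT]
SHADOWED_ORDER = [INSPECT_ALL, LAN_OUT, REJECT_TELNET]  # general rule placed first

if __name__ == "__main__":
    print(decide(RECOMMENDED_ORDER, "LAN", "Internet", "TCP", 23))  # policy: Reject
    print(decide(SHADOWED_ORDER, "LAN", "Internet", "TCP", 23))     # policy: Allow
    print(shadowed_rules(SHADOWED_ORDER))                           # ['Reject telnet from LAN']
```

With the general Allow rule placed above the specific Reject rule, telnet from the LAN is allowed and the Reject rule is reported as shadowed; the recommended order yields Reject for port 23 and Allow for everything else from the LAN, while the Continue rule at the top is recorded for both.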
Custom decoders
To avoid confusion, use either application signatures or decoders.
If multiple decoders are defined for a single rule, decoders of the same protocol (such as two HTTP decoders) are linked with AND logic. Decoders of different protocols (such as an HTTP and a DNS decoder) are OR-connected.
To add a protocol decoder to a firewall rule, perform the following steps:
1. Click "Add Decoder" on the "Custom Decoders" tab.
2. Select a "Protocol" from the drop-down list.
3. The entries in the "Option" drop-down list are protocol-specific and determine which fields or portion of the content are searched.
4. Select the "Type" of content to search for (text string, number, hash value, or regular expression) from the drop-down list.
5. By selecting the "Invert" checkbox, the rule will match traffic if the specified "Option" is not matched (equivalent to a Boolean NOT operator).
6. Enter the desired text, number, term, or search keyword in the "Expression" field.
The selected type determines how the expression is treated and which other options are available.
When the "Type" option is set to string, the following additional options can be defined.
Checkbox/Field Description
"Left Anchor" / "Right Anchor" Anchors define which boundary is set before (left anchor) or after (right anchor) the search string. The decoder will search for the "Expression" (preceded or followed by the chosen boundary) in the header field selected under "Option". Both drop-down lists contain the following options:
any – does not define any boundary for the chosen anchor; if both anchors are set to any, the expression may match anywhere in the content
string – specifies a boundary at the beginning (left anchor) or the end (right anchor) of the content; if both anchors are set, the expression only matches when it equals the entire content
word – specifies the PCRE word boundary; if both anchors are set to word, the expression matches when it is found in the content surrounded by word boundaries
Note: Letters, digits and underscores in search strings are treated as word characters (equivalent to the character classes [:word:], \w and [A-Za-z0-9_]). All other characters are treated as word boundaries.
"Case Sensitive" When this checkbox is selected, traffic will only match if it contains the specified expression in the exact case entered.
Setting the "Type" option and both anchors to string will only match if the specified search term exactly matches the entire content field.
When the "Type" option is set to number, the following options can be defined.
Field Description
"Operator" Determines the relationship between the numeric value entered in the "Expression" field and the value(s) that appear(s) in the content.
Possible values include:
< (less than),
> (greater than),
<= (less or equal),
>= (greater or equal),
== (equal),
!= (not equal),
|| (bitwise or), and
&& (bitwise and).
When the "Type" option is set to hash, the rule matches when the exact search string entered in the "Expression" field is found in traffic. For example, if the target search expression is specified as www.facebook.com, the rule would not match if a user were to visit www.facebook.de.
The hash "Type" is equivalent to setting the "Type" option and both anchors to string and selecting the "Case Sensitive" option, but the search runs much faster.
When the "Type" option is set to regex, the "Expression" is treated as a Perl-Compatible Regular Expression (PCRE) and the following additional options are available as checkboxes.
Checkbox Description
"dollar end only" Make the $ anchor match only at the end of the string (or at the end of a line if multiline mode is enabled).
"caseless" Ignore case: the pattern is treated as case insensitive.
"dot all" By default, the dot (period) matches any character except newline. Select this option to make it match newlines as well.
"anchored" The pattern matches only at the start of the search string.
"ungreedy" »Lazy« mode (reverses quantifiers): the regular quantifier * will cause matches to be as small as possible, and quantifiers followed by a ? will cause matches to be as large as possible.
"multiline" Multiple-line matching: the ^ and $ anchors also match at newlines.
"extended" Free spacing mode (?x): ignore white space in the remainder of the pattern or subpattern.
See Chapter 4.13, "Decoder Examples", on page 201 for sample decoder configurations that can be used to detect various types of content. For a list of supported FTP commands and HTTP MIME types, see Chapter A, "Decoder Reference", on page 209.
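The following Python is an added model of the decoder matching rules described in this section: the anchor options (any, string, word), the "Case Sensitive" checkbox, the number, hash and regex types, "Invert", and the AND linking of decoders of the same protocol versus the OR linking across protocols. It is example code, not gateprotect's implementation. The "Option" of a decoder is modelled as the name of a field (such as host or user-agent) that a constructed traffic sample exposes; the traffic samples, the way a number expression is compared against the values found in the content, and the reading of the bitwise operators are assumptions of the example. Of the regex checkboxes, "dollar end only" and "ungreedy" have no direct equivalent in Python's re module and are left out.

```python
import re
from collections import defaultdict

# Anchor choices: any = no boundary, string = start/end of the content,
# word = PCRE word boundary (\b over the word characters [A-Za-z0-9_]).
ANCHOR_LEFT = {"any": "", "string": r"\A", "word": r"\b"}
ANCHOR_RIGHT = {"any": "", "string": r"\Z", "word": r"\b"}

# Regex checkboxes from the manual mapped to re flags; "anchored" is handled
# with re.match. "dollar end only" and "ungreedy" are not modelled.
REGEX_FLAGS = {"caseless": re.IGNORECASE, "dot all": re.DOTALL,
               "multiline": re.MULTILINE, "extended": re.VERBOSE}

# Number operators: v is a value found in the content, e the expression value.
# Reading "||" and "&&" as "the bitwise combination is non-zero" is an assumption.
NUMBER_OPS = {
    "<": lambda v, e: v < e, ">": lambda v, e: v > e,
    "<=": lambda v, e: v <= e, ">=": lambda v, e: v >= e,
    "==": lambda v, e: v == e, "!=": lambda v, e: v != e,
    "||": lambda v, e: (v | e) != 0, "&&": lambda v, e: (v & e) != 0,
}


class Decoder:
    """One custom decoder: protocol, option (assumed here to be a field name),
    type (string, number, hash or regex), expression and the type's options."""

    def __init__(self, protocol, option, type_, expression, invert=False,
                 left="any", right="any", case_sensitive=False,
                 operator="==", flags=()):
        self.protocol, self.option, self.type = protocol, option, type_
        self.expression, self.invert = expression, invert
        self.left, self.right, self.case_sensitive = left, right, case_sensitive
        self.operator, self.flags = operator, flags

    def _hit(self, content):
        if self.type == "hash":
            # The whole field must equal the expression, case-sensitively.
            return content == self.expression
        if self.type == "string":
            pattern = (ANCHOR_LEFT[self.left] + re.escape(self.expression)
                       + ANCHOR_RIGHT[self.right])
            flags = re.ASCII | (0 if self.case_sensitive else re.IGNORECASE)
            return re.search(pattern, content, flags) is not None
        if self.type == "number":
            # Assumption: any integer found in the field is compared.
            values = [int(v) for v in re.findall(r"-?\d+", content)]
            target = int(self.expression)
            return any(NUMBER_OPS[self.operator](v, target) for v in values)
        if self.type == "regex":
            flags = re.ASCII
            for name in self.flags:
                flags |= REGEX_FLAGS.get(name, 0)
            search = re.match if "anchored" in self.flags else re.search
            return search(self.expression, content, flags) is not None
        raise ValueError("unknown decoder type: " + self.type)

    def matches(self, fields):
        """fields: decoded fields of one protocol, {option: content}. A decoder
        whose option is absent never matches; otherwise "Invert" negates the hit."""
        content = fields.get(self.option)
        if content is None:
            return False
        hit = self._hit(content)
        return (not hit) if self.invert else hit


def rule_matches(decoders, traffic):
    """traffic: {protocol: {option: content}} for one flow. Decoders of the same
    protocol are AND-linked; decoders of different protocols are OR-linked."""
    groups = defaultdict(list)
    for decoder in decoders:
        groups[decoder.protocol].append(decoder)
    return any(proto in traffic and all(d.matches(traffic[proto]) for d in group)
               for proto, group in groups.items())


# Constructed sample decoders: both HTTP decoders must hit, or the DNS one must.
SAMPLE_DECODERS = [
    Decoder("HTTP", "host", "string", "facebook", left="word", right="word"),
    Decoder("HTTP", "user-agent", "regex", r"^curl/\d", flags=("caseless",)),
    Decoder("DNS", "query", "string", "example.com", right="string", invert=True),
]

# Constructed traffic samples (not real captures).
CURL_TO_FACEBOOK = {"HTTP": {"host": "www.facebook.com", "user-agent": "curl/7.68.0"}}
BROWSER_TO_FACEBOOK = {"HTTP": {"host": "www.facebook.com", "user-agent": "Mozilla/5.0"}}
DNS_ELSEWHERE = {"DNS": {"query": "updates.vendor.test"}}
DNS_EXAMPLE = {"DNS": {"query": "mail.example.com"}}
```

The word anchors make "facebook" match inside www.facebook.com (the dots are word boundaries) but not inside www.facebooks.com, while the hash type behaves like a string decoder with both anchors set to string and "Case Sensitive" selected, so www.facebook.com does not match www.facebook.de. The inverted DNS decoder matches every query that does not end in example.com, which is why the DNS_ELSEWHERE sample satisfies the rule on its own.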

3.4 Menu Reference

This reference section describes each menu item in the navigation pane on the left side of the browser window.
Refer to the topics below for information on the options available.

3.4.1 Firewall

The "Firewall" settings display an overview of basic system settings and detailed information about the traffic flowing through gateprotect Firewall and allow you to configure gateprotect Firewall for your local environment.
3.4.1.1 Status
The "Firewall Status" displays an overview of basic system settings, the status of each of the assigned interfaces on the local network, and information on the services that are running on the system.
Navigate to "Firewall > Status" to display the overview.
In the expanded view, the columns of the table display the following information in each section:
The "Physical Interfaces" section displays basic information about the configured zones and their physical interfaces. The columns of the table display the "Name" of the interfaces that are assigned to the zones, their link status, transmitted and received bytes and the data throughput for every zone.
In the "Services" section you can see whether the services DHCP, DNS, Firewall, High Availability, NTP, and Updater are running on the system.
The "Maintenance" section gives an overview of basic system settings:
"Backup Schedule" indicates whether backups are enabled or not
"Updates" shows whether updates are pending or not (the tooltip shows how many updates are pending)
"High Availability" indicates whether High Availability is enabled or not
"Uptime" displays for how long the system has been running since the last reboot
"Machine ID" states the Machine ID of your device
"Hardware" informs you about the hardware version of your device
"Version" indicates which software version is running on the system
"Timezone" shows which time zone is configured on the system (click the blue link to navigate directly to "Settings" to view the corresponding configuration options)
3.4.1.2 Reports
The "Reports" display detailed information about the traffic flowing through the gateprotect Firewall. Each report includes a chart and a table with statistics for a certain time range. You can control several aspects of the presentation and data on these reports.
Navigate to "Firewall > Reports" to display the list of reports, subdivided into aggregation intervals (last hour, day, week, and month), that are available on the system in the item list bar. To view a report, click the desired report in the item list bar and the report panel opens.
Click "Close" to leave the report view.
Working with Reports
The charts and tables in the "Reports" panels share common functions to adjust the data display and allow you to focus on the data you are most interested in.