The gateprotect Firewall User Manual describes the innovative firewall solution from
Rohde & Schwarz Cybersecurity. gateprotect Firewall integrates firewall, application
control, web filtering, malware protection and many more functions in a single system.
This document applies to four gateprotect Firewall product lines:
● Unified Line - Easy to use - the firewall solution for small companies which need an easy-to-use solution to protect their office IT against cyberthreats from the Internet
● Extended Line - Easy to configure - the firewall solution for complex office networks in medium-sized companies
● Specialized Line - Easy to customize - the perfectly tailored solution that meets the high demands of complex network structures in industry and enterprise environments
● GP Tough - the firewall solution specifically designed for challenging environments
There are license-based features that distinguish individual product models within the
product lines from one another. For more information about your specific gateprotect
Firewall, see the information on the relevant data sheet.
See the topics below for more information about this document.
1.1 Audience
This manual is for the networking or computer technician responsible for installing and
configuring the gateprotect Firewall system and employees that use the web client to
define traffic filtering rules.
To use this document effectively, you have to have the following skills depending on
your responsibilities:
● To install and configure the hardware, you have to be familiar with telecommunications equipment and installation procedures. You also have to have good experience as a network or system administrator.
● To define filtering rules, you need to understand basic TCP/IP networking concepts.
User Manual 3646.3836.02 ─ 01
R&S®GP-U/GP-E/GP-S/GP-T
1.2 What's in This Manual
The contents of this manual are designed to assist you in configuring your gateprotect
Firewall.
This document includes the following chapters:
1. Chapter 2, "Getting Started", on page 11
Log on to your gateprotect Firewall to set up the system for your network.
2. Chapter 3, "User Interface", on page 13
The sections in this chapter describe the components of the gateprotect Firewall
user interface.
1.3 Conventions
This topic explains the typographic conventions and other notations used to represent
information in this manual.
Elements of the web-based graphical user interface (GUI, or »web client«) are indicated as follows:
Convention: Description
"Graphical user interface elements": All names of graphical user interface elements on the screen, such as menu items, buttons, checkboxes, dialog boxes and list names, are enclosed by quotation marks.
"Top-level menu item > submenu element": A sequence of menu commands is indicated by greater than symbols between menu items, the whole sequence being enclosed by quotation marks. Select the submenu element from the top-level menu item.
KEYS: Key names are written in capital letters.
List options, literal text, filenames, commands, program code: List options, literal text, filenames, commands, coding samples and screen output are distinguished by their fixed-width font.
Links: Links that you can click (e.g. references to other parts within this manual) are displayed in blue font.
References: References to parts of the product documentation are displayed in italics.
Notes
The following types of notes are used in this manual to indicate information which
expands on or calls attention to a particular point:
This note is a little hint that can help make your work easier.
This note contains important additional information.
This note contains information that is important to consider. Non-observance can damage your gateprotect Firewall or put your network security at risk.
1.4 Related Resources
This section describes additional documentation and other resources for information on
your gateprotect Firewall.
Refer to the following related documents and resources:
● Data Sheets summarize the technical characteristics of the different gateprotect Firewall hardware models.
● Release Notes provide the latest information on each release.
● Our website at cybersecurity.rohde-schwarz.com provides a wealth of information about our products and solutions as well as the latest company news and events.
For additional documents such as technical specifications, please visit the my gateprotect portal at www.mygateprotect.com.
1.5 About Rohde & Schwarz Cybersecurity
Rohde & Schwarz Cybersecurity is an IT security company that protects companies
and public institutions around the world against cyberattacks.
The company develops and produces technologically leading solutions for information
and network security, including highly secure encryption solutions, next-generation firewalls and software for network analysis and endpoint security. As a result of the
DenyAll acquisition, the portfolio now includes vulnerability scanners and firewalls for
business-critical web applications.
The award-winning and certified IT security solutions range from compact, all-in-one
products to customized solutions for critical infrastructures. To prevent cyberattacks
proactively, rather than reactively, our trusted IT solutions are developed following the
security-by-design approach. Around 450 people are employed at the current locations
in Germany, France and Denmark.
For more information, visit our website at cybersecurity.rohde-schwarz.com.
2 Getting Started
Log on to your gateprotect Firewall to set up the system for your network.
When first started after delivery or a new installation, the gateprotect Firewall runs as a
test version for 30 days. For further information, see Chapter 3.4.1.1, "License Settings", on page 22.
To begin working with your gateprotect Firewall, perform the following steps:
1. On the gateprotect Firewall logon page, enter admin as the "User Name" and the
factory default "Password" admin.
Figure 2-1: Logging on to the gateprotect Firewall.
2. Click "Login".
3. After your first logon using the standard credentials, the system prompts you to
change your password. The new password has to be at least six characters long.
You cannot skip this step.
The web client appears.
If you forget the new password you entered, contact the Rohde & Schwarz Cybersecurity support team to reset the password.
The admin password is included in a system backup.
Set your browser configuration to clear all session data and cookies when the browser
is closed. Otherwise, your admin session will be restored after the computer is rebooted and unauthorized persons can access the firewall.
3 User Interface
The sections in this chapter describe the components of the gateprotect Firewall user
interface.
The gateprotect Firewall web client requires a minimum display resolution of
1024 × 786 pixels (XGA).
The following browser versions (or newer) are supported, with JavaScript enabled:
● Google Chrome 10
● Chromium 10
● Firefox 12
Chapter 3.1, "Web Client Components", on page 13 provides an overview of the
main components of the web client.
Chapter 3.2, "Icons and Buttons", on page 17 explains the meaning of the icons and
buttons commonly used on the user interface and throughout this manual.
Chapter 3.3, "Firewall Rule Settings", on page 19 describes how a firewall rule for a
connection between two desktop nodes is set up.
Chapter 3.4, "Menu Reference", on page 22 reflects the arrangement of the menu
items in the navigation bar on the left side of the user interface. For information on the
available options, see the corresponding section.
3.1 Web Client Components
The gateprotect Firewall web client uses a standard tri-pane page layout with a common header area, a left navigation pane and a main content pane on the right.
Figure 3-1: gateprotect Firewall web client.
The information displayed in each area is described in the following sections.
3.1.1 Header Area
The header area (1) contains the following elements (from left to right):
Figure 3-2: gateprotect Firewall web client header area.
● the button to hide or show the navigation bar (the navigation bar is displayed by default, see Chapter 3.1.2, "Navigation Pane", on page 15),
● the Rohde & Schwarz Cybersecurity logo,
● a language menu that allows you to select the language to be used in the web client,
● a user menu to end the current user session and return to the logon dialog,
● a system menu to reboot or shut down / power off your gateprotect Firewall, and
● a help menu with links which provide access to a PDF version of the gateprotect Firewall User Manual and to the Rohde & Schwarz Cybersecurity support website. Depending on your browser settings, the PDF file is either displayed in a new tab or window, or downloaded.
In addition, the header area displays unsaved configuration changes if you close an
editor panel by pressing the ESC key on your computer keyboard. Unsaved changes
are not displayed if you close an editor panel by clicking the button in the upper right
corner of the panel, however.
The PDF version of the gateprotect Firewall User Manual is also available from the
logon page. Click the "User Manual" link to access the file.
3.1.2 Navigation Pane
The navigation pane (2) is on the left side of the web client and consists of two parts.
The links in the left navigation bar provide access to the gateprotect Firewall settings.
The item list bar on the right is used to display information on the current desktop configuration.
Both bars contain a "Filter" input field at the top which helps you quickly find a particular menu item or item list entry. Each input field works for the bar it is part of only. As
you type in one of the input fields, the gateprotect Firewall reduces the corresponding
list to show only those menu items or entries that contain the characters you are typing. Click in the input field to delete the search string and display an unfiltered view
of the list.
You can expand all menus in the navigation bar at once by clicking or collapse them by clicking in the upper right corner of the navigation bar. Furthermore, you can hide the navigation bar to maximize the desktop area by clicking in the header area. For further information, see Chapter 3.1.1, "Header Area", on page 14.
The information displayed in the item list bar depends on, firstly, the menu item selected in the navigation bar and, secondly, how much information you desire to be displayed. You can unfold more detailed information by clicking or reduce the amount of information presented by clicking in the upper right corner of the item list bar.
See Chapter 3.4, "Menu Reference", on page 22 for details on the options available
in each view.
3.1.3 Desktop
The desktop (3) fills the main portion of the screen below the header area and to the
right of the navigation pane. The nodes and connections highlighted here depend on
the item selected in the navigation pane or on the desktop.
Figure 3-3: gateprotect Firewall web client desktop.
On the desktop, you always have a complete overview of your entire configured network. You can edit various settings in this pane or view the details of a configuration.
A toolbar at the top of the desktop provides quick access to frequently used functions:
● If the system configuration changes, the "Activate" button is highlighted, prompting you to update your configuration. Click this button to save your current desktop configuration changes and to activate them on the firewall.
● The buttons in the second section of the toolbar allow you to switch back and forth between the selection and the connection tool. Use the selection tool for all actions on the desktop, such as moving objects or selecting certain functions. With the connection tool, you can create or edit a connection between two desktop objects. For further information, see Chapter 3.3, "Firewall Rule Settings", on page 19.
● You can create an object on the desktop by clicking the respective desktop object button in the next four sections of the toolbar. An editor panel automatically opens where you can enter the data which is required for the object.
● It is possible to customize the desktop layout by dragging the objects to the desired positions where they are automatically pinned. Use the buttons in the last section of the toolbar to save and restore your customized layout or to arrange the objects automatically.
All toolbar buttons use mouse-over pop-up labels for easy identification.
When you click a desktop object with the left mouse button, several buttons appear in
the circular menu, depending on the kind of desktop object. These buttons allow you to
adjust the settings for an existing object and to create or edit a connection between two
existing objects. Furthermore, you can hide or display objects attached to an object,
unpin an object from a specific location on the desktop or remove an object from the
desktop.
For further information, see Chapter 3.2, "Icons and Buttons", on page 17.
3.2 Icons and Buttons
This topic explains the icons and buttons commonly used on the user interface and
throughout this manual.
Icon/Button: Description
Hide and show the navigation bar.
Move objects or select objects and functions on the desktop.
Create or edit a connection between two desktop objects.
Create an Internet object.
Create a host.
Create a host group.
Create a network.
Create an IP range.
Create a VPN host.
Create a VPN group.
Create a VPN network.
Create a VPN user.
Create a VPN user group.
Create a user.
Create a user group.
Discard all manual desktop layout changes and apply an automatic layout.
Save the current desktop layout.
Restore the last saved desktop layout.
Restore a backup.
Replace a certificate by importing a new certificate.
Fit the entire network to the desktop.
Marks a menu item with settings to configure in the navigation bar.
Marks a table column with actions available for a table entry.
Unpin the desktop object to be able to move it along with the desktop node that
it is associated with via drag & drop on the desktop.
View and adjust the settings for a desktop object, a list item or a table entry.
Create a list item or a table entry based on a copy of an existing entry.
Delete a desktop object or an item list entry from the system after a positive
response to the confirmation request popping up.
Permanently revoke a certificate.
Delete a custom firewall rule from the system.
Remove a firewall rule with a predefined service from the firewall rules table.
Import a certificate or a blacklist/whitelist from a file.
Export a certificate or a blacklist/whitelist to a file.
Import a backup from a file.
Export a backup to a file.
Create a list item in the item list bar.
Unfold a menu item to view subordinate items in the navigation bar.
Unfold a web filter category to view its subcategories.
Unfold a service category for firewall rules to view its subservices.
Hide subordinate menu items in the navigation bar.
Hide subcategories of a web filter category.
Hide subservices of a service category for firewall rules.
Unfold more detailed information in the item list bar.
Reduce the amount of information given in the item list bar.
Collapse all menus in the navigation bar.
Expand a desktop node to view the desktop objects associated with it.
Expand all menus in the navigation bar.
Collapse a desktop node to hide the desktop objects associated with it.
Indicates that a certificate is still valid.
Indicates that a certificate has expired.
Verify a certificate.
Suspend a certificate or CA temporarily.
Resume a certificate that was previously suspended.
Recreate (renew) a certificate with an updated validity range.
Close a pop-up window.
Clear all search criteria of a filter to show all results.
3.3 Firewall Rule Settings
This topic describes how to create a firewall rule for a connection between two desktop
objects.
Setting Up a Connection
To set up a connection between two desktop objects, perform the following steps:
1. Click the connection tool button in the toolbar at the top of the desktop.
2. Select the source object of the connection by clicking the appropriate desktop object.
3. Select the target object of the connection by clicking the appropriate desktop object.
The "Connection" panel opens, displaying, if applicable, already existing firewall rules for this connection.
Alternatively, you can click the connection tool button in the circular menu of the source object on the desktop and then select the target object.
Setting Up a Firewall Rule with a Predefined Service
Along with the "Connection" panel, a list of predefined services available for the connection opens on the right side of the browser window. The list of services can be collapsed and expanded by clicking the appropriate icon.
For further information, see Chapter 3.2, "Icons and Buttons", on page 17.
The "Filter" input field at the top of the list helps you quickly find a particular service. As
you type in the input field, the gateprotect Firewall reduces the list to show only those
services that contain the characters you are typing. Click in the input field to delete the search string and display an unfiltered view of the list.
You can create a firewall rule using one of the predefined services by clicking the plus
button in front of the service. Afterwards, you can adjust the settings on the "Schedule" and "Advanced" tabs (e.g. proxy and NAT settings) by editing the rule. The ports
and protocols are predefined and cannot be adjusted.
Setting Up a Custom Firewall Rule
If you require a port or protocol that is not covered by any of the predefined services,
you can add a custom rule to be applied to the connection.
To set up a custom firewall rule, perform the following steps:
1. In the "Rules" tab, click "Add Custom Rule" to set up a new firewall rule.
An editor panel opens.
2. On the editor panel, you can configure the following elements for the rule:
a) In the "Ports/Protocols" tab:
Field: Description
"Name": Enter a unique name for the firewall rule.
"Ports and Protocols": To limit the rule to apply only to traffic from/to certain ports/port ranges and/or protocols, click "Add" to open another editor panel. On this panel, you can define the ports and protocols to be used:
● For TCP and UDP, you can specify individual ports or ranges to limit the rule to apply only to traffic originating from a certain source port and/or being transmitted to a certain destination port. Use the input fields "Port From" and "To" to enter a value. The value can be any integer from 1 to 65535. Enter a unique single port (for example 800) or a port range using a hyphen '-' character (for example 800-810).
● You can specify protocols to which the rule should be applied by selecting the appropriate checkboxes.
The buttons at the bottom right of the editor panel allow you to confirm your changes ("OK") and to reject your changes ("Cancel"). The editor panel closes and the specified ports/port ranges and/or protocols appear as an entry in the list.
You can edit or delete each single entry in the list by clicking the appropriate button next to an entry. For further information, see Chapter 3.2, "Icons and Buttons", on page 17.
b) In the "Schedule" tab, you can specify the time when the firewall rule is active. The tab provides the following options:
● Set specific times and weekdays using the sliders.
● Click "Always On" - the rule is always active.
● Click "Always Off" - the rule is always inactive.
c) The "Advanced" settings tab provides the following options:
Field: Description
"Proxy": For firewall rules with predefined services only, if the predefined services allow a proxy (HTTP, HTTPS, FTP, SMTP, SMTPS, POP3 or POP3S): Select this checkbox to activate the proxy for this rule.
For custom firewall rules only: From the drop-down list, select a proxy for this rule. To remove the proxy, click to the right of the selected proxy.
"NAT / Masquerading": Specify the desired direction (bidirectional, left-to-right or right-to-left) for NAT/masquerading or disable (Off) the feature for this rule by selecting the respective radio button. The default setting depends on the source and target objects selected for the connection.
"New source IP": Optional: If you have multiple outgoing IP addresses, specify the IP address to be used for Source NAT. If you do not specify the IP address, the system automatically chooses the main IP address of the interface to which the packet has been routed.
"Enable DMZ / Port Forwarding for this service": Select this checkbox to enable DMZ and port forwarding for this rule.
"External IP address": Optional: Specify the destination IP address of the traffic to be manipulated. The DMZ rule only applies to this traffic.
"External Port": Displays the original destination port of the traffic to be manipulated, depending on the port defined in the "Ports/Protocols" tab.
"Destination IP address": Displays the new destination IP address of the traffic (after its manipulation).
"Destination Port": Optional: Specify the destination port of the traffic (after its manipulation).
d) The buttons at the bottom right of the editor panel allow you to create a new rule or confirm your changes to an existing rule ("OK"), reject the creation of a new rule or the editing of an existing rule ("Cancel") and to discard your changes ("Reset").
The new rule is displayed on the "Rules" tab and is available for all other connections in the list of predefined services.
The table on the "Rules" tab contains the "Name" of a firewall rule and the direction
in which the rule is applied. You can toggle the direction or turn the feature off by
clicking the icon in the "Action" column. You can choose between the following four
options:
"Off" – All traffic between source and destination desktop objects is dropped for this
service.
"Bidirectional" – All traffic between source and destination desktop objects is
allowed for this service.
"Left to right" – The desktop object on the left is allowed to send requests. The
desktop object on the right is allowed to reply to requests.
"Right to left" – The desktop object on the right is allowed to send requests. The
desktop object on the left is allowed to reply to requests.
Furthermore, the table displays whether the rule is always active, always inactive
or active for a limited time schedule and the "Options" which were selected for the
rule. By clicking an entry in the "Schedule" or "Options" column, the respective tab
of the rule editor panel is automatically opened.
The buttons in the last column allow you to view and adjust the settings for an
existing rule and to delete a rule from the table.
3. For further information on the "URL / Content Filter" and "Application Filter" tabs,
see Chapter 3.4.4.13, "Connections", on page 89.
4. The buttons at the bottom right of the editor panel allow you to shut ("Close") the
editor panel as long as no changes have been made and to store ("Save") or to
discard ("Reset") your changes.
5. Click "Activate" in the toolbar at the top of the desktop to apply your configuration changes.
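As an added example (not gateprotect code), the following Python models the custom-rule semantics described in steps 2 a) to c) above: port entries validated as the editor requires (integers 1 to 65535, a single port such as "800" or a range such as "800-810"), the four directions shown in the "Action" column, and the "Always On"/"Always Off" schedule. The class and function names, treating a missing port spec as "any port", and letting a rule with no port entries match nothing are assumptions of this example, not documented firewall behaviour.

```python
"""Model of the custom firewall rule semantics from "Firewall Rule Settings".
Added example for illustration; not gateprotect code, names are invented."""
from dataclasses import dataclass, field
from typing import Optional

PORT_MIN, PORT_MAX = 1, 65535
DIRECTIONS = ("Off", "Bidirectional", "Left to right", "Right to left")
PROTOCOLS = ("TCP", "UDP")


def parse_port_spec(spec: str) -> tuple:
    """Parse a port entry as the editor accepts it: a single port ("800")
    or a hyphenated range ("800-810"), each end an integer 1..65535.
    Returns an inclusive (low, high) tuple; raises ValueError otherwise."""
    text = spec.strip()
    parts = text.split("-", 1) if "-" in text else [text, text]
    if not all(p.strip().isdigit() for p in parts):
        raise ValueError(f"port spec must be a port or a range: {spec!r}")
    low, high = (int(p) for p in parts)
    for port in (low, high):
        if not PORT_MIN <= port <= PORT_MAX:
            raise ValueError(f"port {port} outside {PORT_MIN}-{PORT_MAX}")
    if low > high:
        raise ValueError(f"reversed range: {spec!r}")
    return low, high


@dataclass
class PortEntry:
    """One row of the "Ports and Protocols" list. A missing source or
    destination spec means "any port" on that side (assumption)."""
    protocol: str
    src: Optional[str] = None
    dst: Optional[str] = None

    def __post_init__(self) -> None:
        if self.protocol not in PROTOCOLS:
            raise ValueError(f"unsupported protocol: {self.protocol}")
        # Validate eagerly so a bad entry is rejected when the rule is
        # created, as the editor does, rather than on the first packet.
        self.src_range = parse_port_spec(self.src) if self.src else None
        self.dst_range = parse_port_spec(self.dst) if self.dst else None

    def matches(self, protocol: str, src_port: int, dst_port: int) -> bool:
        def within(rng, port):
            return rng is None or rng[0] <= port <= rng[1]
        return (protocol == self.protocol
                and within(self.src_range, src_port)
                and within(self.dst_range, dst_port))


@dataclass
class CustomRule:
    """A custom rule on the "Rules" tab: its name, the direction shown in
    the "Action" column, its port entries and the "Schedule" state."""
    name: str
    direction: str
    entries: list = field(default_factory=list)
    always_on: bool = True        # "Always Off" sets this to False

    def __post_init__(self) -> None:
        if self.direction not in DIRECTIONS:
            raise ValueError(f"unknown direction: {self.direction}")

    def allows_connection(self, initiator: str, protocol: str,
                          src_port: int, dst_port: int) -> bool:
        """Decide whether a new connection is permitted. `initiator` is the
        desktop side ("left" or "right") that sends the request; replies
        belong to that connection and need no separate rule."""
        if initiator not in ("left", "right"):
            raise ValueError(f"initiator must be left or right: {initiator}")
        if not self.always_on:                # "Always Off" schedule
            return False
        if self.direction == "Off":           # all traffic dropped
            return False
        if self.direction == "Left to right" and initiator != "left":
            return False
        if self.direction == "Right to left" and initiator != "right":
            return False
        # Assumption: a rule with no port entries matches nothing, so a
        # half-configured rule never silently opens every port.
        return any(e.matches(protocol, src_port, dst_port)
                   for e in self.entries)


def demo() -> dict:
    """Constructed rule: the left object (e.g. a LAN network) may open
    TCP 800-810 towards the right object (e.g. a server host), nothing else."""
    rule = CustomRule("lan-to-server-custom", "Left to right",
                      [PortEntry("TCP", dst="800-810")])
    return {
        "left_tcp_805": rule.allows_connection("left", "TCP", 40000, 805),
        "left_tcp_811": rule.allows_connection("left", "TCP", 40000, 811),
        "left_udp_805": rule.allows_connection("left", "UDP", 40000, 805),
        "right_tcp_805": rule.allows_connection("right", "TCP", 40000, 805),
    }
```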
3.4 Menu Reference
This reference section describes each menu item in the navigation pane on the left
side of the browser window. The license acquired from Rohde & Schwarz Cybersecurity determines which menu items are available on your gateprotect Firewall. Features
which are not included in your gateprotect Firewall license are grayed out in the navigation pane.
Refer to the topics below for information on the options available in each view.
3.4.1 Firewall
Use the "Firewall" settings to configure your gateprotect Firewall for your local environment. In addition, you can set up access to the gateprotect Firewall from external networks or the Internet and connect the gateprotect Firewall to a gateprotect Command Center server.
3.4.1.1 License Settings
The exact feature set of each gateprotect Firewall depends on the license acquired
from Rohde & Schwarz Cybersecurity.
When first started after delivery or a new installation, the gateprotect Firewall runs as a
test version for 30 days. You can see that it is a test version in the notification on the
"License Manager" panel under "Firewall > License". During this period of time, it is not
possible to create backups. After this period of time, the firewall remains active with
your configuration. However, you are not able to make any changes and the HTTP and
HTTPS protocols are blocked.
The following licensable features can be included in a gateprotect Firewall license:
● Antispam
● Content Filter
● WLAN
● Antivirus
● Application Filter
Navigate to "Firewall > License" to open an editor panel to view the validity period of
your gateprotect Firewall license and additional feature licenses or to upload a new
license.
In fixed intervals, the system checks the expiration dates of the license and individual
feature licenses in the license file. When a license expires, all licensable features are
deactivated until a new license is acquired via www.mygateprotect.com, downloaded to
the local disk and uploaded via the web client under "Firewall > License". The new
license has to comply with the software version number of the gateprotect Firewall and
the hardware.
To upload a new license, perform the following steps:
1. Click "Select File" behind the "License File" input field.
The local disk search opens.
2. Select a new license file in GPLF format from the local disk.
3. Click "Open".
The local disk search closes.
4. Click "License" to upload the license file.
The license is uploaded. If the upload is successful, all licenses and the information
about them are automatically entered in the gateprotect Firewall and a success
message appears.
5. Confirm that you want to log out by clicking "OK".
The system logs you out and opens the gateprotect Firewall logon page.
6. Enter your logon credentials.
7. Click "Login".
The web client appears.
3.4.1.2 Updates Settings
The "Updates Settings" panel allows you to keep the gateprotect Firewall up to date at
all times. New software, hotfixes, security updates and new functions can be automatically downloaded from the update server and installed on the firewall quickly and hassle-free. In addition, the update system is equipped with various functions for notifying
the system administrator if there are new updates available. Furthermore, you can view
a history of the imported updates.
To prevent any unauthorized or malicious updates from being installed on the firewall,
all gateprotect Firewall updates are signed digitally. Only updates with a valid signature
are displayed and installed.
Navigate to "Firewall > Updates Settings" to open an editor panel to display the list of
available updates with information about them and their status on the "Updates" tab.
The "Filter" input field allows you to narrow the list of results in the table below it. As
you type in the input field, the gateprotect Firewall automatically refreshes the list to
show only those entries that contain the characters you are typing as a name, type or
description. Click in the input field to delete the search string and display an unfiltered view of the list.
The table columns of the updates list contain the following information:
Column: Description
"Name": Displays the name of the available update.
"Type": Displays the type of the update. The update system differentiates between four types of updates:
● security – contains corrections which concern the security of the firewall
● recommended – contains corrections, performance and stability optimizations
● hotfix – contains corrections for the firewall modules but also new functions
● upgrade – contains an upgrade to the next gateprotect Firewall software version
"Description": Displays a text field with further information about the update. The text field can be unfolded to view all information relating to the update by clicking on it.
"Reboot": Indicates whether a reboot of the system is required after the update has been installed successfully.
"Release Date": Displays the date when the update was released.
"Status": Distinguishes between new updates and updates which have already been installed. Note: An update cannot be installed more than once.
"Action / Dependency": If dependencies are met, the "Install" action is allowed. Otherwise, a list of dependencies is displayed. To meet the dependencies, install the updates mentioned in the list.
Click "Refresh Updates List" to update the list of available updates with the latest versions manually.
The "Settings" tab allows you to configure the following elements:
Field: Description
"Search for New Updates Automatically": Select the checkbox to refresh the list of available updates with the latest versions automatically.
"Interval": From the drop-down list, select the desired frequency for refreshing the updates list. The option is set to Daily by default, but you can adjust the settings to one of the other values as necessary:
● Hourly
● Daily
● Weekly
"Update Time": Enter the date and time for the first automatic refresh of the updates list and the first automatic update. If you click the input field, a pop-up window with a calendar and input fields for changing the date and time opens. You can enter a date in the format MM/DD/YYYY or use the date picker to set a new date. You can also set a new time by entering the time in the format hh:mm:ss.
Note: All subsequent updates are carried out at the time set here if the automatic installation of updates described below is enabled.
"Install Updates Automatically": Select the respective radio button to specify which updates you want to be imported and installed on the gateprotect Firewall automatically. This function is limited to security and recommended hotfixes. The option is set to None by default, but you can adjust the settings to one of the other values as necessary.
"Update Servers": The standard update server is: http://www.gateprotect.com/updateserver.
You can add as many update servers as you like. Enter the URL of an update server and click "Add" to put the update server on the list.
Note: If the URL contains a fully qualified domain name (FQDN), you need to configure the DNS settings. Otherwise, the FQDN cannot be resolved.
You can edit or delete each single entry in the list by clicking the appropriate button next to an entry. For further information, see Chapter 3.2, "Icons and Buttons", on page 17.
Note: If you edit an update server, a check mark appears on the right of the entry. Click the check mark to be able to save the settings of the update server.
The "History" tab displays the update history of the gateprotect Firewall.
If you modify the settings on the "Updates Settings" panel, click "Save" to store your
changes or "Reset" to discard them. Otherwise, click "Close" to shut the panel and
return to the overview of your entire configured network.
Click "Activate" in the toolbar at the top of the desktop to apply your configuration changes.
In a High Availability configuration, system updates must be installed in two phases.
First, the master system is updated and rebooted. The former slave takes over the
master role. Then, the new master is updated and rebooted. The new slave (former
master) takes over the master role again. Do not make changes to the system at
any point in this process.
Important: Always update both systems (master and slave). Otherwise, High Availabil-
ity does not work correctly.
For more information, see Chapter 3.4.1.8, "High Availability Settings", on page 45.
3.4.1.3 Administrators
Use the "Administrators" settings to define administrators and their access to certain
services.
For more detailed information on administrators, see the following sections.
Administrators Overview
Navigate to "Firewall > Administrators" to display the list of administrators that are currently defined on the system in the item list bar.
The plus button above the list allows you to add new administrators.
In the expanded view, the first table column displays the "Name" of the administrator.
The "Admin" column shows one of the following status indicators:
● Green – The administrator has been granted access to the web client.
● Orange – The administrator has not been granted access to the web client.
The buttons in the last column allow you to view and adjust the settings for an existing
administrator. Furthermore, the buttons allow you to create an administrator based on
a copy of an existing administrator or delete an administrator from the system.
For further information, see Chapter 3.2, "Icons and Buttons", on page 17.
Administrators Settings
Under "Firewall > Administrators", you can add a new or edit an existing administrator.
You cannot delete or rename the default user admin, nor withdraw this user's access rights to the web client. Because this account can neither be removed nor restricted, give it a strong password and create personal administrator accounts with only the web client permissions each person needs for day-to-day work.
The "Administrator" panel allows you to configure the following elements:
"Name" – Enter a unique name for the administrator.
"Description" – Optional: Enter additional information regarding the administrator for internal use.
On the "Client Access" tab:
"Granting access" – Select this checkbox to grant the administrator access to the web client.
"Password" – For newly added administrators, only if the "Granting access" checkbox is selected: Enter a password and confirm it. For edited administrators, only if the "Change" checkbox is selected: Enter a password and confirm it.
"Change" – Optional and for edited administrators only, if the "Granting access" checkbox is selected: Select this checkbox to change the administrator's password.
"Show Password" – Optional and for newly added administrators, only if the "Granting access" checkbox is selected: Select this checkbox to verify the password. Optional and for edited administrators, only if the "Change" checkbox is selected: Select this checkbox to verify the password.
"Require password change after next login" – Optional and for newly added administrators, only if the "Granting access" checkbox is selected: Select this checkbox if you want the administrator to change the password after the next logon. Optional and for edited administrators, only if the "Change" checkbox is selected: Select this checkbox if you want the administrator to change the password after the next logon.
On the "Webclient Permissions" tab, you can specify what the administrator is allowed
to do in specified areas of the web client.
You can choose between the following permissions by selecting the respective radio button:
● "Forbidden" – The administrator cannot access the specified area of the web client.
● "Read/Open" – The administrator can open and read the editors/entities in the specified area of the web client but cannot change them.
● "Write/Execute" – The administrator has full access to the editors/entities in the specified area of the web client.
The buttons at the bottom right of the editor panel depend on whether you add a new
or edit an existing administrator. For a newly configured administrator, click "Create" to
add the administrator to the list of available administrators or "Cancel" to discard your
changes. To edit an existing administrator, click "Save" to store the reconfigured
administrator or "Reset" to discard your changes. You can click "Close" to shut the editor panel as long as no changes have been made on it.
3.4.1.4 User Authentication
The "User Authentication" settings determine the list of users who can be authorized to
utilize your network resources, such as Internet access and VPN tunnels. Furthermore,
these settings allow you to connect the gateprotect Firewall to an external directory
service from where it can retrieve individual users and user groups. This allows you to
set firewall regulations not just for computers but also for individual users and user
groups.
Navigate to "Firewall > User Authentication" to configure the connection parameters for
the directory server that is used to manage the LDAP users and groups on your network and to set up local users. The item list bar displays an overview of all users configured on the system.
For more detailed information on user authentication, see the following sections.
Technical Background and Preparations
Purpose of user authentication
With user authentication, firewall rules can be assigned to the users when they are logged on. Only one user per IP address can be logged on. If another user logs on from
an IP address which is already being used for a session, the other logged-on user is
logged out and the new user is logged on.
Logging on to the firewall
The gateprotect Firewall runs a special web server which only processes user logons.
It receives the user name and password. With a user database which is created locally
on the gateprotect Firewall, an authentication service first verifies whether the user
name and password are admissible. If this logon fails and a Microsoft Active Directory server or an openLDAP server is configured on the gateprotect Firewall, the
authentication service additionally queries that directory server via the Kerberos protocol to see whether the user can be authenticated. If the authentication was successful,
the IP address from which the request was sent is assigned the firewall rules for this
user.
Users who are registered in the local database of the gateprotect Firewall can change
their password over the web server. The password can have up to 248 characters.
Longer passwords are accepted but are silently truncated, so only the first 248 characters are significant.
Certain computers, such as terminal servers on which many users work at the same
time, or servers to which only administrators log on, can be excluded from the user
authentication. The web server and the authentication service then do not accept any
user logons from the IP addresses of these computers.
Since all users have the same IP address on a terminal server, the gateprotect Firewall
cannot identify the different users in the network. For this purpose, Microsoft offers the
so-called Remote Desktop IP Virtualization for Server 2008 R2 and newer versions.
This way, every user obtains their own IP address from a pool of IP addresses, similar
to DHCP.
Authentication server
For smaller companies without central user management, the gateprotect Firewall provides local user management. You can always use the local user database. However,
it is also possible to use an external directory service, such as Microsoft Active Directory server or an openLDAP server. The users of the external authentication server
have to be placed in CN=Users within the domain as specified in "User Authentication / Directory Service Settings" on page 35. Both Microsoft Active Directory and
openLDAP use the Kerberos protocol to validate the credentials provided by any of
the user authentication clients.
Active directory groups
If you are using a Microsoft Active Directory server for authentication, the Active Directory groups are displayed in the user authentication item list bar as well. Active Directory groups are a powerful tool to set up and maintain security policies for each user.
For example, you allocate Active Directory users to certain Active Directory groups and
then create firewall rules for these groups on the gateprotect Firewall.
Logging on
Users can log on to the gateprotect Firewall in different ways:
● "Logging on via web browser" on page 29
● "Logging on via User Authentication Client (UA Client)" on page 30
● "Logging on via Single Sign-On (SSO)" on page 32
Logging on via web browser
Once users have been set up as desktop objects and firewall rules including these
users have been configured, they can act according to the rules using the so-called
Landing page. The logon via web browser method works with any browser and is SSL-encrypted.
To log on to the gateprotect Firewall via a web browser, perform the following steps:
1. Start a web browser.
2. Make sure that cookies are enabled.
3. Enter the IP address of your gateprotect Firewall, for example
https://192.168.12.1 (using the default port 443), in the address bar.
A special web page presenting the gateprotect Firewall Landing page appears.
Figure 3-4: User authentication via web browser.
4. Enter the "Name".
Note: If the user is an LDAP user, the user's login name has to exactly match the
user name specified in the sAMAccountName attribute of the user. Otherwise, the
name in the user-specific firewall rules will not correspond to the user logging on to
the client and the rules will not match.
5. Enter the "Password" of the user.
6. Click "Login".
The authentication is carried out.
For security reasons, the browser window in which the user logged on must remain
open during the whole session. Otherwise, the user is logged out automatically after
one minute to prevent unauthorized persons from accessing the firewall via a computer
where a user has forgotten to log out.
Logging on via User Authentication Client (UA Client)
The Windows-based UA client provided with the gateprotect Firewall is located in the
UAClient directory on the USB flash drive.
To log on to the gateprotect Firewall via the UA client, perform the following steps:
1. Install the UA client.
2. Start the UA client.
Figure 3-5: User authentication via UA client.
3. Under "Server Address", enter the IP address of your gateprotect Firewall.
4. Enter the "User Name".
Note: If the user is an LDAP user, the user's login name has to exactly match the
user name specified in the sAMAccountName attribute of the user. Otherwise, the
name in the user-specific firewall rules will not correspond to the user logging on to
the client and the rules will not match.
5. Enter the "Password" of the user.
6. Optional: Select the "Remember password" checkbox if you want the password to
be saved for future logons.
7. Optional: Adjust the period of time for reconnection under "Settings" by clicking the
system tray icon in the Windows taskbar with your right mouse button.
8. Click "Login".
The authentication is carried out.
For security reasons, it is strongly recommended to update the UA client to the latest
version available. However, a compatibility mode that allows older versions of the UA
client to work with the gateprotect Firewall version 10 can be enabled. Enabling it is flagged as a security risk under "Compatibility Mode" in the settings described below, so use it only temporarily while older clients are being upgraded. For more information, see "User Authentication / Directory Service Settings" on page 35.
Logging on via Single Sign-On (SSO)
When using Single Sign-On (SSO), domain users from the Active Directory domain log
on to a Windows client. Firewall rules configured on the gateprotect Firewall concerning these users are then automatically applied.
To realize SSO with the gateprotect Firewall in an Active Directory environment, the
following preconditions have to be met:
1. As Kerberos is time-critical, make sure to set the same time/NTP server for all
components of SSO (domain controller, Windows client and gateprotect Firewall).
2. Creating the user gpLogin
It is necessary to create a normal domain user in the user management under
"CN=Users" in the Active Directory. This user is then assigned a so-called Service
Principal Name (SPN) which is needed for the authentication of the gateprotect
Firewall on the server. The user does not need any specific rights.
a) On the domain controller, open the user management and create a new user.
Figure 3-6: Creating a new user – user logon name.
b) Under "First name", enter gpLogin.
With this name, it is easier to find the user later in the user overview.
c) Under "User logon name", enter gpLogin/<firewall name>.
In the example above, the host name (<firewall name>) of the gateprotect
Firewall is fw96 and, therefore, the user logon name is gpLogin/fw96.
d) Under "User logon name (pre-Windows 2000)", enter gpLogin.
e) Click "Next".
f) Enter a password for the user and confirm it.
Figure 3-7: Creating a new user – user password.
g) Select the "Password never expires" checkbox.
h) Click "Next".
i) Verify the information relating to the new user by clicking "Finish".
The user gpLogin is created.
3. Using the gpLogin user to query the Active Directory
In the "User Name" input field under "Authentication Server", enter gpLogin.
4. Configuring the Service Principal Name (SPN)
Assign an SPN to the newly created user so that the gateprotect Firewall is able to
establish a trust relationship with the domain controller. To do so, run the following command on the domain controller: setspn -A gpLogin/fw96 gpLogin
The host name after gpLogin/ has to be the host name of the gateprotect Firewall as set on the "Kerberos" tab of the user authentication settings (fw96 in this example).
5. Generating a Kerberos Key
With the Kerberos key, the client computer can automatically log on to the gateprotect Firewall after the user's logon on the Windows domain. To generate a Kerberos key, perform the following steps:
a) Log on to your gateprotect Firewall.
b) Navigate to "Firewall > User Authentication > Directory Service".
The "User Authentication Settings" editor panel opens.
c) Enable the user authentication settings by toggling the slider switch to "ON".
d) On the "Kerberos" tab, click the "Create Kerberos Key" button to generate the
Kerberos key.
The Active Directory is queried to validate the specified AD user and to obtain the
relevant information, such as the Kerberos key version number. With that information, the gateprotect Firewall is able to generate a valid Kerberos key locally.
6. Activating SSO on the gateprotect Firewall
To enable SSO on the gateprotect Firewall, perform the following steps:
a) On the "Kerberos" tab, select the "Active" checkbox.
b) Click "Save" to store your settings.
7. Preparing the Windows client
The gateprotect Firewall installation medium contains the UAClientSSO directory
with three files:
● the UAClientSSOSetup.exe setup program for the SSO client
This setup file installs the UAClientSSO.exe under C:\Program Files\R&S Cybersecurity\UA Client\3.0\UAClientSSO.exe.
● the UAClientSSO.exe application
The file needs two parameters which you have to set when starting it:
1) the host name of the gateprotect Firewall (for more information, see "User Authentication / Directory Service Settings" on page 35) and
2) the IP address of the gateprotect Firewall in the network of the client computer.
For example, if the host name of the gateprotect Firewall is fw96 and its IP address in the network of the client computer is 192.168.0.1, the command line for starting the UA SSO client is C:\Program Files\R&S Cybersecurity\UA Client\3.0\UAClientSSO.exe fw96 192.168.0.1.
● the UAClientSSO.msi Microsoft installer file
This file serves for the distribution of the client through a software distribution system. The installed client also requires the two parameters host name and IP address, but you cannot pass any parameters to the MSI file. The easiest solution is to pass the parameters via a shortcut (link) that starts UAClientSSO.exe with them.
Tip: The gateprotect User Authentication Client can be started from a network
drive (for example NETLOGON) and does not necessarily have to be installed on
all Windows clients within your network.
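Steps 1 to 4 above are typed on the domain controller and step 7 on the client side. The following PowerShell script is an added example for this manual, not a tool shipped with the gateprotect Firewall: Initialize-GpLoginAccount creates the gpLogin user under CN=Users with the user logon name gpLogin/<firewall name>, registers the SPN and checks that it is bound to exactly that account, and New-UaSsoShortcut writes the shortcut that carries the two parameters the MSI cannot. It assumes the ActiveDirectory PowerShell module on the domain controller, the firewall host name fw96 and client-side address 192.168.0.1 from the example above, and the domain example.local, the share path \\dc01\NETLOGON and both function names, which are placeholders chosen for this example. Steps 5 and 6 (creating the Kerberos key and activating SSO) are still done in the web client.

```powershell
# Added example, not part of the gateprotect manual or product.
# Assumed values: firewall host name fw96, firewall address 192.168.0.1,
# domain example.local, shortcut target \\dc01\NETLOGON\UA SSO.lnk.

function Initialize-GpLoginAccount {
    # Run on the domain controller with rights to create users (steps 1 to 4).
    param(
        [Parameter(Mandatory)] [string]$FirewallHostName,   # must match "Host Name" on the "Kerberos" tab
        [Parameter(Mandatory)] [string]$DnsDomain,          # must match "Domain" on the "Kerberos" tab
        [Parameter(Mandatory)] [securestring]$Password
    )
    Import-Module ActiveDirectory

    $spn = "gpLogin/$FirewallHostName"                      # e.g. gpLogin/fw96
    $usersContainer = 'CN=Users,' + (Get-ADDomain -Identity $DnsDomain).DistinguishedName

    # Step 2: an ordinary domain user in CN=Users. No group memberships beyond the
    # default Domain Users; the account only needs read access to the directory
    # (it is also the "User Name" on the "Authentication Server" tab, step 3).
    New-ADUser -Name 'gpLogin' -GivenName 'gpLogin' -SamAccountName 'gpLogin' `
        -UserPrincipalName "$spn@$DnsDomain" -Path $usersContainer `
        -AccountPassword $Password -PasswordNeverExpires $true -Enabled $true

    # Step 4: register the SPN. -S (instead of the manual's -A) refuses to create a
    # duplicate SPN; a duplicate would make Kerberos authentication fail.
    setspn -S $spn gpLogin | Out-Null

    # Check: the SPN is bound to gpLogin alone, and the account sits in CN=Users.
    $owners = @(Get-ADUser -LDAPFilter "(servicePrincipalName=$spn)")
    if ($owners.Count -ne 1 -or $owners[0].SamAccountName -ne 'gpLogin') {
        throw "SPN $spn is not bound to exactly the gpLogin account"
    }
    if ($owners[0].DistinguishedName -notlike "*,$usersContainer") {
        throw "gpLogin is not located under $usersContainer"
    }

    # Step 1: Kerberos tolerates only a small clock skew, so show where this host
    # gets its time; the firewall and the clients must use the same source.
    w32tm /query /source
}

function New-UaSsoShortcut {
    # Run wherever the shortcut is to be deployed (step 7). The MSI cannot carry
    # the two parameters, so they go into a shortcut that starts UAClientSSO.exe.
    param(
        [Parameter(Mandatory)] [string]$ShortcutPath,       # e.g. \\dc01\NETLOGON\UA SSO.lnk
        [Parameter(Mandatory)] [string]$FirewallHostName,
        [Parameter(Mandatory)] [string]$FirewallAddress,    # the firewall's address in the client's network
        [string]$ClientExe = 'C:\Program Files\R&S Cybersecurity\UA Client\3.0\UAClientSSO.exe'
    )
    $shell = New-Object -ComObject WScript.Shell
    $link = $shell.CreateShortcut($ShortcutPath)
    $link.TargetPath = $ClientExe
    $link.Arguments = "$FirewallHostName $FirewallAddress"   # e.g. "fw96 192.168.0.1"
    $link.Save()
}

# Usage with the assumed values; the password is prompted for, not stored in the script.
$gpLoginPassword = Read-Host -AsSecureString -Prompt 'Password for gpLogin'
Initialize-GpLoginAccount -FirewallHostName 'fw96' -DnsDomain 'example.local' -Password $gpLoginPassword
New-UaSsoShortcut -ShortcutPath '\\dc01\NETLOGON\UA SSO.lnk' -FirewallHostName 'fw96' -FirewallAddress '192.168.0.1'
```

The password chosen here is the one the firewall uses both to read the directory and, in step 5, to derive its Kerberos key, so generate a long random one and keep it only in the firewall configuration. After the script has run, the "Kerberos Key" field on the "Kerberos" tab should show the same service name and host name as the SPN registered above.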
Users
Just like computers, users and LDAP groups can be set up on the desktop as individual users or user groups.
For these desktop objects, you then define the rules which are to be assigned to the
users as soon as they log on. If users log on from a computer to which certain rules are
assigned, the rules of this computer and their personal rules are applied to these
users. You can select users and LDAP groups from the local user database on the
gateprotect Firewall and from the openLDAP or Active Directory authentication server
and add them to the user groups on the desktop. There is also a special "Default User
Group" which can be selected on the desktop. To this user group, no users are added.
It comprises all of the users who are able to log on but have not been set up as individual users or members of other user groups on the desktop. If such a default user group
is set up on the desktop and if you have assigned rules to it, users who are later created
in the Active Directory server are automatically allocated to this default user group.
After logon, these new users are automatically assigned the default rules without any
additional administration effort for each individual user. Since this applies to every account that is able to log on, keep the rules assigned to the default user group restrictive.
User Authentication / Directory Service Settings
The "User Authentication Settings" allow you to activate and deactivate user authentication in general. Furthermore, you can specify the connection parameters for the
directory server that is used to manage the LDAP users and groups on your network.
Navigate to "Firewall > User Authentication > Directory Service" to open an editor
panel to define the general settings for user authentication and the directory service.
Alternatively, navigate to "Firewall > User Authentication" to display the list of local
users, LDAP users and groups and unassigned users that are currently defined on the
system in the item list bar. Click "Settings" under the item list bar header to open the
editor panel.
The "User Authentication Settings" panel allows you to configure the following elements:
"ON"/"OFF" – A slider switch indicates whether user authentication is active ("ON") or inactive ("OFF"). By clicking the slider switch, you can toggle the state of user authentication. User authentication is disabled by default.
On the "General" tab:
"Log Logins" – Select this checkbox if you want to log all logons to the gateprotect Firewall. You can view all logon events under "Monitoring > Logs > System Log".
"Login Mode" – Select one of the following four options:
● "Single Login (deny new login)" – No user can be logged on from more than one IP address at the same time.
● "Single Login (disconnect old login)" – Any previous logons are first disconnected when the user logs on from another IP address.
● "Multiple Logins" – A user can be logged on from up to 254 different IP addresses at the same time.
● "Multiple Logins (with warning in report)" – A user can be logged on from up to 254 different IP addresses at the same time and alerts are recorded in the report.
"Web Login Port" – Set the HTTPS port for the web logon by entering the port number or using the up and down arrows. The default setting is port 443.
"Compatibility Mode" – Select this checkbox if you are using user authentication clients older than version 3.0.0 to log on to the gateprotect Firewall.
Notice: By selecting this checkbox you are putting your network security at risk. For more information, see Chapter 3.4.1.4, "User Authentication", on page 28.
"Show Landing Page" – Optional: Select this checkbox to display a landing page when an unauthorized user tries to access the Internet.
For each IP address, only one user logon is supported, even if multiple logons are activated.
On the "Authentication Server" tab, you can decide on the type of database to be used. You can use the local user database on the gateprotect Firewall independently or in addition to a Microsoft Active Directory server or an openLDAP server with Kerberos as an external user database. To be able to select a Microsoft Active Directory server or an openLDAP server with Kerberos from the drop-down list and to configure its settings, you first have to activate the Kerberos service on the "Kerberos" tab.
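To make the interaction of the "Login Mode" options with the rule that each IP address carries at most one logon concrete, here is an added example written for this manual, not code from the firewall, whose internal session handling is not documented on this page. It models the session table as a map from IP address to user name and applies the four modes as described above. The function names, the sample users alice and bob and the addresses are constructed for the example, and the assumption that a refused logon under "Single Login (deny new login)" leaves the existing sessions untouched is the example's own.

```powershell
# Added example, not part of the gateprotect manual or product: a model of the
# "Login Mode" options combined with the rule that each IP address carries at most
# one logon. Function names, users and addresses are constructed for the example.

$MaxAddressesPerUser = 254   # limit stated for the "Multiple Logins" modes

function New-LogonTable {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('SingleDeny', 'SingleDisconnect', 'Multiple', 'MultipleWarn')]
        [string]$LoginMode
    )
    # Sessions maps IP address -> user name; Report collects the warnings of
    # "Multiple Logins (with warning in report)".
    return @{ Mode = $LoginMode; Sessions = @{}; Report = New-Object System.Collections.ArrayList }
}

function Invoke-UserLogon {
    param(
        [Parameter(Mandatory)] [hashtable]$Table,
        [Parameter(Mandatory)] [string]$User,
        [Parameter(Mandatory)] [string]$IPAddress
    )
    $sessions = $Table.Sessions
    # Other addresses this user is already logged on from. User names are
    # case-sensitive on the firewall, hence -ceq/-cne rather than -eq/-ne.
    $otherAddresses = @($sessions.Keys | Where-Object { $sessions[$_] -ceq $User -and $_ -ne $IPAddress })

    switch ($Table.Mode) {
        'SingleDeny' {
            # "Single Login (deny new login)": a second address is refused.
            # Assumption of this example: the refusal changes nothing else.
            if ($otherAddresses.Count -gt 0) { return 'Denied' }
        }
        'SingleDisconnect' {
            # "Single Login (disconnect old login)": earlier logons are dropped first.
            foreach ($address in $otherAddresses) { $sessions.Remove($address) }
        }
        default {
            # "Multiple Logins": at most 254 addresses per user; the "(with warning
            # in report)" variant additionally records each additional logon.
            if ($otherAddresses.Count -ge $MaxAddressesPerUser) { return 'Denied' }
            if ($Table.Mode -eq 'MultipleWarn' -and $otherAddresses.Count -gt 0) {
                [void]$Table.Report.Add("$User logged on from $IPAddress while logged on from $($otherAddresses.Count) other address(es)")
            }
        }
    }

    # One logon per IP address: whoever is logged on from this address is logged out.
    if ($sessions.ContainsKey($IPAddress) -and $sessions[$IPAddress] -cne $User) {
        $evicted = $sessions[$IPAddress]
        $sessions[$IPAddress] = $User
        return "LoggedOn, logged out $evicted"
    }
    $sessions[$IPAddress] = $User
    return 'LoggedOn'
}

# Constructed walk-through. Two users behind one address behave like users on a
# terminal server, which is why the manual says to exclude such hosts.
$table = New-LogonTable -LoginMode 'SingleDeny'
Invoke-UserLogon -Table $table -User 'alice' -IPAddress '192.168.12.50'   # first logon
Invoke-UserLogon -Table $table -User 'alice' -IPAddress '192.168.12.51'   # same user, second address
Invoke-UserLogon -Table $table -User 'bob'   -IPAddress '192.168.12.50'   # other user, alice's address

$table = New-LogonTable -LoginMode 'SingleDisconnect'
Invoke-UserLogon -Table $table -User 'alice' -IPAddress '192.168.12.50'
Invoke-UserLogon -Table $table -User 'alice' -IPAddress '192.168.12.51'   # earlier session is dropped
$table.Sessions.Keys                                                       # remaining sessions
```

Running the walk-through shows the difference between the two single-login modes: under "deny new login" alice's second address is refused while her first session survives, under "disconnect old login" the first session is removed and only the second address remains. In both modes bob's logon from alice's address evicts alice, which is the behaviour that makes shared-address hosts such as terminal servers unsuitable for user authentication.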
If Microsoft Active Directory Server is selected, you can configure the following elements:
"Host" – Enter the host name or the IP address of the directory server.
Note: If you enter the host name of the directory server, you need to configure the DNS settings. Otherwise, the host name cannot be resolved.
"Port" – Enter the directory server's port number to be used for communication. You can also select the port number by using the up and down arrows.
"User Name" – Enter the name of a user with read rights to retrieve the list of users of the domain from the Active Directory. This field has to be the sAMAccountName attribute of the user. The user has to be placed in "CN=Users". For more information, see "Logging on via Single Sign-On (SSO)" on page 32.
"Password" – Enter the password of the user that has read rights.
Tip: It is recommended to create a dedicated user for this purpose with no rights beyond reading the directory.
"Domain Name" – Enter the domain name of the Active Directory.
To test the configured Microsoft Active Directory server settings, click "Test AD Settings".
If OpenLDAP Server is selected, you can configure the following elements:
"Server Address" – Enter the host name or the IP address of the directory server.
Note: If you enter the host name of the directory server, you need to configure the DNS settings. Otherwise, the host name cannot be resolved.
"Port" – Enter the directory server's port number to be used for communication. You can also select the port number by using the up and down arrows.
"User DN" – Enter the user DN of an account that has read rights.
Tip: It is not mandatory to provide the full user DN. Upon clicking "Save", the system automatically adds the domainComponents from the "Base DN" entry.
"Password" – Enter the password of the user that has read rights.
"Base DN" – Enter a distinguished name (base DN) as a sequence of relative distinguished names (RDN) separated by commas, such as three domainComponents: dc=ldap,dc=example,dc=com, to define the location within the directory from where the directory search should start.
"User Query" – Optional: Specify the filter to be used to retrieve the list of users.
"User ID" – Optional: Define the attribute where the user identifier is retrieved from. The user names displayed in the web client are actually coming from this attribute of the LDAP user. The user ID is retrieved from the sAMAccountName attribute by default. Note that sAMAccountName is an Active Directory attribute; a plain OpenLDAP tree usually carries the logon name in uid, so set this field to the attribute your schema actually uses.
"User Name" – Optional: Define the attribute where the user name is retrieved from.
"User Group" – Optional: Define the attribute where the user group is retrieved from.
"User Primary Group" – Optional: Define the attribute where the user primary group is retrieved from.
"Mail Query" – Optional: Specify the filter to be used to retrieve the list of mails.
"Mail Name" – Optional: Define the attribute where the mail name is retrieved from.
"Group Query" – Optional: Specify the filter to be used to retrieve the list of groups.
"Group Name" – Optional: Define the attribute where the group name is retrieved from.
"Group ID" – Optional: Define the attribute where the group identifier is retrieved from.
"Group Primary ID" – Optional: Define the attribute where the group primary identifier is retrieved from.
"Group Parent" – Optional: Define the attribute where the group parent is retrieved from.
Upon clicking "Save", all optional fields which you did not specify are filled with default values by the system.
The users have to be in the root directory Users. If you wish to use Kerberos for Single Sign-On, the user has to be gpLogin. For more information, see "Logging on via Single Sign-On (SSO)" on page 32.
On the "Kerberos" tab:
"Active" – Select this checkbox to activate the Kerberos service.
"Kerberos Key" – Displays the service name, the host name and the domain related to the userPrincipalName of the most recently created Kerberos key, also known as keytab. For more information, see "Logging on via Single Sign-On (SSO)" on page 32.
"Host Name" – Adjust the host name of your gateprotect Firewall if necessary.
"Domain" – Adjust the domain of your gateprotect Firewall so it matches the domain of the Active Directory if necessary.
Local Users
gateprotect Firewall offers local user administration for smaller companies without central administration. Use the "Local Users" settings to define and manage users by
specifying the usernames and passwords that are authorized to connect to gateprotect
Firewall for VPN access.
Navigate to "Firewall > User Authentication > Local Users" to display the list of local
users that are currently defined on the system in the item list bar.
In the expanded view, the table columns display the "Name" of the local user and a
"Description" if one was entered. The buttons in the last column allow you to view and
adjust the settings for an existing local user, create a new user based on a copy of an
existing local user, or delete a user from the system.
For further information, see Chapter 3.2, "Icons and Buttons", on page 17.
Under "Firewall > User Authentication > Local Users", you can add a new or edit an
existing local user.
The "Local User Authentication" panel allows you to configure the following elements:
"User Name" – Enter a unique name for the local user which will be the logon name.
Important: The user's logon name has to exactly match the "User Name" (case-sensitive). Otherwise, the name in the user-specific firewall rules will not correspond to the user logging on to the client and the rules will not match.
"Description" – Optional: The information given here is for internal use for the administrator only.
"Password" – Enter a password for the user and confirm it. The password must consist of at least six characters. Six characters is only the enforced minimum; since these credentials grant network and VPN access, use considerably longer passwords (up to 248 characters are significant).
"Show Password" – Optional: Select this checkbox to verify the password.
"Require password change after next login" – Optional: Select this checkbox if you want the user to change the password after the next logon. If selected, the web server will redirect the user from the logon page to a page for changing the password.
The buttons at the bottom right of the editor panel depend on whether you add a new
local user or edit an existing user. For a newly configured local user, click "Create" to
add the new user to the list of available local users or "Cancel" to reject the creation.
To edit an existing local user, click "Save" to store the reconfigured user or "Reset" to
discard your changes. You can click "Close" to shut the editor panel as long as no
changes have been made on it.
The local users defined here are available for use in desktop objects, for example VPN
users.
LDAP Users
It is possible to connect gateprotect Firewall to an external directory server via the
Lightweight Directory Access Protocol (LDAP) to retrieve users from there. You can
use these users in user-specific firewall rules.
LDAP can be used by medium to large companies to access directory services and to
manage user data.
Connect to a directory server as described under "User Authentication / Directory Ser-
vice Settings"on page 35.
Navigate to "Firewall > User Authentication > LDAP Users" to display the list of LDAP
users that are currently defined on the directory server in the item list bar.
To make LDAP users in this list available for use in connections and user-specific firewall rules, the users have to be assigned to a user desktop object. For more information, see Chapter 3.4.4.4, "User Groups", on page 81.
LDAP Groups
It is possible to connect gateprotect Firewall to an external directory server via the
Lightweight Directory Access Protocol (LDAP) to retrieve user groups from there. You
can use these user groups in group-specific firewall rules.
LDAP can be used by medium to large companies to access directory services and to
manage user data.
Connect to a directory server as described under "User Authentication / Directory Ser-
vice Settings"on page 35.
Navigate to "Firewall > User Authentication > LDAP Groups" to display the list of LDAP
groups that are currently defined on the directory server in the item list bar.
To make LDAP groups in this list available for use in connections and group-specific
firewall rules, the groups have to be assigned to a user group desktop object. For more
information, see Chapter 3.4.4.4, "User Groups", on page 81.
Unassigned Users
Navigate to "Firewall > User Authentication > Unassigned Users" to view LDAP users
that are assigned to user desktop objects but can no longer be retrieved from the directory service at the location where they used to be (for example because the account was deleted or moved).
Application Examples
Using a Windows domain
If you have a Windows domain, you can connect the user authentication to the Windows domain controller.
To connect the user authentication to the Windows domain controller, perform the following steps:
1. Navigate to "Firewall > User Authentication".
2. Click the "Authentication Server" tab.
3. Enter the data of your domain controller.
All the users in the specified domain appear on the user list.
4. Drag user icons onto the configuration desktop and assign rules to them.
The users have to enter the URL with https:// and the IP address of the firewall
in the address bar of their browser and log on on the page that appears. After a successful logon, the firewall rules of the user are assigned to the supplied IP address.
When the browser window is closed, the session cookie expires and the rules lose
their validity.
Excluding the Terminal Server from User Authentication
If you are using a terminal server, exclude it from the user authentication because otherwise, after one user has logged on, all the previous users are logged out.
To exclude the terminal server from the user authentication, perform the following
steps:
1. Click the host group icon in the toolbar at the top of the desktop.
2. Clear the checkbox in the "Login Allowed" column.
Figure 3-8: Object settings – terminal server.
If your users do need the authentication on the terminal server, you can activate
Remote Desktop IP Virtualization on the terminal server. This way, all users are
assigned their own IP address during a session.
3.4.1.5 Server Access Settings
The "Server Access" settings allow you to define how the gateprotect Firewall can be
accessed from external networks or the Internet. In addition, you can determine how
the gateprotect Firewall is to react, for example, to ping requests.
The "Server Access" settings only apply to external accesses to the gateprotect Firewall for the defined users. Accesses from the internal network are always possible.
Navigate to "Firewall > Server Access" to open an editor panel to determine whether
and how access from external networks or the Internet to the gateprotect Firewall is
allowed.
The "Server Access" panel allows you to configure the following elements:
Field – Description
"Web Access from Internet" – Select the respective radio button to specify external
web access via the Internet. The option is set to Deny by default, but you can adjust
the settings to one of the other values as necessary:
●
Deny – Only computers from the internal network are allowed to access the gateprotect
Firewall web client; external web access via the Internet is denied.
●
VPN only – The same function as Deny. However, in this case, access from the Internet to
the gateprotect Firewall web client via VPN is allowed.
●
Allow – External access to the gateprotect Firewall web client via the Internet is allowed.
Note: The Allow option provides access to the web client via the Internet. In certain
circumstances, this may allow attackers to access the gateprotect Firewall. Therefore, it
is recommended not to use this option as a permanent solution.
"SSH Access from Internet" – Select the respective radio button to specify external
SSH access via the Internet. The option is set to Deny by default, but you can adjust
the settings to one of the other values as necessary:
●
Deny – Only computers from the internal network are allowed to access the gateprotect
Firewall via SSH; external SSH access via the Internet is denied.
●
VPN only – The same function as Deny. However, in this case, SSH access from the Internet
to the gateprotect Firewall via VPN is allowed.
●
Allow – External SSH access to the gateprotect Firewall via the Internet is allowed.
Note: The Allow option provides SSH access to the gateprotect Firewall via the Internet.
The SSH access is useful, for example, for the Rohde & Schwarz Cybersecurity support
team. In other circumstances, this may allow attackers to access the gateprotect
Firewall. Therefore, it is recommended not to use this option as a permanent solution.
"Ping (ICMP to Firewall)" – Select the respective radio button to specify what the
gateprotect Firewall is to do with ICMP commands (ping) to the firewall from the internal
network and the Internet. The option is set to Allow by default, but you can adjust the
settings to the other value as necessary:
●
Deny – The gateprotect Firewall does not respond to ICMP commands to the firewall from
the internal network and the Internet.
●
Allow – The gateprotect Firewall responds to ICMP commands to the firewall from the
internal network and the Internet.
Note: While blocking ICMP commands can improve the security of the gateprotect Firewall,
it also makes any troubleshooting in the network difficult. Therefore, if an error occurs
in the network, it is recommended to set this option to Allow before you start
troubleshooting.
If you modify the settings, click "Save" to store your changes or "Reset" to discard
them. Otherwise, click "Close" to shut the editor panel.
Click " Activate" in the toolbar at the top of the desktop to apply your configuration
changes.
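The settings above only say what the firewall should do; an administrator usually also wants to confirm from the outside that "Deny" or "VPN only" really takes effect. The following Python script is an added example, not part of the manual or the product: it probes the web client and SSH with a plain TCP connect from the host it runs on and compares the outcome with the configured option. The port numbers (443 for the https web client, 22 for SSH) and the option names are assumptions taken from the text; run the probe from a host outside the internal network and outside any VPN, otherwise a successful connection proves nothing.

```python
import socket

# Options of "Web Access from Internet" and "SSH Access from Internet" as named in the manual
ACCESS_OPTIONS = ("Deny", "VPN only", "Allow")

# Assumed listening ports: the web client is reached via https:// (443), SSH on 22.
SERVICE_PORTS = {"web": 443, "ssh": 22}


def reachable_from_internet(option):
    """True only for "Allow"; "Deny" and "VPN only" both refuse plain Internet clients."""
    if option not in ACCESS_OPTIONS:
        raise ValueError(f"unknown Server Access option: {option!r}")
    return option == "Allow"


def tcp_reachable(host, port, timeout=3.0):
    """Plain TCP connect probe; True if something accepts the connection."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_firewall(external_ip):
    """Run the connect probes for both services from the current host."""
    return {svc: tcp_reachable(external_ip, port) for svc, port in SERVICE_PORTS.items()}


def audit_server_access(settings, observed):
    """Compare the configured options with what an external probe observed.

    settings: {"web": option, "ssh": option}
    observed: {"web": bool, "ssh": bool} as returned by probe_firewall() on a host
              outside the internal network and outside any VPN.
    Returns a list of findings; an empty list means the posture matches the configuration.
    """
    findings = []
    for svc, option in settings.items():
        if option == "Allow":
            findings.append(f"{svc}: set to 'Allow' - exposed to the Internet; "
                            "the manual advises against keeping this permanently")
        if observed.get(svc, False) and not reachable_from_internet(option):
            findings.append(f"{svc}: port {SERVICE_PORTS[svc]} accepted a connection "
                            f"although the option is set to '{option}'")
    return findings


if __name__ == "__main__":
    # Constructed sample: the intended configuration and a made-up probe result.
    intended = {"web": "Deny", "ssh": "VPN only"}
    seen = {"web": False, "ssh": True}
    for finding in audit_server_access(intended, seen):
        print(finding)
```

To run it for real, replace the made-up `seen` dictionary with `probe_firewall("<external address of the firewall>")`; an empty finding list means nothing is reachable that the configuration says should be closed.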
3.4.1.6 Command Center Settings
The RSCS Command Center allows you to administrate multiple gateprotect Firewalls
in one application.
Navigate to "Firewall > Command Center" to open an editor panel to connect the gateprotect Firewall to an RSCS Command Center server via a VPN connection.
To establish the VPN connection, you need VPN certificates for all devices that were
signed by the same certificate authority (CA). Therefore, it is advisable to manage the
VPN CA and the VPN certificates on one site and then to export and import the VPN
certificates from there to the other sites.
For information on how to create, export and import certificates, see Chapter 3.4.8.1,
"Certificates", on page 114.
The "Command Center" panel allows you to configure the following elements:
Field – Description
"ON"/"OFF" – A slider switch indicates whether the connection to the Command Center is
active ("ON") or inactive ("OFF"). By clicking the slider switch, you can toggle
the state of the connection. The connection to the Command Center is deactivated by default.
"Host" – Enter the host name or IP address under which the Command Center is reachable
from the gateprotect Firewall.
"Port" – Enter the port number under which the Command Center is reachable.
"Command Center CA" – From the drop-down list, select the CA that was used to sign the
Command Center certificate.
"Firewall Certificate" – From the drop-down list, select the VPN certificate for the
gateprotect Firewall.
If you modify the settings, click "Save" to store your changes or "Reset" to discard
them. Otherwise, click "Close" to shut the editor panel.
3.4.1.7 Time Settings
The gateprotect Firewall works with time-sensitive rules. Furthermore, the system time
is particularly important for services such as logging that rely on accurate timestamps.
Therefore, it is necessary to set the date and time correctly.
Navigate to "Firewall > Time Settings" to open an editor panel to display and edit the
system date and time settings.
The "Time Settings" panel allows you to configure the following elements:
Field – Description
"Time Zone" – From the drop-down list, select one of the predefined time zones. The
time zone is set to (+01:00) Europe - Berlin by default, but you can adjust the settings
to one of the other values as necessary.
"Current Time" – Check the current system date (MM/DD/YYYY) and time (hh:mm:ss) of the
gateprotect Firewall.
"Date & Time" – Optional: Click the input field to set a new system date or time
manually. A pop-up window with a calendar and input fields for changing the date and
time opens. You can enter a date in the MM/DD/YYYY format or use the date picker to set
a new date. You can also set a new time by entering the time in the hh:mm:ss format.
Note: To set the system time manually, NTP has to be disabled (in other words, the
"NTP Client" checkbox must be cleared). Otherwise, the time will be reset automatically
when the system sends the next NTP request.
"NTP Client" – Optional: Select the checkbox to use remote network time protocol
servers to set the system date and time automatically.
"NTP Servers" – Optional and only available if the "NTP Client" checkbox is selected:
You can either use the predefined NTP servers or add your own NTP servers to the list.
The standard NTP servers are: de.pool.ntp.org and europe.pool.ntp.org.
You can add as many NTP servers as you like. Enter the IP address or the fully qualified
domain name of an NTP server in the input field. Then click "Add" to put the NTP server
on the list.
You can edit or delete each single entry in the list by clicking the appropriate button
next to an entry. For further information, see Chapter 3.2, "Icons and Buttons", on
page 17.
Note: If you edit an NTP server, a check mark appears on the right of the entry. Click
the check mark to be able to save the settings of the NTP server.
Note: If more than one NTP server is configured, the gateprotect Firewall automatically
synchronizes the system clock with the server that transmits the best time signal.
"Serve as local NTP server" – Optional and only available if the "NTP Client" checkbox
is selected: Select the checkbox if you want to make the system time of the gateprotect
Firewall available in the internal network. The gateprotect Firewall then acts as an
internal, local NTP server.
If you modify the settings, click "Save" to store your changes or "Reset" to discard
them. Otherwise, click "Close" to shut the editor panel.
Click " Activate" in the toolbar at the top of the desktop to apply your configuration
changes.
3.4.1.8 High Availability Settings
The "High Availability" (HA) settings allow two independent gateprotect Firewall systems to be connected in a master/slave configuration via a dedicated interface. The so-called HA cluster provides failover capability. If the master machine becomes unavailable, the standby (slave) machine assumes its duties.
The master and slave systems are connected via a Cluster Interconnect cable that
allows them to communicate with one another and monitor the status of the paired system. The master machine synchronizes its configuration to the slave. On the slave
machine, certain rules are applied which allow network communication with the master
machine only. If the slave system fails to detect a »heartbeat« signal from the master,
it takes over the role of the master system (in the event of power outage or hardware
failure/shutdown).
When the slave machine takes over, it removes the special block rules and sends out a
Gratuitous ARP request. The switch which is connected to the gateprotect Firewall
must allow the arping command. On the client machine in the network, it may take a
few seconds before its ARP cache is updated and the new master is reachable.
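The takeover announcement is a standard gratuitous ARP frame, which is why the switch must let it through. The Python code below is an added example and not part of the manual or the product: it builds such a frame from constructed sample values, decodes it, and keeps track of which MAC address last announced each IP address, so that a capture on a switch mirror port lets you confirm that the announcement of the new master actually reaches the switch and that clients will relearn the address. The frame layout follows the Ethernet and ARP standards; the sample MAC and IP addresses are made up.

```python
import struct

ETH_P_ARP = 0x0806
BROADCAST_MAC = b"\xff" * 6
ZERO_MAC = b"\x00" * 6


def mac_bytes(mac):
    return bytes(int(part, 16) for part in mac.split(":"))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_bytes(ip):
    return bytes(int(part) for part in ip.split("."))


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_gratuitous_arp(sender_mac, sender_ip):
    """Constructed sample of the announcement the new master sends: an ARP request,
    broadcast on Ethernet, whose sender and target IP are both its own address."""
    ethernet = BROADCAST_MAC + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)      # Ethernet, IPv4, 6, 4, request
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)    # sender hardware/protocol address
    arp += ZERO_MAC + ip_bytes(sender_ip)                 # target hardware/protocol address
    return ethernet + arp


def parse_arp(frame):
    """Decode an Ethernet/ARP frame; None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = frame[22:42]
    return {
        "eth_dst": mac_str(frame[0:6]),
        "eth_src": mac_str(frame[6:12]),
        "oper": oper,                       # 1 = request, 2 = reply
        "sender_mac": mac_str(body[0:6]),
        "sender_ip": ip_str(body[6:10]),
        "target_mac": mac_str(body[10:16]),
        "target_ip": ip_str(body[16:20]),
    }


def is_gratuitous(arp):
    """Gratuitous ARP: the sender asks about (or announces) its own IP address."""
    return arp is not None and arp["sender_ip"] == arp["target_ip"]


class FailoverWatch:
    """Remember which MAC last announced each IP and report owner changes, which is
    what a mirror-port capture shows when the slave takes over the master's address."""

    def __init__(self):
        self.owner = {}

    def observe(self, frame):
        arp = parse_arp(frame)
        if not is_gratuitous(arp):
            return None
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        previous = self.owner.get(ip)
        self.owner[ip] = mac
        if previous is None:
            return f"{ip} announced by {mac}"
        if previous != mac:
            return f"{ip} moved from {previous} to {mac} (failover?)"
        return f"{ip} re-announced by {mac}"


if __name__ == "__main__":
    watch = FailoverWatch()
    # Constructed sample: the master announces, then the slave takes over the same IP.
    for frame in (build_gratuitous_arp("02:00:00:00:00:01", "192.168.1.254"),
                  build_gratuitous_arp("02:00:00:00:00:02", "192.168.1.254")):
        print(watch.observe(frame))
```

In practice the frames would come from a capture on the mirror port (for example the raw bytes of each packet from a pcap reader); the "moved from ... to ..." line is what you expect to see exactly once at failover, and the delay between it and the clients reaching the new master is the ARP cache refresh mentioned above.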
The following figure illustrates a typical network environment with a redundant master/
slave configuration for High Availability.
Figure 3-9: Sample network setup for High Availability.
High Availability is not available for the gateprotect Firewall GP-U 50/100/200 product
models.
For more detailed information on High Availability, see the following sections.
High Availability Settings
Use the "High Availability" settings to specify the connection parameters for the master/slave configuration.
The High Availability feature requires two identical systems of the same hardware type
(for example GP-U-300 with GP-U-300 or GP-S-1600 with GP-S-1600) and software
version. Furthermore, a free network interface (NIC) is required on both systems, in
other words, a network interface that is not currently used by any other interface (like
VLAN or bridge) or any network connection. For more information, see Chapter 3.4.2.1,
"Interfaces", on page 53 and "Network Connections" on page 60. The
same NIC must be used on both systems for Cluster Interconnection.
The master system synchronizes its initial configuration and any subsequent configuration changes to the slave system to ensure that the same configuration is used in the
event of failure.
High Availability can only be activated when no background processes, such as
updates or backups, are running.
Navigate to "Firewall > High Availability" to open an editor panel to set up High Availability.
The "High Availability" panel allows you to configure the following elements:
Field – Description
"ON"/"OFF" – A slider switch indicates whether High Availability is active ("ON") or
inactive ("OFF"). By clicking the slider switch, you can toggle the state of High
Availability. High Availability is deactivated by default.
"Status" – Displays the High Availability status of the gateprotect Firewall. The status
can be one of the following:
●
Disabled – High Availability is not enabled on the firewall.
●
No connection – High Availability is enabled on the firewall but the other firewall is
not reachable.
●
Not synced – High Availability is enabled on the firewall, the other firewall is
reachable but the configuration from the master system has not been synchronized to the
standby (slave) system yet.
●
Synchronized and ready – High Availability is enabled on the firewall, the other
firewall is reachable and synchronized.
"Current Role" – Displays whether the gateprotect Firewall is configured as a master or
a slave machine.
"Initial Role" – Select the respective radio button to specify the role which the
gateprotect Firewall is to play in the HA cluster:
●
"Master" – The gateprotect Firewall is active and synchronizes its configuration to the
gateprotect Firewall being the slave.
●
"Slave" – The gateprotect Firewall is not active (i.e. not reachable via the web client)
but the master machine synchronizes its configuration to it.
"HA Interface" – From the drop-down list, select the interface to be used for the HA
cluster communication. This interface cannot be used for any other firewall services.
Note: The same interface (NIC) must be used on both gateprotect Firewall systems for
Cluster Interconnection.
"Local IP" – Enter the IP address in CIDR notation (IP address followed by a slash »/«
and the number of bits set in the subnet mask, for example 192.168.50.1/24) which you
want to assign to the HA interface on the gateprotect Firewall.
"Remote IP" – Enter the IP address under which the gateprotect Firewall can reach the
other gateprotect Firewall of the HA cluster.
"Local IP" and "Remote IP" must be in the same subnet. HA cluster communication
over routed networks is not supported.
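The constraints on the HA panel values are easy to check before clicking "Save". The Python function below is an added example, not the product's own code: it validates "Local IP" (CIDR notation), "Remote IP" (same subnet, distinct from the local address) and "HA Interface" (a NIC not already used by another interface or connection) the way the text above describes them. The inventory of interfaces already in use is a hypothetical input; the function also accepts IPv6 addresses, which the text does not mention.

```python
import ipaddress


def parse_local_ip(local_ip):
    """The "Local IP" must be in CIDR notation: address plus prefix length, e.g. 192.168.50.1/24."""
    if "/" not in local_ip:
        raise ValueError(f"{local_ip!r} is not in CIDR notation (address/prefix expected)")
    return ipaddress.ip_interface(local_ip)   # raises ValueError on malformed input


def validate_ha_settings(local_ip, remote_ip, ha_interface, interfaces_in_use):
    """Check the HA panel values against the constraints the manual states.

    interfaces_in_use: hypothetical inventory of NIC names already used by a
    connection, VLAN or bridge. Returns a list of problems; empty means acceptable.
    """
    problems = []
    try:
        local = parse_local_ip(local_ip)
    except ValueError as exc:
        return [f"Local IP: {exc}"]
    try:
        remote = ipaddress.ip_address(remote_ip)
    except ValueError:
        return [f"Remote IP: {remote_ip!r} is not a valid IP address"]

    if remote.version != local.version:
        problems.append("Local IP and Remote IP must use the same IP version")
    elif remote not in local.network:
        problems.append(f"Remote IP {remote} is not in the HA subnet {local.network} "
                        "(HA over routed networks is not supported)")
    if remote == local.ip:
        problems.append("Remote IP must differ from Local IP")
    if local.network.num_addresses < 2:
        problems.append(f"prefix /{local.network.prefixlen} leaves no address for the peer")
    if ha_interface in interfaces_in_use:
        problems.append(f"HA interface {ha_interface} is already used by another "
                        "interface or connection")
    return problems


if __name__ == "__main__":
    # Constructed sample values; eth3 is assumed to be the spare NIC on both systems.
    print(validate_ha_settings("192.168.50.1/24", "192.168.50.2", "eth3", {"eth0", "eth1"}))
    print(validate_ha_settings("192.168.50.1/24", "192.168.51.2", "eth3", {"eth0", "eth1"}))
```

Run the same check on the slave with the two addresses swapped; both systems must name the same NIC as the HA interface.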
If you modify the settings, click "Save" to store your changes or "Reset" to discard
them. Otherwise, click "Close" to shut the editor panel.
Click " Activate" in the toolbar at the top of the desktop to apply your configuration
changes.
Before you connect the slave system to the master with the Cluster Interconnect cable
and configure High Availability on the slave, the configuration of the master system has
to be complete and activated.
Connect the slave system with the same »WAN« and »LAN« network components as
the master system (see Figure 3-9).
Only the master system can be reached and configured via the web client.
If you want to change the High Availability configuration (for example to change the HA
interface), first disable High Availability, then change the configuration. Then turn High
Availability back on with the new configuration.
To remove the slave system from the High Availability configuration and operate it as a
standalone system, reinstall your gateprotect Firewall. For further information, see
"Disabling High Availability Configurations" on page 48.
Updating High Availability Configurations
When High Availability is enabled, the following considerations apply regarding the
updating of the High Availability configurations:
●
In a High Availability configuration, system updates must be installed in two phases
(see also Chapter 3.4.1.2, "Updates Settings", on page 23). First, the master system is updated and rebooted. If the update was successful, the former slave takes
over the master role. Then, the new master is updated and rebooted. After restarting, the new slave (former master) takes over the master role again. Do not make
changes to the system at any point in this process.
●
Important: Always update both systems (master and slave). Otherwise, High
Availability does not work correctly.
●
As long as the slave has an older version running, no synchronization is performed
as the old system may not understand newer configuration files. It is not advisable
to keep this state for too long.
Disabling High Availability Configurations
To disable High Availability, perform the following steps:
1. Switch off the standby (slave) machine.
2. Disconnect the Cluster Interconnect cable between the master and slave systems.
3. Reinstall the standby (slave) system via USB flash drive.
4. On the master system:
a) Log on to the web client.
b) Under "Firewall > High Availability":
● Use the slider switch to disable High Availability.
● Click "Save" to store your settings.
● Click " Activate" in the toolbar at the top of the desktop to apply your configuration changes.
Note: If you disconnect the Cluster Interconnect cable without switching off the
standby (slave) machine, the slave takes over and the old master runs as master
as well. Both machines deliver the same services on the network which has unintended effects. So, it is advisable not to disconnect the Cluster Interconnect cable
while both master and slave system are still on.
3.4.1.9 Backup
Your gateprotect Firewall stores settings in configuration files which are automatically
created whenever settings are changed in the web client. The options under "Backup"
allow you to schedule regular backups of the current system configuration, to back up
the system configuration manually and to restore previous configurations.
Backups can be created once a license has been imported (that is to say, not during
the test period of 30 days).
For more detailed information on backups, see the following sections.
Automatic Backup Settings
The "Auto Backup" settings allow you to set up a connection to a remote backup server
on which you want to store automatically created backups. Furthermore, this panel lets
you schedule how often the firewall configuration is backed up automatically. There are
no restrictions on the amount or interval of backup creation.
Before you proceed, make sure that you set the time zone for your gateprotect Firewall
as described under Chapter 3.4.1.7, "Time Settings", on page 43. Otherwise, the backups are created according to Europe - Berlin (CET/UTC +1) instead of the time specified by you in the automatic backup settings.
Navigate to "Firewall > Backup > Auto Backup" to open an editor panel to display and
edit the settings for automatic backups.
The "Auto Backup" panel allows you to configure the following elements:
Field – Description
"Server Address" – Enter the IP address of the remote backup server on which you want
to store automatically created backups.
"Username" – Enter the name of the user on the remote backup server.
"Password" – Enter the user's password for the remote backup server if necessary.
"Show Password" – Optional: Select this checkbox to verify the user's password.
"Server Type" – Select the respective radio button to specify which network protocol is
used to upload the backups to the server. The option is set to "FTP" by default, but you
can adjust the settings to "SCP" as necessary.
"Filename" – Enter a name for automatically created backup files.
"Encryption Password" – Enter a password for the encryption of the backup files. The
password can consist of up to 32 characters (allowed are letters of the English
alphabet, integers and the special characters \-][/.,~!@#$%^*()_+:?><}{).
"Show Encryption Password" – Optional: Select this checkbox to verify the encryption
password.
"Options" – Select the respective radio button to specify what is added to the filenames
to distinguish the backups from each other. The option is set to "Append current date to
filename" by default, but you can adjust the settings to the other value as necessary:
●
"Append current date to filename" – The date and the timestamp of the creation of a
backup is added to the filename (e.g. Backup_20171130-1527.gp). As these filenames
never repeat, old backup files are never overwritten.
●
"Max. file count" – A number (backup number) is added to the filename. Specify the
maximum number of backup files to be stored by entering an integer in the input field
below this option. The option is set to 20 by default. Once the defined number is
reached, counting starts anew and the oldest backup file is automatically overwritten.
"Schedule" – Specify how often the firewall configuration is backed up automatically.
Under "Start", click the input field to set the date and time of the first backup to be
created automatically. A pop-up window with a calendar and input fields for setting the
date and time opens. You can enter a date in the MM/DD/YYYY format or use the date
picker to set a date. You can also set a time by entering the time in the hh:mm:ss format.
Under "Interval" and "Unit", define how often the configuration is backed up
automatically. Set the interval by entering a number or using the up and down arrows.
The option is set to 1 by default. Then, select one of the unit options from the
drop-down list. The option is set to days by default, but you can adjust the settings to
one of the other values as necessary:
●
once
●
hours
●
days
●
months
Click "Add" to add the schedule to the list.
You can edit or delete each single entry in the list by clicking the appropriate button
next to an entry. For further information, see Chapter 3.2, "Icons and Buttons", on
page 17.
Note: If you edit a schedule, a check mark appears on the right of the entry. Click the
check mark to be able to save the settings for automatic backups.
To check the connection to the configured backup server, click the "Test Server Settings" button at the bottom left of the editor panel. The system tries to save a test file
(the configured file name with the suffix _test) on the backup server. If this test is
successful, a text file is saved on the server and a pop-up window with a success
message appears. You can delete this text file after the test.
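When scripting around the backup server (for example a retention job that prunes old files), the password character set and the two naming options above are the details most often got wrong. The Python code below is an added example and not the firewall's own implementation: it validates an encryption password against the listed character set and the 32-character limit, generates the date-stamped name in the form of the example given (Backup_20171130-1527.gp), and models the wrap-around numbering of "Max. file count". The exact form of the numbered name (base_N.gp) is an assumption, as the manual only says a number is appended; the sample timestamp is constructed.

```python
import string
from datetime import datetime

# Character classes the "Encryption Password" field accepts, as listed in the manual
ALLOWED_SPECIALS = r"\-][/.,~!@#$%^*()_+:?><}{"
ALLOWED_CHARS = set(string.ascii_letters + string.digits + ALLOWED_SPECIALS)
MAX_PASSWORD_LEN = 32

# Constructed sample timestamp matching the manual's example file name
SAMPLE_TIME = datetime(2017, 11, 30, 15, 27)


def check_encryption_password(password):
    """Reasons the password would be rejected; an empty list means it is acceptable."""
    problems = []
    if not password:
        problems.append("password is empty")
    if len(password) > MAX_PASSWORD_LEN:
        problems.append(f"longer than {MAX_PASSWORD_LEN} characters")
    bad = sorted({c for c in password if c not in ALLOWED_CHARS})
    if bad:
        problems.append("disallowed characters: " + "".join(bad))
    return problems


def backup_name_with_date(base, when):
    """Option 'Append current date to filename': base_YYYYMMDD-HHMM.gp,
    e.g. Backup_20171130-1527.gp; such names never repeat, so nothing is overwritten."""
    return f"{base}_{when.strftime('%Y%m%d-%H%M')}.gp"


def next_backup_number(last_number, max_count):
    """Option 'Max. file count': numbers run 1..max_count and then wrap around,
    so the oldest file is overwritten once the limit is reached."""
    if max_count < 1:
        raise ValueError("max_count must be at least 1")
    if last_number is None:
        return 1
    return last_number % max_count + 1


def backup_name_with_number(base, number):
    """Assumed form of the numbered name; the manual only says a number is appended."""
    return f"{base}_{number}.gp"


def rotation_sequence(max_count, runs):
    """Backup numbers produced by `runs` consecutive scheduled backups."""
    numbers, last = [], None
    for _ in range(runs):
        last = next_backup_number(last, max_count)
        numbers.append(last)
    return numbers


if __name__ == "__main__":
    print(check_encryption_password("Abc123!@#"))            # []
    print(backup_name_with_date("Backup", SAMPLE_TIME))      # Backup_20171130-1527.gp
    print(rotation_sequence(3, 5))                           # [1, 2, 3, 1, 2]
```

Two practical consequences follow from the model: with date-stamped names nothing is ever deleted, so the backup server needs its own retention; and because FTP (the default "Server Type") transmits the login and the upload in clear text whereas SCP runs over SSH, the encryption password is what protects the configuration in transit, so it should use the length and character variety the field allows rather than a short word.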
If you modify the settings, click "Save" to store your changes or "Reset" to discard
them. Otherwise, click "Close" to shut the editor panel.
Click " Activate" in the toolbar at the top of the desktop to apply your configuration
changes.
Backup Export
The "Export" settings allow you to create and export a manual backup of the current
firewall configuration. Use this function, for example, to reload a configuration after a
system update.
Navigate to "Firewall > Backup > Export" to open an editor panel to create and transfer
a manual backup in GP file format to your computer so you can restore the configuration contained in it later if necessary.
The "Export" panel allows you to configure the following elements:
Field – Description
"Encryption Password" – Enter a password for the encryption of the backup file and
confirm it. The password can consist of up to 32 characters (allowed are letters of the
English alphabet, integers and the special characters \-][/.,~!@#$%^*()_+:?><}{).
"Show Password" – Optional: Select this checkbox to verify the password.
"Use auto backup password" – Optional: Select this checkbox if you want to use the
encryption password set for the creation of automatic backup files (see "Automatic
Backup Settings" on page 49) instead of entering a new one.
If you want to export the backup file, click "Export". Otherwise, click "Cancel" to shut
the editor panel.
Backup Import
The gateprotect Firewall allows you to upload a previously downloaded backup file to
restore the system configuration (e.g. after a new installation).
Navigate to "Firewall > Backup > Import" to load and activate a firewall configuration
from an earlier created backup file.
To upload an automatically created backup file stored on the backup server, you first
have to transfer the backup file from the backup server to your local disk.
The "Import" panel allows you to configure the following elements:
Field – Description
"Backup File" – Click "Select" to open the local disk search. Select a backup file in GP
format to transfer from your local disk. Click "Open" to close the local disk search.
The name of the backup file appears in the field.
"Password" – Enter the encryption password which you chose for the export of the file.
"Show Password" – Optional: Select this checkbox to verify the password.
If you want to import the backup file, click "Import". Otherwise, click "Cancel" to shut
the editor panel.
If the upload is successful, a success message appears. Confirm that you want to
reboot the system by clicking "Reboot". The system restarts, logs you out and opens
the gateprotect Firewall logon page. Enter your logon credentials and click "Login". The
web client appears.
3.4.2 Network
The " Network" settings allow you to organize your network by configuring interfaces,
connections, WLAN, routing policies and DHCP settings.
3.4.2.1 Interfaces
Navigate to "Network > Interfaces" to configure Ethernet, VLAN, Bridge, PPP and
WLAN interfaces. The item list bar displays an overview of all interfaces which are currently defined on the system.
Ethernet Interfaces
The physical "Ethernet Interfaces" receive the following default IP addresses:
192.168.X.254/24 (X being the number of the interface, i.e. the IP address of eth0
is 192.168.0.254).
For more detailed information on Ethernet interfaces, see the following sections.
Ethernet Interfaces Overview
Navigate to "Network > Interfaces > Ethernet Interfaces" to display the list of Ethernet
interfaces that are currently defined on the system in the item list bar.
In the expanded view, the first column of the table displays the "Name" of the Ethernet
interface. The "Status" column shows one of the following status indicators:
●
Green – The Ethernet interface is up.
●
Gray – The Ethernet interface is disabled.
Furthermore, the "Speed" of the Ethernet interface is displayed. The button in the last
column allows you to view and adjust the settings for an existing Ethernet interface.
For further information, see Chapter 3.2, "Icons and Buttons", on page 17.
Ethernet Interfaces Settings
Under "Network > Interfaces > Ethernet Interfaces", you can display more detailed
information on the available Ethernet interfaces and adjust the settings.
The "Ethernet Interface" panel displays the following information and allows you to
configure the following elements:
Field – Description
"Name" – Displays the name of the Ethernet interface, e.g. eth0.
"Description" – Displays a short description of the Ethernet interface.
"Hardware Address" – Displays the hardware address (Ethernet MAC address) of the
Ethernet interface.
"Used by" – Displays the connection that is currently using the Ethernet interface.
"Status" – Displays the status of the Ethernet interface. The status can be one of the
following:
●
up – The Ethernet interface is enabled.
●
disabled – The Ethernet interface is disabled.
"Speed" – Displays the speed (e.g. in Gbit/s) of the Ethernet interface.
"Duplex" – Displays the duplex mode of the interface, e.g. full.
"Type" – Displays the type of wiring connected to the interface, e.g. twisted pair.
"ON"/"OFF" – A slider switch indicates whether the Ethernet interface link is active
("ON") or inactive ("OFF"). By clicking the slider switch, you can toggle the state of
the Ethernet interface link.
"MTU" – Set the maximum size of each packet (in bytes). The Maximum Transmission Unit
can be any integer from 64 to 16384.
If you modify the settings, click "Save" to store your changes or "Reset" to discard
them. Otherwise, click "Close" to shut the editor panel.
Click " Activate" in the toolbar at the top of the desktop to apply your configuration
changes.
VLAN Interfaces
Use the "VLAN Interfaces" settings to add custom Virtual Local Area Network tags to
all traffic on a given interface.
This method can be used to create »virtual interfaces« that allow you to put several
logical network zones on one physical interface. When a VLAN tag is associated with a
network interface, the tag is added to all outgoing packets that are sent via this virtual
interface and stripped from the incoming packets that are received on this VLAN. Several VLANs may be associated with each network interface. Packets with different tags
can be processed and associated to the corresponding interface.
For more detailed information on VLAN interfaces, see the following sections.
VLAN Interfaces Overview
Navigate to "Network > Interfaces > VLAN Interfaces" to display the list of VLAN interfaces that are currently defined on the system in the item list bar.
In the expanded view, the first column of the table displays the "Name" of the VLAN
interface. The "Status" column shows one of the following status indicators:
●
Green – The VLAN interface is enabled.
●
Orange – The VLAN interface is disabled.
Furthermore, the "Master Interface" that the virtual local area network is associated to
and the "VLAN Tag" are displayed. The buttons in the last column allow you to view
and adjust the settings for an existing virtual local area network, create a new VLAN
interface based on a copy of an existing virtual local area network or delete a VLAN
interface from the system.
For further information, see Chapter 3.2, "Icons and Buttons", on page 17.
VLAN Interfaces Settings
Use the "VLAN Interfaces" settings to configure custom Virtual Local Area Network
tags to be added to all traffic on a given interface.
Under "Network > Interfaces > VLAN Interfaces", you can add a new or edit an existing
virtual local area network.
The "VLAN Interface" panel displays the following information and allows you to configure the following elements:
Field – Description
"ON"/"OFF" – A slider switch indicates whether the VLAN interface is active ("ON") or
inactive ("OFF"). By clicking the slider switch, you can toggle the state of the VLAN
interface. A new VLAN interface is enabled by default.
"Name" – Displays the name of the VLAN interface. The name is generated automatically
and contains the "VLAN Tag" and the underlying "Master Interface".
"Used by" – Displays the network components (e.g. connections, other interfaces etc.)
that use the VLAN interface.
"Master Interface" – For newly added VLAN interfaces only: From the drop-down list,
select the Ethernet or Bridge interface that the virtual local area network is
associated to.
For edited VLAN interfaces only: Displays the Ethernet or Bridge interface that the
virtual local area network is associated to.
"VLAN Tag" – Enter the VLAN tag. The tag can be any integer from 1 to 4094.
"MTU" – Set the maximum size of each packet (in bytes). The Maximum Transmission Unit
is limited to the MTU value of the underlying master interface.
Note: Due to a kernel restriction, the maximum MTU value is limited by the Maximum
Transmission Unit value of the underlying interface.
The buttons at the bottom right of the editor panel depend on whether you add a new
VLAN interface or edit an existing virtual local area network. For a newly configured
VLAN interface, click "Create" to add the VLAN to the list of available virtual local area
network interfaces or "Cancel" to discard your changes. To edit an existing VLAN interface, click "Save" to store the reconfigured VLAN or "Reset" to discard your changes.
You can click "Close" to shut the editor panel as long as no changes have been made
on it.
Click " Activate" in the toolbar at the top of the desktop to apply your configuration
changes.
Bridge Interfaces
Use the "Bridge Interfaces" settings to connect two interfaces and their networks on
Layer 2, forming a common broadcast domain.
For more detailed information on bridge interfaces, see the following sections.
Bridge Interfaces Overview
Navigate to "Network > Interfaces > Bridge Interfaces" to display the list of bridge interfaces that are currently defined on the system in the item list bar.
In the expanded view, the first column of the table displays the "Name" of the bridge
interface. The "Status" column shows one of the following status indicators:
● Green – The bridge interface is enabled.
● Orange – The bridge interface is disabled.
Furthermore, the "Ports" that are assigned to the bridge interface are displayed. The
buttons in the last column allow you to view and adjust the settings for an existing
bridge interface, create a new bridge interface based on a copy of an existing bridge
interface or delete a bridge interface from the system.
For further information, see Chapter 3.2, "Icons and Buttons", on page 17.
Bridge Interfaces Settings
Use the "Bridge Interfaces" settings to configure custom bridge interfaces.
Under "Network > Interfaces > Bridge Interfaces", you can add a new or edit an existing bridge interface.
The "Bridge Interface" panel displays the following information and allows you to configure the following elements:
Field: Description
"ON"/"OFF": A slider switch indicates whether the bridge interface is active ("ON") or inactive ("OFF"). By clicking the slider switch, you can toggle the state of the bridge interface. A new bridge interface is enabled by default.
"Name": Displays the name of the bridge interface. The name is generated automatically. Bridges are numbered in the order they are created, starting with br0.
"Hardware Address": Displays the hardware address (MAC address) of the bridge interface.
Field: Description
"Used by": Displays the network components (e.g. connections, other interfaces, etc.) that use the bridge interface.
"Ports": Add the ports that the interface will bridge by clicking the input field. You can select any number of VLAN interfaces or other bridge interfaces. To delete an element from the input field, click to the left of the entry. The selected ports are displayed in a table at the bottom of the panel.
Note: Bridges cannot be created using interfaces which are already used in another bridge.
"MTU": Set the maximum size of each packet (in bytes). The Maximum Transmission Unit can be any integer from 64 to 16384.
"Spanning Tree Protocol": Optional: Select this checkbox to enable the Spanning Tree Protocol. It is disabled by default.
"Priority": Only available if "Spanning Tree Protocol" is enabled: Set the bridge priority. Enter a multiple of 4096 in the range of 4096 to 61440.
"Hello Interval": Only available if "Spanning Tree Protocol" is enabled: Set the hello interval (in seconds). Enter any integer from 1 to 10.
"Ports": This table displays the ports selected in the bridge interface. If "Spanning Tree Protocol" is enabled, the buttons on the right of each entry allow you to configure the "Priority" and the "Cost" for the respective port, and to remove the port from the bridge interface.
The buttons at the bottom right of the editor panel depend on whether you add a new
bridge interface or edit an existing bridge. For a newly configured bridge interface, click
"Create" to add the bridge to the list of available bridge interfaces or "Cancel" to discard your changes. To edit an existing bridge interface, click "Save" to store the reconfigured bridge or "Reset" to discard your changes. You can click "Close" to shut the
editor panel as long as no changes have been made on it.
Click " Activate" in the toolbar at the top of the desktop to apply your configuration
changes.
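The VLAN and bridge fields described above carry constraints that the web client enforces when you save: the VLAN tag range, the VLAN MTU capped by the master interface, the bridge MTU range, the rule that a port may belong to only one bridge, and the STP priority and hello interval ranges. The following Python checker is an added example, not part of the gateprotect product or of this manual; it encodes those rules so that an exported interface configuration can be checked before it is applied. The data classes, the interface names (eth0, vlan10, br0) and the sample values are assumptions made for the example.

```python
"""Offline validator for VLAN and bridge interface settings.

Added example (not gateprotect code). Encodes the constraints stated in the
manual: VLAN tag 1..4094, VLAN MTU capped by the master interface MTU, bridge
MTU 64..16384, a port may belong to only one bridge, STP priority a multiple
of 4096 in 4096..61440, hello interval 1..10 s. Data classes and the sample
names (eth0, vlan10, br0) are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Interface:
    name: str
    mtu: int


@dataclass
class Vlan:
    name: str
    master: str   # Ethernet or bridge interface the VLAN rides on
    tag: int
    mtu: int


@dataclass
class Bridge:
    name: str
    ports: List[str]
    mtu: int = 1500
    stp: bool = False
    priority: int = 32768
    hello_interval: int = 2


def validate_vlan(v: Vlan, masters: Dict[str, Interface]) -> List[str]:
    """Return the violations for one VLAN interface (empty list if valid)."""
    errors = []
    if not 1 <= v.tag <= 4094:
        errors.append(f"{v.name}: VLAN tag {v.tag} is outside 1..4094")
    master = masters.get(v.master)
    if master is None:
        errors.append(f"{v.name}: unknown master interface {v.master}")
    elif v.mtu > master.mtu:
        # The kernel will not let a VLAN exceed the MTU of its underlying interface.
        errors.append(f"{v.name}: MTU {v.mtu} exceeds master {master.name} MTU {master.mtu}")
    return errors


def validate_bridges(bridges: List[Bridge]) -> List[str]:
    """Return violations across all bridges, including ports reused between bridges."""
    errors = []
    owner: Dict[str, str] = {}   # port name -> bridge that already claims it
    for b in bridges:
        if not 64 <= b.mtu <= 16384:
            errors.append(f"{b.name}: MTU {b.mtu} is outside 64..16384")
        for port in b.ports:
            if port in owner:
                errors.append(f"{b.name}: port {port} is already used in bridge {owner[port]}")
            else:
                owner[port] = b.name
        if b.stp:
            if b.priority % 4096 != 0 or not 4096 <= b.priority <= 61440:
                errors.append(f"{b.name}: STP priority {b.priority} must be a multiple of 4096 in 4096..61440")
            if not 1 <= b.hello_interval <= 10:
                errors.append(f"{b.name}: STP hello interval {b.hello_interval} s is outside 1..10")
    return errors


def validate_all(masters: Dict[str, Interface], vlans: List[Vlan], bridges: List[Bridge]) -> List[str]:
    errors = []
    for v in vlans:
        errors.extend(validate_vlan(v, masters))
    errors.extend(validate_bridges(bridges))
    return errors


def demo() -> List[str]:
    """Constructed sample configuration with deliberate mistakes."""
    masters = {i.name: i for i in (Interface("eth0", 1500), Interface("eth1", 9000))}
    vlans = [
        Vlan("vlan10", "eth0", 10, 1500),       # fine
        Vlan("vlan20", "eth0", 20, 9000),       # MTU larger than eth0 allows
        Vlan("vlan4095", "eth1", 4095, 9000),   # tag out of range
    ]
    bridges = [
        Bridge("br0", ["vlan10", "eth1"], stp=True, priority=32768, hello_interval=2),
        Bridge("br1", ["vlan10"], stp=True, priority=4000, hello_interval=0),  # reuses vlan10
    ]
    return validate_all(masters, vlans, bridges)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The sample produces five findings: the oversized VLAN MTU, the out-of-range tag, the port that br1 tries to take from br0, and the two invalid STP values on br1.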
PPP Interfaces
Use the "PPP Interfaces" settings to create interfaces using the Point-to-Point Protocol.
For more detailed information on PPP interfaces, see the following sections.
PPP Interfaces Overview
Navigate to "Network > Interfaces > PPP Interfaces" to display the list of PPP interfaces that are currently defined on the system in the item list bar.
In the expanded view, the first column of the table displays the "Name" of the PPP
interface. The "Status" column shows one of the following status indicators:
● Green – The PPP interface is enabled.
● Orange – The PPP interface is disabled.
Furthermore, the "Master Interface" that the PPP interface is associated to is displayed. The buttons in the last column allow you to view and adjust the settings for an
existing PPP interface, create a new PPP interface based on a copy of an existing PPP
interface or delete a PPP interface from the system.
For further information, see Chapter 3.2, "Icons and Buttons", on page 17.
PPP Interfaces Settings
Use the "PPP Interfaces" settings to configure custom PPP interfaces.
Under "Network > Interfaces > PPP Interfaces", you can add a new or edit an existing
PPP interface.
The "PPP Interfaces" panel allows you to configure the following elements:
Field: Description
"ON"/"OFF": A slider switch indicates whether the PPP interface is active ("ON") or inactive ("OFF"). By clicking the slider switch, you can toggle the state of the PPP interface. A new PPP interface is enabled by default.
"Master Interface": From the drop-down list, select the Ethernet, VLAN or bridge interface that the PPP interface is associated to.
"LCP Echo Interval": Specify at which interval (in seconds) the gateprotect Firewall sends an echo request to the peer by entering an integer value from 1 to 1800.
"LCP Echo Failure": Specify the number of LCP echo failures after which the peer is considered dead by entering an integer value from 0 to 64. If you enter 0, failures are ignored.
"MTU": Set the maximum size of each packet (in bytes). The Maximum Transmission Unit can be any integer from 64 to 16384.
"MRU": Specify the Maximum Receive Unit by entering an integer value from 128 to 16384.
The buttons at the bottom right of the editor panel depend on whether you add a new
PPP interface or edit an existing interface. For a newly configured PPP interface, click
"Create" to add it to the list of available PPP interfaces or "Cancel" to discard your
changes. To edit an existing PPP interface, click "Save" to store the reconfigured interface or "Reset" to discard your changes. You can click "Close" to shut the editor panel
as long as no changes have been made on it.
Click " Activate" in the toolbar at the top of the desktop to apply your configuration
changes.
WLAN Interfaces
All gateprotect Firewall models can be enhanced with a wireless USB flash drive to create a wireless access point in your network (see also Chapter 3.4.2.3, "WLAN Settings", on page 67).
Use the "WLAN Interfaces" settings to configure interfaces that can be used in WLAN
connections.
For more detailed information on WLAN interfaces, see the following sections.
WLAN Interfaces Overview
Navigate to "Network > Interfaces > WLAN Interfaces" to display the list of WLAN interfaces that are currently defined on the system in the item list bar.
In the expanded view, the first column of the table displays the "Name" of the WLAN
interface. The "Status" column shows one of the following status indicators:
● Green – The WLAN interface is enabled.
● Orange – The WLAN interface is disabled.
The button in the last column allows you to view and adjust the settings for an existing
WLAN interface.
For further information, see Chapter 3.2, "Icons and Buttons", on page 17.
WLAN Interfaces Settings
Use the "WLAN Interfaces" settings to configure an interface that can be used in a
WLAN connection.
Under "Network > Interfaces > WLAN Interfaces", you can view and edit an existing
WLAN interface.
The "WLAN Interface" panel displays the following information and allows you to configure the following elements:
Field: Description
"ON"/"OFF": A slider switch indicates whether the WLAN interface is active ("ON") or inactive ("OFF"). By clicking the slider switch, you can toggle the state of the WLAN interface.
"Name": Displays the name of the WLAN interface: wlan0. The name is automatically generated.
"Device Status": Displays the status of the device. The status can be one of the following:
● Plugged – a wireless USB flash drive is connected to the gateprotect Firewall
● Unplugged – a previously connected wireless USB flash drive has been disconnected from the gateprotect Firewall
"Hardware Address": Displays the hardware address (Ethernet MAC address) of the physical interface that the wireless USB flash drive is connected to.
"Used by": Displays the connection that uses the WLAN interface.
"MTU": Set the maximum size of each packet (in bytes). The Maximum Transmission Unit can be any integer from 64 to 16384.
Note: Due to a kernel restriction, the maximum MTU value is limited by the Maximum Transmission Unit value of the underlying interface.
The buttons at the bottom right of the editor panel allow you to shut ("Close") the editor
panel as long as no changes have been made and to store ("Save") or to discard
("Reset") your changes.
Click "
Activate" in the toolbar at the top of the desktop to apply your configuration
changes.
3.4.2.2 Connections
The "Connections" settings allow you to configure network and PPP connections on
the gateprotect Firewall.
Network Connections
Use the "Network Connections" settings to configure network connections. The system
offers default connections for all available Ethernet interfaces.
For more detailed information on network connections, see the following sections.
Network Connections Overview
Navigate to "Network > Connections > Network Connections" to display the list of network connections that are currently defined on the system in the item list bar.
In the expanded view, the first column of the table displays the "Name" of the network
connection. The "Status" column shows one of the following status indicators:
● Green – The network connection is enabled.
● Gray – The network connection is disabled.
● Red – The network connection is disconnected.
Furthermore, the "Interface" that the network connection is assigned to and the connection "Type" are displayed. The buttons in the last column allow you to view and
adjust the settings for an existing network connection, create a new connection based
on a copy of an existing network connection or delete a network connection from the
system.
For further information, see Chapter 3.2, "Icons and Buttons", on page 17.
Network Connections Settings
Use the "Network Connections" settings to configure custom network connections.
Under "Network > Connections > Network Connections", you can add a new or edit an
existing network connection.
The "Network Connection" panel displays the following information and allows you to
configure the following elements:
Field: Description
"ON"/"OFF": A slider switch indicates whether the network connection is active ("ON") or inactive ("OFF"). By clicking the slider switch, you can toggle the state of the connection. A new network connection is enabled by default.
"Name": Enter a name for the network connection.
Note: If you leave this field empty, a name containing the selected interface and connection type is automatically generated.
"Interface": From the drop-down list, select the interface that you want to assign to the connection. You may select an Ethernet, VLAN or bridge interface.
Field: Description
"Type": From the drop-down list, select the connection type for the connection. The option is set to Static by default, but you can adjust the settings to the other value as necessary:
● Static – This mode is used to specify a fixed IP address for the connection.
● DHCP – This mode is used to assign IP addresses dynamically.
Note: Once you click "Create" to establish the network connection, you will no longer be able to change the connection type.
Tip: The elements on the "Network" tab described below differ depending on the selected connection type.
"Used by": Displays the components that use the network connection.
"Status": Displays the status of the network connection. The status can be one of the following:
● up – The network connection is enabled.
● disabled – The network connection is disabled.
● disconnected – The network connection is disconnected.
On the "Network" tab:
FieldDescription
"IP Addresses"Assign one or more IP addresses to the network connection. Enter an IP
address in CIDR notation (IP address followed by a slash »/« and the number
of bits set in the subnet mask, for example 192.168.50.1/24). Click "Add" to
add the IP address to the list.
You can edit or delete each single entry in the list by clicking the appropriate
button next to an entry. For further information, see Chapter 3.2, "Icons and
Buttons", on page 17.
Note: If you edit an IP address, a check mark appears on the right of the entry.
Click the check mark to be able to save the settings of the IP address.
"Obtain Gateway"Only available if the selected connection "Type" is DHCP: Select this checkbox if
you want the gateprotect Firewall to obtain a gateway for the connection from
the DHCP server.
"Obtain DNS Server"Only available if the selected connection "Type" is DHCP: Select this checkbox if
you want the gateprotect Firewall to obtain a DNS server for the connection.
"Obtain Domain"Only available if the selected connection "Type" is DHCP: Select this checkbox if
you want the gateprotect Firewall to obtain a domain for the connection from
the DHCP server.
"Obtain NTP Server"Only available if the selected connection "Type" is DHCP: Select this checkbox if
you want the gateprotect Firewall to obtain an NTP server for the connection.
"Obtained via DHCP"Only available if the selected connection "Type" is DHCP:
Displays one of the following states:
●
If the connection is working, the IP address is displayed.
●
Connection not yet saved – A new connection is being created.
●
Failed – The DHCP connection could not be established.
On the "WAN" tab:
Field: Description
"Set default gateway": Only available if the selected connection "Type" is Static: Select this checkbox if you want to set a default gateway for the network connection.
Note: If you select DHCP as the connection "Type", this checkbox is always enabled and grayed out because the gateway is obtained from the DHCP server.
"Default Gateway": Only available if the selected connection "Type" is Static: Enter the default gateway for this connection.
Note: If you select DHCP as the connection "Type", this input field is grayed out and displays the gateway which is obtained from the DHCP server.
"Time Restrictions": Optional: Select this checkbox if you want to limit the time when the connection is enabled. Click "Edit" to open the "Time Restriction" editor panel which provides the following options:
● Set specific times and weekdays using the sliders.
● "Always On" – The connection is always enabled.
● "Always Off" – The connection is always disabled.
The buttons at the bottom right of the editor panel allow you to confirm your changes to the time restrictions ("OK") and to reject your changes ("Cancel"). The editor panel closes and the chosen option is displayed to the left of the "Edit" button: Restricted, Always On or Always Off.
"Multi WAN Weight": Specify how much of the internet traffic is routed through this connection by entering a value from 1 to 256. The higher the set value, the higher the percentage of the internet traffic being routed through the connection will be. Setting the same value for all connections results in equal traffic distribution across all connections.
"Desktop Object": From the drop-down list, select an Internet object that is used in firewall rules for this WAN connection. For further information, see Chapter 3.4.4.1, "Internet Objects", on page 78.
On the "Failover" tab:
Field: Description
"Heartbeats": Specify how the state of the connection is to be tested by adding tests. The default settings contain a ping test of the Google server (8.8.8.8). Click "Add" to add another test to the list. For information on configuring the reachability test, see "Heartbeat Settings" on page 63. You can edit or delete each single entry in the list by clicking the appropriate button next to an entry. For further information, see Chapter 3.2, "Icons and Buttons", on page 17.
"Use as backup connection": Optional: Select this checkbox if you want to configure the connection as a backup Internet connection.
"Backup connections": Select any backup connection you wish to assign to the connection and specify its "Priority". If the current connection fails, the gateprotect Firewall switches to the available backup connection with the highest priority. Click "Add" to add the backup connection to the list. You can edit or delete each single entry in the list by clicking the appropriate button next to an entry. For further information, see Chapter 3.2, "Icons and Buttons", on page 17.
Note: If you edit a backup connection, a check mark appears on the right of the entry. Click the check mark to be able to save the settings of the backup connection.
The buttons at the bottom right of the editor panel depend on whether you add a new
network connection or edit an existing connection. For a newly configured network connection, click "Create" to add the connection to the list of available network connections or "Cancel" to reject the creation of a new network connection. To edit an existing
network connection, click "Save" to store the reconfigured connection or "Reset" to discard your changes. You can click "Close" to shut the editor panel as long as no
changes have been made on it.
Click " Activate" in the toolbar at the top of the desktop to apply your configuration
changes.
Heartbeat Settings
Use the "Heartbeat" editor panel to set up automatic heartbeat tests to test the state of
the connection. The panel allows you to configure the following elements:
Field: Description
"Type": From the drop-down list, select the type of reachability test you want to run:
● ping – This mode sends ping signals to the target.
● tcp_probe – This mode tests the capacity of a TCP connection.
"Timeout": Specify the timeout (in seconds) for the test.
"Number of tries": Set the overall number of tries to be performed.
"Number of successful tries": Set the number of successful tries required for a successful heartbeat.
"Arguments": Specify the arguments to be used in the test, e.g. IP addresses that will be pinged.
If you have defined a backup Internet connection on the "Failover" tab and the automatic heartbeat test defines the state of the connection as disconnected, the gateprotect Firewall automatically switches to the backup connection with the highest priority available.
The buttons at the bottom of the "Heartbeat" editor panel allow you to discard your
changes to the heartbeat test ("Reset") and to run the connection test manually
("Test"). Furthermore, you can reject ("Cancel") or confirm your changes ("OK") to the
test, close the editor panel and return to the "Network Connection" editor panel. The
specified test is displayed as an entry in the list under "Heartbeats" on the "Failover"
tab.
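The "Failover" tab, the "Multi WAN Weight" field and the "Heartbeat" editor together define when a WAN connection counts as disconnected, which backup takes over, and how traffic is shared among the connections that remain. The following Python model is an added example and not gateprotect code; it reproduces those semantics so the effect of a given heartbeat and backup configuration can be reasoned about offline. It assumes that a connection is up only when all of its heartbeat tests pass, that a larger "Priority" number wins, and it replaces real ICMP and TCP probes with a constructed reachability table (the addresses 8.8.8.8 from the manual and the documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24).

```python
"""Failover and Multi WAN weight model (added example, not gateprotect code).

A heartbeat passes when at least "Number of successful tries" out of
"Number of tries" probes succeed; a connection whose heartbeats fail is
treated as disconnected and traffic moves to the backup with the highest
"Priority" that is itself up; traffic is shared among the remaining
connections in proportion to their "Multi WAN Weight". Assumptions: a larger
Priority number wins, and a connection is up only if all heartbeats pass.
Reachability is simulated with a constructed table instead of real probes.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Heartbeat:
    type: str                  # "ping" or "tcp_probe"
    arguments: str             # target, e.g. an IP address
    timeout: float = 2.0       # seconds; not used by the simulation
    tries: int = 3             # "Number of tries"
    successful_tries: int = 2  # "Number of successful tries"


@dataclass
class Connection:
    name: str
    weight: int = 1            # "Multi WAN Weight", 1..256
    heartbeats: List[Heartbeat] = field(default_factory=list)
    backups: List[Tuple[str, int]] = field(default_factory=list)  # (name, priority)


Probe = Callable[[Heartbeat], bool]


def run_heartbeat(hb: Heartbeat, probe: Probe) -> bool:
    """Run all tries and apply the success threshold."""
    successes = sum(1 for _ in range(hb.tries) if probe(hb))
    return successes >= hb.successful_tries


def connection_up(conn: Connection, probe: Probe) -> bool:
    return all(run_heartbeat(hb, probe) for hb in conn.heartbeats)


def select_backup(conn: Connection, status: Dict[str, bool]) -> Optional[str]:
    """Highest-priority backup that is itself up, or None if none is available."""
    candidates = [(prio, name) for name, prio in conn.backups if status.get(name, False)]
    return max(candidates)[1] if candidates else None


def traffic_shares(conns: List[Connection], status: Dict[str, bool]) -> Dict[str, float]:
    """Share of Internet traffic per active connection, weight / sum of weights."""
    active = [c for c in conns if status[c.name]]
    total = sum(c.weight for c in active)
    return {c.name: c.weight / total for c in active} if total else {}


def evaluate(conns: List[Connection], probe: Probe):
    status = {c.name: connection_up(c, probe) for c in conns}
    failover = {c.name: select_backup(c, status) for c in conns if not status[c.name]}
    return status, failover, traffic_shares(conns, status)


# Constructed reachability table standing in for real probes.
REACHABLE = {"8.8.8.8": True, "198.51.100.1": True, "203.0.113.1": False}


class SimulatedProbe:
    """Fixed answers from REACHABLE plus one flaky target that answers every other probe."""
    def __init__(self) -> None:
        self.counts: Dict[str, int] = {}

    def __call__(self, hb: Heartbeat) -> bool:
        n = self.counts[hb.arguments] = self.counts.get(hb.arguments, 0) + 1
        if hb.arguments == "192.0.2.1":
            return n % 2 == 1        # 1st and 3rd probe answer, 2nd times out
        return REACHABLE.get(hb.arguments, False)


def demo():
    conns = [
        Connection("wan1", weight=3, heartbeats=[Heartbeat("ping", "8.8.8.8")]),
        Connection("wan2", weight=1, heartbeats=[Heartbeat("ping", "203.0.113.1")],
                   backups=[("wan3", 10), ("wan1", 20)]),
        # 2 of 3 probes succeed, which meets the default threshold of 2
        Connection("wan3", weight=1, heartbeats=[Heartbeat("tcp_probe", "192.0.2.1")]),
    ]
    return evaluate(conns, SimulatedProbe())


if __name__ == "__main__":
    print(demo())
```

In the sample, wan2 fails its heartbeat and fails over to wan1 (priority 20 beats wan3's 10), and the traffic that remains is split 3:1 between wan1 and wan3. Raising "Number of successful tries" to 3 on wan3 would mark it disconnected as well, because the flaky target answers only two of its three probes.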
PPP Connections
Use the "PPP Connections" settings to configure existing PPP connections and to add
new ones.
For more detailed information on PPP connections, see the following sections.
PPP Connections Overview
Navigate to "Network > Connections > PPP Connections" to display the list of connections using the Point-to-Point Protocol that are currently defined on the system in the
item list bar.
In the expanded view, the columns of the table display the "Name" of the connection,
whether it is "Active" or not, its "Interface", and the "Type" of the connection. The buttons in the last column allow you to view and adjust the settings for an existing PPP
connection, create a new connection based on a copy of an existing connection or
delete a PPP connection from the system.
For further information, see Chapter 3.2, "Icons and Buttons", on page 17.
PPP Connections Settings
Under "Network > Connections > PPP Connections", you can add a new or edit an
existing network connection.
The "PPP Connections" settings contain the following elements:
Field: Description
"ON"/"OFF": A slider switch indicates whether the PPP connection is active ("ON") or inactive ("OFF"). By clicking the slider switch, you can toggle the state of the connection. A new PPP connection is enabled by default.
"Name": Specify the name of the network connection. If you leave this field empty, a name containing the selected interface and connection type is automatically generated.
"Interface": Assign an interface to the connection. You may only select a PPP interface that has not yet been used in another connection.
Field: Description
"Type": Select the connection type from the drop-down list, depending on your Internet service provider: PPPoE or PPTP. Use the PPPoE mode to connect via Point-to-Point Protocol over Ethernet. PPPoE is typically used to share a broadband connection, such as a single DSL line or cable modem. Use the PPTP mode to connect via Point-to-Point Tunneling Protocol.
Note: Once you click "Create" to establish the PPP connection, you will no longer be able to change the connection type.
Tip: The elements on the "Configuration" tab differ depending on the selected connection type.
"Used by": Displays the components that use the PPP connection.
"Status": Displays the status (up, disconnected or disabled) of the connection.
On the "Configuration" tab:
Field: Description
"Auth. Method": Select an authentication method for the connection, depending on your Internet service provider:
● None
● auto – Automatically selects the authentication method which best matches the Internet service provider.
● pap-only – password authentication
● chap-only – handshake authentication
● ms-chap2 – handshake authentication for Microsoft
"Username": Enter the username required to connect to your Internet service provider.
"Password": Enter the password required to connect to your Internet service provider.
"PPTP Server IP": If you chose PPTP as connection type, enter the IP address of the PPTP server.
"MPPE": If you chose PPTP as connection type, select the Microsoft Point-to-Point Encryption key length:
● mppe-40
● mppe-56
● mppe-128
"Local IP": Optional: Enter your local IP address only if your Internet service provider explicitly requires this.
"Remote IP": Optional: Enter the remote IP address only if your Internet service provider explicitly requires this.
"AC Hardware Address": Optional: Enter the hardware MAC address of the Access Concentrator used by your Internet service provider. Only do so if your Internet service provider explicitly requires this.
"Force disconnect": Optional: Select this checkbox if you wish to enforce a disconnect process at a specified time. Enter the time in the format HH:MM:SS. Some Internet service providers force a disconnect at specific intervals (usually every 24 hours). With this setting enabled, the gateprotect Firewall disconnects itself at a specific time, thereby preventing the auto-disconnect from the Internet service provider. This allows you to control when the disconnect happens.
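The "Auth. Method" choices differ in what the PPP link carries: "pap-only" sends the password itself in the PAP Authenticate-Request, whereas "chap-only" answers a random challenge with MD5(Identifier || Secret || Challenge), so the secret never crosses the wire and a recorded answer cannot be reused against a fresh challenge. The following Python exchange is an added example, not gateprotect code, modelling both sides of a CHAP round trip (RFC 1994) next to a PAP request (RFC 1334). Only plain CHAP is modelled; "ms-chap2" uses a different response computation and is not covered. The packet layouts are reduced to the relevant fields and the credentials are constructed for the example.

```python
"""PAP versus CHAP on a PPP link (added example, not gateprotect code).

PAP (RFC 1334) carries the password in the clear inside the
Authenticate-Request. CHAP (RFC 1994) sends only
MD5(Identifier || Secret || Challenge), so the secret itself never crosses
the link and an old response does not verify against a new challenge.
Only plain CHAP is modelled; ms-chap2 computes its response differently.
The packet fields shown and the sample credentials are assumptions.
"""
import hashlib
import secrets
from typing import Dict, Tuple


def pap_request(username: str, password: str) -> bytes:
    """PAP Authenticate-Request payload: Peer-ID and Password, both in the clear."""
    u, p = username.encode(), password.encode()
    return bytes([len(u)]) + u + bytes([len(p)]) + p


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """The provider side: issues a fresh challenge per attempt and verifies the answer."""

    def __init__(self, secrets_db: Dict[str, bytes]) -> None:
        self.secrets_db = secrets_db
        self.identifier = 0

    def challenge(self) -> Tuple[int, bytes]:
        self.identifier = (self.identifier + 1) & 0xFF     # 8-bit Identifier field
        return self.identifier, secrets.token_bytes(16)    # random Challenge value

    def verify(self, identifier: int, challenge: bytes, name: str, response: bytes) -> bool:
        secret = self.secrets_db.get(name)
        if secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return secrets.compare_digest(expected, response)  # constant-time compare


def chap_exchange(auth: ChapAuthenticator, name: str, peer_secret: bytes) -> bool:
    """One round trip: Challenge (authenticator -> peer), Response (peer -> authenticator)."""
    ident, chal = auth.challenge()
    resp = chap_response(ident, peer_secret, chal)
    return auth.verify(ident, chal, name, resp)


def replay_is_rejected(auth: ChapAuthenticator, name: str, secret: bytes) -> bool:
    """A response recorded for one challenge does not verify against the next one."""
    ident, chal = auth.challenge()
    old_response = chap_response(ident, secret, chal)
    ident2, chal2 = auth.challenge()
    return not auth.verify(ident2, chal2, name, old_response)


def demo() -> Dict[str, bool]:
    # Constructed credentials for the example.
    auth = ChapAuthenticator({"user@isp.example": b"s3cret-pass"})
    return {
        "pap_carries_password": b"s3cret-pass" in pap_request("user@isp.example", "s3cret-pass"),
        "chap_good_secret": chap_exchange(auth, "user@isp.example", b"s3cret-pass"),
        "chap_wrong_secret": chap_exchange(auth, "user@isp.example", b"wrong"),
        "chap_unknown_user": chap_exchange(auth, "nobody", b"s3cret-pass"),
        "chap_replay_rejected": replay_is_rejected(auth, "user@isp.example", b"s3cret-pass"),
    }


if __name__ == "__main__":
    print(demo())
```

Note that CHAP still requires both ends to hold the plaintext secret, so the password entered under "Password" is stored on the gateprotect Firewall in recoverable form whichever method is selected.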
On the "WAN" tab:
Field: Description
"Time Restrictions": Select this checkbox if you want to limit the time when the connection is enabled. Click "Edit" to open the "Time Restrictions" editor panel that provides the following options:
● Set specific times and weekdays using the sliders.
● "Always On" – The connection is always enabled.
● "Always Off" – The connection is always disabled.
"Multi WAN Weight": Specify how much of the internet traffic is routed through this connection by entering a value from 1 to 256. The higher the set value, the higher the percentage of the internet traffic being routed through the connection will be. Setting the same value for all connections results in equal traffic distribution across all connections.
"Desktop Object": Select an Internet object that is used in firewall rules for this connection. For further information, see Chapter 3.4.4.1, "Internet Objects", on page 78.
On the "Failover" tab:
Field: Description
"Heartbeats": Specify how reachability of the connection is to be tested by adding ping tests. The default settings contain a ping test of the Google server (8.8.8.8). Click "Add" to add another test to the list. For information on configuring the reachability test, see "Heartbeat Settings" on page 66. You can edit or delete each single entry in the list by clicking the appropriate button next to an entry. For further information, see Chapter 3.2, "Icons and Buttons", on page 17.
"Use as backup connection": Select this checkbox if you want to configure the connection as backup Internet connection.
"Backup connections": Select any backup connection you wish to assign to the connection and specify their "Priority". If the current connection fails, the gateprotect Firewall switches to the available backup connection with the highest priority. Click "Add" to add the backup connection to the list. You can edit or delete each single entry in the list by clicking the appropriate button next to an entry. For further information, see Chapter 3.2, "Icons and Buttons", on page 17.
Heartbeat Settings
The "Heartbeats" allow you to configure automatic heartbeat tests to test the connection. The editor panel contains the following elements:
Field: Description
"Type": Select the type of reachability test you want to run:
● ping – Sends ping signals to the target.
● tcp_probe – Tests the capacity of a TCP connection.
"Timeout": Specify the timeout (in seconds) for the test.
"Number of tries": Set the overall number of tries to be performed.
"Number of successful tries": Set the number of successful tries required for a successful heartbeat.
"Arguments": Specify the arguments to be used in the test, e.g. IP addresses that will be pinged.
Click "Test" to run the connection test manually. Click "OK" to save the settings and return to the "Network Connection" settings panel.
The buttons at the bottom right of the editor panel depend on whether you add a new PPP connection or edit an existing connection. For a newly configured PPP connection, click "Create" to add the connection to the list of available PPP connections or "Cancel" to discard your changes. To edit an existing PPP connection, click "Save" to store the reconfigured connection or "Reset" to discard your changes. You can click "Close" to shut the editor panel as long as no changes have been made on it.
Click "Activate" in the toolbar at the top of the desktop to apply your configuration changes.
3.4.2.3 WLAN Settings
All gateprotect Firewall models can be enhanced with a wireless USB flash drive to create a wireless access point in your network.
Connect a compatible wireless USB adapter to the USB port of your gateprotect Firewall to configure a wireless access point. A successful configuration allows wireless clients to connect to this access point to join the wireless local area network (WLAN).
Navigate to "Network > Connections > WLAN Settings" to display and edit the WLAN
settings of your gateprotect Firewall.
The "WLAN Settings" panel allows you to configure the following elements:
Field: Description
"ON"/"OFF": A slider switch indicates whether WLAN is active ("ON") or inactive ("OFF"). By clicking the slider switch, you can toggle the state.
"Device Status": Displays the status of the device. The status can be one of the following:
● Plugged – a wireless USB flash drive is connected to the gateprotect Firewall
● Unplugged – a previously connected wireless USB flash drive has been disconnected from the gateprotect Firewall
"License": Displays your license information.
"Mode": From the drop-down list, select the communication specifications according to IEEE 802.11. The mode can be one of the following:
● a – up to 54 Mbit/s 5 GHz
● an – up to 300 Mbit/s 5 GHz
● b – up to 11 Mbit/s 2.4 GHz
● g – up to 54 Mbit/s 2.4 GHz (default setting)
● gn – up to 300 Mbit/s 2.4 GHz
Field: Description
"Country Code": From the drop-down list, select the correct two-letter code for your country. The set default value is the standard country code 00 which provides compatibility for all countries.
"SSID": Enter an identifier for the wireless local area network.
"Show SSID": Optional: Select this checkbox if you want the SSID to be visible to the public.
"Encryption Mode": From the drop-down list, select the desired encryption mode. The mode can be one of the following:
● WPA
● WPA2
● WPA+WPA2 (default setting)
"Encryption Protocol": From the drop-down list, select one of the following encryption protocols to be used:
● TKIP – Temporal Key Integrity Protocol
● CCMP – Counter-Code/CBC-MAC Protocol
● TKIP+CCMP – a combination of the above two methods
"Preshared Key": Enter the pre-shared key to be used for encryption. Clients need to supply this password in order to establish a secured connection to the gateprotect Firewall.
On the "Advanced" tab:
Field: Description
"Channel Width": If you selected an or gn as the communication mode, you can now select the channel width from the drop-down list:
● Disabled
● [HT-40] – 40MHz below the selected channel for the channels 5 to 13 in mode g
● [HT40+] – 40MHz above the selected channel for the channels 1 to 9 in mode g
For the remaining communication modes, this field is disabled and set to 20 by default.
"Channel Number/Frequency": From the drop-down list, select the channel number (frequency). The options available for selection depend on the chosen communication mode and on the selected country code.
"Transmit Power": Specify the transmit power (in decibel-milliwatts) to be used. The value can be any integer from 1 to the maximum transmit power. It is set to 20 dBm by default.
"Access Point Station Isolation": Optional: Select this checkbox to prevent the clients from communicating directly with each other.
"Log Level": Define the log level from level 0 to 4.
On the "MAC Filter" tab:
Field: Description
"MAC Filter Mode": Use the MAC filter to determine whether a wireless device is to be granted access to the WLAN. The default setting is "Disabled", that is to say that no filtering is performed, but you can adjust the settings to one of the following values as necessary:
● "Blacklist" – the specified MAC addresses and therefore clients are blocked
● "Whitelist" – the specified MAC addresses and therefore clients are granted access to the network
"MAC Addresses": Enter MAC addresses to be applied when filtering and click "Add" after each entry. You can edit or delete each single entry in the list by clicking the appropriate button next to an entry.
The buttons at the bottom right of the editor panel allow you to shut ("Close") the editor panel as long as no changes have been made and to store ("Save") or to discard ("Reset") your changes.
Click "Activate" in the toolbar at the top of the desktop to apply your configuration changes.
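The WLAN fields above leave several choices to the administrator: the default "WPA+WPA2" mode and "TKIP+CCMP" protocol keep older clients working but allow the weaker WPA/TKIP combination, station isolation is off by default, and the MAC filter is a convenience control rather than authentication, since a client's MAC address is visible to anyone within radio range. The following Python audit is an added example and not gateprotect code; it checks a WLAN configuration built from these fields against a hardened baseline (WPA2 with CCMP only, a long pre-shared key, station isolation on) and applies the "Disabled", "Blacklist" and "Whitelist" semantics of the "MAC Filter Mode" field to a client address. The WlanSettings fields, the 8-to-63-character passphrase rule (the WPA passphrase length) and the two sample configurations are assumptions made for the example.

```python
"""WLAN settings audit and MAC filter evaluation (added example, not gateprotect code).

audit_wlan() compares a configuration built from the "WLAN Settings" fields
with a hardened baseline: WPA2 only, CCMP only, a long pre-shared key and
station isolation. mac_allowed() applies the "MAC Filter Mode" semantics
(Disabled / Blacklist / Whitelist) to a client address. Field names, the
passphrase length rule and the sample configurations are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import List

_MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def normalise_mac(mac: str) -> str:
    """Lower-case, colon-separated form; raises ValueError on malformed input."""
    m = mac.strip().lower().replace("-", ":")
    if not _MAC_RE.match(m):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return m


@dataclass
class WlanSettings:
    ssid: str
    show_ssid: bool = True
    encryption_mode: str = "WPA+WPA2"        # WPA, WPA2 or WPA+WPA2 (manual default)
    encryption_protocol: str = "TKIP+CCMP"   # TKIP, CCMP or TKIP+CCMP
    preshared_key: str = ""
    station_isolation: bool = False          # "Access Point Station Isolation"
    mac_filter_mode: str = "Disabled"        # Disabled, Blacklist or Whitelist
    mac_addresses: List[str] = field(default_factory=list)


def audit_wlan(cfg: WlanSettings) -> List[str]:
    """Return findings that a defender would want to fix; empty list when hardened."""
    findings = []
    if cfg.encryption_mode != "WPA2":
        findings.append(f"encryption mode {cfg.encryption_mode}: accepts WPA (TKIP-era) clients; set WPA2")
    if "TKIP" in cfg.encryption_protocol:
        findings.append(f"encryption protocol {cfg.encryption_protocol}: TKIP is permitted; set CCMP")
    n = len(cfg.preshared_key)
    if not 8 <= n <= 63:
        findings.append("pre-shared key must be 8 to 63 characters")   # WPA passphrase rule
    elif n < 16:
        findings.append(f"pre-shared key is only {n} characters; use a long random passphrase")
    if not cfg.station_isolation:
        findings.append("station isolation off: wireless clients can reach each other directly")
    if cfg.mac_filter_mode == "Whitelist" and not cfg.mac_addresses:
        findings.append("whitelist mode with an empty list blocks every client")
    return findings


def mac_allowed(cfg: WlanSettings, client_mac: str) -> bool:
    """Apply the MAC filter the way the "MAC Filter Mode" field describes it."""
    mac = normalise_mac(client_mac)
    listed = mac in {normalise_mac(m) for m in cfg.mac_addresses}
    if cfg.mac_filter_mode == "Disabled":
        return True
    if cfg.mac_filter_mode == "Blacklist":
        return not listed
    if cfg.mac_filter_mode == "Whitelist":
        return listed
    raise ValueError(f"unknown MAC filter mode {cfg.mac_filter_mode!r}")


# Constructed sample configurations: the manual's defaults with a short key,
# and a hardened variant of the same network.
WEAK = WlanSettings(ssid="office", preshared_key="office123")
HARDENED = WlanSettings(
    ssid="office",
    encryption_mode="WPA2",
    encryption_protocol="CCMP",
    preshared_key="correct-horse-battery-staple-7f3a",
    station_isolation=True,
    mac_filter_mode="Whitelist",
    mac_addresses=["00:11:22:AA:BB:CC"],
)

if __name__ == "__main__":
    for finding in audit_wlan(WEAK):
        print("WEAK:", finding)
    print("HARDENED:", audit_wlan(HARDENED) or "no findings")
```

The whitelist in the hardened sample keeps unknown devices from associating, but it is the WPA2/CCMP key that actually protects the traffic; an empty whitelist is flagged because it silently locks every client out.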
3.4.2.4 Routing
Use the "Routing" settings to configure routing tables and routing rules.
The routing settings allow you to define custom routes that are used to reach devices
on a given destination network.
Routes between network objects are created automatically and hidden. You should not
normally need to create routes unless you have an upstream router that requires special routes. To influence traffic between network objects, create a firewall rule as
described under Chapter 3.3, "Firewall Rule Settings", on page 19.
Routing Tables
Routing tables route packets through the network based on the destination IP address.
For more detailed information on routing tables, see the following sections.
Routing Tables Overview
Navigate to "Network > Routing > Routing Tables" to display the list of routing tables
that are currently defined on the system in the item list bar.
Deselect the "Show configurable tables only" checkbox if you want to display all tables
on the system. Otherwise, only tables that can be edited are displayed.
The following tables are preset on the system:
● Table 254 is the main routing table. You can add custom routes to this table. The entries are then adopted in all existing routing tables.
● Table 255 contains local routes for all configured interfaces.
● Tables 1 to 63 are reserved for the management of the Internet connections.
● Tables 64 to 250 are reserved for routes with a source address and appear with a source IP address during the set-up of routes.
● Table 293 is reserved for the transparent proxy.
In the expanded view, the columns of the table display the name of the routing table.
The buttons in the last column allow you to view and adjust the settings for an existing
routing table or delete a table from the system.
For further information, see Chapter 3.2, "Icons and Buttons", on page 17.
Routing Tables Settings
The "Routing Tables" settings allow you to add a new routing table or edit existing ones.
The "Routing Table" settings allow you to configure the following elements:
Field | Description
"Table Number" | Enter an ID for the routing table. Custom routing tables receive the ID 512 or higher. You need to configure routing rules pointing to custom routing tables, otherwise those tables are not used (see "Routing Rules" on page 71).
"Routes" | This table displays the custom routes that are specified in the routing table. Click "Add" to open the "Edit Route" panel and define a new route. You can edit or delete each single entry in the list by clicking the appropriate button next to an entry.
The "Edit Route" panel allows you to configure the following elements:
Field | Description
"Interface" | Select an interface for the route.
"Destination" | Enter the IP address of the destination network in CIDR notation (IP address followed by a slash »/« and the number of bits set in the subnet mask, for example 192.168.50.0/24).
"Gateway" | Enter an IP address as the gateway for this route. Traffic from the source zone to the destination network will be routed via this gateway (rather than the standard gateway).
"Type" | Select the address type from the drop-down list.
"Preferred Source" | Only packets with the selected sender address will be routed.
"Metric" | Define the cost of the route. The value entered here concerns routing protocols. A higher metric means the route is considered costly and is less likely to be chosen.
Click "OK" to save the route settings and return to the "Routing Table" panel.
The buttons at the bottom right of the editor panel depend on whether you add a new
routing table or edit an existing table. For a newly configured routing table, click "Create" to add the table to the list of available routing tables or "Cancel" to discard your
changes. To edit an existing routing table, click "Save" to store the reconfigured table
or "Reset" to discard your changes. You can click "Close" to shut the editor panel as
long as no changes have been made on it.
Routing Rules
Routing rules specify which packets are managed by which routing table. This allows
for more differentiated routing as routing rules include more fields of the IP header in
the routing decision, while routing tables only consider the destination IP address.
Routing Rules Overview
Navigate to "Network > Routing Rules" to display the list of routing rules that are currently defined on the system.
The plus button above the filter settings allows you to add new routing rules.
The "Filter Settings" allow you to narrow the list of results in the table to display only
entries that include a certain search string. You can filter the contents by choosing the
required options in the drop-down list and/or entering search strings in the respective
input fields. Click "Apply" to apply the selected filter options. The list of routing rules is
adjusted to reflect your filter results. Click "Reset" to delete the selected filter options
and display an unfiltered view of the list of routing rules.
The table columns of the routing rules list display the priority of the routing rule,
whether it is a system rule or not, and the selectors that can be used to define which
traffic should be routed where. The buttons in the right column allow you to view and
adjust the settings of a routing rule or delete a rule from the system.
For further information, see Chapter 3.2, "Icons and Buttons", on page 17.
System routing rules cannot be modified or deleted.
To close the "Routing Rules" panel, click in the upper right corner of the panel.
Routing Rules Settings
Under "Network > Routing Rules", you can add a new or edit an existing routing rule.
The "Routing Rule" settings allow you to configure the following elements:
Field | Description
"Priority" | Set the priority of the routing rule by entering an integer value from 64 to 32767 for custom rules. The rules are sorted by priority in ascending order. This means the system runs through the rules list starting with the system rule with priority 0 until all selectors in a rule match the packet. The action of this rule is then carried out.
"Source Subnet" | Optional: Enter the IP address of the source subnet in CIDR notation (IP address followed by a slash »/« and the number of bits set in the subnet mask, for example 192.168.50.0/24).
"Destination Subnet" | Optional: Enter the IP address of the destination subnet in CIDR notation (IP address followed by a slash »/« and the number of bits set in the subnet mask, for example 192.168.50.0/24).
"Input Interface" | Optional: Select one of the interfaces defined on the gateprotect Firewall as input interface.
"Output Interface" | Optional: Select one of the interfaces defined on the gateprotect Firewall as output interface.
"TOS" | Optional: Specify the Type of Service value by entering a hexadecimal number from 0 to FF.
"Action" | Specify the rule action:
  ● "Goto" - Enter the "Priority" of another routing rule. If a packet matches the selectors in the rule, it goes to the rule with the specified goto priority.
  ● "Table" - Enter the number of a routing table. If a packet matches the selectors in the rule, it runs through the specified routing table. If one of the routes in the table matches the packet, it is routed accordingly. Otherwise, the packet continues to run through the routing rules list.
If you specify none of the selectors, the entire traffic matches the rule.
The buttons at the bottom right of the editor panel depend on whether you add a new
routing rule or edit an existing rule. For a newly configured routing rule, click "Create"
to add the rule to the list of available routing rules or "Cancel" to reject the creation of
the new rule. To edit an existing rule, click "Save" to store the reconfigured rule or
"Reset" to discard your changes. You can click "Close" to shut the editor panel as long
as no changes have been made on it.
Click "Activate" in the toolbar at the top of the desktop to apply your configuration
changes.
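The rule walk that the "Priority" and "Action" rows describe, as an added example that is not part of this manual or of the gateprotect software: a small Python model of the lookup. Rules are visited in ascending priority, an unset selector matches everything, "Goto" jumps to the rule with the given priority, and "Table" consults a routing table, continuing with the next rule when the table holds no matching route. The table numbers (255, 254, 512, 513), interface names, addresses and rule priorities are constructed assumptions, not values taken from any gateprotect system.

```python
"""Added example, not part of the gateprotect manual: a simulation of the
policy-routing lookup described under "Routing Rules" and "Routing Tables".
Rules are walked in ascending priority; the first rule whose selectors all
match either jumps to another priority ("Goto") or consults a routing table
("Table"); a table without a matching route lets the walk continue. Table
numbers, interfaces, addresses and priorities below are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    src: IPv4Address
    dst: IPv4Address
    in_if: str
    tos: int = 0      # Type of Service byte, compared with the "TOS" selector


@dataclass
class Route:
    destination: IPv4Network
    interface: str
    gateway: Optional[IPv4Address] = None   # None: destination is directly connected
    metric: int = 0                         # higher metric = more costly route


@dataclass
class Rule:
    priority: int
    action: str           # "table" or "goto"
    target: int           # table number for "table", rule priority for "goto"
    src_subnet: Optional[IPv4Network] = None
    dst_subnet: Optional[IPv4Network] = None
    in_if: Optional[str] = None
    tos: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        # An unset selector matches everything, so a rule without selectors matches all traffic.
        return ((self.src_subnet is None or p.src in self.src_subnet)
                and (self.dst_subnet is None or p.dst in self.dst_subnet)
                and (self.in_if is None or p.in_if == self.in_if)
                and (self.tos is None or p.tos == self.tos))


def lookup_table(routes: List[Route], dst: IPv4Address) -> Optional[Route]:
    """Tables decide on the destination only: longest prefix wins, lower metric breaks ties."""
    matching = [r for r in routes if dst in r.destination]
    if not matching:
        return None
    return max(matching, key=lambda r: (r.destination.prefixlen, -r.metric))


def route_packet(rules: List[Rule], tables: Dict[int, List[Route]],
                 packet: Packet) -> Tuple[Optional[Route], List[str]]:
    """Walk the rules in priority order; return the chosen route (or None) and a trace."""
    ordered = sorted(rules, key=lambda r: r.priority)
    trace: List[str] = []
    i = 0
    while i < len(ordered):
        rule = ordered[i]
        if not rule.matches(packet):
            i += 1
            continue
        if rule.action == "goto":
            # Forward jump to the first rule at or after the target priority, so the walk cannot loop.
            trace.append(f"rule {rule.priority}: goto {rule.target}")
            nxt = next((j for j in range(i + 1, len(ordered))
                        if ordered[j].priority >= rule.target), None)
            if nxt is None:
                break
            i = nxt
            continue
        route = lookup_table(tables.get(rule.target, []), packet.dst)
        if route is not None:
            trace.append(f"rule {rule.priority}: table {rule.target} -> {route.destination}")
            return route, trace
        trace.append(f"rule {rule.priority}: table {rule.target} has no route, continuing")
        i += 1
    return None, trace


# Constructed configuration: 255 holds local routes, 254 is the main table,
# 512 and 513 are custom tables that are only reached through routing rules.
TABLES: Dict[int, List[Route]] = {
    255: [Route(ip_network("192.168.50.1/32"), "lo")],
    254: [Route(ip_network("0.0.0.0/0"), "wan1", ip_address("203.0.113.1")),
          Route(ip_network("192.168.50.0/24"), "lan0"),
          Route(ip_network("10.0.0.0/8"), "lan0", ip_address("192.168.50.254"))],
    512: [Route(ip_network("0.0.0.0/0"), "wan2", ip_address("198.51.100.1"))],
    513: [Route(ip_network("10.99.0.0/16"), "wan2", ip_address("198.51.100.1"))],
}
RULES: List[Rule] = [
    Rule(0, "table", 255),                                  # system rule: local routes
    Rule(100, "table", 512, in_if="lan1"),                  # second LAN leaves via wan2
    Rule(200, "goto", 32766, tos=0x10),                     # ToS 0x10 skips rule 250
    Rule(250, "table", 513, dst_subnet=ip_network("10.0.0.0/8")),
    Rule(32766, "table", 254),                              # system rule: main table
]


def decide(src: str, dst: str, in_if: str, tos: int = 0):
    """Look up one packet against the constructed configuration."""
    route, trace = route_packet(RULES, TABLES, Packet(ip_address(src), ip_address(dst), in_if, tos))
    if route is None:
        return None, None, trace
    return route.interface, (str(route.gateway) if route.gateway else None), trace
```

decide() returns the chosen interface and gateway together with the trace, which shows why the manual says a custom table is never used without a rule pointing at it: table 513 is consulted only because rule 250 names it, and when it has no route for the destination the packet falls through to the main table via the system rule at priority 32766.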
3.4.2.5 DHCP Settings
Navigate to "Network > DHCP Settings" to configure the DHCP settings on the gateprotect Firewall.
Field | Description
"ON"/"OFF" | A slider switch indicates whether the DHCP settings are enabled ("ON") or disabled ("OFF"). By clicking the slider switch, you can toggle the state.
"Operation Mode" | Select if you want to set up a DHCP server or a DHCP relay. The remaining fields on the screen depend on the chosen operation mode.
DHCP Server Settings
With the DHCP server running on the gateprotect Firewall, you can assign IP
addresses to clients and pass further configuration parameters (gateway, DNS server,
NTP server etc.) to them. Alternatively, it is possible to forward DHCP requests to an existing
DHCP server in another network.
Configure the following elements for the DHCP server:
Field | Description
"Default Lease Time" | Enter the default lease time (in seconds) to determine the amount of time that a computer has a valid IP address.
"Lease Time" | Enter the maximum lease time (in seconds).
"Prevent IP Conflicts" | Select this checkbox to have the DHCP server ping an IP address to check that it is not yet in use before assigning it to a new client.
"Port" | Specify the port that is used to listen for and transmit queries. This is useful for debugging purposes. The default port for DHCPv4/BOOTP is port 67.
"Interfaces" | This table displays all interfaces (Ethernet, VLAN and bridge) on which a static connection has been configured and their DHCP settings. Click the button next to an interface to open the "DHCP Settings" panel for that interface.
The interface "DHCP Settings" panel contains the following elements:
Field | Description
"ON"/"OFF" | A slider switch indicates whether the DHCP server is active ("ON") or not ("OFF") on this interface. By clicking the slider switch, you can toggle the state of the DHCP server on this interface.
On the "General" tab:
Field | Description
"Network" | Select the subnet whose IP addresses are distributed by the DHCP server.
"Range Start IP" | Enter a start IP to specify the range of IP addresses that are distributed to the client computers.
"Range End IP" | Enter an end IP to specify the range of IP addresses that are distributed to the client computers.
Note: Make sure that permanent IP addresses are not inside the IP address range of the DHCP server, as permanent IP addresses are not excluded automatically during dynamic address assignment. Otherwise, addresses may be assigned twice.
"Lease Time" | Specify the time (in minutes) for which a computer has a valid IP address. The default lease time is 60 minutes.
"Gateway" | Specify the default gateway IP address, usually the IP address of your gateprotect Firewall, to be pushed to the client.
"Preferred DNS server"/"Alternative DNS server" | Optional: If the gateprotect Firewall does not carry out name resolution, enter internal DNS servers that are located in the network or the Internet. Otherwise, the clients are allocated the IP address of the gateprotect Firewall as DNS server.
"WINS server" | If there is a WINS server in the network, use this input field to communicate it to the clients.
"Preferred NTP server"/"Alternative NTP server" | Clients may use NTP servers to determine the exact time. This is particularly important for user authentication via Windows servers.
On the "Static IP Addresses" tab:
Field | Description
"MAC Address"/"IP Address"/"Host Name" | Specify a static IP address for a host in the network by entering the host's MAC address and IP address. Additionally, you can enter the host name. Click "Add" to add the static IP address to the list.
You can edit or delete each single entry in the list by clicking the appropriate button next to an entry. For further information, see Chapter 3.2, "Icons and Buttons", on page 17.
Note: If you edit an entry, a check mark appears on the right of the entry. Click the check mark to apply your changes.
"Add from ARP Cache" | From the drop-down list, select the addresses you want to add from the ARP cache.
Click "OK" to save the interface settings and return to the "DHCP Settings" settings
panel.
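The warning in the "Range End IP" row, that permanent addresses are not excluded from the dynamic range automatically, is the kind of mistake that is easy to make in the web client and hard to spot later. As an added example that is not part of this manual or of the gateprotect software, the following Python checker takes one interface's "General" tab values and "Static IP Addresses" entries and reports inconsistencies before the scope is activated. The subnet, ranges, MAC addresses and host names are constructed; the field names mirror the panel above.

```python
"""Added example, not part of the gateprotect manual: consistency checks for
the DHCP server scope of one interface as configured on the "General" and
"Static IP Addresses" tabs. It enforces the note that permanent (static)
addresses are not excluded from the dynamic range automatically, so a
reservation inside "Range Start IP".."Range End IP" may be handed out twice.
All addresses, MAC addresses and host names are constructed."""
import re
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Sequence, Tuple

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")


def normalize_mac(mac: str) -> str:
    """Accept 'aa:bb:..' or 'AA-BB-..' and return the lower-case colon form."""
    if not MAC_RE.match(mac):
        raise ValueError(f"invalid MAC address: {mac!r}")
    return mac.replace("-", ":").lower()


@dataclass
class StaticEntry:           # one row of the "Static IP Addresses" tab
    mac: str
    ip: IPv4Address
    host_name: str = ""


@dataclass
class DhcpScope:             # the "General" tab plus the static entries
    network: IPv4Network
    range_start: IPv4Address
    range_end: IPv4Address
    gateway: IPv4Address
    lease_minutes: int = 60
    static: List[StaticEntry] = field(default_factory=list)


def check_scope(scope: DhcpScope) -> List[str]:
    """Return human-readable problems; an empty list means the scope is consistent."""
    problems: List[str] = []
    net, lo, hi = scope.network, scope.range_start, scope.range_end
    if lo not in net or hi not in net:
        problems.append(f"range {lo}-{hi} is not inside {net}")
    elif lo > hi:
        problems.append(f"range start {lo} is above range end {hi}")
    if lo == net.network_address or hi == net.broadcast_address:
        problems.append("range must not include the network or broadcast address")
    if lo <= scope.gateway <= hi:
        problems.append(f"gateway {scope.gateway} lies inside the dynamic range")
    if scope.lease_minutes <= 0:
        problems.append("lease time must be a positive number of minutes")
    seen_ip: Dict[IPv4Address, str] = {}
    seen_mac: Dict[str, IPv4Address] = {}
    for entry in scope.static:
        try:
            mac = normalize_mac(entry.mac)
        except ValueError as err:
            problems.append(str(err))
            continue
        if entry.ip not in net:
            problems.append(f"static address {entry.ip} ({mac}) is outside {net}")
        elif lo <= entry.ip <= hi:
            # The manual's warning: a permanent address inside the dynamic range
            # is not reserved automatically and may be assigned twice.
            problems.append(f"static address {entry.ip} ({mac}) lies inside the "
                            f"dynamic range {lo}-{hi} and may be assigned twice")
        if mac in seen_mac:
            problems.append(f"MAC {mac} has more than one static address")
        if entry.ip in seen_ip:
            problems.append(f"static address {entry.ip} is assigned to more than one MAC")
        seen_mac[mac] = entry.ip
        seen_ip[entry.ip] = mac
    return problems


def build_scope(network: str, start: str, end: str, gateway: str,
                static: Sequence[Tuple[str, str, str]] = (), lease_minutes: int = 60) -> DhcpScope:
    """Build a scope from plain strings, as they are typed into the web client."""
    return DhcpScope(ip_network(network), ip_address(start), ip_address(end), ip_address(gateway),
                     lease_minutes, [StaticEntry(m, ip_address(ip), h) for m, ip, h in static])


# Constructed scope: the VoIP phone's reservation sits inside the dynamic range.
EXAMPLE_SCOPE = build_scope("192.168.50.0/24", "192.168.50.100", "192.168.50.199", "192.168.50.1",
                            static=[("00-11-22-33-44-55", "192.168.50.10", "printer"),
                                    ("00:11:22:33:44:66", "192.168.50.150", "voip-phone")])
```

check_scope(EXAMPLE_SCOPE) reports the phone's address; moving the reservation below "Range Start IP" (or raising the range start above it) clears the list. The MAC check accepts both separators so that entries pasted from different tools compare equal.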
DHCP Relay Settings
A DHCP relay forwards incoming DHCP requests to a DHCP server in another network,
because DHCP requests themselves cannot be routed.
Field | Description
"DHCP Server IP Address" | Enter the IP address of the server to which the DHCP requests will be redirected.
"Relay through these interfaces" | Select one or more interfaces from which DHCP requests will be forwarded. Also select the interface that the DHCP server is connected to.
The buttons at the bottom right of the editor panel allow you to shut ("Close") the editor
panel as long as no changes have been made and to store ("Save") or to discard
("Reset") your changes.
Click "Activate" in the toolbar at the top of the desktop to apply your configuration
changes.
3.4.3 WAN
The "WAN" settings allow you to set up the WAN access of your gateprotect Firewall
by configuring DNS settings, DynDNS accounts, and QoS settings.
3.4.3.1 DNS Settings
Navigate to "WAN > DNS Settings" to configure the DNS settings of your gateprotect
Firewall.
Usually, the DNS server settings are provided by the WAN connection. You should
only need to configure the DNS server settings if you cannot obtain them via the WAN
connection.
The "DNS Settings" panel allows you to configure the following elements:
Field | Description
"Acquire DNS server" | Select this checkbox to connect to a DNS server selected by the router or the provider.
Note: In case you are using several Internet lines from different providers, make sure that the DNS servers you use can be reached from all lines. If necessary, use public DNS servers on the Internet.
"Nameserver" | Specify an alternative DNS server by entering its IP address.
The buttons at the bottom right of the editor panel allow you to shut ("Close") the editor
panel as long as no changes have been made and to store ("Save") or to discard
("Reset") your changes.
Click "Activate" in the toolbar at the top of the desktop to apply your configuration
changes.
3.4.3.2 DynDNS Accounts
To be able to connect from the external network to your gateprotect Firewall, for example via a VPN connection, the IP address of your device has to be recognized on the
Internet. Using dynamic DNS (»DynDNS«), your gateprotect Firewall gets a fixed hostname (for example yourcompany.dyndns.org) on the Internet, even if it has no
fixed public IP address. This is accomplished by sending the current IP address to a
DynDNS provider that maps it to a domain name so that the firewall is accessible using
that domain name. If the IP address changes due to a DSL disconnect forced by your
Internet service provider, for example, the IP address is re-sent to the DynDNS provider. This ensures that the dynamic DNS always points to the current IP address.
To set up DynDNS on your gateprotect Firewall, you require a configured DynDNS
account with a DynDNS provider. Further information on dynamic DNS and the registration for the dynamic DNS process can be found at, for example, www.dyndns.org.
For more detailed information on dynamic DNS accounts, see the following sections.
DynDNS Accounts Overview
Navigate to "WAN > DynDNS Accounts" to display the list of DynDNS accounts that
are currently defined on the system in the item list bar.
In the expanded view, the columns of the table display the "Hostname" of the DynDNS
account, indicate the "Status" of the account, and show the "Server Type". The buttons
in the last column allow you to view and adjust the settings for an existing DynDNS
account, create an account based on a copy of an existing DynDNS account or delete
an account from the system.
For further information, see Chapter 3.2, "Icons and Buttons", on page 17.
DynDNS Accounts Settings
The "WAN > DynDNS Accounts" settings allow you to define custom accounts for
WAN access in general. You can add a new or edit an existing DynDNS account.
The "DynDNS Account" settings allow you to configure the following elements:
Field | Description
"ON"/"OFF" | A slider switch indicates whether the DynDNS account is active ("ON") or inactive ("OFF"). By clicking the slider switch, you can toggle the state of the DynDNS account. A new DynDNS account is enabled by default.
"Internet Connection" | From the drop-down list, select the Internet connection to be used by the account.
"Server Type" | From the drop-down list of supported DynDNS services, select the type of server to be used.
"Hostname" | DynDNS services provide a domain name entry under their authority, so a registered host always has the suffix of the service provider (for example yourname.dynamicdns.org). Enter the complete host name in this input field.
"Username" | Enter the user name with which your account is registered with the DynDNS provider.
"Password" | Enter the password with which your account is registered with the DynDNS provider.
"Show Password" | Optional: Select this checkbox to display the password so that you can verify it.
"Custom Server Address" | Optional: Enter the address of the server if your DynDNS provider requires the definition of a different server address.
"MX Record" | Optional: If you wish to use an MX record, enter its IP address or hostname.
"Wildcards" | Optional: Select this checkbox to allow wildcards in host names if you plan to use subdomains of your DynDNS account (for example, *.yourname.dynamicdns.org will resolve for any domains ending with yourname.dynamicdns.org).
The buttons at the bottom right of the editor panel depend on whether you add a new
DynDNS account or edit an existing account. For a newly configured account, click
"Create" to add the account to the list of available DynDNS accounts or "Cancel" to discard your changes. To edit an existing account, click "Save" to store the reconfigured
account or "Reset" to discard your changes. You can click "Close" to shut the editor
panel as long as no changes have been made on it.
Click "Activate" in the toolbar at the top of the desktop to apply your configuration
changes.
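The exchange described at the start of this section (the firewall reports its current public address, the provider maps it to the host name, and a new address is re-sent after a reconnect), as an added example that is not part of this manual or of the gateprotect software. The provider and the firewall side are both simulated in one Python file so it runs offline; the status words follow the widely used dyndns2 update protocol ("good", "nochg", "badauth") as an assumption about the provider, and the account name, password, host name and addresses are constructed.

```python
"""Added example, not part of the gateprotect manual: a simulation of the
DynDNS exchange. DynDnsProvider stands in for the provider's update service
and name server, DynDnsClient for the firewall-side logic that reports its
current public address, re-sends it only when it changes and honours the
"Wildcards" option for subdomains. Status words follow the common dyndns2
protocol ("good", "nochg", "badauth") as an assumption; credentials, host
names and addresses are constructed."""
from typing import Dict, Optional, Tuple


class DynDnsProvider:
    def __init__(self, accounts: Dict[str, str]) -> None:
        self.accounts = accounts                        # constructed user -> password
        self.records: Dict[str, Tuple[str, bool]] = {}  # hostname -> (ip, wildcard)

    def update(self, user: str, password: str, hostname: str, ip: str, wildcard: bool) -> str:
        """Authenticated update request; returns the provider's status word."""
        if self.accounts.get(user) != password:
            return "badauth"
        previous = self.records.get(hostname)
        self.records[hostname] = (ip, wildcard)
        return "nochg" if previous and previous[0] == ip else "good"

    def resolve(self, name: str) -> Optional[str]:
        """Name-server side: exact match, or a suffix match when wildcards are enabled."""
        if name in self.records:
            return self.records[name][0]
        for host, (ip, wildcard) in self.records.items():
            if wildcard and name.endswith("." + host):
                return ip
        return None


class DynDnsClient:
    def __init__(self, provider: DynDnsProvider, user: str, password: str,
                 hostname: str, wildcard: bool = False) -> None:
        self.provider, self.user, self.password = provider, user, password
        self.hostname, self.wildcard = hostname, wildcard
        self.last_reported: Optional[str] = None   # address the provider last accepted

    def report(self, current_ip: str) -> Optional[str]:
        """Call whenever the WAN address is checked. Sends an update only when the
        address differs from the last accepted one and returns the status word,
        or None when nothing had to be sent."""
        if current_ip == self.last_reported:
            return None
        status = self.provider.update(self.user, self.password, self.hostname,
                                      current_ip, self.wildcard)
        if status in ("good", "nochg"):
            self.last_reported = current_ip
        return status
```

Because report() remembers the last accepted address, a line that flaps or a periodic check does not flood the provider with identical updates, while a rejected update (wrong credentials) leaves last_reported unset so the next check retries.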
3.4.3.3 QoS Settings
Quality of Service (QoS) prioritizes the processing of queued network packets in the
gateprotect Firewall based on Type of Service (ToS) flags. This way, performance-critical applications like Voice over IP (RTP) can be prioritized.
A precondition for Quality of Service is that applications or devices (such as VoIP telephone systems) set the ToS field in IP data packets. The gateprotect Firewall then
sorts the packets based on the value of the ToS field and assigns them to several
queues with different priorities. Data packets from the queue with the highest priority
are forwarded immediately. Data packets from queues with lower priority are only forwarded when all the queues with higher priority have been emptied.
Navigate to "WAN > QoS Settings" to configure Quality of Service:
Field | Description
"ON"/"OFF" | A slider switch indicates whether Quality of Service is active ("ON") or inactive ("OFF"). By clicking the slider switch, you can toggle the state.
"QoS Services" | Enter a "Service" you want to activate QoS for. Specify the hexadecimal "Value" of the ToS field which identifies the application or the device for the service. Click "Add" to add the service to the list. You can edit or delete each single entry in the list by clicking the appropriate button next to an entry. For further information, see Chapter 3.2, "Icons and Buttons", on page 17.
Note: If you edit an entry, a check mark appears on the right of the entry. Click the check mark to apply your changes.
Use the buttons next to an entry to change its priority. The first entry in the list has the highest priority.
The buttons at the bottom right of the editor panel allow you to shut ("Close") the editor
panel as long as no changes have been made and to store ("Save") or to discard
("Reset") your changes.
Click "Activate" in the toolbar at the top of the desktop to apply your configuration
changes.
3.4.3.4 QoS Connection Settings
Navigate to "WAN > QoS Connection Settings" to set up Quality of Service for your
Internet connections, in other words, for the network and PPP connections for which
you configured a default gateway.
The "QoS Connection Settings" configured here take effect only if Quality of Service
has been activated for Internet connections. For more information, see Chapter 3.4.3.3, "QoS Settings", on page 76.
For more detailed information on the QoS connection settings, see the following sections.
QoS Connection Settings Overview
Navigate to "WAN > QoS Connection Settings" to display the list of network and PPP
connections that are currently defined on the system in the item list bar.
In the expanded view, the columns of the table display the "Name" of the connection
as well as the configured "Download" and "Upload" bandwidth thresholds. The button
in the last column allows you to adjust the Quality of Service connection settings.
For further information, see Chapter 3.2, "Icons and Buttons", on page 17.
QoS Connection Settings
The "QoS" settings allow you to configure the following elements for every Internet
connection:
Field | Description
"QoS Down"/"QoS Up" | To ensure Quality of Service, enter the bandwidth thresholds that should be reserved for QoS services using this connection. The two input fields determine the maximum bandwidth (in kilobits per second) for download and upload. If you set the fields to 0, Quality of Service is not applied for this connection.
The buttons at the bottom right of the editor panel allow you to shut ("Close") the editor
panel as long as no changes have been made and to store ("Save") or to discard
("Reset") your changes.
Click "Activate" in the toolbar at the top of the desktop to apply your configuration
changes.
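The queueing behaviour described in Chapter 3.4.3.3 (packets are sorted into priority queues by ToS value, the first service in the list has the highest priority, and lower queues are served only once the higher ones are empty) together with the per-connection threshold from this section, as an added example that is not part of this manual or of the gateprotect software. The Python scheduler below is a model of that behaviour, not the firewall's implementation: the service names, the ToS values (0xB8 is the ToS byte of DSCP EF, which VoIP systems commonly set on RTP; 0x68 is DSCP AF31, used here for signalling), the packet sizes and the link budget are constructed, and the "QoS Up"/"QoS Down" value is treated as a bit budget per scheduling window with 0 meaning QoS off.

```python
"""Added example, not part of the gateprotect manual: a strict-priority
scheduler that behaves the way the "QoS Settings" and "QoS Connection
Settings" sections describe. Each QoS service is identified by the
hexadecimal ToS value its packets carry, the order of the service list is
the priority order (first entry = highest), and the per-connection
"QoS Up"/"QoS Down" value is the link budget in kbit/s, 0 meaning QoS is
not applied. Service names, ToS values and packet sizes are constructed;
use the ToS value your own devices actually set."""
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple


@dataclass
class Packet:
    tos: int      # IP Type of Service byte as set by the application or device
    size: int     # bytes on the wire
    label: str    # constructed name, only used to make results readable


class QosScheduler:
    def __init__(self, services: List[Tuple[str, int]], link_kbit: int) -> None:
        self.link_kbit = link_kbit
        # One queue per service in list order, plus a best-effort queue behind
        # them for packets whose ToS value matches no configured service.
        self.names = [name for name, _ in services] + ["best-effort"]
        self.by_tos: Dict[int, int] = {tos: i for i, (_, tos) in enumerate(services)}
        self.queues: List[Deque[Packet]] = [deque() for _ in self.names]
        self.fifo: Deque[Packet] = deque()   # used only when QoS is off (budget 0)

    def enqueue(self, packet: Packet) -> str:
        """Classify a packet by ToS and return the name of its queue."""
        if self.link_kbit == 0:
            self.fifo.append(packet)
            return "fifo"
        idx = self.by_tos.get(packet.tos, len(self.queues) - 1)
        self.queues[idx].append(packet)
        return self.names[idx]

    def _front(self) -> Optional[Deque[Packet]]:
        """The queue to serve next: the highest-priority non-empty one."""
        if self.link_kbit == 0:
            return self.fifo or None
        return next((q for q in self.queues if q), None)

    def send_window(self, seconds: float = 1.0) -> List[str]:
        """Forward what fits into `seconds` of link budget, highest priority first.

        Lower queues are only served once every higher queue is empty, so on a
        saturated link they wait for a later window. With budget 0 (QoS off)
        everything queued leaves in arrival order. A packet larger than one
        whole window never fits in this toy; a real shaper carries credit over."""
        budget = None if self.link_kbit == 0 else self.link_kbit * 1000 * seconds
        sent: List[str] = []
        while (q := self._front()) is not None:
            bits = q[0].size * 8
            if budget is not None:
                if bits > budget:
                    break       # next packet does not fit; it waits for the next window
                budget -= bits
            sent.append(q.popleft().label)
        return sent

    def backlog(self) -> Dict[str, int]:
        """Packets still waiting, per queue."""
        if self.link_kbit == 0:
            return {"fifo": len(self.fifo)}
        return {n: len(q) for n, q in zip(self.names, self.queues)}


# Constructed services, highest priority first, and constructed traffic in arrival order.
SERVICES = [("VoIP (RTP)", 0xB8), ("VoIP signalling", 0x68)]
TRAFFIC = [Packet(0x00, 1500, "web-1"), Packet(0xB8, 200, "rtp-1"),
           Packet(0x68, 600, "sip-1"), Packet(0x00, 1500, "web-2"),
           Packet(0xB8, 200, "rtp-2")]


def run(link_kbit: int, seconds: float) -> Tuple[List[str], Dict[str, int]]:
    """Queue TRAFFIC, send one window, report what left and what still waits."""
    sched = QosScheduler(SERVICES, link_kbit)
    for p in TRAFFIC:
        sched.enqueue(p)
    return sched.send_window(seconds), sched.backlog()
```

run(10000, 1.0) forwards everything, RTP first, then signalling, then web traffic; run(64, 0.1) shows the starvation the manual implies on a saturated link (only the two RTP packets leave, the rest stay queued); run(0, 0.1) shows that a threshold of 0 switches QoS off and packets leave in arrival order.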
3.4.4 Network Objects
The "Network Objects" settings allow you to organize your network by setting up single and group objects for hosts, users, networks, VPN, and IP ranges. The created
objects are displayed as nodes on the desktop and can be used as sources and/or
destinations in connections to apply firewall rules.
The item list bar displays all network objects that are defined on the system. If you click
on an entry in the item list bar, the respective desktop object is highlighted on the desktop. All connections it is used in are highlighted as well.
Alternatively, you can create the objects from the toolbar above the desktop.
3.4.4.1 Internet Objects
Create Internet objects for your Internet connections. Internet objects are used to create connections between other network objects (such as VPN objects, etc.) and the
Internet.
Internet Objects Overview
Navigate to "Network Objects > Internet Objects" to display the list of Internet objects
that are currently defined on the system in the item list bar.
In the expanded view, the table displays the "Object Name" of the Internet object. The
buttons in the last column allow you to view and adjust the settings for an existing
Internet object, create an object based on a copy of an existing Internet object or
delete an object from the system.
For further information, see Chapter 3.2, "Icons and Buttons", on page 17.
Internet Objects Settings
The "Internet Object" settings allow you to configure the following elements:
Field | Description
"Object Name" | Specify a name for the Internet object.
"Color" | Select the color to be used for this object on the desktop.
"Connections" | Select the Internet connection(s) that this object is part of. For further information, see "Network Connections Settings" on page 60.
The buttons at the bottom right of the editor panel depend on whether you add a new
Internet object or edit an existing object. For a newly configured object, click "Create"
to add the object to the list of available Internet objects or "Cancel" to discard your
changes. To edit an existing object, click "Save" to store the reconfigured object or
"Reset" to discard your changes. You can click "Close" to shut the editor panel as long
as no changes have been made on it.
Click "Activate" in the toolbar at the top of the desktop to apply your configuration
changes.
3.4.4.2 Hosts
Create a host object that can be used to create connections between the host and
other network objects (such as VPN objects, etc.). A host (for example a printer or a
VoIP phone) can be assigned a dedicated IP address so that firewall rules can be specifically applied to it. For further information on creating firewall rules, see Chapter 3.3,
"Firewall Rule Settings", on page 19.
Hosts Overview
Navigate to "Network Objects > Hosts" to display the list of host objects that are currently defined on the system in the item list bar.
In the expanded view, the columns of the table display the "Name" and the "IP" of the
host object as well as the interface it is connected to. The buttons in the last column
allow you to view and adjust the settings for an existing host object, create an object
based on a copy of an existing host object or delete an object from the system.
For further information, see Chapter 3.2, "Icons and Buttons", on page 17.
Hosts Settings
The "Host" settings allow you to configure the following elements:
Field | Description
"Name" | Specify a name for the host object.
"Color" | Select the color to be used for this object on the desktop.
"Allow login" | Select this checkbox to allow the user to log on to the gateprotect Firewall via the IP address of this host object. This allows your gateprotect Firewall to apply user-specific firewall rules to the user being logged on.
"Icon" | Select an icon to represent the host on the desktop.
"Connected to" | Select an interface that the host is connected to.
"IP Address" | Enter the IP address of the host object.
The buttons at the bottom right of the editor panel depend on whether you add a new
host object or edit an existing object. For a newly configured object, click "Create" to
add the object to the list of available host objects or "Cancel" to discard your changes.
To edit an existing object, click "Save" to store the reconfigured object or "Reset" to
discard your changes. You can click "Close" to shut the editor panel as long as no
changes have been made on it.
Click "Activate" in the toolbar at the top of the desktop to apply your configuration
changes.
3.4.4.3 Users
Create desktop objects for users that can be used to display the users on the desktop
and to create connections between the users and other network objects (such as VPN
objects, etc.).
The menu "Network Objects > Users" only serves to create desktop objects for users
that already exist in the system. For information on how to add and manage users, see
Chapter 3.4.1.4, "User Authentication", on page 28.
Users Overview
Navigate to "Network Objects > Users" to display the list of user objects that are currently defined on the system in the item list bar.
In the expanded view, the columns of the table display the "Name" of the user object
and the "User Name" associated with it. The buttons in the last column allow you to
view and adjust the settings for an existing user object, create an object based on a
copy of an existing user object or delete an object from the system.
For further information, see Chapter 3.2, "Icons and Buttons", on page 17.
Users Settings
The "User" settings allow you to configure the following elements:
Field | Description
"Object Name" | Specify a name for the user object.
"Color" | Select the color to be used for this object on the desktop.
"User Name" | Select the user to be used for the object.
Note: Users may belong to multiple user objects.
The buttons at the bottom right of the editor panel depend on whether you add a new
user object or edit an existing object. For a newly configured object, click "Create" to
add the object to the list of available user objects or "Cancel" to discard your changes.
To edit an existing object, click "Save" to store the reconfigured object or "Reset" to
discard your changes. You can click "Close" to shut the editor panel as long as no
changes have been made on it.
Click "Activate" in the toolbar at the top of the desktop to apply your configuration
changes.
3.4.4.4 User Groups
Create desktop objects for user groups that can be used to create connections
between multiple users and other network objects (such as VPN objects, etc.) applying
a common rule set to multiple users.
User Groups Overview
Navigate to "Network Objects > User Groups" to display the list of user group objects
that are currently defined on the system in the item list bar.
In the expanded view, the table displays the "Name" of the user group object. The buttons in the last column allow you to view and adjust the settings for an existing user
group object, create an object based on a copy of an existing user group or delete an
object from the system.
For further information, see Chapter 3.2, "Icons and Buttons", on page 17.
User Groups Settings
The "User Group" settings allow you to configure the following elements:
Field | Description
"Object Name" | Specify a name for the user group.
"Color" | Select the color to be used for this object on the desktop.
"User" | Select the users you want to add to the group. The left-hand list displays the users belonging to the group. The right-hand list displays the users available in the system that do not belong to the group.
To add a user to the group, click the corresponding button. A separate button adds all available users at once.
To remove a user from the group, click the corresponding button. A separate button removes all users at once.
Use the "Filter" field to narrow the list of users to display only entries that include a certain search string. Clear the filter to display an unfiltered view of the list of users.
Note: Users may belong to multiple user groups.
The buttons at the bottom right of the editor panel depend on whether you add a new
user group or edit an existing group. For a newly configured group, click "Create" to
add the group to the list of available user groups or "Cancel" to discard your changes.
To edit an existing group, click "Save" to store the reconfigured group or "Reset" to discard your changes. You can click "Close" to shut the editor panel as long as no
changes have been made on it.
Click "Activate" in the toolbar at the top of the desktop to apply your configuration
changes.
3.4.4.5 VPN Users
Create desktop objects for users that can be used in VPN connections. VPN users are
displayed at the VPN node on the desktop.
The menu "Network Objects > VPN Users" only serves to create desktop objects for
users that already exist in the system. For information on how to add and manage
users, see Chapter 3.4.1.4, "User Authentication", on page 28.
VPN Users Overview
Navigate to "Network Objects > VPN Users" to display the list of user objects that are
currently defined on the system in the item list bar.
In the expanded view, the columns of the table display the "Object Name" of the VPN
user object and the "User Name". The buttons in the last column allow you to view and
adjust the settings for an existing VPN user object, create an object based on a copy of
an existing VPN user object or delete an object from the system.
For further information, see Chapter 3.2, "Icons and Buttons", on page 17.
VPN Users Settings
The "VPN User" settings allow you to configure the following elements:
Field | Description
"Object Name" | Specify a name for the VPN user object.
"Color" | Select the color to be used for this object on the desktop.
"User Name" | Select the user to be used for the VPN user object.
Note: Users may belong to multiple user objects.
The buttons at the bottom right of the editor panel depend on whether you add a new
VPN user object or edit an existing object. For a newly configured object, click "Create"
to add the object to the list of available VPN user objects or "Cancel" to discard your
changes. To edit an existing object, click "Save" to store the reconfigured object or
"Reset" to discard your changes. You can click "Close" to shut the editor panel as long
as no changes have been made on it.
Click "Activate" in the toolbar at the top of the desktop to apply your configuration changes.
3.4.4.6 VPN User Groups
Create desktop objects for VPN user groups that can be used to create connections
between multiple users and other network objects applying a common rule set to multiple VPN users. VPN user groups are displayed at the VPN node on the desktop.
VPN User Groups Overview
Navigate to "Network Objects > VPN User Groups" to display the list of VPN user
group objects that are currently defined on the system in the item list bar.
In the expanded view, the table displays the "Name" of the VPN user group object. The
buttons in the last column allow you to view and adjust the settings for an existing VPN
user group object, create an object based on a copy of an existing VPN user group or
delete an object from the system.
For further information, see Chapter 3.2, "Icons and Buttons", on page 17.
VPN User Groups Settings
The "VPN User Group" settings allow you to configure the following elements:
FieldDescription
"Name"Specify a name for the VPN user group.
"Color"Select the color to be used for this object on the desktop.
"User"Select the users you want to add to the VPN user group.
The left-hand list displays the users belonging to the group. The right-hand list
displays the users available in the system that do not belong to the group.
To add a user to the group, click the add button next to the user. Click the add-all button if you want to add all available users at once.
To remove a user from the group, click the remove button next to the user. Click the remove-all button if you want to remove all users at once.
Use the "Filter" field to narrow the list of users to display only entries that include a certain search string. Click the clear button to display an unfiltered view of the list of users.
Note: Users may belong to multiple VPN user groups.
The buttons at the bottom right of the editor panel depend on whether you add a new
VPN user group or edit an existing group. For a newly configured group, click "Create"
to add the group to the list of available VPN user groups or "Cancel" to discard your
changes. To edit an existing group, click "Save" to store the reconfigured group or
"Reset" to discard your changes. You can click "Close" to shut the editor panel as long
as no changes have been made on it.
Click "Activate" in the toolbar at the top of the desktop to apply your configuration changes.
3.4.4.7 Networks
Create a network that can be used to create connections between the network and
other objects (such as VPN objects, etc.).
Networks Overview
Navigate to "Network Objects > Networks" to display the list of networks that are currently defined on the system in the item list bar.
In the expanded view, the columns of the table display the "Name" and the "IP" of the
network as well as the "Interface" it is connected to. The buttons in the last column
allow you to view and adjust the settings for an existing network, create a network
based on a copy of an existing network or delete a network from the system.
For further information, see Chapter 3.2, "Icons and Buttons", on page 17.
Networks Settings
The "Network" settings allow you to configure the following elements:
Field and description:
"Name": Specify a name for the network.
"Color": Select the color to be used for this object on the desktop.
"Allow login": Select this checkbox to allow users to log on to the gateprotect Firewall from the IP addresses of this network object. This allows your gateprotect Firewall to apply user-specific firewall rules to the logged-on user.
"Interface": Select the interface that the network is connected to.
"Network IP": Enter the IP address of the network in CIDR notation (IP address followed by a slash »/« and the number of bits set in the subnet mask, for example 192.168.50.0/24).
The buttons at the bottom right of the editor panel depend on whether you add a new network or edit an existing network. For a newly configured network, click "Create" to add the network to the list of available networks or "Cancel" to discard your changes. To edit an existing network, click "Save" to store the reconfigured network or "Reset" to discard your changes. You can click "Close" to shut the editor panel as long as no changes have been made on it.
Click "Activate" in the toolbar at the top of the desktop to apply your configuration changes.
3.4.4.8 Host Groups
Create desktop objects for host groups that can be used to create connections between multiple hosts and other network objects (such as VPN objects, etc.). Host groups can be used as sources and/or destinations to apply firewall rules and web filters to multiple computers.
Host Groups Overview
Navigate to "Network Objects > Host Groups" to display the list of host groups that are currently defined on the system in the item list bar.
In the expanded view, the table displays the "Name" of the host group. The buttons in
the last column allow you to view and adjust the settings for an existing host group,
create a group based on a copy of an existing host group or delete a group from the
system.
For further information, see Chapter 3.2, "Icons and Buttons", on page 17.
Host Groups Settings
The "Host Group" settings allow you to configure the following elements:
Field and description:
"Name": Specify a name for the host group.
"Color": Select the color to be used for this object on the desktop.
"Hosts": Specify the hosts you want to add to the host group. Define the "Name", whether login is allowed, the "Interface", and the "IP Address" of each host. Click "Add" to add a host to the list.
You can edit or delete each single entry in the list by clicking the appropriate button next to an entry. For further information, see Chapter 3.2, "Icons and Buttons", on page 17.
Note: If you edit an entry, a check mark appears on the right of the entry. Click the check mark to apply your changes.
The buttons at the bottom right of the editor panel depend on whether you add a new host group or edit an existing group. For a newly configured group, click "Create" to add the group to the list of available host groups or "Cancel" to discard your changes. To edit an existing group, click "Save" to store the reconfigured group or "Reset" to discard your changes. You can click "Close" to shut the editor panel as long as no changes have been made on it.
Click "Activate" in the toolbar at the top of the desktop to apply your configuration changes.
3.4.4.9 IP Ranges
Create IP address ranges to group hosts by indicating a start and end IP address. If a DHCP server is configured for the selected interface, you can also use the address range of the DHCP server.
IP Ranges Overview
Navigate to "Network Objects > IP Ranges" to display the list of IP ranges that are currently defined on the system in the item list bar.
In the expanded view, the columns of the table display the "Object Name" of the IP
range, the "Interface" it is connected to, as well as its "Start IP" and "End IP". The buttons in the last column allow you to view and adjust the settings for an existing IP
range, create an object based on a copy of an existing IP range or delete an IP range
from the system.
For further information, see Chapter 3.2, "Icons and Buttons", on page 17.
IP Ranges Settings
The "IP Range" settings allow you to configure the following elements:
Field and description:
"Name": Specify a name for the IP range.
"Color": Select the color to be used for this object on the desktop.
"Allow login": Select this checkbox to allow users to log on to the gateprotect Firewall from the IP range of this object. This allows your gateprotect Firewall to apply user-specific firewall rules to the logged-on user.
"Interface": Select an interface to assign it to the IP range. Select "any" if you do not want to assign this object to a certain interface. That way all interfaces will accept packets from the IP range of this object.
"Start IP": Specify the start IP address of the IP range.
"End IP": Specify the end IP address of the IP range.
If you want to use the address range of the DHCP server of the selected interface, click
the "Use DHCP IP range" button at the bottom left of the editor panel.
The buttons at the bottom right of the editor panel depend on whether you add a new
IP range or edit an existing IP range. For a newly configured IP range, click "Create" to
add the IP range to the list of available IP ranges or "Cancel" to discard your changes.
To edit an existing IP range, click "Save" to store the reconfigured IP range or "Reset"
to discard your changes. You can click "Close" to shut the editor panel as long as no
changes have been made on it.
Click "Activate" in the toolbar at the top of the desktop to apply your configuration changes.
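The "Network IP" field above takes a CIDR prefix, while an IP range object is defined by a start and end address and is bound to an interface or to "any". The following Python script is an added example (not part of the manual and not the firewall's own code) that checks a set of such objects before they are entered: it validates the CIDR value strictly, converts a start/end range into the equivalent CIDR blocks, flags an IP range that lies outside every network object on its interface (its rules can never match), and flags overlapping ranges on the same interface (one host covered by two rule sets). The object names, interfaces and addresses are constructed sample data, not values from the manual.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample objects modelled on the "Networks" and "IP Ranges" editors of
# this chapter. Names, interfaces and addresses are assumptions for the example,
# not values taken from the manual or from a real configuration.


@dataclass(frozen=True)
class NetworkObject:
    name: str
    interface: str
    network_ip: str  # the "Network IP" field, CIDR notation such as 192.168.50.0/24

    def network(self) -> ipaddress.IPv4Network:
        # strict=True rejects an entry like 192.168.50.7/24 whose host bits are set:
        # the field names a network, not a host inside it.
        return ipaddress.ip_network(self.network_ip, strict=True)


@dataclass(frozen=True)
class IPRangeObject:
    name: str
    interface: str  # "any" makes every interface accept packets from the range
    start_ip: str
    end_ip: str

    def bounds(self):
        start, end = ipaddress.ip_address(self.start_ip), ipaddress.ip_address(self.end_ip)
        if end < start:
            raise ValueError(f"{self.name}: End IP lies before Start IP")
        return start, end

    def as_cidrs(self):
        # The minimal list of CIDR blocks covering exactly Start IP..End IP; a
        # start/end range rarely maps onto a single prefix.
        return list(ipaddress.summarize_address_range(*self.bounds()))


def valid_network_ip(text: str) -> bool:
    """True only for a well-formed "Network IP" value whose host bits are all zero."""
    try:
        ipaddress.ip_network(text, strict=True)
    except ValueError:
        return False
    return True


def range_fits_interface(rng, networks) -> bool:
    """An IP range bound to an interface should lie inside a network object on that
    same interface; otherwise no packets from the range arrive there and the rules
    attached to the object are dead."""
    if rng.interface == "any":
        return True
    start, end = rng.bounds()
    return any(start in n.network() and end in n.network()
               for n in networks if n.interface == rng.interface)


def overlapping_ranges(ranges):
    """Pairs of IP range objects that share an interface (or use "any") and whose
    address intervals intersect, so one host may be covered by two rule sets."""
    pairs = []
    for i, a in enumerate(ranges):
        a_start, a_end = a.bounds()
        for b in ranges[i + 1:]:
            if "any" not in (a.interface, b.interface) and a.interface != b.interface:
                continue
            b_start, b_end = b.bounds()
            if a_start <= b_end and b_start <= a_end:
                pairs.append((a.name, b.name))
    return pairs


def audit(networks, ranges):
    """Human-readable findings for a set of network and IP range objects."""
    findings = [f"{r.name}: not inside any network object on interface {r.interface}"
                for r in ranges if not range_fits_interface(r, networks)]
    findings += [f"{a} overlaps {b}" for a, b in overlapping_ranges(ranges)]
    return findings


NETWORKS = [  # constructed sample data
    NetworkObject("LAN", "eth1", "192.168.50.0/24"),
    NetworkObject("DMZ", "eth2", "10.10.0.0/16"),
]
RANGES = [
    IPRangeObject("Clients", "eth1", "192.168.50.100", "192.168.50.199"),
    IPRangeObject("Printers", "eth1", "192.168.50.190", "192.168.50.200"),
    IPRangeObject("Stray", "eth1", "172.16.0.10", "172.16.0.20"),
    IPRangeObject("Scanners", "any", "10.10.5.1", "10.10.5.8"),
]

if __name__ == "__main__":
    for r in RANGES:
        print(r.name, [str(c) for c in r.as_cidrs()])
    for line in audit(NETWORKS, RANGES):
        print("finding:", line)
```

Running the script reports the "Stray" range as unreachable on eth1 and the overlap between "Clients" and "Printers"; the CIDR expansion also shows why a range such as 192.168.50.100 to 192.168.50.199 is easier to express as an IP range object than as network objects.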
3.4.4.10 VPN Hosts
Create a VPN host object that can be used to configure firewall rules for VPN Client-to-Site connections.
VPN Hosts Overview
Navigate to "Network Objects > VPN Hosts" to display the list of VPN hosts that are
currently defined on the system in the item list bar.
In the expanded view, the columns of the table display the "Name" of the host object,
the "Type" of the VPN connection as well as the VPN connection that the VPN host
belongs to. The buttons in the last column allow you to view and adjust the settings for
an existing VPN host, create a host based on a copy of an existing VPN host or delete
a host from the system.
For further information, see Chapter 3.2, "Icons and Buttons", on page 17.
VPN Hosts Settings
The "VPN Host" settings allow you to configure the following elements:
Field and description:
"Name": Specify a name for the VPN host object.
"Color": Select the color to be used for this object on the desktop.
"Icon": Select an icon to represent the VPN host on the desktop.
"VPN Connection Type": Select the type of the VPN connection by clicking the respective radio button.
"IPsec Connection"/"VPN-SSL Connection": This field depends on the selected VPN connection type. Select the connection you want to associate to the VPN host from the drop-down list.
The buttons at the bottom right of the editor panel depend on whether you add a new VPN host or edit an existing host. For a newly configured host, click "Create" to add the host to the list of available VPN hosts or "Cancel" to discard your changes. To edit an existing host, click "Save" to store the reconfigured object or "Reset" to discard your changes. You can click "Close" to shut the editor panel as long as no changes have been made on it.
Click "Activate" in the toolbar at the top of the desktop to apply your configuration changes.
3.4.4.11 VPN Groups
Create VPN groups that can be used to create connections between multiple VPN connections and other network objects, applying a common rule set to multiple VPN connections.
VPN Groups Overview
Navigate to "Network Objects > VPN Groups" to display the list of VPN group objects that are currently defined on the system in the item list bar.
In the expanded view, the table displays the "Name" of the VPN group. The buttons in
the last column allow you to view and adjust the settings for an existing VPN group,
create a group based on a copy of an existing VPN group or delete a group from the
system.
For further information, see Chapter 3.2, "Icons and Buttons", on page 17.
VPN Groups Settings
The "VPN Group" settings allow you to configure the following elements:
Field and description:
"Object Name": Specify a name for the VPN group.
"Color": Select the color to be used for this object on the desktop.
"VPN Connections": Select the VPN connections you want to add to the group. Select the "Type" of the VPN connection you want to add from the drop-down list. Under "Name", choose the desired connection from the drop-down list. Click "Add" to add the connection to the list.
You can edit or delete each single entry in the list by clicking the appropriate button next to an entry. For further information, see Chapter 3.2, "Icons and Buttons", on page 17.
Note: If you edit an entry, a check mark appears on the right of the entry. Click the check mark to apply your changes.
Note: VPN connections may belong to multiple VPN groups.
The buttons at the bottom right of the editor panel depend on whether you add a new VPN group or edit an existing group. For a newly configured group, click "Create" to add the group to the list of available VPN groups or "Cancel" to discard your changes. To edit an existing group, click "Save" to store the reconfigured group or "Reset" to discard your changes. You can click "Close" to shut the editor panel as long as no changes have been made on it.
Click "Activate" in the toolbar at the top of the desktop to apply your configuration changes.
3.4.4.12 VPN Networks
Create a VPN network object that can be used to configure firewall rules for VPN Site-to-Site connections.
VPN Networks Overview
Navigate to "Network Objects > VPN Networks" to display the list of VPN networks that
are currently defined on the system in the item list bar.
In the expanded view, the columns of the table display the "Name" of the VPN network,
the "Type" of the VPN connection as well as the VPN connection that the VPN network
belongs to. The buttons in the last column allow you to view and adjust the settings for
an existing VPN network, create a network based on a copy of an existing VPN network or delete a network from the system.
For further information, see Chapter 3.2, "Icons and Buttons", on page 17.
VPN Networks Settings
The "VPN Network" settings allow you to configure the following elements:
Field and description:
"Name": Specify a name for the VPN network.
"Color": Select the color to be used for this object on the desktop.
"VPN Connection Type": Select the type of the VPN connection by clicking the respective radio button.
"IPsec Connection"/"OpenVPN Connection": This field depends on the selected connection type. Select the VPN connection you want to associate to the VPN network from the drop-down list.
The buttons at the bottom right of the editor panel depend on whether you add a new VPN network or edit an existing network. For a newly configured network, click "Create" to add the network to the list of available VPN networks or "Cancel" to discard your changes. To edit an existing network, click "Save" to store the reconfigured network or "Reset" to discard your changes. You can click "Close" to shut the editor panel as long as no changes have been made on it.
Click "Activate" in the toolbar at the top of the desktop to apply your configuration changes.
3.4.4.13 Connections
Navigate to "Network Objects > Connections" to display and edit the connections between various network objects that are defined on the system.
Connections Overview
In the expanded view, the columns of the table display the nodes of the connection. The buttons in the last column allow you to view and adjust the settings for an existing connection, create a connection based on a copy of an existing connection or delete a connection from the system.
For further information, see Chapter 3.2, "Icons and Buttons", on page 17.
Copied connections are always set up between the same nodes as the original.
Connections Settings
When you edit a connection, the "Connection" panel opens where the rule set for this
connection can be modified. For further information on creating firewall rules, see
Chapter 3.3, "Firewall Rule Settings", on page 19.
Furthermore, the "URL / Content Filter" tab allows you to configure the URL and content filter for this connection:
Field and description:
"Block all by default": Select this checkbox to add all URL filters that are currently defined on the system to the blacklist and to select all content filters.
"Name": Displays the name of the URL and content filter.
"URL Filter Black"/"White": Add the URLs in the respective filters to the blacklist or whitelist by clicking the appropriate checkboxes.
"Content Filter": Select the content filters by clicking the appropriate checkboxes.
"Schedule": Displays whether the filter is always active, always inactive or active for a limited time schedule. Click the entry to modify the schedule.
If you have created application filter profiles as described under Chapter 3.4.6.1, "Application Filter", on page 91, you can enable or disable the application filter for this connection. On the "Application Filter" tab, you can set the "Mode" of the application filter to "Blacklist" or "Whitelist" or disable the application filter for each selected profile by selecting the respective radio button.
The buttons at the bottom right of the editor panel allow you to shut ("Close") the editor panel as long as no changes have been made and to store ("Save") or to discard ("Reset") your changes.
Click "Activate" in the toolbar at the top of the desktop to apply your configuration changes.
For further information on URL and content filters and the application filter, see Chapter 3.4.6.2, "URL/Content Filter", on page 93 and Chapter 3.4.6.1, "Application Filter", on page 91.
3.4.5 Desktop
The "Desktop" settings display a list of all available services and the firewall rules defined in the system.
3.4.5.1 Services
Navigate to "Desktop > Services" to display a list of all services available in the system.
When you click a service in the list, the objects and connections that use this service
are highlighted on the desktop.
When you click an object on the desktop, the services it uses are highlighted in the list
of services.
The "In Use" section at the top of the list displays the services that are actively used in
connections. The remaining sections group the services by purpose.
In the expanded view, the columns of the table display the "Name" of the service and
of the rule that uses the service, if applicable. Furthermore, they indicate whether the
service is used in a connection (green) or not (orange) as well as the "Ports" used.
3.4.5.2 Desktop Rules
Use these settings to display and modify the rules which are used to manage network
traffic. For more detailed information on firewall rules, see Chapter 3.3, "Firewall Rule
Settings", on page 19.
Navigate to "Desktop > Desktop Rules" to display the list of rules that are currently
defined on the system.
The "Filter Settings" allow you to narrow the list of rules to display only rules that
include a certain search string. You can filter the contents by choosing the required
options in the drop-down lists and/or entering search strings in the respective input
fields. Click "Apply" to make use of the selected filter options. The list of firewall rules is
adjusted to reflect your filter results. Click "Reset" to delete the selected filter options
and display an unfiltered view of the list of rules.
The table columns of the rules list display the following information:
ColumnDescription
"Object A"This column indicates the source object in the connection.
"Direction"This column displays the direction in which the rule is applied.
"Object B"This column indicates the destination object in the connection.
"Service"This column displays the name of the service of the rule.
The buttons in the last column allow you to view and adjust the settings for an existing rule. Click the edit button and the "Connection" dialog opens. For more detailed information on how to create firewall rules and edit connections, see Chapter 3.3, "Firewall Rule Settings", on page 19 and Chapter 3.4.4.13, "Connections", on page 89.
To close the "Desktop Rules" panel and return to the desktop, click the close button in the upper right corner of the panel.
3.4.6 UTM
The "UTM" settings allow you to create and edit application filter profiles, define URL/content filters and to configure antivirus, email security settings, and proxies to protect your network.
3.4.6.1 Application Filter
Application filters provide a way of filtering the network traffic based on the behavior of
the data stream. This way, parts of an application, e.g. the Skype chat function, can be
systematically filtered out, even if they are encrypted.
The application filter profiles defined here are available for use in custom firewall rules
where the selected applications are blacklisted or whitelisted (see Chapter 3.3, "Fire-
wall Rule Settings", on page 19 for further information).
In some cases, for example with Skype, the application filter can only classify applications after a certain number of packets has been exchanged. This means that a first
contact cannot be prevented. However, any subsequent packets are blocked.
The "Application Filter Settings" allow you to activate and deactivate the application filter in general.
Field and description:
"ON"/"OFF": A slider switch indicates whether the application filter is active ("ON") or inactive ("OFF"). By clicking the slider switch, you can toggle the state of the application filter. The application filter is disabled by default.
"License": This field displays license information for your application filter.
For more detailed information on application filters, see the following sections.
Application Filter Overview
Navigate to "UTM > Application Filter" to display the application filter profiles currently defined on the system.
In the expanded view, the columns of the table display the "Name" of the profile and the number of selected applications. The buttons in the last column allow you to view and adjust the settings for an existing application filter profile, create a profile based on a copy of an existing profile or delete a profile from the system.
For further information, see Chapter 3.2, "Icons and Buttons", on page 17.
Application Filter Settings
The "Application Filter Profile" settings allow you to configure the following options:
Field and description:
"Profile Name": Specify a name for the application filter profile.
"SSL Interception": Select this checkbox to enable SSL interception. With SSL interception, the gateprotect Firewall can evaluate the incoming traffic routed through SSL encrypted connections and apply the configured application filter profile to it.
In the "Rules" section:
Select the applications to be added to the profile. The table groups the applications by
"Category".
Use the "Filter" field to narrow the list of applications to display only entries that include a certain search string. Click the clear button to display an unfiltered view of the list of applications.
Click the button next to a category to display the applications it contains as well as short descriptions of all applications. Choose entire categories or single applications by selecting the appropriate checkboxes. Clear the checkbox next to a category or an application to remove it from the application filter profile. To hide the applications, click the button next to the category.
The buttons at the bottom right of the editor panel depend on whether you add a new
application filter profile or edit an existing profile. For a newly configured application filter profile, click "Create" to add it to the list of available profiles or "Cancel" to discard
your changes. To edit an existing application filter profile, click "Save" to store the
reconfigured profile or "Reset" to discard your changes. You can click "Close" to shut
the editor panel as long as no changes have been made on it.
Click "Activate" in the toolbar at the top of the desktop to apply your configuration changes.
3.4.6.2 URL/Content Filter
URL and content filters determine which websites are available to computers on the
protected network.
The URL filter function of your gateprotect Firewall checks Internet addresses (URL,
Uniform Resource Locator consisting of server name, path and filenames) received in
the HTTP traffic for allowed and/or not allowed terms according to their classification in
the black- and whitelists.
A »blacklist« approach defines a list of sites to block and grants access to all sites that
have not been explicitly forbidden. For example, if the URL of a website is on a blacklist, access to this site is blocked. Therefore, with the category "Ordering" being blacklisted, the URL http://www.amazon.de is blocked.
A »whitelist« approach can be used to limit access to a list of sites that have specifically been approved for usage and block all others. For example, if the subcategory
"Shopping" is on the blocking list but you want to allow access to the URL
http://www.amazon.de, this URL must be entered into a whitelist.
If websites do not contain any verifiable terms in their URLs, a URL filter on its own is
not enough. Therefore, the gateprotect Firewall also filters the HTTP data communication by the content of the websites. Similar to a search engine, the content filter
searches websites available on the Internet, analyzes and categorizes them and compiles the results in a database.
To use the URL and content filter, the HTTP proxy is essential. The HTTP data communication of a connection can only be filtered by URL lists and content if the HTTP
proxy is activated for this connection in the rules editor.
The URL and content filters defined here are available for use in custom firewall rules
(see Chapter 3.3, "Firewall Rule Settings", on page 19 for further information).
For more detailed information on URL/content filters, see the following sections.
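The blacklist and whitelist rules just described (a whitelist hit overrides a blacklist hit, anything unmatched is allowed, terms may use the * and ? wildcards or the RegEx syntax listed in the URL Filter table later in this chapter, and the "URLs" setting strips the part after ? before matching) can be modelled in a few lines. The script below is an added example, not part of the manual and not the firewall's own matching code. The manual does not say how the firewall tells a wildcard term from a RegEx term, so each term here carries an explicit flag; "* for whole words" is interpreted as any run of characters; the term lists and URLs are constructed sample data.

```python
import re
from dataclasses import dataclass

# Added example: a model of the URL filter list semantics described in this chapter.
# How the firewall distinguishes wildcard terms from RegEx terms is not documented,
# so each term carries an explicit flag (assumption made for this example).

MAX_IMPORT_BYTES = 1_000_000  # "default maximum file size for imports is 1 megabyte"


@dataclass(frozen=True)
class Term:
    text: str
    regex: bool = False  # False: plain term with * and ? wildcards, True: RegEx

    def pattern(self) -> "re.Pattern[str]":
        if self.regex:
            return re.compile(self.text, re.IGNORECASE)
        # Wildcards: * is taken as any run of characters (a whole word), ? as one
        # character; everything else is matched literally.
        parts = []
        for ch in self.text:
            parts.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
        return re.compile("".join(parts), re.IGNORECASE)


def load_terms(text: str, regex: bool = False) -> list:
    """Import a term list the way the "Import" button does: one entry per non-empty line."""
    if len(text.encode("utf-8")) > MAX_IMPORT_BYTES:
        raise ValueError("import exceeds the 1 megabyte limit")
    return [Term(line.strip(), regex) for line in text.splitlines() if line.strip()]


@dataclass
class URLFilter:
    name: str
    blacklist: list
    whitelist: list
    ignore_query: bool = False  # the "URLs" setting: drop everything after '?'

    def normalise(self, url: str) -> str:
        return url.split("?", 1)[0] if self.ignore_query else url

    def decide(self, url: str):
        """Return ("allow" or "block", [matching terms]). A whitelist hit wins over
        any blacklist hit; with no hit at all the URL is allowed (blacklist approach)."""
        url = self.normalise(url)
        white = [t.text for t in self.whitelist if t.pattern().search(url)]
        if white:
            return "allow", white
        black = [t.text for t in self.blacklist if t.pattern().search(url)]
        return ("block", black) if black else ("allow", [])


# Constructed sample lists (assumptions for the example, not a real policy).
BLACKLIST_IMPORT = "shop\n*.casino.*\n\nvideos?.stream.example\n"
BLACKLIST = load_terms(BLACKLIST_IMPORT) + [Term(r"\.(exe|scr)$", regex=True)]
WHITELIST = load_terms("www.amazon.de\n")

OFFICE = URLFilter("Office", BLACKLIST, WHITELIST, ignore_query=True)
OFFICE_KEEP_QUERY = URLFilter("Office (query kept)", BLACKLIST, WHITELIST, ignore_query=False)

if __name__ == "__main__":
    for url in ("http://www.amazon.de/shop/cart",
                "http://www.example.com/shop/cart",
                "http://www.casino.example/",
                "http://videos1.stream.example/clip",
                "http://dl.example.com/tool.exe?token=abc"):
        print(url, OFFICE.decide(url), OFFICE_KEEP_QUERY.decide(url))
```

The last sample URL shows why the "URLs" setting matters for anchored terms: with the query string kept, a blacklist entry ending in $ such as \.(exe|scr)$ never matches http://dl.example.com/tool.exe?token=abc, and the download is allowed; with the query string stripped it is blocked.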
URL/Content Filter Settings
Navigate to "UTM > URL/Content Filter > Settings" to configure the URL and content
filter on your gateprotect Firewall.
Field and description:
"Content Filter License": This field displays your license information for the content filter.
"URLs": Select this checkbox to exclude the query string (the part of a URL after a ?, which carries parameter values, for example for PHP scripts) from matching against blacklists and whitelists.
"Safesearch": Select this checkbox to automatically configure the setting SafeSearch=strict for searches using the search engines Google, Bing and Yahoo, which hides any adult content in search requests. This setting cannot be changed by the users.
Note: SafeSearch works only if the HTTPS proxy is active because most search engine providers use encrypted HTTPS connections on their websites.
The buttons at the bottom right of the editor panel allow you to shut ("Close") the editor panel as long as no changes have been made and to store ("Save") or to discard ("Reset") your changes.
Click "Activate" in the toolbar at the top of the desktop to apply your configuration changes.
URL/Content Filter Overview
Navigate to "UTM > URL/Content Filter > URL/Content Filter" to display the URL and
content filters currently defined on the system.
In the expanded view, the columns of the table display the "Name" of the filter and the
number of selected content filter, blacklist and whitelist entries. The buttons in the last
column allow you to view and adjust the settings for an existing URL and content filter,
create a filter based on a copy of an existing filter or delete a filter from the system.
For further information, see Chapter 3.2, "Icons and Buttons", on page 17.
URL/Content Filter Settings
The settings allow you to configure the following options:
FieldDescription
"Name"Specify a name for the URL and content filter.
In the "Content Filter" section:
Determine which websites should be available to users on the network and which
should be blocked.
Click the button next to a category to display its available subcategories. Choose
entire categories or single subcategories by selecting the appropriate checkboxes.
Clear the checkbox next to a category or a subcategory to remove it from the blacklist
or whitelist. To hide the subcategories, click the button next to the category.
In the "URL Filter" section:
Field and description:
"Blacklist"/"Whitelist": You can specify a blacklist and/or a whitelist by adding as many terms as you like into the respective list. If both lists are applied at the same time, the whitelist has higher priority.
There are two possibilities to add terms to either list:
●
Search terms can be manually added by entering a term in the input field under the appropriate list and clicking "Add".
●
Search terms can be imported from a text file by clicking "Import" on the right under the appropriate list and opening the file. The default maximum file size for imports is 1 megabyte. Each non-empty line of the selected text file adds an entry to the appropriate list.
You can edit or delete each single entry in the lists by clicking the appropriate button next to an entry. For further information, see Chapter 3.2, "Icons and Buttons", on page 17.
You can export a complete term list as a text file to the local disk by clicking "Export" on the right under the appropriate list.
Tip: The terms in either list can contain wildcards: * for whole words, ? for single characters.
To create the "Blacklist" or "Whitelist", you can enter the search terms directly or use regular expressions (RegEx):
RegEx, description and example:
".": Placeholder for any single character (ho.me - e.g. home, hole).
"*": Zero or more repetitions of the preceding character (hom* - e.g. hom, homm).
".*": Any number of characters (ho.*e - e.g. home, house).
"^": Start of a line (^home - home only at the start of the line).
"$": End of a line (home$ - home only at the end of the line).
The buttons at the bottom right of the editor panel depend on whether you add a new URL and content filter or edit an existing filter. For a newly configured URL and content filter, click "Create" to add it to the list of available filters or "Cancel" to discard your changes. To edit an existing URL and content filter, click "Save" to store the reconfigured filter or "Reset" to discard your changes. You can click "Close" to shut the editor panel as long as no changes have been made on it.
Click "Activate" in the toolbar at the top of the desktop to apply your configuration changes.
3.4.6.3 Antivirus Settings
gateprotect Firewall protects your internal network from computer viruses using the integrated virus scanner.
Under "UTM > Antivirus Settings", you can configure an antivirus scanner for your mail
proxy.
The antivirus settings allow you to configure the following elements:
95User Manual 3646.3836.02 ─ 01
R&S®GP-U/GP-E/GP-S/GP-T
"License" – This field displays your license information for the antivirus scanner.
The gateprotect Firewall uses an antivirus scanner provided by Kaspersky™ which is
included in the UTM license.
Note: When the firewall is started for the first time, the virus scanner runs as a
test version for 30 days. When this period has expired, the virus scanner is still
active but no updates or upgrades are carried out. For further information about
licensing, see Chapter 3.4.1.1, "License Settings", on page 22.
"Signatures" – This field displays the number of malware signatures that have been
downloaded and are currently active in the antivirus scanner.
"Updates" – This field displays the date of the last attempt to update the antivirus
scanner. Click the "Update now" link to manually update the antivirus scanner.
"Last Successful Update" – This field displays the date and time of the last successful
antivirus scanner update.
On the "Scanner" tab:
"ON"/"OFF" – A slider switch indicates whether the antivirus scanner for emails, HTTP(s)
and FTP is active ("ON") or inactive ("OFF"). By clicking the slider switch, you can
toggle the state of the respective service. This option is activated by default for
all services.
"Scan archived files" – This checkbox is pre-selected by default. Clear the checkbox if
you do not want the antivirus scanner to check archived files for viruses.
"Scan packed files" – This checkbox is pre-selected by default. Clear the checkbox if
you do not want the antivirus scanner to check compressed files for viruses.
"Block files containing viruses" – This checkbox is pre-selected by default. Clear the
checkbox if you do not want the antivirus scanner to scan attachments in emails and to
block files with clearly identified viruses. If a virus is detected, the recipient will
receive the email without the attachment but with the notification that the attachment
was infected.
"Block suspicious files" – This checkbox is pre-selected by default. Clear the checkbox
if you do not want the antivirus scanner to scan attachments in emails and to block
files which the antivirus scanner cannot allocate, unpack or analyze. If an attachment
looks suspicious, the recipient will receive the email without the attachment but with
the notification that the attachment might be infected.
"Block files if scan fails" – Optional: Select this checkbox to block emails if the scan
with the antivirus scanner was not completed successfully. If an error occurs during the
scan, the email will be blocked and the recipient will receive a notification. If this
checkbox is cleared, the recipient will receive a replacement email that contains the
original email as an encrypted attachment and the password required to decrypt it.
"Heuristic analysis" – Set the depth of the heuristic analysis by selecting an option
from the drop-down list. Binary data are checked for code which has similar
characteristics to a virus or could cause other damage. Under certain circumstances,
this method makes it possible to recognize variants of viruses which have no signature
of their own.
"Max. size of files for main memory scan" – Define the maximum size of files which are
scanned directly in the main memory. The default maximum size is set to 15360 kilobytes.
If the files exceed the specified size, they are not scanned for viruses.
"Max. size of files to be scanned" – Define the maximum size (in megabytes) for an
attachment to be scanned. Files exceeding the limit are not scanned. The default maximum
file size is set to 15 megabytes.
On the "Whitelist" tab, you can add trusted hosts and servers to a whitelist. Data transmitted from these hosts via HTTP or FTP is not scanned for viruses.
Under "Trusted Hosts", enter the IP address or the domain name. Click "Add" to add
the host or server to the whitelist.
You can use wildcards (* for whole words, ? for single characters) to include subdomains.
You can edit or delete each single entry in the list by clicking the appropriate button
next to an entry. For further information, see Chapter 3.2, "Icons and Buttons",
on page 17.
If you edit an entry, a check mark appears on the right of the entry. Click the check
mark to apply your changes.
Click "Export" to export your whitelist to the file system. Click "Import" to import a
whitelist.
On the "Updates" tab, you can set up automatic updates of the antivirus scanner:
"Update Servers" – The standard update server is preconfigured:
http://kav-8-5.gateprotect.com. You can add as many update servers as you like. Enter
the IP address or the domain name of an update server and click "Add" to put the update
server on the list.
You can edit or delete each single entry in the list by clicking the appropriate button
next to an entry. For further information, see Chapter 3.2, "Icons and Buttons",
on page 17.
Note: If you edit an update server, a check mark appears on the right of the entry. You
have to click the check mark before being able to save the settings of the update server.
"Automatic Updates" – Enter the date and time for the first automatic update of the
antivirus scanner. You can enter a date in the format MM/DD/YYYY or use the date picker
to set a date. Set a time by entering the time in the format hh:mm:ss.
Specify the "Interval" for updating the antivirus scanner in hours. If you enter 0h, the
update is performed immediately. Click "Add" to add the update schedule to the list.
You can edit or delete each single entry in the list by clicking the appropriate button
next to an entry. For further information, see Chapter 3.2, "Icons and Buttons",
on page 17.
Note: If you edit an entry, a check mark appears on the right of the entry. Click the
check mark to apply your changes.
The buttons at the bottom right of the editor panel allow you to shut ("Close") the editor
panel as long as no changes have been made and to store ("Save") or to discard
("Reset") your changes.
Click "Activate" in the toolbar at the top of the desktop to apply your configuration
changes.
The antivirus settings for a certain protocol (HTTP, FTP, Mail) are only applied to traffic
which matches a rule with an active proxy for that protocol. Additionally, for HTTP and
Mail the proxy must be activated as described under "HTTP Proxy Settings"
on page 101 and Chapter 3.4.6.4, "Email Security", on page 98.
3.4.6.4 Email Security
Under "UTM > Email Security" you can manage your mail filter and antispam settings.
Mail Filter Settings
Under "UTM > Email Security > Mail Filter Settings", you can activate the mail proxy on
your gateprotect Firewall. Once the mail proxy is enabled, you can filter emails by their
destination address. If filtered, these mails do not reach the recipient and/or the mail
server.
The "Mail Filter Settings" allow you to configure the following elements:
"ON"/"OFF" – A slider switch indicates whether the mail proxy is active ("ON") or
inactive ("OFF"). By clicking the slider switch, you can toggle the state of this
service. The mail proxy is deactivated by default.
"Filter Mode" – Select the button with the filter mode you desire. If "Blacklist"
(default setting) is selected, emails of all addresses in the blacklist (see below) will
never be forwarded to the mail server. Selecting "Whitelist" will forward only addresses
in the whitelist (see below) to the mail server.
"Action" – Select the button with the action you wish to be applied to the filtered
emails. While "Reject emails" (default setting) will reject unwanted emails with an
RFC-conform answer, "Delete emails" will drop unwanted emails, letting the sender
believe the email has reached the mail server.
Important: The "Delete emails" option is NOT RFC-conform. Misconfiguration can delete
important emails.
"Blacklist"/"Whitelist" – Depending on the selected filter mode, you can add as many
email addresses as you like to a blacklist or a whitelist.
There are two possibilities to add email addresses to either list:
● Email addresses can be manually added by entering an email address in the input
field and clicking "Add".
● Email addresses can be imported from a text file by clicking "Import" and opening
the file. The default maximum file size for imports is 1 megabyte. Each non-empty line
of the selected text file adds an entry to the list.
You can edit or delete each single entry in the list by clicking the appropriate button
next to an entry. For further information, see Chapter 3.2, "Icons and Buttons",
on page 17.
You can export the complete mail filter list as a text file to the local disk by
clicking "Export".
Tip: The email addresses in either mail filter list can contain wildcards: * for whole
words, ? for single characters (for example *@example.*).
The buttons at the bottom right of the editor panel allow you to shut ("Close") the editor
panel as long as no changes have been made and to store ("Save") or to discard
("Reset") your changes.
Click "Activate" in the toolbar at the top of the desktop to apply your configuration
changes.
The other mail filter, antispam and antivirus settings only take effect if the mail
proxy has been activated. For more information, see "Antispam Settings" on page 99 and
Chapter 3.4.6.3, "Antivirus Settings", on page 95.
If you use SSL inspection both in the mail filter and in firewall rules, you need to add
your CA to the truststore of your gateprotect Firewall and of your client machines.
Antispam Settings
Under "UTM > Email Security > Antispam Settings", you can configure your gateprotect Firewall to protect your system from email spam.
The "Antispam Settings" allow you to configure the following elements:
"ON"/"OFF" – A slider switch indicates whether antispam is active ("ON") or inactive
("OFF"). By clicking the slider switch, you can toggle the state of this service. This
option is activated by default.
"License" – This field displays your license information for the commercial spam filter.
Note: When the firewall is started for the first time, the spam filter runs as a test
version for 30 days. For further information about licensing, see Chapter 3.4.1.1,
"License Settings", on page 22.
"Spam Detection" – Select one of the following options by clicking the appropriate
button:
● "Confirmed" – Emails containing known and verified spam patterns are classified as
spam.
● "Bulk" – In addition to Confirmed, emails from accounts known to send bulk emails
(mass mailing) are classified as spam (default setting).
● "Suspect" – In addition to Confirmed and Bulk, emails from accounts sending
suspicious amounts of emails are classified as spam.
"Spam Tag" – Specify how spam is tagged by selecting one of the following options:
● "Header" – The original email is marked as spam in the header.
● "Subject" – The original email is marked as spam in the header and the subject is
changed according to the subject formatting (default setting).
● "Attachment" – An email detected as spam is attached to a new email that is marked
as spam both in the subject (according to the subject formatting) and in the header.
"Subject Tag format" – Specify how to tag emails which are identified as spam. The
subject tag can be any text and contain the variables %SUBJECT% (original subject of
the spam email), %SPAMCLASS%, and %SPAMCLASSNUM% (spam category). By clicking the
corresponding button, the subject tag format is reset to the default
*****SPAM*****[%SUBJECT%].
"Mail Lists" – You can specify a blacklist and/or a whitelist by adding as many email
addresses as you like into the respective list. Both mail lists can be applied at the
same time.
There are two possibilities to add email addresses to either list:
● Email addresses can be manually added by entering an email address in the input
field under the appropriate list and clicking "Add".
● Email addresses can be imported from a text file by clicking "Import" on the right
under the appropriate list and opening the file. The default maximum file size for
imports is 1 megabyte. Each non-empty line of the selected text file adds an entry to
the appropriate list.
If a sender's email address matches both lists, the email is treated as a whitelisted
item. You can edit or delete each single entry in the lists by clicking the appropriate
button next to an entry. For further information, see Chapter 3.2, "Icons and Buttons",
on page 17.
You can export a complete mail list as a text file to the local disk by clicking
"Export" on the right under the appropriate list.
Tip: The email addresses in either mail list can contain wildcards: * for whole words,
? for single characters.
The buttons at the bottom right of the editor panel allow you to shut ("Close") the editor
panel as long as no changes have been made and to store ("Save") or to discard
("Reset") your changes.
Click "Activate" in the toolbar at the top of the desktop to apply your configuration
changes.
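As an added example (not part of this manual and not the firewall's own code), the following Python models the decisions described under "Mail Filter Settings" and "Antispam Settings" above: wildcard list entries, blacklist versus whitelist mode for destination addresses, whitelist precedence when a sender matches both antispam lists, the ordering of the "Spam Detection" levels, and the %SUBJECT%/%SPAMCLASS%/%SPAMCLASSNUM% variables of the subject tag. Evaluating the wildcards with fnmatch semantics, numbering the spam classes 1 to 3, and treating a blacklisted sender as "Confirmed" spam are assumptions of this example.

```python
import fnmatch

# Spam classes in the order the manual lists them; the "Spam Detection" level
# selects that class plus every class listed before it ("Bulk" covers "Confirmed").
SPAM_CLASSES = ("Confirmed", "Bulk", "Suspect")
DEFAULT_TAG_FORMAT = "*****SPAM*****[%SUBJECT%]"

def matches_list(address, entries):
    """True if address matches any list entry. Entries may use the manual's
    wildcards * and ?; evaluating them with fnmatch semantics (case-insensitive,
    * also spanning dots) is an assumption of this example, not documented."""
    return any(fnmatch.fnmatchcase(address.lower(), e.lower()) for e in entries)

def mail_filter_accepts(recipient, entries, mode="Blacklist"):
    """Mail Filter Settings: in "Blacklist" mode a matching destination address
    is filtered out; in "Whitelist" mode only matching addresses are forwarded."""
    hit = matches_list(recipient, entries)
    return (not hit) if mode == "Blacklist" else hit

def render_tag(tag_format, subject, spam_class):
    """Expand %SUBJECT%, %SPAMCLASS% and %SPAMCLASSNUM% in the subject tag format.
    Numbering the classes 1..3 in list order is an assumption."""
    return (tag_format.replace("%SUBJECT%", subject)
            .replace("%SPAMCLASS%", spam_class)
            .replace("%SPAMCLASSNUM%", str(SPAM_CLASSES.index(spam_class) + 1)))

def handle_mail(sender, subject, detected_class, *, detection="Bulk",
                spam_tag="Subject", tag_format=DEFAULT_TAG_FORMAT,
                whitelist=(), blacklist=()):
    """Antispam Settings: decide how one message leaves the filter.
    detected_class is the class the scanner reported, or None for a clean mail.
    Returns a dict with spam, subject, header_marked and as_attachment."""
    result = {"spam": False, "subject": subject,
              "header_marked": False, "as_attachment": False}
    if matches_list(sender, whitelist):   # matching both lists counts as whitelisted
        return result
    if matches_list(sender, blacklist):   # assumption: a blacklisted sender is spam
        detected_class = detected_class or "Confirmed"
    elif (detected_class is None or
          SPAM_CLASSES.index(detected_class) > SPAM_CLASSES.index(detection)):
        return result                     # not covered by the detection level
    result["spam"] = True
    result["header_marked"] = True        # all three tag modes mark the header
    if spam_tag in ("Subject", "Attachment"):
        result["subject"] = render_tag(tag_format, subject, detected_class)
    if spam_tag == "Attachment":          # original mail becomes an attachment
        result["as_attachment"] = True    # of a new, marked mail
    return result
```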