Stonesoft stonegate 5.2 Installation Manual

STONEGATE 5.2
INSTALLATION GUIDE
INTRUSION PREVENTION SYSTEM
Legal Information
End-User License Agreement
The use of the products described in these materials is subject to the then current end-user license agreement, which can be found at the Stonesoft website:
Third Party Licenses
The StoneGate software includes several open source or third-party software packages. The appropriate software licensing information for those products can be found at the Stonesoft website:
www.stonesoft.com/en/support/third_party_licenses.html
U.S. Government Acquisitions
If Licensee is acquiring the Software, including accompanying documentation on behalf of the U.S. Government, the following provisions apply. If the Software is supplied to the Department of Defense (“DoD”), the Software is subject to “Restricted Rights”, as that term is defined in the DOD Supplement to the Federal Acquisition Regulations (“DFAR”) in paragraph 252.227-7013(c) (1). If the Software is supplied to any unit or agency of the United States Government other than DOD, the Government’s rights in the Software will be as defined in paragraph 52.227-19(c) (2) of the Federal Acquisition Regulations (“FAR”). Use, duplication, reproduction or disclosure by the Government is subject to such restrictions or successor provisions.
Product Export Restrictions
The products described in this document are subject to export control under the laws of Finland and the European Council Regulation (EC) N:o 1334/2000 of 22 June 2000 setting up a Community regime for the control of exports of dual-use items and technology (as amended). Thus, the export of this Stonesoft software in any manner is restricted and requires a license by the relevant authorities.
General Terms and Conditions of Support and Maintenance Services
The support and maintenance services for the products described in these materials are provided pursuant to the general terms for support and maintenance services and the related service description, which can be found at the Stonesoft website:
www.stonesoft.com/en/support/view_support_offering/terms/
Replacement Service
The instructions for replacement service can be found at the Stonesoft website:
www.stonesoft.com/en/support/view_support_offering/return_material_authorization/
Hardware Warranty
The appliances described in these materials have a limited hardware warranty. The terms of the hardware warranty can be found at the Stonesoft website:
www.stonesoft.com/en/support/view_support_offering/warranty_service/
Trademarks and Patents
The products described in these materials are protected by one or more of the following European and US patents: European Patent Nos. 1065844, 1189410, 1231538, 1259028, 1271283, 1289183, 1289202, 1304849, 1313290, 1326393, 1379046, 1330095, 131711, 1317937 and 1443729 and US Patent Nos. 6,650,621; 6,856,621; 6,885,633; 6,912,200; 6,996,573; 7,099,284; 7,127,739; 7,130,266; 7,130,305; 7,146,421; 7,162,737; 7,234,166; 7,260,843; 7,280,540; 7,302,480; 7,386,525; 7,406,534; 7,461,401; 7,721,084; and 7,739,727 and may be protected by other EU, US, or other patents, or pending applications. Stonesoft, the Stonesoft logo and StoneGate, are all trademarks or registered trademarks of Stonesoft Corporation. All other trademarks or registered trademarks are property of their respective owners.
Disclaimer
Although every precaution has been taken to prepare these materials, THESE MATERIALS ARE PROVIDED "AS-IS" and Stonesoft makes no warranty to the correctness of information and assumes no responsibility for errors, omissions, or resulting damages from the use of the information contained herein. All IP addresses in these materials were chosen at random and are used for illustrative purposes only.
Copyright © 2011 Stonesoft Corporation. All rights reserved. All specifications are subject to change.
Revision: SGIIG_20110816
TABLE OF CONTENTS
INTRODUCTION
CHAPTER 1
Using StoneGate Documentation . . . . . . . . . . . 7
How to Use This Guide . . . . . . . . . . . . . . . . . . 8
Documentation Available. . . . . . . . . . . . . . . . . 9
Product Documentation. . . . . . . . . . . . . . . . . 9
Support Documentation . . . . . . . . . . . . . . . . 9
System Requirements. . . . . . . . . . . . . . . . . . 10
Supported Features . . . . . . . . . . . . . . . . . . . 10
Contact Information . . . . . . . . . . . . . . . . . . . . 10
Licensing Issues . . . . . . . . . . . . . . . . . . . . . 10
Technical Support. . . . . . . . . . . . . . . . . . . . . 10
Your Comments . . . . . . . . . . . . . . . . . . . . . . 10
Other Queries. . . . . . . . . . . . . . . . . . . . . . . . 10
PREPARING FOR INSTALLATION
CHAPTER 2
Planning the IPS Installation . . . . . . . . . . . . . . 13
Introduction to StoneGate IPS . . . . . . . . . . . . . 14
Example Network Scenario . . . . . . . . . . . . . . . 14
Overview to the Installation Procedure . . . . . . . 15
Important to Know Before Installation . . . . . . . 15
Supported Platforms. . . . . . . . . . . . . . . . . . . 15
Date and Time Settings . . . . . . . . . . . . . . . . 15
Capture Interfaces . . . . . . . . . . . . . . . . . . . . 16
Switch SPAN Ports . . . . . . . . . . . . . . . . . . . 16
Network TAPs. . . . . . . . . . . . . . . . . . . . . . . 16
Cabling Guidelines . . . . . . . . . . . . . . . . . . . . 16
Speed And Duplex . . . . . . . . . . . . . . . . . . . . 17
CHAPTER 3
Installing IPS Licenses. . . . . . . . . . . . . . . . . . . 19
Getting Started with IPS Licenses . . . . . . . . . . 20
Configuration Overview . . . . . . . . . . . . . . . . . 20
Generating New Licenses . . . . . . . . . . . . . . . . 20
Installing Licenses . . . . . . . . . . . . . . . . . . . . . 21
CHAPTER 4
Configuring NAT Addresses . . . . . . . . . . . . . . . 23
Getting Started with NAT Addresses. . . . . . . . . 24
Configuration Overview . . . . . . . . . . . . . . . . . 25
Defining Locations . . . . . . . . . . . . . . . . . . . . . 25
Adding SMC Server Contact Addresses . . . . . . 26
CONFIGURING SENSORS AND ANALYZERS
CHAPTER 5
Defining Sensors and Analyzers . . . . . . . . . . . . 31
Getting Started with Defining Sensors and Analyzers . . . . . . . . . . . . . . . . . . . . . . 32
Creating Engine Elements. . . . . . . . . . . . . . . . 32
Defining System Communication Interfaces for IPS Engines . . . . . . . . . . . . . . . . . . . 33
Defining Physical Interfaces . . . . . . . . . . . . . 34
Defining VLAN Interfaces . . . . . . . . . . . . . . . 35
Defining IP Addresses . . . . . . . . . . . . . . . . . 36
Setting Interface Options for IPS Engines. . . . . 37
Defining Traffic Inspection Interfaces for Sensors 38
Defining Logical Interfaces . . . . . . . . . . . . . . 39
Defining Reset Interfaces . . . . . . . . . . . . . . . 40
Defining Capture Interfaces . . . . . . . . . . . . . 41
Defining Inline Interfaces . . . . . . . . . . . . . . . 42
Bypassing Traffic on Overload . . . . . . . . . . . . . 43
Finishing the Engine Configuration. . . . . . . . . . 44
CHAPTER 6
Saving the Initial Configuration . . . . . . . . . . . . 45
Configuration Overview . . . . . . . . . . . . . . . . . . 46
Saving the Initial Configuration for Sensors and Analyzers . . . . . . . . . . . . . . . . . . . 46
Transferring the Initial Configuration to Sensors and Analyzers . . . . . . . . . . . . . . . 49
CHAPTER 7
Configuring Routing and Installing Policies . . . 51
Configuring Routing . . . . . . . . . . . . . . . . . . . . 52
Adding Next-hop Routers . . . . . . . . . . . . . . . 53
Adding the Default Route . . . . . . . . . . . . . . . 54
Adding Other Routes . . . . . . . . . . . . . . . . . . 54
Installing the Initial Policy . . . . . . . . . . . . . . . . 55
Commanding IPS Engines. . . . . . . . . . . . . . . 57
INSTALLING SENSORS AND ANALYZERS
CHAPTER 8
Installing the Engine on Intel-Compatible Platforms . . . . . . . . . . . . . . . . . . . . . . . 61
Installing the Sensor or Analyzer Engine. . . . . . 62
Configuration Overview . . . . . . . . . . . . . . . . . 62
Obtaining Installation Files . . . . . . . . . . . . . . . 62

Downloading the Installation Files . . . . . . . . . 62
Checking File Integrity . . . . . . . . . . . . . . . . . . 62
Creating the Installation CD-ROM. . . . . . . . . . 63
Starting the Installation. . . . . . . . . . . . . . . . . . 63
Configuring the Engine . . . . . . . . . . . . . . . . . . 64
Configuring the Engine Automatically with a USB Stick . . . . . . . . . . . . . . . . . . . . 64
Configuring the Engine in the Engine Configuration Wizard . . . . . . . . . . . . . . . . . 65
Configuring the Operating System Settings . . . 65
Configuring the Network Interfaces . . . . . . . . 67
Contacting the Management Server . . . . . . . . 68
Activating the Initial Configuration . . . . . . . . 68
Filling in the Management Server Information . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Selecting the Engine Type . . . . . . . . . . . . . . 69
After Successful Management Server Contact 70
Installing the Engine in Expert Mode . . . . . . . . 70
Partitioning the Hard Disk Manually . . . . . . . . 70
Allocating Partitions . . . . . . . . . . . . . . . . . . . 71
UPGRADING
CHAPTER 9
Upgrading . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Getting Started with Upgrading . . . . . . . . . . . . 76
Configuration Overview . . . . . . . . . . . . . . . . . 77
Obtaining Installation Files . . . . . . . . . . . . . . 77
Upgrading or Generating Licenses . . . . . . . . . . 78
Upgrading Licenses Under One Proof Code. . . 78
Upgrading Licenses Under Multiple Proof Codes . . . . . . . . . . . . . . . . . . . . . . . . 79
Installing Licenses . . . . . . . . . . . . . . . . . . . . 80
Checking the Licenses . . . . . . . . . . . . . . . . . 81
Upgrading Engines Remotely . . . . . . . . . . . . . . 82
Upgrading Engines Locally . . . . . . . . . . . . . . . . 84
Upgrading from an Engine Installation CD-ROM 84
Upgrading from a ZIP Archive File. . . . . . . . . . 85
APPENDICES
APPENDIX A
Command Line Tools . . . . . . . . . . . . . . . . . . . . 89
StoneGate-Specific Commands . . . . . . . . . . . . 90
General Tools . . . . . . . . . . . . . . . . . . . . . . . . . 93
APPENDIX B
Default Communication Ports . . . . . . . . . . . . . 95
Management Center Ports . . . . . . . . . . . . . . . 96
IPS Engine Ports . . . . . . . . . . . . . . . . . . . . . . 98
APPENDIX C
Example Network Scenario . . . . . . . . . . . . . . . 101
Overview of the Example Network . . . . . . . . . . 102
Example Headquarters Intranet Network . . . . . 103
HQ Sensor Cluster . . . . . . . . . . . . . . . . . . . . 103
Example Headquarters Management Network . 104
HQ Analyzer. . . . . . . . . . . . . . . . . . . . . . . . . 104
HQ Firewall . . . . . . . . . . . . . . . . . . . . . . . . . 104
Management Center Servers . . . . . . . . . . . . 104
Example Headquarters DMZ Network . . . . . . . 105
DMZ Sensor . . . . . . . . . . . . . . . . . . . . . . . . 105
Example Branch Office Network. . . . . . . . . . . . 106
Branch Office Sensor-Analyzer. . . . . . . . . . . . 106
Branch Office Firewall. . . . . . . . . . . . . . . . . . 106
Branch Office Log Server . . . . . . . . . . . . . . . 106
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107

INTRODUCTION

In this section:
Using StoneGate Documentation - 7
CHAPTER 1

USING STONEGATE DOCUMENTATION

Welcome to Stonesoft’s StoneGate™ IPS. This chapter describes how to use the StoneGate IPS Installation Guide and lists other available documentation. It also provides directions for obtaining technical support and giving feedback.
The following sections are included:
How to Use This Guide (page 8)
Documentation Available (page 9)
Contact Information (page 10)

How to Use This Guide

This IPS Installation Guide is intended for administrators who install the StoneGate IPS system. It describes the IPS Sensor and Analyzer engine installation step by step. The chapters in this guide are organized in the general order you should follow when installing the system.
Most tasks are explained using illustrations that include explanations on the steps you need to complete in each corresponding view in your own environment. The explanations that accompany the illustrations are numbered when the illustration contains more than one step for you to perform.
Typographical Conventions
The following conventions are used throughout the documentation:
Table 1.1 Typographical Conventions
Formatting: Informative Uses
User Interface text: Text you see in the User Interface (buttons, menus, etc.) and any other interaction with the user interface are in bold-face.
References, terms: Cross-references and first use of acronyms and terms are in italics.
Command line: File names, directories, and text displayed on the screen are monospaced.
User input: User input on screen is in monospaced bold-face.
Command parameters: Command parameter names are in monospaced italics.
We use the following ways to indicate important or additional information:
Note – Notes prevent commonly-made mistakes by pointing out important points.
Caution – Cautions prevent breaches of security, information loss, or system downtime. Cautions always contain critical information that you must observe.
Tip – Tips provide additional helpful information, such as alternative ways to complete steps.
Example – Examples present a concrete scenario that clarifies the points made in the adjacent text.

Documentation Available

StoneGate documentation is divided into two main categories: Product Documentation and Support Documentation. Each StoneGate product has a separate set of manuals.
Product Documentation
The table below lists the available product documentation. PDF guides are available on the Management Center CD-ROM and at http://www.stonesoft.com/support/.
Table 1.2 Product Documentation
Guide: Description
Reference Guide: Explains the operation and features of StoneGate comprehensively. Demonstrates the general workflow and provides example scenarios for each feature area. Available for StoneGate Management Center, Firewall/VPN, and StoneGate IPS.
Installation Guide: Instructions for planning, installing, and upgrading a StoneGate system. Available for StoneGate Management Center, Firewall/VPN, and IPS.
Online Help: Describes how to configure and manage the system step-by-step. Accessible through the Help menu and by using the Help button or the F1 key in any window or dialog. Available in the StoneGate Management Client and the StoneGate Web Portal. An HTML-based system is available in the StoneGate SSL VPN Administrator through help links and icons.
Administrator’s Guide: Describes how to configure and manage the system step-by-step. Available as a combined guide for both StoneGate Firewall/VPN and StoneGate IPS, and as separate guides for StoneGate SSL VPN and StoneGate IPsec VPN Client.
User’s Guide: Instructions for end-users. Available for the StoneGate IPsec VPN Client and the StoneGate Web Portal.
Appliance Installation Guide: Instructions for physically installing and maintaining StoneGate appliances (rack mounting, cabling, etc.). Available for all StoneGate hardware appliances.
Support Documentation
The StoneGate support documentation provides additional and late-breaking technical information. These technical documents support the StoneGate Guide books, for example, by giving further examples on specific configuration scenarios.
The latest StoneGate technical documentation is available at the Stonesoft website at http://www.stonesoft.com/support/.
System Requirements
The certified platforms for running StoneGate engine software can be found at the product pages at http://www.stonesoft.com/en/products/ips/Software_Solutions/.
The hardware and software requirements for the version of StoneGate you are running can also be found in the Release Notes available at the StoneGate Support Documentation pages.
Supported Features
Not all StoneGate features are supported on all platforms. See the Appliance Software Support Table at the Stonesoft Support Documentation pages for more information.

Contact Information

For street addresses, phone numbers, and general information about StoneGate and Stonesoft Corporation, visit our website at http://www.stonesoft.com/.
Licensing Issues
You can view your current licenses at the License Center section of the Stonesoft website at
https://my.stonesoft.com/managelicense.do.
For license-related queries, e-mail order@stonesoft.com.
Technical Support
Stonesoft offers global technical support services for Stonesoft’s product families. For more information on technical support, visit the Support section at the Stonesoft website at
http://www.stonesoft.com/support/.
Your Comments
We want to make our products fulfill your needs as well as possible. We are always pleased to receive any suggestions you may have for improvements.
To comment on software and hardware products, e-mail feedback@stonesoft.com.
To comment on the documentation, e-mail documentation@stonesoft.com.
Other Queries
For queries regarding other matters, e-mail info@stonesoft.com.
PREPARING FOR INSTALLATION
In this section:
Planning the IPS Installation - 13
Installing IPS Licenses - 19
Configuring NAT Addresses - 23
CHAPTER 2

PLANNING THE IPS INSTALLATION

This chapter provides important information to take into account before the installation can begin. The chapter also includes an overview to the installation process.
The following sections are included:
Introduction to StoneGate IPS (page 14)
Example Network Scenario (page 14)
Overview to the Installation Procedure (page 15)
Important to Know Before Installation (page 15)
Capture Interfaces (page 16)

Introduction to StoneGate IPS

A StoneGate IPS system consists of Sensors, Analyzers, and the StoneGate Management Center. Sensors pick up network traffic, inspect it, and create event data for further processing by the Analyzers.
StoneGate Sensors and Analyzers can be distributed as follows:
a combined Sensor-Analyzer with these two components on a single machine.
a single node Sensor.
a Sensor cluster, which consists of 2 to 16 machines with Sensors called cluster nodes or nodes for short.
an Analyzer, which is required when a single node Sensor or a Sensor cluster is used.
You can install sensors in two basic ways:
IDS (intrusion detection system) installation: Sensors capture and inspect all traffic in the connected network segment, but do not, by default, interrupt the flow of traffic in any way.
IPS (intrusion prevention system) installation: Sensors are installed inline, so that all traffic that is to be inspected flows through the Sensor. In this setup, the Sensor itself can also be used to automatically block selected traffic according to how you configure it. Inline sensors in transparent access control mode (requires a separate license) provide transparent access control and logging for Ethernet (layer 2) traffic.
The main features of StoneGate IPS include:
Multiple detection methods: misuse detection uses fingerprints to detect known attacks. Anomaly detection uses traffic statistics to detect unusual network behavior. Protocol validation identifies violations of the defined protocol for a particular type of traffic. Event correlation in the Analyzer processes event information received from the Sensors to detect a pattern of events that might indicate an intrusion attempt.
Response mechanisms: There are several response mechanisms to anomalous traffic. These include different alerting channels, traffic recording, TCP connection termination, traffic blacklisting, and traffic blocking with inline IPS.
The sensors and analyzers are always managed centrally through the StoneGate Management Center (SMC). You must have an SMC configured before you can proceed with installing the sensors and analyzers. The SMC can be used to manage a large number of different StoneGate products. The SMC installation is covered in a separate guide. See the SMC Reference Guide for more background information on the SMC, and the IPS Reference Guide for more background information on the StoneGate sensors and analyzers.

Example Network Scenario

To get a better understanding of how StoneGate fits into a network, you can consult the Example Network Scenario that shows you one way to deploy StoneGate. See Example Network Scenario (page 101).

Overview to the Installation Procedure

1. Check the surrounding network environment as explained in Capture Interfaces (page 16).
2. Install licenses for the IPS engines. See Installing IPS Licenses (page 19).
3. If network address translation (NAT) is applied to communications between system components and the IPS engines, define Contact Addresses. See Configuring NAT Addresses (page 23).
4. Define the Sensor and Analyzer element(s) in the Management Client. See Defining Sensors and Analyzers (page 31).
5. Generate the initial configuration for the sensor and analyzer engine(s). See Saving the Initial Configuration (page 45).
6. Install and configure the sensors and analyzers.
For hardware installation and initial configuration of StoneGate appliances, see the Appliance Installation Guide that is delivered with each appliance.
For software installations, see Installing the Engine on Intel-Compatible Platforms (page 61).
7. Configure routing and install a policy on the sensor(s). See Configuring Routing and Installing Policies (page 51).
The chapters and sections of this guide proceed in the order outlined above.

Important to Know Before Installation

Before you start the installation, carefully plan the site where you are going to install the system. Consult the Reference Guide if you need more detailed background information on the operation of StoneGate than what is offered in this chapter.
Supported Platforms
Sensors and analyzers can be run on the following general types of platforms:
Purpose-built StoneGate IPS appliances.
Standard Intel-compatible servers. Search for the version-specific Hardware Requirements in the technical documentation search at http://www.stonesoft.com/en/support/.
As a VMware virtual host. There are some additional requirements and limitations when StoneGate IPS is run as a virtual host. See the Release Notes for more information. Detailed instructions can be found in Installing and Activating StoneGate IPS in VMWare ESX Server in the StoneGate Technical Documentation database.
The sensors and analyzers have an integrated, hardened Linux operating system that is always a part of the StoneGate engine software, eliminating the need for separate operating system installation, configuration, and patching.
Date and Time Settings
The time settings of the engines do not need to be adjusted, as they are automatically synchronized to the Management Server’s time setting. For this operation, the time is converted to UTC time according to the Management Server’s time zone setting.
Capture Interfaces
Sensors can be connected to a switch SPAN port or a network TAP to capture network traffic. Hubs can be used, but are not recommended. The considerations for these connection methods are explained below. Additionally, the IPS Sensor can be installed inline, so that the network traffic is routed through the Sensor, allowing active blocking of any connection.
For more specific information on compatibility of different network devices and StoneGate IPS, refer to the Stonesoft website at http://www.stonesoft.com/support/.
Switch SPAN Ports
A Switched Port Analyzer (SPAN) port is used for capturing network traffic to a defined port on a switch. This is also known as port mirroring. The capturing is done passively, so it does not interfere with the traffic.
A Sensor’s capture interface can be connected directly to a SPAN port of a switch. All the traffic to be monitored must be copied to this SPAN port.
Network TAPs
A Test Access Port (TAP) is a passive device located on the network wire between network devices. The capturing is done passively, so it does not interfere with the traffic. With a network TAP, the two directions of the network traffic are divided onto separate wires. For this reason, the Sensor needs two Capture interfaces for a network TAP: one capture interface for each direction of the traffic. The two related Capture interfaces must have the same Logical interface, which combines the traffic of these two interfaces for inspection. You could also use the pair of Capture interfaces to monitor traffic in two separate network devices.
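As an added illustration (not part of the Stonesoft guide), the Python script below shows what the shared Logical interface does for a TAP: it groups constructed packet records from the two Capture interfaces into conversations, first with both Capture interfaces mapped to one Logical interface and then with them split across two Logical interfaces, where every conversation is seen in one direction only. Interface names, addresses and packet records are constructed for the example.

```python
"""Why both Capture interfaces of a network TAP must share one Logical interface.

Added illustration, not Stonesoft code: a TAP delivers each traffic direction on
a separate wire, so each Capture interface sees only half of every conversation.
The Logical interface is what joins the halves back together for inspection.
Packet records, interface names and addresses below are constructed.
"""
from collections import defaultdict
from typing import Dict, Iterable, Tuple

# Constructed capture records: (capture_interface, src, dst, payload).
# eth1 carries the client-to-server wire of the TAP, eth2 the server-to-client wire.
PACKETS = [
    ("eth1", "10.1.1.10:51000", "10.2.2.20:80", "GET / HTTP/1.1"),
    ("eth2", "10.2.2.20:80", "10.1.1.10:51000", "HTTP/1.1 200 OK"),
    ("eth1", "10.1.1.11:51001", "10.2.2.20:443", "ClientHello"),
    ("eth2", "10.2.2.20:443", "10.1.1.11:51001", "ServerHello"),
    ("eth1", "10.1.1.10:51000", "10.2.2.20:80", "GET /index.html HTTP/1.1"),
]

# Correct configuration: both TAP wires feed the same Logical interface.
SAME_LOGICAL = {"eth1": "TAP-A", "eth2": "TAP-A"}
# Misconfiguration: the two wires are assigned to different Logical interfaces.
SPLIT_LOGICAL = {"eth1": "TAP-A", "eth2": "TAP-B"}


def conversation_report(packets: Iterable[Tuple[str, str, str, str]],
                        capture_to_logical: Dict[str, str]) -> Dict[str, Dict[str, int]]:
    """Group packets per Logical interface into conversations and count how many
    of them were seen in both directions versus in one direction only."""
    # logical interface -> conversation key -> set of (src, dst) directions seen
    seen: Dict[str, Dict[Tuple[str, str], set]] = defaultdict(lambda: defaultdict(set))
    for capture_if, src, dst, _payload in packets:
        logical = capture_to_logical[capture_if]
        key = tuple(sorted((src, dst)))  # same key for both directions of a conversation
        seen[logical][key].add((src, dst))
    report = {}
    for logical, conversations in seen.items():
        complete = sum(1 for directions in conversations.values() if len(directions) == 2)
        report[logical] = {"complete": complete,
                           "one_sided": len(conversations) - complete}
    return report


if __name__ == "__main__":
    print("shared logical interface:", conversation_report(PACKETS, SAME_LOGICAL))
    print("split logical interfaces:", conversation_report(PACKETS, SPLIT_LOGICAL))
```

With the shared Logical interface both constructed conversations are complete; with the split assignment each Logical interface holds only requests or only replies, which is the symptom to look for when a TAP-fed sensor reports half-open or one-directional traffic.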
Cabling Guidelines
Follow standard cabling with inline IPS: use straight cables to connect the sensor to switches/hubs and crossover cables to connect the sensor to hosts. Both crossover and straight cables may work when the sensors are operating normally due to software-level correction, but only the correct type of cable allows traffic to flow when fail-open network cards must pass traffic without the help of higher-level features.
Also, make sure the cables are correctly rated (CAT 5e or CAT 6 in gigabit networks).
Illustration 2.1 Correct Cable Types (figure: straight cables between the sensor and a switch/firewall or switch, crossover cable between the sensor and a host)
Speed And Duplex
Mismatched speed and duplex settings are a frequent source of networking problems. The basic principle for speed and duplex is simply that network cards at both ends of each cable must have identical settings. This principle also applies to the automatic negotiation setting: if one end of the cable is set to autonegotiate, the other end must also be set to autonegotiate and not to any fixed setting. Gigabit standards require interfaces to use autonegotiation; fixed settings are not allowed at gigabit speeds.
Inline interfaces of sensors require additional consideration: since the sensor is a “smart cable”, the settings must be matched on both links within each inline interface pair (identical settings on all four interfaces) instead of just matching settings at both ends of each cable (two + two interfaces). If one of the links has a lower maximum speed than the other link, the higher-speed link must be set to use the lower speed.
Illustration 2.2 Speed/Duplex Settings (figure: correct, 100/Full at both ends of the cable; incorrect, 100/Full at one end and 1000/Full at the other)
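The rules above can be checked mechanically before cabling. The Python script below is an added example written for this section, not Stonesoft's software; it encodes the rules as a lint over a constructed cabling plan (port names, fixed settings and hardware maximum speeds are assumptions), including an inline interface pair whose two links have different maximum speeds.

```python
"""Lint for speed and duplex settings on sensor cabling.

Added example, not Stonesoft code: it encodes the rules from the Speed And Duplex
section (both ends of a cable identical, autonegotiation on both ends or neither,
autonegotiation at gigabit speed, and all four interfaces of an inline pair matched
at the speed of the slower link). Port names and settings below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Port:
    name: str
    speed: Optional[int]    # fixed speed in Mbit/s, or None for autonegotiation
    duplex: Optional[str]   # "full" or "half", or None for autonegotiation
    max_speed: int          # highest speed the hardware supports, Mbit/s

    @property
    def auto(self) -> bool:
        return self.speed is None and self.duplex is None


Link = Tuple[Port, Port]   # the two ends of one cable


def check_link(link: Link) -> List[str]:
    """Rules for a single cable: both ends identical, gigabit only with autonegotiation."""
    a, b = link
    problems: List[str] = []
    if a.auto != b.auto:
        problems.append(f"{a.name}<->{b.name}: one end autonegotiates, the other is fixed")
    elif not a.auto and (a.speed, a.duplex) != (b.speed, b.duplex):
        problems.append(f"{a.name}<->{b.name}: fixed settings differ "
                        f"({a.speed}/{a.duplex} vs {b.speed}/{b.duplex})")
    for port in (a, b):
        if port.speed is not None and port.speed >= 1000:
            problems.append(f"{port.name}: fixed at {port.speed} Mbit/s, "
                            "but gigabit speeds require autonegotiation")
    return problems


def check_inline_pair(link1: Link, link2: Link) -> List[str]:
    """Rules for the two cables of one inline interface pair (the "smart cable"):
    all four interfaces identical, and the pair run at the slower link's maximum."""
    problems = check_link(link1) + check_link(link2)
    ports = [*link1, *link2]
    if len({(p.speed, p.duplex) for p in ports}) > 1:
        problems.append("inline pair: settings are not identical on all four interfaces")
    slowest = min(p.max_speed for p in ports)
    for p in ports:
        if p.speed is not None and p.speed > slowest:
            problems.append(f"{p.name}: fixed above {slowest} Mbit/s, "
                            "the maximum of the slower link")
    may_outrun = [p.name for p in ports if p.speed is None and p.max_speed > slowest]
    if may_outrun:
        problems.append(f"inline pair: {', '.join(may_outrun)} may negotiate above "
                        f"{slowest} Mbit/s; set the faster link to {slowest}")
    return problems


# Constructed cases, mirroring Illustration 2.2 and the inline-pair rule.
GOOD_LINK: Link = (Port("sensor-eth0", 100, "full", 1000), Port("switch-fa1", 100, "full", 100))
BAD_LINK: Link = (Port("sensor-eth0", 100, "full", 1000), Port("switch-gi1", 1000, "full", 1000))
MIXED_LINK: Link = (Port("sensor-eth1", None, None, 1000), Port("host-nic", 100, "full", 100))
GOOD_PAIR = (GOOD_LINK,
             (Port("sensor-eth1", 100, "full", 1000), Port("host-nic", 100, "full", 100)))
UNBALANCED_PAIR = ((Port("sensor-eth0", None, None, 1000), Port("switch-gi1", None, None, 1000)),
                   (Port("sensor-eth1", None, None, 1000), Port("host-nic", None, None, 100)))

if __name__ == "__main__":
    for label, result in [("good link", check_link(GOOD_LINK)),
                          ("bad link", check_link(BAD_LINK)),
                          ("mixed link", check_link(MIXED_LINK)),
                          ("good pair", check_inline_pair(*GOOD_PAIR)),
                          ("unbalanced pair", check_inline_pair(*UNBALANCED_PAIR))]:
        print(label, "->", result or "OK")
```

The unbalanced pair passes every per-cable check, which is why the inline rule needs its own pass: autonegotiation would bring the switch side up at 1000 Mbit/s while the host side can only reach 100, and the sensor would then sit between two links running at different speeds.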
CHAPTER 3

INSTALLING IPS LICENSES

This chapter instructs how to generate and install licenses for sensors and analyzers.
The following sections are included:
Getting Started with IPS Licenses (page 20)
Generating New Licenses (page 20)
Installing Licenses (page 21)

Getting Started with IPS Licenses

Each analyzer and sensor engine must have its own license. You must generate the license files and install them on the Management Server using the Management Client before you can bring your system fully operational. The Management Server’s license may also be limited to managing only a certain number of engines.
Your system may be able to automatically generate licenses for new StoneGate appliances. For automatic licensing to work, ensure that automatic updates are working in the Management Center. A factory-installed temporary license is automatically replaced with a permanent license bound to the serial code (POS) of the appliance after the appliance is configured for use.
If you do not need to install licenses for the IPS engines at this time, proceed to one of the following:
If NAT is applied to communications between any system components, proceed to Configuring NAT Addresses (page 23).
If NAT is not applied to the communications, you are ready to define the Sensor and Analyzer element(s). Proceed to Defining Sensors and Analyzers (page 31).
Configuration Overview
The following steps are needed for installing licenses for sensors and analyzers.
1. Generate the licenses at the Stonesoft website. See Generating New Licenses (page 20).
2. Install the licenses in the Management Client. See Installing Licenses (page 21).

Generating New Licenses

You generate the licenses at the Stonesoft website based on your proof-of-license (POL), included in the order confirmation message sent by Stonesoft or the proof-of-serial-number (POS) printed on the side of StoneGate appliances. Evaluation licenses are also available at the website. If you are licensing several components of the same type, remember to generate one license for each.
To generate a new license
1. Browse to the Stonesoft License Center at my.stonesoft.com/managelicense.do.
2. Enter the POL code in the License Identification field and click Submit. The license page opens.
3. Click Register. The license generation page opens.
4. Enter the Management Server’s proof-of-license code or the engine’s primary control IP address for the engines you want to license.
The Management Server’s proof-of-license can be found in the e-mail you received detailing your licenses or in the Management Client for all licenses imported into the system.
5. Click Submit Request. The license file is sent to you in a moment. It also becomes available for download at the license page.
Note – Evaluation license requests may need manual processing. See the license page for current delivery times and details.

Installing Licenses

To install licenses, the license files must be available to the computer you use to run the Management Client.
Note – All licenses can be installed even though you have not yet defined all the elements the licenses will be bound to.
To install StoneGate licenses
1. Select File > System Tools > Install Licenses.
2. Select one or more license files in the dialog that opens.
To check that the licenses were installed correctly
1. Click the Configuration icon in the toolbar and select Administration. The Administration Configuration view opens.
2. Expand the Licenses branch and select IPS.
You should see one license for each analyzer and sensor engine. If you have Management-bound engine licenses, you must bind them manually to the correct engines once you have configured the engine elements.
What’s Next?
If NAT is applied to communications between system components, proceed to Configuring NAT Addresses (page 23).
Otherwise, you are ready to define the Sensor and Analyzer element(s). Proceed to Defining Sensors and Analyzers (page 31).
CHAPTER 4

CONFIGURING NAT ADDRESSES

This chapter contains the steps needed to configure Locations and contact addresses when a NAT (network address translation) operation is applied to the communications between the sensor or analyzer and other StoneGate components.
The following sections are included:
Getting Started with NAT Addresses (page 24)
Defining Locations (page 25)
Adding SMC Server Contact Addresses (page 26)

Getting Started with NAT Addresses

If there is network address translation (NAT) between communicating system components, the translated IP address may have to be defined for system communications. All communications between the StoneGate components are presented as a table in Default Communication Ports (page 95).
You use Location elements to configure StoneGate components for NAT. There is a Default Location to which all elements belong if you do not assign them a specific Location. If NAT is applied between two system components, you must separate them into different Locations and then add a contact address for the component that needs to be contacted.
You can define a Default contact address for contacting a component (defined in the Properties dialog of the corresponding element). The component’s Default contact address is used in communications when components that belong to another Location contact the component and the component has no contact address defined for their Location.
Illustration 4.1 An Example Scenario for Using Locations
In the example scenario above, a Management Server and a Log Server manage StoneGate components both at a company’s headquarters and in a branch office.
NAT could typically be applied at the following points:
• The firewall at the headquarters or an external router may provide the SMC servers external IP addresses on the Internet. The external addresses must be defined as contact addresses so that the components at the branch offices can contact the servers across the Internet.
• The branch office firewall or an external router may provide external addresses for the StoneGate components at the branch office. Also in this case, the external IP addresses must be defined as contact addresses so that the Management Server can contact the components.
When contact addresses are needed, it may be enough to define a single new Location element, for example, for the branch office, and to group the StoneGate components at the branch office into the “Branch Office” Location. The same Location element could also be used to group together StoneGate components at any other branch office when they connect to the SMC servers at the headquarters.
Configuration Overview
To add contact addresses, proceed as follows:
1. Define Location element(s). See Defining Locations (page 25).
2. Define contact addresses for the Management Server and Log Server(s). See Adding SMC Server Contact Addresses (page 26).
3. Select the correct Location for the IPS engines when you create the Sensor and Analyzer elements. See Defining Sensors and Analyzers (page 31).

Defining Locations

The first task is to group the system components into Location elements based on which components are on the same side of a NAT device. The elements that belong to the same Location element always use the primary IP address (defined in the main Properties dialog of the element) when contacting each other.
To create a new Location element
1. Click the Configuration icon in the toolbar, and select Administration. The Administration Configuration view opens.
2. Expand Other Elements in the tree view.
3. Right-click Locations and select New Location. The Location Properties dialog opens.
4. Type in a Name.
5. Select element(s).
6. Click Add.
7. Repeat steps 5-6 until all necessary elements are added.
8. Click OK.
Repeat to add other Locations as necessary.
What’s Next?
If your Management Server or Log Server needs a contact address configuration, proceed to Adding SMC Server Contact Addresses (page 26).
If you plan to add contact addresses only for Sensor or Analyzer elements, proceed to Defining Sensors and Analyzers (page 31).

Adding SMC Server Contact Addresses

The Management Server and the Log Server can have more than one contact address for each Location. This allows you, for example, to define a contact address for each Internet link in a Multi-Link configuration for remotely managed components.
To define the Management Server and Log Server contact addresses
1. Right-click a server and select Properties. The Properties dialog for that server opens.
2. Select the Location of this server.
3. Enter the Default contact address. If the server has multiple alternative IP addresses, separate the addresses with commas.
4. Click Exceptions and define Location-specific contact addresses if the Default Contact Address(es) are not valid from all other Locations.
Note – Elements grouped in the same Location element always use the primary IP address (defined in the main Properties dialog of the element) when contacting each other. All elements not specifically put in a certain Location are treated as if they belonged to the same Location.
Close the server properties and define the contact addresses for other servers in the same way.
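The address-selection rules this chapter describes (same Location: primary IP; different Locations: the contact address defined for the contacting component's Location, otherwise the Default contact address), as an added Python model that is not StoneGate code or part of this guide. Element names, Locations and IP addresses are constructed, and the fallback to the primary IP when a component has no contact address of any kind is an assumption.

```python
# Added example (not StoneGate code): model of Location-based contact
# address resolution. All names and addresses below are constructed.
from dataclasses import dataclass, field

DEFAULT_LOCATION = "Default"  # elements with no assigned Location land here


@dataclass
class Element:
    name: str
    primary_ip: str                      # IP from the main Properties dialog
    location: str = DEFAULT_LOCATION
    default_contact: list = field(default_factory=list)  # Default contact address(es)
    exceptions: dict = field(default_factory=dict)       # Location -> [addresses]


def parse_contact_field(text: str) -> list:
    """Split the comma-separated Default contact address field (Multi-Link)."""
    return [a.strip() for a in text.split(",") if a.strip()]


def contact_addresses(source: Element, target: Element) -> list:
    """Address(es) that `source` uses to reach `target`."""
    if source.location == target.location:
        return [target.primary_ip]             # no NAT device in between
    if source.location in target.exceptions:
        return list(target.exceptions[source.location])  # Location-specific exception
    if target.default_contact:
        return list(target.default_contact)    # Default contact address(es)
    return [target.primary_ip]                 # assumption: nothing defined, use primary IP


def build_example() -> dict:
    """Constructed scenario: SMC servers at headquarters left in the Default
    Location, one IPS sensor behind NAT grouped into a Branch Office Location."""
    mgmt = Element("Management Server", "10.1.1.10",
                   default_contact=parse_contact_field("203.0.113.10, 198.51.100.10"))
    analyzer = Element("HQ Analyzer", "10.1.1.30")
    sensor = Element("Branch Sensor", "10.2.1.20", location="Branch Office",
                     default_contact=["192.0.2.20"])
    return {"mgmt": mgmt, "analyzer": analyzer, "sensor": sensor}


if __name__ == "__main__":
    e = build_example()
    for src, dst in (("sensor", "mgmt"), ("analyzer", "mgmt"), ("mgmt", "sensor")):
        print(f"{e[src].name} -> {e[dst].name}: {contact_addresses(e[src], e[dst])}")
```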
What’s Next?
Defining Sensors and Analyzers (page 31).
CONFIGURING SENSORS AND ANALYZERS
In this section:
Defining Sensors and Analyzers - 31
Saving the Initial Configuration - 45
Configuring Routing and Installing Policies - 51