Symantec 460R - Gateway Security, Gateway Security 400 Series, Gateway Security 420, Gateway Security 440, Gateway Security 460 Administrator's Manual

Symantec™ Gateway Security 400 Series
Administrator’s Guide
Supported models:
Models 420, 440, 460, and 460R
Symantec™ Gateway Security 400 Series Administrator’s Guide
Documentation version 2.1, June 23, 2004
Copyright notice
Copyright 1998–2004 Symantec Corporation. All Rights Reserved. Any technical documentation that is made available by Symantec Corporation is the copyrighted work of Symantec Corporation and is owned by Symantec Corporation. NO WARRANTY. The technical documentation is being delivered to you AS-IS and Symantec Corporation makes no warranty as to its accuracy or use. Any use of the technical documentation or the information contained therein is at the risk of the user. Documentation may include technical or other inaccuracies or typographical errors. Symantec reserves the right to make changes without prior notice.
No part of this publication may be copied without the express written permission of Symantec Corporation, 20330 Stevens Creek Blvd., Cupertino, CA 95014.
Trademarks
Symantec, the Symantec logo, and Norton AntiVirus are U.S. registered trademarks of Symantec Corporation. LiveUpdate, LiveUpdate Administration Utility, Symantec AntiVirus, and Symantec Security Response are trademarks of Symantec Corporation.
Other brands and product names mentioned in this manual may be trademarks or registered trademarks of their respective companies and are hereby acknowledged.
Printed in the United States of America.
Technical support
As part of Symantec Security Response, the Symantec global Technical Support group maintains support centers throughout the world. The Technical Support group’s primary role is to respond to specific questions on product feature/function, installation, and configuration, as well as to author content for our Web-accessible Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering as well as Symantec Security Response to provide Alerting Services and Virus Definition Updates for virus outbreaks and security alerts.
Symantec technical support offerings include:
A range of support options that give you the flexibility to select the right amount of service for any size organization
Telephone and Web support components that provide rapid response and up-to-the-minute information
Upgrade insurance that delivers automatic software upgrade protection
Content Updates for virus definitions and security signatures that ensure the highest level of protection
Global support from Symantec Security Response experts, which is available 24 hours a day, 7 days a week worldwide in a variety of languages for those customers enrolled in the Platinum Support program
Advanced features, such as the Symantec Alerting Service and Technical Account Manager role, offer enhanced response and proactive security support
Please visit our Web site for current information on Support Programs. The specific features available may vary based on the level of support purchased and the specific product that you are using.
Licensing and registration
See “Licensing” on page 111.
Contacting Technical Support
Customers with a current maintenance agreement may contact the Technical Support group by phone or online at www.symantec.com/techsupp.
Customers with Gold or Platinum support agreements may contact Platinum Technical Support through the Gold or Platinum Web site at https://www-secure.symantec.com/gold or https://www-secure.symantec.com/platinum. When contacting the Technical Support group, please have the following:
Product release level
Hardware information
Available memory, disk space, NIC information
Operating system
Version and patch level
Network topology
Router, gateway, and IP address information
Problem description
Error messages/log files
Troubleshooting performed prior to contacting Symantec
Recent software configuration changes and/or network changes
Customer Service
To contact Enterprise Customer Service online, go to www.symantec.com/techsupp, select the appropriate Global Site for your country, then select the enterprise Continue link. Customer Service is available to assist with the following types of issues:
Questions regarding product licensing or serialization
Product registration updates such as address or name changes
General product information (features, language availability, local dealers)
Latest information on product updates and upgrades
Information on upgrade insurance and maintenance contracts
Information on Symantec Value License Program
Advice on Symantec’s technical support options
Nontechnical presales questions
Missing or defective CD-ROMs or manuals
Contents
Chapter 1 Introducing the Symantec Gateway Security 400 Series
About Symantec Gateway Security 400 Series ...........................................................................................11
Key features ......................................................................................................................................................11
Firewall technology .................................................................................................................................12
Virtual Private Network (VPN) technology .........................................................................................12
Antivirus policy enforcement (AVpe) ...................................................................................................12
Static content filtering ............................................................................................................................12
Intrusion detection and intrusion prevention (IDS and IPS) ............................................................12
LiveUpdate support .................................................................................................................................12
Managing Symantec Gateway Security 400 Series locally ................................................................12
Managing Symantec Gateway Security 400 Series through SESA ..................................................13
Intended audience ...........................................................................................................................................14
Where to find more information ...................................................................................................................14
Network security best practices ....................................................................................................................15
Chapter 2 Administering the security gateway
Logging on to the Security Gateway Management Interface ...................................................................17
Navigating the user interface ........................................................................................................................18
Understanding left pane main menu options .....................................................................................19
Understanding right pane features ......................................................................................................19
Tips for using the SGMI ..........................................................................................................................20
Managing administrative access ...................................................................................................................20
Setting the administration password ...................................................................................................20
Configuring remote management .........................................................................................................21
Managing the security gateway using the serial console ..........................................................................23
Chapter 3 Configuring a connection to the outside network
About connecting to the outside network ....................................................................................................25
Network examples ...........................................................................................................................................26
Understanding the Setup Wizard .................................................................................................................29
About dual-WAN port appliances .................................................................................................................30
Understanding connection types ..................................................................................................................31
Configuring connectivity ................................................................................................................................32
DHCP ..........................................................................................................................................................32
PPPoE .........................................................................................................................................................32
Static IP and DNS .....................................................................................................................................35
PPTP ...........................................................................................................................................................36
Dial-up accounts ......................................................................................................................................37
Configuring advanced connection settings .................................................................................................40
Advanced DHCP settings ........................................................................................................................40
Advanced PPP settings ............................................................................................................................41
Maximum Transmission Unit (MTU) ...................................................................................................41
Configuring dynamic DNS ..............................................................................................................................42
Forcing dynamic DNS updates ..............................................................................................................43
Disabling dynamic DNS ..........................................................................................................................43
Configuring routing .........................................................................................................................................44
Enabling dynamic routing ......................................................................................................................44
6 Contents
Configuring static route entries ............................................................................................................44
Configuring advanced WAN/ISP settings ....................................................................................................45
High availability .......................................................................................................................................45
Load balancing .........................................................................................................................................46
SMTP binding ...........................................................................................................................................46
Binding to other protocols .....................................................................................................................47
Configuring failover ................................................................................................................................47
DNS gateway .............................................................................................................................................47
Optional network settings ......................................................................................................................48
Chapter 4 Configuring internal connections
Configuring LAN IP settings ..........................................................................................................................51
Configuring the appliance as a DHCP server ..............................................................................................52
Monitoring DHCP usage .........................................................................................................................53
Configuring port assignments .......................................................................................................................53
Standard port assignment ......................................................................................................................53
SGS Access Point Secured port assignment ........................................................................................53
Enforce VPN tunnels port assignment .................................................................................................53
Chapter 5 Network traffic control
Planning network access ................................................................................................................................55
Understanding computers and computer groups ......................................................................................55
Defining computer group membership ................................................................................................56
Defining computer groups .....................................................................................................................57
Defining inbound access .................................................................................................................................58
Defining outbound access ..............................................................................................................................59
Outbound rule example ..........................................................................................................................60
Configuring services .......................................................................................................................................61
Redirecting services ................................................................................................................................61
Configuring special applications ...................................................................................................................62
Configuring advanced options .......................................................................................................................64
Enabling the IDENT port ........................................................................................................................64
Disabling NAT mode ...............................................................................................................................64
Blocking ICMP requests ..........................................................................................................................65
Enabling WAN broadcast storm protection ........................................................................................65
Enabling IPsec pass-thru ........................................................................................................................65
Configuring an exposed host .................................................................................................................66
Chapter 6 Establishing secure VPN connections
How to use this chapter ..................................................................................................................................67
Creating security policies ...............................................................................................................................68
Understanding VPN policies ..................................................................................................................68
Creating custom Phase 2 VPN policies .................................................................................................69
Viewing VPN Policies List ......................................................................................................................70
Identifying users ..............................................................................................................................................70
Understanding user types ......................................................................................................................70
Defining users ..........................................................................................................................................71
Viewing the User List ..............................................................................................................................72
Configuring gateway-to-gateway tunnels ...................................................................................................72
Understanding gateway-to-gateway tunnels ......................................................................................72
Configuring dynamic gateway-to-gateway tunnels ...........................................................................74
Configuring static gateway-to-gateway tunnels .................................................................................75
Sharing information with the remote gateway administrator .........................................................77
Configuring client-to-gateway VPN tunnels ...............................................................................................78
Understanding Client-to-Gateway VPN tunnels .................................................................................78
Defining client VPN tunnels ..................................................................................................................80
Configuring global policy settings for client-to-gateway VPN tunnels ..........................................81
Sharing information with your clients .................................................................................................81
Monitoring VPN tunnel status .......................................................................................................................82
Chapter 7 Advanced network traffic control
How antivirus policy enforcement (AVpe) works .......................................................................................83
Before you configure AVpe ............................................................................................................................84
Configuring AVpe ............................................................................................................................................85
Enabling AVpe ..........................................................................................................................................86
Configuring the antivirus clients ..........................................................................................................87
Monitoring antivirus status ...........................................................................................................................87
Viewing AVpe log messages ...................................................................................................................87
Verifying AVpe operation ..............................................................................................................................87
About content filtering ...................................................................................................................................88
Managing content filtering lists ....................................................................................................................89
Enabling content filtering ......................................................................................................................89
Monitoring content filtering ..........................................................................................................................90
Chapter 8 Preventing attacks
Intrusion detection and intrusion prevention ............................................................................................91
Atomic packet inspection .......................................................................................................................91
Trojan horse notification ........................................................................................................................92
Setting protection preferences ......................................................................................................................92
Enabling advanced protection settings ........................................................................................................93
IP spoofing protection .............................................................................................................................93
TCP flag validation ..................................................................................................................................93
Chapter 9 Logging, monitoring and updates
Managing logging ............................................................................................................................................95
Configuring log preferences ...................................................................................................................95
Managing log messages ..........................................................................................................................98
Updating firmware ..........................................................................................................................................99
Automatically updating firmware .........................................................................................................99
Upgrading firmware manually ........................................................................................................... 102
Checking firmware update status ...................................................................................................... 104
Backing up and restoring configurations ................................................................................................. 105
Resetting the appliance ....................................................................................................................... 106
Interpreting LEDs ......................................................................................................................................... 107
LiveUpdate and firmware upgrade LED sequences ......................................................................... 108
Appendix A Troubleshooting
About troubleshooting ................................................................................................................................. 109
Accessing troubleshooting information ................................................................................................... 110
Appendix B Licensing
Appendix C Field descriptions
Logging/Monitoring field descriptions ..................................................................................................... 119
Status tab field descriptions ............................................................................................................... 120
View Log tab field descriptions ........................................................................................................... 121
Log Settings tab field descriptions ..................................................................................................... 122
Troubleshooting tab field descriptions ............................................................................................. 123
Administration field descriptions .............................................................................................................. 123
Basic Management tab field descriptions ......................................................................................... 123
Advanced Management tab field descriptions ................................................................................. 124
SNMP tab field descriptions ................................................................................................................ 125
Trusted Certificates tab field descriptions ....................................................................................... 125
LiveUpdate tab field descriptions ...................................................................................................... 126
LAN field descriptions ................................................................................................................................. 127
LAN IP & DHCP tab field descriptions ............................................................................................... 127
Port Assignments tab field descriptions ........................................................................................... 129
WAN/ISP field descriptions ........................................................................................................................ 129
Main Setup tab field descriptions ...................................................................................................... 130
Static IP & DNS tab field descriptions ............................................................................................... 131
PPPoE tab field descriptions ............................................................................................................... 131
Dial-up Backup & Analog/ISDN tab field descriptions ................................................................... 132
PPTP tab field descriptions ................................................................................................................. 134
Dynamic DNS tab field descriptions .................................................................................................. 135
Routing tab field descriptions ............................................................................................................ 136
Advanced tab field descriptions ......................................................................................................... 138
Firewall field descriptions ........................................................................................................................... 139
Computers tab field descriptions ....................................................................................................... 139
Computer Groups tab field descriptions ........................................................................................... 140
Inbound Rules field descriptions ........................................................................................................ 141
Outbound Rules tab field descriptions .............................................................................................. 142
Services tab field descriptions ............................................................................................................ 142
Special Applications tab field descriptions ...................................................................................... 143
Advanced tab field descriptions ......................................................................................................... 145
VPN field descriptions ................................................................................................................................. 146
Dynamic Tunnels tab field descriptions ........................................................................................... 147
Static Tunnels tab field descriptions ................................................................................................. 150
Client Tunnels tab field descriptions ................................................................................................. 151
Client Users tab field descriptions ..................................................................................................... 152
VPN Policies tab field descriptions .................................................................................................... 153
VPN Status tab field descriptions ...................................................................................................... 154
Advanced tab field descriptions ......................................................................................................... 155
IDS/IPS field descriptions ........................................................................................................................... 156
IDS Protection tab field descriptions ................................................................................................. 156
Advanced tab field descriptions ......................................................................................................... 157
Antivirus Policy field descriptions ............................................................................................................ 158
Content Filtering field descriptions ........................................................................................................... 159
Appendix D Joining security gateways to SESA
About joining SESA ...................................................................................................................................... 161
Preparing to join SESA ................................................................................................................................ 162
Trusted certificates ...................................................................................................................................... 162
Joining Symantec Gateway Security 400 Series to SESA ....................................................................... 163
Determining your options for joining SESA ..................................................................................... 163
Joining SESA .......................................................................................................................................... 164
Viewing SESA Agent status ................................................................................................................. 165
Understanding how security gateways obtain configurations from SESA ................................. 166
Logging on to the Symantec Management Console ................................................................................ 166
Troubleshooting problems when joining SESA ....................................................................................... 166
Leaving SESA ................................................................................................................................................. 166
Glossary
Chapter 1
Introducing the Symantec Gateway Security 400 Series
This chapter includes the following topics:
About Symantec Gateway Security 400 Series
Key features
Intended audience
Where to find more information
Network security best practices
About Symantec Gateway Security 400 Series
The Symantec Gateway Security 400 Series appliances are Symantec’s integrated security solution for enterprise remote and small branch office environments, with support for secure wireless LANs.
The Symantec Gateway Security 400 Series provides integrated security by offering six security functions in the base product:
Firewall
IPSec virtual private network (VPN) tunnels with hardware-assisted 3DES and AES encryption
Antivirus policy enforcement (AVpe)
Static content filtering
Intrusion detection and intrusion prevention
LiveUpdate support
Key features
All features are designed specifically for the small office environment. These appliances are perfect for stand-alone environments or as a complement to Symantec Gateway Security 5400 Series appliances deployed at hub sites.
All of the Symantec Gateway Security 300/400 Series models are wireless-capable. They have special wireless firmware and a CardBus slot that accommodates an optional wireless feature add-on, which consists of an integrated 802.11b/g radio card and antenna. When used with the appliance’s VPN feature, the security gateway offers the highest possible integrated security for wireless LANs.
LiveUpdate of firmware strengthens the Symantec Gateway Security 400 Series security response, making it an ideal solution for remote or small branch offices.
Firewall technology
The Symantec Gateway Security 400 Series appliance protects enterprise assets and business transactions with one of the most secure, high-performance solutions for ensuring safe connections with the Internet and between networks. Its unique architecture delivers security and speed, providing strong and transparent firewall protection against unwanted intrusion without slowing the flow of approved traffic on enterprise networks.
Virtual Private Network (VPN) technology
Symantec Gateway Security 400 Series lets organizations securely extend their network perimeters beyond the security gateway by providing VPN server proxy-secured scanning and personal firewall protection using Symantec Client VPN. A completely integrated and standards-based solution, it lets organizations establish safe, fast, and inexpensive connections, enabling new forms of business and secure access to information for authorized partners, customers, telecommuters, and remote offices.
The security gateway appliance uses VPN tunnels to send encrypted and encapsulated IP packets over public networks securely to another VPN server.
Antivirus policy enforcement (AVpe)
Symantec Gateway Security 400 Series provides antivirus policy enforcement (AVpe) at the security gateway. Symantec Gateway Security 400 Series acts as an intermediary between Symantec AntiVirus Corporate Edition servers and clients. The appliance validates that the clients are up-to-date with their virus definitions prior to allowing inbound/outbound VPN client connections and other outbound traffic.
Static content filtering
Symantec Gateway Security 400 Series supports content filtering for outbound traffic using allow and deny lists controlled by groups of security gateway users. When a group is configured to use an allow list, the content filtering component filters and drops connection requests sent to a destination that does not match an entry in the allow list.
Likewise, when a group is configured to use a deny list, the content filtering component filters and drops connection requests sent to a destination that matches an entry in the deny list.
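The allow-list and deny-list behaviour described above can be written out as a small decision routine. The following Python model is an added example for this guide, not firmware or code from the Symantec Gateway Security 400 Series. The match rule (a destination matches an entry when its hostname equals the entry or is a subdomain of it) and the URL normalisation are assumptions, since the manual does not specify how an entry is compared.

```python
from dataclasses import dataclass, field
from enum import Enum
from urllib.parse import urlsplit


class ListMode(Enum):
    """Which list a group of security gateway users is configured to use."""
    ALLOW = "allow"   # drop every request that does NOT match an entry
    DENY = "deny"     # drop every request that DOES match an entry


@dataclass
class GroupPolicy:
    """Content filtering settings for one user group."""
    name: str
    mode: ListMode
    entries: set = field(default_factory=set)   # hostnames or domain suffixes


def host_of(destination: str) -> str:
    """Normalise a URL or bare host[:port] to a lower-case hostname (assumed rule)."""
    if "://" not in destination:
        destination = "http://" + destination
    host = urlsplit(destination).hostname or ""
    return host.rstrip(".").lower()


def matches_entry(host: str, entry: str) -> bool:
    """Assumed match rule: the host equals the entry or is a subdomain of it.

    A plain substring test would let 'example.com.attacker.test' pass as
    'example.com', so the comparison is anchored at a label boundary.
    """
    entry = entry.rstrip(".").lower()
    return host == entry or host.endswith("." + entry)


def permit_outbound(policy: GroupPolicy, destination: str) -> bool:
    """Return True if the request passes the group's list, False if it is dropped."""
    host = host_of(destination)
    matched = any(matches_entry(host, e) for e in policy.entries)
    if policy.mode is ListMode.ALLOW:
        return matched        # allow list: only listed destinations pass
    return not matched        # deny list: listed destinations are dropped


if __name__ == "__main__":
    # Constructed sample policies and requests, not values from the manual.
    engineering = GroupPolicy("engineering", ListMode.ALLOW, {"example.com", "intranet.corp"})
    guests = GroupPolicy("guests", ListMode.DENY, {"blocked.test"})
    for policy in (engineering, guests):
        for dest in ("http://www.example.com/docs", "example.com.attacker.test",
                     "https://cdn.blocked.test/a", "https://fine.test/"):
            verdict = "permit" if permit_outbound(policy, dest) else "drop"
            print(f"{policy.name:12} {policy.mode.value:5} {dest:32} {verdict}")
```

Two consequences of the rule as the manual states it are visible in the model: a group on an empty allow list can reach nothing, and a group on an empty deny list can reach everything, so a newly created group should be checked against both cases before users are assigned to it.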
Intrusion detection and intrusion prevention (IDS and IPS)
Symantec Gateway Security 400 Series provides an intrusion detection and intrusion prevention component that protects internal network resources from attack by pinpointing malicious activities and identifying intrusions in real-time, letting you respond rapidly to the attacks.
LiveUpdate support
Symantec Gateway Security 400 Series incorporates patented LiveUpdate technology to keep your product up-to-date by downloading firmware updates.
Managing Symantec Gateway Security 400 Series locally
You can manage the full set of features of the Symantec Gateway Security 400 Series using the local interface, the Security Gateway Management Interface (SGMI). You can access the SGMI from an external Web browser by entering the appliance’s WAN port IP address, and then supplying the administrator’s user name and password.
The guide you are reading describes in detail the use of the SGMI.
See “Administering the security gateway” on page 15.
Managing Symantec Gateway Security 400 Series through SESA
Symantec Event Manager and Advanced Manager for Security Gateways (Group 2) v2.1 are integrated with the Symantec Enterprise Security Architecture (SESA) to provide a common framework to manage multiple Symantec Gateway Security 400 Series appliances and third-party products from a single, centralized location.
The SESA framework consists of a set of scalable, extensible, and secure technologies that make integrated security products interoperable and manageable, regardless of the size and complexity of your network.
When managing security gateways through SESA, you can manage multiple security gateways from a single user interface, regardless of the network on which your SESA Manager resides. You can group them to reflect your organizational structure and create common configurations that are shared by security gateways that have the same security postures.
The event management capabilities of Symantec Event Manager, installed with Symantec Advanced Manager, give you up-to-date information that you need to make informed decisions about the security of your network and related devices.
See the Symantec Event Manager and Advanced Manager for Security Gateways (Group 2) v2.1 Administrator’s Guide for details on using the Symantec Management Console.
Symantec Advanced Manager for Security Gateways (Group 2) v2.1
Symantec Advanced Manager for Security Gateways is a software security solution, installed on the SESA Manager computer, that plugs into the Symantec management console. It provides a Web-based graphical user interface through which you can monitor and organize a large number of security gateways, along with other SESA-compliant products.
Advanced management through SESA lets you manage both policies and location settings of connected security gateways, in addition to collecting events from those systems. SESA management also provides scalable management by allowing multiple security gateways to share common policies and location settings.
SESA management provides many features important to centralized and scalable management, including:
Logical grouping of security gateways into organizational units
Management of multiple configurations
Sharing of configurations across security gateways
Validation of multiple configurations in a single action
Distribution of configurations to many security gateways in a single action
The Symantec Advanced Manager also includes the Symantec Event Manager for Security Gateways (Group 2) v2.1 product (described in the next section) for centralized event logging, alerting and reporting.
Symantec Event Manager for Security Gateways (Group 2) v2.1
Symantec Event Manager for Security Gateways is a standards-based software security solution that provides centralized logging, alerting, and reporting across Symantec’s security gateway protection solutions and select third-party products.
Symantec Event Manager delivers security information to the SESA DataStore, letting you see a centralized, consistent view of your security events from the Symantec management console. Security events and log messages can be viewed in a variety of predefined or custom report formats.
By collecting and formatting information from Symantec and third-party supported products, the Symantec Event Manager consolidates and normalizes security event data, making impending threats more easily identifiable.
Combining powerful alert notification, enterprise reporting and role-based administration with a highly scalable secure architecture, the Symantec Event Manager is ideally suited for medium-to-large enterprises and supported security services environments.
If you have separately purchased an Event Collector for a third-party firewall product, you can also view events generated by that product.
Symantec Event Manager for Security Gateways is installed on the SESA Manager computer. You join each local security gateway to SESA using the controls provided in the Security Gateway Management Interface (SGMI).
Symantec Event Manager is automatically installed if you install the Symantec Advanced Manager for Security Gateways.
Intended audience
This manual is intended for system managers or administrators responsible for installing and maintaining the security gateway. It assumes that readers have a solid understanding of networking concepts and are comfortable using an Internet browser.
Where to find more information
The Symantec Gateway Security 400 Series functionality is described in the following manuals:
Symantec™ Gateway Security 400 Series Administrator’s Guide
The guide you are reading describes how to configure the firewall, VPN, AntiVirus policy enforcement (AVpe), content filtering, IDS, IPS, LiveUpdate, and all other features of the security gateway appliance. It is provided in PDF format on the Symantec Gateway Security 400 Series software CD-ROM.
Symantec™ Gateway Security 400 Series Installation Guide
This guide describes in detail how to install the security gateway appliance and run the Setup Wizard to get connectivity.
Symantec™ Gateway Security 400 Series Quick Start Card
This card provides abbreviated instructions for installing your appliance.
Symantec™ Gateway Security 400 Series Getting Started Guide
This guide lists the tasks that you need to perform after installing the appliance.
Symantec™ Gateway Security 400 Series Release Notes
This document provides a summary of new and changed product features, system requirements, and issues and workarounds.
Symantec™ Gateway Security 300/400 Series Wireless Implementation Guide
This guide describes how to install and configure the wireless LAN card in the appliance to create a secure WLAN.
Symantec™ Gateway Security 300/400 Series Wireless Release Notes
This document provides a summary of new and changed product features, system requirements, and issues and workarounds.
Symantec™ Event Manager and Advanced Manager for Security Gateways (Group 2) v2.1 Integration Guide
This guide describes how to integrate the Symantec security gateway into the SESA environment.
Symantec™ Event Manager and Advanced Manager for Security Gateways (Group 2) v2.1 Administrator’s Guide
This guide describes how to administer Symantec security gateways from the SESA environment using the Symantec Advanced Manager and Symantec Event Manager products.
Symantec™ Event Manager and Advanced Manager for Security Gateways (Group 2) v2.1 Release Notes
This document provides a summary of new and changed product features, system requirements, and issues and workarounds.
Network security best practices
Symantec encourages all users and administrators to adhere to the following security practices:
Turn off and remove unneeded services.
By default, many operating systems install auxiliary services that are not critical, such as an FTP server, Telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates. If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
Turn off unnecessary network services.
Automatically update your antivirus at the gateway, server, and client.
Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the security gateway, such as HTTP, FTP, mail, and DNS services.
Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
Hackers commonly break into a Web site through known security holes, so make sure your servers and applications are patched and up to date.
Eliminate all unneeded programs.
Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
Additional information, in-depth white papers, and resources regarding enterprise security solutions can be found by visiting the Symantec Enterprise Solutions Web site at http://enterprisesecurity.symantec.com.
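The attachment-blocking practice in the list above, written out as an added Python example (not code from this manual or from any Symantec product): it checks an attachment's final extension against the five extensions the manual names. Lower-casing the name and stripping trailing dots and spaces are assumed hardening steps, added because a literal comparison would let a name such as SETUP.EXE or invoice.exe. through.

```python
import os

# Extensions the manual lists as commonly used to spread viruses.
BLOCKED_EXTENSIONS = frozenset({".vbs", ".bat", ".exe", ".pif", ".scr"})


def normalise_name(filename: str) -> str:
    """Strip whitespace and trailing dots, then lower-case (assumed normalisation).

    Names such as 'invoice.exe.' or 'SETUP.EXE ' otherwise slip past a naive
    comparison of the literal extension.
    """
    return filename.strip().rstrip(". ").lower()


def attachment_is_blocked(filename: str, blocked=BLOCKED_EXTENSIONS) -> bool:
    """True if the attachment's final extension is on the block list.

    Double extensions like 'invoice.pdf.exe' are caught because only the final
    extension decides what the recipient's desktop will execute.
    """
    _, ext = os.path.splitext(normalise_name(filename))
    return ext in blocked


def filter_attachments(filenames):
    """Split a message's attachment names into (kept, removed) lists."""
    kept, removed = [], []
    for name in filenames:
        (removed if attachment_is_blocked(name) else kept).append(name)
    return kept, removed


if __name__ == "__main__":
    # Constructed sample attachment names, not data from the manual.
    sample = ["report.doc", "invoice.pdf.exe", "SETUP.EXE ", "photo.scr.", "notes.txt"]
    kept, removed = filter_attachments(sample)
    print("kept:   ", kept)
    print("removed:", removed)
```

Only the final extension is examined, so invoice.pdf.exe is removed while archive.exe.zip is kept; inspecting the contents of archives is outside what this check does and belongs to the antivirus scanning the manual recommends.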
Chapter 2
Administering the security gateway
This chapter includes the following topics:
Logging on to the Security Gateway Management Interface
Navigating the user interface
Managing administrative access
Managing the security gateway using the serial console
Logging on to the Security Gateway Management Interface
Symantec Gateway Security 400 Series appliances are managed using a browser-based console called the Security Gateway Management Interface (SGMI). The SGMI is a standalone management console for local management and log viewing.
Use one of the following supported Web browsers to connect to SGMI:
Microsoft Internet Explorer version 5.5 or 6.0 SP1
Netscape version 6.23 or 7.0
To ensure compatibility with Web sites that use older versions of HTTP, you may need to clear the proxy settings in the browser before connecting to the SGMI.
Install the appliance according to the instructions in the Symantec Gateway Security 400 Series Quick Start Card or the Symantec Gateway Security 400 Series Installation Guide before connecting to the SGMI.
The interface you see when you connect to the SGMI may vary slightly depending on the model you are managing because the number of LAN and WAN ports differs between models as shown in Table 2-1.
Table 2-1 Interfaces by model
Model      Number of WAN ports   Number of LAN ports   Number of serial (modem) ports
420/440    1                     4                     1
460/460R   2                     8                     1
To connect to the SGMI
You can connect to the SGMI either locally or remotely.
To connect to the SGMI locally
1 Browse to the LAN IP address of the appliance.
The default appliance LAN IP address is 192.168.0.1.
2 On your keyboard, press Enter.
The SGMI window displays (see Figure 2-1).
To connect to the SGMI remotely
1 Browse to the appliance’s WAN port IP address followed by port 8088, for example:
http://206.7.7.14:8088
2 On your keyboard, press Enter.
The SGMI window displays (see Figure 2-1). If this is the first time you have connected, the Setup Wizard runs automatically.
Navigating the user interface
Once you familiarize yourself with the basic structure of the user interface, you can create configurations, view security gateway status, and access system event logs. The SGMI, shown in Figure 2-1, includes the following controls:
Left pane main menu options
Right pane menu tabs
Right pane content
Command buttons (bottom)
Online Help button
Online help is available for each tab when you click the blue circle with a question mark in the top right corner of each screen.
The main menu items are located in the left pane of the window at all times.
Figure 2-1 SGMI controls (screen image with callouts for the left pane main menu options, command buttons, right pane menu tabs, right pane content, and online help button)
Note: The wireless features do not appear in the SGMI until a compatible Symantec Gateway Security WLAN (Wireless Local Area Network) Access Point option is properly installed and configured. See the Symantec Gateway Security 300/400 Series Wireless Implementation Guide for more information.
Understanding left pane main menu options
The menu options in the left pane of the SGMI let you do the following:
Logging/Monitoring Configure logging and monitoring functions. You can set up the size and rollover rate of the system log file and view current log files, archived log files, and current system status.
Administration Configure administrative functions such as setting passwords, allowing remote management of the security gateway, specifying advanced management parameters, viewing trusted certificates, and scheduling LiveUpdate frequency.
LAN Specify usable LAN IP and DHCP addresses and port assignments.
WAN/ISP Specify network connection types, DNS settings, modem settings, and routing table information.
Firewall Control the firewall functionality of the security gateway. You can set up inbound and outbound rules, enable system services, organize computer groups, map services to ports, and customize connectivity for internal network nodes.
Wireless Control the wireless functionality supported by the security gateway.
VPN Build and manage Virtual Private Network (VPN) tunnels to connect securely to remote users and gateways.
IDS/IPS Manage the level of Intrusion Detection and Intrusion Prevention you want to provide to internal network nodes.
Antivirus Policy Enable and manage antivirus protection for the security gateway and its protected network.
Content Filtering Control allow or deny lists with which you can filter or block Web sites and URLs.
Understanding right pane features
The right-pane features include the following:
Menu tabs For each left-pane menu option, there is a corresponding set of right-pane menu tabs that help break down the tasks associated with the menu item into logical groupings. For example, the Logging/Monitoring menu option contains the following tabs:
Status
View system status, including network connectivity, physical addresses, and appliance version and model information.
View Log
View the appliance log file.
Log Settings
Set the parameters for viewing the appliance log file.
Troubleshooting
Enable testing tools and debugging utilities.
Command buttons Command buttons generally save, validate, or cancel changes you have made to the right pane content. They vary with the left pane menu option selected.
Content The right pane content consists of the group of fields within the menu tab selected. The valid entries in each of the fields are described in “Field descriptions” on page 117.
Help button Clicking this button opens the help file to a page corresponding to the menu tab that is currently selected. You can then navigate to other help pages by clicking the Previous and Next buttons.
Tips for using the SGMI
The following list describes how to best work within the SGMI:
To submit a form, click the appropriate button in the user interface rather than pressing Enter on your keyboard.
If you submit a form and receive an error, click the Back button in your Web browser. This retains the data you entered.
In IP address text boxes, press the Tab key on your keyboard to switch between boxes.
If the appliance automatically restarts after you click a button to submit the form in the user interface, wait approximately one minute before attempting to access the SGMI again.
Managing administrative access
You manage administrative access by setting a password for the administrator, as well as defining the IP addresses of computers that are authorized to access the appliance from the WAN side.
You can also configure a range of IP addresses from which you can remotely manage the appliance. The administration user name is always admin.
Note: You must set the administration password before you have remote access to the SGMI.
Setting the administration password
The administration password provides secure access to the SGMI. Setting and changing the password periodically limits access to the SGMI to people who have been given the password. You must have installed the appliance and connected your browser to the SGMI to set the password. See the Symantec Gateway Security 400 Series Installation Guide for more information about setting up the appliance.
You can set or reset the administration password in a number of ways, including:
Running the Setup Wizard
The Setup Wizard will prompt you to change the password. The default password is password. See “Understanding the Setup Wizard” on page 27.
In the SGMI, on the Administration > Basic Management tab
See “To set the administration password” on page 19.
Pushing the Reset button on the rear panel
Resetting the appliance using the Reset button resets the password to password, resets the LAN IP address to 192.168.0.1, and enables the DHCP server.
See “Resetting the appliance” on page 104.
Connecting to the serial port
Resetting the appliance through the serial console resets the password to password. See “Managing the security gateway using the serial console” on page 21.
Flashing the appliance
Reflashing the appliance with the app.bin version of the firmware resets the password to password. See “Upgrading firmware manually” on page 100.
Note: You should change the administration password on a regular basis to maintain a high level of security.
To set the administration password
See “Basic Management tab field descriptions” on page 121.
To configure a password
1 In the SGMI, in the left pane, click Administration.
2 In the right pane, on the Basic Management tab, under Administration Password, in the admin’s Password text box, type the password.
Passwords are case-sensitive.
3 In the Verify Password text box, type the password again.
4 Click Save.
To manually reset the password
1 On the back of the appliance, press the reset button for 10 seconds.
2 Repeat the procedure to configure a password. See “To configure a password” on page 19.
Configuring remote management
You can access the SGMI remotely, from the WAN, using a computer with an IP address that falls within a range of addresses set on the security gateway. The range is defined by a start and end IP address, which are configured in Administration > Basic Management > Remote Management in the SGMI. You should configure the IP addresses for remote management when you first connect to the SGMI. Remote management traffic is packaged and sent using the MD5 hash algorithm for security.
Note: For security reasons, you should perform all remote management through a VPN tunnel. This provides an appropriate level of security and confidentiality for your management session.
See “Establishing secure VPN connections” on page 65.
Figure 2-2 shows a remote management configuration.
Figure 2-2 Remote management (diagram: SGMI on the remote management computer, the Symantec Gateway Security 400 Series appliance, and protected devices at 192.168.0.2 and 192.168.0.3)
To configure remote management, specify both a start and end IP address. To remotely manage from only one IP address, type it as both the start and end IP address. The start IP address is the lower number in the range of IP addresses, and the end IP address is the higher number in the range of IP addresses. Leave these fields blank to deny remote access to the SGMI.
To configure remote management
See “Basic Management tab field descriptions” on page 121.
1 In the SGMI, in the left pane, click Administration.
2 In the right pane, on the Basic Management tab, under Remote Management, in the Start IP Address text boxes, type the first IP Address (lowest in the range).
3 In the End IP Address text boxes, type the last IP Address (highest in the range).
To permit only one IP address, type the same value in both text boxes. To prevent remote access, leave these fields blank.
4 To enable remote Trivial File Transfer Protocol (TFTP) upgrades to the appliance’s firmware from the configured IP address range, check Allow Remote Firmware Upgrade. The default is disabled. See “Upgrading firmware manually” on page 100.
5 Click Save.
6 To access the SGMI remotely, browse to the <appliance IP address>:8088, where <appliance IP address> is the WAN IP address of the appliance. When you attempt to access the SGMI remotely, you must log in with the administration user name and password.
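The start and end address rule for remote management, written out as an added Python model (not the appliance’s own code): both fields blank denies remote access, equal start and end permits exactly one address, and a source address is permitted only when it lies inclusively between the two. The rejection of a reversed range and the address_count() check are assumptions added here; the manual does not say how the SGMI treats such input.

```python
import ipaddress
from typing import Optional


class RemoteManagementRange:
    """Models the Start/End IP Address fields under Administration > Basic Management.

    Both fields blank: remote access to the SGMI is denied.
    Same value in both fields: exactly one address may manage the appliance.
    Rejecting a reversed range is an assumed check, not documented appliance behaviour.
    """

    def __init__(self, start: str = "", end: str = ""):
        start, end = start.strip(), end.strip()
        self.start: Optional[ipaddress.IPv4Address] = None
        self.end: Optional[ipaddress.IPv4Address] = None
        if not start and not end:
            return                       # blank: remote management disabled
        if not start or not end:
            raise ValueError("set both Start and End IP Address, or leave both blank")
        self.start = ipaddress.IPv4Address(start)
        self.end = ipaddress.IPv4Address(end)
        if self.start > self.end:
            raise ValueError("Start IP Address must be the lower end of the range")

    @property
    def enabled(self) -> bool:
        return self.start is not None

    def address_count(self) -> int:
        """How many WAN-side addresses may reach the SGMI login page (0 when disabled)."""
        if not self.enabled:
            return 0
        return int(self.end) - int(self.start) + 1

    def permits(self, source_ip: str) -> bool:
        """True if a management attempt from source_ip falls inside the configured range."""
        if not self.enabled:
            return False
        return self.start <= ipaddress.IPv4Address(source_ip) <= self.end


if __name__ == "__main__":
    # Constructed sample ranges and source addresses (documentation prefixes), not values
    # from the manual.
    for label, rng in (("range", RemoteManagementRange("203.0.113.10", "203.0.113.20")),
                       ("single", RemoteManagementRange("203.0.113.7", "203.0.113.7")),
                       ("blank", RemoteManagementRange("", ""))):
        print(f"{label}: enabled={rng.enabled} addresses={rng.address_count()}")
        for src in ("203.0.113.7", "203.0.113.15", "198.51.100.5"):
            print(f"  {src:15} -> {'permit' if rng.permits(src) else 'deny'}")
```

address_count() is the figure worth looking at before clicking Save: a wide range admits every host in it to the SGMI login page, which is one reason the note above recommends performing remote management through a VPN tunnel.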
Managing the security gateway using the serial console
You can configure or reset the security gateway through the serial port using the null modem cable that is supplied with the security gateway. Configuring the security gateway from the serial console is useful when installing the appliance in an existing network, because it prevents the security gateway from interfering with the network when it is connected.
You can configure the following subset of settings through the serial console:
LAN IP address (IP address of the security gateway)
LAN network mask
Enable or disable the DHCP server
Range of IP addresses for the DHCP server to allocate
To manage the security gateway using the serial console
1 On the rear of the appliance, connect the null modem cable to the serial port.
2 Connect the null modem cable to your computer’s COM port.
3 On the rear of the appliance, turn DIP switch 3 to the on position (up).
4 On your keyboard, ensure that the Scroll Lock is not on.
5 Run a terminal program, such as HyperTerminal.
6 In the terminal program, set the program to connect directly to the COM port on your computer to which the appliance is physically connected.
7 Set the communication settings as follows:
Baud (Bits per second) 9600
Data bits 8
Parity None
Stop bits 1
Flow control None
8 Connect to the appliance.
9 After the terminal session has been established, on the rear panel of the appliance, quickly press the reset button.
10 At the Select? prompt, do one of the following:
Local IP Address Type 1 to change the IP address of the appliance.
Local Network Mask Type 2 to change the netmask of the appliance.
DHCP Server Type 3 to enable or disable the DHCP server feature of the appliance.
Start IP Address Type 4 to specify the first IP address in the range that the DHCP server can allocate.
Finish IP Address Type 5 to specify the last IP address in the range that the DHCP server can allocate.
Restore to Defaults Type 6 to restore the appliance’s default settings for Local IP address, local network mask, DHCP server, and DHCP range.
For example, if you are changing just the local IP address and local network mask, do the following:
Type 1.
Type the new IP address.
Type 7 to save the IP address.
Type 2.
Type the new netmask.
Type 7 to save the netmask.
Press Enter.
Or, to restore the default values for the appliance, press Enter.
11 Type 7.
The appliance restarts.
12 On the rear of the appliance, turn DIP switch 3 to the off position (down).
13 On the rear of the appliance, quickly press the reset button.
Chapter 3
Configuring a connection to the outside network
This chapter includes the following topics:
About connecting to the outside network
Network examples
Understanding the Setup Wizard
About dual-WAN port appliances
Understanding connection types
Configuring connectivity
Configuring advanced connection settings
Configuring dynamic DNS
Configuring routing
Configuring advanced WAN/ISP settings
About connecting to the outside network
The Symantec Gateway Security 400 Series WAN/ISP functionality lets you configure connections to the outside world. This can be the Internet, a corporate network, or any other external private or public network. WAN/ISP functionality can also be configured to connect to an internal LAN when the appliance is protecting an internal subnet. Configure the WAN connections as soon as you install the appliance.
You can configure or change the appliance’s connectivity on the WAN ports using the Setup Wizard or the WAN/ISP windows. The Setup Wizard is run automatically the first time you access the appliance after you complete the hardware installation.
Before you start configuring a WAN connection, determine what kind of connection you have to the outside network, and based on the connection type, gather information to use during the configuration procedure. See the Symantec Gateway Security 400 Series Installation Guide for worksheets to help you plan the configuration process.
Symantec Gateway Security 400 Series models 420 and 440 have one WAN port to configure. Models 460 and 460R appliances have two WAN ports that you can configure separately and differently depending on your needs. Some settings apply to both WAN ports, while other settings apply specifically to WAN1 or WAN2.
Warning: After you reconfigure WAN connections and restart the appliance, network traffic is temporarily interrupted. Once the appliance is restarted, VPN connections are automatically reestablished.
Network examples
This section describes the most common ways in which the Symantec Gateway Security 400 Series can be installed and deployed in your network.
Figure 3-1 shows a network diagram of a Symantec Gateway Security 400 Series connected to the Internet.
The termination point represents any network termination type. This is a device that may be provided by your Internet Service Provider (ISP), or a network switch. The computer used for appliance management is connected directly to the appliance using one of the LAN ports on the appliance, and uses a browser to connect to the Security Gateway Management Interface (SGMI). The users within the protected network communicate through the Symantec Gateway Security 400 Series appliance to the Internet.
Figure 3-1 Connection to the Internet (diagram: SGMI management computer, termination point, Symantec Gateway Security 400 Series appliance, and protected network)
Figure 3-2 shows a network diagram of an appliance connecting to an intranet. In this scenario, the appliance protects an enclave of the larger internal network from unauthorized internal users. Enclave traffic from the protected network passes through the Symantec Gateway Security 400 Series appliance and through the Symantec Gateway Security 5400 Series appliance to the Internet.
Figure 3-2 Connection to an intranet (diagram: Symantec Gateway Security 5400 Series appliance, SGMI, router, Symantec Gateway Security 400 Series appliance, protected network, and enclave network)
Figure 3-3 shows parallel subnets protected by two Symantec Gateway Security 400 Series appliances. In this scenario, each appliance protects its internal network from unauthorized internal users. Traffic from each protected network passes through the Symantec Gateway Security 400 Series to the Internet. One Symantec Gateway Security 400 Series is managed locally by the SGMI and the other is managed by the Symantec management console.
For details on managing with the Symantec management console, see the Symantec Event Manager and Advanced Manager for Security Gateways (Group 2) v2.1 Administrator’s Guide.
Figure 3-3 Parallel networks (diagram labels: Symantec Gateway Security 400 Series, SGMI, Protected network, Symantec Gateway Security 400 Series, Symantec management console, Protected network)
Figure 3-4 shows the addition of wireless clients, connecting to the Symantec wireless LAN card using VPN tunnels. In this scenario, each appliance protects its internal network and its wireless clients from unauthorized internal users. Traffic from the protected network passes through the Symantec Gateway Security 400 Series to the Internet. Again, one network is managed using SGMI and one using the Symantec management console.
For details on managing with the Symantec management console, see the Symantec Event Manager and Advanced Manager for Security Gateways (Group 2) v2.1 Administrator’s Guide.
Figure 3-4 Network with wireless clients (diagram labels: Wireless clients, Symantec Gateway Security 400 Series, SGMI, Protected network, Symantec Gateway Security 400 Series, Symantec management console, Wireless clients, Protected network)
Understanding the Setup Wizard
The Setup Wizard launches automatically the first time you browse to the appliance. The Setup Wizard helps you to configure basic connectivity to the Internet or an intranet.
The Setup Wizard verifies the current status of the WAN connection before proceeding. If the WAN port (called WAN 1 on model 460/460R) is connected to an active network, the Setup Wizard guides you through configuring LiveUpdate and setting the administrator password. If the WAN port is not currently active, the Setup Wizard guides you through entering your ISP-specific connection parameters. Later, for model 460/460R, use the WAN/ISP tab in the SGMI to configure WAN 2 or to configure advanced connection settings for either WAN port.
You can rerun the Setup Wizard at any time after the initial installation. To run the Setup Wizard, on the WAN/ISP tab > Main Setup window, click Run Setup Wizard. See the Symantec Gateway Security 400 Series Installation Guide for more information.
Note: To change the language in which the SGMI appears, rerun the Setup Wizard and select a different language.
Warning: Anything you type and save on the WAN/ISP tab overwrites what you entered previously in the Setup Wizard. This may cause a loss of WAN connectivity.
About dual-WAN port appliances
Symantec Gateway Security 400 Series models 460 and 460R appliances have two WAN ports, WAN 1 and WAN 2. Models 460 and 460R support different types of network settings on each of their WAN ports. For example, you may have a static IP account through your business as the primary WAN connection and a secondary (and less expensive) dynamic IP account for a backup connection. Each WAN port is treated as a completely different connection.
Some configurations apply to both WAN ports; for others, you must configure each WAN port separately. Table 3-1 describes WAN port configurations and whether you must configure one or both WAN ports.
Table 3-1 WAN port configurations
Configuration | WAN port | For more information
Connection types | Configure a connection type for each WAN port. | See “Understanding connection types” on page 29.
Backup account | You can configure a primary connection for WAN1 and then connect a modem to the serial port on the back of the appliance for a backup connection. | See “Dial-up accounts” on page 35.
Optional network settings | You can specify different configurations for each WAN port. | See “Optional network settings” on page 46.
Dynamic DNS | Applies to both WAN1 and WAN2. | See “Configuring dynamic DNS” on page 40.
DNS Gateway | Applies to both WAN1 and WAN2. | See “DNS gateway” on page 45.
Alive Indicator | Configure an alive indicator for each WAN port. | See “Dial-up accounts” on page 35 or “Configuring advanced WAN/ISP settings” on page 43.
Routing | Configure routing for each WAN port. | See “Configuring routing” on page 42.
WAN port load balancing and bandwidth aggregation | Set the percentage of traffic you want sent through WAN1; the remainder goes through WAN2. | See “Load balancing” on page 44.
Bind SMTP | Bind SMTP to either WAN1 or WAN2. | See “SMTP binding” on page 44.
High availability | Specify whether high availability is used for each port. | See “High availability” on page 43.
Understanding connection types
To connect the appliance to an outside or internal network, you must understand your connection type.
First, determine if you have a dial-up or broadband account. Typical dial-up accounts are analog (through a normal phone line connected to an external modem) and ISDN (through a special phone line). Typical dedicated accounts are broadband cable, DSL, T1/E1, or T3 connected to a terminal adaptor.
Table 3-2 and Table 3-3 describe the supported connection types, including the following information:
The Connection type column correlates to the option button you click on the Main Setup tab or in the Setup Wizard.
The Services column defines the types of accounts or protocols that are associated with the connection type.
The Network termination types column lists the physical devices that a particular connection type typically uses to connect to the Internet or a network.
Once you have determined your specific type of connection, refer to the appropriate configuration section later in this chapter.
Note: Connect only RJ-45 cables to the WAN ports.
Table 3-2 Dial-up connection types
Connection type | Services | Network termination types
Analog or ISDN | Plain Old Telephone Service (POTS) | Analog dial-up modem
Analog or ISDN | Integrated Services Digital Network (ISDN) | Digital dial-up modem
An ISDN modem is sometimes called a terminal adaptor.
If you have a dedicated account, refer to Table 3-3 to determine which connection type you have.
Table 3-3 Dedicated connection types
Connection type | Services | Network termination types
DHCP | Broadband cable | Cable modem
DHCP | Digital Subscriber Line (DSL) | DSL modem with Ethernet cable
DHCP | Direct Ethernet connection | Ethernet cable (usually an enclave network)
PPPoE | PPPoE | ADSL modem with Ethernet cable
Static IP (Static IP & DNS) | Broadband cable | Cable modem
Static IP (Static IP & DNS) | Digital Subscriber Line (DSL) | DSL modem
Static IP (Static IP & DNS) | T1 | Channel Service Unit/Digital Service Unit (CSU/DSU)
Static IP (Static IP & DNS) | Direct Ethernet connection | Ethernet cable (usually an enclave network)
PPTP | PPTP | DSL modem with Ethernet cable
Your ISP or network administrator may also be able to help you determine your connection type.
Configuring connectivity
Once you have determined your connection type, you can configure the appliance to connect to the Internet or intranet using the settings appropriate for that connection.
DHCP
Dynamic Host Configuration Protocol (DHCP) automates the network configuration of computers. It lets a network with many clients extract configuration information from a single DHCP server. In the case of a dedicated Internet account, the users are the clients extracting information from the ISP’s DHCP server, and IP addresses are only assigned to connected accounts.
Your ISP account may use DHCP to allocate IP addresses. Account types that frequently use DHCP are broadband cable and DSL. ISPs may authenticate broadband cable connections using the MAC (physical) address of your computer or gateway.
Before configuring DHCP for your WAN ports, you must select DHCP (Auto IP) as your connection type on the Main Setup window.
To configure DHCP
See “Main Setup tab field descriptions” on page 128.
1 In the SGMI, in the left pane, click WAN/ISP.
2 For models 420 and 440, do the following:
In the right pane, on the Main Setup tab, under Connection Type, click DHCP.
Click Save.
3 For models 460 and 460R, do the following:
To select a connection type for WAN1, under WAN1 (External), in the Connection Type drop-down list, click DHCP.
To select a connection type for WAN2, under WAN2 (External), in the Connection Type drop-down list, click DHCP.
4 Click Save.
PPPoE
Point-to-Point Protocol over Ethernet (PPPoE) is used by many Asymmetrical Digital Subscriber Line (ADSL) providers. It is a specification for connecting many users on a network to the Internet through a single dedicated medium, such as a DSL account.
You can specify whether to connect or disconnect your PPPoE account manually or automatically. This is useful to verify connectivity.
You can configure the appliance to connect only when an Internet request is made from a user on the LAN (for example, browsing to a Web site) and disconnect when the connection is idle (unused). This feature is useful if your ISP charges on a per-usage time basis.
You can use multiple logins (if your ISP account allows multi-session PPPoE) to obtain additional IP addresses for the WAN. These are called PPPoE sessions. The login may be the same user name and password as the main session or may be different for each session, depending on your ISP. Up to five sessions or IP addresses are allowed for models 420 and 440 and up to three sessions for each WAN port on models 460 and 460R. LAN hosts are bound to a session on the Computers tab in the SGMI.
See “Configuring LAN IP settings” on page 49.
Note: Multiple IP addresses on a WAN port are only supported for PPPoE connections.
By default, all settings are associated with Session 1. For multi-session PPPoE accounts, configure each session individually. If you have multiple PPPoE accounts, assign each one to a different session in the SGMI.
Before configuring the WAN ports to use a PPPoE account, gather the following information:
User name and password: All PPPoE accounts require user names and passwords. Get this information from your ISP before configuring PPPoE.
Static IP address: You may have purchased or are assigned a static IP address for the PPPoE account.
To configure PPPoE
See “PPPoE tab field descriptions” on page 129.
1 In the SGMI, in the left pane, click WAN/ISP.
2 For models 420 and 440, do the following:
In the right pane, on the Main Setup tab, under Connection Type, click PPPoE.
Click Save.
3 For models 460 and 460R, do the following:
In the right pane, on the Main Setup tab, under WAN1 (External), in the Connection Type drop-down list, click PPPoE (xDSL).
To use WAN2, under WAN2 (External), under HA Mode, click Normal.
To use WAN2, under WAN2 (External), in the Connection Type drop-down list, click PPPoE (xDSL).
On the WAN Port drop-down list, select a WAN port to configure.
Click Save.
4 If you have a multi-session PPPoE account, under WAN Port and Sessions, on the PPPoE Session drop-down list, select the appropriate session.
If you have a single-session PPPoE account, leave the PPPoE session at Session 1.
5 Under Connection, check Connect on Demand.
To connect to a PPPoE session manually, uncheck Connect on Demand, and then under Manual Control, click Connect.
6 In the Idle Time-out text box, type the number of minutes of inactivity after which you want the appliance to disconnect from the PPPoE account.
7 If you have a static IP PPPoE Internet account, in the Static IP Address text box, type the IP address. Otherwise, leave the value at 0.
8 Under Choose Service, click Query Services.
You must be disconnected from your PPPoE account to use this feature. See “Connecting manually to your PPTP account” on page 35.
9 From the Service drop-down list, select a PPPoE service.
You must click Query Services to select a service.
10 In the User Name text box, type your PPPoE account user name.
11 In the Password text box, type your PPPoE account password.
12 In the Verify Password text box, retype your PPPoE account password.
13 Click Save.
Verifying PPPoE connectivity
Once the appliance is configured to use the PPPoE account, verify that it connects correctly.
To verify connectivity
See “PPPoE tab field descriptions” on page 129.
See “Status tab field descriptions” on page 118.
1 In the SGMI, in the left pane, click WAN/ISP.
2 In the right pane, on the PPPoE tab, under Manual Control, click Connect.
3 In the left pane, click Logging/Monitoring.
In the right pane, on the Status tab, under WAN1 (External Port), the connection status is displayed.
If you are not connected, verify the following items:
Your user name and password are correct. Some ISPs expect the user name to be in email address format, for example, johndoe@myisp.net.
Check that all the cables are firmly plugged in.
Verify your account information with your ISP and check that your account is active.
Connecting manually to your PPPoE account
You can manually connect or disconnect from your PPPoE account. For models 460 and 460R, you can manually control the connection for either WAN port. This is useful to troubleshoot the connection to the ISP.
To manually control your PPPoE account
You can manually control your PPPoE account through the SGMI.
See “PPPoE tab field descriptions” on page 129.
To manually connect to the PPPoE account
1 In the SGMI, in the left pane, click WAN/ISP.
2 For models 420 and 440, in the right pane, on the PPPoE tab, under Manual Control, click Connect.
3 For models 460 and 460R, do the following:
In the right pane, on the PPPoE tab, under WAN Port and Sessions, in the WAN Port drop-down list, select the WAN port to connect.
In the Session drop-down list, select a PPPoE session.
Under Manual Control, click Connect.
To manually disconnect from the PPPoE account
1 In the SGMI, in the left pane, click WAN/ISP.
2 For models 420 and 440, in the right pane, on the PPPoE tab, under Manual Control, click Disconnect.
3 For models 460 and 460R, do the following:
In the right pane, on the PPPoE tab, under WAN Port and Sessions, in the WAN Port drop-down list, select the WAN port to disconnect.
In the Session drop-down list, select a PPPoE session.
Under Manual Control, click Disconnect.
Static IP and DNS
When you establish an account with an ISP, you may have the option to purchase a static (permanent) IP address. This lets you run a Web or FTP server, because the address remains the same all of the time. Any type of account (dial-up or dedicated) can have a static IP address.
The appliance forwards DNS lookup requests to the specified DNS server for name resolution. The appliance supports up to three DNS servers. When you specify multiple DNS servers, they are used in sequence. After the first server is used, the next request is forwarded to the second server and so on.
If you have a static IP address with your ISP or are using the appliance behind another security gateway, select Static IP and DNS for your connection type. You can specify your static IP address and the IP addresses of the DNS servers you want to use for name resolution.
Before configuring the appliance to connect with your static IP account, gather the following information:
Static IP address, netmask, and default gateway addresses | Contact your ISP or IT department for this information.
DNS addresses | You must specify the IP address for at least one, and up to three, DNS servers. Contact your ISP or IT department for this information. You do not need DNS IP address entries for dynamic Internet accounts or accounts where a DHCP server assigns the IP addresses.
If you have a static IP address with PPPoE, configure the appliance for PPPoE.
To configure static IP
See “Static IP & DNS tab field descriptions” on page 129.
1 In the SGMI, in the left pane, click WAN/ISP.
2 In the right pane, on the Main Setup tab, under Connection Type, click Static IP.
3 Click Save.
4 For models 420 and 440, do the following:
In the right pane, on the Static IP & DNS tab, under WAN IP, in the IP Address text boxes, type the desired IP address of the external (WAN) side of the appliance.
In the Network Mask text box, type the network mask.
Change this only if required by your ISP.
In the Default Gateway text box, type the IP address of the default security gateway.
In the Domain Name Servers text boxes, type the IP address for at least one, and up to three, domain name servers.
Click Save.
5 For models 460 and 460R, do the following:
Under WAN1 (External), in the Connection Type drop-down list, click Static IP.
To use WAN2, under WAN2 (External), under HA Mode, click Normal.
To use WAN2, under WAN2 (External), in the Connection Type drop-down list, click Static IP.
Click Save.
In the right pane, on the Static IP & DNS tab, under either WAN1 IP or WAN2 IP, in the IP Address text boxes, type the desired IP address of the external (WAN) side of the appliance.
In the Network Mask text box, type the network mask.
In the Default Gateway text box, type the IP address of the default security gateway.
The appliance sends any packet it does not know how to route to the default security gateway.
In the Domain Name Servers text boxes, type the IP address for at least one, and up to three, domain name servers.
6 Click Save.
PPTP
Point-to-Point Tunneling Protocol (PPTP) is a protocol that enables secure data transfer from a client to a server by creating a tunnel over a TCP/IP-based network. Symantec Gateway Security 400 Series appliances act as a PPTP access client (PAC) when you connect to a PPTP Network Server (PNS), generally with your ISP.
Before beginning PPTP configuration, gather the following information:
PPTP server IP address
IP address of the PPTP server at the ISP.
Static IP address
IP address assigned to your account.
Account information
User name and password to log in to the account.
To configure PPTP
See “PPTP tab field descriptions” on page 132.
1 In the SGMI, in the left pane, click WAN/ISP.
2 For models 420 and 440, do the following:
In the right pane, on the Main Setup tab, under Connection Type, click PPTP.
Click Save.
3 For models 460 and 460R, do the following:
Under WAN1 (External), in the Connection Type drop-down list, click PPTP.
To use WAN2, under WAN2 (External), under HA Mode, click Normal.
To use WAN2, under WAN2 (External), in the Connection Type drop-down list, click PPTP.
Click Save.
4 In the right pane, on the PPTP tab, under Connection, check Connect on Demand.
5 In the Idle Time-out text box, type the number of minutes of inactivity after which you want the appliance to disconnect the PPTP connection.
6 In the Server IP Address text box, type the IP address of the PPTP server.
7 If you have a static IP PPTP Internet account, in the Static IP Address text boxes, type the IP address. Otherwise, leave the value at 0.
8 Under User Information, in the User Name text box, type your ISP account user name.
9 In the Password text box, type your ISP account password.
10 In the Verify text box, type your ISP account password.
11 Click Save.
Verifying PPTP connectivity
Once the appliance is configured to use the PPTP account, verify that it connects correctly.
To verify PPTP connectivity
See “PPTP tab field descriptions” on page 132.
See “Status tab field descriptions” on page 118.
1 In the SGMI, in the left pane, click WAN/ISP.
2 For models 420 and 440, in the right pane, on the PPTP tab, under Manual Control, click Connect.
3 For models 460 and 460R, do the following:
In the right pane, on the PPTP tab, under WAN Port, in the WAN Port drop-down list, select the WAN port to connect.
Under Manual Control, click Connect.
4 In the left pane, click Logging/Monitoring.
In the right pane, on the Status tab, under WAN1 (External Port), the connection status is displayed.
If you are not connected, verify that you have typed your user name and password correctly. If you are still not connected, call your ISP and verify your account information and that your account is active.
Connecting manually to your PPTP account
You can manually connect to or disconnect from your PPTP account. For models 460 and 460R, you can manually control the connection for either WAN port. This is helpful for troubleshooting connectivity.
To manually control your PPTP account
For models 420 and 440, you can connect to or disconnect from your PPTP account. For models 460 and 460R, you select the WAN port to control, and then connect or disconnect.
See “PPTP tab field descriptions” on page 132.
To manually connect your PPTP account
1 In the SGMI, in the left pane, click WAN/ISP.
2 For models 420 and 440, in the right pane, on the PPTP tab, under Manual Control, click Connect.
3 For models 460 and 460R, do the following:
In the right pane, on the PPTP tab, under WAN Port, in the WAN Port drop-down list, select the WAN port to connect.
Under Manual Control, click Connect.
To manually disconnect your PPTP account
1 In the SGMI, in the left pane, click WAN/ISP.
2 For models 420 and 440, in the right pane, on the PPTP tab, under Manual Control, click Disconnect.
3 For models 460 and 460R, do the following:
In the right pane, on the PPTP tab, under WAN Port, in the WAN Port drop-down list, select the WAN port to disconnect.
Under Manual Control, click Disconnect.
Dial-up accounts
There are two basic types of dial-up accounts: analog and ISDN. Analog uses a modem that connects to a regular telephone line (using an RJ-11 connector). ISDN is a digital dial-up account type that uses a special telephone line.
On the appliance, you can use a dial-up account as your primary connection to the Internet, or as a backup to your dedicated account. In backup mode, the appliance automatically dials the ISP if the dedicated connection fails. The appliance re-engages the dedicated account when it is stable; failover from the primary connection to the modem or from the modem to the primary connection can take 30 to 60 seconds.
You can configure a primary dial-up account and a backup dial-up account. A backup dial-up account takes over if your primary dedicated account fails. First, you must connect the modem to the appliance. Then, you use the SGMI to configure the dial-up account.
You can also connect or disconnect your account manually at any time.
You must use an external modem for dial-up accounts. You connect the modem, both analog and ISDN, to the appliance through the serial port on the back of the appliance. Figure 3-5 shows the serial port on the rear panel of the models 420 and 440 appliances. Figure 3-6 shows the serial port on the rear panel of the models 460 and 460R appliances.
Figure 3-5 Rear panel of Symantec Gateway Security models 420 and 440 appliances
Figure 3-6 Rear panel of Symantec Gateway Security models 460 and 460R appliances
Before configuring the appliance to use your dial-up account as either the primary or backup connection, gather the following information and equipment:
Account information | User name, which may be different from your account name, and password for the dial-up account.
Dial-up numbers | At least one, and up to three, telephone numbers for the dial-up account.
Static IP address | Some ISPs assign static IP addresses to their accounts, or you may have purchased a static IP address.
Modem/cables | An external modem and a serial cable to connect the modem to the serial port on the back of the appliance.
Modem documentation | You may need to consult your modem’s documentation for modem command or model information.
To configure dial-up accounts
First, you must connect the modem to the appliance. Then, you use the SGMI to configure the dial-up account.
Note: If you leave the Alive Indicator Site IP or URL text box on the Main Setup tab blank, the appliance PINGs the default gateway to determine connectivity; keep this in mind if your ISP gateway blocks ICMP requests such as PING.
See “Dial-up Backup & Analog/ISDN tab field descriptions” on page 130.
To connect your modem
1 Plug one end of the serial cable into your modem.
2 Plug the other end of the serial cable into the serial port on the back of the appliance.
3 If it requires external power, plug the modem into a wall socket.
4 Turn on the modem.
To configure your primary dial-up account
1 In the SGMI, in the left pane, click WAN/ISP.
2 In the right pane, on the Main Setup tab, under Connection Type, click Analog/ISDN.
3 Click Save.
4 On the Dial-up Backup & Analog/ISDN tab, under ISP Account Information, do the following:
User Name Type the account user name.
Password Type the account password.
Verify Password Retype the account password.
Dial-up Telephone 1 Type the dial-up telephone number.
Dial-up Telephone 2 Optionally, type a backup dial-up telephone number.
Dial-up Telephone 3 Optionally, type a backup dial-up telephone number.
5 Under Modem Settings, do the following:
Model Select the model of your modem.
Line Speed Select the speed at which you want to connect.
Dial Type Select the dial type.
Redial String Type a redial string.
Initialization String Type an initialization string.
If you select a modem type other than Other, the initialization string is provided. If you select Other, you must type an initialization string.
Line Type Select the type of telephone line.
Dial String Type a dial string.
Idle Time Out Type the amount of time, in minutes, after which the connection is closed if idle.
6 Click Save.
After you click Save, the appliance restarts. Network connectivity is briefly interrupted until the restart completes.
To enable the backup dial-up account
1 In the SGMI, in the left pane, click WAN/ISP.
2 On the Dial-up Backup and Analog/ISDN tab, under Backup Mode, do the following:
Check Enable Backup Mode.
In the Alive Indicator Site IP or URL text box, type the IP address or fully-qualified domain name of the site to check connectivity.
3 Under Modem Settings, click Save.
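As an added illustration of the backup mode described above (the appliance dials the ISP when the dedicated connection fails, re-engages it once the connection is stable, and probes the default gateway when the Alive Indicator Site field is left blank), the following Python model replays a constructed sequence of probe results and shows which link carries traffic after each one. It is not the appliance's code: the consecutive-probe thresholds, the 15-second probe interval and the event names are assumptions chosen for illustration, and the addresses are constructed sample values.

```python
"""Model of a WAN alive indicator with dial-up backup mode (added example).

Assumptions, not taken from the manual: the alive indicator is a reachability
probe of one target sent over the dedicated link; the backup is dialled after
`fail_threshold` consecutive failed probes and the dedicated link is re-engaged
after `stable_threshold` consecutive successful probes.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

PRIMARY = "primary"   # dedicated WAN account
BACKUP = "backup"     # dial-up account on the serial-port modem


@dataclass
class FailoverMonitor:
    default_gateway: str
    # Alive Indicator Site IP or URL; when blank the default gateway is probed.
    alive_indicator: Optional[str] = None
    probe_interval_s: int = 15          # assumed probe cadence (constructed)
    fail_threshold: int = 3
    stable_threshold: int = 3
    active: str = PRIMARY
    events: List[str] = field(default_factory=list)   # hook for logging/alerting
    _fails: int = field(default=0, init=False)
    _oks: int = field(default=0, init=False)

    @property
    def probe_target(self) -> str:
        """Host the alive indicator probes; a blank field falls back to the gateway."""
        return self.alive_indicator or self.default_gateway

    @property
    def time_to_failover_s(self) -> int:
        """Worst-case seconds between link loss and dialling the backup."""
        return self.fail_threshold * self.probe_interval_s

    def observe(self, primary_reachable: bool) -> str:
        """Feed one probe result for the dedicated link; return the link now in use."""
        if primary_reachable:
            self._fails = 0
            self._oks += 1
        else:
            self._oks = 0
            self._fails += 1
        if self.active == PRIMARY and self._fails >= self.fail_threshold:
            self.active = BACKUP
            self.events.append("dial backup")
            self._fails = 0
        elif self.active == BACKUP and self._oks >= self.stable_threshold:
            self.active = PRIMARY
            self.events.append("re-engage primary")
            self._oks = 0
        return self.active


def run_scenario(probes: List[bool], **settings) -> Tuple[List[str], List[str]]:
    """Replay a constructed sequence of probe results; return per-probe link and events."""
    mon = FailoverMonitor(default_gateway="192.0.2.1", **settings)
    states = [mon.observe(p) for p in probes]
    return states, mon.events


if __name__ == "__main__":
    # Constructed outage: two good probes, four failures, then the link recovers.
    states, events = run_scenario([True, True, False, False, False, False, True, True, True, True])
    for i, s in enumerate(states, 1):
        print(f"probe {i}: {s}")
    print("events:", events)
```

With the assumed 15-second interval and three-probe threshold the worst-case failover is 45 seconds, inside the 30 to 60 seconds the manual quotes; the `events` list is where a real implementation would log each switch, since an unexpected period on the backup link is worth an alert.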
Controlling your dial-up account manually
You can force the appliance to connect or disconnect from your dial-up account. This is helpful for verifying connectivity.
To manually control the dial-up account
See “Dial-up Backup & Analog/ISDN tab field descriptions” on page 130.
1 In the SGMI, in the left pane, click WAN/ISP.
2 To connect to the dial-up account, on the Dial-up Backup & Analog/ISDN tab, under Manual Control, click Dial.
3 To disconnect from the dial-up account, on the Dial-up Backup & Analog/ISDN tab, under Manual Control, click Hang Up.
Verifying dial-up connectivity
Once you have configured the appliance to use your dial-up account, verify that it connects correctly.
If you are not connected, verify the following information:
You have typed your user name and password correctly.
Initialization string is correct for your model modem. Check your modem documentation for more information.
Cables are securely plugged in.
Phone jack to which the modem is connected is functioning.
Verify your account information with your ISP and that your account is active.
To verify dial-up connectivity
See “Dial-up Backup & Analog/ISDN tab field descriptions” on page 130.
See “Status tab field descriptions” on page 118.
1 In the SGMI, in the left pane, click WAN/ISP.
2 In the right pane, on the Dial-up Backup & Analog/ISDN tab, under Manual Control, click Dial.
3 In the left pane, click Logging/Monitoring.
4 In the right pane, on the Status tab, under WAN1 (External Port), next to Connection Status, your connection status is displayed.
Monitoring dial-up account status
You can view and refresh the status of your dial-up account connection.
To monitor dial-up account status
See “Dial-up Backup & Analog/ISDN tab field descriptions” on page 130.
1 In the SGMI, in the left pane, click WAN/ISP.
2 On the Dial-up Backup & Analog/ISDN tab, scroll to Analog Status.
3 To refresh the dial-up account status, on the Dial-up Backup & Analog/ISDN tab, under Modem Settings, click Refresh.
Configuring advanced connection settings
Advanced connection settings let you control your connectivity parameters more closely. If you have a DHCP connection, you can configure the renew settings. For PPPoE accounts, you can configure echo requests. For all connection types, you can specify packet size by setting the Maximum Transmission Unit (MTU).
Advanced DHCP settings
If you selected DHCP as your connection type, you can instruct the appliance to send a renew request, which tells the ISP to allocate a new IP address to the appliance.
You can tell the appliance at any time to request a new IP address by forcing a DHCP renew. However, you should only do this if requested by Symantec Technical Support.
To configure advanced DHCP settings
You can configure the idle renew time and manually force a DHCP renew request.
See “Advanced tab field descriptions” on page 136.
To configure idle renew time
1 In the SGMI, in the left pane, click WAN/ISP.
2 On the Advanced tab, under Optional Connection settings, in the Idle Renew DHCP text box, type the number of minutes after which a renew lease request is sent.
3 Click Save.
To force a DHCP renew
1 In the SGMI, in the left pane, click WAN/ISP.
2 For models 420 and 440, on the Advanced tab, under Optional Connection settings, click Force Renew.
3 For models 460 and 460R, do one of the following:
To renew WAN1, on the Advanced tab, under Optional Connection Settings, click Renew WAN1.
To renew WAN2, on the Advanced tab, under Optional Connection Settings, click Renew WAN2.
Advanced PPP settings
You can configure the echo requests that the appliance sends to verify that the appliance is connected to the PPPoE account.
To configure PPP settings
See “Advanced tab field descriptions” on page 136.
1 In the SGMI, in the left pane, click WAN/ISP.
2 On the Advanced tab, under PPP settings, do the following:
In the Time-out text box, type the number of seconds before trying another echo request.
In the Retries text box, type the number of times for the appliance to attempt to reconnect.
3 Click Save.
Note: To reset the echo request settings, click Restore Defaults. This also resets the MTU number and the DHCP Idle Renew settings to their default values.
Maximum Transmission Unit (MTU)
You can specify the maximum size of the packets that arrive at and leave the appliance through the WAN port. This is useful if a computer or another appliance along the transmission path requires a smaller MTU. On models 460 and 460R, if you are configuring WAN1 and WAN2, you can set a different MTU for each port.
To specify MTU size
See “Advanced tab field descriptions” on page 136.
1 In the SGMI, in the left pane, click WAN/ISP.
2 In the right pane, on the Advanced tab, under Optional Connection Settings, in the WAN port text box, type the MTU size.
3 Click Save.
Note: To reset the MTU size, click Restore Defaults. This also resets the echo request information and the DHCP Idle Renew settings to their default values.
Configuring dynamic DNS
Symantec Gateway Security 400 Series can use a dynamic DNS service to map dynamic IP addresses to a domain name to which users can connect.
If you receive your IP address dynamically from your ISP, dynamic DNS services let you use your own domain name (mysite.com, for example) or their domain name and your subdomain to connect to your services, such as a VPN gateway, Web site, or FTP. For example, if you set up a virtual Web server and your ISP assigns you a different IP address each time you connect the server, your users can always access www.mysite.com.
The appliances support two types of dynamic DNS services: standard and TZO. You can configure either service by specifying account information, or you can disable dynamic DNS completely.
See the Symantec Gateway Security 400 Series Release Notes for the list of supported services.
When you create an account with TZO, your ISP sends you the following information to log in and use your account: key (password), email (user name), and domain. Gather this information before configuring the appliance to use TZO. For more information about TZO dynamic DNS, go to http://www.tzo.com.
To use standard service DNS, gather the following information:
Account information
User name (which may be different from the account name) and password for the dynamic DNS account.
Server
IP address or resolvable name of the dynamic DNS server. For example, members.dyndns.org.
To configure dynamic DNS
For models 420 and 440, you can configure the WAN port to use dynamic DNS. For models 460 and 460R, you can configure WAN1, WAN2, or both ports to use dynamic DNS.
See “Dynamic DNS tab field descriptions” on page 133.
See “Main Setup tab field descriptions” on page 128.
To configure TZO dynamic DNS
1 In the SGMI, in the left pane, click WAN/ISP.
2 On the Dynamic DNS tab, under Service Type, click TZO.
3 Do one of the following:
For models 420 and 440, skip to step 4.
For models 460 and 460R, in the WAN Port drop-down list, select the WAN port for which you are configuring TZO.
4 Under TZO Dynamic DNS Service, do the following:
In the Key text box, type the key that TZO sent when the account was created.
In the Email text box, type the email address you specified when you created the TZO account.
In the Domain text box, type the domain name that TZO handles. For example, marketing.mysite.com.
5 Click Save.
To configure standard service DNS
1 In the SGMI, in the left pane, click WAN/ISP.
2 On the Dynamic DNS tab, under Service Type, click Standard.
3 Do one of the following:
For models 420 and 440, skip to step 4.
For models 460 and 460R, in the WAN Port drop-down list, select the WAN port for which you are configuring dynamic DNS.
4 Under Standard Service, do the following:
User Name Type the dynamic DNS account user name.
Password Type the dynamic DNS account password.
Verify Password Retype the dynamic DNS account password.
Server Type the IP address or DNS-resolvable name for the dynamic DNS server.
Host Name Type the host name that you want to use.
5 Optionally, under Standard Optional Settings, do the following:
To access your network with *.yourhost.yourdomain.com, where * is a CNAME like FTP or www, yourhost is the host name, and yourdomain.com is your domain name, check Wildcards.
To use a backup mail exchanger, check Backup MX.
In the Mail Exchanger text box, type the domain name of the mail exchanger.
6 Click Save.
Forcing dynamic DNS updates
When you force a dynamic DNS update, the appliance sends its current IP address, host name, and domain to the service. Do this only if requested by Symantec Technical Support.
For models 420 and 440, you can force a dynamic DNS update for the WAN port. For models 460 and 460R, you can force a dynamic DNS update for WAN1, WAN2, or both ports.
To force a DNS update
See “Dynamic DNS tab field descriptions” on page 133.
1 In the SGMI, in the left pane, click WAN/ISP.
2 For models 420 and 440, on the Dynamic DNS tab, under Service Type, click Update.
3 For models 460 and 460R, do the following:
On the Dynamic DNS tab, under Service Type, in the WAN Port drop-down list, select the WAN port to update.
Click Update.
Disabling dynamic DNS
You can disable dynamic DNS if you are hosting your own domain. On model 460 or 460R, you can disable dynamic DNS for both WAN ports.
To disable dynamic DNS
See “Dynamic DNS tab field descriptions” on page 133.
1 In the SGMI, in the left pane, click WAN/ISP.
2 For models 420 and 440, on the Dynamic DNS tab, under Service Type, click Disable.
3 For models 460 and 460R, do the following:
On the Dynamic DNS tab, under Service Type, in the WAN Port drop-down list, select the WAN port to disable.
Click Disable.
4 Click Save.
Configuring routing
If you install Symantec Gateway Security 400 Series appliances on a network with more than one directly connected router, you must specify to which router to send traffic. The appliance supports two types of routing: dynamic and static. Dynamic routing chooses the best route for packets and sends the packets to the appropriate router. Static routing sends packets to the router you specify. Routing information is maintained in a routing table.
Dynamic routing is administered using the RIP v2 protocol. When it is enabled, the appliance listens and sends RIP requests on both the internal (LAN) and external (WAN) interfaces. RIP v2 updates the routing table based on information from untrusted sources, so you should only use dynamic routing for intranet or department gateways where you can rely on trusted routing updates.
Routing helps the flow of traffic when you have multiple routers on a network. Configure dynamic or static routing to fit your needs.
Enabling dynamic routing
You do not need routing information to use dynamic routing.
To enable dynamic routing
See “Routing tab field descriptions” on page 134.
1 In the SGMI, in the left pane, click WAN/ISP.
2 On the Routing tab, under Dynamic Routing, check Enable RIP v2.
3 Click Save.
Configuring static route entries
Before adding static routing entries to the routing table, gather the destination IP, netmask, and gateway addresses for the router to which you want traffic to be routed. Contact your IT department for this information.
You can add new route entries, edit existing entries, delete entries, or view a table of entries.
Note: If NAT is enabled, only six routes display in Routing List. When NAT is disabled, all configured routes appear in the list.
To configure static route entries
You can add, edit, or delete a static routing entry, or view the list of existing entries.
See “Routing tab field descriptions” on page 134.
To add a route entry
1 In the SGMI, in the left pane, click WAN/ISP.
2 On the Routing tab, under Static Routes, do the following:
Destination IP Type the IP address to which to send packets.
Netmask Type the net mask of the router to which to send packets.
Gateway Type the IP address of the interface to which packets are sent.
Interface Select the interface from which traffic is sent.
Metric Type a number to represent the order in which you want the entry evaluated. For example, to evaluate the entry third, type 3.
3 Click Add.
To edit a route entry
1 In the SGMI, in the left pane, click WAN/ISP.
2 On the Routing tab, under Static Routes, in the Route Entry drop-down list, select a route entry.
3 Under Static Routes, change information in any of the fields.
4 Click Update.
To delete a route entry
1 In the SGMI, in the left pane, click WAN/ISP.
2 On the Routing tab, under Static Routes, in the Route Entry drop-down list, select an entry.
3 Click Delete.
To view the routing list table
1 In the SGMI, in the left pane, click WAN/ISP.
2 On the Routing tab, scroll to the bottom of the page.
Configuring advanced WAN/ISP settings
You can set advanced connectivity settings such as a DNS gateway, high availability/load balancing (HA/LB), SMTP binding, and failover. You can also set optional network settings, which identify the appliance to a network.
Note: Models 420 and 440 appliances have one WAN port, and do not support high availability, load balancing, and bandwidth aggregation.
High availability
On dual-WAN port appliances, you can configure each WAN port to failover to the other in the case of line connection failure.
You can configure high availability for each WAN port in one of three ways: Normal, Off, or Backup. Table 3-4 describes each mode.
Table 3-4 High availability modes
Mode    Description
Normal  Load balancing settings apply to the port when it is enabled and operational.
Off     WAN port is not used at all.
Backup  WAN port only passes traffic if the other WAN port is not functioning.
By default, WAN1 is set to Normal and WAN2 is set to Off.
Bandwidth aggregation lets you combine the amount of traffic that goes over WAN1 and WAN2 to increase the amount of bandwidth your clients can use. For WAN data transfer, data aggregation can provide up to double the WAN throughput, depending on traffic characteristics. If you
To configure high availability
See “Main Setup tab field descriptions” on page 128.
1 In the SGMI, in the left pane, click WAN/ISP.
2 In the right pane, on the Main Setup tab, do the following:
To configure the WAN1 port, under WAN1, select a high availability mode.
The options are Normal, Off, and Backup. The default for WAN 1 is Normal.
To configure the WAN2 port, under WAN2, select a high availability mode.
The options are Normal, Off, and Backup. The default for WAN 2 is Backup.
3 Click Save.
Load balancing
Symantec Gateway Security 400 Series models 460 and 460R appliances each have two WAN ports. On these appliances, you can configure HA/LB between the two WAN ports.
You can set the percentage of packets that is sent over WAN1 or WAN2. You enter a percentage only for WAN1; the remainder of the packets are then sent over WAN2. If you have a slower connection, use a lower value for that WAN port for best performance.
To configure load balancing
See “Advanced tab field descriptions” on page 136.
1 In the SGMI, in the left pane, click WAN/ISP.
2 On the Advanced tab, under Load Balancing, in the WAN 1 Load text box, type the percentage of traffic to pass through WAN 1. The value in the WAN 2 (Calculated) % display is calculated automatically such that the sum of the two values is 100%.
3 Click Save.
SMTP binding
Use SMTP binding when you have two different Internet connections with different ISPs used over different WAN ports. It ensures that email sent by a client goes over the WAN port associated with your email server.
If the SMTP server is on the same subnet as one of the WAN ports, the security gateway automatically binds the SMTP server to that WAN port, and you do not have to specify the bind information.
To configure SMTP binding
See “Advanced tab field descriptions” on page 136.
1 In the SGMI, in the left pane, click WAN/ISP.
2 On the Advanced tab, under Load Balancing, in the Bind SMTP with WAN Port drop-down list, select a binding option.
3 Under DNS Gateway, click Save.
Binding to other protocols
You can use the routing functionality of the firewall to bind other traffic. You add a static route to route traffic for the IP address of the destination server to a specific WAN port.
See “Configuring routing” on page 42.
Configuring failover
You can configure the appliance to periodically test the connectivity to ensure that your connection is available to your clients. After the amount of time that you specify (for example, 10 seconds), the appliance issues a PING command to the URL you specify as the Alive Indicator. If you do not specify an Alive Indicator, the default gateway is used.
Note: When selecting a URL to check, choose a fully-qualified domain name or IP address that you are sure will respond to a request, or you may receive a false positive when the connection is actually available.
When the WAN port on model 420 or 440 fails, the security gateway fails over to the serial port, which is connected to a modem. On model 460 or 460R, if one of the WAN ports fails, the security gateway fails over to the other WAN port. If both WAN ports fail, the security gateway fails over to the serial port.
If a line is physically disconnected, then the line is considered disconnected and the appliance attempts to route traffic to the serial port or the other WAN port.
If the cable is not physically disconnected, the appliance performs line checking every few seconds to determine if a line is active. If the line fails, it is shown as disconnected on the Logging/Monitoring > Status tab and an alternate route for traffic is attempted.
See “Dial-up accounts” on page 35 to configure failover for a dial-up account.
See “Connecting manually to your PPPoE account” on page 32 to configure an echo request for accounts that use PPP.
To configure failover
See “Main Setup tab field descriptions” on page 128.
1 In the SGMI, in the left pane, click WAN/ISP.
2 To configure an alive indicator for WAN1, on the Main Setup tab, under WAN1 (External), in the Alive Indicator Server text box, type the IP address or fully-qualified domain name of a server to which to send packets.
3 To configure an alive indicator for WAN2, on the Main Setup tab, under WAN2 (External), in the Alive Indicator Server text box, type the IP address or fully-qualified domain name of a server to which to send packets.
4 Click Save.
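The high availability modes of Table 3-4 and the failover order described above, as an added example that is not part of the manual or of the appliance's software: a small Python model of the line check and of path selection, with an injected probe function standing in for the appliance's PING, plus an extra check for the false-positive case the note warns about (that check is an addition here, not something the appliance performs). The WanPort fields, the probe callable and the RFC 5737 documentation addresses are assumptions and constructed sample data.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Stands in for the appliance's PING of a target (assumption: returns True when it answers)
Probe = Callable[[str], bool]


@dataclass
class WanPort:
    name: str
    mode: str                              # Table 3-4: "Normal", "Off" or "Backup"
    default_gateway: str
    alive_indicator: Optional[str] = None  # None: the default gateway is pinged instead
    cable_connected: bool = True


def line_is_up(port: WanPort, probe: Probe) -> bool:
    """Line check as the manual describes it: a physically disconnected cable is
    down immediately; otherwise the Alive Indicator (or the default gateway when
    none is configured) must answer the ping."""
    if not port.cable_connected:
        return False
    return probe(port.alive_indicator or port.default_gateway)


def alive_indicator_warning(port: WanPort, probe: Probe) -> Optional[str]:
    """The note under 'Configuring failover': an Alive Indicator that does not
    answer makes a working line look dead. Flag that case by also probing the
    default gateway (an extra check added here, not done by the appliance)."""
    if port.alive_indicator is None or not port.cable_connected:
        return None
    if not probe(port.alive_indicator) and probe(port.default_gateway):
        return (f"{port.name}: Alive Indicator {port.alive_indicator} is silent but "
                f"gateway {port.default_gateway} answers; the line would be reported "
                "as disconnected (false positive)")
    return None


def status_report(ports: List[WanPort], probe: Probe) -> Dict[str, str]:
    """What the Logging/Monitoring > Status tab would show for each port in use."""
    return {p.name: ("connected" if line_is_up(p, probe) else "disconnected")
            for p in ports if p.mode != "Off"}


def choose_path(ports: List[WanPort], probe: Probe, serial_modem: bool) -> List[str]:
    """Failover order from the manual: every Normal port that is up carries traffic
    (load balancing applies among them); if none is up, a Backup port that is up;
    if no WAN port is up, the serial port and its modem (empty list if no modem)."""
    normal = [p.name for p in ports if p.mode == "Normal" and line_is_up(p, probe)]
    if normal:
        return normal
    backup = [p.name for p in ports if p.mode == "Backup" and line_is_up(p, probe)]
    if backup:
        return backup[:1]
    return ["serial"] if serial_modem else []


# Constructed sample: documentation addresses our fake probe treats as reachable
SAMPLE_REACHABLE = {"203.0.113.1", "198.51.100.1", "192.0.2.10"}


def sample_probe(target: str) -> bool:
    return target in SAMPLE_REACHABLE


if __name__ == "__main__":
    wan1 = WanPort("WAN1", "Normal", "203.0.113.1", alive_indicator="192.0.2.99")
    wan2 = WanPort("WAN2", "Backup", "198.51.100.1")
    print(status_report([wan1, wan2], sample_probe))
    print(alive_indicator_warning(wan1, sample_probe))
    print(choose_path([wan1, wan2], sample_probe, serial_modem=True))
```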
DNS gateway
For local and remote name resolution over your VPN (gateway-to-gateway or client-to-gateway), the appliance can use a DNS gateway.
A backup DNS gateway can be specified. The DNS gateway handles name resolution, but should it become unavailable, the backup (generally a DNS gateway through your ISP) can take over.
To configure a DNS gateway
You can configure a primary and backup DNS gateway.
See “Advanced tab field descriptions” on page 136.
To configure a DNS gateway
1 In the SGMI, in the left pane, click WAN/ISP.
2 On the Advanced tab, under DNS Gateway, in the DNS Gateway text boxes, type the IP address of the DNS gateway.
3 Click Save.
To configure DNS gateway backup
1 In the SGMI, in the left pane, click WAN/ISP.
2 On the Advanced tab, under DNS Gateway, check Enable DNS Gateway Backup.
3 Click Save.
Optional network settings
Optional network settings identify your appliance to the rest of your network. If you plan to connect to or refer to your appliance by name, you must configure these settings.
Some ISPs authenticate by the MAC (physical) address of your Ethernet port. This is common with broadband cable (DHCP) services. You can clone your computer’s adapter address to connect to your ISP with the Symantec Gateway Security 400 Series appliances. This is called MAC cloning or masking.
For models 420 and 440, you configure the settings for the WAN port. For models 460 and 460R, you can configure the network settings for one or both WAN ports.
Before you configure optional network settings, gather the following information:
Host name Name of the appliance. For example, marketing.
Domain name Name by which you address the appliance over the Internet. For example, mysite.com. If the host name is marketing, the appliance would be marketing.mysite.com.
MAC address Physical address of the WAN port of the appliance. If you are performing MAC cloning, get the MAC address that your ISP is expecting to see rather than the address of the appliance.
To configure optional network settings
See “Advanced tab field descriptions” on page 136.
1 In the SGMI, in the left pane, click WAN/ISP.
2 For models 420 and 440, do the following:
In the right pane, on the Main Setup tab, under Optional Network Settings, in the Host Name text box, type a host name.
The host and domain names are case-sensitive.
In the Domain Name text box, type the domain name for the appliance.
In the MAC Address text boxes, type the WAN network adapter address (MAC) that you are cloning.
3 For models 460 and 460R, do the following:
To configure WAN1 or WAN2, in the right pane, on the Main Setup tab, under Optional Network Settings, under WAN1 (External) or WAN2 (External), do the following:
Host Name text box Type a host name.
The host and domain names are case-sensitive.
Domain Name text box Type a domain name for the appliance.
MAC Address text boxes Type the WAN network adapter address (MAC) you are cloning.
4 Click Save.
After you click Save, the appliance restarts. Network connectivity is interrupted.
Chapter 4
Configuring internal connections
This chapter includes the following topics:
Configuring LAN IP settings
Configuring the appliance as a DHCP server
Configuring port assignments
Configuring LAN IP settings
LAN settings let you configure your Symantec Gateway Security 400 Series appliance to work in a new or existing internal network.
Each appliance is assigned an IP address and netmask by default; you can change these settings at any time. This way, you can specify an IP address and netmask for the appliance that fits your existing network.
You can also configure the appliance to work as a DHCP server for LAN clients. This assigns IP addresses to the clients dynamically so that you do not have to configure each client to use a static IP address.
Note: Models 420 and 440 have four LAN ports, while models 460 and 460R have eight LAN ports. For each port, you must specify the port settings using the port assignments. These settings are used to configure secure wireless and wired LANs.
Each appliance has a default LAN IP address of 192.168.0.1 with a default network mask of 255.255.255.0. You can configure the appliance to use a different IP address and netmask for the LAN. This is useful if you want to configure a LAN to use a unique subnet for your network environment. For example, if your network already uses 192.168.0.x, you can change the appliance’s IP address to 10.10.10.x, so you do not have to reconfigure your existing network.
Ensure that the IP address you choose for the appliance does not have zero (0) as the last octet.
You cannot set the appliance IP address to 192.168.1.0.
Note: After you change the appliance’s LAN IP address, you must browse to the new appliance IP address to use the SGMI. If you click the Back button in the browser, it attempts to access the old IP address.
To configure LAN IP settings
See “LAN IP & DHCP tab field descriptions” on page 125.
1 In the SGMI, in the left pane, click LAN.
2 In the right pane, on the LAN IP & DHCP tab, under Unit LAN IP, in the IP Address text boxes, type the new IP address.
3 In the Network Mask text box, type the new network mask.
4 Click Save.
Configuring the appliance as a DHCP server
Dynamic Host Configuration Protocol (DHCP) allocates local IP addresses to computers on the LAN without manually assigning each computer its own IP address. This eliminates the need to have a static (permanent) IP address for each computer on the LAN and is useful if you have a limited number of IP addresses available. Each time a computer connected to the LAN is turned on, DHCP assigns it an IP address from the range of available addresses.
Note: Each client computer that you want to use DHCP must have its network configuration set to obtain its IP address automatically.
By default, the range of IP addresses that the appliance can assign is from 192.168.0.2 to 192.168.0.xxx, where xxx is the number of clients to support, plus two. For example, if you support 50 clients on your appliance, the last IP address in the range is 192.168.0.52. The DHCP server on the appliance serves IP addresses to up to 253 computers connected to it. If you change the IP address of the appliance, adjust the DHCP IP address range appropriately. See “Monitoring DHCP usage” on page 51.
Table 4-1 shows the default start and end IP addresses for each model. The default range is based on the recommended number of concurrent clients for each model. The number of clients you can support may vary depending on your traffic characteristics.
Table 4-1 Default DHCP IP address ranges
Model Number of Clients Start IP Address End IP Address
420, 440 50 192.168.0.2 192.168.0.51
460, 460R 75 192.168.0.2 192.168.0.76
The DHCP server only supports class C networks. Class C networks have addresses from 192.0.0.0 through 223.255.255.0. The network number is the first three octets: 192.0.0 through 223.255.255. Each class C network can have one octet worth of hosts.
Note: You can place the appliance in any class network, but the DHCP server does not support this.
If you have a mix of clients that use DHCP and static IP addresses, the static IP addresses must be outside of the range of DHCP IP addresses. Also, you may want to assign static IP addresses to some services. For example, if you have a Web server on your site, you want to assign it a static IP address.
The DHCP server in the appliance is enabled by default. If you disable the DHCP server, each client connecting to the LAN must be assigned an IP address that is within the range. If you enable roaming on the appliance as a secondary wireless access point, the DHCP server is disabled.
To configure the appliance as a DHCP server
See “LAN IP & DHCP tab field descriptions” on page 125.
1 In the SGMI, in the left pane, click LAN.
2 In the right pane, on the LAN IP & DHCP tab, under DHCP, do one of the following:
To enable the appliance as a DHCP server, check Enable.
To disable the appliance as a DHCP server, check Disable.
3 In the Range Start IP text boxes, type the first IP address.
4 In the End IP text boxes, type the last IP address.
5 Click Save.
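The LAN address rules above (no zero last octet, 192.168.1.0 rejected) and the DHCP range rules (class C only, at most 253 hosts, static hosts outside the range), as an added example that is not part of the manual or of the appliance's software: a Python pre-check an administrator can run on a planned LAN/DHCP configuration before clicking Save. Default ranges follow Table 4-1; the model lookup, the function names and the sample addresses are assumptions and constructed data.

```python
import ipaddress

# Constructed lookup of the default DHCP range sizes from Table 4-1
DEFAULT_DHCP_CLIENTS = {"420": 50, "440": 50, "460": 75, "460R": 75}
MAX_DHCP_CLIENTS = 253          # the appliance's DHCP server serves at most 253 hosts
DEFAULT_MASK = "255.255.255.0"  # one octet of hosts, as the DHCP server requires


def validate_lan_ip(ip_str, mask_str=DEFAULT_MASK):
    """Check an appliance LAN address against the manual's rules: the last octet
    must not be 0 (this also rejects 192.168.1.0) and the mask must describe a
    class C sized network, i.e. one octet of hosts. Returns an IPv4Interface."""
    ip = ipaddress.IPv4Address(ip_str)
    if int(ip) & 0xFF == 0:
        raise ValueError(f"{ip}: last octet of the appliance address must not be 0")
    iface = ipaddress.IPv4Interface(f"{ip}/{mask_str}")
    if iface.network.prefixlen != 24:
        raise ValueError(f"{mask_str}: a class C sized (/24) network is required")
    return iface


def default_dhcp_range(model, lan_ip="192.168.0.1"):
    """Default range per Table 4-1: starts one above the appliance address and
    holds the recommended number of clients for the model."""
    clients = DEFAULT_DHCP_CLIENTS[model]
    start = ipaddress.IPv4Address(lan_ip) + 1
    return str(start), str(start + clients - 1)


def validate_dhcp_range(lan_ip, start_str, end_str, static_hosts=()):
    """Check a DHCP range: class C network only (an appliance placed in another
    class may keep its address, but the DHCP server does not support it), inside
    the appliance's own network, excluding the appliance, network and broadcast
    addresses, at most 253 leases, and every static host outside the range.
    Returns the number of leases the range provides."""
    iface = validate_lan_ip(lan_ip)
    net = iface.network
    first_octet = int(net.network_address) >> 24
    if not 192 <= first_octet <= 223:
        raise ValueError(f"{net}: the DHCP server only supports class C networks")
    start = ipaddress.IPv4Address(start_str)
    end = ipaddress.IPv4Address(end_str)
    if start > end:
        raise ValueError("range start is after range end")
    if start not in net or end not in net:
        raise ValueError(f"range must lie inside the appliance network {net}")
    if start == net.network_address or end == net.broadcast_address:
        raise ValueError("range must not include the network or broadcast address")
    if start <= iface.ip <= end:
        raise ValueError(f"range must not include the appliance address {iface.ip}")
    leases = int(end) - int(start) + 1
    if leases > MAX_DHCP_CLIENTS:
        raise ValueError(f"{leases} leases exceed the {MAX_DHCP_CLIENTS} host maximum")
    for host in static_hosts:
        if start <= ipaddress.IPv4Address(host) <= end:
            raise ValueError(f"static host {host} lies inside the DHCP range")
    return leases


if __name__ == "__main__":
    print(default_dhcp_range("460"))
    # Constructed sample: appliance moved to 192.168.10.1 with one static Web server
    print(validate_dhcp_range("192.168.10.1", "192.168.10.2", "192.168.10.76",
                              static_hosts=["192.168.10.200"]))
```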
Monitoring DHCP usage
The DHCP Table lists the IP addresses that are assigned to connected clients. You can view the host name, IP address, physical address, and status for each client. This table takes up to one hour to fully update after the appliance has been rebooted.
To view DHCP usage
See “LAN field descriptions” on page 125.
In the SGMI, in the left pane, click LAN.
Configuring port assignments
Port assignments on the security gateway let you specify if the LAN port resides on a trusted or untrusted network. Trusted ports are for networks not using VPN authentication to connect to the LAN. Untrusted ports are for wireless or wired networks using VPN clients to connect to LAN resources.
You can connect many network devices to the LAN ports: routers, switches, client machines, or other Symantec Gateway Security 400 Series appliances. For these options, select the standard port assignment. If you are connecting a Symantec Gateway Security 400 Series appliance that is configured as a wireless access point to a LAN port, you can secure the wireless connection using VPN technology. See the Symantec Gateway Security 300/400 Series Wireless Implementation Guide.
Once a port assignment is set, the untrusted ports enable and enforce encrypted VPN traffic, using global tunnels, to the appliance or using IPsec pass-thru to WAN-side endpoints.
Standard port assignment
When LAN ports are designated as standard, the appliance acts as a typical switch; it forwards traffic based on MAC address and traffic does not reach the security gateway engine unless it was specifically designated for it.
This option does not support client VPN tunnels terminating at the LAN. When a LAN port is set to standard, it is not considered part of the VLAN.
When you select standard, VPN traffic is not enforced at the switch; that is, a trusted private network is assumed.
SGS Access Point Secured port assignment
The SGS Access Point Secured port assignment enforces VPN security at the roaming access point or the switch level. This setting is used for connecting Symantec Gateway Security appliances.
Enforce VPN tunnels port assignment
The Enforce VPN tunnels/Allow IPsec pass-thru port assignment requires a VPN tunnel between a wireless VPN client and the security gateway. IPsec traffic is allowed to pass through a subsidiary switch with tunnel termination points located at the primary security gateway and the client.
To configure port assignments
You can set a specific LAN port to use a port assignment, or you can restore the default port settings.
See “Port Assignments tab field descriptions” on page 127.
To configure a port assignment
1 In the SGMI, in the left pane, click LAN.
2 In the right pane, on the Port Assignments tab, under Physical LAN Ports, from the Port numbers drop-down list, select a port assignment.
3 Click Save.
The appliance reboots when the port settings are saved.
To restore port assignment default settings
1 In the SGMI, in the left pane, click LAN.
2 In the right pane, on the Port Assignments tab, under Physical LAN Ports, click Restore Defaults.
The appliance reboots when the port settings are saved.
Chapter 5
Network traffic control
This chapter includes the following topics:
Planning network access
Understanding computers and computer groups
Defining inbound access
Defining outbound access
Configuring services
Configuring special applications
Configuring advanced options
Planning network access
The Symantec Gateway Security 400 Series appliance includes firewall technology that lets you configure the firewall component to meet your security policy requirements. When configuring the firewall, identify all computers (nodes) to be protected on your network.
Note: This chapter uses the term computer to define anything that has its own IP address in the network; for example: a desktop PC, laptop, server, print server, terminal server, network photocopier, and so on.
Developing a security policy helps you to identify what you need to configure. See Appendix A in the Symantec Gateway Security 400 Series Installation Guide.
Before configuring the security gateway’s firewall component, consider the following:
Learn about computers and computer groups.
See “Understanding computers and computer groups” on page 53.
What kinds of users will be protected by the security gateway? Will all users have the same access and privileges?
What types of services do you want to make available to internal users?
What standard application services do you want to make available to external users?
What types of special application services do you want to allow for external users and hosts?
Understanding computers and computer groups
Computers are nodes behind the appliance. This includes permanent resident desktops or laptops on the LAN, application servers, and any host or printer. You configure the appliance to recognize the computer by its MAC (physical) address.
Computer groups let you create outbound rules and apply them to computers that should have the same access. Instead of creating a traffic rule for each individual computer in your network, you define computer groups, assign each computer to a computer group, and then create rules for the group.
By default, all computers are part of the Everyone group and have no restrictions on Internet use until they are assigned to another computer group, which has traffic rules configured. You can create rules that apply to the Everyone group, or, for greater control, you can divide the computers into one of four computer groups, and then assign each group different rules. If a computer is not defined in the computers table, it belongs to the Everyone computer group.
Note: The security gateway has five computer groups: Everyone, Group 1, Group 2, Group 3, and Group 4. You cannot add, delete, or rename computer groups.
Before you create inbound and outbound rules to govern traffic, perform the following tasks in this order:
Define the computer groups.
See “Defining computer groups” on page 55.
Define computers behind the appliance and assign them to computer groups.
See “Defining computer group membership” on page 54.
Defining computer group membership
Defining computers is the first step in configuring the firewall component of the appliance.
When creating your security policy, leave the largest group of hosts in the Everyone computer group to minimize the input and management of MAC addresses. By default, all hosts belong to the Everyone computer group until you configure them to belong to one of the four other computer groups.
Review your security policy to determine how many computer groups you need (if any) and which users should be assigned to each computer group.
The Computers tab lets you identify each computer by typing its MAC address, assigning a static IP address, assigning it to a computer group, and binding it to a PPPoE session (if your ISP offers multiple PPPoE sessions). See “PPPoE” on page 30.
Note: To find the MAC address of a Microsoft Windows-based computer, at a DOS prompt, type ipconfig /all and look for the physical address.
On models 460 and 460R, you can restrict the computer to use only one of the WAN ports. This is useful if you have two broadband accounts, one on each WAN port, and you want a particular computer to use only one. This is useful for servers or applications that must always use a specific WAN IP address such as FTP. The default is disabled.
Defining computers
If you are using an ISP with PPPoE sessions, you bind a host to a session (WAN IP) on this tab.
Checking Reserved Host ensures that the DHCP server always offers the defined IP address to the computer you are defining, or you can set this IP address as a static address on the computer.
See “Computers tab field descriptions” on page 137.
To configure a new computer
1 In the left pane, click Firewall.
2 On the Computers tab, in the Host Name text box, type a host name.
3 In the Adapter (MAC) Address text box, type the address of the host’s network interface card (NIC).
4 If the computer is an application server to which you want to allow access with an inbound rule, or if you want to reserve an IP address for a computer that is not an application server, under Application Server, check Reserved Host.
See “Defining inbound access” on page 56.
5 In the IP Address text box, type the IP address of the host.
6 Under Computer Group, on the Computer Group drop-down list, select a group for your host to join.
The computer group properties are defined on the Firewall > Computer Groups tab.
See “Defining inbound access” on page 56.
7 Under Session Association - Optional, in the Bind with PPPoE Session drop-down list, select the session to bind to this host.
You must have a multi-session PPPoE account with your ISP if you want to bind a host to a PPPoE session. If you do not have a PPPoE account with your ISP, leave the Bind with PPPoE Session drop-down list at Session 1.
8 Click Add.
To verify that a host has been configured, you can check the Host List displayed at the bottom of the window. The fields in the list map to the fields entered when you configured the host.
Once you have finished adding computers to a computer group, you can configure the properties for each computer group on the Computer Groups tab in the SGMI.
To update an existing computer
1 In the left pane, click Firewall.
2 In the right pane, on the Computers tab, under Host Identity, in the Select Host drop-down list, select a host.
3 Make the changes to the computers fields.
4 Click Update.
The updated computer is displayed in the Host List.
To delete an existing computer
1 In the left pane, click Firewall.
2 In the right pane, on the Computers tab, under Host Identity, in the Select Host drop-down list, select a host.
3 Click Delete.
Defining computer groups
Computer groups are logical groups of network entities used for outbound rules. You must configure and bind all local hosts (nodes) to the computer group they are in using the Computers tab.
See “Defining computer group membership” on page 54.
You can configure the following properties for a computer group:
Antivirus policy enforcement
See “How antivirus policy enforcement (AVpe) works” on page 81.
Content filtering
See “Advanced network traffic control” on page 81.
Access control
See “Defining inbound access” on page 56.
Page 56
To define computer groups
See “Computer Groups tab field descriptions” on page 138.
1 In the left pane, click Firewall.
2 In the right pane, on the Computer Groups tab, under Security Policy, on the Computer Group drop-down list, select the computer group that you want to configure.
3 To enable AVpe, under Antivirus Policy Enforcement, check Enable AntiVirus Policy Enforcement, and then click one of the following:
Warn Only
Block Connections
4 To enable content filtering, check Enable Content Filtering, and then select one of the following:
Use Allow List
Use Deny List
5 Under Access Control (Outbound Rules) select one of the following:
No restrictions
Block ALL outbound access
Use rules defined in Outbound Rules Screen.
See “Defining outbound access” on page 57.
6 Click Save.
Defining inbound access
Inbound rules control the type of traffic flowing into application servers on your appliance-protected networks. The default state for inbound traffic is that all traffic is denied (automatically blocked) until you configure inbound rules for each kind of traffic you want to allow. If the inbound traffic contains a protocol or application that is not part of an enabled rule, the connection request is denied and logged. The security gateway supports a maximum of 25 inbound rules.
When creating inbound rules, you must specify the application server, the service, protocols, and ports that the rule allows, and source and destination information for each rule. When an inbound rule exists, any external host can successfully pass inbound traffic matching the rule.
Inbound rules redirect traffic that arrives on the WAN ports to another internal server on the protected LAN. For example, an inbound rule enabled for HTTP results in all HTTP traffic arriving on the WAN port being redirected to the server specified as the HTTP application server. You must define the server before using it in a rule.
Inbound rules are not bound to a computer group.
To define inbound access
See “Inbound Rules field descriptions” on page 139.
To define a new inbound rule
1 In the SGMI, in the left pane, click Firewall.
2 To create a new rule, in the right pane, on the Inbound Rules tab, under Rule Definition, in the Name text box, type a unique name for the inbound rule.
3 Check Enable Rule.
4 In the Application Server drop-down list, select a defined computer.
Computers are defined on the Computers tab in the Firewall section. See “Computers tab field descriptions” on page 137.
Page 57
5 On the Service drop-down list, select an inbound service.
6 Click Add.
To update an existing inbound rule
1 In the left pane, click Firewall.
2 In the right pane, on the Inbound Rules tab, in the Rule drop-down list, select an existing inbound rule.
3 Click Select.
4 Make the changes to the inbound rules fields.
5 Click Update.
To delete an inbound rule
1 In the left pane, click Firewall.
2 In the right pane, on the Inbound Rules tab, in the Rule drop-down list, select an existing inbound rule.
3 Click Delete.
Defining outbound access
By default, all computer groups are allowed outbound access. Also by default, all computers that you protect are in the Everyone computer group. When you define an outbound rule for a given computer group, and check the Use rules defined in Outbound Rules Screen check box, then all other traffic is blocked unless an outbound rule is defined to allow it. You must give each outbound rule a unique name.
You must also specify the type of traffic that the rule allows. Outbound rules let you define traffic to permit, rather than specifying traffic to deny or block. Once an outbound rule is added to the computer group, all other traffic is denied unless there is a specific rule to let it pass.
Following are the predefined outbound services:
DNS
FTP
HTTP
HTTPS
Mail (SMTP)
Mail (POP3)
RADIUS Auth
Telnet
VPN IPSec
VPN PPTP
LiveUpdate
SESA Server
SESA Agent
RealAudio1
RealAudio2
RealAudio 3
PCA TCP
PCA UDP
Page 58
TFTP
SNMP
If you have services that are not on this list, or a service that does not use its default port, you can create your own custom services. You must create the custom services before creating the outbound rule.
See “Configuring services” on page 59.
Outbound rule example
As shown in Figure 5-1, an outbound rule enabled for FTP service for computer group 2 allows the members of computer group 2 outbound FTP service. An outbound rule enabled for Mail (SMTP) service for the Everyone computer group lets all members of the Everyone group send outbound email. If computer group 1 has no rules, all outbound traffic is allowed by default.
Figure 5-1 Outbound rules example
[Figure labels: Everyone computer group, with outbound rule Name: E_Mail_1, Computer group: Everyone, Service: Mail (SMTP); Computer group 1 (no rules); Computer group 2, with outbound rule Name: FTP_2, Computer group: Group 2, Service: FTP]
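The outbound-rule semantics described above (default allow, per-group access control, rule names unique, and Figure 5-1's groups), modelled as an added example that is not code from the manual or the appliance. The constant names, the OutboundPolicy class and the rule "Web_2" and "Kiosks" group are constructed here; the interplay between a host's own group and the Everyone group is an assumption stated in the docstring.

```python
"""Model of the outbound access-control behaviour described on this page.

Added example, not code from the Symantec manual or appliance. A computer
group carries the Access Control (Outbound Rules) setting from the Computer
Groups tab plus any outbound rules defined for it; every protected host is also
a member of the Everyone group. ASSUMPTION: the access-control setting of the
host's own group decides, and when that setting is "Use rules", enabled rules
defined for either the host's group or for Everyone let the traffic pass.
"""
from dataclasses import dataclass, field

NO_RESTRICTIONS = "No restrictions"
BLOCK_ALL = "Block ALL outbound access"
USE_RULES = "Use rules defined in Outbound Rules Screen"
EVERYONE = "Everyone"

# A few of the predefined outbound services listed in the manual. A service
# not in this set would have to be created on the Services tab first.
PREDEFINED_SERVICES = {"DNS", "FTP", "HTTP", "HTTPS", "Mail (SMTP)",
                       "Mail (POP3)", "Telnet", "LiveUpdate"}


@dataclass
class OutboundRule:
    name: str            # must be unique across all outbound rules
    computer_group: str
    service: str
    enabled: bool = True


@dataclass
class ComputerGroup:
    name: str
    access_control: str = NO_RESTRICTIONS   # default: outbound access allowed


@dataclass
class OutboundPolicy:
    groups: dict = field(default_factory=dict)   # group name -> ComputerGroup
    rules: list = field(default_factory=list)
    hosts: dict = field(default_factory=dict)    # host name -> group name

    def add_rule(self, rule):
        if any(r.name == rule.name for r in self.rules):
            raise ValueError(f"outbound rule name already used: {rule.name}")
        if rule.service not in PREDEFINED_SERVICES:
            raise ValueError(f"service must be defined before use: {rule.service}")
        self.rules.append(rule)

    def allows_outbound(self, host, service):
        """True if the host may open an outbound connection for the service."""
        group_name = self.hosts.get(host, EVERYONE)   # unassigned hosts are in Everyone
        group = self.groups.get(group_name, ComputerGroup(group_name))
        if group.access_control == BLOCK_ALL:
            return False
        if group.access_control == NO_RESTRICTIONS:
            return True
        # "Use rules": only traffic named by an enabled rule passes (assumption:
        # rules for the host's own group and for Everyone both count).
        return any(r.enabled and r.service == service
                   and r.computer_group in (group_name, EVERYONE)
                   for r in self.rules)


def figure_5_1_policy():
    """Constructed policy matching Figure 5-1, plus a fully blocked group."""
    policy = OutboundPolicy()
    policy.groups[EVERYONE] = ComputerGroup(EVERYONE, USE_RULES)
    policy.groups["Computer group 1"] = ComputerGroup("Computer group 1")   # no rules
    policy.groups["Computer group 2"] = ComputerGroup("Computer group 2", USE_RULES)
    policy.groups["Kiosks"] = ComputerGroup("Kiosks", BLOCK_ALL)           # constructed
    policy.add_rule(OutboundRule("E_Mail_1", EVERYONE, "Mail (SMTP)"))
    policy.add_rule(OutboundRule("FTP_2", "Computer group 2", "FTP"))
    # A disabled rule does not let traffic pass.
    policy.add_rule(OutboundRule("Web_2", "Computer group 2", "HTTP", enabled=False))
    policy.hosts.update({"pc-g1": "Computer group 1", "pc-g2": "Computer group 2",
                         "pc-e": EVERYONE, "lobby": "Kiosks"})
    return policy
```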
Define outbound access
You can manage your outbound access by creating a rule, updating it when your needs change, or deleting it when you no longer need it. You can also temporarily disable outbound access for troubleshooting or controlling traffic.
See “Outbound Rules tab field descriptions” on page 140.
To define an outbound rule
1 In the SGMI, in the left pane, click Firewall.
2 In the right pane, on the Outbound Rules tab, under Computer Groups, in the Computer Group drop-down list, select a computer group. To see a list of rules for the selected computer group, click View.
3 In the Name text box, type a unique name for the outbound rule.
4 Check Enable Rule.
5 On the Service drop-down list, select an outbound service.
6 Click Add.
Page 59
To update an existing outbound rule
1 In the SGMI, in the left pane, click Firewall.
2 In the right pane, on the Outbound Rules tab, under Computer Groups, on the Computer Group drop-down list, select a computer group.
To see a list of rules for the selected computer group, click View.
3 In the Rule drop-down list, select an existing outbound rule.
4 Make the changes to the outbound rules fields.
5 Click Update.
To delete an outbound rule
1 In the SGMI, in the left pane, click Firewall.
2 In the right pane, on the Outbound Rules tab, under Computer Groups, in the Computer Group drop-down list, select a computer group.
To see a list of rules for the selected computer group, click View.
3 In the right pane, on the Outbound Rules tab, on the Rule drop-down list, select an existing outbound rule.
4 Click Delete.
Configuring services
You can define additional service applications used in inbound rules and outbound rules that are not already covered by the predefined services. You must configure these services before you can use them in any rules. The name of the service should identify the protocol or type of traffic that the rule allows.
You must specify the type of traffic and the destination server for that traffic. The type of traffic is selected from the list of predefined services and custom services.
Note: On models 460 and 460R, FTP application servers must be bound to a WAN port, WAN 1 or WAN 2. All other applications, such as HTTP, do not require binding to a WAN port.
See “Binding to other protocols” on page 45.
There are two types of protocols used by services: TCP and UDP. The port range specifies the ports on which the service is permitted to communicate through the appliance. For protocols that allow for a port range, you must specify the listen on port starting and ending port numbers. For protocols that use a single port number, the listen on port starting and ending port numbers are the same.
Redirecting services
You can also configure services to be redirected from the ports they would normally enter (Listen on Port) to another port (Redirect to Port). Service redirection only applies to inbound rules. Outbound rules ignore this setting.
For example, to redirect inbound Web traffic entering on port 80 using TCP protocol, to an internal Web server listening for TCP on port 8080, you would create a new service application called WEB_8080. Select TCP as the protocol, and type 80 for both the listen on port starting and ending port numbers. For both the start and end redirect to ports, type 8080. Then create and enable an inbound rule for the Web application server that uses WEB_8080 as a service.
Note: Redirection port range sizes must be the same as the listen on port ranges. For example, if the listen on port range is 21 to 25, the redirection port range must also be four ports.
Page 60
To redirect inbound traffic to the original destination port, leave the redirect fields blank.
Configuring a service
Create a service before you add it to an inbound rule. Once you create a service, you can update or delete it.
See “Services tab field descriptions” on page 140.
To configure a service
1 In the SGMI, in the left pane, click Firewall.
2 On the Services tab, under Application Settings, in the Name text box, type a name for the service that represents the application.
3 In the Protocol drop-down list, select TCP or UDP.
4 In the Listen on Port(s): Start text box, type a port number.
5 In the Listen on Port(s): End text box, type a port number.
6 In the Redirect to Port(s): Start text box, type a port number.
Redirect only applies to inbound rules. If you are creating a service for an outbound rule, leave the Redirect to Port(s) text boxes blank.
To redirect inbound traffic to the original destination port, leave the Redirect text boxes blank.
7 In the Redirect to Port(s): End text box, type a port number.
8 Click Add.
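The service definition and redirection rules explained under "Configuring services", "Redirecting services" and the procedure above, as an added example that is not code from the manual or the appliance. It validates a Services tab entry (protocol, Listen on Port(s) and Redirect to Port(s) ranges, equal range sizes) and computes the server-side port, using the manual's WEB_8080 service; the Service class, the deliver() function and the RANGE_X and PLAIN services are constructed here.

```python
"""Model of a Services tab entry and the inbound port redirection described
on this page. Added example, not the appliance's own code.

Field names follow the manual: Name, Protocol, Listen on Port(s) Start/End,
Redirect to Port(s) Start/End. Redirect ports are None when left blank, which
keeps the original destination port. Redirection applies to inbound rules only.
"""
from dataclasses import dataclass
from typing import Optional


def _check_range(start, end, label):
    """Both ends must be valid port numbers and Start must not exceed End."""
    if not (1 <= start <= 65535 and 1 <= end <= 65535):
        raise ValueError(f"{label}: ports must be between 1 and 65535")
    if start > end:
        raise ValueError(f"{label}: Start must not exceed End")


@dataclass(frozen=True)
class Service:
    name: str
    protocol: str                       # "TCP" or "UDP"
    listen_start: int
    listen_end: int
    redirect_start: Optional[int] = None
    redirect_end: Optional[int] = None

    def __post_init__(self):
        if self.protocol not in ("TCP", "UDP"):
            raise ValueError("Protocol must be TCP or UDP")
        _check_range(self.listen_start, self.listen_end, "Listen on Port(s)")
        if (self.redirect_start is None) != (self.redirect_end is None):
            raise ValueError("set both Redirect to Port(s) fields or leave both blank")
        if self.redirect_start is not None:
            _check_range(self.redirect_start, self.redirect_end, "Redirect to Port(s)")
            # The manual's note: the redirect range must be the same size as
            # the listen range, so the two spans must be equal.
            if self.listen_end - self.listen_start != self.redirect_end - self.redirect_start:
                raise ValueError("Redirect to Port(s) range must match Listen on Port(s) range size")

    def matches(self, protocol, port):
        """True if a packet with this protocol and destination port belongs to the service."""
        return protocol == self.protocol and self.listen_start <= port <= self.listen_end

    def destination_port(self, port, inbound=True):
        """Port the application server receives the packet on.

        Outbound rules ignore the redirect setting, and a blank redirect keeps
        the original port; otherwise the port is shifted into the redirect range.
        """
        if not inbound or self.redirect_start is None:
            return port
        return self.redirect_start + (port - self.listen_start)


# The WEB_8080 example from the manual: TCP port 80 in, web server on 8080.
WEB_8080 = Service("WEB_8080", "TCP", 80, 80, 8080, 8080)


def deliver(service, protocol, port, inbound=True):
    """Return the server-side port for a packet, or None if the service does not match it."""
    if not service.matches(protocol, port):
        return None
    return service.destination_port(port, inbound)
```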
To update an existing service
1 In the SGMI, in the left pane, click Firewall.
2 In the right pane, on the Services tab, on the Application drop-down list, select an existing service.
3 Make the changes to the services fields.
4 Click Update.
To delete a service
1 In the SGMI, in the left pane, click Firewall.
2 In the right pane, on the Services tab, on the Application drop-down list, select an existing service.
3 Click Delete.
Configuring special applications
Special applications are used for dynamic port forwarding. To determine what ports and protocols an application needs for operation, consult the application’s documentation for information on firewall or Network Address Translation (NAT) usage.
Some applications may need more than one entry defined and enabled; for example, when they have multiple port ranges in use. Special applications are global in scope and overwrite any computer group specific outbound rules or inbound rules. When enabled, the traffic specified can pass in either direction from any host.
Certain applications with two-way communication (such as games and video conferencing) need ports open in the firewall. Normally, you open ports with the Inbound Rules tab. But inbound rules only open ports for the application server IP address defined in its settings, because firewalls using NAT can only open a defined service for a single computer on the LAN (when using a single external IP).
The Special Applications tab works around this limitation by letting you set port triggers. The appliance listens for outgoing traffic on a range of ports from computers on the LAN and, if it sees traffic, it opens an incoming port range for that computer. Once the communication is done, the appliance starts listening again so that another computer can trigger the ports to be opened for it.
Page 61
Port triggers can be used very quickly (milliseconds), but for only one computer at a time. The speed with which port triggers are used gives the illusion that multiple computers have the same ports open at once.
Special Applications entries work best with applications that require low throughput. You may experience reduced performance with multiple computers activating streaming media or a heavy incoming or outgoing volume.
The appliance only listens for traffic on the LAN. The computer on the LAN activates the trigger, not traffic from the outside. The LAN application must initiate traffic and you must know the ports or range of ports it uses to set up a special applications entry. If traffic initiates from the outside, you must use an inbound rule.
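The port-trigger behaviour described above (LAN-originated traffic arms the trigger, the incoming range is opened for one computer at a time, and the trigger is re-armed once communication is done), simulated as an added example that is not code from the manual or the appliance. The SpecialApplication class, its method names and the VIDEO_CONF entry are constructed here; the incoming range is not checked against a protocol because the tab only defines an outgoing protocol.

```python
"""Simulation of the port-trigger behaviour of a Special Applications entry.

Added example, not the appliance's own code. Fields follow the Special
Applications tab: the outgoing protocol and port range that the appliance
watches on the LAN, and the incoming port range it opens for the LAN host that
triggered it. Only one LAN host holds an entry's opened range at a time, and
traffic from outside the LAN never arms the trigger.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class SpecialApplication:
    name: str
    outgoing_protocol: str          # "TCP" or "UDP"
    outgoing_start: int             # Outgoing Port Range Start (watched)
    outgoing_end: int               # Outgoing Port Range End
    incoming_start: int             # Incoming Port Range Start (opened)
    incoming_end: int               # Incoming Port Range End
    enabled: bool = True
    holder: Optional[str] = None    # LAN host currently owning the opened range

    def watch_outgoing(self, src_is_lan, src_host, protocol, dst_port):
        """Inspect outbound traffic; return True if it armed (or re-used) the trigger."""
        if not self.enabled or not src_is_lan:
            return False            # the LAN side must initiate, never the outside
        if protocol != self.outgoing_protocol:
            return False
        if not (self.outgoing_start <= dst_port <= self.outgoing_end):
            return False
        if self.holder is not None and self.holder != src_host:
            return False            # range already opened for another computer
        self.holder = src_host
        return True

    def forward_incoming(self, dst_port):
        """Return the LAN host an incoming packet on dst_port is forwarded to, or None."""
        if not self.enabled or self.holder is None:
            return None
        if self.incoming_start <= dst_port <= self.incoming_end:
            return self.holder
        return None

    def release(self):
        """Communication finished: start listening for the next trigger."""
        self.holder = None


def walk_through(app):
    """Constructed sequence showing the one-computer-at-a-time limitation."""
    events = []
    events.append(app.forward_incoming(7050))                      # nothing armed yet
    events.append(app.watch_outgoing(False, "198.51.100.7", "UDP", 6005))   # outside: ignored
    events.append(app.watch_outgoing(True, "192.168.0.10", "UDP", 6005))    # LAN host arms it
    events.append(app.forward_incoming(7050))                      # opened for that host
    events.append(app.watch_outgoing(True, "192.168.0.11", "UDP", 6005))    # second host: refused
    app.release()
    events.append(app.watch_outgoing(True, "192.168.0.11", "UDP", 6005))    # now it can trigger
    events.append(app.forward_incoming(7050))
    return events


# Constructed entry: video conferencing that signals on UDP 6000-6010 and
# expects the reply stream on 7000-7100.
VIDEO_CONF = SpecialApplication("VIDEO_CONF", "UDP", 6000, 6010, 7000, 7100)
```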
Configuring a special application
Special applications help with dynamic port forwarding. Configure a special application for two-way communication. You can then edit it or delete it as your needs change.
See “Special Applications tab field descriptions” on page 141.
To configure a special application
1 In the SGMI, in the left pane, click Firewall.
2 In the right pane, on the Special Applications tab, under Select Applications, in the Name text box, type a name that represents the application.
3 Check Enable.
4 On the Outgoing Protocol drop-down list, select TCP or UDP.
5 In the Outgoing Port Range Start text box, type the first port number of the port range to listen on.
6 In the Outgoing Port Range End text box, type the last number of the port range to listen on.
7 In the Incoming Port Range Start text box, type the first port number in the range to open.
8 In the Incoming Port Range End text box, type the last port number in the range to open.
9 Click Add.
To update an existing special application
1 In the SGMI, in the left pane, click Firewall.
2 In the right pane, on the Special Application tab, in the Special Application drop-down list, select an existing special application.
3 Make the changes to the special applications fields.
4 Click Update.
To delete a special application
1 In the SGMI, in the left pane, click Firewall.
2 In the right pane, on the Special Applications tab, on the Application drop-down list, select an existing special application.
3 Click Delete.
Page 62
Configuring advanced options
Symantec Gateway Security 400 Series has several advanced firewall options for special circumstances. These include:
Enabling the IDENT port
Disabling NAT mode
Blocking ICMP requests
Enabling WAN broadcast storm protection
Enabling IPsec pass-thru
Configuring an exposed host
Enabling the IDENT port
Queries to the TCP Client Identity Protocol (IDENT) port (113) normally result in the host name and company name information being returned. However, this service poses a security risk since attackers can use this information to hone their attack methodology. By default, the appliance sets all ports to stealth mode. This configures a computer to appear invisible to those outside of the network. Some servers (such as certain email servers or Microsoft Internet Relay Chat (MIRC) servers) query the IDENT port of the system accessing them.
You can configure the appliance to enable the IDENT port. Enabling this setting makes port 113 respond as closed (not open) rather than stealthed. You should enable this setting only if there are problems accessing a server (server time-outs).
Note: If you experience time-outs when using your mail (SMTP) service, enabling the IDENT port may correct this problem.
To enable the IDENT Port
See “Advanced tab field descriptions” on page 143.
1 In the SGMI, in the left pane, click Firewall.
2 In the right pane, on the Advanced tab, under Optional Security Settings, check Enable IDENT Port.
3 Click Save.
Disabling NAT mode
You can configure the security gateway to work as a standard network router to separate different subnets on an internal network. Disabling NAT Mode disables the firewall security functions. This setting should only be used for intranet deployments where the security gateway is used as a bridge on a protected network. When the security gateway is configured for NAT mode, it behaves as an 802.1D (MAC bridge) device.
To disable NAT Mode
See “Advanced tab field descriptions” on page 143.
1 In the SGMI, in the left pane, click Firewall.
2 In the right pane, on the Advanced tab, under Optional Security Settings, check Disable NAT Mode.
3 Click Save.
Page 63
Blocking ICMP requests
You can configure the security gateway to drop and log any Internet Control Message Protocol (ICMP) redirect requests received on a WAN interface.
To block ICMP requests
See “Advanced tab field descriptions” on page 143.
1 In the SGMI, in the left pane, click Firewall.
2 In the right pane, on the Advanced tab, under Optional Security Settings, next to Block ICMP Requests,
do one of the following:
To block ICMP requests, click Enable.
To allow ICMP requests, click Disable.
3 Click Save.
Enabling WAN broadcast storm protection
Broadcast storm protection protects regular traffic from an overabundance of broadcast traffic. For example, a condition may exist in which a broadcast message results in many responses, each of which results in still more responses. This filter triggers when 63% of the WAN buffers are taken up by broadcast packets.
You may want to disable this feature to allow applications that require broadcast packets.
To enable WAN broadcast storm protection
See “Advanced tab field descriptions” on page 143.
1 In the SGMI, in the left pane, click Firewall.
2 In the right pane, on the Advanced tab, under Optional Security Settings, next to WAN Broadcast Storm
Protection, check Enable.
3 Click Save.
Enabling IPsec pass-thru
IPSec pass-thru is supported by the security gateway. If the VPN client used in Exposed Host has problems connecting from behind the security gateway, use the None setting.
The following list includes the supported IPsec types:
1 SPI: ADI - Assured Digital
2 SPI (default): Standard (Symantec, Cisco Pix, and Nortel Contivity) clients
2 SPI-C: Cisco Concentrator 30X0 Series clients
Others: Redcreek Ravlin
None
Note: Only change the IPsec pass-thru setting if instructed to do so by Symantec Technical Support.
Page 64
64 Network traffic control
Configuring advanced options
To configure IPsec pass-thru settings
See “Advanced tab field descriptions” on page 143.
1 In the SGMI, in the left pane, click Firewall.
2 On the Advanced tab, under IPsec Passthru Settings, select the IPsec types that you want to allow
through the security gateway.
3 Click Save.
Configuring an exposed host
Exposed Host opens all ports so that one computer on a LAN has unrestricted two-way communication with Internet servers or users. This is useful for hosting games or special server applications.
All traffic that is not specifically allowed by inbound rules is directed to the exposed host.
Warning: Because of the security risk, activate Exposed Host only when required to do so.
To configure an exposed host
See “Advanced tab field descriptions” on page 143.
1 In the left pane, click Firewall.
2 In the right pane, on the Advanced tab, under Exposed Host, check Enable Exposed Host.
3 In the LAN IP Address text boxes, type the IP address of the host you want to expose.
4 In the Bind with WAN Port drop-down list (models 460 and 460R only), select the WAN port the exposed
host is bound to. The default is WAN port 1.
5 In the Session drop-down list, select the session to bind to the exposed host.
6 Click Save.
Page 65
Chapter 6
Establishing secure VPN connections
This chapter includes the following topics:
How to use this chapter
Creating security policies
Identifying users
Configuring gateway-to-gateway tunnels
Configuring client-to-gateway VPN tunnels
Monitoring VPN tunnel status
Virtual Private Networks (VPNs) let you securely extend the boundaries of your internal network and use insecure communication channels (such as the Internet) to safely transport sensitive data. VPNs let a single user or a remote network safely access the protected resources of another network.
Symantec Gateway Security 400 Series appliances support three types of VPN tunnels: gateway-to-gateway, client-to-gateway, and wireless client-to-gateway. To configure wireless client-to-gateway tunnels, see the Symantec Gateway Security 300/400 Series Wireless Implementation Guide.
Securing your network connections using VPN technology is an important step in ensuring the quality and integrity of your data. This section describes some key concepts and components you need to understand to configure and use the appliance’s VPN feature.
VPN tunnels can also support dynamic and static gateway-to-gateway configurations, where tunnel parameters are created at each security gateway. Both ends must have the same parameters, including secret keys, security parameter indexes (SPIs), authentication schemes, and encryption methods.
How to use this chapter
Each section begins with an explanation of the feature it is describing (such as what a VPN policy is, how it works, and how you use it). If you are an experienced network or IT administrator, you may want to proceed directly to the latter half of the section for configuration instructions.
If you do not have significant network or IT experience or have never configured a security gateway (Symantec or otherwise), you should read the first half of each section before configuring the feature.
At the end of “Configuring gateway-to-gateway tunnels” on page 70 and “Configuring client-to-gateway VPN tunnels” on page 76, there are worksheets for you to fill out with the information you entered so that you may easily share connection information with your clients and remote gateway administrators.
Page 66
Creating security policies
VPN tunnel negotiation occurs in two phases. In Phase 1, the Internet Key Exchange (IKE) negotiation creates an IKE security association with its peer to protect Phase 2 of the negotiation, which determines the protocol security association for the tunnel. For gateway-to-gateway connections, either security gateway can initiate Phase 1 or Phase 2 renegotiation at any time. Either security gateway can also specify intervals after which to renegotiate. For client-to-gateway connections, only the client can initiate Phase 1 or Phase 2 renegotiation. Phase 2 renegotiation is referred to as quick mode renegotiation.
Note: Symantec Gateway Security 400 Series does not support VPN tunnel compression. To create a gateway-to-gateway tunnel between a Symantec Gateway Security 400 Series appliance and a remote Symantec Gateway Security 5400 Series appliance or Symantec Enterprise Firewall, set the compression to NONE on the remote gateway.
Understanding VPN policies
For each phase of negotiation, the appliance uses a policy, which is a predefined set of parameters. The appliance supports two types of security policies, Global IKE and VPN.
Global IKE Policy (Phase 1, non-configurable, except for SA lifetime parameter)
The security gateway includes a predefined global IKE policy that automatically applies to your IKE Phase 1 negotiations for all tunnels defined on the security gateway. This global IKE policy works in conjunction with the VPN policy you configure for Phase 2 negotiations. The Global IKE Policy provides the parameters that define Phase 1 negotiations of the IKE tunnel, while the VPN policy you configure and select provides the parameters for Phase 2 negotiations. There can only be one global IKE policy on a security gateway.
The only parameter in the Global IKE Policy whose setting can be changed is the SA (security association) Lifetime, which specifies the period of time after which the tunnel rekeys (in minutes). This parameter is located in VPN > Advanced > Global IKE Settings (Phase 1 Rekey). The default is 1080 minutes (18 hours). The other parameters cannot be altered.
When two security gateways are negotiating Phase 1, the first security gateway sends a list of proposals, called a transform proposal list. The security gateway to which it is connecting then selects a proposal from the list that it likes best, generally the strongest available option. You cannot change the transform proposal list on the appliance; however this information may be useful to give to the remote gateway administrator. Table 6-1 lists the order of the Symantec Gateway Security 400 IKE proposals.
Table 6-1 IKE proposal order
Data privacy Data integrity Diffie-Hellman
3DES SHA1 Group 5
3DES MD5 Group 5
3DES SHA1 Group 2
3DES MD5 Group 2
DES SHA1 Group 1
DES MD5 Group 1
Some settings are configurable at a global level for client-to-gateway tunnels. See “Configuring global policy settings for client-to-gateway VPN tunnels” on page 79.
Page 67
VPN Policies (Phase 2, configurable)
The security gateway includes the following four pre-defined, configurable VPN policies that apply to Phase 2 tunnel negotiations:
Ike_default_crypto
Ike_default_crypto_strong
Static_default_crypto
Static_default_crypto_strong
Rather than configuring data privacy, data integrity, and data compression algorithms for each tunnel you create, the security gateway lets you configure standard, reusable VPN policies and then later associate them with multiple secure tunnels. You can select a pre-defined policy, or you can create your own using the VPN Policies tab.
VPN policies group together common characteristics for tunnels, and allow rapid setup of additional tunnels with the same characteristics. The security gateway also includes a handful of commonly used VPN policies for both static and dynamic tunnels.
You can define more than one VPN policy, varying the components you select for each one. If you do this, ensure that your naming conventions let you distinguish between policies that use the same encapsulation mode. When you are ready to create your secure tunnels, clearly defined naming conventions will make selecting the correct VPN policy easier.
Note: You cannot delete pre-defined VPN policies.
Creating custom Phase 2 VPN policies
VPN Policies are pre-configured for typical VPN setups. If you require customized settings (for compatibility with third-party equipment, for example), then you can create a custom Phase 2 Policy.
A VPN policy groups together common characteristics for VPN tunnels. Rather than configuring data privacy, data integrity, and data compression algorithms for each tunnel that you create, you can configure standard, reusable VPN policies, and then apply them to multiple secure tunnels.
Note: Configuring a VPN policy is optional for dynamic tunnels.
To create a custom Phase 2 VPN policy
See “VPN Policies tab field descriptions” on page 151.
1 In the SGMI, in the left pane, click VPN.
2 In the right pane, on the VPN Policies tab, under IPsec Security Association (Phase 2) Parameters, in the Name text box, type a name for the VPN policy.
3 To edit an existing policy, from the VPN Policy drop-down list, select a VPN policy.
4 On the Data Integrity (Authentication) drop-down list, select a type of authentication.
5 On the Data Confidentiality (Encryption) drop-down list, select an encryption type.
6 In the SA Lifetime text box, type the number of minutes you want the security association to stay alive before a rekey occurs.
The VPN tunnel is temporarily interrupted when rekeys occur.
7 In the Data Volume Limit text box, type the number of kilobytes of traffic to allow before a rekey occurs.
8 In the Inactivity Timeout text box, type the number of minutes of inactivity before a rekey occurs.
Page 68
9 To use Perfect Forward Secrecy, do the following:
On the Perfect Forward Secrecy drop-down list, select a Diffie-Hellman group.
Next to Perfect Forward Secrecy, click Enable.
10 Click Add.
Viewing VPN Policies List
The VPN Policies List section of the VPN Policies window displays a summary of each VPN Policy that is configured on the appliance. Table 6-2 defines each field in the VPN Policies List summary.
Table 6-2 VPN Policies List fields
Name: Displays the name of the VPN Policy.
Encryption Method: Displays the encryption method selected for the VPN Policy.
SA Lifetime: Displays the configured SA Lifetime setting.
Data Volume Limit: Displays the configured Data Volume Limit setting.
Inactivity Timeout: Displays the configured inactivity timeout setting.
PFS: Shows the Perfect Forward Secrecy setting.
Identifying users
The appliance lets you configure two types of VPN clients: static users and dynamic users with extended authentication.
Understanding user types
Defined users authenticate directly with the security gateway when connecting through a VPN tunnel. Static users are defined on the security gateway Client Users tab. Users with extended authentication are not defined on the security gateway; they are defined on a RADIUS authentication server. You must configure the appliance to support remote administration of users with extended authentication.
Defined users
These users authenticate using a client ID (user name) and pre-shared key that you assign to them. They enter the user name and password in their client software. That information is then sent when they attempt to create a VPN tunnel to the security gateway.
These users are defined on the appliance, and may also use extended authentication.
Users with extended authentication
Users with extended authentication are not defined on the appliance; rather, they use extended authentication with RADIUS to authenticate their tunnels. You define these users on the RADIUS server.
When a user with extended authentication attempts to authenticate, the appliance looks for that user name in the defined users list. When it does not find the user there, the appliance then uses the shared secret used by the client software. This shared secret should match the secret on the Advanced screen for the security gateway to which it is connecting. The appliance then starts extended authentication and prompts for whatever information the RADIUS server requires (such as a user name or password). The RADIUS server authenticates the user and returns the RADIUS group of the user to the security gateway. The security gateway checks that the group matches one of the client tunnels and that the group is allowed to connect to the WAN, LAN, or WLAN. If so, the user’s tunnel is established.
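The authentication flow described above (look the client ID up among defined users, otherwise fall back to the dynamic-client shared secret and RADIUS extended authentication, then match the returned RADIUS group against a client tunnel's RADIUS Group Binding and its allowed networks), modelled as an added example that is not code from the manual or the appliance. The class and function names, the fake_radius stand-in and the "bob", "alice", "Staff" and "Sales" values are constructed here.

```python
"""Model of the VPN client authentication flow described on this page for
defined (static) users and users with extended authentication.

Added example, not the appliance's own code. The RADIUS server is replaced by
a constructed lookup function that returns the user's RADIUS group (the value
a real server would send in the filterID attribute) or None on failure.
"""
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class ClientUser:                       # entry on the Client Users tab
    user_name: str
    pre_shared_key: str
    vpn_group: str
    enabled: bool = True


@dataclass
class ClientTunnel:                     # entry on the Client Tunnels tab
    vpn_group: str
    extended_auth: bool = False         # Enable Extended User Authentication
    radius_group_binding: str = ""      # RADIUS Group Binding text box
    allowed_networks: frozenset = frozenset({"LAN"})   # WAN, LAN, WLAN


@dataclass
class Appliance:
    users: dict                         # user_name -> ClientUser
    tunnels: list
    dynamic_psk: Optional[str] = None   # Advanced tab dynamic-client key; None = disabled


def _same_secret(expected, given):
    # Constant-time comparison so the check does not leak key length or prefix.
    return hmac.compare_digest(expected.encode(), given.encode())


def authenticate(app, user_name, key, radius_auth, radius_credentials, network="LAN"):
    """Return the VPN group whose tunnel is established, or None if refused."""
    user = app.users.get(user_name)
    if user is not None:
        # Defined user: client ID and pre-shared key come from the Client Users tab.
        if not user.enabled or not _same_secret(user.pre_shared_key, key):
            return None
        tunnel = next((t for t in app.tunnels if t.vpn_group == user.vpn_group), None)
        if tunnel is None or network not in tunnel.allowed_networks:
            return None
        if tunnel.extended_auth:        # defined users may also use extended authentication
            if radius_auth(radius_credentials) != tunnel.radius_group_binding:
                return None
        return tunnel.vpn_group
    # Not a defined user: the dynamic-client shared secret must match, then RADIUS decides.
    if app.dynamic_psk is None or not _same_secret(app.dynamic_psk, key):
        return None
    radius_group = radius_auth(radius_credentials)
    if radius_group is None:
        return None
    for tunnel in app.tunnels:
        if tunnel.extended_auth and tunnel.radius_group_binding == radius_group:
            # The group must match a client tunnel and be allowed onto the requested network.
            return tunnel.vpn_group if network in tunnel.allowed_networks else None
    return None


# Constructed RADIUS stand-in: credentials -> RADIUS group (filterID) or None.
_RADIUS_DB = {("alice", "alice-pass"): "sales"}


def fake_radius(credentials):
    return _RADIUS_DB.get(credentials)


def demo_appliance():
    """Constructed configuration: one static user, one extended-authentication tunnel."""
    return Appliance(
        users={"bob": ClientUser("bob", "bob-key", "Staff")},
        tunnels=[ClientTunnel("Staff"),
                 ClientTunnel("Sales", extended_auth=True, radius_group_binding="sales",
                              allowed_networks=frozenset({"LAN", "WAN"}))],
        dynamic_psk="dynamic-psk",
    )
```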
Page 69
Ensure that you obtain all pertinent authentication information from your RADIUS administrator to pass on to your users with extended authentication.
Defining users
To define users
Static users must be defined on the appliance, and may also use extended authentication. Dynamic users must use extended authentication and are not defined on the appliance.
To configure users
See “Client Users tab field descriptions” on page 150.
1 In the SGMI, in the left pane, click VPN.
2 In the right pane, on the Client Users tab, under VPN User Identity, in the User Name text box, type the name of a new user.
3 To edit an existing user, in the User drop-down list, select a user.
4 Check Enable.
5 In the Pre-shared Key text box, type the pre-shared key.
6 From the VPN Group drop-down list, select a VPN group for the user to join.
7 Click Add.
To configure users with extended authentication
See “Advanced tab field descriptions” on page 153.
1 In the SGMI, in the left pane, click VPN.
2 On the Advanced tab, in the Dynamic VPN Client Settings section, do the following:
Check Enable Dynamic VPN Client Tunnels.
In the Pre-shared Key text box, type a key that your dynamic users will enter in their client software.
3 In the RADIUS Settings section, do the following:
Primary RADIUS Server: Type the IP address or fully qualified domain name of the RADIUS server.
Secondary RADIUS Server: Type the IP address or fully qualified domain name of the RADIUS server that the security gateway uses for authentication should the primary server become unavailable.
Authentication Port (UDP): Type the port on the RADIUS server on which the RADIUS service runs.
Shared Secret or Key: Type the RADIUS server key.
4 Click Save.
5 On the Client Tunnels tab, in the VPN Group drop-down list, select the VPN group to which the users that use extended authentication belong.
6 Under Extended User Authentication, do the following:
Check Enable Extended User Authentication.
In the RADIUS Group Binding text box, type the name of the user’s RADIUS group.
The RADIUS group is assigned to the user on the RADIUS server. The RADIUS server must return the value that you type in the RADIUS Group Binding text box in the filterID attribute.
7 Click Save.
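The authentication decision described under “Identifying users” and configured in the procedure above, modeled in Python as an added example (not Symantec code): the user list, the dynamic-client pre-shared key, the client tunnel definitions and the RADIUS server are all constructed stand-ins, and the RADIUS exchange is reduced to a lookup that returns the Filter-Id attribute.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class DefinedUser:
    """A static user from the Client Users tab."""
    name: str
    psk: str
    vpn_group: str
    enabled: bool = True

@dataclass
class ClientTunnel:
    """A Group Tunnel Definition from the Client Tunnels tab."""
    vpn_group: str
    wan_side: bool
    lan_side: bool                  # WLAN is treated the same as LAN here
    extended_auth: bool = False
    radius_group_binding: str = ""

@dataclass
class Appliance:
    users: List[DefinedUser]
    tunnels: List[ClientTunnel]
    dynamic_tunnels_enabled: bool   # Advanced > Dynamic VPN Client Settings
    dynamic_psk: str                # key typed into dynamic users' client software

# Constructed stand-in for the RADIUS server: user -> (password, Filter-Id).
RADIUS_DB = {
    "alice": ("alice-password", "vpn-engineering"),
    "bob": ("bob-password", "vpn-contractors"),
}

def radius_authenticate(user: str, password: str) -> Optional[str]:
    """Return the Filter-Id (RADIUS group) for a valid login, else None."""
    entry = RADIUS_DB.get(user)
    if entry is None or entry[0] != password:
        return None
    return entry[1]

def evaluate(appliance: Appliance, client_id: str, psk: str, side: str,
             xauth: Optional[Tuple[str, str]] = None) -> Tuple[bool, str]:
    """Decide whether a client tunnel is established and say why.
    client_id: user name presented in Phase 1; psk: key in the client software;
    side: "WAN" or "LAN" (use "LAN" for WLAN); xauth: (user, password) typed
    when extended authentication prompts.
    """
    defined = next((u for u in appliance.users if u.name == client_id), None)
    if defined is not None:
        # Static user: the key is the one entered for that user.
        if not defined.enabled:
            return False, "user is disabled"
        if defined.psk != psk:
            return False, "pre-shared key mismatch"
        tunnel = next((t for t in appliance.tunnels
                       if t.vpn_group == defined.vpn_group), None)
        if tunnel is None:
            return False, f"no client tunnel for VPN group {defined.vpn_group}"
        if tunnel.extended_auth:
            group = radius_authenticate(*xauth) if xauth else None
            if group != tunnel.radius_group_binding:
                return False, "extended authentication failed"
    else:
        # Not in the user list: fall back to the dynamic-client shared secret.
        if not appliance.dynamic_tunnels_enabled:
            return False, "dynamic VPN client tunnels are disabled"
        if appliance.dynamic_psk != psk:
            return False, "dynamic pre-shared key mismatch"
        if xauth is None:
            return False, "extended authentication required"
        group = radius_authenticate(*xauth)
        if group is None:
            return False, "RADIUS rejected the credentials"
        # The returned Filter-Id must equal a tunnel's RADIUS Group Binding.
        tunnel = next((t for t in appliance.tunnels if t.extended_auth
                       and t.radius_group_binding == group), None)
        if tunnel is None:
            return False, f"no client tunnel bound to RADIUS group {group}"
    allowed = tunnel.wan_side if side == "WAN" else tunnel.lan_side
    if not allowed:
        return False, f"group {tunnel.vpn_group} not enabled on the {side} side"
    return True, f"tunnel established for VPN group {tunnel.vpn_group}"

# Constructed appliance configuration: one static user, two VPN groups.
APPLIANCE = Appliance(
    users=[DefinedUser("carol", "carol-psk", "Group1")],
    tunnels=[
        ClientTunnel("Group1", wan_side=True, lan_side=True),
        ClientTunnel("Group2", wan_side=True, lan_side=False,
                     extended_auth=True, radius_group_binding="vpn-engineering"),
    ],
    dynamic_tunnels_enabled=True,
    dynamic_psk="dynamic-shared-secret",
)
```

A failed decision returns the reason string, which is the first thing to compare against the SGMI settings when a client cannot bring its tunnel up.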
Page 70
Viewing the User List
The User List section in the Client Users window displays a summary of each static user that is configured on the appliance. Table 6-3 defines each field in the summary.
Table 6-3 User list fields
Field | Description
User Name | User name entered for the static VPN user.
Enable | Indicates whether a particular user can establish VPN tunnels to the security gateway.
Pre-Shared Key | Displays the pre-shared key entered for the user.
VPN Group | Lists the VPN Groups for which a user is configured.
Configuring gateway-to-gateway tunnels
Gateway-to-gateway tunnels help secure your internal network by providing a secure bridge to an external LAN. There are several tasks involved in successfully securing the network with gateway-to-gateway tunnels. The following section describes the gateway-to-gateway tunnels, and then provides procedures for configuring the tunnels.
Understanding gateway-to-gateway tunnels
You might want to make your network resources available to an outside group, such as another office of the company. Instead of requiring each user on the second network to establish their own, private secure connection, you can create one gateway-to-gateway tunnel, which makes resources on each network available to the other. This type of tunnel is LAN-to-LAN, instead of user-to-LAN.
The appliance supports gateway-to-gateway tunnel configurations. A gateway-to-gateway configuration is created when two security gateways are connected, through an internal network, or the Internet, from WAN port to WAN port.
Figure 6-1 Gateway-to-gateway VPN tunnel configuration
This type of network configuration usually connects two subnets on the same network or, as shown in Figure 6-1, two remote offices through the Internet. Once a VPN tunnel is established, users protected by a security gateway at one site can establish a tunneled connection to the security gateway protecting the remotely located site. The remote user can connect to and access the resources of the private network as if the remote workstation were physically located inside the protected network.
Page 71
The Symantec Gateway Security 400 Series can connect to another Symantec Gateway Security 400 Series appliance or to one of the following appliances:
Symantec Gateway Security 5400 Series
Symantec Gateway Security 300 Series
Symantec Firewall/VPN Appliance
Symantec Gateway Security 400 Series security gateways support creating a VPN tunnel to up to five remote subnets behind Symantec Enterprise Firewall or Symantec Gateway Security 5400 Series appliances, but not to another Symantec Gateway Security 400 Series appliance or Symantec Firewall/VPN Appliance. Tunnels between two Symantec Gateway Security 400 Series appliances are only made to the subnet on the LAN side of the appliance and only support the first set (subnet/mask) of the five sets of fields, which you define on the VPN > Dynamic Tunnels or VPN > Static Tunnels tabs.
If you have another (additional) subnet on the LAN side of the Symantec Gateway Security 400 Series security gateway, VPN client tunnels to the LAN side of the security gateway are not supported for computers on this separate subnet. Only computers residing on the appliance subnet (found on the LAN IP screen) are supported for LAN/WLAN-side VPN tunnels.
You can also create global gateway-to-gateway tunnels. See “Understanding global tunnels” on page 77.
Note: Gateway-to-gateway VPN tunnels are supported on the appliance’s WAN ports; you cannot define gateway-to-gateway VPN tunnels on the appliance’s LAN or WLAN ports.
Supported gateway-to-gateway VPN tunnels
The Symantec Gateway Security 400 Series appliance lets you configure two types of gateway-to-gateway VPN tunnels:
Dynamic: The security gateway comes with a predefined global IKE policy that automatically applies to your IKE Phase 1 negotiations. You can change the setting of the SA Lifetime parameter in the Global IKE Policy. SA Lifetime specifies the interval (in minutes) at which the tunnel rekeys. This parameter is located in VPN > Advanced > Global IKE Settings (Phase 1 Rekey).
Static: Static gateway-to-gateway configurations require you to manually enter tunnel parameters at each security gateway. Both ends must have the same parameters, including secret keys, security parameter indexes (SPIs), authentication schemes, and encryption methods.
See “Configuring gateway-to-gateway tunnels” on page 70. See “Configuring static gateway-to-gateway tunnels” on page 73.
Gateway-to-gateway VPN tunnel persistence and high-availability
After the security gateway restarts, dynamic gateway-to-gateway VPN tunnels are re-established. Dynamic gateway-to-gateway VPN tunnels are also re-established if the WAN port status changes from disconnected to connected. This feature reduces management overhead by providing automatic reconnection of tunnels.
If the VPN tunnel fails to establish after two attempts, the security gateway waits between one and five minutes before attempting to reconnect. This process continues until the VPN tunnel is re-established.
If there is a network failure, the security gateway automatically re-establishes the VPN tunnel through a backup port (WAN port or serial port). If the IP address of the security gateway changes, it re-establishes gateway-to-gateway VPN tunnels with the remote gateway using the new IP address.
Gateway-to-gateway VPN tunnel interoperability
When Symantec Gateway Security 5400 Series or Symantec Enterprise Firewall initiates a gateway-to-gateway tunnel to a Symantec Gateway Security 400 Series appliance, it begins negotiation in Main Mode.
Page 72
The Symantec Gateway Security 400 Series VPN tunnel definition must be Main Mode (default), or the VPN tunnel will not be established. The Symantec Gateway Security 5400 Series and Symantec Enterprise Firewall, by contrast, accept either Main Mode or Aggressive Mode Phase 1 negotiations from a remote gateway. When initiating a VPN tunnel to Symantec Gateway Security 5400 Series or Symantec Enterprise Firewall, configure the Symantec Gateway Security 400 Series appliance to use Main Mode so that the tunnel is still established if the remote end initiates it.
When a non-Symantec gateway initiates a VPN tunnel to a Symantec Gateway Security 400 Series appliance, the appliance accepts the mode set by the administrator on the tunnel definition.
When a Symantec Gateway Security 400 Series appliance initiates a VPN tunnel to a non-Symantec security gateway, the appliance should use the mode set by the administrator on the tunnel definition; the default setting is Main Mode. If Main Mode is not used, rekeying may fail if the remote security gateway tries to rekey first.
Creating VPN tunnels to Symantec Gateway Security 5400 Series clusters
To create a VPN tunnel to a Symantec Gateway Security 5400 Series appliance high-availability/load balancing cluster, define the VPN tunnel using the virtual IP address of the cluster. Tunnels between Symantec Gateway Security 400 Series and Symantec Gateway Security 5400 Series appliances are supported in high-availability mode only.
Configuring dynamic gateway-to-gateway tunnels
Dynamic tunnels, also known as IKE (Internet Key Exchange) tunnels, automatically generate authentication and encryption keys. Typically, a long password, called a pre-shared key (also known as a shared secret), is entered. The target security gateway must recognize this key for authentication to succeed. If the key matches, then Security Parameter Index (SPI), authentication, and encryption keys are automatically generated and the tunnel is created. The security gateway usually re-keys (generates a new key) automatically at set intervals to ensure the continued integrity of the key.
Dynamic tunnels always use the Global IKE Policy for Phase 1 negotiation. Each tunnel uses its own VPN Policy for Phase 2. The default Phase 1 mode is Main Mode. A dynamic tunnel supports up to five remote subnets, or it can be enforced as a global tunnel. If a global tunnel is enforced, all traffic leaving the unit on the WAN port goes through the tunnel; only one tunnel per WAN port can force a global tunnel. You may configure up to 50 tunnel definitions per unit.
See “Understanding global tunnels” on page 77.
Configuration tasks for dynamic gateway-to-gateway tunnels
Table 6-4 summarizes the tasks that are required to configure dynamic gateway-to-gateway VPN tunnels.
Note: Complete each step in Table 6-4 twice: first for the local security gateway and then for the remote security gateway.
Table 6-4 Dynamic gateway-to-gateway configuration tasks
Task | Location in SGMI
Configure a VPN Policy (Phase 2 IKE negotiation) (Optional) | VPN > VPN Policies
Create a dynamic tunnel | VPN > Dynamic Tunnels
Define IPsec Security Association Parameters (select VPN Policy) | VPN > Dynamic Tunnels > IPsec Security Association
Define the local security gateway | VPN > Dynamic Tunnels > Local Security Gateway
Define the remote security gateway | VPN > Dynamic Tunnels > Remote Security Gateway
Repeat the above steps for the remote security gateway. |
Page 73
To configure a dynamic gateway-to-gateway tunnel
For information on creating global tunnels, see “Understanding global tunnels” on page 77.
See “Dynamic Tunnels tab field descriptions” on page 145.
1 In the left pane, click VPN.
2 On the Dynamic Tunnels tab, in the Name text box, type a name for the new tunnel.
To edit an existing tunnel, from the VPN Tunnel drop-down list, select a VPN tunnel.
3 Check Enable VPN Tunnel.
4 On the VPN Policy drop-down list, select the VPN policy that you want to bind to the tunnel.
5 If you have a multi-session PPPoE ISP account, under Local Security Gateway, in the PPPoE Session drop-down list, select the PPPoE session that you want to bind to the tunnel.
If you do not have a multi-session PPPoE ISP account, skip this step.
6 For models 460 and 460R, on the Local Endpoint drop-down list, select an endpoint for the tunnel.
7 On the ID Type drop-down list, select a Phase 1 ID type.
8 In the Phase 1 ID text box, type the Phase 1 ID.
9 Under Remote Security Gateway, do the following:
In the Gateway Address text box, type the remote gateway address.
Optionally, in the ID Type drop-down list, select a Phase 1 ID type.
Optionally, in the Phase 1 ID text box, type the Phase 1 ID.
In the Pre-Shared Key text box, type a key.
In each Remote Subnet IP text box, type the IP address of the destination network.
When defining a global tunnel to Symantec Enterprise Firewall or Symantec Gateway Security 5400 Series appliance, for the remote gateway, enter 0.0.0.0 for the remote subnet IP address. For global tunnels to another Symantec Gateway Security 400 Series appliance, enter 0.0.0.0 for the remote subnet IP address.
In each Mask text box, type the netmask of the destination network.
When defining a global tunnel to Symantec Enterprise Firewall or Symantec Gateway Security 5400 Series appliance, for the remote gateway, enter 0.0.0.0 for the netmask.
For global tunnels to another Symantec Gateway Security 400 Series appliance, enter 255.0.0.0 for the netmask.
10 Click Add.
Configuring static gateway-to-gateway tunnels
Static tunnels do not use any information from the Global IKE Policy (Phase 1 negotiation). You must manually type all of the information necessary to establish the tunnel. However, you can define a VPN Policy for Phase 2 negotiation.
Page 74
When defining static tunnels, you must enter an authentication key, as well as an encryption key (if encryption is used). The keys must match on both sides of the VPN. In addition, a Security Parameter Index (SPI) is manually typed and included with every packet transmitted between security gateways. The SPI is a unique gateway identifier that indicates the set of keys that belongs to each packet.
A static tunnel supports up to five remote subnets, or it can be enforced as a global tunnel. If a global tunnel is enforced, all traffic leaving the unit on the WAN port goes through the tunnel; only one tunnel per WAN port can force a global tunnel. You may configure up to 50 tunnel definitions per unit.
See “Understanding global tunnels” on page 77.
Encryption and authentication key lengths
When you define a static tunnel, you must type an encryption key and an authentication key. Each key has a specific key length based on the method that you chose. For each method, a key length is shown for both ASCII characters and Hex characters. Table 6-5 defines encryption key lengths.
Table 6-5 Encryption key lengths
Method | Key length in character bytes | Key length in Hex (characters, including the 0x prefix)
DES | 8 | 18 (0x + 16 hex digits)
3DES | 24 | 50 (0x + 20 hex digits)
AES-128 | 16 | 18 (0x + 20 hex digits)
AES-192 | 24 | 50 (0x + 20 hex digits)
AES-256 | 32 | 66 (0x + 20 hex digits)
Table 6-6 defines authentication key lengths.
Table 6-6 Authentication key lengths
Method | Key length in character bytes | Key length in Hex (characters, including the 0x prefix)
MD5 | 16 | 34 (0x + 16 hex digits)
SHA1 | 20 | 42 (0x + 20 hex digits)
Configuration tasks for static gateway-to-gateway tunnels
Table 6-7 describes the tasks that are required to configure a static gateway-to-gateway VPN tunnel.
Note: Complete each step in Table 6-7 twice; first for the local security gateway, and then for the remote security gateway.
Table 6-7 Static gateway-to-gateway configuration tasks
Task | Location in SGMI
Configure a VPN Policy (Phase 2 IKE negotiation) (Optional) | VPN > VPN Policies
Create a static tunnel | VPN > Static Tunnels
Define IPsec Security Association Parameters | VPN > Static Tunnels > IPsec Security Association
Define the remote security gateway | VPN > Static Tunnels > Remote Security Gateway
Repeat the previous steps for the remote security gateway |
Page 75
To add a static gateway-to-gateway tunnel
See “Static Tunnels tab field descriptions” on page 148.
1 In the SGMI, in the left pane, click VPN.
2 In the right pane, on the Static Tunnels tab, under IPsec Security Association, in the Tunnel Name text box, type a name for the tunnel.
To edit an existing static tunnel, on the VPN Tunnel drop-down list, select a VPN tunnel.
3 Check Enable VPN Tunnel.
4 If you have a multi-session PPPoE ISP account, under Local Security Gateway, in the PPPoE Session drop-down list, select the PPPoE session that you want to bind to the tunnel. If you do not have a multi-session PPPoE ISP account, skip this step.
5 For models 460 and 460R, on the Local Endpoint drop-down list, select the endpoint for the tunnel.
6 In the Incoming SPI text box, type the incoming SPI; it must match the outgoing SPI on the remote side.
7 In the Outgoing SPI text box, type the outgoing SPI; it must match the incoming SPI on the remote side.
8 On the VPN Policy drop-down list, select the VPN policy that you want to bind to the tunnel.
Use an existing VPN policy or create a new one.
See “Understanding VPN policies” on page 66.
9 In the Encryption Key text box, type the encryption key to match the chosen VPN policy.
The entry length must match the chosen VPN policy.
10 In the Authentication Key text box, type the authentication key to match the chosen VPN policy.
11 Under Remote Security Gateway, in the Gateway Address text box, type the address of the remote security gateway (the gateway address of the Symantec Enterprise VPN).
12 Next to NetBIOS Broadcast, click Disable.
13 Next to Global Tunnel, click Disable.
14 In the Remote Subnet IP text boxes, type the IP address of the remote subnet of the destination network.
When defining a global tunnel to a Symantec Enterprise Firewall or Symantec Gateway Security 5400 Series appliance, for the remote gateway, enter 0.0.0.0 for the remote subnet IP address.
For global tunnels to another Symantec Gateway Security 400 Series appliance, enter 0.0.0.0 for the remote subnet IP address.
15 In the Mask text boxes, type the netmask of the destination network.
When defining a global tunnel to a Symantec Enterprise Firewall or Symantec Gateway Security 5400 Series appliance, for the remote gateway, enter 0.0.0.0 for the netmask.
For global tunnels to another Symantec Gateway Security 400 Series appliance, enter 255.0.0.0 for the netmask.
16 Click Add.
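An added helper (not part of the product) for the key lengths in Tables 6-5 and 6-6 and for the mirrored SPI and key values in steps 6 to 10 above; it takes the byte lengths from the tables and assumes that a hex key is the 0x prefix followed by two hex digits per key byte, and that a key without the 0x prefix is taken as ASCII.

```python
import secrets
from typing import Dict, List, Optional

# Key length in bytes per method (the "character bytes" column of Tables 6-5 and 6-6).
ENCRYPTION_KEY_BYTES = {"DES": 8, "3DES": 24, "AES-128": 16, "AES-192": 24, "AES-256": 32}
AUTHENTICATION_KEY_BYTES = {"MD5": 16, "SHA1": 20}
HEX_DIGITS = set("0123456789abcdefABCDEF")

def key_bytes_for(method: str) -> int:
    """Required key length in bytes for an encryption or authentication method."""
    m = method.upper()
    if m in ENCRYPTION_KEY_BYTES:
        return ENCRYPTION_KEY_BYTES[m]
    if m in AUTHENTICATION_KEY_BYTES:
        return AUTHENTICATION_KEY_BYTES[m]
    raise ValueError(f"unknown method: {method}")

def normalize_key(method: str, key: str) -> bytes:
    """Validate a key typed in ASCII or 0x-hex form and return its raw bytes.
    Raises ValueError when the length does not fit the method, which is the check
    to make before typing the key on the Static Tunnels tab."""
    n = key_bytes_for(method)
    if key[:2].lower() == "0x":
        digits = key[2:]
        if len(digits) != 2 * n or any(c not in HEX_DIGITS for c in digits):
            raise ValueError(f"{method}: need 0x + {2 * n} hex digits, got {len(digits)}")
        return bytes.fromhex(digits)
    raw = key.encode("ascii")          # a non-ASCII character raises here
    if len(raw) != n:
        raise ValueError(f"{method}: need {n} ASCII characters, got {len(raw)}")
    return raw

def key_problem(method: str, key: str) -> Optional[str]:
    """Describe what is wrong with a key, or return None when it is acceptable."""
    try:
        normalize_key(method, key)
    except ValueError as e:
        return str(e)
    return None

def generate_key(method: str) -> str:
    """Generate a random key of the correct length in 0x-hex form."""
    return "0x" + secrets.token_hex(key_bytes_for(method))

def check_tunnel_pair(local: Dict[str, object], remote: Dict[str, object]) -> List[str]:
    """Check that both ends of a static tunnel are mirror images of each other.
    Each side is a dict with the Static Tunnels tab fields: incoming_spi, outgoing_spi,
    encryption_method, encryption_key, authentication_method, authentication_key.
    Returns the list of disagreements; an empty list means the two definitions match."""
    problems = []
    if local["incoming_spi"] != remote["outgoing_spi"]:
        problems.append("local incoming SPI != remote outgoing SPI")
    if local["outgoing_spi"] != remote["incoming_spi"]:
        problems.append("local outgoing SPI != remote incoming SPI")
    for kind in ("encryption", "authentication"):
        meth_l, meth_r = local[f"{kind}_method"], remote[f"{kind}_method"]
        if meth_l != meth_r:
            problems.append(f"{kind} method differs: {meth_l} vs {meth_r}")
            continue
        try:
            kl = normalize_key(meth_l, local[f"{kind}_key"])
            kr = normalize_key(meth_r, remote[f"{kind}_key"])
        except ValueError as e:
            problems.append(str(e))
            continue
        if kl != kr:
            problems.append(f"{kind} key differs between the two sides")
    return problems
```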
Sharing information with the remote gateway administrator
Use the worksheet in Table 6-8 to list the administration information that you should provide to the administrator of the remote appliance.
Table 6-8 Configuration information to provide the remote gateway administrator
Information | Value
IP address |
Authentication key (static tunnel) |
Encryption key (static tunnel) |
SPI (static tunnel) |
Pre-shared key |
Local subnet/mask |
VPN policy encryption method |
VPN policy authentication method |
(Optional) Local phase 1 ID |
Page 76
Configuring client-to-gateway VPN tunnels
Client-to-gateway VPN tunnels let remote users running the Symantec Client VPN software (or any IPsec-compliant VPN client software) safely connect over the Internet to a network secured by a Symantec security gateway.
Understanding Client-to-Gateway VPN tunnels
Symantec Gateway Security 400 Series models 460 and 460R support client-to-gateway VPN tunnel configurations. A client-to-gateway configuration is created when a workstation, running Symantec Client VPN software, connects to the security gateway from either inside the protected network or from a remote location through the Internet. This minimizes costs associated with modem pools and costly 800 dial-up charges, as clients can use ISPs with local dial-up numbers to transparently connect to the security gateway.
Note: Wireless clients can use client-to-gateway tunnels to secure their connections. See Symantec Gateway Security 300/400 Series Wireless Implementation Guide.
When Symantec Client VPN begins to negotiate a VPN tunnel with the security gateway, it does so in Aggressive mode. The security gateway will respond to this negotiation. Client-to-gateway VPN tunnels are always initiated by the client and are always in Aggressive mode.
See “Gateway-to-gateway VPN tunnel interoperability” on page 71.
Page 77
Once a VPN tunnel is established, remote users can connect to and safely access the resources of the private network, through the Internet, as if the remote workstation was physically located inside the protected network (see Figure 6-2).
Figure 6-2 Client-to-gateway VPN tunnel configuration (diagram: one Symantec Client VPN workstation on the WAN and three Symantec Client VPN workstations on the LAN, each with a tunnel to a Symantec Gateway Security 400 Series appliance)
In this diagram, a client establishes a tunnel remotely through the WAN and three internal clients establish a tunnel internally through the LAN.
For each VPN group, you can define network settings to download to the client during Phase 1 configuration mode. The settings include the primary and secondary DNS servers, the WINS servers, and the primary domain controller. By pushing this information to the clients during configuration mode, each client will not have to configure them individually, saving management time, and reducing the possibility of error.
For LAN-side VPN client tunnels, the only subnet that the client can access is the one defined on the LAN IP screen.
See “Configuring LAN IP settings” on page 49.
Symantec client-to-gateway VPN tunnels require a client ID and a shared key. You can also apply extended authentication using a RADIUS server to client-to-gateway VPN tunnels for additional authentication.
See “Defining users” on page 69.
You can configure two types of client-to-gateway users when configuring VPN tunnels: dynamic and static.
See “Identifying users” on page 68.
Understanding global tunnels
When a client establishes a VPN tunnel on the LAN, a global tunnel (0.0.0.0) is configured for the client. This forces all client traffic through the VPN tunnel terminating at the appliance. This is useful for untrusted networks, such as wireless, to keep traffic secure.
When establishing a tunnel on the WAN, the appliance’s subnet (192.168.0.0 by default) is configured for the client and allows a split tunnel so that the client can still access the Internet directly and only traffic destined for the LAN is sent through the VPN tunnel.
Global tunnels terminating on the WAN port of a Symantec Gateway Security 400 Series appliance are only able to access networks on the LAN side of the appliance. When the VPN traffic arrives on the WAN port, it is decrypted and sent out on the LAN. The appliance does not support the transmission of decrypted VPN traffic on the WAN port. This means that, if a global tunnel is defined between two Symantec Gateway Security 400 Series appliances, traffic is only allowed to pass between the LAN of one appliance and the LAN of the other. No client can access the networks between the two appliances, including the Web.
Page 78
Configuration tasks for client-to-gateway VPN tunnels
Table 6-9 describes the tasks that are required to configure a client-to-gateway VPN tunnel.
Table 6-9 Client-to-gateway VPN tunnel configuration tasks
Task | SGMI
Configure a VPN Policy (Phase 2 IKE negotiation) (optional) | VPN > VPN Policies
Select the VPN policy that applies to the tunnel | VPN > Advanced > Global VPN Client Settings
Identify remote users | VPN > Client Tunnels > VPN User Identity
Enable client tunnel for selected VPN Group | VPN > Client Tunnels > Group Tunnel Definition
Optionally, configure VPN network parameters (pushed to client during negotiations) | VPN > Client Tunnels > VPN Network Parameters
Optionally, configure RADIUS authentication | VPN > Advanced > RADIUS Settings; VPN > Client Tunnels > Extended User Authentication
Optionally, configure Antivirus Policy Enforcement (AVpe) | VPN > Client Tunnels > Antivirus Policy
Defining client VPN tunnels
This section describes how to define client VPN tunnels.
To define client tunnels
See “Client Tunnels tab field descriptions” on page 149.
1 In the SGMI, in the left pane, click VPN.
2 In the right pane, on the Client Tunnels tab, under Group Tunnel Definition, in the VPN Group drop-down list, select a VPN group.
3 To enable client VPNs for the chosen VPN Group on WAN or WLAN/LAN connections, click one of the following:
Enable client VPNs on WAN side
Enable client VPNs on WLAN/LAN side
4 Optionally, under VPN Network Parameters, in the Primary DNS text box, type the name of the primary DNS server.
5 Optionally, in the Secondary DNS text box, type the name of the secondary DNS server.
Domain Name System or Service (DNS) is an Internet service that translates domain names into IP addresses.
6 Optionally, in the Primary WINS text box, type the name of the primary WINS server.
Windows Internet Naming Service (WINS) is a system that determines the IP address associated with a particular network computer.
7 Optionally, in the Secondary WINS text box, type the name of the secondary WINS server.
8 Optionally, in the Primary Domain Controller text box, type the name of the primary domain controller.
9 Optionally, under Extended User Authentication, check Enable Extended User Authentication.
10 Optionally, in the RADIUS Group Binding text box, type the RADIUS Group Binding name.
The RADIUS Group Binding name must match the filter ID parameter returned from the RADIUS server.
11 To enable Antivirus Policy Enforcement (AVpe), under WAN Client Policy, do the following:
Check Enable Antivirus Policy Enforcement.
Page 79
To log a warning to the Symantec Gateway Security log when a user that is not compliant with the AVpe policy connects, click Warn Only.
To stop the user’s traffic if they are not compliant with the AVpe policy, click Block Connections.
12 To enable content filtering, do the following:
Under VPN Network Parameters, in the Primary DNS text box, type the IP address or fully qualified domain name of the security gateway.
Under WAN Client Policy, check Enable Content Filtering.
To permit traffic and block other traffic, click Use Allow List.
To block traffic and permit other traffic, click Use Deny List.
13 Click Update.
Configuring global policy settings for client-to-gateway VPN tunnels
Some settings are configurable at a global level for client-to-gateway VPN tunnels. These settings configure the Phase 1 ID type for all client VPN tunnels connecting to the security gateway.
These settings are shared by all three VPN groups.
To configure global policy settings for client-to-gateway VPN tunnels
See “Advanced tab field descriptions” on page 153.
1 In the SGMI, in the left pane, click VPN.
2 In the right pane, on the Advanced tab, under Global VPN Client Settings, do the following:
On the Local Gateway Phase 1 ID Type drop-down list, select an ID type.
In the Local Gateway Phase 1 ID text box, type the value that corresponds to the ID type you selected.
On the VPN Policy drop-down list, select a VPN policy to apply to all client tunnels.
3 Under Dynamic VPN Client Settings, do the following:
To enable dynamic users for all three VPN groups, click Enable Dynamic VPN Client Tunnels.
In the Pre-shared Key text box, type a string of characters for the key.
4 Click Save.
5 Click Update.
Sharing information with your clients
Use Table 6-10 to record information to give to your clients so that they may connect to the security gateway.
Table 6-10 Client configuration information
Information | Value
Gateway IP address or fully qualified domain name |
Pre-shared key (user) | Share this information only verbally or by other secure means.
Client ID |
RADIUS user name (Optional) |
RADIUS shared secret (user with extended authentication) (Optional) |
Phase 1 ID (Optional) |
Page 80
Monitoring VPN tunnel status
The VPN Status window lets you view the status of each configured dynamic and static gateway-to-gateway VPN tunnel. The status for static tunnels is either Enabled or Disabled; the status for dynamic tunnels is Connected, Enabled, or Disabled. The status for static tunnels is never Connected because there is no negotiation for static tunnels.
The information on the Status window is current as of when you select it; conditions may change while you are viewing the screen. Click Refresh to display the most current conditions.
To monitor VPN tunnel status
You can monitor tunnel status by verifying both ends of the tunnel, and by monitoring the Status window.
See “VPN Status tab field descriptions” on page 152.
To verify that the tunnel is operational on both ends
From a local host, issue a PING command to a computer on the remote network.
To refresh the information on the Status window
In the right pane, on the Status tab, on the bottom of the Status window, click Refresh.
Page 81
Chapter 7
Advanced network traffic control
This chapter includes the following topics:
How antivirus policy enforcement (AVpe) works
Before you configure AVpe
Configuring AVpe
Monitoring antivirus status
Verifying AVpe operation
About content filtering
Managing content filtering lists
Monitoring content filtering
How antivirus policy enforcement (AVpe) works
Advanced network traffic control features of the Symantec Gateway Security 400 Series appliance include antivirus policy enforcement (AVpe) and content filtering.
AVpe lets you monitor client antivirus configurations and, if necessary, enforce security policies to restrict network access to only those clients who are protected by antivirus software with the virus definitions defined by the policy master.
The appliance also supports basic content filtering for outbound traffic. You use content filtering to restrict the URLs to which clients have access. For example, to restrict your users from seeing gambling sites, you configure content filtering to deny access to gambling URLs that you specify.
AVpe monitors the antivirus configuration of supported Symantec policy masters connected to the appliance and of client workstations attempting to gain access to your corporate network. See the Symantec Gateway Security 400 Series Release Notes for the version of the product you are using to determine the supported AV products and how their configuration and usage differ from the information in this chapter.
AVpe works in two different environments: a network with an internal Symantec AntiVirus Corporate Edition server that maintains antivirus information or a network of clients that are unmanaged.
If your network has an internal Symantec AntiVirus Corporate Edition server, when you configure AVpe, you designate a primary and optionally a secondary antivirus server that is accessible to your network through LAN or WAN connections. If your network has clients that are unmanaged, you designate one client as master, and all other clients verify their versions against the master.
The first time an internal client requests a DHCP connection, attempts an external connection, or any time a client initiates a VPN tunnel (originating from your LAN or remotely through the Internet), the appliance retrieves the client’s antivirus policy configuration and compares it against the current antivirus policy requirements. If the client is not in compliance, the traffic is warned or blocked (as indicated when you configure AVpe) and a message is logged.
Page 82
You can configure the appliance to monitor client or server configurations at specified intervals (the default setting is every 10 minutes). Once a client is connected, the appliance rechecks the client’s antivirus compliance at user-defined intervals. After the specified interval (the default interval is eight hours), clients are re-queried to check for compliance. If the AV policy master shows updates were made, the clients are allowed an eight-hour grace period (the default LiveUpdate interval on unmanaged clients) in which they will still be compliant if they have the last AV policy master definition version. After this grace period, the clients will be considered non-compliant with the AV policy.
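The compliance check and its grace period, modeled in Python as an added example (not product code); it assumes the appliance compares virus definition version strings, that the eight-hour grace period starts when the policy master updated, and that the per-group action is the Warn Only or Block Connections setting described in this chapter.

```python
from datetime import datetime, timedelta
from typing import Optional, Tuple

GRACE_PERIOD = timedelta(hours=8)   # default LiveUpdate interval on unmanaged clients

# Constructed reference time so that the checks below are deterministic.
T0 = datetime(2004, 6, 23, 8, 0)

def hours_later(hours: float) -> datetime:
    """A point in time `hours` after T0."""
    return T0 + timedelta(hours=hours)

class PolicyMaster:
    """Tracks the AV policy master's current and previous definition versions."""

    def __init__(self, version: str, updated_at: datetime):
        self.version = version
        self.previous_version: Optional[str] = None
        self.updated_at = updated_at

    def update(self, new_version: str, when: datetime) -> None:
        """Record a definition update on the master (a LiveUpdate, for instance)."""
        if new_version != self.version:
            self.previous_version = self.version
            self.version = new_version
            self.updated_at = when

def is_compliant(master: PolicyMaster, client_version: str, now: datetime,
                 grace: timedelta = GRACE_PERIOD) -> bool:
    """A client is compliant if it has the master's current definitions, or still has
    the previous definitions and the master updated less than `grace` ago."""
    if client_version == master.version:
        return True
    return (master.previous_version is not None
            and client_version == master.previous_version
            and now - master.updated_at < grace)

def decide(master: PolicyMaster, client_version: str, now: datetime,
           action: str = "warn", grace: timedelta = GRACE_PERIOD
           ) -> Tuple[bool, Optional[str]]:
    """Apply Table 7-1: return (traffic_allowed, log_message).
    action is the group's AVpe setting: "warn" (Warn Only) or "block" (Block Connections)."""
    if is_compliant(master, client_version, now, grace):
        return True, None
    msg = (f"AVpe: client definitions {client_version} are not current "
           f"(policy master has {master.version})")
    if action == "block":
        return False, msg + "; connection blocked"
    return True, msg + "; warning only"
```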
Table 7-1 describes client compliance and the subsequent actions taken.
Table 7-1 Client compliance actions
Client status: Compliant with current antivirus policies
Action: Client is granted access to the firewall.
Client status: Antivirus protection is out-of-date
Action: The connection is allowed to pass, but the appliance logs a warning or completely blocks access, depending on the option you select.
Clients who have been denied access can still connect to Symantec AntiVirus Corporate Edition or Symantec LiveUpdate servers to update their virus definitions.
You determine whether to enforce antivirus compliance for local clients using computer groups or VPN groups. All local clients belong to computer groups. For each computer group, you enable or disable AVpe. The default AVpe status for all computer groups is disabled.
See “Understanding computers and computer groups” on page 53.
Similarly, all VPN users are members of VPN groups. For each VPN group, you can enable or disable AVpe on the Client Tunnels tab in the SGMI. The default AVpe status for all VPN groups is disabled.
See “Defining client VPN tunnels” on page 78.
If content filtering and antivirus policy enforcement are enabled at the same time, content filtering takes precedence over antivirus policy enforcement processing for outbound traffic only. If a content filtering violation occurs and a client is blocked from viewing content, a message is logged and no antivirus policy enforcement rules are processed.
AVpe is supported for outbound connections and VPN client connections (LAN or WAN) only.
Before you configure AVpe
Before configuring the AVpe feature, do the following:
Include your AVpe needs in your strategy for group assignments. AVpe is supported for outbound connections and VPN client connections only. Determine those clients whose virus definitions will be checked and those (if any) who will be allowed conditional or unconditional network access. Then assign users to the appropriate access or VPN groups and select whether you will warn or block non-compliant clients who attempt to access the local network. See “Defining computer groups” on page 55 or “Viewing the User List” on page 70.
Note: You must place UNIX/Linux clients or clients with a non-supported AV client in a computer group where AVpe is disabled.
If you plan to use Symantec AntiVirus Corporate Edition servers, obtain the name of the primary and optionally the secondary servers used in your network.
If your network consists of clients that are unmanaged and access LiveUpdate directly for their AV updates, decide which client to designate as the master. The master should always be turned on, have an active Symantec antivirus client, and have a connection to the Internet where it can download virus definition updates.
If your network topology includes a configuration in which client workstations are located behind an enclave firewall, and if the firewall performs address transforms, which change the client’s actual IP address, the security gateway is unable to communicate with the client (as is required to validate client virus definitions). In this configuration, the security gateway contacts the firewall, not the client.
Ensure that traffic is not being blocked by a personal firewall. You must allow UDP/Port 2967 on all personal firewalls. This is set by default in Symantec Client VPN version 8.0.
Configuring AVpe
Configuring AVpe for a Symantec AntiVirus Corporate Edition environment and a client-only network is similar.
Configuring for Symantec AntiVirus Corporate Edition servers involves the following tasks:
Defining the location of the primary and (optionally) a secondary Symantec AntiVirus server and verifying that a client has the Symantec AntiVirus Corporate Edition client installed and that the virus definitions and the scanning engine on client computers are up-to-date.
See “Configuring AVpe” on page 83.
Enabling AVpe for Computer or VPN Groups.
See “Enabling AVpe” on page 84.
Configuring for networks with unmanaged antivirus clients (without Symantec AntiVirus Corporate Edition) involves the following tasks:
Defining the location of the policy master client and verifying that it has a supported Symantec antivirus client installed and that the virus definitions and the scanning engine on client computers are up-to-date.
Enabling AVpe for Computer or VPN Groups.
See “Enabling AVpe” on page 84.
Configuring the AV clients.
See “Configuring the antivirus clients” on page 85.
To configure antivirus policy enforcement
See “Antivirus Policy field descriptions” on page 156.
1 In the SGMI, in the left pane, click Antivirus Policy.
2 In the right pane, under Server Location, in the Primary AV Master text box, type the IP address or fully qualified domain name of your primary antivirus server or master client.
3 Optionally, in the Secondary AV Master text box, type the IP address or fully qualified domain name of a backup antivirus server, if supported in your environment.
4 In the Query AV Master Every text box, type an interval (in minutes) for the appliance to query the antivirus server for updated virus definitions.
5 To force a manual update, click Query Master.
6 Under Policy Validation, next to Verify AV Client is Active, select one of the following:
Latest Product Engine: To check a client’s antivirus configuration to ensure it uses a supported Symantec antivirus product with the latest product scan engine.
Any Version: To check a client’s antivirus configuration to verify that the correct version of a supported Symantec antivirus product is installed on the client’s workstation.
7 To enable the appliance to validate whether a client is using the latest virus definitions, check Verify Latest Virus Definitions.
8 In the Query Clients Every text box, type an interval (in minutes) for the appliance to query clients to validate whether they are using updated virus definitions.
9 Click Save.
Enabling AVpe
AVpe is enforced at the computer group and VPN group level. To enable AVpe, you first select a group, and then enable AVpe once for all members of that group. You also decide whether you want to warn or to deny WAN access to clients if their antivirus configuration is not compliant with expected security policies.
To enable AVpe
After you have configured AVpe, you must enable it for each computer group or VPN group.
Enabling AVpe for VPN groups is for WAN clients only. You enable AVpe for LAN VPN clients on the Client Tunnels tab in the VPN section. You enable AVpe for computer groups on the Computer Groups tab in the Firewall section.
See “Defining computer groups” on page 55.
See “Defining client VPN tunnels” on page 78.
See “Computer Groups tab field descriptions” on page 138.
See “Client Tunnels tab field descriptions” on page 149.
To enable antivirus policy enforcement for computer groups
1 In the SGMI, in the left pane, click Firewall.
2 On the Computer Groups tab, under Security Policy, on the Computer Group drop-down list, select the computer group for which you want to enable AVpe.
3 Under Antivirus Policy Enforcement, check Enable Antivirus Policy Enforcement, and then do one of the following:
To log warnings for clients with out-of-date virus definitions, click Warn Only.
To completely block connections from clients with out-of-date virus definitions, click Block Connections.
4 Click Save.
5 Repeat steps 2 through 4 to enable AVpe for each computer group.
To enable antivirus policy enforcement for VPN groups
1 In the SGMI, in the left pane, click VPN.
2 In the right pane, on the Client Tunnels tab, under Group Tunnel Definition, on the VPN Group drop-down list, select the VPN group for which you want to enable AVpe.
3 Under WAN Client Policy, check Enable Antivirus Policy Enforcement, and then do one of the following:
To log warnings for clients with out-of-date virus definitions, click Warn Only.
To completely block connections from clients with out-of-date virus definitions, click Block Connections.
4 Click Save.
5 Repeat steps 2 through 4 to enable AVpe for each desired VPN group.
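The compliance rules above (definition version checked against the AV policy master, the eight-hour grace period after the master updates, AVpe disabled by default per group, and the Warn Only versus Block Connections choice) modelled as an added example; this is not code from the manual or the appliance, and the group names, hosts and definition version strings are constructed for illustration.

```python
"""Added model of the AVpe compliance decision described in this chapter.
Group names, hosts and definition version strings are constructed examples."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple

# Default LiveUpdate interval on unmanaged clients, used as the grace period.
GRACE_PERIOD = timedelta(hours=8)


@dataclass
class MasterStatus:
    """What the appliance last learned from the AV policy master."""
    current_defs: str             # definition version the master reports now
    previous_defs: Optional[str]  # version reported before the last change
    changed_at: datetime          # when the appliance saw the master change


@dataclass
class Client:
    host: str
    group: str            # computer group or VPN group the client belongs to
    av_active: bool       # a supported Symantec antivirus product is running
    defs: Optional[str]   # definition version the client reports


@dataclass
class GroupPolicy:
    avpe_enabled: bool = False  # AVpe is disabled by default for every group
    block: bool = False         # False = Warn Only, True = Block Connections


def is_compliant(client: Client, master: MasterStatus, now: datetime) -> bool:
    """Compliant when AV is active and the definitions match the master, or
    match the master's previous version while the grace period still runs."""
    if not client.av_active or client.defs is None:
        return False
    if client.defs == master.current_defs:
        return True
    in_grace = now - master.changed_at < GRACE_PERIOD
    return client.defs == master.previous_defs and in_grace


def evaluate(client: Client, policy: GroupPolicy, master: MasterStatus,
             now: datetime) -> Tuple[str, Optional[str]]:
    """Return ("allow" | "block", log message or None) for one connection."""
    if not policy.avpe_enabled:
        return "allow", None            # group not enforced: no check, no log
    if is_compliant(client, master, now):
        return "allow", None            # Table 7-1: compliant, access granted
    if not client.av_active:
        reason = "no active antivirus client"
    elif client.defs is None:
        reason = "no definition version reported"
    else:
        reason = f"definitions {client.defs} older than {master.current_defs}"
    if policy.block:
        return "block", f"AVpe: blocked {client.host} ({client.group}): {reason}"
    return "allow", f"AVpe: warning for {client.host} ({client.group}): {reason}"


# Constructed sample state: the master moved from defs-r4 to defs-r5 at 08:00.
MASTER = MasterStatus("defs-r5", "defs-r4", datetime(2004, 6, 23, 8, 0))
POLICIES = {
    "finance": GroupPolicy(avpe_enabled=True, block=True),
    "guests": GroupPolicy(avpe_enabled=True, block=False),
    "unix-hosts": GroupPolicy(),  # left disabled, as required for unsupported clients
}


def hours_after_change(hours: int) -> datetime:
    """Clock value a given number of hours after the master last changed."""
    return MASTER.changed_at + timedelta(hours=hours)


def decide(client: Client, now: datetime) -> Tuple[str, Optional[str]]:
    """Evaluate one client against the policy of its own group."""
    return evaluate(client, POLICIES[client.group], MASTER, now)


if __name__ == "__main__":
    samples = [
        (Client("pc1", "finance", True, "defs-r5"), hours_after_change(1)),
        (Client("pc2", "finance", True, "defs-r4"), hours_after_change(2)),
        (Client("pc2", "finance", True, "defs-r4"), hours_after_change(9)),
        (Client("pc3", "guests", False, None), hours_after_change(0)),
        (Client("srv1", "unix-hosts", False, None), hours_after_change(0)),
    ]
    for client, now in samples:
        action, message = decide(client, now)
        print(now.strftime("%H:%M"), client.host, action, message or "")
```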
Configuring the antivirus clients
If the clients on your network are unmanaged and use LiveUpdate to install current virus definitions and engines, you must configure each client before it can be validated using AVpe. Each client that you want to validate with AVpe must have a supported Symantec antivirus product installed in unmanaged mode.
When you uninstall the client software, the registry keys that are created by this procedure are also removed.
Warning: Do not use this procedure for clients managed by a Symantec AntiVirus server.
To configure the AV clients
1 Install or configure each client’s supported Symantec antivirus product in unmanaged mode.
2 Insert the Symantec Gateway Security 400 Series product CD into the CD-ROM drive on a client computer.
3 In the Tools folder on the CD-ROM, copy SGS300_AVpe_client_Activation.reg to the client’s desktop.
4 Double-click the file.
5 Repeat steps 2-4 for each client that you want to be validated using AVpe.
Monitoring antivirus status
The AV Master Status and AV Client Status sections of the AVpe tab let you obtain the operational status of the primary and secondary antivirus masters and of the clients configured in your network.
Any changes you make to the configuration of the primary or secondary antivirus server, once saved, are reflected in the AV Master Status field. The status of the secondary antivirus server is not displayed unless the primary server is unreachable.
Viewing AVpe log messages
When you enable AVpe and a non-compliant client connection is blocked or warned, a message is logged. You can view these log messages periodically to monitor your traffic.
To view AVpe log messages
See “View Log tab field descriptions” on page 119.
1 In the SGMI, in the left pane, click Logging/Monitoring.
2 On the View Log tab, click Refresh.
Verifying AVpe operation
After you have enabled AVpe, you can test its operation by disabling Symantec AntiVirus Corporate Edition on a client workstation and then attempting to connect to the local network. If antivirus policy enforcement is properly configured, in the absence of enabled Symantec antivirus software, all connection attempts should be blocked or warned.
Note: The client workstation does not receive any notification that network access is blocked; the appliance only logs a message.
To verify antivirus policy enforcement operation
See “Logging/Monitoring field descriptions” on page 117.
1 Uninstall Symantec AntiVirus Corporate Edition from a client workstation that has been configured as part of a computer group with AVpe enabled, with connections blocked.
2 Open a Web browser and attempt to connect to www.symantec.com.
The connection attempt should fail and all communication through the firewall should be blocked.
3 In the SGMI, in the left pane, click Logging/Monitoring.
4 Click View Log and check for a warning message indicating that all connection attempts for the particular client are blocked due to policy non-compliance. If this message is present, then your AVpe feature is correctly configured and operational.
5 If you are able to connect to www.symantec.com, recheck your AVpe configuration settings and group assignments. Make sure that you uninstalled Symantec AntiVirus Corporate Edition from the client workstation, and that the client is a member of a group with AVpe enabled, with connections blocked. Retry steps 1 through 4 above.
About content filtering
Symantec Gateway Security 400 Series supports basic content filtering for outbound traffic. You use content filtering to restrict the content to which clients have access. For example, to restrict your users from seeing gambling sites, you configure content filtering to deny access to gambling URLs that you specify.
Content filtering is administered through computer groups and VPN groups. A computer group is a group of computers defined in the Firewall section to which you apply the same rules. Similarly, a VPN group is a group of VPN users defined in the VPN section to which you apply the same rules. When you define a computer group or VPN group, you specify whether the group uses a content filtering deny or allow list. Deny lists (black lists) block internal access to sites on the list and allow all other sites. Allow lists (white lists) permit internal access to sites on the list and block access to all other sites.
Note: By default, content filtering is disabled for all computer groups and VPN groups.
The allow list permits traffic to pass to sites that exactly match entries in the list. The content filtering engine drops connection requests sent to a destination that does not match any entry in the list. If the allow list is empty, all traffic is blocked.
If the deny list is empty, traffic is not filtered. Once entries are added to the deny list, the content filtering engine drops connection requests sent to a destination that exactly matches an entry. Traffic that does not match an entry is allowed to pass.
Special considerations
When content filtering and AVpe are concurrently enabled, content filtering is performed first. If the content filtering results in a blocked connection, AVpe is not processed; only a content filtering message is logged.
If you make changes to content filtering on the appliance, clear the DNS and browser caches on the client machine. If a URL is accessed by a client, but then the content filtering settings change to deny access to that URL, the cache may be used and allow the client access to the URL. Refer to your operating system documentation for information on clearing DNS caches and your browser’s documentation for clearing the browser cache.
If you enable content filtering for remote WAN-side VPN clients, you must have DNS servers on the local LAN.
If a site or security gateway uses redirection to transfer users from one URL to another, you must include both URLs in the list. For example, www.disney.com redirects users to www.disney.go.com. To let your users view this Web site, you must specify both www.disney.com and www.disney.go.com in the allow list.
If a site brings in content from other sites, you must add both URLs to the list. For example, www.cnn.com uses content from www.cnn.net.
Managing content filtering lists
When you create allow and deny lists, you provide the allowed or denied fully qualified domain names. The appliance filters traffic by checking DNS lookup requests. There must be an exact match on the destination for action (blocking or warning) to occur.
For wild card functionality, specify only the domain name in the allow or deny list for specific sites. For example, to allow traffic to any Symantec site, add symantec.com to the allow list. This allows traffic to liveupdate.symantec.com, www.symantec.com, fileshare.symantec.com, and so on.
Content filtering applies to all outbound traffic, not just HTTP (Web) traffic.
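The allow/deny list semantics described above (empty-list behaviour, exact matching of the looked-up name, the domain-name wild card, the list size limits, and the redirection caveat) as an added example; this is not the appliance's own code, and the list entries and queried names are constructed for illustration.

```python
"""Added model of the content filtering list decision described in this chapter.
List entries and looked-up names are constructed examples."""
from typing import List, Optional, Tuple

MAX_ENTRIES = 100     # each filtering list holds up to 100 entries
MAX_ENTRY_LEN = 128   # each entry may be up to 128 characters long


def normalize(name: str) -> str:
    """Lower-case and strip a trailing dot so DNS names compare consistently."""
    return name.strip().lower().rstrip(".")


def build_list(entries: List[str]) -> List[str]:
    """Apply the SGMI's list limits and return the normalized entries."""
    if len(entries) > MAX_ENTRIES:
        raise ValueError(f"a list holds at most {MAX_ENTRIES} entries")
    cleaned = []
    for entry in entries:
        if len(entry) > MAX_ENTRY_LEN:
            raise ValueError(f"entry longer than {MAX_ENTRY_LEN} characters: {entry!r}")
        cleaned.append(normalize(entry))
    return cleaned


def entry_matches(entry: str, name: str) -> bool:
    """Exact match, or the wild-card case where the entry is a parent domain:
    'symantec.com' matches liveupdate.symantec.com but not notsymantec.com."""
    return name == entry or name.endswith("." + entry)


def first_match(name: str, entries: List[str]) -> Optional[str]:
    """Entry that matches the looked-up name, or None."""
    return next((e for e in entries if entry_matches(e, name)), None)


def decide(name: str, list_type: str, entries: List[str]) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason) for one DNS lookup of name."""
    name = normalize(name)
    hit = first_match(name, entries)
    if list_type == "allow":
        if not entries:
            return "deny", "allow list is empty: all traffic blocked"
        if hit is not None:
            return "allow", f"matches allow entry {hit}"
        return "deny", "no allow entry matches"
    if list_type == "deny":
        if not entries:
            return "allow", "deny list is empty: traffic not filtered"
        if hit is not None:
            return "deny", f"matches deny entry {hit}"
        return "allow", "no deny entry matches"
    raise ValueError("list_type must be 'allow' or 'deny'")


# Constructed lists. www.disney.com redirects to www.disney.go.com, so an
# allow list needs both names; only one is present here to show the effect.
ALLOW = build_list(["symantec.com", "www.disney.com"])
DENY = build_list(["gambling.example"])

if __name__ == "__main__":
    for name in ["liveupdate.symantec.com", "notsymantec.com",
                 "www.disney.com", "www.disney.go.com"]:
        print("allow list:", name, decide(name, "allow", ALLOW))
    for name in ["www.gambling.example", "news.example"]:
        print("deny list:", name, decide(name, "deny", DENY))
```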
To manage allow and deny lists
By default, the allow and deny lists are empty. Each filtering list can hold up to 100 entries. Each entry can be up to 128 characters long.
See “Content Filtering field descriptions” on page 157.
To add a URL to an allow or deny list
1 In the SGMI, in the left pane, click Content Filtering.
2 Under Select List, next to List Type, select Allow or Deny.
3 In the Input URL text box, type the name of a site that you want to add to the list. For example, yoursite.com.
4 Click Add.
Repeat steps 3 and 4 until you have added all URLs to the list.
5 Click Save List.
To remove a URL from an allow or deny list
1 In the SGMI, in the left pane, click Content Filtering.
2 From the Delete URL drop-down list, select the URL that you want to delete.
3 Click Delete Entry.
4 Click Save List.
Enabling content filtering
Content filtering is enforced at the computer group and VPN group level. After you have set up the allow or deny lists, you must enable content filtering for each computer group or VPN group for which you want to filter traffic. See “Defining inbound access” on page 56.
To enable content filtering
You can enable content filtering for LAN-based clients using the Computer Groups tab in the Firewall section. You can enable content filtering for WAN-based clients using the Client Tunnels tab in the VPN section.
To enable content filtering for a computer group
See “Computer Groups tab field descriptions” on page 138.
1 In the left pane, click Firewall.
2 On the Computer Groups tab, under Security Policy, in the Computer Group drop-down list, select the computer group for which you want to enable content filtering.
3 Under Content Filtering, check Enable Content Filtering and do one of the following:
To filter content based on the deny list, click Use Deny List.
To filter content based on the allow list, click Use Allow List.
4 Click Save.
To enable content filtering for a VPN group
See “Client Tunnels tab field descriptions” on page 149.
1 In the left pane, click VPN.
2 On the Client Tunnels tab, under Group Tunnel Definition, in the VPN Group drop-down list, select the VPN group for which you want to enable content filtering.
3 Under WAN Client Policy, check Enable Content Filtering and do one of the following:
To filter content based on the deny list, click Use Deny List.
To filter content based on the allow list, click Use Allow List.
4 Click Save.
Monitoring content filtering
Content filtering logs a message in the log files if packets are dropped due to a user attempting to access a URL on the deny list, or attempting to access a URL that is not specifically permitted on the allow list. See “Logging, monitoring and updates” on page 93.
You can view the URLs and their status that are on either the allow or deny list.
To view a list of URLs on the allow or deny list
See “Content Filtering field descriptions” on page 157.
1 In the left pane, click Content Filtering.
2 Under Select List, under List Type, do one of the following:
To view the URLs on the Deny list, click Deny.
To view the URLs on the Allow list, click Allow.
3 Click View/Edit.
Chapter 8
Preventing attacks
This chapter includes the following topics:
Intrusion detection and intrusion prevention
Setting protection preferences
Enabling advanced protection settings
Intrusion detection and intrusion prevention
The Symantec Gateway Security 400 Series intrusion detection and intrusion prevention (IDS and IPS) feature helps secure your network against unwanted intruders and attacks. IDS/IPS monitors the network for suspicious behavior, and lets you respond to detected intrusions in real-time.
IDS/IPS functionality is enabled by default, but you can disable it using the Security Gateway Management Interface (SGMI). IDS/IPS logging is also enabled by default. Any event logged by the IDS engine is identified as such in log messages. If you disable IDS and IPS logging, the security gateway still blocks any connection attempt to an unauthorized service for inbound connections, but the Trojan horse lookup is disabled and log messages are limited to an access denied message.
The number of log messages that are tracked depends on the attack type. There is no limit to the number of logged management login attempts. Attack logging is limited to one message in five seconds; if more than one occurrence of the same attack is discovered within a five second window, only one message is generated. When ICMP blocking is enabled, the log messages are not limited.
Atomic packet inspection
The IDS engine provides atomic packet inspection by comparing each inbound packet against a list of signatures (known attacks). Matching packets are considered intrusion attempts and dropped.
The Symantec Gateway Security 400 Series has signatures for, and can detect, the following types of intrusions:
Bonk
Fawx
Jolt
Land
Nestea
Newtear
Overdrop
Ping of Death
Syndrop
Teardrop
Winnuke
HTML buffer overflow
TCP/UDP flood protection
Trojan horse notification
Any attempt to connect to a blocked port that is commonly used by Trojan horse programs is logged and classified as a possible attack. The log message warns the user that an illegal connection attempt was made and that they should audit their internal systems to verify they are not compromised. Trojan horse protection is overridden if traffic is explicitly allowed in an inbound rule.
Connections to the ports listed in Table 8-1 generate warnings in the log file, unless you specifically have a rule configured to allow inbound traffic on that port.
Table 8-1 Trojan horse ports and protocols
Trojan horse: protocol and ports
Back Orifice: TCP 31337; UDP 31337
Girlfriend: TCP 21554
Portal of Doom: TCP 3700, 9872, 9873, 9874, 9875, 10067, 10167; UDP 10067, 10167
SubSeven: TCP 1243, 6711, 6712, 6713, 6766, 27374, 27573; UDP 27573
Setting protection preferences
For each atomic IDS and IPS signature, you can set the action to take with detection of each individual signature, as follows:
Block and Warn: Drop and log packets identified as containing the specific signature.
Block/Don’t Warn: Drop the packet, but do not log it.
You can configure the following options for enabling and disabling IDS and IPS signature detection and logging:
Select All to enable or disable detection of ALL signatures.
Enable/disable detection of each signature individually.
To set protection preferences
See “IDS Protection tab field descriptions” on page 154.
1 In the SGMI, in the left pane, click IDS/IPS.
2 In the right pane, on the IDS Protection tab, under IDS Signatures, from the Name drop-down list, select an IDS signature. To apply the preferences to all the signatures, click >>Select All<<.
3 Under Protection settings, next to Action, select an action.
4 Next to Protection Area, select an interface to protect.
5 Click Update.
Enabling advanced protection settings
Advanced protection settings help you protect your network beyond attacks that can be identified by atomic signatures.
IP spoofing protection
Any non-broadcast or multicast packet arriving on a WAN interface with a source IP address that matches any internal subnet is blocked and flagged as an IP spoofing attempt. Internal subnets are derived from the LAN side subnet address of the appliance and the static route entries on the appliance for the LAN interface.
Likewise, any non-broadcast or non-multicast traffic that arrives at the internal or wireless interface with a source IP address that does not match any predefined internal network is blocked and logged as an internal IP spoofing attempt. Internal networks are derived from static routes on the unit and the internal LAN/WLAN address of the unit. Spoof protection can be disabled for the internal LANs and WAN.
To enable IP spoof protection
See “IDS Protection tab field descriptions” on page 154.
1 In the SGMI, in the left pane, click IDS/IPS.
2 In the right pane, on the Advanced tab, under IP Spoof Protection, check WAN or WLAN/LAN.
3 Click Save.
TCP flag validation
Certain port mapping tools, such as NMAP, use invalid TCP flag combinations to detect a firewall on a network or map the security policy implemented on the firewall. Symantec Gateway Security 400 Series blocks and logs any traffic with illegal flag combinations for traffic that is not being denied by the security policy. Any traffic denied by the security policy that has one or more bad TCP flag combinations is classified as one of several NMAP port scanning techniques (NMAP Null Scan, NMAP Christmas Scan, and so on).
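The validation rule described above, as an added example that is not the appliance's code: a segment with an illegal flag combination is dropped and logged, and when the security policy already denies the traffic the combination is reported by the NMAP technique it corresponds to. The flag bit values are the standard TCP header bits; the sample segments and log wording are constructed for illustration.

```python
"""Added illustration of TCP flag validation with the gateway's rule ordering.
Sample segments and log wording are constructed, not the appliance's own."""
from typing import List, Tuple

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
KNOWN_FLAGS = FIN | SYN | RST | PSH | ACK | URG  # ECE/CWR bits are ignored


def validate_tcp_flags(flags: int) -> Tuple[bool, str]:
    """Return (valid, label); labels name the NMAP scan that uses the combination."""
    f = flags & KNOWN_FLAGS
    if f == 0:
        return False, "NMAP Null Scan"            # no flags at all
    if f == FIN | PSH | URG:
        return False, "NMAP Christmas Scan"       # FIN, PSH and URG "lit up"
    if f == FIN:
        return False, "NMAP FIN Scan"             # FIN without ACK
    if f & SYN and f & FIN:
        return False, "SYN+FIN"                   # open and close at once
    if f & SYN and f & RST:
        return False, "SYN+RST"                   # open and abort at once
    if not f & (SYN | ACK | RST):
        # FIN, PSH or URG never travel without ACK on a real connection
        return False, "FIN/PSH/URG without ACK"
    return True, "ok"


def inspect_segment(src: str, dport: int, flags: int,
                    policy_allows: bool) -> Tuple[str, str]:
    """Security policy decides first; flag validation then decides whether a
    drop is logged as a scan (policy-denied) or as an illegal combination on
    traffic the policy would otherwise permit."""
    valid, label = validate_tcp_flags(flags)
    if not policy_allows:
        if valid:
            return "drop", f"{src} -> port {dport}: denied by security policy"
        return "drop", f"{src} -> port {dport}: denied by policy, classified as {label}"
    if not valid:
        return "drop", f"{src} -> port {dport}: illegal TCP flag combination ({label})"
    return "pass", f"{src} -> port {dport}: accepted"


# Constructed sample segments: (source, destination port, flags, policy allows?)
SAMPLES = [
    ("192.0.2.10", 80, SYN, True),              # normal connection attempt
    ("192.0.2.10", 80, FIN | PSH | URG, True),  # Christmas flags on a permitted port
    ("192.0.2.10", 23, 0x00, False),            # Null scan on a denied port
    ("192.0.2.10", 23, SYN | ACK, False),       # ordinary segment, denied by policy
]


def inspect_all(samples=SAMPLES) -> List[Tuple[str, str]]:
    """Run every sample through inspect_segment and return the decisions."""
    return [inspect_segment(src, dport, flags, allowed)
            for src, dport, flags, allowed in samples]


if __name__ == "__main__":
    for action, message in inspect_all():
        print(action.upper(), message)
```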
To enable TCP flag validation
See “IDS Protection tab field descriptions” on page 154.
1 In the SGMI, in the left pane, click IDS/IPS.
2 In the right pane, on the Advanced tab, under TCP Flag Validation, check Enable.
Chapter 9
Logging, monitoring and updates
This chapter includes the following topics:
Managing logging
Updating firmware
Backing up and restoring configurations
Interpreting LEDs
LiveUpdate and firmware upgrade LED sequences
Managing logging
The firewall, IDS, IPS, VPN, content filtering, and AVpe features log messages when certain events occur. You can configure the events that are logged so you view only the log messages of interest.
You can view the log messages through the SGMI, or forward them to external services. Log messages are maintained until the appliance is restarted; on all appliances, the 100 most current messages are available to view and are retained even if the appliance is restarted.
When the log is full, new entries overwrite the oldest ones. You should set up either email forwarding or a Syslog server if you want to retain old log messages. See “Emailing log messages” on page 93 or “Using Syslog” on page 94.
Configuring log preferences
Logging preferences let you set the way in which log messages are viewed, the amount of logging that is performed, and how log files are handled when the log becomes full. The following settings help you create logging scenarios that are appropriate to your network’s needs:
Emailing log messages
Using Syslog
Configuring and verifying SNMP
Selecting logging levels
Setting log times
Emailing log messages
You can configure the appliance to automatically email log entries when the log is full or if an attack is detected. The log file is sent as a text message.
To configure email forwarding
See “Log Settings tab field descriptions” on page 120.
1 In the SGMI, in the left pane, click Logging/Monitoring.
2 In the right pane, on the Log Settings tab, in the SMTP Server text box, type the IP address or DNS name of the Simple Mail Transfer Protocol (SMTP) server that you want to receive the log file.
3 In the Send Email From text box, type the email address of the sender of the email.
4 In the Send Email To text box, type the email address of the receiver of the email.
5 Click Save.
6 To send the current log messages without waiting for the log to become full, click Email Log Now.
Using Syslog
Sending log messages to a Syslog server lets you store log messages for the long term. A Syslog server listens for log entries forwarded by the appliance and stores all log information for future analysis. The Syslog server can be on the LAN or WAN, or behind a VPN tunnel.
Note: The date and time on messages in the Syslog server are the time they arrived at the Syslog server, and not the time that the appliance logged the event that triggered the log message.
To use Syslog
See “Log Settings tab field descriptions” on page 120.
1 In the SGMI, in the left pane, click Logging/Monitoring.
2 In the right pane, on the Log Settings tab, under Syslog, in the Syslog Server text box, type the IP address of a host running a standard Syslog utility to receive the log file.
3 Click Save.
Configuring and verifying SNMP
The appliance supports Simple Network Management Protocol (SNMP) version 1.0 and generates network event alert messages, copies them into an SNMP TRAP or GET with the associated community name, and then sends them to registered SNMP servers. This capability lets the appliance report status information to network-wide SNMP-based management applications. The appliance generates SNMP messages for the following events:
Start-up of the appliance
SGMI authentication failure
Ethernet WAN ports up and down:
  No trap when a WAN port comes alive as part of system startup
  WAN disconnect
  WAN coming back after a previous disconnect
Serial WAN port (PPPoE or Analog):
  WAN Link up (connected)
  WAN Link down (disconnected)
A GET is a request from the SNMP server for status information from the Symantec Gateway Security 400 Series appliance. The appliance supports all SNMP v1 MIBs (information variables) using GETs. A TRAP is status information sent from the Symantec Gateway Security 400 Series appliance to the SNMP server.
Configuring SNMP sets the IP addresses of the SNMP servers to receive status information (TRAP) alerts from the SNMP agent running on the appliance. This feature provides minimal protection over a public network; therefore, for highest security, remote access administration should be done through a VPN tunnel.
To monitor the appliance on the LAN side, browse to the appliance’s LAN IP address (by default, 192.168.0.1) using an SNMP v1 MIB browser. To allow external access to SNMP GET on the appliance, check Enable Remote Monitoring on the Administration > SNMP tab in the SGMI.
Configuring SNMP
There are two parts to configuring SNMP:
Configuring SNMP
Verifying communication between the SNMP server and the Symantec Gateway Security 400 Series appliance.
Before you begin configuring SNMP, collect the following information:
For TRAPs, you must have SNMP v1.0 servers or applications running on your network to receive the network event alert messages, and you need the SNMP server IP addresses to configure SNMP on the appliance.
You also need the community string for the SNMP server. The SNMP server IP address and community string should be available from the administrator running the SNMP server.
You can configure SNMP at any time after the appliance is installed and the SNMP servers are running.
See “Administration field descriptions” on page 121.
To configure SNMP
1 In the SGMI, in the left pane, click Administration.
2 In the right pane, on the SNMP tab, under SNMP Read-only Managers (GETS and TRAPS), in the Community String text box, type the name of the community.
The default is Public.
3 In the IP Address text boxes, type the IP addresses of the SNMP read-only managers (for TRAP collection only).
4 Click Save.
To verify SNMP communication
Contact the SNMP server administrator and have them send a GET from the SNMP server to your appliance.
The appliance responds by sending status information to the SNMP server.
If it does not respond, check that the SNMP server IP address and community string are correct. Also check that the SNMP server is accessible from the appliance.
Selecting logging levels
The log file contains only the types of information you choose. This is useful for isolating a problem or attack.
If you select Debug information, performance may be affected by the number of messages that are created. You should select this option only for troubleshooting purposes, and then disable it when you are done.
To select log levels
See “Logging/Monitoring field descriptions” on page 117.
1 In the SGMI, in the left pane, click Logging/Monitoring.
2 In the right pane, on the Log Settings tab, under Log Type, check the types of information you want to be logged.
3 Click Save.
Setting log times
Network Time Protocol (NTP) is an Internet standard protocol that ensures accurate synchronization, to the millisecond, of computer clock times in a network.
If you do not configure an NTP server, standard public NTP servers are used. If an NTP server is not reachable, when an event occurs, the appliance records the time (in seconds) since the last reboot.
To set log times
See “Log Settings tab field descriptions” on page 120.
1 In the SGMI, in the left pane, click Logging/Monitoring.
2 In the right pane, on the Log Settings tab, under Time, in the NTP Server text box, type the IP address or fully qualified domain name of the non-public NTP server.
3 Click Save.
Managing log messages
The View Log tab shows the current conditions of the appliance. Models 460 and 460R have a WAN 2 section for the second WAN port status.
The information on the View Log tab is current when you click it. Conditions may change while you are viewing the screen. Refresh updates the View Log tab to display the most current messages.
You can manually delete the contents of the log at any time.
To manage log messages
After log messages have been generated, you can view them, refresh them to see the most current messages, or clear the log if you no longer want those messages.
See “View Log tab field descriptions” on page 119.
To view log messages
1 In the SGMI, in the left pane, click Logging/Monitoring.
2 Do one of the following:
On the View Log tab, view the log messages.
To view older log messages, click Next Page.
To refresh log messages
1 In the SGMI, in the left pane, click Logging/Monitoring.
2 In the right pane, on the View Log tab, click Refresh.
To clear log messages
1 In the SGMI, in the left pane, click Logging/Monitoring.
2 In the right pane, on the View Log tab, click Clear Log.
Updating firmware
The appliance runs using a set of instructions that are coded into its permanent memory called firmware. The firmware contains all of the features and functionality of the appliance. There are two types of firmware updates: destructive and non-destructive. Destructive firmware updates completely overwrite the firmware and all of the configuration settings. Non-destructive firmware updates overwrite the firmware but keep the configurations intact.
Symantec periodically releases updates to the firmware. There are three ways to update the firmware on your appliance:
Automatically using the Scheduler in LiveUpdate
Manually using LiveUpdate
Manually by receiving firmware from Symantec Technical Support and applying it using the symcftpw tool.
By default, LiveUpdate checks for updates at the end of the Setup Wizard. You may disable this feature. See the Symantec Gateway Security 400 Series Installation Guide.
Warning: Performing a manual firmware upgrade with app.bin may overwrite your configuration settings. Before performing an upgrade, make note of your settings. Do not use a configuration backup file of older firmware on newer firmware. LiveUpdate firmware upgrades never overwrite your configuration.
When you apply a firmware upgrade manually or through LiveUpdate, the LEDs flash in a unique sequence that indicates the progress.
See “LiveUpdate and firmware upgrade LED sequences” on page 106.
Automatically updating firmware
LiveUpdate is a Symantec technology that enables you to automatically keep your Symantec products up-to-date with the latest revision. You can configure LiveUpdate to check for updates automatically, or you can manually run LiveUpdate at any time to check for updates.
Symantec periodically releases firmware updates to ensure the highest level of security available. Run LiveUpdate as soon as your Symantec Gateway Security 400 Series appliance is connected to the Internet.
See “Running LiveUpdate Now” on page 101.
When LiveUpdate checks for firmware updates, if a new firmware package is found, LiveUpdate downloads and begins applying the firmware without prompting the administrator. During the download and application, the SGMI displays a message stating that an update is being applied and to wait a few minutes before attempting to log into the SGMI. Afterwards, the appliance may restart. When firmware application is complete, a message is logged.
If LiveUpdate checks for firmware updates and none are available (the current firmware is up-to-date), a message is logged.
All LiveUpdate packages posted by Symantec are tested and validated by Symantec. These packages do not intentionally overwrite your current configuration. However, they require an automatic restart of the appliance. To minimize downtime or interruption to your network connectivity, use the Preferred Time feature to schedule updates during off hours.
The LiveUpdate functionality provides a fail-safe mechanism for firmware updates if the appliance becomes non-usable (such as a power outage during the LiveUpdate upload). If the appliance is unable to pass its self-check test with a new LiveUpdate package, it reverts to the factory firmware stored in protected memory. LiveUpdate only downloads and applies non-destructive firmware.
Scheduling automatic updates
LiveUpdate runs in automatic or manual mode. In automatic mode, the appliance checks for new updates on its own. If you schedule automatic updates, LiveUpdate also checks for updates each time the appliance is restarted. If you change the appliance from manual updates to automatic, LiveUpdate checks for updates at the next time you specify in the Preferred Time (UTC) text box.
If LiveUpdate downloads and applies a new firmware update, the appliance may restart. For this reason, you should schedule automatic updates to occur during your network’s down time.
To schedule LiveUpdate for automatic updates
See “Trusted Certificates tab field descriptions” on page 123.
1 In the SGMI, in the left pane, click Administration.
2 In the right pane, on the LiveUpdate tab, under Automatic Updates, check Enable Scheduler.
3 From the Frequency drop-down list, select the frequency with which the appliance checks for updates.
4 In the Preferred Time (UTC) text box, type the time of day, in hours and minutes, that you want the appliance to check for updates; for example 20:00 for 8:00 PM.
5 Click Save.
Allowing automatic updates through an HTTP proxy server
LiveUpdate optional settings let you configure a connection to a LiveUpdate server through an HTTP proxy server. Use this feature only in the following situations:
The appliance is located behind a Symantec Gateway Security appliance using an HTTP proxy server.
The appliance is located behind a third-party device that uses an HTTP proxy server.
Your ISP uses an HTTP proxy server.
For more information, refer to Symantec LiveUpdate documentation.
See “Trusted Certificates tab field descriptions” on page 123.
To allow automatic updates through an HTTP proxy server
1 In the SGMI, in the left pane, click Administration.
2 In the right pane, on the LiveUpdate tab, under Optional Settings, check HTTP proxy Server.
3 In the Proxy Server Address text box, type the IP address or fully qualified domain name of the HTTP proxy server.
4 In the Port text box, type the port number.
5 In the User Name text box, type the proxy user name.
6 In the Password text box, type the proxy password.
7 Click Save.
Changing the LiveUpdate server location
By default, the LiveUpdate settings point to liveupdate.symantec.com. You can also configure the appliance to use your own LiveUpdate staging server instead of the Symantec LiveUpdate site.
The internal LiveUpdate servers shown in Figure 9-1 are configured using the Symantec LiveUpdate Administration Utility. Rather than the appliance contacting the Symantec servers to obtain product updates, the appliance can contact the LiveUpdate server on the local network. This greatly reduces network traffic and increases transfer speeds. It also lets you stage, manage, and validate updates before applying them. The LiveUpdate Administration Utility and instructions for installation are available on the Symantec Technical Support Web page http://www.symantec.com/techsupp/.
Table 9-1 lists the LiveUpdate server configurations shown in Figure 9-1.
Figure 9-1 LiveUpdate configurations (figure not reproduced; its labels are: Symantec LiveUpdate server; Internal LiveUpdate server reached through a VPN tunnel, with a Symantec Gateway Security 5400 Series at the remote site; Internal LiveUpdate server on the local network; Symantec Gateway Security 400 Series; SGMI; Protected devices)
Table 9-1 LiveUpdate server configurations
Location Description
1 Symantec LiveUpdate server: http://liveupdate.symantec.com. This is the standard Symantec corporate LiveUpdate site which broadcasts firmware availability. It is the default configuration in your appliance.
2 Internal LiveUpdate server at a remote internal location, protected by a VPN tunnel.
3 Internal LiveUpdate server at a local location.
LiveUpdate servers can be on the WAN or LAN, or accessible through a Gateway-to-Gateway VPN tunnel.
See “Trusted Certificates tab field descriptions” on page 123.
To change the LiveUpdate server location
1 In the SGMI, in the left pane, click Administration.
2 In the right pane, on the LiveUpdate tab, under General Settings, in the LiveUpdate Server text box, type the IP address or fully qualified domain name for your LiveUpdate server.
3 Click Save.
Upgrading firmware manually
Firmware upgrades are available from Symantec's Web site. If you do not configure LiveUpdate to automatically download and apply firmware upgrades, or if Symantec Technical Support instructs you to perform an upgrade manually, check the Symantec Web site for the latest version of the firmware. Your current firmware version number is available on the Status tab.
The firmware file that is available from Symantec Technical Support is called all.bin. It overwrites your configuration, so before you begin a manual firmware upgrade, make note of your configuration. The only setting that it leaves intact is the administrator’s password.
See “Setting the administration password” on page 18.
Warning: Re-flashing the firmware with an old version of the firmware erases all previous configuration information including the password.
Apply the firmware by using the Symantec FTP utility (included on the Symantec Gateway Security 400 Series CD-ROM) or the DOS TFTP command with the -i (binary) option. Either method transfers the firmware file to the appliance, applies it, and then restarts the appliance.
Flashing the firmware
Before you perform a manual firmware upgrade, ensure you have the following items:
symcftpw utility
Located in the Tools folder on the CD-ROM included with your appliance. You may also use the TFTP command to put firmware on the appliance.
Firmware file
Download the latest firmware file from Symantec’s Web site.
Note: If the computer on which you run symcftpw has Norton Internet Security installed, you must configure both an inbound rule and an outbound rule in Norton Internet Security to permit the traffic between the computer and the appliance.
Figure 9-2 shows the rear panel on models 420 and 440. This figure is for reference only; the full description of each feature is available in the Symantec Gateway Security 400 Series Installation Guide.
Figure 9-2 Models 420 and 440 rear panel