Symantec Security 5600 Series, Security 5400 Series, Clientless VPN 4400 Series Administration Manual

Symantec™ Gateway Security 5000
Series v3.0

Administration Guide

Supported hardware platforms:

Symantec Gateway Security 5600 Series, Symantec Gateway Security 5400 Series,
Symantec Clientless VPN Gateway 4400 Series

Symantec™ Gateway Security 5000 Series v3.0
Administration Guide

Documentation version 8.0
September 16, 2005
Copyright © 2005 Symantec Corporation. All rights reserved.
Federal Acquisitions: Commercial Software - Government Users Subject to Standard License Terms

and Conditions.
Symantec, the Symantec Logo, Bloodhound, NAVEX, LiveUpdate, Striker, Symantec Client Firewall,

Symantec Security Response, and Symantec DeepSight Analyzer are trademarks or registered
trademarks of Symantec Corporation in the United States and certain other countries. Additional
company and product names may be trademarks or registered trademarks of the individual companies
and are respectfully acknowledged.

The product described in this document is distributed under licenses restricting its use, copying,
distribution, and decompilation/reverse engineering. No part of this document may be reproduced in
any form by any means without prior written authorization of Symantec Corporation and its licensors,
if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS,
REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE
DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY
INVALID.

Printed in the United States of America.
10987654321

Technical support

As part of Symantec Security Response, the Symantec global Technical Support group maintains
support centers throughout the world. The Technical Support group’s primary role is to respond to
specific questions on product feature/function, installation, and configuration, as well as to author
content for our Web-accessible Knowledge Base. The Technical Support group works collaboratively
with the other functional areas within Symantec to answer your questions in a timely fashion. For
example, the Technical Support group works with Product Engineering as well as Symantec Security
Response to provide Alerting Services and Virus Definition Updates for virus outbreaks and security
alerts.

Symantec technical support offerings include:

■ A range of support options that give you the flexibility to select the right amount of service for any

size organization

■ Telephone and Web support components that provide rapid response and up-to-the-minute

information

■ Upgrade insurance that delivers automatic software upgrade protection

■ Content Updates for virus definitions and security signatures that ensure the highest level of

protection

■ Global support from Symantec Security Response experts, which is available 24 hours a day, 7 days

a week worldwide in a variety of languages for those customers enrolled in the Platinum Support
program

■ Advanced features, such as the Symantec Alerting Service and Technical Account Manager role,

offer enhanced response and proactive security support

Please visit our Web site for current information on Support Programs. The specific features available
may vary based on the level of support purchased and the specific product that you are using.

Licensing and registration

This product requires a license file. The fastest and easiest way to register your service is to access the
Symantec licensing and registration site at https://licensing.symantec.com.

Contacting Technical Support

Customers with a current maintenance agreement may contact the Technical Support group by phone
or online at www.symantec.com/techsupp.

Customers with Platinum support agreements may contact Platinum Technical Support by the
Platinum Web site at https://www-secure.symantec.com/platinum. When contacting the Technical
Support group, please have the following:

■ Product release level

■ Hardware information

■ Available memory, disk space, NIC information

■ Operating system

■ Version and patch level

■ Network topology

■ Router, gateway, and IP address information

■ Problem description

■ Error messages/log files

■ Troubleshooting performed prior to contacting Symantec

■ Recent software configuration changes and/or network changes

Customer Service

To contact Enterprise Customer Service online, go to www.symantec.com/techsupp, select the
appropriate Global Site for your country, then select the enterprise Continue link. Customer Service is
available to assist with the following types of issues:

■ Questions regarding product licensing or serialization

■ Product registration updates such as address or name changes

■ General product information (features, language availability, local dealers)

■ Latest information on product updates and upgrades

■ Information on upgrade insurance and maintenance contracts

■ Information on Symantec Value License Program

■ Advice on Symantec’s technical support options

■ Nontechnical presales questions

■ Missing or defective CD-ROMs or manuals

Chapter 1 Introducing the security gateway

About Symantec Gateway Security 5000 Series v3.0 ...........................................................................................15

Key components of the security gateway ..............................................................................................................15

Firewall technology ...........................................................................................................................................16

Virtual Private Network (VPN) server technology .......................................................................................16

Antispam scanning ............................................................................................................................................17

Antivirus scanning ............................................................................................................................................18

Intrusion detection and prevention ................................................................................................................18

Content filtering ................................................................................................................................................19

High availability/load balancing .....................................................................................................................19

LiveUpdate support ...........................................................................................................................................19

Security Gateway Management Interface ......................................................................................................20

Network security best practices ..............................................................................................................................20

Chapter 2 Becoming familiar with the SGMI

About the SGMI ..........................................................................................................................................................21

Logging on to the SGMI ............................................................................................................................................21

Logging on to the SGMI for the first time ......................................................................................................22

Integrating the SGMI to the desktop ..............................................................................................................24

Logging on to the SGMI from the desktop .....................................................................................................25

Logging on to the SGMI from a browser ........................................................................................................26

Avoiding hostname mismatches .....................................................................................................................27

Using the SGMI home page ......................................................................................................................................29

Viewing Quick Status ........................................................................................................................................29

Accessing commonly used configuration wizards .......................................................................................30

Viewing DeepSight’s ThreatCon status ..........................................................................................................31

Leaving the SGMI .......................................................................................................................................................31

Navigating in the SGMI ............................................................................................................................................33

Using the SGMI menus .....................................................................................................................................35

Using the SGMI toolbar ....................................................................................................................................37

Navigating from the left pane ..........................................................................................................................38

Navigating the right pane .................................................................................................................................43

Using online Help ......................................................................................................................................................45

Displaying Help ..................................................................................................................................................45

Searching Help ...................................................................................................................................................46

Printing Help ......................................................................................................................................................47

Working with configurations of objects .................................................................................................................47

Changing the display of objects in a table .....................................................................................................48

Viewing and modifying object properties ......................................................................................................50

Adding configuration objects ...........................................................................................................................52

Configuring objects that reference other objects .........................................................................................55

Saving and activating configuration changes ...............................................................................................59

Deleting configuration objects ........................................................................................................................61

Using the lower pane when you change configurations ..............................................................................62

Viewing system information ....................................................................................................................................63

Using wizards to simplify configuration ...............................................................................................................64

Contents

6 Contents

Chapter 3 Managing administrative access

Providing access to the security gateway ..............................................................................................................67

Creating administrator accounts ............................................................................................................................67

Creating machine accounts for security gateway access from remote computers .........................................69

Changing passwords .................................................................................................................................................70

Changing administrator passwords ................................................................................................................71

Changing the root password ............................................................................................................................73

Changing a machine account password .........................................................................................................74

Enabling SSH for command-line access to the appliance ...................................................................................74

Chapter 4 Maintaining your security gateway

Performing maintenance tasks ...............................................................................................................................77

Installing and uninstalling hotfixes .......................................................................................................................77

Configuring and running LiveUpdate ....................................................................................................................79

Defining a LiveUpdate server ..........................................................................................................................79

LiveUpdating components ...............................................................................................................................81

Starting and stopping the security gateway .........................................................................................................84

Rebooting the security gateway appliance ............................................................................................................85

Shutting down the security gateway appliance ....................................................................................................86

Understanding and using licenses ..........................................................................................................................86

Viewing the license status of security gateway components .....................................................................87

Viewing license usage .......................................................................................................................................88

Viewing installed licenses ................................................................................................................................88

Obtaining licenses .............................................................................................................................................89

Installing licenses ..............................................................................................................................................94

Removing all license files .................................................................................................................................95

Enabling and disabling security gateway features .......................................................................................96

Backing up and restoring configurations ..............................................................................................................98

Backing up configuration files from the SGMI .............................................................................................98

Restoring security gateway configuration files from the SGMI .................................................................99

Using command-line utilities to perform a local or remote backup ........................................................101

Making system changes with the System Setup Wizard ...................................................................................104

Adding a network interface ............................................................................................................................104

Modifying a network interface ......................................................................................................................108

Modifying system information ......................................................................................................................109

Configuring network interface properties ...................................................................................................112

Maintaining traffic flow .........................................................................................................................................113

Chapter 5 Establishing your network

Understanding security gateway networking components ..............................................................................115

Deployment scenarios .............................................................................................................................................115

Basic deployment .............................................................................................................................................116

Fault tolerant deployment .............................................................................................................................117

Advanced deployment ....................................................................................................................................118

Enclave deployment ........................................................................................................................................119

Advanced enclave deployment ......................................................................................................................120

Defining security gateway routing .......................................................................................................................125

Understanding static routing ........................................................................................................................125

Understanding dynamic routing ...................................................................................................................126

How the security gateway routes traffic ......................................................................................................127

Configuring static routes ................................................................................................................................128

Configuring dynamic routing ........................................................................................................................129

Allowing DHCP traffic .............................................................................................................................................131

How the security gateway handles DHCP traffic ........................................................................................131

Configuring the security gateway to allow DHCP traffic ..........................................................................132

Allowing multicast traffic ......................................................................................................................................135

How the security gateway handles multicast traffic ..................................................................................136

Configuring the security gateway to allow multicast traffic ....................................................................136

About the security gateway’s implementation of DNS ......................................................................................138

Configuring a caching name server with no internal name server .........................................................138

Configuring a caching name server with an internal name server ..........................................................140

Configuring an authoritative name server for a domain ..........................................................................140

Configuring an authoritative name server with delegation .....................................................................142

Configuring enclave DNS ...............................................................................................................................143

Understanding the security gateway’s DNS resource records .................................................................143

Configuring resource records for the security gateway ............................................................................145

DNS alternatives ..............................................................................................................................................153

Enabling reverse lookups ...............................................................................................................................157

Solving DNS problems ....................................................................................................................................157

Chapter 6 Defining your security environment

Identifying the objects used to pass traffic .........................................................................................................159

Defining traffic endpoints with network entities ...............................................................................................160

Configuring a single computer with a host network entity ......................................................................160

Defining a network or subnet with a subnet entity ....................................................................................162

Defining a registered domain with a domain name network entity ........................................................163

Creating security gateway network entities for use in tunnels ................................................................164

Creating a network entity group for rules that apply to multiple entities .............................................166

Defining an entity and security gateway pair with a VPN security entity .............................................167

Understanding how protocols affect traffic ........................................................................................................168

Using protocols that are paired with proxies ..............................................................................................168

Using protocols that are not paired with proxies .......................................................................................169

Viewing reserved ports ...................................................................................................................................173

Configuring custom protocols to handle data from special applications ...............................................178

About service groups ...............................................................................................................................................183

Creating service groups ..................................................................................................................................183

Using service groups to customize protocols for rules ..............................................................................185

Understanding proxies ...........................................................................................................................................187

Configuring a GSP for protocols without proxies .......................................................................................188

Configuring the Oracle Net9 Connection Manager proxy .........................................................................189

Controlling full application inspection of traffic ...............................................................................................192

Defining file control and access ....................................................................................................................192

Sending and receiving files ............................................................................................................................198

Controlling Internet-based data communications .....................................................................................203

Controlling Web traffic ...................................................................................................................................208

Controlling news feeds ....................................................................................................................................216

Synchronizing security gateway time ..........................................................................................................222

Supporting UNIX services ..............................................................................................................................223

Handling streaming audio and video ............................................................................................................225

Managing electronic mail ...............................................................................................................................227

Enabling remote logon ....................................................................................................................................236

Allowing ICMP traffic ......................................................................................................................................238

7Contents

8 Contents

Chapter 7 Limiting user access

Understanding authentication ..............................................................................................................................243

Configuring users for internal authentication ...................................................................................................243

Creating a user account on the internal server ...........................................................................................244

Creating an IKE-enabled user ........................................................................................................................245

Ensuring that the internal server is enabled ...............................................................................................247

Configuring user groups for internal and external authentication .................................................................247

Configuring user groups to authenticate with the internal authentication server ..............................248

Creating an IKE user group ............................................................................................................................250

Importing users and user groups ..................................................................................................................251

Authenticating with an external authentication server ...................................................................................253

Creating authentication server records .......................................................................................................253

Configuring an authentication scheme ........................................................................................................260

Adding an authentication scheme to a rule .................................................................................................261

Authenticating users on external servers ...................................................................................................262

Authenticating using Out-Of-Band Authentication (OOBA) .............................................................................264

Configuring the OOBA service .......................................................................................................................265

Adding OOBA authentication to a rule .........................................................................................................266

Chapter 8 Controlling traffic at the security gateway

How the security gateway controls traffic ..........................................................................................................269

Creating rules and filters to control traffic through the firewall ....................................................................270

Understanding and using rules .............................................................................................................................271

How rules are applied ......................................................................................................................................271

Planning to create rules ..................................................................................................................................272

Configuring rules .............................................................................................................................................272

Rule examples ..................................................................................................................................................280

Configuring HTTP, FTP, and mail (SMTP and POP3) rules with the Firewall Rule Wizard .................284

Using protocols and proxies for specific rules ............................................................................................286

Controlling traffic by date and time .....................................................................................................................287

Configuring a time period range ...................................................................................................................287

Configuring a time period group ...................................................................................................................288

Using packet filters to allow or deny traffic ........................................................................................................289

When to use packet filters ..............................................................................................................................289

Creating a packet filter ...................................................................................................................................290

Understanding packet filter groups .............................................................................................................291

Applying filters and filter groups .................................................................................................................292

Blocking inappropriate content with content filtering .....................................................................................295

Content filtering processing order ...............................................................................................................296

Filtering content by allowing or denying access to defined settings ......................................................296

Filtering by subject matter .............................................................................................................................306

Understanding content filtering and newsgroups .....................................................................................314

Adding content filtering protection to a rule ..............................................................................................316

Chapter 9 Preventing attacks

About preventing attacks .......................................................................................................................................319

Blocking suspicious or malicious traffic with IDS ..............................................................................................319

About intrusion detection and prevention ..................................................................................................320

About IDS/IPS policies ....................................................................................................................................320

Creating IDS/IPS policies ...............................................................................................................................321

Applying IDS/IPS policies ..............................................................................................................................322

Managing intrusion events ............................................................................................................................326

Managing portmap settings ...........................................................................................................................331

Protecting your network resources from virus infections ................................................................................333

About antivirus scanning ...............................................................................................................................333

Preventing denial of service attacks .............................................................................................................335

Blocking files that cannot be scanned ..........................................................................................................336

Optimizing scanning resources .....................................................................................................................337

Avoiding potential session time-out errors .................................................................................................340

Blocking mail attachments that are known threats ...................................................................................342

Responding to virus detections .....................................................................................................................344

Adding antivirus protection to a rule ...........................................................................................................347

Troubleshooting antivirus protection ..........................................................................................................349

Increasing productivity by identifying spam email ...........................................................................................349

About the antispam scanning process ..........................................................................................................350

Identifying spam email ...................................................................................................................................351

Reducing false positives .................................................................................................................................356

Adding antispam protection to a rule ...........................................................................................................358

Making your network more secure by hiding addresses ...................................................................................359

Controlling IP addresses with address transforms ....................................................................................359

Mapping addresses with NAT pools ..............................................................................................................361

Redirecting connections to unpublished addresses with service redirections ......................................364

Creating virtual clients by using NAT pools and address transforms ....................................................366

Enabling protection for logical network interfaces ...........................................................................................368

Enabling port scan detection .........................................................................................................................368

Enabling SYN flood protection ......................................................................................................................369

Enabling spoof protection ..............................................................................................................................370

9Contents

Chapter 10 Providing remote access using VPN tunnels

About VPN tunnels ..................................................................................................................................................373

Understanding gateway-to-gateway tunnels ..............................................................................................374

Understanding Client VPN tunnels ..............................................................................................................374

Tunnel endpoints .............................................................................................................................................375

Tunnel indexes .................................................................................................................................................376

Tunnel communication ...................................................................................................................................376

Tunnel security ................................................................................................................................................377

Types of tunnels ...............................................................................................................................................377

Understanding VPN policies ..................................................................................................................................378

Understanding tunnel negotiation ...............................................................................................................379

Using pre-configured VPN policies ...............................................................................................................379

Creating custom VPN policies ........................................................................................................................380

Creating a VPN policy for IPsec with static key ..........................................................................................382

Viewing or modifying the global IKE policy ................................................................................................384

Configuring tunnels ................................................................................................................................................385

Running the Gateway-to-Gateway Tunnel Wizard ....................................................................................385

Using the Remote Access Tunnel Wizard to create Client VPN tunnels ................................................389

Creating tunnels manually .............................................................................................................................392

Ensuring compliance of remote Client VPN computers ....................................................................................397

Applying client compliance to user groups .................................................................................................398

Simplifying multiple Client VPN computer configuration ...............................................................................399

Delivering Client VPN packages to users .....................................................................................................400

How the Client VPN package is processed on the Symantec Client VPN ................................................400

Importing Client VPN information .......................................................................................................................401

Creating the pkimpvpn file ............................................................................................................................401

Authenticating tunnels using Entrust certificates .............................................................................................402

Multicast traffic through gateway-to-gateway IPsec tunnels ..........................................................................403

How multicast traffic passes through a gateway-to-gateway IPsec tunnel ...........................................404

Configuring multicast support for a gateway-to-gateway IPsec tunnel .................................................406

10 Contents

Chapter 11 Enabling remote access with clientless VPN

About clientless VPN ...............................................................................................................................................409

Clientless VPN concepts .................................................................................................................................410

How clientless VPN controls authentication and remote access .............................................................410

Managing clientless VPN users .............................................................................................................................411

Controlling remote access ......................................................................................................................................412

Defining VPN profiles to allow communication between the security gateway and clientless users ........413

Using rules to allow or deny clientless VPN access ...........................................................................................415

Rule components .............................................................................................................................................415

About simple rules ...........................................................................................................................................415

About advanced rules ......................................................................................................................................419

Using rule sets to group clientless VPN access rules .........................................................................................423

Creating and populating rule sets .................................................................................................................423

Using roles to assign rules to users ......................................................................................................................424

Role structure and inheritance ......................................................................................................................425

Role attributes ..................................................................................................................................................426

Creating and assigning roles ..........................................................................................................................426

Assigning a rule or rule set to a role .............................................................................................................430

Configuring clientless VPN logon policy .....................................................................................................430

Using portal pages to customize the user experience .......................................................................................432

Creating a user portal page ............................................................................................................................433

Creating resource QuickLinks ........................................................................................................................434

Grouping resources .........................................................................................................................................435

Adding resource links to portal pages ..........................................................................................................436

Adding a corporate name and logo ...............................................................................................................437

Adding news items to a portal page ..............................................................................................................437

Removing news items from a portal page ....................................................................................................438

Assign the portal page to a role .....................................................................................................................438

Enabling single sign-on for remote users ............................................................................................................439

Collecting resource logon information ........................................................................................................439

Creating a single sign-on rule ........................................................................................................................439

Deleting user sign-on data .............................................................................................................................440

Using reverse proxy translation ...........................................................................................................................441

Using the Remote Access Tunnel Wizard to set up clientless VPN connections ..........................................442

Clientless VPN connection types ...................................................................................................................442

Advanced mail actions ............................................................................................................................................446

Ensuring client compliance for clientless VPN users ........................................................................................449

Applying client compliance to clientless VPN roles ...................................................................................450

Specifying the SSL cipher suite for data encryption .........................................................................................451

Configuring access to common applications .......................................................................................................452

Identifying resources with URLs ...........................................................................................................................454

Resource URL syntax ......................................................................................................................................455

Chapter 12 Monitoring the security gateway

About monitoring ....................................................................................................................................................461

Viewing system health ............................................................................................................................................462

Monitoring network throughput ...................................................................................................................462

Monitoring system usage and connections .................................................................................................463

Monitoring disk usage .....................................................................................................................................463

Monitoring appliance temperature and fan status ....................................................................................464

Changing the health check poll interval ......................................................................................................465

Viewing quick status .......................................................................................................................................465

Monitoring connections .........................................................................................................................................466

Viewing the connection summary ................................................................................................................466

Viewing active connections ............................................................................................................................467

Viewing antivirus server status .....................................................................................................................468

Testing the hardware accelerator chip with hardware encryption diagnostics ....................................469

Viewing clientless VPN failed logon attempts ............................................................................................469

Unlocking user accounts ................................................................................................................................469

Monitoring log files .................................................................................................................................................470

Configuring the logging service ....................................................................................................................470

Using the Event Logs toolbars .......................................................................................................................472

Viewing, copying, and printing current log files ........................................................................................473

Viewing cluster log files ..................................................................................................................................474

Opening, deleting, and backing up archived log files ................................................................................475

Adding or removing Event Log table columns ............................................................................................475

Starting a new log file .....................................................................................................................................476

Displaying selected log messages ..................................................................................................................476

Managing log files remotely ...........................................................................................................................480

Monitoring IDS/IPS alerts ......................................................................................................................................482

Displaying selected IDS/IPS alerts ................................................................................................................484

Alerting using notifications ...................................................................................................................................486

Configuring IDS/IPS blacklist notifications ................................................................................................486

Configuring a client program notification ...................................................................................................488

Configuring an email notification .................................................................................................................489

Configuring a pager notification ...................................................................................................................490

Configuring SNMPv1 and SNMPv2 notifications .......................................................................................491

Integrating Symantec DeepSight Threat Management System .......................................................................494

Reducing the volume of log messages ..................................................................................................................495

Modifying firewall rules to reduce log messages ........................................................................................495

Including host names in log entries ..............................................................................................................495

Configuring reverse lookup timeout value ..................................................................................................496

11Contents

Chapter 13 Generating reports

About reports ...........................................................................................................................................................497

Analysis reports .......................................................................................................................................................497

Generating and viewing an analysis report .................................................................................................498

Printing and saving analysis reports ............................................................................................................498

Analysis report descriptions ..........................................................................................................................499

Configuration reports .............................................................................................................................................501

Generating and viewing a configuration report .........................................................................................502

Printing and saving a configuration report .................................................................................................502

Configuration report descriptions ................................................................................................................503

Viewing validation reports .....................................................................................................................................506

Upgrade reports .......................................................................................................................................................506

Retrieving upgrade reports using FTP or SSH ............................................................................................507

Chapter 14 High availability and load balancing using clusters

About clustering ......................................................................................................................................................509

How clusters work ...................................................................................................................................................509

Cluster prerequisites .......................................................................................................................................511

Creating a new cluster with the Cluster Wizard .................................................................................................512

12 Contents

Changing cluster settings .......................................................................................................................................514

Changing global cluster configurations .......................................................................................................515

Changing virtual IP addresses for clusters ..................................................................................................515

Monitoring cluster processes .........................................................................................................................516

Configuring ping groups for clusters ...........................................................................................................517

Configuring NIC monitoring on a cluster ....................................................................................................517

Changing traffic groupings for clusters .......................................................................................................518

Managing clusters ...................................................................................................................................................519

Changing the cluster account password ......................................................................................................519

Adding or removing a cluster member .........................................................................................................520

Dissolving a cluster .........................................................................................................................................521

Rebooting a cluster ..........................................................................................................................................523

Using stateful failover to maintain cluster connections ...........................................................................524

Updating interfaces in a cluster configuration ...................................................................................................524

Adding a network interface to a cluster member .......................................................................................525

Removing a network interface from a cluster member .............................................................................526

Changing a network interface .......................................................................................................................527

Monitoring cluster status .......................................................................................................................................528

Viewing the cluster status in the SGMI ........................................................................................................528

Viewing cluster status using the bfstat utility ............................................................................................529

Cluster interactions with other security gateway features ..............................................................................530

Modifying redirected services for clustering ..............................................................................................530

Modifying the RIP daemon for use with clusters .......................................................................................533

Using hot standby mode .................................................................................................................................533

Configuring gateway-to-gateway VPN tunnels that use NAT ..................................................................534

Backing up and restoring cluster configurations ...............................................................................................534

Restoring a cluster configuration .................................................................................................................535

Troubleshooting cluster configuration problems ..............................................................................................539

Errors on the cluster member that propagates the configuration ..........................................................540

Errors when adding a cluster member .........................................................................................................540

Appendix A Advanced system settings

Configuring advanced options ...............................................................................................................................545

Appendix B SSL server certificate management

About SSL certificates .............................................................................................................................................553

Installing a certificate authority ...........................................................................................................................553

Creating a new certificate ......................................................................................................................................554

Generating a request file ........................................................................................................................................555

Installing a signed certificate ................................................................................................................................555

Appendix C Troubleshooting and problem solving

About troubleshooting ............................................................................................................................................557

Accessing Symantec Gateway Security 5000 Series troubleshooting information ..............................557

Important reminders ..............................................................................................................................................558

Isolating a problem ..................................................................................................................................................558

Using an IP address .........................................................................................................................................558

Using the security gateway ............................................................................................................................559

Troubleshooting utilities ........................................................................................................................................560

Setting up the flatten utility ..........................................................................................................................560

Using the FTP client ........................................................................................................................................561

About listlicense ..............................................................................................................................................561

Using tcpdump .................................................................................................................................................562

Troubleshooting problems with the SGMI display ............................................................................................562

Appendix D Field descriptions

Monitors field descriptions ....................................................................................................................................563

Status .................................................................................................................................................................564

Logs ....................................................................................................................................................................570

Open Archived Log File dialog box ................................................................................................................574

IDS/IPS Alerts tab ............................................................................................................................................574

Notifications .....................................................................................................................................................579

Policy field descriptions .........................................................................................................................................589

Firewall ..............................................................................................................................................................589

Packet Filters ....................................................................................................................................................600

Time Periods .....................................................................................................................................................602

VPN Tunnels .....................................................................................................................................................605

VPN Policies ......................................................................................................................................................609

IPsec static key policy Properties—Data Privacy Preference tab .............................................................616

Clientless VPN ..................................................................................................................................................617

Antivirus ...........................................................................................................................................................630

Antispam ...........................................................................................................................................................637

IDS/IPS—Policies tab .......................................................................................................................................641

IDS/IPS—Configuration tab ............................................................................................................................642

IDS/IPS—Portmap tab .....................................................................................................................................644

Content Filtering—Advanced Restrictions tab ............................................................................................646

Content Filtering Profile Properties—General tab ......................................................................................649

URL Ratings tab ...............................................................................................................................................650

Newsgroups tab ................................................................................................................................................651

Newsgroup Profiles .........................................................................................................................................652

Client Compliance ............................................................................................................................................653

Policy Parameters ............................................................................................................................................654

Assets field descriptions .........................................................................................................................................655

Network Entities ..............................................................................................................................................655

Network Interfaces ..........................................................................................................................................663

Address Transforms ........................................................................................................................................668

NAT pools ..........................................................................................................................................................670

Redirected Services .........................................................................................................................................672

DNS ....................................................................................................................................................................673

Routes ................................................................................................................................................................685

Authentication Servers ...................................................................................................................................685

Schemes .............................................................................................................................................................693

Network Users ..................................................................................................................................................694

User Groups ......................................................................................................................................................696

Proxies ...............................................................................................................................................................699

H.323 Aliases ....................................................................................................................................................720

Protocols ...........................................................................................................................................................721

Service Groups .................................................................................................................................................726

Parameters for protocols within service groups .........................................................................................728

Portal Pages ......................................................................................................................................................737

Secure Desktop Mail Access ...........................................................................................................................741

Secure Web Mail Access .................................................................................................................................741

Asset Parameters .............................................................................................................................................742

System field descriptions .......................................................................................................................................743

SESA Event Gating ..........................................................................................................................................751

LiveUpdate ........................................................................................................................................................754

SSL Server Certificates ...................................................................................................................................757

Administration .................................................................................................................................................758

SYN Flood Allowed Hosts ...............................................................................................................................766

Licensing ...........................................................................................................................................................767

13Contents

14 Contents

Cluster field descriptions .......................................................................................................................................767

Cluster Status ...................................................................................................................................................768

Cluster Members window ...............................................................................................................................768

VIPs window .....................................................................................................................................................769

Watchlist window ............................................................................................................................................770

Ping Groups window .......................................................................................................................................770

NIC Monitoring window ..................................................................................................................................771

Traffic Grouping window ...............................................................................................................................772

Menu option field descriptions ..............................................................................................................................773

Analysis reports ..............................................................................................................................................775

Configuration reports .....................................................................................................................................775

Client VPN Package Wizard ...........................................................................................................................776

Remote Access Tunnel Wizard for Client VPN ...........................................................................................777

Remote Access Tunnel Wizard for Clientless VPN ....................................................................................782

Gateway-to-Gateway Tunnel Wizard ...........................................................................................................786

Global IKE policy ..............................................................................................................................................792

System Setup Wizard ......................................................................................................................................795

Cluster Wizard .................................................................................................................................................801

Activate Changes Wizard ...............................................................................................................................807

Restore Wizard .................................................................................................................................................808

Firewall Rule Wizard .......................................................................................................................................812

License Installation Wizard ...........................................................................................................................816

SecurID Server Connection Wizard ..............................................................................................................819

Active Directory Server Connection Wizard ...............................................................................................819

Index

Chapter

Introducing the security gateway

This chapter includes the following topics:

■ About Symantec Gateway Security 5000 Series v3.0

■ Key components of the security gateway

■ Network security best practices

About Symantec Gateway Security 5000 Series v3.0

Symantec Gateway Security 5000 Series v3.0 is an integrated hardware and software appliance that
provides many security technologies in one rack-mountable, plug-and-protect appliance that acts as a
security gateway to your enterprise.

1

The security gateway includes firewall, antivirus, antispam, intrusion detection and prevention, and
content filtering components. The standards-based VPN components provide secure remote access to
both client VPN and clientless VPN users who are telecommuters, satellite office employees, and
authorized contractors. To protect your resources from catastrophic failures and to share traffic loads
among multiple security gateways, Symantec includes an optional high availability/load balancing
(HA/LB) component.

These features provide access control and security enforcement on traffic passing through the security
gateway. They control information entering and leaving networks by using full-inspection scanning
techniques to ensure that data is validated up through the application layer.

Through the Security Gateway Management Interface (SGMI), you can remotely and securely control
and monitor individual or clustered security gateways and create configurable policies for users and
user groups. In addition to its simplified policy management, the Symantec Gateway Security 5600
Series appliance makes installation and configuration quick and easy, with pre-configured and
hardened operating system software and an array of setup wizards.

Key components of the security gateway

Key components of the security gateway include:

■ Firewall technology

■ Virtual Private Network (VPN) server technology

■ Antispam scanning

■ Antivirus scanning

■ Intrusion detection and prevention

■ Content filtering

16 Introducing the security gateway

Key components of the security gateway

■ High availability/load balancing

■ LiveUpdate support

■ Network security best practices

Firewall technology

The security gateway’s firewall component uses a unique architecture to provide strong, transparent
firewall protection against unwanted intrusion without slowing the flow of approved traffic on
enterprise networks. Some key firewall features include:

Standard application
proxies

Security gateway rules You enforce your corporate security policies by creating rules to control traffic through the

Address transforms
and service redirection

The standard proxies that are built into the security gateway work in conjunction with the
firewall driver to handle common services, such as Telnet, HTTP, FTP, and RealAudio.
Standard proxies offer the highest level of protocol checking and logging, as well as ease of
use.

The security gateway uses proxies with both standard and custom protocols:

■ Standard protocols

The most commonly used protocols, such as FTP, HTTP, NNTP, POP3, and SMTP, are
predefined on the security gateway. Over 150 protocols are included.
Unless specifically stated otherwise, when this manual describes how traffic is
passed, it uses standard proxies.

■ Custom protocols

You can add custom protocols for generic services provided by the hosts residing on
either side of the security gateway.
These protocols can represent services that are not supported by the standard proxies
that are provided with the security gateway. A configurable Generic Service Proxy
(GSP) is used with custom protocols.

security gateway. Rules can include alert thresholds, and content security protection such
as antispam and antivirus configuration. Rules also let you authenticate users through the
use of authentication servers.

You can hide internal addresses by using address transforms and service redirection. You
can assign Network Address Translation (NAT) pool addresses to designate replacement
addresses for client IP addresses that are used in tunneled or non-tunneled connections.
With redirected services, you can redirect connections to non-published destinations.

Firewall log and IDS/
IPS alert viewing

Configuration reports You can generate and print reports for every configurable feature of the security gateway.

The security gateway’s log and IDS/IPS alert viewing capabilities let you identify threats.
The information from log messages and alerts can help you reconfigure the security
gateway to stop attacks.

Virtual Private Network (VPN) server technology

Symantec Gateway Security 5000 Series v3.0 includes VPN technology that lets organizations securely
extend their network perimeters beyond the enterprise.

The security gateway uses VPN tunnels to send encrypted and encapsulated IP packets over public
networks securely to another VPN server. VPN tunnels can be created for connections from IPsec­compliant clients or clientless VPN access.

Note: The base license that is included with your appliance includes support for one concurrent VPN
user connection and unlimited gateway-to-gateway VPN connections.

Key components of the security gateway

VPN features include:

VPN policies Symantec Gateway Security 5000 Series v3.0 ships with pre-configured VPN policies that

you can apply to your secure IPsec tunnels.

For example, you can apply pre-configured IPsec/IKE policies and IPsec/Static policies to
the IPsec/IKE or IPsec/Static secure tunnel that you create.

17Introducing the security gateway

Symantec Client VPN
tunnel configurations

Gateway-to-gateway
VPN tunnel
configurations

Clientless VPN Clientless VPN technology is integrated into the security gateway. It provides portal-based

Client compliance The security gateway enforces security parameters set by the administrator prior to

Antispam scanning

Spam is unsolicited bulk email, most often advertising messages for a product or service. Spam email
wastes user productivity and consumes network and mail server resources. The security gateway
provides scanning processes that let you optimize spam detection and reduce false positives. You can
also configure how to respond to spam email.

Client VPN tunnels let remote users running the Symantec Client VPN software (or any
IPsec compliant VPN client software) safely connect over the Internet to a network secured
by a Symantec security gateway.

A Client configuration is created when a workstation, running Symantec Client VPN
software, connects to the security gateway from either inside the protected network or
from a remote location through the Internet.

A gateway-to-gateway configuration is created when two security gateways are connected,
across an internal network, or the Internet, through a VPN tunnel.

Gateway-to-gateway tunnels help secure your internal network by providing a secure
bridge to an external LAN.

access for Web-enabled and non-Web based applications, connecting large numbers of
remote users to your corporate network.

Clientless VPN lets users at any dial-up, broadband, or wireless access point gain
authenticated and controlled remote access to email, shared network files and resources,
corporate applications, corporate intranets, and corporate Web-based applications from
any location.

establishing a VPN tunnel. This includes determining if the client is running the expected
corporate profile for required security products.

When antispam protection is enabled in a rule, the security gateway scans emails that are handled by
the SMTP and POP3 proxies.

The security gateway lets you configure the following options to optimize spam detection:

Real-Time blacklist servers Blocks mail that comes from mail servers known or believed to send spam.

Heuristic sensitivity Sets the sensitivity level of the heuristic antispam scanner.

Email senders identified as spam Identifies spam based on addresses or domains that you specify.

Subject patterns identified as spam Identifies spam based on subject line content that you specify.

Identify messages with no subject line
as spam

Identifies spam based on subject lines that do not contain content.

To minimize false positives, you can define a list of sender domains that are not evaluated by the real­time blacklists. You can also specify email addresses and domains that are allowed to bypass scanning
processes.

18 Introducing the security gateway

Key components of the security gateway

Antivirus scanning

The security gateway lets you configure antivirus scanning and filtering policies for any traffic that
uses the FTP, HTTP, POP3, and SMTP protocols. Some scanning and filtering policy features differ
depending on the protocol that you are using.

Configurable options include the following:

Protect your
environment from
threats

Optimize scanning
performance

Provide user
comforting

Respond to threats You can configure the security gateway to respond to virus detections in the following

The security gateway offers settings to help prevent denial of service attacks, which are
caused by large container files or files that contain multiple, embedded compressed files.
You can also protect your security gateway by configuring settings to block files that
cannot be scanned.

You can use some scanning and blocking policy settings during a virus outbreak to
further protect your security gateway. Once you have information on the characteristics
of a new virus, you can use this information to block the infected attachment or email
immediately, before virus definitions for the new virus are posted. For maximum
coverage, you can scan all file types rather than limiting the file types that are scanned
for viruses.

You can configure settings to restrict the resources that handle certain types of files and
specify the file types to be scanned.

The security gateway lets you enable data trickle user comforting for the POP3, HTTP,
and FTP protocols. The data comforting feature trickles small amounts of the file to the
user while the file is being scanned. This prevents the user from receiving a session time­out error when downloading a large file. Using data comforting can compromise virus
integrity. Serious consideration should be given to a number of factors before you use the
data comforting feature.

ways:

■ Add an x-virus header to an email message and deliver the email and attachment to

the recipient.

■ Repair the infection or delete the infected file if it is unable to be repaired.

■ Automatically delete the infected file.

You can configure these settings separately for each protocol. You can also notify users
when a virus has been detected and what actions the security gateway took with the
infected file.

Intrusion detection and prevention

Symantec Gateway Security 5000 Series v3.0 provides an intrusion detection and prevention
component that protects internal network resources from attack by pinpointing malicious activities,
identifying intrusions, and responding rapidly to attacks.

Traditionally, network intrusion detection systems (NIDS) consist of one or more sensors deployed
across an enterprise and a console to aggregate and analyze the collected data. The majority of
commercial IDS products are based on a system that examines network traffic for special patterns of
attack. This method of detection is called signature-based detection. Some NIDS systems miss attacks
because they cannot keep pace with the high traffic volumes, or generate unmanageable numbers of
alerts due to false positives.

Symantec’s intrusion detection and prevention component provides a common, highly coordinated
approach to detect attacks at very high speeds within the network environment. Using an array of
detection methodologies to enhance attack identification, the intrusion detection and prevention
component monitors network traffic and collects evidence of malicious activity with a combination of
traffic rate monitoring, protocol state tracking, and IP packet reassembly.

The security gateway responds to detected intrusions using signatures to detect and prevent numerous
attacks. Symantec LiveUpdate technology ensures that new signatures are downloaded to address new
threats well before they become security issues.

Content filtering

The security gateway offers a variety of tools for managing Web access for both incoming and
outgoing traffic. You can customize HTTP and NNTP access to and from designated entities within
your network using the content management tools that are available through the appliance.

You can filter content based on the following criteria:

Key components of the security gateway

19Introducing the security gateway

HTTP inclusion/
exclusion lists

Subject matter of
Web cont e nt

Newsgroup profiles
and subject matter of
newsgroups

Configure rules for the HTTP proxy based on inclusion and exclusion lists. This includes
URL address, URL pattern matching, MIME type, and file extensions. Configuring the
security gateway to provide filtering based on these parameters conserves resources and
increases overall efficiency.

To provide content enforcement based on subject matter, you can create content profiles
that specify certain types of content for which access should be denied. You can create any
number of content profiles with different levels of content filtering and apply the
appropriate content profile when you configure a rule that contains HTTP. By specifying a
content profile in a rule, you restrict access to selected Web content for those users to which
the rule applies.

To provide comprehensive filtering of Web content based on subject matter, the security
gateway uses a combination of the following:

■ Predefined content categories

These are lists of URLs that contain related subject matter. Thirty-one pre-populated
content categories, which include subject matter ranging from pornography, crime,
and violence to news and humor, are currently provided with the security gateway.
Each content category has an associated DDR dictionary.

■ Dynamic Document Review (DDR) dictionaries

Predefined DDR dictionaries contain key words and phrases, in multiple languages.
DDR dictionaries provide real-time analysis of Web content. DDR dictionaries are used
in conjunction with Content Categories to provide comprehensive subject matter
filtering.

Newsgroup profiles let you can control access to newsgroups through the security gateway.
You do this by defining each newsgroup that you want to permit or deny access to, adding it
to a newsgroup profile, and then including that profile in a rule.

High availability/load balancing

Symantec security gateways include configurable clustering technology that ensures high availability
(HA) for your security gateways and increases performance through load balancing (LB).

To increase availability, you can cluster Symantec’s security gateways into groups of from two to eight
security gateways. When two or more security gateways are clustered, the failure of one security
gateway causes another security gateway to automatically pick up the workload of the failed cluster
member.

Security gateways in a cluster can also share the traffic load to maintain high throughput. With load
balancing configured, the cluster spreads out connections more evenly over several security gateways
instead of always sending requests to one computer. This makes more efficient use of your network
resources.

LiveUpdate support

The Symantec Gateway Security 5000 Series v3.0 software incorporates patented LiveUpdate
technology to keep your security gateway components up-to-date.

20 Introducing the security gateway

Network security best practices

To use the security gateway’s LiveUpdate capabilities, you must purchase subscription licenses that
entitle you to updates of the following content security services:

■ Antivirus

■ Antispam

■ Content filtering

■ Dynamic document rating

■ Intrusion detection and prevention

Security Gateway Management Interface

The Security Gateway Management Interface (SGMI) is a Web-based graphical user interface for
managing and monitoring all functions on the security gateway.

SGMI wizards help you configure the objects that represent your network environment and internal
and external resources. You combine these objects in rules, VPN tunnels, and packet filters that control
access through the security gateway.

The monitoring capabilities of the SGMI let you view the status of connections, the health of the
appliance, log messages generated by the security gateway, and IDS/IPS alerts.

The system management features of the SGMI let you create management accounts, configure and run
LiveUpdate of content security components, create SSL certificates, and manage licenses for the
security gateway features you have purchased.

Network security best practices

Symantec encourages all users and administrators to adhere to the following basic security practices:

■ Turn off or remove unnecessary operating system services.

By default, many operating systems install auxiliary services that are not critical, such as FTP,

Telnet, or Web servers. These services are avenues of attack. If they are removed, blended threats

have fewer exploitation points and you have fewer services to maintain through patch updates.

■ If there is a known exploit for one or more network services, disable or block access to those

services until they are properly patched.

■ Automatically update your antivirus definitions at the gateway, server, and client.

■ Always keep your patch levels up-to-date, especially on computers that host public services and are

accessible through the security gateway, such as HTTP, FTP, mail, and DNS services.

■ Enforce a password policy. Complex passwords make it difficult to crack password files on

compromised computers. This helps to prevent or limit damage when a computer is compromised.

■ Configure your email server to block or remove email that contains file attachments that are

commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.

■ Isolate infected computers quickly to prevent further compromising your organization. Perform a

forensic analysis and restore the computers using trusted media.

■ Train employees not to open attachments unless they are expecting them. Also, do not execute

software that is downloaded from the Internet unless it has been scanned for viruses. Simply

visiting a compromised Web site can cause infection if certain browser vulnerabilities are not

patched.

You can find additional information, in-depth white papers, and resources regarding enterprise
security solutions by visiting the Symantec Enterprise Solutions Web site at

http://enterprisesecurity.symantec.com.

Chapter

Becoming familiar with the SGMI

This chapter includes the following topics:

■ Logging on to the SGMI

■ Using the SGMI home page

■ Leaving the SGMI

■ Navigating in the SGMI

■ Using online Help

■ Working with configurations of objects

■ Viewing system information

2

■ Using wizards to simplify configuration

About the SGMI

You manage Symantec Gateway Security 5000 Series v3.0 using the Security Gateway Management
Interface (SGMI). The SGMI is an easy to navigate graphical user interface that lets you perform a
variety of management functions.These include configuring the security gateway to meet the needs of
your security plan, monitoring the performance of the security gateway appliance, or monitoring log
and IDS/IPS alert messages to identify security threats.

To share administrative functions, you can create additional administrator accounts, with privileges
appropriate to the administrator. These accounts can be used for simultaneous access to the security
gateway. For example, the administrator who configures the security gateway can log on at the same
time as an administrator who is responsible for monitoring log messages and alerts. Only the first
workstation that connects to the security gateway has write access.

The SGMI runs as a Java application, giving you free access from the SGMI to the clipboard, the local
file system, and printers, making it easy to share log message details and configuration reports.

Logging on to the SGMI

You access the SGMI by performing a password controlled log on.

The SGMI uses Secure Sockets Layer (SSL) to make a secure connection between your workstation and
the appliance. You may see several security warnings regarding SSL certificates during logon. After
examining these certificates, you can safely accept them. You also have the option of installing a third­party certificate authority (CA), which eliminates some of these security warnings.

The first time you log on, the procedure ensures that you have the required Java environment and lets
you install an icon to the desktop for easy access in future logons.

22 Becoming familiar with the SGMI

Logging on to the SGMI

The following tasks are included in this section:

■ “Logging on to the SGMI for the first time” on page 22

■ “Integrating the SGMI to the desktop” on page 24

■ “Logging on to the SGMI from the desktop” on page 25

■ “Logging on to the SGMI from a browser” on page 26

Related information

For further information related to this topic, see the following:

■ “SSL server certificate management” on page 553

Logging on to the SGMI for the first time

The first time that you log on to the SGMI from your workstation, you initiate the log on from a
browser window.

The following are the supported browsers for use with the SGMI:

■ Microsoft Windows 2000; Internet Explorer 6.0

■ Windows XP; Internet Explorer 6.0, Mozilla Firefox 1.6

■ Windows 2003; Internet Explorer 6.0, Mozilla Firefox 1.6

■ Linux; Mozilla Firefox 1.6

■ Solaris; Mozilla Firefox 1.6

■ Macintosh OS X; Safari 1.2, Mozilla Firefox 1.6

The SGMI uses the Java Runtime Environment (JRE). The JRE includes Java Web Start, which lets you
install a desktop icon for the SGMI after your initial log on. Using this icon, during future log ons, you
can run the SGMI from the desktop instead of a browser window. If you choose not to install the
desktop SGMI icon, you can continue to log on from a browser.

The logon procedure can be affected by the computer from which you are connecting to the security
gateway appliance, the version of JRE that is running on it, and the browser you use. Read the following
issues to see if they affect you:

■ What to expect if you do not have the correct version of the JRE installed:

■ In most instances it is downloaded to your computer as part of the log on procedure.

The following procedure describes this scenario.

■ If you use Mozilla Firefox as your browser, a download Java page displays, from which you can

save the self-installing executable. Run the Java installation, and then begin the logon
procedure again.

■ What to do if you are running Microsoft Windows Server software and using Internet Explorer 6.0

as your browser.

Unless you change it, a a default security setting in Internet Explorer requires you to save the

JNLP file that downloads the SGMI application locally and then double click to run the saved file.

To change this behavior, before you log on for the first time, in your browser window, on the Tools

menu, click Internet Options. In the Internet Options dialog box, on the Advanced tab, scroll down

to the security options and uncheck Do not save encrypted pages to disk.

To log on, you need the following information:

■ The IP address or domain name of the appliance

Note: If logging on to a node in a cluster, do not log on using a virtual IP address (VIP). You must

log on using an actual address.

Logging on to the SGMI

■ Your user name and password

If you are the first administrator to access the security gateway after it is installed, you use the

admin user account and the password that was generated during the initial setup.

If the security gateway has already been configured, you may be logging on using a local

administrator account. In that case, the administrator who created the account must provide you

with your user name and password.

Prerequisites

Complete the following tasks before beginning this procedure:

■ Install and configure the appliance as described in the Symantec Gateway Security 5000 Series v3.0

Installation Guide.

To log on to the SGMI for the first time

1 In a browser window, enter the URL or domain name of the security gateway you want to manage,

in one of the following formats:

https://<URL>:2456 https://198.162.111.5:2456

https://<DOMAIN>.com:2456 https://symantecdomain.com

https://10.161.131.12:2456

23Becoming familiar with the SGMI

2 In the Security Alert dialog box, verify the temporary certificate that is generated by the appliance

and then click Yes to accept it.

3 Do one of the following:

■ If a second certificate security warning dialog box displays, continue at step 5.

■ If a Connect dialog box displays, continue at step 4.

■ If you are using Internet Explorer and nothing displays, below the browser’s Address field,

click on the message telling you that you may require an Active X control.
Select Install Active X control.
When prompted to install, click Install.
Continue at step 4.

4 To install the JRE, do the following:

■ In the Username text box, type the user name for your account on the security gateway.

■ In the Password text box, type the password for your account on the security gateway, and

then click OK.

24 Becoming familiar with the SGMI

Logging on to the SGMI

5 In the Warning-Security dialog box, verify the certificate, and then click Yes .

6 If a Hostname Mismatch dialog box is displayed, click Ye s .

7 When a message in the browser window notifies you that the application has started, close the

8 In the next Warning-Security dialog box, verify the certificate, and then click Ye s .

9 If additional Hostname Mismatch dialog boxes are displayed, click Ye s to close them.

10 In the Password Needed - Networking dialog box, do the following:

11 In the Warning - Security dialog box, click Ye s .

■ When a dialog box prompts you to install the JRE, click Ye s .

■ Perform a default installation.

When the installation is complete, a certificate security warning is displayed for the SSL
connection to the appliance.

window.

■ In the User name text box, type the user name for your account on the security gateway.

■ In the Password text box, type the password for your account on the security gateway.

■ Click Ye s .

A Java Web Start progress box shows files being downloaded to your computer, followed by a

security warning for a certificate that is signed by Symantec.

12 In a final Warning - Security dialog box from Sun Microsystems, Inc., click Yes .

13 If you had JRE 1.5 installed before you began the logon procedure, with the Advanced > Shortcut

Creation option set to Prompt user, a Create shortcut(s) dialog box is displayed.

To create an SGMI shortcut on your desktop, click Yes .

If you did not configure WebStart before logging on, you can integrate the SGMI to the desktop

after you finish logging on.

14 Optionally, when the SGMI displays, you can change your password using the Change Admin

Password option on the System menu.

Related information

For further information related to this topic, see the following:

■ “Logging on to the SGMI from the desktop” on page 25

■ “Logging on to the SGMI from a browser” on page 26

■ “Changing administrator passwords” on page 71

Integrating the SGMI to the desktop

Because the SGMI is a Java application, you can use Java Web Start to integrate it to your desktop. You
can then use the SGMI icon to begin the logon procedure, instead of the browser.

Prerequisites

Complete the following task before beginning this procedure:

■ “Logging on to the SGMI for the first time” on page 22

Integrate SGMI to the desktop

Using Web Start, you can add the SGMI icon to the desktop. You can integrate access to multiple
appliances, so that you have an icon on the desktop for each appliance.

You can also remove SGMI icons that you no longer use. For example, if you no longer manage a
specific appliance, you can remove its icon.

Logging on to the SGMI

To add the SGMI to the desktop

1 On the Start menu, click Control Panel.

2 In the Control Panel window, click Java.

3 In the Java Control Panel dialog box, under Temporary Internet Files, click Settings.

4 In the Temporary Files Settings dialog box, click View Applications.

5 In the Java Application Cache Viewer, on the User tab, highlight the application that is identified by

the URL you used to connect to the appliance.

6 On the Application menu, click Install Shortcuts.

7 On the File menu, click Exit.

8 In the Temporary Files Settings dialog box, click OK.

9 In the Java Control Panel dialog box, click OK.

10 Close the Control Panel.

To remove the SGMI icon from the desktop

1 On the Start menu, click Control Panel.

2 In the Control Panel window, click Java.

3 In the Java Control Panel dialog box, under Temporary Internet Files, click Settings.

4 In the Temporary Files Settings dialog box, click View Applications.

25Becoming familiar with the SGMI

5 In the Java Application Cache Viewer, on the User tab, highlight the application that is identified by

the URL you used to connect to the appliance.

6 On the Application menu, click Remove Shortcuts.

7 On the File menu, click Exit.

8 In the Temporary Files Settings dialog box, click OK.

9 In the Java Control Panel dialog box, click OK.

10 Close the Control Panel.

Related information

For further information related to this topic, see the following:

■ “Logging on to the SGMI from the desktop” on page 25

Logging on to the SGMI from the desktop

If you have installed an SGMI icon on your desktop, you can use it to initiate logging on to the SGMI.

Note: If the software of the security gateway to which you are connecting has been updated since you
last connected, while you are connecting, a Java window is displayed to show that the changes are
being downloaded.

Installing a hotfix may result in the JAR cache version being older or newer than that of the security
gateway. The hotfix documentation tells you whether you need to clear the JAR cache before logging
on.

Prerequisites

Complete the following task before beginning this procedure:

■ “Integrating the SGMI to the desktop” on page 24

26 Becoming familiar with the SGMI

Logging on to the SGMI

To log on to the SGMI from the desktop

1 On the desktop, double-click the SGMI icon.

2 If a Warning - Security dialog box displays, do one of the following:

3 If one or more Warning - HTTPS dialog boxes are displayed warning about a hostname mismatch,

4 In the Password Needed - Networking dialog box, do the following:

5 In the Warning - Security dialog box, verify the certificate, and then click Ye s .

■ Verify the certificate, and then click Ye s .

■ To proceed and to prevent the display of this dialog box during future log ons, click Always.

If you prefer to use a third-party certificate for greater security, you can purchase a certificate and

install it on your appliance.

click Ye s on each to proceed.

The mismatch occurs if you access the SGMI by entering a URL, and DNS is not set up to resolve

the URL to the host name of the security gateway. Receiving this message does not affect the logon

procedure.

■ In the Username text box, type your administrator name.

■ In the Password text box, type your password.

■ Click Ye s .

If another administrator is logged on to the SGMI, you are warned that you have read-only access.

You can continue the logon procedure and view status and configurations in the SGMI but you

cannot make any changes.

If necessary, you can gain write access by terminating the connection of the other administrator.

6 In the final Warning - Security dialog box, verify the certificate, and then click Yes .

Related information

For further information related to this topic, see the following:

■ “SSL server certificate management” on page 553

■ “Terminating an active connection” on page 467

Logging on to the SGMI from a browser

If you do not install an SGMI icon on your desktop, you can log on to the SGMI from a browser.

Note: If logging on to a node in a cluster, do not log on using a virtual IP address (VIP). You must log on
using an actual address.

Prerequisites

Complete the following task before beginning this procedure:

■ “Logging on to the SGMI for the first time” on page 22

To log on to the SGMI from a browser

1 In a browser window, enter the URL or host name of the appliance you want to manage, in one of

the following formats:

https://<URL>:2456 https://192.168.111.5:2456

https://<DOMAIN>.com:2456 https://symantecdomain.com

Logging on to the SGMI

2 In the Security Alert dialog box, verify the temporary certificate that is generated by the appliance

and then click Yes to accept it.

3 In the Warning-Security dialog box, verify the certificate, and then click Yes .

4 If a Hostname Mismatch dialog box is displayed, click Ye s .

5 When a message in the browser window notifies you that the application has started, close the

window.

6 In the next Warning-Security dialog box, verify the certificate, and then click Ye s .

7 If additional Hostname Mismatch dialog boxes are displayed, click Yes to close them.

8 In the Password Needed - Networking dialog box, do the following:

■ In the User name text box, type the user name for your account on the security gateway.

■ In the Password text box, type the password for your account on the security gateway.

■ Click Ye s .

9 In the Warning - Security dialog box, click Yes .

10 In a final Warning - Security dialog box from Sun Microsystems, Inc., click Yes .

Related information

For further information related to this topic, see the following:

27Becoming familiar with the SGMI

■ “Logging on to the SGMI from the desktop” on page 25

Avoiding hostname mismatches

When the security gateway is configured for the first time, a certificate is created for host.domain, the
default host name of the security gateway.

If all of the following are true, when you log on to the SGMI you receive a warning message that a host
name mismatch has occurred:

■ You log on using a URL

■ A domain name other than host.domain has been specified for the security gateway during setup

■ Your corporate DNS is not set up to resolve the URL to the host name

This message does not indicate a problem and can be accepted as part of the log on procedure.
Alternatively, you can configure your computer to avoid the display of the warning in the future.

Prerequisites:

Complete the following task before beginning this procedure:

■ “Logging on to the SGMI for the first time” on page 22

To avoid hostname mismatches:

1 Log on to the SGMI.

2 In the left pane, under System, click System Information.

3 In the right pane, view the system information and record the host name and domain name of the

security gateway.

The SSL certificate that secures your access to the security gateway uses the combination of these

names as the hostname of the security gateway.

4 On the File menu, click Log off.

5 From your desktop, open the etc/Hosts file.

28 Becoming familiar with the SGMI

Logging on to the SGMI

6 At the bottom of the file, add the IP address and host name of the security gateway.

7 Save the file.

8 In a browser window, enter the domain name of the security gateway, in the following format:

9 Verify the certificate, and then click Yes to accept it.

10 When a second certificate displays, click Yes to accept it.

11 Complete the procedure for logging on for the first time, starting at step 5.

For example:

192.168.123.4 sgs2.symantecdomain.com

https://<DOMAIN>.com:2456 https://sgs2.symantecdomain.com

A Security Alert dialog box is displayed for a temporary certificate that is generated by the

appliance.

When the procedure completes, a new icon is installed to your desktop, labeled with the host name

of the security gateway.

If you use this icon to log on, you do not see hostname mismatches.

Related information

For further information related to this topic, see the following:

■ “Viewing system information” on page 63

Uninstalling the SGMI application

If are no longer going to manage Symantec Gateway Security 5000 Series v3.0 appliances from your
computer, you can use the Web Start application to uninstall the SGMI application.

Uninstalling the SGMI from your management computer does not uninstall the security gateway
software from the appliance. It simply removes the management interface.

You can reinstall the SGMI by following the procedure for logging on for the first time.

Prerequisites

None.

To uninstall the SGMI application

1 On the Start menu, click Control Panel.

2 In the Control Panel window, click Java.

3 In the Java Control Panel dialog box, under Temporary Internet Files, click Settings.

4 In the Temporary Files Settings dialog box, click View Applications.

5 In the Java Application Cache Viewer, on the User tab, highlight the application that is identified by

the URL you use to connect to the appliance.

6 On the Application menu, click Remove Application.

7 On the File menu, click Exit.

8 In the Temporary Files Settings dialog box, click OK.

9 In the Java Control Panel dialog box, click OK.

10 Close the Control Panel.

Related information

For further information related to this topic, see the following:

■ “Logging on to the SGMI for the first time” on page 22

Using the SGMI home page

The SGMI home page displays when you log on. It provides:

■ Quick Status information

■ Access to commonly used security gateway configuration wizards

■ Information from Symantec’s DeepSight global threat correlation service, if there is Internet

access

Figure 2-1 SGMI home page

Quick Status

Using the SGMI home page

29Becoming familiar with the SGMI

DeepSight
threat alert

Configuration
wizards

The following topics describe the Homepage in more detail:

■ Viewing Quick Status

■ Accessing commonly used configuration wizards

■ Viewing DeepSight’s ThreatCon status

Viewing Quick Status

The Quick Status section of the Home page tells you:

■ Whether the security gateway is running and how long it has been running

■ The active configuration, identified by:

■ The comments entered by the administrator when the configuration was activated

■ When the configuration edits were made

■ Who made the edits

30 Becoming familiar with the SGMI

Using the SGMI home page

■ If changes are waiting to be activated, who made them, and when

■ If licenses are nearing expiration, the expiration dates

This notification includes a link to launch the License Installation Wizard.

For connection status, in the left pane, click Monitors > Status.

For a graphical view of active connections, disk usage, and the physical state of your appliance, in the
left pane, click Monitors > Overall Health.

Related information

For further information related to this topic, see the following:

■ “Understanding and using licenses” on page 86

■ “Monitoring connections” on page 466

■ “Viewing system health” on page 462

Accessing commonly used configuration wizards

When you log on to the SGMI with write privileges, the Home page includes links to frequently used
configuration wizards, including:

Firewall Rule Wizard Use this wizard to set up Web (HTTP), FTP, and Mail (SMTP and POP3) services if

you did not configure these services when you ran the System Setup Wizard
when first installing the appliance.

Client VPN Package Wizard Use this wizard to simplify the configuration of multiple Symantec Client VPN

computers. The wizard generates connection information for remote entities.
You provide these packages to remote users, who install them on computers that
are running Symantec Client VPN. The packages provide the information
necessary to connect to the security gateway.

Remote Access Tunnel Wizard Use this wizard to create local and remote endpoints and VPN policies for client

VPN tunnels and clientless VPN tunnels.

Gateway-to-Gateway Tunnel
Wiza rd

Use this wizard to construct VPN tunnels that are IKE-enabled between two
security gateways. This wizard collects the information that is necessary to
identify the local and remote tunnel endpoints and the VPN policy that governs
the traffic within them.

If you are logged on with read-only access, the links to the wizards are not available.

Related information

For further information related to this topic, see the following:

■ “Using wizards to simplify configuration” on page 64

■ “Installing licenses” on page 94

■ “Configuring HTTP, FTP, and mail (SMTP and POP3) rules with the Firewall Rule Wizard” on

page 284

■ “Managing clientless VPN users” on page 411

■ “Using the Remote Access Tunnel Wizard to create Client VPN tunnels” on page 389

■ “Running the Gateway-to-Gateway Tunnel Wizard” on page 385

Viewing DeepSight’s ThreatCon status

The Symantec ThreatCon rating, a feature of Symantec DeepSight, gives you a real-time measurement
of global threat exposure, providing early warning of active attacks. This lets you prioritize your IT
resources to better protect your critical information from a potential attack. With improved
protection, you can avoid down time and lost productivity.

The time shown above the ThreatCon rating indicates the time of the most recent change to the
ThreatCon status. The link below the Symantec ThreatCon indicator takes you to the Symantec
Security Response Web site, where you can learn more about using the Symantec DeepSight threat
management system to evaluate and improve your security posture.

A summary of current vulnerabilities is displayed below the Security Response link.

Note: If the security gateway has not been configured to access the Internet, this link is blank.

Related information

For further information related to this topic, see the following:

■ “Integrating Symantec DeepSight Threat Management System” on page 494

Leaving the SGMI

31Becoming familiar with the SGMI

Leaving the SGMI

You can leave the SGMI in three ways:

■ By logging off

The Symantec Gateway Security Series 5000 Series v3.0 logon dialog box is displayed on your

desktop to let you log on and manage the same appliance again or log on to another appliance.

■ By exiting from the SGMI

The SGMI closes without displaying a logon dialog box.

■ By allowing your connection to time out

When you leave the SGMI inactive, the application logs you off based on the UI inactivity timeout

value. You can change the inactivity timeout value on the Advanced Options tab of the System >

Administration window.

A Relogin dialog box displays to let you re-establish your connection to the security gateway from

which you timed out.

Note: Unless you log off completely by exiting from the SGMI, other administrators who try to access
the security gateway will only have read access.

Prerequisites

None.

Leave the SGMI

When you actively leave the SGMI by logging off or exiting, if you have made configuration changes,
you are prompted to save them.

When you time out, changes are preserved but they are not automatically saved. You must log on again
to save changes.

32 Becoming familiar with the SGMI

Leaving the SGMI

To log off from the SGMI

1 In the SGMI, on the File menu, click Log Off.

2 If you have unsaved changes, a message asks if you want to save the current changes before logging

3 The logon dialog box retains your user name and the IP address of the appliance you last managed.

If you have saved all of your changes, the Symantec Gateway Security 5000 Series v3.0 logon dialog

box is displayed.

off. Click one of the following:

■ Yes: Save the changes.

All current changes are saved to a temporary staging location. They are visible the next time
you log on.

■ No: Discard the changes.

All pending changes are discarded.

In either case, the logon dialog box is displayed.

You can do one of the following:

■ To return to managing the security gateway you logged off from, enter your password and

click Log On.

■ To manage a different security gateway, enter your user name and password for that gateway.

Enter the IP address or domain name of the security gateway.
If you have previously connected to a different security gateway, you can use the drop-down

list to display its IP address so that you can log on to it.
Click Log On.

To ex i t f r om the SGMI

1 In the SGMI, on the File menu, click Exit.

If you have saved all of your changes, the SGMI application closes.

2 If you have unsaved changes, a message asks if you want to save current changes before logging off.

Click one of the following:

■ Yes: Save the changes.

All current changes are saved to a temporary staging location, and the SGMI closes.
The changes are visible the next time you log on.

■ No: Discard the changes.

All unsaved changes are discarded, and the SGMI closes.

To respond to a timeout

1 To return to managing the security gateway, in the Relogin dialog box, in the Password text box,

enter your password, and then click Log On.

2 To exit from the SGMI, in the Relogin dialog box, click Cancel.

■ If there are no changes pending, the Relogin dialog box closes.

■ If you have unsaved changes, in the Confirm Log Off dialog box, click one of the following.

Yes: Save the changes.
No: Discard the changes.

When you next want to manage your security gateway from the SGMI, you initiate your logon by

clicking on the SGMI icon on your desktop or accessing the SGMI through a browser.

Related information

For further information related to this topic, see the following:

■ “Logging on to the SGMI” on page 21

■ “Terminating an active connection” on page 467

Navigating in the SGMI

Navigating in the SGMI

33Becoming familiar with the SGMI

By becoming familiar with the SGMI, you can more easily configure and manage the security gateway.
The SGMI user interface structure contains three panes:

■ The left pane provides navigation to SGMI pages that let you monitor and configure your security

gateway.

■ Depending on the folder you select in the left pane, the right pane displays security gateway status

or existing configurations, and provides controls you use to create and modify configurations.

■ A pane at the bottom of the window displays configuration errors, information about other objects

that are used by a selected object, and, if activation of a configuration fails, validation information

to help you locate the problem.

34 Becoming familiar with the SGMI

Navigating in the SGMI

Figure 2-2 SGMI user interface structure

Menus

Toolbar

Left pane
navigation

Right pane
configuration
or status
information

Lower pane
configuration
messages

Product name

Right pane tabs

Configuration
table

Status messages

This section contains the following topics:

■ Using the SGMI menus

■ Using the SGMI toolbar

■ Navigating from the left pane

■ Navigating the right pane

Using the SGMI menus

The SGMI menus provide access to the following functionality.

Table 2-1 SGMI menu options

Menu Option Description

File Save Saves changes to configurations.

Navigating in the SGMI

35Becoming familiar with the SGMI

See “Saving and activating configuration changes” on page 59.

Revert to Last Saved

Revert to Last Active

Backup

Restore

Import Users

Import VPN

Log Off

Exit

Edit Cut

Copy

Paste

New Opens a properties dialog box to let you create a new object.

Select All

Delete

Reverts to the last point that you saved or activated changes.

See “Reverting changes” on page 61.

Lets you backup your security gateway configurations.

Lets you restore your security gateway configurations.

See “Backing up and restoring configurations” on page 98.

Lets you import users, IPsec VPN tunnels, and LDIF settings for users
and user groups.

See the following:

■ “Importing users and user groups” on page 251

■ “Importing Client VPN information” on page 401

Logs you out temporarily, or lets you leave the SGMI by exiting.

See “Leaving the SGMI” on page 31.

Lets you perform cut, copy, and paste operations on selected
information, using the clipboard.

See “Adding configuration objects” on page 52.

See “Adding configuration objects” on page 52.

Selects all objects in a table.

Lets you delete selected objects.

See “Deleting configuration objects” on page 61.

Properties Lets you view the properties of the selected object.

See “Viewing and modifying object properties” on page 50.

View Show Columns Displays a list of all columns available for an object, so that you can

change the column display in a table.

See “Changing the display of objects in a table” on page 48.

In Use By Opens the lower pane to show the configurations that use the selected

object.

See “Viewing objects used by an object you want to modify” on page 62.

36 Becoming familiar with the SGMI

Navigating in the SGMI

Table 2-1 SGMI menu options (Continued)

Menu Option Description

Reports Analysis Lets you display reports based on statistics events.

Tools Firewall Rule Wizard Helps you configure SMTP, POP3, HTTP, and FTP rules.

See “Generating and viewing an analysis report” on page 498.

Configuration Lets you display reports that show the properties of configured objects

See “Generating and viewing a configuration report” on page 502.

Validation Displays a report that identifies problems when activation of a

configuration fails.

See “Viewing validation reports” on page 506.

Upgrade Displays a report that identifies issues that arise when you upgrade the

security gateway.

See “Upgrade reports” on page 506.

See “Configuring HTTP, FTP, and mail (SMTP and POP3) rules with the

Firewall Rule Wizard” on page 284.

System Setup Wizard Lets you add and change network interfaces, and other system

information.

See “Making system changes with the System Setup Wizard” on
page 104.

VPN Helps you create IPsec VPN tunnels and configuration packages for

remote users.

See the following:

■ “Simplifying multiple Client VPN computer configuration” on

page 399

■ “Using the Remote Access Tunnel Wizard to create Client VPN

tunnels” on page 389

■ “Managing clientless VPN users” on page 411

■ “Running the Gateway-to-Gateway Tunnel Wizard” on page 385

■ “Viewing or modifying the global IKE policy” on page 384

Scalable Management Helps you join and leave the Symantec Enterprise Security Architecture

(SESA) for scalable management of security gateway configurations.

Note: Symantec Gateway Security 5000 Series v3.0 requires Symantec
Advanced Manager for Security Gateways v3.0.

Cluster Helps you create and manage a cluster of security gateways.

See “Creating a new cluster with the Cluster Wizard” on page 512.

System Activate Launches the Activation wizard to activate changes on the security

gateway.

See “Saving and activating configuration changes” on page 59.

Table 2-1 SGMI menu options (Continued)

Menu Option Description

Hotfix Lets you view, install, and remove hotfixes to the security gateway

software.

See “Installing and uninstalling hotfixes” on page 77.

Navigating in the SGMI

37Becoming familiar with the SGMI

Help Symantec Gateway

Using the SGMI toolbar

The SGMI tool bar buttons provide easy access to frequently used functions.

Table 2-2 SGMI toolbar

Icon Function Description

Change Admin Password

Change Root Password

Start/Stop security
gateway

Reboot

Shutdown

Security 5000 Series v3.0
Help

About Symantec
Gateway Security 5000
Series v3.0

Lets you change your log on password and the root password. The root
password is used when you log on to the appliance using SSH or a serial
connection.

See “Changing passwords” on page 70.

Lets you start and stop the security components of the security gateway,
reboot the appliance remotely, and shutdown the appliance.

See the following:

■ “Starting and stopping the security gateway” on page 84

■ “Rebooting the security gateway appliance” on page 85

■ “Shutting down the security gateway appliance” on page 86

Displays context sensitive Help.

See “Using online Help” on page 45.

Displays the Symantec Gateway Security software version and build
information.

Save Activated when you make a change.

Saves current changes.

Activate Activated when you make a change.

Launches the Activate Changes Wizard to activate pending changes. If there are
unsaved changes, you are prompted to save the changes.

If errors are found, the changes are not activated and a validation report is
generated.

Revert to last
activated

Cut Activated when you select a configuration object.

Copy Activated when you select a configuration object.

Paste Activated when you place a configuration object on the clipboard by cutting or

Activated when you make a change and save it to the security gateway.

Discards changes that have been made since you last activated changes.

Marks the object for deletion.

Copies the properties of the object to the clipboard.

pasting it.

Pastes the object on the clipboard into the table, giving it a new name.

38 Becoming familiar with the SGMI

Navigating in the SGMI

Table 2-2 SGMI toolbar

Icon Function Description

The right side of the tool bar also displays two status messages:

■ When you make and save changes, the message “Changes Pending” displays.

■ At all times, the security gateway status message tells you whether the security gateway is running

or if it has been stopped.

Navigating from the left pane

The left pane provides access to security gateway functions based on five sets of functionality, logically
grouped in sections for ease of use. The SGMI opens with all of the sections expanded. If you use a set
of features infrequently, you can collapse the section that contains them.

Refresh Activated when you are viewing active sessions, such as active connections, logs, and

IDS alerts.

Refreshes the table with current data.

AutoRefresh Activated when you are viewing active sessions, such as active connections, logs, and

IDS alerts.

Enables and disables automatic refresh of the data in the table.

Note: The Cluster section is only visible if the security gateway you are managing is part of a cluster.

To view a description of the folders within each section, click on the section heading. As shown in the
example of the Monitors section in Figure 2-3, the right pane summarizes the functionality contained
in the section and describes its folders, providing links to online Help topics about the tasks that you
can perform using each folder.

Figure 2-3 Example of right pane contents for Monitors section

Navigating in the SGMI

The following table summarizes the functions provided by the folders within each section:

Table 2-3 Section and folder descriptions

Section name Folder name Description

Monitors Lets you view current and archived information about your security gateway, such as

connections, resource usage, and log messages.

Overall Health Provides a snapshot of the current system condition.

Status Displays information about current connections, as well as

antivirus server status, clientless VPN failed logon attempts, and
hardware accelerator card diagnostics.

Logs Lets you view log event messages and IDS/IPS alerts, including the

ability to filter the view to see specific kinds of events and alerts.

Notifications Lets you set up notifications to alert administrators about security

problems so that they can take action.

Policy Lets you define your corporate security stance, and secure your network by defining traffic

rules and access for remote user. You can also configure the security gateways content security
features.

Firewall Lets you define rules, packet filters, and time periods to control

access to the security gateway.

39Becoming familiar with the SGMI

VPN Lets you configure virtual private network (VPN) tunnels to allow

access from remote IPsec-compliant clients and security gateways.
You can also configure policies to control tunnel negotiations.

Clientless VPN Lets you give external users SSL-secured, controlled access to your

corporate resources, within authentication requirements and
access restrictions that you set.

Antivirus Lets you configure the security gateway’s ability to scan mail, Web,

and FTP traffic for viruses and other mail restrictions.

Antispam Lets you configure the antispam scan engines heuristic detection

capability, create custom blacklists and whitelists, and specify
subject patterns to identify as spam.

IDS/IPS Lets you define IDS/IPS policies and enable blocking and logging

on a signature-specific level

Content Filtering Lets you define settings for use in blocking users from viewing

undesirable Web content and newsgroups.

Client Compliance Lets you set the security standards that must be met by remote

users who connect through the security gateway.

Policy Parameters Lets you define the policy settings that affect the system as a

whole.

40 Becoming familiar with the SGMI

Navigating in the SGMI

Table 2-3 Section and folder descriptions (Continued)

Section name Folder name Description

Assets Lets you define your organizations infrastructure and the external resources that you want to

make available to your users. You also configure how the security gateway functions within
your network.

Network Lets you configure the network assets users can access, such as

servers and subnets.

Authentication Servers Lets you configure the internal and external authentication

servers that are used to validate user when they connect.

Users Lets you create users accounts and user groups on the security

gateway, which are used in combination with authentication
servers to control user access.

Proxies Lets you configure the security gateway’s predefined proxies, that

allow you to control how data is passed.

Protocols Provides access to the security gateway’s predefined protocols and

lets you combine them in service groups for use in rules. You can
also create new protocols as needed for special kinds of traffic.

Portal Pages Lets you customize the user experience for clientless VPN users.

Remote Mail Lets you configure clientless VPN to handle non-standard mail

resources.

Asset Parameters Lets you specify asset parameters that affect the system as a

whole.

System Helps you manage your security gateway, including creating administrator and machine

accounts, using LiveUpdate, and configuring the use of self-signed SSL certificates.

System Information Displays system data such as system time, hardware model,

domain name, gateway address, and system ID.

Configuration Lets you enable and disable security gateway features, control how

events are sent to SESA, configure LiveUpdate of content security
components, and manage clientless VPN certificates.

Note: Symantec Gateway Security 5000 Series v3.0 requires
Symantec Advanced Manager for Security Gateways v3.0.

Administration Lets you define security gateway administrators and machine

accounts with access to the security gateway.

Licensing Lets you view and install licenses for security gateway components

and support, and view the use of those license.

Navigating in the SGMI

Table 2-3 Section and folder descriptions (Continued)

Section name Folder name Description

Cluster Lets you modify parameters of cluster members you have created to ensure high availability

(HA) and increases performance through load balancing (LB).

Cluster Status Lets you monitor a cluster of security gateways, including whether

each member is up and running, IP and Virtual IP (VIP) addresses,
and the relative load of traffic on each cluster member.

Cluster Members Lets you modify settings for hot standby, load balancing, and

weight on each cluster member.

VIPs Lets you add, modify, or delete virtual IP addresses used in a

cluster.

Watchlist Lets you select cluster processes to monitor.

Ping groups Lets you configure ping groups to monitor servers that are not part

of the cluster, but that offer services on the internal network.

NIC Monitoring Lets you monitor the status of network interfaces with the

exception of virtual local area network s (VLANs).

Traffic Grouping Lets you assign specific traffic, such as traffic from a Web server,

through a specific cluster member, regardless of load balancing.

41Becoming familiar with the SGMI

For a comparison of navigation in Symantec Gateway Security v2.0 and Symantec Gateway Security
5000 Series v3.0, see Table 2-4.

Changes to Symantec Gateway Security 5000 Series v3.0 navigation

This section is intended to ease the transition from the Symantec Gateway Security v2.0 SGMI to the
Symantec Gateway Security 5000 Series v3.0 SGMI. The table below compares the location of tasks in
the two versions of the user interface.

Table 2-4 Navigation for SGMI v2.0 mapped to SGMI v3.0

SGMI v2.0 SGMI v 3.0

Policy > Rules Policy > Firewall > Rules

Policy > Service Groups Assets > Protocols > Service Groups

Policy > Filters Policy > Firewall > Filters

Policy > Content Filtering Policy > Content Filtering

Policy > VPN Policies Policy > VPN > VPN Policies

Policy > Global IKE Policies Tools menu > VPN > Global IKE Policy

Policy > AntiVirus Policy > Antivirus

Policy > IDS/IPS Policy > IDS/IPS

Policy > Advanced > Logical Network Interfaces Assets > Network > Network Interfaces

Policy > Advanced > Network Protocols Assets > Protocols > Network Protocols

Policy > Advanced > Time Periods Policy > Firewall > Time Periods

42 Becoming familiar with the SGMI

Navigating in the SGMI

Table 2-4 Navigation for SGMI v2.0 mapped to SGMI v3.0

SGMI v2.0 SGMI v 3.0

Policy > Advanced > System Parameters

Host name included in log
Forwa rd ing fil ter

Reverse lookups
Reverse lookup timeout

Location Settings > Network Entities Assets > Network > Network Entities

Location Settings > DNS Assets > Network > DNS

Location Settings > Tunnels Policy > VPN > Tunnels

Location Settings > Users Assets > Users > Network Users

Location Settings > Groups Assets > Users > User Groups

Location Settings > Notifications Monitoring > Notifications

Location Settings > Advanced > Proxies Assets > Proxies > Proxies

Location Settings > Advanced > Services System > Configuration > Services

Location Settings > Advanced > Address Transforms Assets > Network > Address Transforms

Location Settings > Advanced > Redirected Services Assets > Network > Redirected Services

Location Settings > Advanced > NAT Pools Assets > Network > NAT Pools

Location Settings > Advanced > Authentication Assets > Authentication Servers

Policy > Policy Parameters

Include host name in log entries
Packet filter

Policy > Policy Parameters

Enable reverse lookups
Reverse lookup timeout

Location Settings > Advanced > H.323 Aliases Assets > Proxies > H.323 Aliases

Location Settings > Advanced > Local Administrators System > Administration > Local Administrators

Location Settings > Advanced > Machine Accounts System > Administration > Machine Accounts

Location Settings > Advanced > LiveUpdate System > Administration > LiveUpdate

Location Settings > Advanced > System Parameters

User password minimum length

System > System Home Page System > System Information

System > Network Interfaces Assets > Network > Network Interfaces

System > Routes Assets > Network > Routes

System > Clusters Clusters

System > Features System > Configuration > Features

System > Advanced > Advanced Options System > Administration > Advanced Options

System > Advanced > System Parameters System > Configuration > Features

System > Advanced > Hardware Encryption
Diagnostics

Monitoring > Summary Monitors > Status > Connection Summary

Monitoring > Active Connections Monitors > Status > Active Connections

Assets > Asset Parameters

Minimum user password length

Monitors > Status > Hardware Encryption Diagnostics

Monitoring > View Logs Monitors > Logging > View Logs

Monitoring > IDS Alerts Monitors > Logging > IDS Alerts

Table 2-4 Navigation for SGMI v2.0 mapped to SGMI v3.0

SGMI v2.0 SGMI v 3.0

Monitoring > Cluster Status Cluster > Clusters

Monitoring > SESA Event Gating System > Configuration > SESA Event Gating

Reports > Configuration Reports Reports menu > Configuration ....

Reports > Usage Reports Reports menu > Analysis .....

Reports > Reports Setup Setup is now done in the Reports dialog box that is

Navigating the right pane

Depending upon the folder that you select in the left pane, there are three basic ways in which the right
pane displays:

■ As a status page

■ As a table of objects that you can create or modify

Navigating in the SGMI

43Becoming familiar with the SGMI

Note: Symantec Gateway Security 5000 Series v3.0
requires Symantec Advanced Manager for Security
Gateways v3.0.

displayed for configuration and analysis reports.

■ As a set of properties that you can specify for a component that is integrated into the security

gateway, such as antivirus or antispam.

Figure 2-4 shows the status page that displays when you click Monitors > Overall Health.

Figure 2-4 Overall Health status page

44 Becoming familiar with the SGMI

Navigating in the SGMI

Figure 2-5 shows the Rules page, one of the pages that you can view when you click Policy > Firewall. It

contains a table of rule objects that you can create or modify.

Figure 2-5 Rules page showing table of objects

Figure 2-6 shows the Antivirus Configuration page, which displays when you select Policy > Antivirus.

This page lets you change settings that apply to all antivirus scanning.

Figure 2-6 Antivirus Configuration page

Using online Help

The Symantec Gateway Security 5000 Series v3.0 online Help system is context sensitive and is
available from any part of the SGMI. Help displays in a separate window, as shown in Figure 2-7.

Figure 2-7 Help window

Using online Help

45Becoming familiar with the SGMI

Displaying Help

The Help window includes the following features:

■ A left pane that displays the Help contents, index, and a search list.

■ A right pane that displays the Help topic.

■ Navigation buttons on the toolbar to redisplay Help topics you have already visited.

■ Printer icons to let you set up the page and print the currently displayed Help topic.

■ Navigation buttons at the top and bottom of the right pane to display the previous and next topics

in the Help system.

The following topics describe how to use Help:

■ Displaying Help

■ Searching Help

■ Printing Help

Your location in the SGMI determines the method you use to display Help and the kind of Help that
displays.

■ When a tab contains a table of objects, the Help window displays an introductory topic about the

table you are viewing.

For example, if you are on the Rules tab and display Help, the Help topic is “Understanding Rules.”

■ When the right pane tab contains fields that are used to configure a component, the Help window

describes what the tab is used for, provides one or more links to procedures that apply to the tab,

and contains a table of the fields on the tab and how you can use them.

For example, if you are on the Antivirus Configuration tab, the Help links to procedures for

configuring antivirus and describes the fields used to complete the configuration.

46 Becoming familiar with the SGMI

Using online Help

■ When viewing Help from a dialog box, the Help window describes what the dialog box tab is used

Prerequisites

None.

To display Help

1 In the SGMI, if your focus is on a right pane tab, do one of the following:

2 If you are creating or modifying an object using its properties dialog box, do one of the following:

Related information

For further information related to this topic, see the following:

■ “Field descriptions” on page 563

for, provides one or more links to procedures that apply to the tab, and contains a table of the fields

on the tab and how you can use them.

For example, when you click Help on the Alert Thresholds tab of the Rules dialog box, the Help

window describes the fields that you use to set up alert thresholds.

■ Click F1.

■ In the Help menu, click Symantec Gateway Security 5000 Series v3.0 Help.

■ Click FI.

■ On the properties tab, click Help.

Searching Help

The Help search engine uses different techniques to ensure that as many relevant topics are returned
as possible. For example, if you search for the term build, the terms build, built, builder, building, and
builds are also returned. If you search for the term best, the terms good and better are also returned.

The search engine also looks for help topics in which the query terms occur in the same form and
order. The search engine automatically relaxes these constraints to identify passages in which:

■ Not all of the terms occur ·

■ The terms occur in different forms ·

■ The terms occur in a different order ·

■ The terms occur with intervening words ·

For example, if you search for content filtering, you get results with the terms content filtering,
content filters, filtering content, or filtering unwanted content. You may also get topics returned that
have just the term content or just the term filtering.

The search engine returns a maximum of 100 topics.

JavaHelp 2.0 System User’s Guide. (2004). Santa Clara, CA: Sun Microsystems.

Working with configurations of objects

Prerequisites

Complete the following tasks before beginning this procedure:

■ “Displaying Help” on page 45

To se a r c h H elp

1 In the Symantec Gateway 5000 Series v3.0 Help window, on the Search tab, in the Find text box,

type a search term.

2 Press Enter.

To the right of the list of topics that is returned, two indicators help you choose a topic:

■ A full red circle indicates that the topic meets the entire search criteria.

When you use a multiple word search phrase, a half circle indicates that not all words are
found in the topic.

■ A numeral indicates how many instances of the search phrase are found.

3 Double-click a topic title to open it in the right pane.

Related information

None.

47Becoming familiar with the SGMI

Printing Help

You can print Help to have a hard copy of one or more topics.

Prerequisites

Complete the following tasks before beginning this procedure:

■ “Displaying Help” on page 45

To print Help

1 In the Symantec Gateway Security 5000 Series v3.0 Help window, on the Table of Contents, Index,

or Search results tabs, do one of the following:

■ To print a single topic, select it.

■ To print multiple topics at one time, press Ctrl, and then select multiple topics.

2 Click Print .

Related information

None.

Working with configurations of objects

With the SGMI, you create objects to represent specific aspects of your network environment such as
users, authentication servers, network hosts, subnets, DNS settings, routes, and so forth. You also
create rule, filter, and tunnel objects that control network traffic.

When the right pane displays a table, each line of the table represents an object. Each column shows a
property of the object, such as the network address of a subnet or network host, or the source and
destination of traffic that is controlled by a rule.

48 Becoming familiar with the SGMI

Working with configurations of objects

Buttons above the table of objects let you do the following:

Table 2-5 Buttons used with objects

Button Name Description

New Create a new object of the type in the table.

In a dialog box, when this icon appears to the right of a drop-down list, it indicates that
you can create a new object of the type that appears in the drop-down list.

Delete Delete a selected object.

Properties View the properties of a selected object.

In a dialog box, when this icon appears to the right of a drop-down list, it indicates that
you can view and modify the properties of an object selected from the drop-down list.

Search Search for objects in the table and display only those objects.

Clear
search

Clear the search so that all table objects are displayed.

The New and Properties icons are available in dialog boxes because many of the objects you create
reference other objects that are defined on the security gateway. For example, when you create a rule,
you must select the network entities that are the source and destination of the traffic, and the service
group that contains the protocols specific to the traffic that is controlled by the rule. These icons let
you create new objects or modify existing objects without having to discard the work you are doing so
that you can navigate to another part of the SGMI to create them.

You can save and activate changes you make immediately or make multiple changes and then save and
activate them at one time.

The following tasks are described in this section:

■ Changing the display of objects in a table

■ Viewing and modifying object properties

■ Adding configuration objects

■ Configuring objects that reference other objects

■ Saving and activating configuration changes

■ Deleting configuration objects

Changing the display of objects in a table

Objects that you configure are displayed in tables in the right pane.

You can change how object tables are displayed. Changes you make are only retained for the current
session.

You can make changes by doing the following:

■ Changing sort order and column placement in a table

■ Adding or removing columns

■ Searching for objects in a table

Working with configurations of objects

Changing sort order and column placement in a table

You can sort objects in a table based on any column of the table. You can also move columns to make it
easy to see the information in the columns that are most important to you.

To change the sort order and column placement in a table

1 In the SGMI, in the right pane, to change the sort order of the table, click on the heading of the

column by which you want to sort.

The current alphabetic or numeric sort order is reversed.

Click again to change the order back.

2 To change column placement, drag the column heading to the location you want.

Adding or removing columns

Object tables display the columns that make the object unique such as object type and name, and
frequently used information like network address, or port used. Most objects include properties that
are not shown in the default column display.

You can add or remove columns to customize your table view.

To add or remove a column

1 Do one of the following:

■ On the View menu, click Show Columns.

■ In the table, right click on a row and click Show Columns.

2 In the Show Columns dialog box, to display a column in the table, check it.

3 To remove a column from the table display, uncheck it.

49Becoming familiar with the SGMI

4 To return to the default column display, click Restore Defaults.

5 To remove the Show Columns dialog box, click Close.

Searching for objects in a table

When a table contains a large number of objects, you can reduce the number displayed by searching for
objects that have specific attributes.

To search for objects in a table

1 In the SGMI, above the table of objects, click Search.

The Search dialog box for the object contains drop-down lists for the key properties that

differentiate the object. You perform the search using these properties. For example, you can

search for time periods by Period name and Description.

You can search on one key property or a combination of properties.

For some objects, such as time periods and network entities, the type of object is one of the key

differentiators. When the set of objects that you are searching contains more than one type of

object, a Type drop-down list lets you select the object type.

50 Becoming familiar with the SGMI

Working with configurations of objects

2 For each property by which you want to search, do one of the following:

■ To search on part of a property name, click Contains, and specify one or more letters

contained in the name.

■ To search on the beginning of a property name, click Starts with, and then specify the first

letters of the name.

■ To search on a specific property name, click Equals, and then type the exact name.

3 The Description property is included in most search dialog boxes. If your organization uses the

Description tab to record configuration changes, you can use those changes as search criteria. For

example, if you record who makes configuration changes, you can search for the changes made by

one administrator.

From the Description drop-down list, choose Contains, and then type the name of the

administrator.

4 Click OK.

5 To modify the search, click Search.

6 To re-display the entire table of objects, click Clear Search.

Viewing and modifying object properties

When you view a table of objects in the SGMI, you can see the primary properties of each object. For
example, if you view a table of rules, you can see the source and destination of the traffic controlled by
the rule, the interface on which the traffic arrives and leaves the security gateway, and the service
group that contains the protocols that are applied to the rule.

You can change these properties by displaying a object’s properties dialog box.

This section contains the following topics:

■ Viewing the properties of an existing object

■ Modifying the properties of an object

Viewing the properties of an existing object

Every object in the SGMI has a properties dialog box that shows the details of the object’s
configuration.

To view the properties of an existing object

1 In the SGMI, in the right pane, do one of the following:

■ Double-click an object in the table.

■ Select the object and, above the table, click Properties.

Working with configurations of objects

■ Select the object, and then on the Edit menu, click Properties.

Properties dialog boxes have two or more tabs:

■ The General tab shows whether the object is enabled and displays its name and a short

caption describing the object.
It may include other information, such as the IP address and MAC Address in this example.
When an object does not have many configurable properties, the General tab may contain all

of the properties.

■ Other tabs may describe additional properties of the object.

■ The Description tab can contain a more detailed description.

For example, you can use the Description tab to record who makes configuration changes or
when they are made. You can then use these details as filter criteria when searching for
objects.

2 Click each tab to view additional property details.

51Becoming familiar with the SGMI

Modifying the properties of an object

As your security needs change, you will need to modify the configuration objects that represent your
security environment.

To modify the properties of an object

1 In the SGMI, in the right pane, select the object that you want to modify.

2 Since objects in the SGMI can be used together, before you modify an object it is strongly

recommended that you check where it is used. Do the following:

■ To initiate a check, in the View menu, click In use by.

A window opens at the bottom of the SGMI, showing a search for objects that use the one you
want to modify.

■ To close the window, click the X icon in the upper left corner of the bottom window.

3 To modify the object, double-click it in the table.

4 In the object’s properties dialog box, use the tabs to navigate to the property that you want to

change.

5 Make the desired or required changes, and then click OK.

In the table, a blue ball appears to the left of the object, indicating that it has been modified.

52 Becoming familiar with the SGMI

Working with configurations of objects

6 Do one of the following:

■ Continue editing.

■ To save your configuration now and activate later, on the toolbar, click Save.

■ To activate your configuration now, on the toolbar, click Activate.

When prompted to save your changes, click Ye s .

Related information

For further information related to this topic, see the following:

■ “Saving and activating configuration changes” on page 59

Adding configuration objects

The security gateway provides some predefined objects. Some examples include a sample denial-of­service filter, default time periods, and built-in network protocols.

To configure your security gateway, you create additional objects. For example, under the Assets
section, you add objects that represent your organization’s infrastructure and the external resources
that you want to make available to your users. Under the Policy section, you add objects that control
how traffic is passed.

You can add configuration objects by doing either of the following:

■ Creating a new object

■ Copying an existing object

Creating a new object

You use the New button to create objects. This button appears at the top of right pane tabs that contain
tables of objects.

New buttons are also available in the properties dialog box when you create an object that requires the
use of other objects. For example, to create a rule, you use network entities to represent the source and
destination of traffic and a service group that contains the protocols used to pass the traffic. If these
objects do not already exist, you can create them as you create the rule.

Examples in the following procedure describe creating a DNS host record from the DNS tab.

To cr e a t e a new object

1 In the SGMI, in the right pane, at the top of pages that contain tables of objects, click New.

One of two things happens:

■ A list of configurable objects displays.

Click on the type of object that you want to create.
For example, when creating a DNS host record, in the list of DNS record types, you would click

DNS Host Record.
A properties dialog box for the object type you chose displays.

■ A properties dialog box displays immediately.

2 On the General tab, do the following:

Enable To enable the object, check Enable.

Not all objects have Enable check boxes.

Working with configurations of objects

53Becoming familiar with the SGMI

<object> name Type a name for the object.

The maximum length is 256 characters.

Allowed characters are a-z, A-Z, numerals, periods (.), dashes (-), and underscores (_).

Do not include spaces in the name. The characters @,!,#,$,%,^,&,*,<,> and other reserved
characters are also invalid.

Caption Optionally, type a brief description.

To provide a longer description, such as an ongoing record of changes, use the Description
tab.

If you were configuring a DNS host record, as shown in step 1, you would complete the following

additional field:

Accessibility From the drop-down list, select either Private or Public.

IP address Type the IP address of the DNS host.

The yellow text box indicates that this is a required field. In this case, you must enter an IP
address.

3 If there are additional tabs, on each tab, use the fields to configure the object to meet your needs.

54 Becoming familiar with the SGMI

Working with configurations of objects

4 Optionally, on the Description tab, type a more detailed description than you typed in the Caption

5 When you have configured all the properties you want for the object, click OK.

For example, when configuring a DNS host record, on the Aliases tab, you can assign an alias, or

short name for the host, to be used in DNS lookups.

In the Alias text box, you would type the alias and then click Add to add it to the list.

text box.

This information is useful to help track changes or as search criteria for filters.

The new object (in this example, the host DNS record) is added to the table, with a + mark to its left

to show that you have not yet saved it.

If you made an error or omitted a required field in the configuration, a validation message displays,

showing your error.

Correct the problem, and then click OK.

6 Do one of the following:

■ To save your configuration now and activate later, on the toolbar, click Save.

■ To activate your configuration now, on the toolbar, click Activate.

When prompted to save your changes, click Ye s .

Related information

For further information related to this topic, see the following:

■ “Configuring objects that reference other objects” on page 55

Copying an existing object

When you want to create many similar objects, you can create the initial object, copy it, and use it as a
template for other objects.

For example, to create many users with similar characteristics, you can create one user, copy it, and
paste it multiple times. Because no two object can be identical, each time you paste the object, you are
prompted to change the object so that the required fields are unique.

For example, named objects must have unique names, so you must change the name. Other objects may
need to have unique IP addresses or domain names.

To copy existing objects

1 In the SGMI, in the right pane, in the table, select one or more objects.

2 Copy the object by doing one of the following:

■ Right click the object and click Co py.

Working with configurations of objects

■ On the Edit menu, click Copy.

■ On the keyboard, press Ctrl + C.

3 Paste the objects by doing one of the following:

■ Right click again and click Past e.

■ On the Edit menu, click Pa ste.

■ On the keyboard, press Ctrl + V.

One of the following displays:

■ If you copied only one object, a message displays informing you that the object is a duplicate

and asking if you want to edit it.

■ If you copied multiple objects, the Correct Pasted Items dialog box displays, listing the objects.

4 If you are copying a single object, do the following:

■ Click Ye s

■ In the object’s properties dialog box, modify the objects properties.

■ Click OK.

If you have made all required modifications, the object is created in the table.
If the object still needs further modification, a message tells you the property that must be
changed.

5 If you are copying multiple objects, do the following:

■ In the Correct Pasted Items dialog box, select an item, and then click Edit.

■ In the properties dialog box that displays, modify the object’s properties.

■ Click OK.

If you have made all required modifications, the object is created in the table and you are
returned to the Correct Pasted Items dialog box.

If the object still needs further modification, a message tells you the property that must be
changed. Click OK to close the message and then make the required change.

■ Select and edit additional objects. When you finished, click Close.

55Becoming familiar with the SGMI

Related information

For further information related to this topic, see the following:

■ “Viewing and modifying object properties” on page 50

Configuring objects that reference other objects

Objects in the SGMI define your network resources, external resources, and methods that control
traffic between them.

The objects that you create to control traffic reference the objects that you create to describe your
internal and external resources. For example, rules reference the following:

■ The network entities that represent the source and destination of traffic

■ The interfaces through which traffic is passed

■ The service group that contains the protocols that control the traffic

The service group itself references specific protocols.

■ Time constraints on the rule

■ Authentication method for users of the rule

■ Content and newsgroup profiles for content filtering

56 Becoming familiar with the SGMI

Working with configurations of objects

When you create an object that references other objects, you have two choices:

■ Create the required objects, such as network entities and service groups, before you begin to create

■ Create the referenced objects as you need them.

This section describes the process of configuring objects as you create the object that references them.
It uses the process of creating entities for a filter as an example.

To configure objects that reference other objects

1 In the SGMI, in the left pane, click the sub-folder that contains the object to which you want to add

2 In the right pane, highlight the referencing object, and then click Properties to display its

the object that references them.

a referenced object. Then in the right pane, click the appropriate tab.

For example, you would click Policy > Firewall > Packet Filters to access a packet filter so that you

can change one of the entities that are referenced in it.

properties.

3 In the object’s properties dialog box, to the right of the referenced object, do one of the following:

■ To modify the properties of an existing object, select it from the drop-down list and then click

the Properties icon.
The Properties dialog box of the object is displayed. This example shows the properties of

Entity A, WebServer2.

■ To add a new object, click the New icon and, if necessary, click the type of object you want to

create. For example, to create a new entity, you must choose the type of entity.

Working with configurations of objects

The properties dialog box for a new instance of the referenced object is displayed.

4 Create or modify the referenced object.

5 Click OK.

The properties dialog box of the referenced object closes, and you can continue to work using the

tabs of the referencing object.

Note that because the referenced objects for the packet filter that is used in this example are each a

different type of network entity, an icon is displayed beside each to identify the entity type.

57Becoming familiar with the SGMI

6 When you finish configuring the referencing object, you can save and activate to both objects. Do

one of the following:

■ To save your configuration now and activate later, on the toolbar, click Save.

■ To activate your configuration now, on the toolbar, click Activate.

When prompted to save your changes, click Ye s .

Related information

For further information related to this topic, see the following:

■ “Saving and activating configuration changes” on page 59

Using a selection dialog box to add objects

When you are required to add objects to a configuration, and the number of possible objects is large, an
Add button lets you display a selection dialog box. The search capabilities of the dialog box help you
find and select the objects to add.

This example shows adding protocols to a service group.

Prerequisites

None.

To use a selection dialog box to add objects

1 In the SGMI, in the left pane, under Assets, click Protocols.

2 In the right pane, on the Service Groups tab, click New.

3 In the Service Group Properties dialog box, on the General tab, do the following:

Service Group Name Type a unique name for the service group.

Caption Type a brief description of the service group.

58 Becoming familiar with the SGMI

Working with configurations of objects

4 On the Protocols tab, to add protocols to the Selected list, click Add.

5 In the Select protocols dialog box, the list of protocols displayed is determined by the search

6 In the Network Protocol list that is returned by your search, select the desired protocols.

7 Do one of the following:

8 On the Protocols tab of the Service Group Properties dialog box, verify that the Selected list shows

9 Do one of the following:

method you select and the value you specify.

The default is to display all of the protocols.

To reduce the number of protocols displayed, do one of the following:

■ To display only protocols whose names contain a specific text string, in the Search drop-down

list click Contains, and then type the text string.

■ To display only protocols whose names begin with a specific text string, click Starts with, and

then type the text string.

You can select multiple protocols by using the Shift and Control keys on the keyboard.

■ To add the selected protocols to the service group and close the dialog box, click OK.

■ To add the selected protocols to the service group without closing the dialog box, click Apply.

You can create a new search to display other protocols.
When you are done selecting protocols, click Close.

the protocols that you selected, and then click OK.

■ To save your configuration now and activate later, on the toolbar, click Save.

■ To activate your configuration now, on the toolbar, click Activate.

When prompted to save your changes, click Ye s .

Related information

For further information related to this topic, see the following:

■ “Creating service groups” on page 183

Saving and activating configuration changes

When you configure a new object or modify an existing object, the SGMI indicates that there are
unsaved changes:

Two symbols in the far left column of a table of objects indicate unsaved changes:

■ A + mark indicates that the object is new.

T

■ A blue ball indicates that it has been modified

On the right side of the toolbar, a yellow triangle and the words Changes pending indicate that saved
changes have not been activated.

You have the following choices after you make changes:

Table 2-6 Saving and activating changes

Option Button Description

Working with configurations of objects

59Becoming familiar with the SGMI

Continue configuring
the security gateway

Save your changes When you save changes, they are stored in a temporary staging area, but do

Activate all pending
changes

N/A You can move to other folders and tabs and make additional changes.

not yet affect how traffic is passed.

Saved changes are called pending changes. To activate pending changes, you
run the Activation Wizard.

When changes are activated, they affect the behavior of the security
gateway.

When you run the Activate Wizard, if there are unsaved changes, you are
asked if you want to save them before you proceed.

If you have both saved and unsaved changes, you have the choice of
activating only the saved changes. This lets you continue to work on
unsaved changes.

For an example of activating only saved changes, consider this scenario:

■ Admin A and Admin B administer the same security gateway. Admin A makes changes, saves them

without activating them, and logs out.

■ Admin B logs on and begins making additional, experimental changes. Admin B wants to continue

working but may not want to save the changes. Admin B contacts Admin A to find out if previous

changes need to be activated.

■ When Admin A says ‘yes,’ Admin B activates the previously saved changes without activating the

changes that have not been saved.

Note: When you leave the SGMI without saving changes, you are warned and given the opportunity to
save changes.

60 Becoming familiar with the SGMI

Working with configurations of objects

Save and activate changes

You can save and activate changes both from the toolbar and from menu options.

To sa v e c h anges

1 Do one of the following:

2 One of the following takes place:

To activate changes

1 Do one of the following:

■ On the toolbar, click Save.

■ On the File menu, click Save.

■ If the configurations are correct, the green + mark or blue ball to the left of each object is

removed, indicating that the changes have been saved.
A status message “Changes pending” appears on the right side of the toolbar.

■ If there is an error in your configuration, an error message describing it is displayed.

Fix the mistake, and then click Save again.

■ On the toolbar, click Activate.

■ On the System menu, click Activate.

2 If you have not saved changes, a Save Changes message box prompts you to save.

Do one of the following:

■ To activate changes that you have previously saved and any changes you have made

subsequently, click Ye s .

■ To activate only changes that you have previously saved, without activating your unsaved

changes, click No.

3 In the Activate Changes Wizard welcome panel, click Next.

4 In the Revision Comment panel, in the Activation Comment text box, type a comment to identify

the changes that you made to the configuration.

This comment appears as the description of the active configuration in the Quick Status section on

the Home Page.

5 Click Next.

6 In the Activation panel, the Activation Progress indicator shows your changes being activated.

One of the following takes place:

■ If all of the configurations contain the required fields and have legal values, the wizard screen

message changes to Activation successful.
Click Close.

■ If you have made an error or omitted a required field in a configuration, the wizard screen

reports Activation not successful, and a window opens at the bottom of the SGMI, showing a
validation report that describes your error.

Return to the invalid configuration and correct the problem. Then run the Activation wizard
again.

Related information

For further information related to this topic, see the following:

■ “Viewing Quick Status” on page 29

■ “Reverting changes” on page 61

Working with configurations of objects

Reverting changes

The actions of saving and activating changes are not irrevocable.

Prerequisites

Complete the following task before beginning this procedure:

■ “Saving and activating configuration changes” on page 59

Revert changes

When you want to undo changes, you can do either of the following:

■ If you have unsaved changes, you can revert to the last changes that you saved.

■ If you have changes that have been saved but not activated, you can revert to the state at the last

time you activated changes.

■ If you want to undo changes to a single object, you can revert just those changes.

To revert unsaved changes

1 On the File menu, click Revert to Last Saved.

2 When prompted to confirm that you want to revert, click Ye s .

The changes and change indicators are removed from the objects.

61Becoming familiar with the SGMI

To revert changes that have not been activated

1 On the File menu, click Revert to Last Active.

2 In the Confirm Discard of Pending Changes message, click Ye s .

The changes and change indicators are removed from the objects.

To revert changes to a single object

1 In the right pane, select the object for which you want to revert changes.

2 Right-click and click Revert.

Only the changes you made to the selected object are reverted. Changes are retained for all other

objects, and can be saved and activated.

Deleting configuration objects

When changes take place in your network infrastructure or corporate security policy, you can delete
objects that are no longer used. For example, if a mail server is no longer in use, you can delete the
network entity that represents it.

To delete a configuration object

1 In the SGMI, in the left pane, click the section and folder that contain the object.

For example, to delete a network entity, under Assets, click Network.

2 In the right pane, click the appropriate tab.

For example, in the right pane, click Network Entities.

3 Do one of the following:

■ Select the object to be deleted, and then, on the Edit menu, click Delete.

■ Right-click the object, and then click Delete.

■ Select the object, and then, at the top of the pane, click Delete.

If no other objects reference this object, a red X to the left of the object in the table marks it for

deletion.

62 Becoming familiar with the SGMI

Working with configurations of objects

4 If the object is referenced by other security gateway configurations, a warning displays, telling you

that the object cannot be deleted because it is in use. Do the following:

■ To clear the warning, click OK.

■ Right-click the object that you could not delete and click In Use By.

The In Use By tab of the lower pane opens, listing the other configurations that are affected.
Before you can delete the object, you must revise or delete the objects that use it.

You c an a ls o c l ic k Copy to copy the warning message to the clipboard and paste the message in a

document for use in locating the object at a later time.

5 A deletion is not final until you save the change. To undo a deletion, right click on the deleted

object and then click Revert.

In the table, a blue ball beside the object indicates that it has been modified.

Using the lower pane when you change configurations

The SGMI usually appears with two panes visible: the left pane that contains folders for navigation and
the right pane that contains the configuration details of the selected folder.

As you modify configuration details, you can display an additional lower pane at the bottom of the
SGMI window to let you view error warnings, validation messages, and other security gateway objects
that use a selected object.

This section includes the following topics:

■ Displaying and hiding the lower pane

■ Viewing objects used by an object you want to modify

Displaying and hiding the lower pane

The lower pane displays automatically in the following circumstances:

■ When you activate a change and activation fails.

■ When you select an object and click the In Use By option on the Table menu.

You can also open the lower pane manually.

To display and hide the lower pane

1 To display the lower pane, in the SGMI, hold the left mouse button down and drag the divider bar at

the bottom of the window up until the pane is the desired height.

2 To hide the lower pane, in the upper left corner of the pane, click X, or drag the divider bar down.

Viewing objects used by an object you want to modify

When you make configuration changes to a security gateway object, the changes affect other objects
that use the object you change. For example, if you change the properties of a network entity that is
used in a rule, the behavior of the rule changes. If you rename an object, all referencing objects are
updated automatically.

If you attempt to delete an object that is in use by other configuration objects, a message warns you
that the object is in use and cannot be deleted.

Before you begin to modify an object, you can use the In Use By option to display a list of objects that
reference the object you want to change.

Viewing system information

To view objects used by an object you want to modify

1 In the SGMI, in the right pane, select the object that you want to modify.

2 Do one of the following:

■ On the View menu, click In Use By.

■ Right-click, and click In Use By.

The SGMI searches for references to the selected object in other objects and displays the results on

the In Use By tab of the lower pane.

3 When a large number of object are returned, you can use the icons to the left of the window to

control the search.

Restart the search.

This can only be used after the search has been paused.

Pause the search.

Stop the search.

4 To view the results of the search, drag the pane divider up to increase the size of the window, or use

the scroll bar.

63Becoming familiar with the SGMI

Related information

For further information related to this topic, see the following:

■ “Viewing and modifying object properties” on page 50

■ “Deleting configuration objects” on page 61

Viewing system information

The System window is a read-only display of several security gateway statistics. This page displays the
operating system, system date and time, host name and gateway address, product name including the
security gateway version number, and the Symantec System ID. You can also view the Symantec
System ID on the LCD panel of the appliance.

If you are connected to SESA, the System page also displays information about the SESA Agent,
including whether it is installed and enabled and the port over which it is connected.

Note: Symantec Gateway Security 5000 Series v3.0 requires Symantec Advanced Manager for Security
Gateways v3.0.

Prerequisites

None.

64 Becoming familiar with the SGMI

Using wizards to simplify configuration

To view the system information

1 In the SGMI, in the left pane, under System, click System Information.

2 In the right pane, in the System Information window, view the current information about the

security gateway, including the product name and appliance model, date and time, status of the

front panel of the appliance, and Symantec System ID.

This window is read-only; however, you can copy information from it to the clipboard.

Related information

None.

Using wizards to simplify configuration

To simplify security gateway configuration, the SGMI includes the configuration wizards that are
described in Table 2-7. These wizards give you step-by-step configuration instructions to ensure
success.

Table 2-7 Symantec Gateway Security 5000 Series v3.0 wizards

Wizard name Description

Firewall Rule Wizard Helps you set up your mail, FTP, and HTTP services.

System Setup Wizard Helps you set up your security gateway, including network interfaces.

VPN Wizards Help you configure VPN access.

The following wizards are available:

■ Client VPN Package Wizard

Helps you create a configuration package for remote Client VPN users and
groups.

■ Remote Access Tunnel Wizard

Helps you create a tunnel for remote access using Client VPN or Clientless
VPN.

■ Gateway-to-Gateway Tunnel Wizard

Helps you create a tunnel from one security gateway to another.

Using wizards to simplify configuration

Table 2-7 Symantec Gateway Security 5000 Series v3.0 wizards (Continued)

Wizard name Description

Join SESA Wizard Helps you join SESA for scalable management.

Note: Symantec Gateway Security 5000 Series v3.0 requires Symantec Advanced
Manager for Security Gateways v3.0.

Cluster Wizard Helps you create a cluster of security gateways for high availability and load

balancing.

License Installation Wizard Helps you obtain and install license files.

Activation Wizard Helps you activate configurations.

Active Directory Wizard Lets you test the Active Directory Server when you configure it.

SecurID Wizard Lets you test the SecurID Server when you configure it.

Wizards have the following common characteristics:

■ A Welcome panel describes the object or feature that you are configuring.

65Becoming familiar with the SGMI

Back and Next buttons at the bottom of the panel let you navigate, and a Cancel button lets you

exit the wizard without making changes. A Help button displays online Help on the wizard

procedure.

66 Becoming familiar with the SGMI

Using wizards to simplify configuration

■ Detail panels prompt you for the information that you must provide. These panels include

■ A Confirmation panel lets you review your choices.

instructions to help you provide the information.

If you want to make a change, you can click Back to return to a previous panel.

You use the Finish button to initiate the configuration changes that you have configured using the

wizard.

The status table shows the changes being made. Each successful change is indicated by a green

check mark.

When the configuration is complete, the Finish button becomes a Close button that lets you close

the wizard.

Chapter

Managing administrative access

This chapter includes the following topics:

■ Creating administrator accounts

■ Creating machine accounts for security gateway access from remote computers

■ Changing passwords

■ Enabling SSH for command-line access to the appliance

Providing access to the security gateway

Although you may be the chief administrator of your corporate security gateway, it is likely that other
people in your organization need access to the security gateway. For example, round the clock
monitoring of the security gateway requires additional accounts for the employees who perform
monitoring. If different access strategies are needed for different segments of your organization, there
may be multiple administrators who perform configuration tasks. The SGMI lets you create accounts
for these employees, with the appropriate privileges for their jobs.

You can also create machine accounts to define computers other than management workstations that
need to automatically access information from the security gateway. This access includes the ability to
view and manage logs, and to provide IDS blacklist entries.

The administrative and machine accounts you create are secured by passwords, which you should
change regularly to protect the integrity of your security gateway.

3

An additional administrative access feature is the ability to configure SSH as a means of providing
command line access to view configuration files or perform tasks that are not accessible through the
SGMI. SSH provides a cryptographically protected connection that prevents eavesdropping, hijacking,
and other attacks.

Creating administrator accounts

The security gateway creates a default administrator account, called admin, when it is set up using the
appliance LCD panel. You should not modify the privileges of the admin account unless you have
created additional accounts that have full administrative access.

A second administrator account called Cluster is created when security gateways are clustered. This
account is read-only with the exception of the Password field. If the Cluster account does not exist, you
cannot manually create it. Manual creation of the Cluster account prevents a valid cluster
configuration.

You can use the Symantec Gateway Management Interface (SGMI) to create additional administrator
accounts to delegate administrator responsibility for the security gateway. When you create an
administrator account, you specify the account’s access privileges to security gateway services. For
example, an administrator who creates configurations requires full configuration privileges, while an
administrator who monitors the security gateway may only need privileges to view and manage logs,
and issue alerts.

68 Managing administrative access

Creating administrator accounts

Prerequisites

None.

To create local administrator accounts

1 In the SGMI, in the left pane, under System, click Adminis tration.

2 In the right pane, on the Local Administrators tab, click New.

3 In the Admin Account Properties dialog box, on the General tab, do the following:

Enable To enable the local administrator, check Enable.

User Name Type the name of the administrator.

Full Name Type the full name of the administrator.

You can use this name to distinguish between similar user names.

Password Type the local administrator’s password.

The password is encrypted and appears as a string of asterisk (*) characters.

The admin password should be at least 10 characters long, and contain both upper and
lower case letters and a punctuation character.

You can create a password that does not meet these recommendations, but you will get
a warning.

Confirm Password Type the administrator’s password again for confirmation.

Last password

change

Caption Type a brief description of the local administrator.

The Last password change field indicates the last time that the password was changed.

This field is read-only.

4 On the Configuration Privileges tab, do the following:

■ Under Administrator privileges, to permit the administrator to make changes to the security

gateway configuration, check Write configuration allowed.
You must check this option if you want to give the administrator write access to any of the
other configurations that are listed on this tab.

Creating machine accounts for security gateway access from remote computers

■ Under Restrictions on the above, you can limit specific privileges of the local administrator by

unchecking one or more check boxes.

5 On the Maintenance Privileges tab, enable the privileges you want to grant to the administrator.

When the administrator logs on, the functions for which privileges are not enabled are greyed out.

6 On the Restrict To Address tab, to restrict the addresses from which the administrator can log on,

type an IP address in the Address text box and clicking Add.

7 Optionally, on the Description tab, type a more detailed description than you typed in the Caption

text box.

8 Click OK.

9 Optionally, do one of the following:

■ To save your configuration now and activate later, on the toolbar, click Save.

■ To activate your configuration now, on the toolbar, click Activate.

When prompted to save your changes, click Ye s .

Related information

For further information related to this topic, see the following:

■ “Admin Account Properties—General tab” on page 758

■ “Admin Account Properties—Configuration Privileges tab” on page 759

69Managing administrative access

■ “Admin Account Properties—Maintenance Privileges tab” on page 760

■ “Admin Account Properties—Restrict To Address tab” on page 761

Creating machine accounts for security gateway access from
remote computers

The Machine Account window lets you define computers other than administrator workstations and
authorize them to automatically retrieve or update information on the security gateway. Depending on
the privileges you assign to the machine account, the computer represented by the account can be used
to remotely view or manage log files, or to manage the security gateway’s blacklist.

Prerequisites

None.

To create a machine account for security gateway access from a remote computer

1 In the SGMI, in the left pane, under System, click Adminis tration.

2 In the right page, on the Machine Accounts tab, click New.

3 In the Machine Account Properties dialog box, on the General tab, do the following:

Enable To enable the machine account, check Enable.

IP address Type the IP address of the machine account in dotted quad format.

Password Type the password for the machine account.

The password must be at least 10 characters long, contain both upper and lower case
letters, at least one numeric digit, and a punctuation character.

The password is encrypted and appears as a string of asterisk (*) characters.

Verify Password Type the machine account password again for confirmation.

70 Managing administrative access

Changing passwords

Last password

change

Caption Type a brief description of the machine account.

The Last Password Change text box is read only; it displays the date of the most recent
password change.

4 On the Privileges tab, do the following:

View log Check to let the remote computer view security gateway log files.

Manage log Check to let the remote computer access and manage security gateway log files.

Provide IDS blacklist

entries

Check to let the remote computer add or change entries in the Blacklist file.

If you check this entry, complete the following fields:

■ Pass entries on port

Type the port number to be used to connect to the blacklist.

■ Entry lifetime (minutes)

Type the length of time the blacklist entries are valid.

5 Optionally, on the Description tab, type a more detailed description than you typed in the Caption

text box.

6 Click OK.

7 Optionally, do one of the following:

■ To save your configuration now and activate later, on the toolbar, click Save.

■ To activate your configuration now, on the toolbar, click Activate.

When prompted to save your changes, click Ye s .

Related information

For further information related to this topic, see the following:

■ “Machine Account Properties—General tab” on page 764

■ “Machine Account Properties—Privileges tab” on page 765

Changing passwords

The administrative and machine accounts you create are secured by passwords, which you should
change regularly to protect the integrity of your security gateway.

The following topics describe how to change these passwords using the SGMI:

■ Changing administrator passwords

■ Changing the root password

■ Changing a machine account password

You can also use the LCD panel on the appliance to generate a new random root and admin password.
For more information, see the Connecting and Configuring section of the Symantec Gateway Security
5000 Series Getting Started guide.

An additional administrative account, the Cluster account, is created when you enable high
availability/load balancing (HA/LB). You can change the Cluster account password, caption, and
description. All other Cluster account information is read-only.

See “Changing the cluster account password” on page 519.

Note: If you use the LCD to change the administrator password for a cluster member, you must log on
to that member and activate the change so that it is propagated to the other cluster members.

If there are no changes to activate, make a spurious change such as creating and deleting an object so
that the Activate button is available.

Changing administrator passwords

Changing administrator passwords applies to two types of administrator password:

■ The password for the admin account that is created when you set up the security gateway

This password is automatically generated when you use the LCD panel to perform the initial

security gateway setup.

■ Passwords for administrator accounts that are created using the SGMI

Administrator passwords are used to log on to the SGMI, establish the administrator’s right to change
the root password, and can be used to make SSH connections for command-line access to the
appliance.

Changing passwords

71Managing administrative access

Change administrator passwords

There are three options for changing the administrator password:

■ Changing the admin password from the System menu

You can use the System menu to change the password with which you logged on to the SGMI.

When you do, the change takes effect immediately. You do not need to save and activate the

change.

■ Changing the administrator password from the System Setup Wizard

The System Setup Wizard provides a way to change the administrator password. On initial setup,

this lets you change the password immediately and choose a password that is more easily

remembered than the password that is generated during the appliance front panel setup.

You can continue to use the System Setup Wizard as a way to change your password after you

have done the initial setup of the security gateway.

■ Changing passwords in administrator accounts

If you are logged on to the SGMI with write privileges for local administrator accounts, you can

change the password of any of these accounts, including your own logon password.

When you change a password in an administrator account, you must save and activate the change

to make it take effect.

To change the administrative password using the System menu

1 In the SGMI, on the System menu, click Change Admin Password.

2 In the Change Administrator Password dialog box, in the Current administrator password text box,

type your existing password.

3 In the New administrator password text box, type a new password.

The password should contain at least 10 characters, should not contain digits or punctuation

characters, and should be all lower case.

The password is encrypted and appears as a string of asterisk (*) characters.

4 In the Verify new administrator password text box, type the new password again.

72 Managing administrative access

Changing passwords

5 Click OK.

For further information related to this topic, see “Change Administrator Password dialog box” on
page 773

To change the administrator password from the System Setup wizard

1 In the SGMI, in the Tools menu, click System Setup Wizard.

2 In the Welcome panel, click Next.

3 In the Optional Features panel, click Next.

4 In the Setup Options panel, click Next.

5 In the Machine Settings panel, to enable password changing, click Change administrator

■ If the passwords match and meet security recommendations, the new password is created.

■ If the passwords match but do not meet security recommendations, a password warning

displays with a recommendation and asks if you want to use the password anyway.
To change the password without taking the recommendation, click Ye s .
To return to the Change Administrator Password dialog box and follow the recommendation,
click No. Retype the password as suggested.

password, and then do the following:

Current password Type your logon password.

New password Type a new password.

The password should be ten or more lowercase alphabetic characters.

Passwords are encrypted and appear as a string of asterisk (*) characters.

Verify password Type the password again.

6 Click Next. One of the following happens:

■ If the passwords match and meet security recommendations, the Network Interface panel

displays. Continue at step 7.

■ If the passwords match but do not meet security recommendations, a password warning

displays with a recommendation and asks if you still want to use the password.
To change the password without taking the recommendation, click Ye s . Continue at step 7.
To return to the Machine Setting panel and follow the recommendation, click No. Retype the

passwords as suggested.

■ If the passwords do not match, a password error message displays. Click OK, and then retype

the passwords.

7 In the Network Interfaces panel, click Next.

8 In the Confirmation panel, click Finish.

For further information related to this topic, see “Machine Settings panel” on page 799.

To change local administrator passwords

1 In the SGMI, in the left pane, under System, click Adminis tration.

2 In the right pane, on the Local Administrators tab, highlight the administrator’s account with the

password that you want to change, and then click Propertie s.

3 In the Admin Account Properties dialog box, on the General tab, in the Password text box, type the

new password.

The password must be at least 10 characters long, with both upper and lowercase letters, numerals,

and a punctuation mark.

The password is encrypted and appears as a string of asterisk (*) characters.

4 In the Confirm Password text box, type the password again.

5 Click OK.

If the new password does not contain the recommended characters, you are warned; however, the

password is created.

If you want to follow the recommendations, edit the administrator’s account again.

6 Optionally, do one of the following:

■ To save your configuration now and activate later, on the toolbar, click Save.

■ To activate your configuration now, on the toolbar, click Activate.

When prompted to save your changes, click Ye s .

For further information related to this topic, see “Admin Account Properties—General tab” on
page 758

Changing the root password

The root password is created during the initial setup of the security gateway using the LCD panel.
Initially, it is the same as the administrator password.

You use it when you connect directly to the appliance from an SSH connection, and to temporarily
unlock the appliance through the LCD panel.

You can change the root password from the SGMI. When you do, the change takes effect immediately.

Changing passwords

73Managing administrative access

Prerequisites

None.

To change the root password

1 In the SGMI, on the System menu, click Change Root Password.

2 In the Change Root Password dialog box, in the Current administrator password text box, type the

password you used to log on to the SGMI.

3 In the New root password text box, type the new root password.

Passwords should only contain lowercase alphabetic characters, and should be at least 10

characters long.

If the LCD panel is locked, the password must be 12 or fewer lowercase letters in order to be

entered on the LCD panel.

The password is encrypted and appears as a string of asterisk (*) characters.

4 In the Verify root password text box, type the new root password again.

5 Click OK.

If the LCD panel is not locked and the new password contains digits or punctuation characters, you

are warned; however, you can still create the password.

If the LCD panel is locked, you cannot create the password unless it contains the required

characters.

Related information

For further information related to this topic, see the following:

■ “Change Administrator Password dialog box” on page 773

■ “Changing administrator passwords” on page 71

74 Managing administrative access

Enabling SSH for command-line access to the appliance

Changing a machine account password

If you are logged on to the SGMI with write privileges, you can change the password of machine
accounts. When changing machine account passwords, you must save and activate the changes to
make them take effect.

Prerequisites

Complete the following task before beginning this procedure:

■ “Creating machine accounts for security gateway access from remote computers” on page 69

To change a machine account password

1 In the SGMI, in the left pane, under System, click Adminis tration.

2 In the right pane, on the Machine Accounts tab, highlight the account with the password that you

want to change, and then click Properties.

3 In the Machine Account Properties dialog box, on the General tab, in the Password text box, type

the new password.

It must be at least 10 characters long and contain numerals, both uppercase and lowercase

alphabetic characters, and symbols.

The password is encrypted and appears as a string of asterisk (*) characters.

4 In the Confirm Password text box, type the password again.

5 Optionally, do one of the following:

■ To save your configuration now and activate later, on the toolbar, click Save.

■ To activate your configuration now, on the toolbar, click Activate.

When prompted to save your changes, click Ye s .

Related information

For further information related to this topic, see the following:

■ “Machine Account Properties—General tab” on page 764

Enabling SSH for command-line access to the appliance

There may be times when you need to work directly on the security gateway. For example, you connect
to the appliance to configure multicast support for gateway to gateway IPsec tunnels. You can also
connect to the appliance as an alternate way to perform a backup, or to retrieve an upgrade report.

In addition, Symantec Technical Support may ask you to view or change a configuration that is not
accessible through the SGMI.

You can use a Standard Secure Shell (SSH) client to establish a connection to the appliance so that you
can enter commands. SSH is a high-security protocol that uses strong cryptography to protect your
connection against eavesdropping, hijacking, and other attacks.

When you log on using SSH, you use the root password.

Prerequisites

None.

To enable command-line access to the appliance

1 In the SGMI, in the left pane, under System, click Configuration.

Enabling SSH for command-line access to the appliance

2 In the right pane, on the Features tab, under SSH connection, do the following:

SSH Version 1 To enable SSH V1 connectivity, check this option.

SSH Version 2 To enable SSH V2 connectivity, check this option.

Port Type the port through which the connection is made.

SSH Login Banner Message Optionally, type a message to be displayed when an SSH connection to the

appliance is made.

You can enable both SSH Version 1 and SSH Version 2. The correct version is used based on the

version of SSH that is supported on the client that is connecting.

3 Optionally, do one of the following:

■ To save your configuration now and activate later, on the toolbar, click Save.

■ To activate your configuration now, on the toolbar, click Activate.

When prompted to save your changes, click Ye s .

Related information

For further information related to this topic, see the following:

■ “Features tab” on page 743

75Managing administrative access

76 Managing administrative access

Enabling SSH for command-line access to the appliance

Maintaining your security gateway

This chapter includes the following topics:

■ Installing and uninstalling hotfixes

■ Configuring and running LiveUpdate

■ Starting and stopping the security gateway

■ Rebooting the security gateway appliance

■ Shutting down the security gateway appliance

■ Understanding and using licenses

Chapter

4

■ Backing up and restoring configurations

■ Making system changes with the System Setup Wizard

■ Maintaining traffic flow

Performing maintenance tasks

Regular maintenance of your security gateway is an important part of protecting your organization.

Maintenance can include the following:

■ Tasks that you perform occasionally, such as installing hotfixes to update your security gateway

software, installing new licenses, or running the System Setup Wizard to make interface changes

■ Tasks that you choose to perform regularly such as running LiveUpdate to update virus definitions

and intrusion detection signatures, and performing regular configuration backups

■ Tasks that are required as a result of changes to the security gateway, such as restarting or

rebooting the security gateway, or shutting down the appliance

Installing and uninstalling hotfixes

Periodically, Symantec issues hotfixes, which provide additional functionality or increased
performance for the security gateway. To learn about available hotfixes, visit the Symantec hotfix
download Web site at the following location:

http://www.symantec.com/techsupp/enterprise/select_product_updates_nojs.html

After you download the file that contains a hotfix to your workstation, you can install it using the
hotfix option on the SGMI System menu. The Hotfix dialog box that displays lets you:

■ View installed hotfixes

■ Install a hotfix

78 Maintaining your security gateway

Installing and uninstalling hotfixes

■ Uninstall a hotfix

Note: Installing a hotfix may result in the JAR cache version being older or newer than that of the
security gateway. The hotfix documentation tells you whether you need to clear the JAR cache before
logging on.

Prerequisites

None.

Install and uninstall hotfixes

Use the following procedures to install and uninstall hotfixes.

To install a hotfix

1 Connect to the Symantec product update Web site at

enterprise/select_product_updates_nojs.html

2 Click the link that is located in the hotfix description and read the document that is displayed.

This document tells you whether there are any prerequisites for installing the hotfix.

3 Download the .tgz file for the hotfix to a folder on your management computer.

4 In the SGMI, on the System menu, click Hotfix .

http://www.symantec.com/techsupp/

to determine if a new hotfix is available.

5 In the Hotfix dialog box, view the installed hotfixes.

6 To install a new hotfix, click Install Hotfix.

7 In the Open dialog box, navigate to the location where you downloaded the hotfix file.

8 Select the hotfix file, and then click Open.

When the hotfix installation completes successfully, a message displays, depending on the content

of the hotfix:

■ If the message tells you that the hotfix has been successfully installed, click OK.

■ If the message tells you that the hotfix will not take effect until the security gateway is

restarted, do one of the following:
To restart the security gateway immediately, click Ye s .
To close the message and continue working in the SGMI, click No. Restart the security

gateway at a later time to make the hotfix take effect.

9 If you receive a message that the hotfix cannot be installed, check the Symantec product update

Web site to find out if another hotfix needs to be installed first.

Install any required hotfixes, and then install the hotfix that failed to install.

To uninstall a hotfix

1 In the SGMI, on the System menu, click Hotfix .

2 In the Hotfix dialog box, select the hotfix that you want to uninstall.

3 Click Uninstall Hotfix.

4 A message displays, depending on the content of the hotfix you are uninstalling:

■ If the message says that the hotfix has been successfully uninstalled, click OK.

■ If the message says that you must restart the security gateway to remove the hotfix, do one of

the following:
To restart the security gateway immediately, click Ye s .
To close the message and continue working in the SGMI, click No. Restart the security

gateway at a later time to complete the removal of the hotfix.

■ If the message says that you must reboot the security gateway to remove the hotfix, do one of

the following:
To reboot the security gateway immediately, click Ye s .
To close the message and continue working in the SGMI, click No . Reboot the security
gateway at a later time to complete the removal of the hotfix.

Related information

For further information related to this topic, see the following:

■ “Hotfix dialog box” on page 774

■ “Starting and stopping the security gateway” on page 84

■ “Rebooting the security gateway appliance” on page 85

Configuring and running LiveUpdate

The LiveUpdate component of the security gateway lets you schedule updates of the definitions and
signatures that are used by the following content security components:

■ Antispam

■ Antivirus

Configuring and running LiveUpdate

79Maintaining your security gateway

■ Content filtering

■ Dynamic Document Rating (DDR)

■ Intrusion detection and intrusion protection (IDS/IPS)

Note: If you have made changes to pre-configured intrusion detection policies, LiveUpdate may

overwrite those changes.

Configuring LiveUpdate involves the following:

■ Defining a LiveUpdate server

■ LiveUpdating components

■ Optionally, Running LiveUpdate manually

Defining a LiveUpdate server

To update a component, the security gateway contacts the LiveUpdate server you specify for the
component and downloads updated configurations. If you specify more than one LiveUpdate server,
the security gateway contacts the servers in the order in which they are listed.

80 Maintaining your security gateway

Configuring and running LiveUpdate

Three public Symantec LiveUpdate servers are defined by default:

Table 4-1 Default LiveUpdate servers

Server name Server URL

Symantec LiveUpdate http://liveupdate.symantecliveupdate.com

Symantec LiveUpdate 2 http://liveupdate.symantec.com

Symantec LiveUpdate FTP ftp://update.symantec.com/opt/content/onramp

If a LiveUpdate server is deployed in your network, you can identify it to the security gateway for use in
updating components. Benefits of configuring a local LiveUpdate server can include better
performance and the ability to control the version of LiveUpdate signatures and definitions that is
available.

Prerequisites

None.

To define a LiveUpdate server

1 In the SGMI, in the left pane, under System, click Configuration.

2 In the right pane, on the LiveUpdate tab, under LiveUpdate Servers, click New.

3 In the LiveUpdate server properties dialog box, on the General tab, do the following:

Name Type a name to identify the LiveUpdate server.

Protocol From the drop-down list, select HTTP or FTP as the protocol to be used by the

LiveUpdate server.

Server URL Type the fully qualified domain name of the LiveUpdate server.

Port Type the port on which the LiveUpdate server listens.

4 If you chose FTP as the protocol, optionally, you can require authentication by doing the following:

User name Type the user name that is used to authenticate to the LiveUpdate server.

Password Type the password that is used to authenticate to the LiveUpdate server.

5 Optionally, on the Description tab, type a more detailed description than you typed in the Caption

text box.

6 Click OK.

7 Optionally, do one of the following:

■ To save your configuration now and activate later, on the toolbar, click Save.

■ To activate your configuration now, on the toolbar, click Activate.

When prompted to save your changes, click Ye s .

Related information

For further information related to this topic, see the following:

■ “LiveUpdate Server Properties—General tab” on page 754

■ “LiveUpdating components” on page 81

LiveUpdating components

LiveUpdate is run separately for each content security component.

You can schedule LiveUpdate for each component, or you can manually run a LiveUpdate of a
component at any time.

Note: If you run LiveUpdate in a clustered environment, only the components on the security gateway
where you issue the command are updated. To prevent having different definitions on the nodes of the
cluster, you should schedule LiveUpdate to be run at the same time on each cluster member.

The tasks that you can perform are:

■ Scheduling LiveUpdate of a component

■ Adding a LiveUpdate server for a component

■ Specifying an HTTP proxy for LiveUpdate

■ Running LiveUpdate manually

Scheduling LiveUpdate of a component

You schedule a LiveUpdate session separately for each of the components that has an update license.
Scheduling LiveUpdate lets you assure that your content security components are always up to date.
Once scheduled, the component update takes place automatically.

Configuring and running LiveUpdate

81Maintaining your security gateway

Prerequisites

None.

To schedule LiveUpdate for a component

1 In the SGMI, in the left pane, under System, click Configuration.

2 In the right pane, on the LiveUpdate tab, view the components that can be updated and the

LiveUpdate servers that are defined for your security gateway.

3 To schedule LiveUpdate for a component, in the LiveUpdate Components table, double-click the

component.

4 Optionally, in the LiveUpdate Settings for Component Properties dialog box, in the Caption text

box, type a brief description of the LiveUpdate properties for this component.

5 On the Schedule tab, to have LiveUpdate performed at regular intervals, check Automatic Update.

82 Maintaining your security gateway

Configuring and running LiveUpdate

6 To select the type of interval, do one of the following:

Multiple times a day Use the drop-down list to specify the interval in hours.

Once a day Use the Time drop-down lists to specify the hour and minute.

Once a week Use the Day drop-down list to specify the day of the week.

7 Optionally, on the Description tab, type a more detailed description than you typed in the Caption

text box.

8 Click OK.

9 Optionally, do one of the following:

■ To save your configuration now and activate later, on the toolbar, click Save.

■ To activate your configuration now, on the toolbar, click Activate.

Related information

For further information related to this topic, see the following:

■ “LiveUpdate Settings for Component Properties—General tab” on page 755

■ “Adding a LiveUpdate server for a component” on page 82

Click the appropriate radio button to specify AM or PM.

Use the Time drop-down lists to specify the hour and minute.

Click the appropriate radio button to specify AM or PM.

When prompted to save your changes, click Ye s .

■ “Specifying an HTTP proxy for LiveUpdate” on page 83

■ “Running LiveUpdate manually” on page 84

Adding a LiveUpdate server for a component

Three LiveUpdate servers are provided by Symantec. By default, these are selected as the LiveUpdate
servers for the content security components.

You can also configure one or more additional servers for use for LiveUpdate and specify them in the
components’ properties.

A total of 10 servers can be listed for each component. When LiveUpdate is performed, these servers
are contacted in the order in which they are listed. You can modify the order.

Prerequisites

None.

To add a LiveUpdate server for a component

1 In the SGMI, in the left pane, under System, click Configuration.

2 In the right pane, on the LiveUpdate tab, view the components that can be updated and the

LiveUpdate servers that are defined for your security gateway.

3 In the LiveUpdate Settings for Component Properties dialog box, the General tab lists the

LiveUpdate servers that are currently used to update the component.

To add a server, beside the LiveUpdate servers list, click Add.

Configuring and running LiveUpdate

4 In the Select LiveUpdate Servers dialog box, select a server from the LiveUpdate Server list, and

then do one of the following:

■ To add the server to the LiveUpdate Servers list without closing the Select dialog box, click

Apply.

■ To add the server to the LiveUpdate Servers list and close the Select dialog box, click OK.

You can add up to 10 LiveUpdate servers.

5 LiveUpdate servers are contacted in the order in which they are listed.

To move a server in the list, select it, and then click Move Up or Move Down.

6 Click OK.

7 Optionally, do one of the following:

■ To save your configuration now and activate later, on the toolbar, click Save.

■ To activate your configuration now, on the toolbar, click Activate.

When prompted to save your changes, click Ye s .

Related information

For further information related to this topic, see the following:

■ “LiveUpdate Settings for Component Properties—General tab” on page 755

■ “Defining a LiveUpdate server” on page 79

83Maintaining your security gateway

Specifying an HTTP proxy for LiveUpdate

If one or more of your LiveUpdate servers uses HTTP to download updated definitions or signatures,
you can specify a proxy as one of the component properties.

Using a proxy lets you specify a different port, and a user name and password for greater security.

Prerequisites

None.

To specify an HTTP proxy for LiveUpdate

1 In the SGMI, in the left pane, under System, click Configuration.

2 In the right pane, on the LiveUpdate tab, double-click the component for which you want to use a

proxy.

3 On the Proxy tab, check Use a proxy for HTTP connections.

4 Specify the proxy details by doing the following:

HTTP proxy address Specify the address of the proxy server.

HTTP proxy port Specify the port used by the proxy server to connect to the security gateway.

HTTP proxy user name Specify the user name used to authenticate the connection.

HTTP proxy password Specify the password used to authenticate the connection.

5 Click OK.

6 Optionally, do one of the following:

■ To save your configuration now and activate later, on the toolbar, click Save.

■ To activate your configuration now, on the toolbar, click Activate.

When prompted to save your changes, click Ye s .

84 Maintaining your security gateway

Starting and stopping the security gateway

Related information

For further information related to this topic, see the following:

■ “LiveUpdate Settings for Component Properties—Proxy tab” on page 756

■ “Defining a LiveUpdate server” on page 79

Running LiveUpdate manually

When you schedule LiveUpdate for a component, the component is automatically updated on the
scheduled days and times. You can also initiate a LiveUpdate at any time, without waiting for the
scheduled LiveUpdate. For example, if there is an outbreak of a new virus, you can update your virus
definitions immediately.

Prerequisites

None.

To run LiveUpdate manually

1 In the SGMI, in the left pane, under System, click Configuration.

2 In the right pane, on the LiveUpdate tab, under LiveUpdate Components, select the component you

want to update.

3 Click Run LiveUpdate Now.

The Run LiveUpdate Results message box tells you that LiveUpdate has started for the component.

4 Click OK.

Related information

For further information related to this topic, see the following:

■ “Defining a LiveUpdate server” on page 79

■ “LiveUpdating components” on page 81

Starting and stopping the security gateway

You can use the SGMI to configure the security gateway whether it is stopped or started; however, the
security gateway must be running to perform some tasks such as viewing license usage or creating a
cluster. In other cases, to complete a procedure such as installing or uninstalling a hotfix, you may be
required to restart the security gateway.

The status message on the right side of the toolbar indicates whether the security gateway is running
or if it is stopped. The System menu option that lets you start and stop the security gateway changes to
reflect the security gateway status.

Icon Status message Menu option state

Security gateway is running Stop Gateway

Security gateway is stopped Start Gateway

Note: When the security gateway is stopped, all traffic is blocked except administrator connections to
the security gateway.

Prerequisites

None.

To start or stop the security gateway

1 If the security gateway is stopped and you want to start it, do the following:

■ On the System menu, click Start security gateway.

■ In the confirmation message box, click OK.

2 If the security gateway is running and you want to stop it, do the following:

■ On the System menu, click Stop security gateway.

■ In the confirmation message box, click OK.

Related information

None.

Rebooting the security gateway appliance

Most of the changes you make to security gateway configurations can be activated using the Activate
toolbar button or menu item. These include the creation of objects such as rules, tunnels, and users,
and the configuration of features such as antivirus, antispam, and content filtering. Some situations,
however, require you to reboot the appliance as part of a change process.

Rebooting the appliance is incorporated into the following security gateway processes:

■ An appliance reboot occurs automatically:

■ If you use the System Setup Wizard to change the appliance host or domain name, default

gateway, or any interface properties, or lock the LCD panel

■ After you restore a configuration, a reboot occurs automatically.

Rebooting the security gateway appliance

85Maintaining your security gateway

■ You use the Reboot Cluster option to reboot all cluster members after making cluster changes.

There are additional situations where you must manually reboot the appliance for a change to take
effect, including:

■ After you add or remove licenses, to register the change.

■ After you install or uninstall some hotfixes

■ If you have problems joining SESA.

Note: Symantec Gateway Security 5000 Series v3.0 requires Symantec Advanced Manager for

Security Gateways v3.0.

■ If you make changes using command line commands.

You should not change security gateway configurations unless directed to do so by Symantec

Technical Support.

You can also reboot the appliance manually using the System menu options on the appliance front
panel. See the section on using the System menu in the Symantec Gateway Security 5000 Series v3.0
Installation Guide.

86 Maintaining your security gateway

Shutting down the security gateway appliance

Prerequisites

Complete the following task before beginning this procedure:

■ “Saving and activating configuration changes” on page 59

To reboot the security gateway appliance

1 In the SGMI, on the System menu, click Reboot.

2 When prompted to confirm the reboot, click Yes .

The Symantec Gateway Security 5000 Series v3.0 logon dialog box displays and the security

gateway reboots.

3 When the reboot has completed, you can log on to the SGMI again.

Related information

For further information related to this topic, see the following:

■ “Rebooting a cluster” on page 523

Shutting down the security gateway appliance

Some security gateway maintenance procedures require you to shut the security gateway down. In
particular, if you need to install a field replaceable unit (FRU) such as a fan or hard disk, you should
shut down the security gateway.

This procedure describes shutting down the appliance from the SGMI.

You can also shut the appliance down manually, using the System menu options on the appliance’s
LCD panel. For instructions, see the section on shutting down the appliance in the Symantec Gateway
Security 5000 Series v3.0 Installation Guide.

Prerequisites

None.

To shut down the security gateway appliance

1 In the SGMI, on the System menu, click Shutdown.

2 When prompted to confirm the shutdown, click Yes .

The SGMI closes and the Symantec Gateway Security 5000 Series v3.0 logon screen is displayed.

3 To log on to the SGMI again, manually start the appliance.

4 In the log on screen, type your password and click Logon.

Related information

For further information related to this topic, see the section on using the System menu in the Symantec
Gateway Security 5000 Series v3.0 Installation Guide.

Understanding and using licenses

The security gateway is comprised of a base firewall component that controls access through the
security gateway and additional components that provide specific kinds of protection and connectivity.

When you receive the security gateway, all components are activated by a 30-day grace period license.
The grace period license gives you full functionality for all security gateway components, and content
update for content security signatures and definitions. You can configure all components and use them
in security gateway rules, filters, and tunnels.

Understanding and using licenses

Before the end of the grace period you must obtain and install licenses for each security gateway
feature that you want to continue to use. When the grace period expires or when you install the first
license, components for which you do not have licenses are disabled. If you have configured rules that
use the disabled features, those rules will be invalid. For example, if you do not have a license for
antivirus protection but you configured a rule using antivirus during the grace period, that rule will be
invalid. To avoid a loss of functionality, you may want to install all of your licenses at one time.

Security gateway features are individually licensed to let you purchase licenses for only the features
that your security plan requires. If your security requirements change, you can purchase and install
licenses for additional security features.

Licensing tasks include:

■ Viewing the license status of security gateway components

■ Viewing license usage

■ Viewing installed licenses

■ Obtaining licenses

■ Preparing to install license files

■ Installing licenses

■ Removing all license files

■ Enabling and disabling security gateway features

87Maintaining your security gateway

Viewing the license status of security gateway components

The License Summary tab lets you view all security gateway license information in one place. The
license information includes the starting date, expiration date, and user limit for each licensed security
gateway component.

Note: Licenses expire at midnight Greenwich Mean Time (GMT). The time shown in the license
summary is the local time adjusted to reflect this.

Prerequisites

None.

To view the license status of security gateway components

1 In the SGMI, in the left pane, under System, click Licensing.

In the right pane, on the License Summary tab, licensed features and their status (Licensed or Not

licensed), starting dates, expiration dates, and limits (node count) are displayed.

The information in the License Summary table is read-only.

Related information

For further information related to this topic, see the following:

■ “Obtaining licenses” on page 89

■ “Installing licenses” on page 94

88 Maintaining your security gateway

Understanding and using licenses

Viewing license usage

The License Usage tab lets you view the usage rates of the various licensed security gateway
components.

You can only view the license usage if the security gateway is running.

Prerequisites

Complete the following task before beginning this procedure:

■ “Starting and stopping the security gateway” on page 84

To view license usage

1 In the SGMI, in the left pane, under System, click Licensing.

In the right pane, on the License Usage tab, you can monitor the usage of licensed features on your

security gateway.

The information displayed includes the number of security gateway servers and clients, the

number of licensed tunnels being used, the number of configured clusters, and so on. The limits on

each licensed feature are also listed. The information in the License Usage table is read-only.

Related information

For further information related to this topic, see the following:

■ “Obtaining licenses” on page 89

■ “Installing licenses” on page 94

Viewing installed licenses

The Installed Licenses tab lets you view information about the licenses installed on the security
gateway. It also lets you install new licenses for additional security gateway components.

Prerequisites

Complete the following tasks before beginning this procedure:

■ “Obtaining licenses” on page 89

■ “Installing licenses” on page 94

To view installed licenses

1 In the SGMI, in the left pane, under System, click Licensing.

Understanding and using licenses

89Maintaining your security gateway

2 In the right pane, on the Installed Licenses tab, right-click an entry, and then click Properties.

3 In the Installed License Properties dialog box, you can view the attributes of the installed license,

4 Click OK.

Related information

For further information related to this topic, see the following:

■ “Installed License Properties” on page 767

■ “Installing licenses” on page 94

■ “Removing all license files” on page 95

Obtaining licenses

You obtain security gateway licenses from the Symantec Licensing and Registration Web site. This site
prompts you for the information that is needed to issue your license files. After you enter all the
requested registration information on the licensing Web site, Symantec sends an email with a license
file attachment.

Obtaining licenses includes:

■ Understanding license types

■ Preparing to obtain license files

■ Completing the license registration process

■ Preparing to install license files

such as the license file name, the features licensed, and the expiration date of the license.

All information in this window is read-only.

90 Maintaining your security gateway

Understanding and using licenses

Understanding license types

Licenses are available for all individual Symantec Gateway Security 5000 Series features and also in
combinations of features.

Activation packs are combinations of individual licenses that are packaged for convenience and ease of
installation.

■ The Firewall Base License Activation Pack consists of a 50-node firewall base license and three

months of Gold maintenance.

■ The VPN Base License Activation Pack consists of a 25-session VPN Base License and three months

of Gold maintenance.

■ Bundle License Activation Packs consist of various combinations of add-on feature licenses,

additive node or session licenses, and maintenance.

Individual licenses are available for all separate additive and add-on features.

■ Additive licenses increase the number of VPN sessions or nodes allowed.

■ Add on licenses are for individual features such as antivirus and antispam (AV+AS), content

filtering (CF), intrusion detection and prevention (IDS+IPS), high availability/load balancing

(HALB), and client-to-gateway (C2G). Add on Gold Maintenance licenses are also available to extend

subscriptions to features that use Symantec’s LiveUpdate technology to update content such as

antivirus and antispam, and intrusion detection and prevention.

Preparing to obtain license files

Before you connect to the Symantec Licensing and Registration Web site, make sure that you have
obtained the information you need. To make it easier to organize this information, complete the
license file organization worksheet. If you are licensing multiple appliances, copy the worksheet and
complete it for each appliance.

To obtain license files, you need the following information:

■ License serial numbers

These numbers are printed on the Serial Number Certificate you receive when you purchase the

appliance. There is a unique serial number for the base firewall component, and additional serial

numbers for each component for which you have purchased a license.

■ Symantec System ID

The Symantec system ID is a unique identifier for your appliance. You can obtain it from the LCD

panel of the appliance or from the SGMI.

■ Appliance serial number

The appliance serial number is a unique identification located on a label on the underside of the

appliance and also on a label on the appliance shipping carton adjacent to the S/N barcode.

■ Technical contact names

You must register for technical support and software update (maintenance) services at the same

time you request your license file. Only the people whose contact information you provide are

entitled to contact Symantec for technical support.

You can only enter technical support contacts on the licensing Web site at the time you obtain

your licenses. To change technical support contact information later, contact the contact person

for your contract.

The following contact information is required to obtain a license:

■ The email address of the person to whom your license files will be sent.

■ The names, phone and FAX numbers, and email addresses of two technical representatives

who will be authorized to contact Symantec for support.

■ Your full company name.

Understanding and using licenses

The following topics describe how to obtain and record the information you need to register your
licenses:

■ “Gathering and sorting your serial number certificates” on page 91

■ “Obtaining the Symantec System ID” on page 92

■ “Completing the license file organization worksheet” on page 92

Gathering and sorting your serial number certificates

Symantec provides evidence of your purchase using a serial number certificate. Check with your sales
representative to understand how your certificates are sent. Each serial number certificate can contain
several unique serial numbers, one or more for each feature ordered.

The format of the license serial number is a letter followed by 10 digits. For example, F2430482013.
The license serial numbers on serial number certificates correspond to the purchase order that you
place:

■ If you ordered one product, the serial number certificate contains the license serial number for

that product.

■ If you ordered more than one product, the serial number certificate has license serial numbers for

all of the products and features in that order.

Figure 4-1 shows serial numbers for features ordered for two different appliances, A and B, on the

same certificate.

If you ordered more than one product, you should separate and organize the license serial

numbers on the serial number certificate before requesting license files.

91Maintaining your security gateway

Figure 4-1 Sample serial number certificate

Appliance A

Appliance B

92 Maintaining your security gateway

Understanding and using licenses

Related information

For further information related to this topic, see the following:

■ “Obtaining the Symantec System ID” on page 92

■ “Completing the license file organization worksheet” on page 92

Obtaining the Symantec System ID

The Symantec System ID is an alphanumeric string with parenthesis that identifies your appliance to
the licensing system. The license file will only activate the product’s features on the appliance with the
Symantec System ID that you provide during registration.

Note: The Symantec System ID is case sensitive, and enclosed in parentheses. All letters in the
Symantec System ID must be capitalized.

Prerequisites

None.

Obtain the Symantec System ID

You can obtain the Symantec System ID from the system menu on the LCD panel of the appliance or
from the SGMI.

To obtain the Symantec System ID from the appliance’s LCD

1 On the front panel of the appliance, press the e button to select the LCD system menu.

2 Press the down arrow button until you see 4. System ID.

3 Press the e button to view the Symantec System ID.

To obtain the Symantec System ID from the SGMI

1 In the SGMI, in the left pane, under System, click System Information.

2 In right pane, at the bottom of the window, highlight the Symantec System ID, including the

parentheses.

3 On the keyboard, click Ctrl + C to copy the System ID to the clipboard. You can then paste it into a

document to have available when you are ready to obtain your licenses.

Related information

For further information related to this topic, see the following:

■ “Gathering and sorting your serial number certificates” on page 91

■ “Completing the license file organization worksheet” on page 92

Completing the license file organization worksheet

A license file worksheet is available in the licensing chapter of the Symantec Gateway Security 5000
Series v3.0 Installation Guide.

Complete the worksheet by recording the license serial numbers and the number of nodes licensed for
each available license option. Fill out a separate worksheet for each security gateway before you apply
for your license file.

Understanding and using licenses

Complete the following tasks before you fill out the worksheet:

■ “Preparing to obtain license files” on page 90

■ “Gathering and sorting your serial number certificates” on page 91

■ “Obtaining the Symantec System ID” on page 92

Completing the license registration process

The Symantec Licensing and Registration Web site lets you enter serial numbers and contact
information to request and obtain license files. It is also used to register technical contacts that are
entitled to contact Symantec for support. After entering all the requested registration information on
the licensing Web site, Symantec sends an email with a license file attachment.

Before using the Symantec Licensing and Registration Web site, make sure you understand what
information you need and fill out a license file organization worksheet for each appliance.

Prerequisites

Complete the following tasks before beginning this procedure:

■ “Gathering and sorting your serial number certificates” on page 91

■ “Obtaining the Symantec System ID” on page 92

■ “Completing the license file organization worksheet” on page 92

93Maintaining your security gateway

To complete the license registration process

1 Open a Web browser and connect to Symantec’s Licensing and Registration Web site at https://

licensing.symantec.com.

2 In the Licensing and Registration page, follow all the on-line instructions and complete all the

required registration screens.

Symantec emails a license file to the email address you specify during registration. This file must be
installed on the appliance to enable the licensed features. The subject line of the email contains a serial
number for one of the licensed products contained within the order. Once you receive your license
files, unzip them to a location on your network accessible to your appliance.

Caution: When you receive and store your license files, keep a back up of these files in a secure location.
License files cannot be backed up using the SGMI backup procedure.

If you purchase additional licenses for this appliance in the future, you should follow these same steps
for the new licenses and associated serial numbers.

Related information

For further information related to this topic, see the following:

■ “Preparing to install license files” on page 93

■ “Installing licenses” on page 94

Preparing to install license files

When your license files are emailed to you, the subject line of the email shows the serial number used
to request the license file. The message in the email shows the Symantec System ID of the security
gateway to which the license belongs. You must install your license files before the 30-day grace period
ends.

94 Maintaining your security gateway

Understanding and using licenses

If you need additional support, contact the Customer Service team for your region at http://

www.symantec.com/licensing/els/help/en/help.html

Prerequisites

Complete the following tasks before beginning this procedure:

■ “Preparing to obtain license files” on page 90

■ “Completing the license registration process” on page 93

To prepare to install license files

1 On the desktop, create a separate folder for each security gateway, in an accessible location on your

network, with the folder name based on the Symantec System ID of the security gateway.

2 When you receive the email that contains the security gateway’s license files, open the attached file

using a decompression utility, such as WinZip or WinRAR.

The .slf file contained within the .zip file is the actual license file that you must install on your

security gateway to enable the features.

Caution: Do not attempt to edit the .slf file; this corrupts the license file and prevents your product

from working properly.

3 Save the license files to the appropriate folders.

4 Create a backup copy of your license files in a secure location.

Related information

For further information related to this topic, see the following:

■ “Installing licenses” on page 94

Installing licenses

After you obtain your security gateway license files, you install them by running the License
Installation Wizard.

You can run the License Installation Wizard from the following locations:

■ The License Installation Wizard link in the Quick Status section of the home page.

■ The Installed Licenses tab of the Licensing window.

The License Installation Wizard guides you through the process of installing license files. You can
install a single license file or upload and install multiple files.

Prerequisites

Complete the following tasks before beginning this procedure:

■ “Completing the license registration process” on page 93

■ “Preparing to install license files” on page 93

This link is only available when you have read access to the SGMI and a license is nearing

expiration.

To install a license

1 In the SGMI, in the left pane, under System, click Licensing.

2 In the right pane, on the Installed Licenses tab, click Install.

3 On the License Installation Wizard welcome panel, click Next.

4 On the Obtain License Files panel, click Next.

Understanding and using licenses

5 In the Upload License Files panel, to the right of the license file list, click Upload File.

6 For each license file you want to install, do the following:

■ In the Open dialog box, navigate to the location where you copied your license files.

■ Select one or more license files, and then click Open.

The license files appear in the License File list.

7 If you inadvertently upload a license file that you do not want to install, select it and click Remove

File.

8 When you have uploaded all of the license files that you want to install, click Next.

9 In the License Error Check panel, the licenses you have uploaded are checked against other

licensed components on your security gateway. Read the messages, and then do the following:

■ If no errors are listed, click Next.

■ If errors are reported, click Back to remove licenses for which you receive errors or warnings,

or click Close, and then call Symantec Technical Support for assistance.

10 In the Confirm License Installation panel, verify that license files for all the features and node

limits you want are uploaded. Do one of the following:

■ To install the licenses on the appliance, click Next.

■ If you have not uploaded all the files you need, click Back until the Upload License Files panel

is displayed, and then repeat steps 5 through 8 to upload and verify the missing license files.
Click Next.

11 In the License Installation Complete panel, click Close.

95Maintaining your security gateway

12 When prompted to restart the security gateway, do one of the following:

■ To continue working and restart the security gateway at a later time, click No.

The new licenses will not take effect until you restart the security gateway.
When you are ready to restart the security gateway, on the System menu, click Reboot.

■ To restart the security gateway now, click Ye s .

The Symantec Gateway Security 5000 Series v3.0 logon dialog box displays and the security
gateway reboots.

Related information

For further information related to this topic, see the following:

■ “Removing all license files” on page 95

Removing all license files

You can remove license files from the security gateway using the SGMI. You must remove all installed
licenses at one time; you cannot remove individual feature or node limit licenses. After you remove all
licenses, you can then reinstall the licenses you still want to use.

If you have any time left in your 30-day grace period, the security gateway will function for the
remaining time. Otherwise, after removing licenses your security gateway will not be operational until
you install new licenses.

Prerequisites

None.

To remove all license files

1 In the SGMI, in the left pane, under System, click Licensing.

2 In the right pane, on the Installed Licenses tab, click Remove All.

96 Maintaining your security gateway

Understanding and using licenses

3 When prompted to confirm the removal, click Ye s .

All licenses are removed.

A message tells you that the security gateway will be rebooted in 30 seconds and asks if you want to

reboot immediately

4 If you do not want to wait for the reboot to start, click OK.

The Symantec Gateway Security 5000 Series v3.0 logon dialog box displays and the security

gateway reboots.

5 When the reboot has completed, you can log on to the SGMI again.

Related information

For further information related to this topic, see the following:

■ “Installing licenses” on page 94

Enabling and disabling security gateway features

When you first configure the security gateway, the 30-day grace period license gives you access to all
of the security gateway’s features. When the grace period ends, features for which you have not
installed a license are disabled. Installing a license automatically enables the features provided by the
license.

Other features, such as hardware encryption and the ability to make SSH connections, do not require
licenses, but must be enabled through the SGMI in order to take effect.

There are two ways to enable and disable the security gateway’s features:

■ Running the System Setup Wizard

See “Enabling and disabling security gateway features from the System Setup Wizard” on page 96.

■ By using the System > Configuration > Features tab.

See “Enabling and disabling security gateway features from the Features window” on page 97.

Enabling and disabling security gateway features from the System Setup
Wizard

With the exception of hardware encryption, the security gateway features you can enable from the
System Setup Wizard are those that are available to you through your security gateway licenses.

The exception is when you first receive your security gateway. At that time, the 30 day evaluation
license that installs with the product lets you use all of the security gateway features until you have
had time to obtain and install your licenses.

Prerequisites

None.

To enable licensed security gateway features from the System Setup Wizard

1 In the SGMI, on the Tools menu, click System Setup Wizard.

2 On the System Setup Wizard Welcome panel, click Next.

3 On the Optional Features panel, check a feature’s check box to enable the feature.

4 When you have enabled all features, click Next.

5 On the Setup Options panel, click Next.

6 On the Machine Settings panel, click Next.

7 On the Network Interfaces panel, click Next.

8 On the Confirmation panel, click Finish.

Understanding and using licenses

Related information

For further information related to this topic, see the following:

■ Enabling and disabling security gateway features from the Features window

Enabling and disabling security gateway features from the Features window

The Features window lets you enable both licensed features and other security gateway features such
as the use of an uninterruptible power supply, Clientless VPN features, and the use of SSH.

When you disable a feature, the areas of the SGMI that let you configure that feature are greyed out.
This includes the configuration options for the feature, and other places in the SGMI where those
options are used. For example, if you disable the content filtering feature, you cannot configure
content profiles, or specify URLs that should be blocked. In addition, you cannot add content filtering
restrictions to a rule.

Prerequisites

Complete the following tasks before you begin this procedure:

■ “Obtaining licenses” on page 89

■ “Installing licenses” on page 94

To enable and disable security gateway features

1 In the SGMI, in the left pane, under System, click Configuration.

97Maintaining your security gateway

2 In the right pane, on the Features tab, do the following:

■ To enable a feature, check the check box.

■ To disable a feature, uncheck the check box.

If you are not licensed to use a feature, it is unavailable.

3 Optionally, do one of the following:

■ To save your configuration now and activate later, on the toolbar, click Save.

■ To activate your configuration now, on the toolbar, click Activate.

When prompted to save your changes, click Ye s .

98 Maintaining your security gateway

Backing up and restoring configurations

Related information

For further information related to this topic, see the following:

■ “Features tab” on page 743

■ “Making system changes with the System Setup Wizard” on page 104

■ “Advanced mail actions” on page 446

■ “Enabling SSH for command-line access to the appliance” on page 74

Backing up and restoring configurations

You should back up your security gateway’s configuration on a regular basis, and particularly prior to
making and activating major changes. This lets you restore the previous configuration if something is
wrong with the new configuration.

Note: A backup password is required to restore the configuration.

If you are upgrading from a previous version of the security gateway, you are instructed to back up and
restore your configurations as part of the upgrade process. For backup and restore details that are
specific to upgrading the security gateway, see the upgrade chapter of the Symantec Gateway Security
5000 Series v3.0 Installation Guide.

You can backup the configuration of one security gateway and restore it on another security gateway
as a way to move configurations between appliances. Another method of sharing configurations
between security gateways is by associating the security gateways with each other in a cluster.

Keep the following requirements in mind when you plan to back up and restore configurations:

■ To perform a backup, your administrator account must have backup privileges. To restore a

configuration, you must have restore privileges.

■ You can only back up the active configuration. Any changes that have not been saved and activated

are not included in the backup.

■ If you are restoring a configuration to a different security gateway, the target machine security

gateway must have the same, or more interfaces, than the original security gateway.

You can use following procedures to back up and restore configurations:

■ Backing up configuration files from the SGMI

■ Restoring security gateway configuration files from the SGMI

■ Using command-line utilities to perform a local or remote backup

Related information

For further information related to this topic, see the following:

■ “About clustering” on page 509

Backing up configuration files from the SGMI

Before you backup your configuration, save and activate your changes.

The following parts of the security gateway configuration are not restored as part of the restore
operation. You need to recreate these items following a backup and restore operation:

■ Administrator password

■ Cluster associations

These are the cluster name, heartbeat interface, and member information.

Backing up and restoring configurations

■ License installations

Back up your license files separately so that you can reinstall them after restoring your

configuration. You cannot reinstall the licenses from one security gateway on another security

gateway.

Note: In a clustered environment, backing up and restoring a cluster node’s configuration does not
restore the clusters associations. You must run the Cluster Wizard following the restore to re-establish
the cluster association.

Prerequisites

Complete the following tasks before beginning this procedure:

■ “Saving and activating configuration changes” on page 59

■ “Creating administrator accounts” on page 67

To back up configuration files from the SGMI

1 In the SGMI, on the File menu, click Backup.

2 In the Backup dialog box, in the Password text box, type a backup/restore password.

3 In the Verify password text box, retype the password, and then click OK.

4 In the Save dialog box, navigate to the location where you want to save the backup file.

99Maintaining your security gateway

5 In the File name field, type a name for the backup file.

The default file type is .bk.

6 Click Save.

7 When you are notified that the backup has completed successfully, click OK.

Related information

For further information related to this topic, see the following:

■ “Backup dialog box” on page 774

■ “Using command-line utilities to perform a local or remote backup” on page 101

■ “Restoring security gateway configuration files from the SGMI” on page 99

■ “Backing up and restoring cluster configurations” on page 534

Restoring security gateway configuration files from the SGMI

The SGMI has a restore option that lets you restore a security gateway configuration to the security
gateway from which you made the backup file, or to another security gateway. For example, if you have
configured one security gateway and want the same configuration on another security gateway, you
can replicate the configuration by restoring the backup of the first security gateway to the second
security gateway.

You can also use the Restore Wizard to restore the following:

■ A security gateway that is part of a cluster

■ Configurations created using Symantec Gateway Security v2.0, Symantec Clientless VPN Gateway

v5.0, or Symantec Enterprise Firewall v8.0 software

For detailed information about restoring configurations for these versions of the security

gateway, see the chapter on upgrading in the Symantec Gateway Security 5000 Series v3.0

Installation Guide.

100 Maintaining your security gateway

Backing up and restoring configurations

This procedure describes using the SGMI to restore a Symantec Gateway Security 5000 Series v3.0
configuration to a security gateway that is not part of a cluster.

Prerequisites

Complete one of the following tasks before beginning this procedure:

■ “Backing up configuration files from the SGMI” on page 98

■ “Performing a local command line backup” on page 102

■ “Performing a remote command line backup” on page 102

To restore security gateway configuration files from the SGMI

1 In the SGMI, on the File menu, click Restore.

2 In the Restore Wizard welcome panel, click Next.

3 In the Optional Features panel, enable or disable licensed features, and then click Next.

4 In the Setup Options panel, ensure that Standalone gateway is selected, and then do one of the

following:

■ To use the network interface configuration that was saved with the backup that you are

■ To map network interfaces from the backup file to the interfaces currently configured for this

■ To maintain the network settings that are currently configured on the security gateway, click

5 Click Next.

6 In the Restore Settings panel, do the following:

■ Click Restore from a Symantec Gateway Security backup image.

■ To the right of the Backup file text box, click Browse.

■ In the Open dialog box, navigate to the location of the backup file. Select it and click Open.

■ In the Password text box, type the password that was used to backup the security gateway

■ Optionally, to restore the local administrator accounts that are defined in the backup file,

restoring, click Restore backup configuration’s network interfaces data.

security gateway, click Merge backup configuration’s network interfaces data.

Use current network interfaces data.

configuration.

check Restore administrator accounts.

7 Click Next.

One of two things happens:

■ If the restore is successful, the Machine Settings panel is displayed.

■ If the restore is unsuccessful, click OK to clear the error message that informs you that the

restore has been rolled back, and then click Cancel to exit the wizard.

8 In the Machine Settings panel, do one of the following:

■ Make changes to machine and system settings and then click Next.

■ To proceed without making changes, click Next.

9 In the Network Interfaces panel, do one of the following:

■ Make changes to network interfaces, and then click Next.

■ To proceed without making changes, click Next.

10 In the Confirmation panel, review the summary of your configuration.

11 Click Finish.

After the restored configurations have been validated, a message tells you that the security

gateway will be rebooted in 30 seconds and asks if you want to reboot immediately