Self Provisioning Portal User Guide - Check Point

Self Provisioning Portal User Guide
Version 8.1
Part No.: 701425


© 2012 Check Point

All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS:
Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks.
Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.


Latest Software
We recommend that you install the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and protection against new and evolving attacks.

Latest Documentation
The latest version of this document is at: http://supportcontent.checkpoint.com/documentation_download?ID=15581
For additional technical information, visit the Check Point Support Center (http://supportcenter.checkpoint.com).

Revision History
Date             Description
18 April 2012    Rebranded to Check Point
April 2010       First release of this document


Contents

Introduction .... 1
  About This Guide .... 1
  Intended Audience .... 1
  Document Conventions .... 2
  Related Publications .... 2
  Contacting Technical Support .... 2
Getting Started .... 3
  Software Requirements .... 3
  Logging in to the Check Point Self Provisioning Portal .... 4
  Using the SPP Main Screen .... 5
  Accessing Online Help .... 8
  Logging Out .... 9
  Automatic Logout .... 9
  Changing Your Password .... 9
Managing Your Gateways .... 11
  Viewing and Editing Gateways .... 12
  Locking and Unlocking Settings .... 15
  Configuring General Settings .... 18
  Configuring Service Settings .... 20
  Configuring Setup Settings .... 25
  Configuring Security Settings .... 52
  Configuring SmartDefense Settings .... 75
  Configuring VStream Antivirus Settings .... 125
  Configuring VStream Antispam Settings .... 137
  Configuring Web Filtering Settings .... 159
  Configuring Email Filtering Settings .... 171
  Configuring Firmware Settings .... 174
  Configuring Network Settings .... 176
  Configuring VPN Settings .... 260
  Configuring DNS Settings .... 298
  Configuring Reporting Settings .... 301
  Configuring Internal Gateway User Settings .... 302
  Configuring Custom Fields .... 307
  Viewing Gateway Owner Information .... 308
  Resetting Individual Nodes to Default Settings .... 310
  Viewing Gateway Statuses .... 310
  Performing Vulnerability Scans on Gateways .... 313
Managing Your User Account .... 317
  Viewing and Editing Users .... 317
  Configuring User Account Expiration .... 320
  Configuring Contact Details .... 321
  Configuring Community Memberships .... 322
  Configuring Access Permissions .... 322
  Configuring Custom Fields .... 326
  Viewing User Statuses .... 326
Viewing Logs .... 329
  Viewing General Logs .... 329
  Viewing Security Logs .... 331
  Filtering Logs .... 334
Viewing Reports .... 343
  Viewing Gateway Security Reports .... 343
  Viewing Gateway Vulnerability Reports .... 343
Glossary of Terms .... 345
Index .... 355


Chapter 1
Introduction

The Self Provisioning Portal (SPP) is a Web site that enables you to perform selected tasks, including:
• Viewing and/or configuring specific gateway settings
• Viewing and/or configuring specific user account details
• Viewing logs related to your gateways and user account
• Viewing reports for your gateways

Note: Your service provider chooses which settings can be viewed and/or modified. Therefore, some tasks described in this guide may be unavailable in the SPP.

This chapter includes the following topics:
About This Guide .... 1
Intended Audience .... 1
Document Conventions .... 2
Related Publications .... 2
Contacting Technical Support .... 2

About This Guide
This guide contains all the information necessary to use the SPP.

Intended Audience
This guide is intended for gateway owners whose gateways are managed by the SMP.


Document Conventions
To make finding information in this manual easier, some types of information are marked with special symbols or formatting.
Boldface type is used for command and button names.

Note: Notes are denoted by indented text and preceded by the Note icon.

Warning: Warnings are denoted by indented text and preceded by the Warning icon.

Related Publications
This guide should be used in conjunction with your Embedded NGX appliance's user guide.

Contacting Technical Support
For support and additional documentation, see www.checkpoint.com/support (http://supportcenter.checkpoint.com).


Logging in to the Check Point Self Provisioning Portal

To log in to the SPP
1. Do one of the following:
   • Browse to http://<ISP_server>/SPP, where ISP_server is the name of the server on which the SPP is installed.
   • In the local management portal (my.firewall), in the main menu, click Services > Account, and then click the Configure your account link.
   The Self Provisioning Portal Login page appears.
2. If you forgot your password, do the following:
   a. Click I forgot my password.
      The Change Password dialog box appears.
   b. In the User Name field, type your username.
   c. In the Email Address field, type your email address.


   d. In the Portal drop-down list, select the SMP virtual portal to which you are assigned.
   e. Click Get New Password.
      The system generates a new password and sends it to your email address.
3. Type your username and password in the appropriate fields.
4. To save your username as the default for future logins from your computer, select the Save As Default check box.
5. In the Portal drop-down list, select the SMP virtual portal to which you are assigned.
6. Click Login.
   The SPP main screen appears.

Using the SPP Main Screen
The SPP main screen consists of two separate panes. The SPP menu appears in the left pane and the workspace area appears in the right pane. Use the menu to navigate the SPP application, according to the tasks you want to perform. When you select a menu option, the appropriate page is displayed in the workspace.


Note: Your service provider chooses which settings can be viewed and/or modified in the SPP. Therefore, some of the SPP menu items may not appear.

Using the Workspace Navigation Tree
In some cases, the workspace contains a navigation tree. When you click on a node in the tree, the relevant fields appear in the workspace's right pane.
Some nodes can be expanded or collapsed.

To expand a node
Click the icon next to the node.
The node is expanded, revealing its sub-nodes.

To collapse a node
Click the icon next to the node.
The node is collapsed.


To collapse all nodes in the tree
Right-click on any node, then click Collapse all.
All of the nodes in the tree are collapsed.

Understanding the Status Bar
The status bar appears at the bottom of each page and displays the following:
• User information in the format: username @ portal (role)
  where:
  username - The name of the user
  portal - The SMP virtual portal to which the user is connected
  role - The user's role.
• The product version

Completing Fields
When using the SPP, you will often need to complete form fields. Fields that are mandatory but currently empty appear in pink, and you must complete them.

Viewing and Navigating Tables
The SPP provides various options for viewing and navigating workspace tables.

To view and navigate workspace tables
1. At the top of the table, in the Results bar, do any of the following:
   • Click the number of the table page you want to view.
   • Click the icon to display the next page.
   • Click the icon to display the previous page.
   • Click the icon to view the last page.
   • Click the icon to view the first page.
   The desired page is displayed.
2. To jump to the top of the page, click Top.


   This option is not available for all tables.
3. To specify the number of items to display per page, in the Rows drop-down list, select the desired number.
   This option is available for most tables.
4. To refresh the table's contents, click the refresh icon.

Sorting Tables
You can sort most workspace tables according to a specific table column.
The sort order is persistent throughout the user session.

To sort tables according to a specific column
1. In the table, click on the desired column header.
   The table is sorted according to the specified column in ascending order.
   The column according to which the table is currently sorted is marked by an arrow, indicating the sort order.
2. To change the sort order, click on the column header again.
   The sort order changes to descending order.

Reverting Changes to Settings
In many of the SPP pages, you can revert changes that have not yet been saved, by clicking the button.

Accessing Online Help
You can access online help from some of the SPP pages by clicking the icon in the upper right corner of the page.


Logging Out

To log out of the SPP
Click the icon in the upper right corner of the page.
The Login page appears, informing you that you have logged out. If desired, you can log in to the SPP again.

Automatic Logout
For security reasons, the SPP automatically logs you off after fifteen minutes of inactivity. To continue working, you must log in to the SPP again.

Changing Your Password
You can change your password at any time. For information on changing your password, see Viewing and Editing Users on page 317.


Chapter 3
Managing Your Gateways

A service plan is a template that specifies a set of gateway features. Each gateway is assigned to a plan, and by default, inherits its settings from the plan. These default settings can be overridden on a per-gateway basis, if desired.

Note: Plan and gateway settings that are configured in the SPP are centrally managed and cannot be modified in the local gateway.

This chapter explains how to manage your gateways.

This chapter includes the following topics:
Viewing and Editing Gateways .... 12
Locking and Unlocking Settings .... 15
Configuring General Settings .... 18
Configuring Service Settings .... 20
Configuring Setup Settings .... 25
Configuring Security Settings .... 52
Configuring SmartDefense Settings .... 75
Configuring VStream Antivirus Settings .... 125
Configuring VStream Antispam Settings .... 137
Configuring Web Filtering Settings .... 159
Configuring Email Filtering Settings .... 171
Configuring Firmware Settings .... 174
Configuring Network Settings .... 176
Configuring VPN Settings .... 260
Configuring DNS Settings .... 298
Configuring Reporting Settings .... 301
Configuring Internal Gateway User Settings .... 302
Configuring Custom Fields .... 307
Viewing Gateway Owner Information .... 308
Resetting Individual Nodes to Default Settings .... 310
Viewing Gateway Statuses .... 310
Performing Vulnerability Scans on Gateways .... 313


Viewing and Editing Gateways
You can view and edit a gateway's details.

To view or edit an existing gateway's properties
1. In the SPP menu, click My Gateways.
   The My Gateways page appears with a list of your gateways.
   For each gateway, the product name, subscription expiration date, and status are displayed. The gateway status icon indicates whether the gateway is currently connected, not connected, or disabled or externally managed.
2. Click on the desired gateway's name.
   The My Gateways page navigation tree appears with the General node selected.
3. To view additional gateway settings, in the navigation tree, expand and click on the relevant nodes.
4. To edit the gateway, do the following:
   a. Edit the desired fields using the information in the following table.
   b. Click the button.


      If configured to do so, the SMP sends you an email notification, informing you of changes to the gateway's Registration Key and/or server group.
   c. You can configure additional gateway settings as desired, by doing one or more of the following:
      • To configure general settings, see Configuring General Settings on page 18.
      • To configure service settings, see Configuring Service Settings on page 20.
      • To configure setup settings, see Configuring Setup Settings on page 25.
      • To configure security settings, see Configuring Security Settings on page 52.
      • To configure SmartDefense settings, see Configuring SmartDefense Settings on page 75.
      • To configure VStream Antivirus settings, see Configuring VStream Antivirus Settings on page 125.
      • To configure VStream Antispam settings, see Configuring VStream Antispam Settings on page 137.
      • To configure Web Filtering settings, see Configuring Web Filtering Settings on page 159.
      • To configure Email Filtering settings, see Configuring Email Filtering Settings on page 171.
      • To configure firmware settings, see Configuring Firmware Settings on page 174.
      • To configure network settings, see Configuring Network Settings on page 176.
      • To configure VPN settings, see Configuring VPN Settings on page 260.
      • To configure DNS settings, see Configuring DNS Settings on page 298.
      • To configure Reporting settings, see Configuring Reporting Settings on page 301.
   All gateway settings are edited in the relevant nodes of the My Gateways page.


Table 1: Gateway Configuration Fields

Name
  The gateway's name.
  For example: gw157

Description
  Type a short description of the device.
  For example: Appliance used in NY office

Enabled
  Select this option to enable the gateway.
  If the check box is cleared, the gateway is disabled and cannot connect to the SMP.

Gateway Type
  The gateway's appliance type.
  This field is read-only.
  For example: Safe@Office 500

Managed by SMP
  If the gateway is externally managed (that is, it is not managed by this SMP), clear this check box.

Plan
  Select a plan for this gateway.
  The plan specifies which services will be provided to the gateway.
  By default, a gateway inherits its settings from the plan. For information on unlocking the gateway's settings from the plan, see Locking and Unlocking Settings on page 15.
  Once you select a plan, the plan's type appears below this field. For example: Remote Management.
  For example: Silver

MAC Address
  Type the unique physical identifier of the appliance.
  The format is XX:XX:XX:XX:XX:XX, where X is a numeral from 1-9, or a letter from A-F.
  The MAC address appears on the bottom of the appliance and on the barcode sticker on the shipping box.
  Note: If you do not fill in this field, it will be filled in automatically, when the gateway connects to the SMS for the first time.
  For example: 00:00:26:22:28:26

Use MAC Address
  Select this option to specify that the gateway should use its MAC address to authenticate to the SMS.
  You must fill in the MAC Address field.

Use Registration Key
  Select this option to specify that the gateway should use a registration key to authenticate to the SMS.
  Then type a Registration Key string of your choice in the field provided, or click the icon to randomly generate a new Registration Key.
  For example: wVktmLQe

Static IP
  If the gateway has a static IP address, type the static IP address.

Reported IP
  The IP address that the gateway used when it last connected to the SMS.

Locking and Unlocking Settings
By default, an SMP-managed gateway inherits its settings from the plan to which it is subscribed. If desired, you can override some of these inherited settings.
In the Main > Gateways > Edit page's navigation tree, individual nodes are marked with icons to indicate whether the node's settings are "locked to plan" (inherited) or "unlocked from plan" (overridden):
• Locked icon - The node's settings and its sub-nodes' settings are locked to plan.


• Unlocked icon - The node's settings and its sub-nodes' settings are unlocked from plan.

Note: The following settings are unlocked and locked together:
• Firewall Rules
• NAT
• VStream Antivirus
• VStream Antispam
• Local Web Rules
• QoS Classes
• Network Objects
• Network Services
• Static Routes
• VPN Sites

Unlocking from Plan
You can override inherited settings in an individual node and all of its sub-nodes, by unlocking the node from plan.

To unlock an individual node from plan
1. Do one of the following:
   • Right-click on the desired node, and click Unlock from plan in the popup menu that appears.
   Or
   • Click the desired node, and click the icon.
   The following things happen:


   • When unlocking certain nodes, the Lock / Unlock Confirmation window opens. Click OK.
   • The node's icon changes to the unlocked icon.
2. Click the button.

Locking Nodes to Plan
You can reset an individual node and all of its sub-nodes to the values specified in the gateway's plan, by locking the node to plan.

To lock an individual node to plan
1. Do one of the following:
   • Right-click on the desired node, and click Lock to plan in the popup menu that appears.
   Or
   • Click the desired node, and click the icon.
   The following things happen:
   • When unlocking certain nodes, the Lock / Unlock Confirmation window opens. Click OK.
   • The node's icon changes to the locked icon.
2. Click the button.
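The lock/unlock rules above (a node and all of its sub-nodes inherit from the plan until unlocked; locking discards the overrides; the listed settings move together) are the same rules an operator has to apply when asking "which of my gateways no longer follow the centrally managed plan?". The following model, added here as an illustration and not Check Point code, resolves the effective value of each node for one gateway and lists the nodes that deviate from the plan. The node paths, plan values and override values are constructed sample data; only the group of settings that lock and unlock together is taken from the guide.

```python
"""Effective-settings resolution for plan-managed gateways (added example,
not Check Point code). Models the behaviour the guide describes: a gateway
inherits every node from its plan unless the node or one of its ancestors
is unlocked from plan, and the grouped settings lock and unlock together.
Node paths and values below are constructed for the example.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Settings the guide says are unlocked and locked together.
LOCK_GROUP = frozenset({
    "Firewall Rules", "NAT", "VStream Antivirus", "VStream Antispam",
    "Local Web Rules", "QoS Classes", "Network Objects", "Network Services",
    "Static Routes", "VPN Sites",
})

# Constructed plan: node path -> value the plan prescribes.
PLAN = {
    "Setup > Management Protocols > HTTPS": "local only",
    "Setup > Management Protocols > SSH": "disabled",
    "Firewall Rules": "plan ruleset",
    "NAT": "plan NAT",
    "Services > Logging > Send logs every": 300,
}


@dataclass
class Gateway:
    name: str
    plan: dict[str, object]
    overrides: dict[str, object] = field(default_factory=dict)  # gateway-level values
    unlocked: set[str] = field(default_factory=set)              # nodes unlocked from plan

    def _group_members(self, node: str) -> set[str]:
        """Grouped top-level settings are locked/unlocked as one unit."""
        if node.split(" > ")[0] in LOCK_GROUP:
            return set(LOCK_GROUP)
        return {node}

    def unlock(self, node: str) -> None:
        """Unlock from plan: the node, its sub-nodes and (if grouped) its group."""
        self.unlocked |= self._group_members(node)

    def lock(self, node: str) -> None:
        """Lock to plan: discard overrides in the node and all of its sub-nodes."""
        members = self._group_members(node)
        self.unlocked -= members
        for path in list(self.overrides):
            if any(path == m or path.startswith(m + " > ") for m in members):
                del self.overrides[path]

    def is_unlocked(self, node: str) -> bool:
        """A node is unlocked if it or any ancestor node is unlocked."""
        parts = node.split(" > ")
        return any(" > ".join(parts[:i]) in self.unlocked
                   for i in range(1, len(parts) + 1))

    def effective(self, node: str) -> object:
        """Value in force: the override only counts once the node is unlocked."""
        if self.is_unlocked(node) and node in self.overrides:
            return self.overrides[node]
        return self.plan[node]

    def audit_overrides(self) -> list[str]:
        """Nodes whose effective value differs from the plan."""
        return sorted(n for n in self.plan if self.effective(n) != self.plan[n])


def demo() -> dict:
    """Walk through an unlock, an override, a grouped unlock and a re-lock."""
    gw = Gateway("gw157", PLAN)
    gw.unlock("Setup > Management Protocols")           # parent node unlocked
    gw.overrides["Setup > Management Protocols > SSH"] = "enabled"
    gw.unlock("Firewall Rules")                           # drags NAT along (grouped)
    gw.overrides["NAT"] = "gateway NAT"
    before = gw.audit_overrides()
    gw.lock("Setup > Management Protocols")               # SSH falls back to plan
    return {"before": before, "after": gw.audit_overrides(),
            "nat_unlocked": gw.is_unlocked("NAT"),
            "ssh": gw.effective("Setup > Management Protocols > SSH")}


if __name__ == "__main__":
    print(demo())
```

The audit list is the thing to review periodically: an unlocked node is exactly where a gateway's security posture can drift from what the plan prescribes.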


Configuring General Settings
The following general settings can be configured in the plan:
• Community settings
• Server group settings
All gateways subscribed to the plan will take their general settings from the plan, by default. If desired, you can override the inherited general settings for a specific gateway, by configuring these settings in the gateway.

Note: You cannot override the service settings inherited from the plan.

Configuring Community Settings

To configure community settings
1. In the navigation tree, expand the General > Community node.
   The Community fields appear.
2. If configuring settings for a specific gateway, unlock the node from plan.
3. Select the Join a community check box.


   The fields are enabled.
4. Complete the fields using the following table.
5. Click the button.

Table 2: Community Fields

Community
  Select the community to which the gateway(s) should belong.

Member Type
  Select the gateway's role in the community.
  Note: Only a Star VPN community can have a gateway with the role of "Center Gateway".

Configuring Server Group Settings

To configure server group settings
1. In the navigation tree, click the General > Server Group node.


   The Server Group fields appear.
2. If configuring settings for a specific gateway, unlock the node from plan.
3. In the Server Group drop-down list, select the server group to use for this gateway.
4. Click the button.

Configuring Service Settings
The following service settings can be configured in the plan:
• General service settings
• Subscription period
• Self-Provisioning Portal (SPP) URL
• Logging settings
All gateways subscribed to the plan will take their service settings from the plan, by default. If desired, you can override the inherited service settings for a specific gateway, by configuring these settings in the gateway.


Note: You cannot override the service settings inherited from the plan.

Configuring Subscription Settings

To configure subscription settings
1. In the navigation tree, click the Services > Subscription Period node.
   The Subscription Period fields appear.
2. Unlock the node from plan.
3. Select the Gateway will expire in check box.
   The fields are enabled.
4. Complete the fields using the information in the table below.
5. Click the button.


Table 3: Subscription Settings Fields

Gateway will expire in
  Type the number of months that the subscription should be valid.
  For example: 12

Start From
  Specify when the subscription starts, by clicking one of the following:
  • First Login. Sets the subscription's starting date to the first time that the gateway connects to the SMC.
  • Specified date. Sets the subscription's starting date to a specific date. The Specified date field appears and you must fill it in.
  For example: Specified date

Specified date
  Click in the field, and then do one of the following:
  • Type the date on which the subscription should start, in the format DD/MM/YYYY.
  • Click on the desired subscription start date in the calendar that appears.
  • Click Start Now to specify that the subscription should start immediately.
  For example: 05/07/2009

Expires On
  The expiration date of the subscription.
  If the expiration date has passed, this field changes to "Expired On", and it appears in red.
  This field is read-only. It is filled in and calculated based on the time limit and the starting date.
  For example: July 5, 2010

First Login
  The date on which the gateway first connected to the SMC.
  This field is read-only.
  For example: August 01, 2009
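Table 3 describes Expires On as a read-only value computed from the start date and the number of months, and says the label flips to "Expired On" once that date has passed. The following function, added here as an illustration and not Check Point code, performs that calculation for the DD/MM/YYYY input format, handles the month-end edge case that naive month arithmetic gets wrong, and reports which label applies on a given day. The sample values (12 months, 05/07/2009) are the table's; the "today" dates are constructed for the example.

```python
"""Subscription-period arithmetic from Table 3 (added example, not Check
Point code). Computes the Expires On date from the Specified date and the
number of months, and reports whether the SPP would show "Expires On" or
"Expired On" on a given day. The DD/MM/YYYY format and the sample values
come from the guide; the reference day is constructed for the example.
"""
from __future__ import annotations
import calendar
from datetime import date, datetime


def parse_spp_date(text: str) -> date:
    """Parse the DD/MM/YYYY format used by the Specified date field."""
    return datetime.strptime(text, "%d/%m/%Y").date()


def add_months(start: date, months: int) -> date:
    """Add calendar months, clamping the day to the target month's length
    (31 January + 1 month becomes 28 or 29 February, not an error)."""
    if months < 0:
        raise ValueError("subscription length must be non-negative")
    month_index = start.month - 1 + months
    year = start.year + month_index // 12
    month = month_index % 12 + 1
    day = min(start.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def expiration_field(start_text: str, months: int, today: date) -> tuple[str, str]:
    """Return (label, value) as the read-only field would present them:
    'Expires On' while the subscription is still valid, 'Expired On' once
    the expiration date lies in the past. The date is rendered DD/MM/YYYY."""
    expires = add_months(parse_spp_date(start_text), months)
    label = "Expired On" if expires < today else "Expires On"
    return label, expires.strftime("%d/%m/%Y")


if __name__ == "__main__":
    print(expiration_field("05/07/2009", 12, date(2010, 1, 1)))
    print(expiration_field("05/07/2009", 12, date(2012, 1, 1)))
```

The expiration date itself is treated as still valid; the field only reads "Expired On" from the following day.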


Configuring the SPP URL

To configure the SPP URL
1. In the navigation tree, click the Services > SPP URL node.
   The Self Provisioning Portal URL fields appear.
2. If needed, unlock the node from plan.
3. Select the Remotely manage Self Provisioning Portal URL check box.
   The fields are enabled.
4. In the Self Provisioning Portal URL field, type the desired SPP's URL.
   Note: If you do not fill in this field, SPP use will be disabled for the gateway or plan.
5. Click the button.


Configuring Logging Settings

To configure logging settings
1. In the navigation tree, click the Services > Logging node.
   The Logging fields appear.
2. If needed, unlock the node from plan.
3. Complete the fields using the information in the table below.
4. Click the button.

Table 4: Logging Fields

Send logs every
  Type the interval of time for logging (in seconds).
  Setting a long interval reduces the load on the server, but delays the arrival of log messages. Furthermore, since log packets are limited in size, they may be filled before the set interval has elapsed. Any log events that occur after a packet is filled are not included in the packet and are lost.
  The default value is 300.
  For example: 300

Limit the amount of logs sent in each interval
  Select this option to limit the amount of log packets sent by the gateway to one log packet per interval. Each packet may contain several messages of up to 1.5 KB apiece.
  When this option is disabled, if the log buffer becomes full before the defined interval, it is sent immediately to the server. This prevents loss of log messages, but may increase the load on the server.
  When this option is enabled, the log messages from the gateway are not transferred immediately to the SMS. This increases logging efficiency by aggregating multiple messages into every log packet. Furthermore, by limiting the amount of logging traffic, this option makes it less likely that a single gateway will overwhelm the server with a large amount of log messages.

Configuring Setup Settings
If a plan specifies remote management, the following setup settings can be configured in the plan:
• Management protocols, including HTTPS, SSH, and SNMP
• Syslog logging
• RADIUS user authentication


Configuring Setup SettingsLicense settingsProduct customization settingsDate and time settingsCLI scripts<strong>User</strong> interface settingsRemote Desktop settingsInternal DNS server settingsAll gateways subscribed to the plan will take their setup settings from the plan, by default.If desired, you can override the inherited setup settings for a specific gateway, byconfiguring these settings in the gateway. In addition, you can also configure licensesettings for a specific gateway.Configuring Management ProtocolsConfiguring HTTPSTo configure HTTPS1. In the navigation tree, click the Setup > Management Protocols > HTTPS node.The HTTPS fields appear.2. If needed, unlock the node from plan.3. Select the Remotely manage HTTPS check box.26 <strong>Self</strong> <strong>Provisioning</strong> <strong>Portal</strong> <strong>User</strong> <strong>Guide</strong>


   The fields are enabled.
4. In the Access From drop-down list, specify from where HTTPS access should be allowed.
   See Access Options on page 28 for information.
   If you selected IP Address Range, additional fields appear.
5. If you selected IP Address Range, enter the desired IP address range in the fields provided.
6. Click .

Table 5: Access Options

Internal Networks
    To allow access from: The internal network only.
    This disables remote access capability. This is the default.

Internal Networks + VPN
    To allow access from: The internal network and VPN.

IP Address Range
    To allow access from: A particular range of IP addresses.
    Additional fields appear, in which you can enter the desired IP address range.
    Note: You can allow access from multiple IP address ranges, by creating appropriate firewall rules with the destination This Gateway.

Any
    To allow access from: Any IP address.

Configuring SSH

To configure SSH
1. In the navigation tree, click the Setup > Management Protocols > SSH node.
   The SSH fields appear.
2. If needed, unlock the node from plan.
3. Select the Remotely manage SSH check box.


   The fields are enabled.
4. In the Access From drop-down list, specify from where Secure Shell (SSH) access should be allowed.
   See Access Options on page 28 for information.
   Note: Some gateway types do not support SSH remote access. In these gateway types, the SSH settings will be ignored.
   If you selected IP Address Range, additional fields appear.
5. If you selected IP Address Range, enter the desired IP address range in the fields provided.
6. Click .

Configuring SNMP

Note: You can configure SNMP traps using CLI. For information on using CLI, see Using CLI Scripts on page 44. For information on the relevant commands for SNMP traps, refer to the Embedded NGX CLI Reference Guide.

To configure SNMP
1. In the navigation tree, expand the Setup > Management Protocols > SNMP node.
   The SNMP fields appear.
2. If needed, unlock the node from plan.
3. Select the Remotely manage SNMP check box.
   The fields are enabled.
4. Complete the fields using the information in the table below.
   If you enabled SNMP access, additional fields appear.


5. Click .

Table 6: SNMP Fields

Access From
    Do this: Specify from where Simple Network Management Protocol (SNMP) access should be allowed, by selecting one of the following:
        Internal Network. The internal network only. This disables remote SNMP capability.
        Internal Network + VPN. The internal network and VPN.
        IP Address Range. A particular range of IP addresses.
        Any. Any IP address.
        Disabled. Nowhere. This disables both local and remote access capability.
    Note: Some gateway types do not support SNMP. In these gateway types, the SNMP settings will be ignored.
    Note: You can allow access from multiple IP address ranges, by creating appropriate firewall rules with the destination This Gateway.
    For example: IP Address Range

IP Range
    Do this: Type the desired IP address range.

Community
    Do this: Type the password used for authentication in SNMP.

Location
    Do this: Type a description of the monitored device's physical location.

Contact
    Do this: Type the name of the person to contact regarding the monitored device.

Port
    The port to use for SNMP. The default port is 161.
    This field is read-only.
    For example: 161

Configuring Syslog Logging

You can send gateway logs directly to a specified Syslog server.

This is useful if you want to send a specific gateway's logs to a private Syslog server. If you want to collect multiple gateways' logs at a central location, it is more secure and efficient to use Check Point logging (see the Services > Logging node).

To configure Syslog settings
1. In the navigation tree, expand the Setup > Syslog node.
   The Syslog fields appear.
2. If needed, unlock the node from plan.
3. Select the Remotely manage Syslog Logging check box.
   The fields are enabled.
4. In the IP Address field, type the IP address of the computer that will run the Syslog service.
5. In the Port field, type the port number of the Syslog server.
   The default port is 514 UDP.
6. Click .

Configuring RADIUS User Authentication

To configure RADIUS user authentication
1. In the navigation tree, click the Setup > RADIUS node.
   The RADIUS fields appear.
2. If needed, unlock the node from plan.
3. Select the Remotely manage RADIUS check box.


   The fields are enabled.
4. Complete the fields using the information in the table below.
5. Click .

Table 7: RADIUS Fields

Primary Server / Secondary Server
    Do this: Configure the primary and secondary RADIUS servers.
    If the gateway is part of a community that is configured for User Authentication, then when a user logs on to the gateway, the gateway first consults the local user database, then the RADIUS servers (if configured), and finally the SMP user database.
    When consulting the RADIUS servers, the gateway sends a request to the primary RADIUS server first. If the primary RADIUS server does not respond after three attempts, the gateway will send the request to the secondary RADIUS server.

IP Address
    Do this: Type the IP address of the computer that will run the RADIUS service.

Port
    Do this: Type the port number on the RADIUS server's host computer. The default port is 1812.

Shared Secret
    Do this: Type the shared secret to use for secure communication with the RADIUS server.

RADIUS Realm
    Do this: If the organization uses RADIUS realms, type the realm to append to RADIUS requests. The realm will be appended to the username as follows: <username>@<realm>.
    For example, if you set the realm to "myrealm", and the user "JohnS" attempts to log in to the my.firewall portal, the gateway will send the RADIUS server an authentication request with the username "JohnS@myrealm".

Timeout
    Do this: Type the interval of time in seconds between attempts to communicate with the RADIUS server. The default value is 3 seconds.

RADIUS Accounting
    Do this: Select this option to enable RADIUS accounting on the server.
    The Accounting Port field appears.

Accounting Port
    Do this: Type the port number on the RADIUS server's host computer to use for RADIUS accounting purposes. The default port number is 1813.

User Permissions
    If the RADIUS VSA (Vendor-Specific Attribute) is configured for a user, the fields in this area will have no effect, and the user will be granted the permissions specified in the VSA. If the VSA is not configured for the user, the permissions configured in this area will be used.

Access Level
    Do this: Select the level of access to the my.firewall portal to assign to all users authenticated by the RADIUS server. The levels are:
        None. The user cannot access the My.firewall portal. This is the default level.
        Read-only. The user can log in to the My.firewall portal, but cannot modify system settings.
        Read/Write. The user can log in to the My.firewall portal and modify system settings.
    For example: Read-only

VPN Remote Access
    Do this: Select this option to allow RADIUS authenticated users to connect to the gateway using a VPN client.

Web Filtering Override
    Do this: Select this option to allow RADIUS authenticated users to override Web Filtering.

HotSpot Access
    Do this: Select this option to allow RADIUS authenticated users to access the My HotSpot page.

Remote Desktop Access
    Do this: Select this option to allow the user to log in to the my.firewall portal, view the Active Computers page, and remotely access computers' desktops, using the Remote Desktop feature.
    Note: The user can perform these actions, even if their level of administrative access is "None".

Users Manager
    Do this: Select this option to allow the user to log in to my.firewall and add, edit, or delete "NoAccess"-level users.
    Note: This permission does not enable the user to modify other system settings.
    For example, you could assign this permission to clerks who need to manage HotSpot users.

Advanced Accounting
    This area is only relevant if you enabled RADIUS accounting.

Send Periodic Updates
    Do this: Select this option to specify that the Embedded NGX gateway should send accounting information to the RADIUS server throughout a user session.
    If you do not select this option, the Embedded NGX gateway will only send accounting information to the RADIUS server at the beginning and end of the session.

Update Interval
    Do this: Type the interval of time in seconds at which the Embedded NGX gateway should send accounting information to the RADIUS server during a session.
    The default value is 0.

Configuring License Settings

To configure license settings
1. In the navigation tree, click the Setup > License node.
   The License fields appear.
2. Select the Remotely manage License check box.
   The fields are enabled.
   For information on the fields displayed, see the following table.
3. In the Product Key field, type a product key for the gateway.


   The product key must match the MAC address and gateway type specified in the General node. For information on setting the gateway's MAC address, see Viewing and Editing Gateways on page 12.
4. Click .

Table 8: License Fields

Reported Product Key
    Displays this: The product key installed on the gateway, when the gateway last connected to the SMS.

Reported MAC Address
    Displays this: The gateway's MAC address, when the gateway last connected to the SMS.

Gateway Type
    Displays this: The gateway's type.

Configuring Product Customization Settings

By customizing the product settings, it is possible to limit a gateway to a maximum number of nodes, even if the product key installed for the gateway supports a higher number.

To configure product customization settings
1. In the navigation tree, expand the Setup node.
2. Click the License > Product Customization node.
3. If needed, unlock the node from plan.
   The Product Customization fields appear.
4. To override the nodes limit specified in the license, select the Limit gateway to check box, then type the maximum number of nodes allowed to connect to the gateway simultaneously (that is, the node limit).
   If the gateway product key specifies a different number of nodes, the lower limit will apply. If the node limit is lower than the actual licensed amount specified by the gateway product key, the number of SMP licenses used by this gateway is reduced to the specified amount.
5. To specify that additional nodes should be allowed to connect to the gateway beyond the node limit, in the Grace Amount drop-down list, type the number of additional nodes to allow.
6. Click .
   Note: The sum of the node limit and the grace amount cannot exceed the node limit specified in the gateway's license.

Configuring Date and Time Settings

To configure date and time settings
1. In the navigation tree, click the Setup > Date and Time node.
   The Date and Time fields appear.
2. If needed, unlock the node from plan.
3. Select the Remotely manage Date and Time check box.
   The fields are enabled.
4. Complete the fields using the information in the table below.
5. Click .

Table 9: Date and Time Fields

Time Zone
    Do this: Select the time zone in which the gateway is located.


Use NTP to update date and time
    Do this: Select this option to synchronize the gateway time with a Network Time Protocol (NTP) server.

Primary Server
    Do this: Type the IP address of the Primary NTP server.

Secondary Server
    Do this: Type the IP address of the Secondary NTP server.

Using CLI Scripts

You can fully control all gateway settings, including those settings that are not available in the SPP, by downloading CLI scripts to gateways.

CLI scripts take precedence over all other settings configured in the SPP. For example, if you write a CLI script that sets the firewall level to "Medium", and you also set the firewall level to "High" in the Security tab, then the firewall level will be "Medium".

If the CLI script is deleted, its effects will remain only until negated by other settings. In the preceding example, when the CLI script is deleted, the firewall level is immediately changed to "High" by the existing setting in the Security tab.

SMP supports using the following CLI commands:
    add
    clear
    set

For information on these commands and their variables, refer to the Embedded NGX CLI Reference Guide.

The add command must be preceded by the clear command. For example:

    clear routes
    add routes network 2.2.3.0 netmask 255.255.255.0 gateway 1.2.3.4 metric 50
    add routes network 2.3.3.0 netmask 255.255.255.0 gateway 1.2.3.5 metric 50

If the CLI script contained only the add command, and the script was executed more than once, then multiple items (in this case, routes) would be added. Therefore, the SPP will not allow you to save CLI scripts that do not have clear commands before add commands.

To use a CLI script
1. In the navigation tree, click the Setup > CLI Script node.
   The CLI Script fields appear.
2. If needed, unlock the node from plan.
3. Select the Remotely manage CLI Script check box.
   The fields are enabled.
4. In the text box, type or paste a CLI script.
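The save-time rule described above (an add command must be preceded by a clear command, so that re-running the script does not add duplicate items) as an added Python checker; this is not SPP or Check Point code. It assumes that a script line has the form "<command> <object> ...", that the clear must name the same object as the add, and that only add, clear and set are accepted; the sample scripts are constructed.

```python
"""Checker for Embedded NGX CLI scripts before they are saved in the SPP.

Added example, not Check Point code. Assumptions (labelled): a script line is
'<command> <object> [args...]', the supported commands are add, clear and set
(as the guide states), and an 'add <object>' is only safe to re-run when a
'clear <object>' for the same object appears earlier in the script.
"""
from __future__ import annotations

SUPPORTED = {"add", "clear", "set"}


def check_cli_script(script: str) -> list[str]:
    """Return a list of problems; an empty list means the script can be saved."""
    problems: list[str] = []
    cleared: set[str] = set()   # objects already cleared earlier in the script
    for lineno, raw in enumerate(script.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        tokens = line.split()
        command = tokens[0].lower()
        obj = tokens[1].lower() if len(tokens) > 1 else ""
        if command not in SUPPORTED:
            problems.append(f"line {lineno}: unsupported command '{tokens[0]}'")
            continue
        if not obj:
            problems.append(f"line {lineno}: '{command}' needs an object name")
            continue
        if command == "clear":
            cleared.add(obj)
        elif command == "add" and obj not in cleared:
            # Order matters: a clear that comes later does not protect this add.
            problems.append(
                f"line {lineno}: 'add {obj}' is not preceded by 'clear {obj}'; "
                "running the script twice would add duplicate entries"
            )
    return problems


# Constructed sample scripts: the first follows the guide's pattern, the second does not.
GOOD_SCRIPT = """\
clear routes
add routes network 2.2.3.0 netmask 255.255.255.0 gateway 1.2.3.4 metric 50
add routes network 2.3.3.0 netmask 255.255.255.0 gateway 1.2.3.5 metric 50
"""

BAD_SCRIPT = """\
add routes network 2.2.3.0 netmask 255.255.255.0 gateway 1.2.3.4 metric 50
delete routes network 2.2.3.0
"""

if __name__ == "__main__":
    for name, script in (("good", GOOD_SCRIPT), ("bad", BAD_SCRIPT)):
        print(name, check_cli_script(script) or "OK")
```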


5. Click .

Configuring User Interface Settings

To configure user interface settings
1. In the navigation tree, click the Setup > User Interface node.
   The User Interface fields appear.
2. Unlock the node from plan.
3. In the User Interface drop-down list, select the user interface to use for the gateway.
   If you select embedded, the gateway will not download a user interface. Instead, it will use the default user interface that is embedded in the firmware file you selected.
4. Click .

Configuring Remote Desktop Settings

To configure Remote Desktop settings
1. In the navigation tree, expand the Setup > Remote Desktop node.
   The Remote Desktop fields appear.
2. If needed, unlock the node from plan.
3. Select the Remotely manage Remote Desktop check box.
   The fields are enabled.
4. To enable Remote Desktop, select the Allow remote desktop access check box.
   New fields appear.
5. Complete the fields using the information in the table below.
6. Click .

Table 10: Remote Desktop Fields

Sharing

Share local drives
    Do this: Select this option to allow the host computer to access hard drives on the client computer. This enables remote users to access their local hard drives when logged in to the host computer.

Share local printers
    Do this: Select this option to allow the host computer to access printers on the client computer. This enables remote users to access their local printer when logged in to the host computer.

Share local smartcards
    Do this: Select this option to allow the host computer to access smartcards on the client computer. This enables remote users to access their local smartcards when logged in to the host computer.

Share local COM ports
    Do this: Select this option to allow the host computer to access COM ports on the client computer. This enables remote users to access their local COM ports when logged in to the host computer.

Advanced

Full screen mode
    Do this: Select this option to open Remote Desktop sessions on the whole screen.

Optimize performance for slow links
    Do this: Select this option to optimize Remote Desktop sessions for slow links. Bandwidth-consuming options, such as wallpaper and menu animations, will be disabled.

Configuring the Internal DNS Server

Embedded NGX gateways include an internal DNS server, which can resolve DNS names for hosts defined as network objects. Each host is assigned a DNS name in the format <network object name>.<domain name suffix>, where <network object name> is the name of the network object representing the host, and <domain name suffix> is the domain name suffix configured for the internal DNS server. The internal DNS server will reply to all DNS requests for the host's DNS name with the host's IP address.

In addition to resolving network objects, the internal DNS server also resolves requests for the current gateway. If a gateway hostname is defined, the DNS server will reply to DNS requests in the format <gateway hostname>.<domain name suffix> with the gateway's internal IP address.

For example, if a computer with the IP address 192.188.22.1 is represented by a network object called "server1", and the internal DNS server is configured with the domain suffix "mycompany.com", then the computer's DNS name will be "server1.mycompany.com", and the internal DNS server will reply to all DNS requests for "server1.mycompany.com" with the IP address 192.188.22.1.

In addition, if the gateway is configured with the hostname "mygateway", the DNS server will reply to all DNS requests for "mygateway.mycompany.com" with the gateway's internal IP address.

Note: The internal DNS server responds to DNS requests from internal network hosts only. It does not respond to requests from the Internet.

To configure internal DNS server settings
1. In the navigation tree, expand the Setup > Internal DNS Server node.
   The Internal DNS Server fields appear.
2. If needed, unlock the node from plan.
3. Select the Remotely manage Internal DNS Server check box.
   The fields are enabled.
4. To enable the internal DNS server, select the Enable the Internal DNS Server check box.
   New fields appear.
5. In the Domain Name Suffix field, type the desired domain name suffix.
6. Click .


Configuring Security Settings

If a plan specifies remote management, the following security policy and firewall settings can be configured in the plan:
    Security level
    Base security policy
    Firewall rules
    Secure Hotspot settings
    NAT rules

All gateways subscribed to the plan will take their security settings from the plan, by default. If desired, you can override the inherited security settings for a specific gateway, by configuring these settings in the gateway.

Configuring the Security Level

When the security level is remotely managed, the local user will not be able to choose between security levels on the local gateway (Low, Medium, High).

To configure the security level
1. In the navigation tree, click the Security > Security Level node.
   The Security Level fields appear.
2. If needed, unlock the node from plan.
3. Select the Remotely manage Security Level check box.
   The fields are enabled.
4. Click the desired security level.
   For a description of each level, see the following table.
5. Click .

Table 11: Firewall Security Levels

Low
    All inbound traffic to the external gateway IP address is blocked, except for ICMP echoes ("pings"). All outbound connections are allowed.

Medium
    All inbound traffic is blocked. All outbound traffic is allowed to the Internet except for Windows file sharing (NBT ports 137, 138, 139 and 445).

High
    All inbound traffic is blocked. Restricts all outbound traffic except for the following: Web traffic (HTTP, HTTPS), email (IMAP, POP3, SMTP), ftp, newsgroups, Telnet, DNS, IPSEC IKE, and VPN traffic.

Block All
    Blocks all access between networks. This does not affect traffic to and from the gateway itself.

Configuring the Base Security Policy

To configure the base security policy
1. In the navigation tree, click the Security > Security Policy node.
   The Security Policy fields appear.
2. If needed, unlock the node from plan.
3. In the Base Policy drop-down list, select the security policy to use for the gateway(s).
   If you select embedded, the gateway will not download a security policy. Instead, it will use the default security policy that is embedded in the firmware file you selected.
4. Click .


Configuring Firewall Rules

Adding and Editing Firewall Rules

To add or edit a firewall rule
1. In the navigation tree, click the Security > Firewall Rules node.
   The Firewall Rules fields appear.
2. If needed, unlock the node from plan.
3. Select the Remotely manage Firewall Rules check box.
   The fields are enabled.
4. Do one of the following:
   To add a new rule, click New.
   To edit an existing rule, click the number next to the rule.
   The Edit Local Rule Wizard opens, with the Edit Local Rule: Step 1 dialog box displayed.
5. Select the type of rule you want to create, using the information in the following table.
6. Click Next.
   The Edit Local Rule: Step 2 dialog box appears.
   The example below shows an Allow and Forward rule.
7. Complete the fields using the information in the following table.
8. Click Next.
   The Edit Local Rule: Step 3 dialog box appears.
9. Complete the fields using the information in the following table.
10. Click Next.
    The Edit Local Rule: Step 4 dialog box appears.
11. Complete the fields using the information in the following table.
12. Click Next.
    The Edit Local Rule: Step 5 dialog box appears.
13. Click Finish.
    The rule appears in the Firewall Rules table.
14. Click .

Table 12: Edit Local Rule Wizard Fields

Allow and Forward
    Do this: Select this rule type to do the following:
        Permit incoming access from the Internet to a specific service and destination IP address in the internal network and then forward all such connections to a specific computer in the network. Such rules are called NAT forwarding rules.
        For example, if the gateway has two public IP addresses, 62.98.112.1 and 62.98.112.2, and the network contains two private Web servers, A and B, you can forward all traffic with the destination 62.98.112.1 to server A, while forwarding all traffic with the destination 62.98.112.2 to server B.
        Permit outgoing traffic from the internal network to a specific service and destination IP address on the Internet and then divert all such connections to a specific IP address. Such rules are called transparent proxy rules.
        For example, you can redirect all traffic destined for a specific Web server on the Internet to a different IP address.
        Redirect the specified connections to a specific port. This option is called Port Address Translation (PAT).
        Assign traffic to a QoS class.
        If Traffic Shaper is enabled for incoming traffic, then Traffic Shaper will handle relevant connections as specified in the bandwidth policy for the selected QoS class. For example, if Traffic Shaper is enabled for incoming traffic, and you create an Allow and Forward rule associating all incoming Web traffic with the Urgent QoS class, then Traffic Shaper will handle incoming Web traffic as specified in the bandwidth policy for the Urgent class.
        For information on Traffic Shaper and QoS classes, see Configuring Traffic Shaper on page 236.
    Note: You must use this type of rule to allow incoming connections if the network uses Hide NAT.
    Note: You cannot specify two Allow and Forward rules that forward the same service to two different destinations.

Allow
    Do this: Select this rule type to do the following:
        Permit outgoing access from the internal network to a specific service on the Internet.
        Permit incoming access from the Internet to a specific service in the internal network.
        Assign traffic to a QoS class.
        If Traffic Shaper is enabled for the direction of traffic specified in the rule (incoming or outgoing), then Traffic Shaper will handle relevant connections as specified in the bandwidth policy for the selected QoS class. For example, if Traffic Shaper is enabled for outgoing traffic, and you create an Allow rule associating all outgoing Web traffic with the Urgent QoS class, then Traffic Shaper will handle outgoing Web traffic as specified in the bandwidth policy for the Urgent class.
        For information on Traffic Shaper and QoS classes, see Configuring Traffic Shaper on page 236.
    Note: You cannot use an Allow rule to permit incoming traffic, if the network or VPN uses Hide NAT. Use an "Allow and Forward" rule instead. However, you can use Allow rules for static NAT IP addresses.

Block
    Do this: Select this rule type to do the following:
        Block outgoing access from the internal network to a specific service on the Internet.
        Block incoming access from the Internet to a specific service in the internal network.

Any Service
    Do this: Click this option to specify that the rule should apply to any service.

Standard Service
    Do this: Click this option to specify that the rule should apply to a specific standard service.
    The Select a service drop-down list appears.

Select a service
    Do this: Select the standard service protocol for which the rule should apply.

Custom Service
    Do this: Click this option to specify that the rule should apply to a specific non-standard service.
    The Protocol and Port Range fields appear.

Protocol
    Do this: Select the protocol (ESP, GRE, TCP, UDP, ICMP, or ANY) for which the rule should apply.

Port Range
    Do this: To specify the port range to which the rule applies, type the start port number in the left text box, and the end port number in the right text box.
    Note: If you do not enter a port range, the rule will apply to all ports. If you enter only one port number, the range will include only that port.

Source
    Do this: Select the source of the connections you want to allow or block.
    To specify an IP address, select Specified IP and type the desired IP address in the text box.
    To specify an IP address range, select Specified Range and type the desired IP address range in the fields provided.

Destination
    Do this: Select the destination of the connections you want to allow or block.
    To specify an IP address, select Specified IP and type the desired IP address in the text box.
    To specify an IP address range, select Specified Range and type the desired IP address range in the fields provided.
    To specify the gateway IP address, select This Gateway.
    To specify any destination except the My.firewall portal and network printers, select ANY.
    Note: If you are creating an Allow and Forward rule or an Allow rule, and the network uses Hide NAT or static NAT, then you must specify the host's internal IP address, and not the Internet IP address to which the internal IP address is mapped.

If the current time is
    Do this: Select this option to specify that the rule should be applied only during certain hours of the day.
    You must then specify the desired time range, by clicking in the fields provided and either typing the time range, or selecting the desired times in the drop-down list that appears.

Forward connection to
    Do this: Select the destination to which matching connections should be forwarded.
    To specify an IP address, select Specified IP and type the desired IP address in the text box.
    This field only appears when defining an Allow and Forward rule.

Quality of Service class
    Do this: Select the QoS class to which you want to assign the specified connections.
    If Traffic Shaper is enabled, Traffic Shaper will handle these connections as specified in the bandwidth policy for the selected QoS class. If Traffic Shaper is not enabled, this setting is ignored. For information on Traffic Shaper and QoS classes, see Configuring Traffic Shaper on page 236.
    This drop-down list only appears when defining an Allow rule or an Allow and Forward rule.

Description
    Do this: Type a description of the rule.

Redirect to port
    Do this: Select this option to redirect the connections to a specific port. You must then type the desired port in the field provided.
    This option is called Port Address Translation (PAT), and is only available when defining an Allow and Forward rule.

Log connections
    Do this: Select this option to log the specified blocked or allowed connections.
    By default, accepted connections are not logged, and blocked connections are logged. You can modify this behavior by changing the check box's state.

Enable this rule
    Do this: Select this option to enable the rule.
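The wizard fields in Table 12, together with the top-down processing order that the Reordering Firewall Rules section describes, as an added Python model; this is not SPP or Check Point code. The Rule, Verdict, evaluate and parse_addr names are this example's own, the "first-last" range syntax and the fallthrough to the base policy (treated as Block) are assumptions, and the rule sets are constructed.

```python
"""First-match evaluation of SPP-style firewall rules.

Added example, not Check Point code. It models the Edit Local Rule Wizard
fields from Table 12 (rule type, protocol and port range, source, destination,
forward-to address, redirect-to port, log connections, enable this rule) and
applies rules in table order, rule 1 before rule 2. Assumptions: ranges are
written 'first-last', and a connection that matches no rule falls through to
the base security policy, modelled here as Block.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY_RANGE = (0, 2**32 - 1)


def parse_addr(value: str) -> tuple[int, int]:
    """Source/Destination field: 'ANY', one IP, or 'first-last' (assumed syntax)."""
    if value.upper() == "ANY":
        return ANY_RANGE
    first, _, last = value.partition("-")
    lo = int(ipaddress.IPv4Address(first.strip()))
    hi = int(ipaddress.IPv4Address(last.strip())) if last else lo
    return lo, hi


@dataclass
class Rule:
    action: str                              # "Allow", "Allow and Forward" or "Block"
    protocol: str = "ANY"                    # ESP, GRE, TCP, UDP, ICMP or ANY
    ports: Optional[tuple[int, int]] = None  # None = all ports (Table 12 note)
    source: str = "ANY"
    destination: str = "ANY"
    forward_to: Optional[str] = None         # Allow and Forward rules only
    redirect_port: Optional[int] = None      # PAT, Allow and Forward rules only
    log: Optional[bool] = None               # None = default: block logged, allow not
    enabled: bool = True

    def matches(self, proto: str, src: str, dst: str, port: int) -> bool:
        if not self.enabled:
            return False
        if self.protocol != "ANY" and self.protocol != proto:
            return False
        if self.ports is not None and not self.ports[0] <= port <= self.ports[1]:
            return False
        for field, addr in ((self.source, src), (self.destination, dst)):
            lo, hi = parse_addr(field)
            if not lo <= int(ipaddress.IPv4Address(addr)) <= hi:
                return False
        return True


@dataclass
class Verdict:
    action: str
    rule_number: Optional[int]   # 1-based position in the Firewall Rules table
    logged: bool
    new_destination: Optional[str] = None
    new_port: Optional[int] = None


def evaluate(rules: list[Rule], proto: str, src: str, dst: str, port: int) -> Verdict:
    """Return the verdict of the first matching rule, walking the table top down."""
    for number, rule in enumerate(rules, start=1):
        if not rule.matches(proto, src, dst, port):
            continue
        blocked = rule.action == "Block"
        logged = blocked if rule.log is None else rule.log
        verdict = Verdict(rule.action, number, logged)
        if rule.action == "Allow and Forward":
            verdict.new_destination = rule.forward_to
            verdict.new_port = rule.redirect_port
        return verdict
    return Verdict("Block", None, True)  # assumed fallthrough to the base policy


# Constructed rules: block all outgoing FTP except from one workstation.
FTP = (21, 21)
EXCEPTION_FIRST = [
    Rule("Allow", "TCP", FTP, source="192.168.10.5"),  # exception placed higher
    Rule("Block", "TCP", FTP),                         # general rule below it
]
GENERAL_FIRST = list(reversed(EXCEPTION_FIRST))        # same rules, wrong order

# Constructed NAT forwarding rule with PAT: public address to an internal host.
FORWARD_WEB = [
    Rule("Allow and Forward", "TCP", (80, 80), destination="62.98.112.1",
         forward_to="10.0.0.5", redirect_port=8080, log=True),
]

if __name__ == "__main__":
    for name, rules in (("exception first", EXCEPTION_FIRST), ("general first", GENERAL_FIRST)):
        print(name, evaluate(rules, "TCP", "192.168.10.5", "203.0.113.9", 21))
    print(evaluate(FORWARD_WEB, "TCP", "198.51.100.7", "62.98.112.1", 80))
```

With the exception above the general rule the workstation's FTP is allowed; with the same two rules reversed the Block rule matches first and the exception is never reached.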


Reordering Firewall Rules

Gateways process user-defined rules in the order they appear in the Firewall Rules table, so that rule 1 is applied before rule 2, and so on. This enables you to define exceptions to rules, by placing the exceptions higher up in the Firewall Rules table.

For example, if you want to block all outgoing FTP traffic, except traffic from a specific IP address, you can create a rule blocking all outgoing FTP traffic and move the rule down in the table. Then create a rule allowing FTP traffic from the desired IP address and move this rule to a higher location in the table than the first rule. In the figure below, the general rule is the Block rule, and the exception is the Allow rule.

The gateway will process the Allow rule first, allowing outgoing HTTP traffic from the specified IP address, and only then will it process the Block rule, blocking all outgoing HTTP traffic.

To reorder firewall rules
1. In the navigation tree, click the Security > Firewall Rules node.
   The Firewall Rules fields appear.
2. If needed, unlock the node from plan.
3. Select the Remotely manage Firewall Rules check box.
   The fields are enabled.
4. In the Firewall Rules table, for each rule you want to move, click on the rule and drag it to the desired location in the table.
5. Click .

Deleting Firewall Rules

To delete a firewall rule
1. In the navigation tree, click the Security > Firewall Rules node.
   The Firewall Rules fields appear.


2. If needed, unlock the node from plan.
3. Select the Remotely manage Firewall Rules check box.
   The fields are enabled.
4. Select the check box next to the desired rule.
5. Click Delete.
   A confirmation message appears.
6. Click OK.
   The rule is deleted.
7. Click .

Configuring Secure HotSpot

You can enable gateways as public Internet access hotspots. When users on specific networks attempt to access the Internet, they are automatically redirected to the My HotSpot page http://my.hotspot.

Note: You can configure Secure HotSpot to use HTTPS. In this case, the My HotSpot page will be https://my.hotspot.

On this page, the users must read and accept the My HotSpot terms of use, and if My HotSpot is configured to be password-protected, they must log in using their Embedded NGX username and password. The users may then access the Internet or other corporate networks. Users can also log out in the My HotSpot page.

Embedded NGX Secure HotSpot is useful in any wired or wireless environment where Web-based user authentication or terms-of-use approval is required prior to gaining access to the network. For example, Secure HotSpot can be used in public computer labs, educational institutions, libraries, Internet cafés, and so on.

You can choose to exclude specific network objects from HotSpot enforcement. Excluded network objects will be able to access the network without viewing the My HotSpot page. Furthermore, users will be able to access the excluded network object without viewing the My HotSpot page. For information on excluding network objects from HotSpot enforcement, see Configuring Network Objects on page 245.


Important: SecuRemote VPN software users who are authenticated by the Internal VPN Server are automatically exempt from HotSpot enforcement. This allows, for example, authenticated employees to gain full access to the corporate LAN, while guest users are permitted to access the Internet only.

Note: HotSpot enforcement can block traffic passing through the firewall; however, it does not block local traffic on the same network segment (traffic that does not pass through the firewall).

Setting Up Secure HotSpot

To set up Secure HotSpot
1. Enable Secure HotSpot for the desired networks.
   See Configuring Network Settings on page 176.
2. Customize Secure HotSpot as desired.
   See Customizing Secure HotSpot on page 66.
3. Grant HotSpot Access permissions to users by doing one or both of the following:
   • Grant HotSpot Access permissions to individual users.
     See Configuring Users' Access Permissions on page 322.
   • Grant HotSpot Access permissions to all RADIUS-authenticated users.
     See Configuring User Authentication on page 35.

Customizing Secure HotSpot

To customize Secure HotSpot
1. In the navigation tree, click the Security > HotSpot node.
   The HotSpot fields appear.
2. If needed, unlock the node from plan.
3. Select the Remotely manage My HotSpot Settings check box.


   The fields are enabled.
4. Complete the fields using the information in the table below.
5. Click .

Table 13: My HotSpot Fields

In this field…  Do this…

Title
    Type the title that should appear on the My HotSpot page.
    The default title is "Welcome to My HotSpot".

Terms of Use
    Type the terms to which the user must agree before accessing the Internet.
    You can use HTML tags as needed.


Password protected
    Select this option to require users to enter their username and password before accessing the Internet.
    If this option is not selected, users will be required only to accept the terms of use before accessing the network.
    The Allow a user to login from more than one computer at the same time check box is enabled.

Allow a user to login from more than one computer at the same time
    Select this option to allow a single user to log in to My HotSpot from multiple computers at the same time.

Use HTTPS
    Select this option to use HTTPS for Secure HotSpot.

After login, redirect to URL
    To redirect users to a specific URL after logging in to My HotSpot, select this option and type the desired URL in the field provided.
    For example, you can redirect authenticated users to the company's Web site or a "Welcome" page.

Configuring NAT Rules

A Network Address Translation (NAT) rule is a setting used to change the source, destination, and/or service of specific connections.

You can define the following types of custom NAT rules:

• Static NAT (or One-to-One NAT). Translation of an IP address range to another IP address range of the same size.
  This type of NAT rule allows the mapping of Internet IP addresses or address ranges to hosts inside the internal network. This is useful if you want each computer in the network to have its own Internet IP address.


• Hide NAT (or Many-to-One NAT). Translation of an IP address range to a single IP address.
  This type of NAT rule enables you to share a single public Internet IP address among several computers, by "hiding" the private IP addresses of the internal computers behind the gateway's single Internet IP address.

• Few-to-Many NAT. Translation of a smaller IP address range to a larger IP address range.
  When this type of NAT rule is used, static NAT is used to map the IP addresses in the smaller range to the IP addresses at the beginning of the larger range. The remaining IP addresses in the larger range remain unused.

• Many-to-Few NAT. Translation of a larger IP address range to a smaller IP address range.
  When this type of NAT rule is used, static NAT is used to map the IP addresses in the larger range to all but the final IP address in the smaller range. Hide NAT is then used to map all of the remaining IP addresses in the larger range to the final IP address in the smaller range.

• Service-Based NAT. Translation of a connection's original service to a different service.

In addition, implicitly defined NAT rules are created automatically upon the following events:

• Hide NAT is enabled on an internal network
• An Allow and Forward firewall rule is defined
• Static NAT is configured for a network object (for information, see Configuring Network Objects on page 245)
• The gateway receives NAT rules from the Service Center

Implicitly defined NAT rules can only be edited or deleted indirectly. For example, in order to remove a NAT rule created when a certain network object was defined, you must modify the relevant network object.

The Security > NAT node displays both custom NAT rules and implicitly defined NAT rules, and it allows you to create, edit, and delete custom NAT rules.
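To make the four address-translating rule types concrete, here is an added Python example (not Check Point code) that computes the mapping each type produces from two constructed ranges, following the descriptions above: Static NAT pairs equal-size ranges one-to-one, Hide NAT maps every address to a single one, Few-to-Many maps the smaller range statically onto the start of the larger range and leaves the tail unused, and Many-to-Few maps statically onto all but the final address of the smaller range and hides the remaining originals behind that final address. The 10.0.0.x and 198.51.100.x ranges are constructed sample values.

```python
"""Address mapping produced by each custom NAT rule type.

Added example, not Check Point code. The ranges are constructed sample values.
"""
from ipaddress import IPv4Address
from typing import Dict, List


def expand(first: str, last: str) -> List[str]:
    """List every address in an inclusive IPv4 range."""
    lo, hi = int(IPv4Address(first)), int(IPv4Address(last))
    if hi < lo:
        raise ValueError("range end precedes range start")
    return [str(IPv4Address(i)) for i in range(lo, hi + 1)]


def static_nat(original: List[str], new: List[str]) -> Dict[str, str]:
    """One-to-One NAT: both ranges must be the same size."""
    if len(original) != len(new):
        raise ValueError("Static NAT needs ranges of equal size")
    return dict(zip(original, new))


def hide_nat(original: List[str], hide_behind: str) -> Dict[str, str]:
    """Many-to-One NAT: every original address is hidden behind one address."""
    return {addr: hide_behind for addr in original}


def few_to_many_nat(original: List[str], new: List[str]) -> Dict[str, str]:
    """Static NAT onto the beginning of the larger range; its tail stays unused."""
    if len(original) > len(new):
        raise ValueError("Few-to-Many NAT needs the original range to be the smaller one")
    return static_nat(original, new[:len(original)])


def many_to_few_nat(original: List[str], new: List[str]) -> Dict[str, str]:
    """Static NAT onto all but the final address of the smaller range, then
    Hide NAT of the remaining originals behind that final address."""
    if len(original) < len(new):
        raise ValueError("Many-to-Few NAT needs the original range to be the larger one")
    n_static = len(new) - 1
    mapping = static_nat(original[:n_static], new[:n_static])
    mapping.update(hide_nat(original[n_static:], new[-1]))
    return mapping


def unused_addresses(new: List[str], mapping: Dict[str, str]) -> List[str]:
    """Addresses of the translated range that no original address maps to."""
    used = set(mapping.values())
    return [addr for addr in new if addr not in used]


def translate(mapping: Dict[str, str], addr: str) -> str:
    """Apply a mapping; an address outside it is left as-is (Don't Change)."""
    return mapping.get(addr, addr)


if __name__ == "__main__":
    internal = expand("10.0.0.1", "10.0.0.5")          # constructed larger range
    public = expand("198.51.100.1", "198.51.100.3")    # constructed smaller range
    for src, dst in many_to_few_nat(internal, public).items():
        print(f"{src} -> {dst}")
    print("unused:", unused_addresses(internal, few_to_many_nat(public, internal)))
```

Running it shows the asymmetry the text describes: in the Many-to-Few direction the last public address is shared by three internal hosts, whereas in the Few-to-Many direction two internal addresses are simply never used.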


Adding and Editing NAT Rules

To add or edit a NAT rule
1. In the navigation tree, click the Security > NAT node.
   The NAT Rules fields appear.
2. If needed, unlock the node from plan.
3. Select the Remotely manage NAT Rules check box.
   The fields are enabled.
4. Do one of the following:
   • To add a new rule, click New.
   • To edit an existing rule, click the number next to the rule.


   The Address Translation Wizard opens, with the Address Translation: Step 1 dialog box displayed.
5. Select the type of rule you want to create, using the information in the following table.
6. Click Next.


   The Address Translation: Step 2 dialog box appears.
7. Complete the fields using the information in the following table.
8. Click Next.
   The Address Translation: Step 3 dialog box appears.


9. If desired, type a description of the rule in the Name field.
10. Click Finish.
    The rule appears in the NAT Rules table.
11. Click .

Table 14: Address Translation Wizard Fields

Field  Description

The source is
    Select the original source of the connections you want to translate.
    To specify an IP address, select Specified IP and type the desired IP address in the field provided.
    To specify an IP address range, select Specified Range and type the desired IP address range in the fields provided.

And the destination is
    Select the original destination of the connections you want to translate.
    To specify an IP address, select Specified IP and type the desired IP address in the text box.
    To specify an IP address range, select Specified Range and type the desired IP address range in the fields provided.
    To specify any destination except the local management portal and network printers, select Any.

And the service is
    Select the original service used for the connections you want to translate.


Change the source to
    Select the new source to which the original source should be translated.
    To specify an IP address, select Specified IP and type the desired IP address in the field provided.
    To specify an IP address range, select Specified Range and type the desired IP address range in the fields provided.
    To specify that the original source should not be translated, select Don't Change.

Change the destination to
    Select the new destination to which the original destination should be translated.
    To specify an IP address, select Specified IP and type the desired IP address in the field provided.
    To specify an IP address range, select Specified Range and type the desired IP address range in the fields provided.
    To specify that the original destination should not be translated, select Don't Change.

Change the service to
    Select the new service to which the original service should be translated.
    To specify that the original service should not be translated, select Don't Change.

Deleting NAT Rules

To delete a NAT rule
1. In the navigation tree, click the Security > NAT node.
   The NAT Rules fields appear.
2. If needed, unlock the node from plan.
3. Select the Remotely manage NAT Rules check box.


   The fields are enabled.
4. In the NAT Rules table, select the check box next to the desired rule.
5. Click Delete.
   A confirmation message appears.
6. Click OK.
   The rule is deleted.
7. Click .

Configuring SmartDefense Settings

If a plan specifies remote management, SmartDefense settings can be remotely configured in the plan.

All gateways subscribed to the plan will take their SmartDefense settings from the plan, by default. If desired, you can override the inherited SmartDefense settings for a specific gateway, by configuring these settings in the gateway.

Overview

Check Point SmartDefense Services, based on Check Point Application Intelligence, provides a combination of attack safeguards and attack-blocking tools that protect a network in the following ways:

• Validating compliance to standards
• Validating expected usage of protocols (Protocol Anomaly Detection)
• Limiting application ability to carry malicious data
• Controlling application-layer operations

In addition, SmartDefense aids proper usage of Internet resources, such as FTP, instant messaging, Peer-to-Peer (P2P) file sharing, file-sharing operations, and File Transfer Protocol (FTP) uploading, among others.


SmartDefense settings are divided into categories, each of which is represented by a node in the navigation tree.

When a category node is expanded, the settings it contains appear as sub-nodes. For information on each SmartDefense category and the settings it contains, see SmartDefense Categories on page 79.

Each setting node represents an attack type, a sanity check, or a protocol or service that is vulnerable to attacks. To control how SmartDefense handles a specific attack, you must configure the relevant setting node.


Configuring a SmartDefense Setting

To configure a SmartDefense setting
1. In the navigation tree, click the SmartDefense node.
   The SmartDefense fields appear.
2. If needed, unlock the node from plan.
3. Select the Remotely manage SmartDefense check box.
   The fields are enabled.
4. Click .
5. Expand the SmartDefense node and the relevant category node, then click on the desired setting node.


   The right pane displays a description of the setting, followed by fields.
6. Complete the fields using the information in SmartDefense Categories on page 79.
7. Click .


SmartDefense Categories

SmartDefense includes the following categories:
• Denial of Service on page 79
• FTP on page 84
• Games on page 124
• HTTP on page 89
• IGMP on page 91
• Instant Messaging Traffic on page 92
• IP and ICMP on page 94
• Microsoft Networks on page 104
• Peer to Peer on page 107
• Port Scan on page 109
• SCADA on page 111
• TCP on page 118
• VoIP on page 105

Denial of Service

Denial of Service (DoS) attacks are aimed at overwhelming the target with spurious data, to the point where it is no longer able to respond to legitimate service requests.

This category includes the following attacks:
• DDoS Attack on page 80
• LAND on page 80
• Non-TCP Flooding on page 81
• Ping of Death on page 83
• Teardrop on page 83


DDoS Attack

In a distributed denial-of-service attack (DDoS attack), the attacker directs multiple hosts in a coordinated attack on a victim computer or network. The attacking hosts send large amounts of spurious data to the victim, so that the victim is no longer able to respond to legitimate service requests.

You can configure how DDoS attacks should be handled.

Table 15: Distributed Denial of Service Fields

In this field…  Do this…

Action
    Specify what action to take when a DDoS attack occurs, by selecting one of the following:
    • Block. Block the attack. This is the default.
    • None. No action.

Track
    Specify whether to log DDoS attacks, by selecting one of the following:
    • Log. Log the attack. This is the default.
    • None. Do not log the attack.

LAND

In a LAND attack, the attacker sends a SYN packet, in which the source address and port are the same as the destination (the victim computer). The victim computer then tries to reply to itself and either reboots or crashes.


You can configure how LAND attacks should be handled.

Table 16: LAND Fields

In this field…  Do this…

Action
    Specify what action to take when a LAND attack occurs, by selecting one of the following:
    • Block. Block the attack. This is the default.
    • None. No action.

Track
    Specify whether to log LAND attacks, by selecting one of the following:
    • Log. Log the attack. This is the default.
    • None. Do not log the attack.

Non-TCP Flooding

Advanced firewalls maintain state information about connections in a State table. In Non-TCP Flooding attacks, the attacker sends high volumes of non-TCP traffic. Since such traffic is connectionless, the related state information cannot be cleared or reset, and the firewall State table is quickly filled up. This prevents the firewall from accepting new connections and results in a Denial of Service (DoS).


You can protect against Non-TCP Flooding attacks by limiting the percentage of state table capacity used for non-TCP connections.

Table 17: Non-TCP Flooding Fields

In this field…  Do this…

Action
    Specify what action to take when the percentage of state table capacity used for non-TCP connections reaches the Max. Percent Non-TCP Traffic threshold. Select one of the following:
    • Block. Block any additional non-TCP connections.
    • None. No action. This is the default.

Track
    Specify whether to log non-TCP connections that exceed the Max. Percent Non-TCP Traffic threshold, by selecting one of the following:
    • Log. Log the connections.
    • None. Do not log the connections. This is the default.

Max. Percent Non-TCP Traffic
    Type the maximum percentage of state table capacity allowed for non-TCP connections.
    The default value is 10%.


Ping of Death

In a Ping of Death attack, the attacker sends a fragmented PING request that exceeds the maximum IP packet size (64KB). Some operating systems are unable to handle such requests and crash.

You can configure how Ping of Death attacks should be handled.

Table 18: Ping of Death Fields

In this field…  Do this…

Action
    Specify what action to take when a Ping of Death attack occurs, by selecting one of the following:
    • Block. Block the attack. This is the default.
    • None. No action.

Track
    Specify whether to log Ping of Death attacks, by selecting one of the following:
    • Log. Log the attack. This is the default.
    • None. Do not log the attack.

Teardrop

In a Teardrop attack, the attacker sends two IP fragments, the latter entirely contained within the former. This causes some computers to allocate too much memory and crash.


You can configure how Teardrop attacks should be handled.

Table 19: Teardrop Fields

In this field…  Do this…

Action
    Specify what action to take when a Teardrop attack occurs, by selecting one of the following:
    • Block. Block the attack. This is the default.
    • None. No action.

Track
    Specify whether to log Teardrop attacks, by selecting one of the following:
    • Log. Log the attack. This is the default.
    • None. Do not log the attack.

FTP

This category allows you to configure various protections related to the FTP protocol. It includes the following:
• Block Known Ports on page 85
• Block Port Overflow on page 85
• Blocked FTP Commands on page 87
• FTP Bounce on page 88
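The LAND, Ping of Death and Teardrop settings of the Denial of Service category above each describe a condition that can be tested on individual IP packets or on pairs of fragments. The Python below is an added example, not Check Point code, showing those three tests as a defender would write them for an inspection point, together with the default Block/Log settings from Tables 16, 18 and 19. The Packet structure is a simplification (byte offsets instead of the IP header's 8-byte fragment units, no checksums) and every packet in sample_packets() is constructed.

```python
"""Packet-level checks for the LAND, Ping of Death and Teardrop attacks.

Added example, not Check Point code. The Packet structure is simplified and
all sample packets are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

MAX_IP_PACKET = 65535   # largest IPv4 datagram; the "64KB" limit in the text

# Default Action / Track settings from Tables 16, 18 and 19 above.
DEFAULT_POLICY = {
    "LAND": ("Block", "Log"),
    "Ping of Death": ("Block", "Log"),
    "Teardrop": ("Block", "Log"),
}


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    syn: bool = False           # TCP SYN flag
    ip_id: int = 0              # IP identification field, shared by fragments
    frag_offset: int = 0        # byte offset of this fragment in the datagram
    length: int = 0             # bytes of data carried by this fragment
    more_fragments: bool = False


def is_land(p: Packet) -> bool:
    """SYN whose source address and port equal the destination's."""
    return p.proto == "tcp" and p.syn and p.src == p.dst and p.sport == p.dport


def is_ping_of_death(p: Packet) -> bool:
    """ICMP fragment that would push the reassembled datagram past the IP limit."""
    return p.proto == "icmp" and p.frag_offset + p.length > MAX_IP_PACKET


def is_teardrop(prev: Packet, cur: Packet) -> bool:
    """Later fragment of the same datagram lying entirely inside the earlier one."""
    same_datagram = (prev.src, prev.dst, prev.ip_id) == (cur.src, cur.dst, cur.ip_id)
    inside = (cur.frag_offset >= prev.frag_offset
              and cur.frag_offset + cur.length <= prev.frag_offset + prev.length)
    return same_datagram and cur.length > 0 and inside


def inspect(packets: List[Packet]) -> List[Tuple[int, str, str, str]]:
    """Return (packet index, attack name, action, track) for every hit."""
    hits = []
    last_fragment: Dict[tuple, Packet] = {}
    for i, p in enumerate(packets):
        name = None
        if is_land(p):
            name = "LAND"
        elif is_ping_of_death(p):
            name = "Ping of Death"
        else:
            key = (p.src, p.dst, p.ip_id)
            prev = last_fragment.get(key)
            if prev is not None and is_teardrop(prev, p):
                name = "Teardrop"
            if p.more_fragments or p.frag_offset:
                last_fragment[key] = p      # remember fragments for the next one
        if name:
            action, track = DEFAULT_POLICY[name]
            hits.append((i, name, action, track))
    return hits


def sample_packets() -> List[Packet]:
    """Constructed traffic: one LAND SYN, one oversized ICMP fragment, one
    Teardrop pair, and one benign fragment pair that must not trigger."""
    return [
        Packet("192.0.2.10", "192.0.2.10", "tcp", sport=139, dport=139, syn=True),
        Packet("198.51.100.5", "192.0.2.20", "icmp", ip_id=7, frag_offset=65528, length=100),
        Packet("198.51.100.6", "192.0.2.20", "udp", ip_id=9, frag_offset=0, length=1000, more_fragments=True),
        Packet("198.51.100.6", "192.0.2.20", "udp", ip_id=9, frag_offset=200, length=400),
        Packet("198.51.100.7", "192.0.2.20", "udp", ip_id=3, frag_offset=0, length=1000, more_fragments=True),
        Packet("198.51.100.7", "192.0.2.20", "udp", ip_id=3, frag_offset=1000, length=300),
    ]


if __name__ == "__main__":
    for hit in inspect(sample_packets()):
        print(hit)
```

The benign pair at the end (second fragment starting exactly where the first ends) is the case an overlap check must not flag; only a fragment that adds no new bytes beyond the previous one is reported as Teardrop.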


Block Known Ports

You can choose to block the FTP server from connecting to well-known ports.

Note: Known ports are published ports associated with services (for example, SMTP is port 25).

This provides a second layer of protection against FTP bounce attacks, by preventing such attacks from reaching well-known ports.

Table 20: Block Known Ports Fields

In this field…  Do this…

Action
    Specify what action to take when the FTP server attempts to connect to a well-known port, by selecting one of the following:
    • Block. Block the connection.
    • None. No action. This is the default.

Block Port Overflow

FTP clients send PORT commands when connecting to the FTP server. A PORT command consists of a series of numbers between 0 and 255, separated by commas.


To enforce compliance to the FTP standard and prevent potential attacks against the FTP server, you can block PORT commands that contain a number greater than 255.

Table 21: Block Port Overflow

In this field…  Do this…

Action
    Specify what action to take for PORT commands containing a number greater than 255, by selecting one of the following:
    • Block. Block the PORT command. This is the default.
    • None. No action.
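The Block Known Ports and Block Port Overflow checks above, and the FTP Bounce check described later in this category, all operate on the same piece of input: the client's PORT command. The Python below is an added example, not Check Point code, that parses a PORT command and reports which of the three conditions it triggers, then applies the default Action settings (Block for overflow and bounce, None for known ports). The sample commands and client addresses are constructed, and treating "well-known" as ports 0 through 1023 is my assumption; the guide only gives SMTP port 25 as an example.

```python
"""Checks on FTP PORT commands: port overflow, bounce, and well-known ports.

Added example, not Check Point code. Sample commands are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# PORT h1,h2,h3,h4,p1,p2: the six comma-separated numbers of the FTP standard.
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)

WELL_KNOWN_MAX = 1023   # assumption: "well-known" means ports 0-1023

# Defaults from Table 20 (known ports), Table 21 (overflow) and Table 22 (bounce).
DEFAULT_ACTIONS = {"port-overflow": "Block", "ftp-bounce": "Block", "known-port": "None"}


def parse_port(line: str) -> Optional[Tuple[List[int], str, int]]:
    """Return (numbers, ip, port) or None when the line is not a PORT command."""
    m = PORT_RE.match(line)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    ip = ".".join(str(n) for n in nums[:4])
    port = (nums[4] << 8) | nums[5]
    return nums, ip, port


def check_port_command(line: str, client_ip: str) -> List[str]:
    """Names of the SmartDefense FTP checks the command would trigger."""
    parsed = parse_port(line)
    if parsed is None:
        return ["not-a-port-command"]
    nums, ip, port = parsed
    if any(n > 255 for n in nums):
        # Block Port Overflow: a number over 255 violates the FTP standard and
        # no valid address or port can be derived from it, so stop here.
        return ["port-overflow"]
    findings = []
    if ip != client_ip:
        findings.append("ftp-bounce")     # data would be sent to a third party
    if port <= WELL_KNOWN_MAX:
        findings.append("known-port")     # second layer against bounce attacks
    return findings


def decide(line: str, client_ip: str, actions: Optional[Dict[str, str]] = None) -> str:
    """Apply per-check Action settings; Block wins if any triggered check says so."""
    actions = {**DEFAULT_ACTIONS, **(actions or {})}
    for finding in check_port_command(line, client_ip):
        if actions.get(finding) == "Block":
            return "Block"
    return "Allow"


if __name__ == "__main__":
    client = "192.168.10.5"   # constructed control-connection source address
    for cmd in ["PORT 192,168,10,5,4,1",      # normal: own address, high port
                "PORT 192,168,10,5,300,1",    # overflow
                "PORT 10,0,0,9,0,25",         # bounce to a third party's SMTP port
                "PORT 192,168,10,5,0,80"]:    # own address but a well-known port
        print(cmd, check_port_command(cmd, client), decide(cmd, client))
```

With the defaults, the last command is allowed because Block Known Ports is None by default; passing {"known-port": "Block"} to decide() reproduces the effect of setting that Action to Block.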


Blocked FTP Commands

Some seldom-used FTP commands may compromise FTP server security and integrity. You can specify which FTP commands should be allowed to pass through the security server, and which should be blocked.

To enable FTP command blocking
• In the Action drop-down list, select Block.
  The FTP commands listed in the Blocked Commands box will be blocked.
  FTP command blocking is enabled by default.

To disable FTP command blocking
• In the Action drop-down list, select None.
  All FTP commands are allowed, including those in the Blocked Commands box.

To block a specific FTP command
1. In the Allowed Commands box, select the desired FTP command.
2. Click Block.
   The FTP command appears in the Blocked Commands box.
3. Click Apply.
   When FTP command blocking is enabled, the FTP command will be blocked.


To allow a specific FTP command
1. In the Blocked Commands box, select the desired FTP command.
2. Click Accept.
   The FTP command appears in the Allowed Commands box.
3. Click Apply.
   The FTP command will be allowed, regardless of whether FTP command blocking is enabled or disabled.

FTP Bounce

When connecting to an FTP server, the client sends a PORT command specifying the IP address and port to which the FTP server should connect and send data. An FTP Bounce attack is when an attacker sends a PORT command specifying the IP address of a third party instead of the attacker's own IP address. The FTP server then sends data to the victim machine.

You can configure how FTP bounce attacks should be handled.

Table 22: FTP Bounce Fields

In this field…  Do this…

Action
    Specify what action to take when an FTP Bounce attack occurs, by selecting one of the following:
    • Block. Block the attack. This is the default.
    • None. No action.

Track
    Specify whether to log FTP Bounce attacks, by selecting one of the following:
    • Log. Log the attack. This is the default.
    • None. Do not log the attack.

HTTP

This category allows you to configure various protections related to the HTTP protocol. It includes the following:
• Header Rejection on page 89
• Worm Catcher on page 90

Header Rejection

Some exploits are carried in standard HTTP headers with custom values (for example, in the Host header), or in custom HTTP headers. You can protect against such exploits by rejecting HTTP requests that contain specific headers and header values.


Table 23: Header Rejection Fields

In this field…  Do this…

Action
    Specify what action to take when an HTTP header-based exploit is detected, by selecting one of the following:
    • Block. Block the attack.
    • None. No action. This is the default.

Track
    Specify whether to log HTTP header-based exploits, by selecting one of the following:
    • Log. Log the attack.
    • None. Do not log the attack. This is the default.

HTTP header values list
    Select the HTTP header values to detect.

Worm Catcher

A worm is a self-replicating malware (malicious software) that propagates by actively sending itself to new machines. Some worms propagate by using security vulnerabilities in the HTTP protocol.

You can specify how HTTP-based worm attacks should be handled.


Table 24: Worm Catcher Fields

In this field…  Do this…

Action
    Specify what action to take when an HTTP-based worm attack is detected, by selecting one of the following:
    • Block. Block the attack.
    • None. No action. This is the default.

Track
    Specify whether to log HTTP-based worm attacks, by selecting one of the following:
    • Log. Log the attack.
    • None. Do not log the attack. This is the default.

HTTP-based worm patterns list
    Select the worm patterns to detect.

IGMP

This category includes the IGMP protocol.

IGMP is used by hosts and routers to dynamically register and discover multicast group membership. Attacks on the IGMP protocol usually target a vulnerability in the multicast routing software/hardware used, by sending specially crafted IGMP packets.

You can configure how IGMP attacks should be handled.


Table 25: IGMP Fields

In this field…  Do this…

Action
    Specify what action to take when an IGMP attack occurs, by selecting one of the following:
    • Block. Block the attack. This is the default.
    • None. No action.

Track
    Specify whether to log IGMP attacks, by selecting one of the following:
    • Log. Log the attack. This is the default.
    • None. Do not log the attack.

Enforce IGMP to multicast addresses
    According to the IGMP specification, IGMP packets must be sent to multicast addresses. Sending IGMP packets to a unicast or broadcast address might constitute an attack; therefore the Embedded NGX gateway blocks such packets.
    Specify whether to allow or block IGMP packets that are sent to non-multicast addresses, by selecting one of the following:
    • Block. Block IGMP packets that are sent to non-multicast addresses. This is the default.
    • None. No action.

Instant Messaging Traffic

SmartDefense can block instant messaging applications that use VoIP protocols, by identifying the messaging application's fingerprints and HTTP headers.

This category includes the following nodes:
• ICQ
• MSN Messenger
• Skype
• Yahoo


Note: SmartDefense can detect instant messaging traffic regardless of the TCP port being used to initiate the session.

Note: Skype versions up to 2.0.0.103 are supported.

In each node, you can configure how instant messaging connections of the selected type should be handled, using the following table.

Table 26: Instant Messengers Fields

In this field…  Do this…

Action
    Specify what action to take when a connection is attempted, by selecting one of the following:
    • Block. Block the connection.
    • None. No action. This is the default.

Track
    Specify whether to log instant messenger connections, by selecting one of the following:
    • Log. Log the connection.
    • None. Do not log the connection. This is the default.


Block proprietary protocol / Block proprietary protocols on all ports
    Specify whether proprietary protocols should be blocked on all ports, by selecting one of the following:
    • Block. Block the proprietary protocol on all ports. This in effect prevents all communication using this instant messenger application. This is the default.
    • None. Do not block the proprietary protocol on all ports.

Block masquerading over HTTP protocol
    Specify whether to block using the instant messenger application over HTTP, by selecting one of the following:
    • Block. Block using the application over HTTP. This is the default.
    • None. Do not block using the application over HTTP.

IP and ICMP

This category allows you to enable various IP and ICMP protocol tests, and to configure various protections against IP and ICMP-related attacks. It includes the following:
• Cisco IOS DOS on page 95
• IP Fragments on page 97
• Max Ping Size on page 98
• Network Quota on page 99
• Null Payload on page 101
• Packet Sanity on page 102
• Welchia on page 103


Checksum Verification

SmartDefense identifies any IP, TCP, or UDP packets with incorrect checksums. You can configure how these packets should be handled.

Table 27: Checksum Verification Fields

In this field…  Do this…

Action
    Specify what action to take when packets with incorrect checksums are detected, by selecting one of the following:
    • Block. Block the packets. This is the default.
    • None. No action.

Track
    Specify whether to log packets with incorrect checksums, by selecting one of the following:
    • Log. Log the packets.
    • None. Do not log the packets. This is the default.

Cisco IOS DOS

Cisco routers are configured to process and accept Internet Protocol version 4 (IPv4) packets by default. When a Cisco IOS device is sent a specially crafted sequence of IPv4 packets (with protocol type 53 - SWIPE, 55 - IP Mobility, 77 - Sun ND, or 103 - Protocol Independent Multicast - PIM), the router will stop processing inbound traffic on that interface.


You can configure how Cisco IOS DOS attacks should be handled.

Note: You cannot enable CISCO IOS DOS PIM protection in SmartDefense, when the PIM-SM multicast routing protocol is enabled. For information on disabling the PIM-SM protocol, refer to the Embedded NGX CLI Reference Guide.

Table 28: Cisco IOS DOS

In this field…  Do this…

Action
    Specify what action to take when a Cisco IOS DOS attack occurs, by selecting one of the following:
    • Block. Block the attack. This is the default.
    • None. No action.

Track
    Specify whether to log Cisco IOS DOS attacks, by selecting one of the following:
    • Log. Log the attack. This is the default.
    • None. Do not log the attack.

Number of Hops to Protect
    Type the number of hops from the enforcement module within which Cisco routers should be protected.
    The default value is 10.

Action Protection for SWIPE - Protocol 53 / IP Mobility - Protocol 55 / SUN-ND - Protocol 77 / PIM - Protocol 103
    Specify what action to take when an IPv4 packet of the specific protocol type is received, by selecting one of the following:
    • Block. Drop the packet. This is the default.
    • None. No action.

IP Fragments

When an IP packet is too big to be transported by a network link, it is split into several smaller IP packets and transmitted in fragments. To conceal a known attack or exploit, an attacker might imitate this common behavior and break the data section of a single packet into several fragmented packets. Without reassembling the fragments, it is not always possible to detect such an attack. Therefore, the Embedded NGX gateway always reassembles all the fragments of a given IP packet, before inspecting it to make sure there are no attacks or exploits in the packet.

You can configure how fragmented packets should be handled.

Table 29: IP Fragments Fields

In this field…  Do this…

Forbid IP Fragments
    Specify whether all fragmented packets should be dropped, by selecting one of the following:
    • True. Drop all fragmented packets.
    • False. No action. This is the default.
    Under normal circumstances, it is recommended to leave this field set to False. Setting this field to True may disrupt Internet connectivity, because it does not allow any fragmented packets.

Max Number of Incomplete Packets
    Type the maximum number of fragmented packets allowed. Packets exceeding this threshold will be dropped.
    The default value is 300.

Timeout for Discarding Incomplete Packets
    When the Embedded NGX gateway receives packet fragments, it waits for additional fragments to arrive, so that it can reassemble the packet. Type the number of seconds to wait before discarding incomplete packets.
    The default value is 10.

Track
    Specify whether to log fragmented packets, by selecting one of the following:
    • Log. Log all fragmented packets.
    • None. Do not log the fragmented packets. This is the default.

Max Ping Size

PING (ICMP echo request) is a program that uses ICMP protocol to check whether a remote machine is up. A request is sent by the client, and the server responds with a reply echoing the client's data.


Configuring SmartDefense SettingsAn attacker can echo the client with a large amount of data, causing a buffer overflow.You can protect against such attacks by limiting the allowed size for ICMP echo requests.Table 30: Max Ping Size FieldsIn this field…ActionTrackMax Ping SizeDo this…Specify what action to take when an ICMP echo response exceeds the MaxPing Size threshold, by selecting one of the following: Block. Block the request. This is the default. None. No action.Specify whether to log ICMP echo responses that exceed the Max Ping Sizethreshold, by selecting one of the following: Log. Log the responses. This is the default. None. Do not log the responses.Specify the maximum data size for ICMP echo response.The default value is 548.Network QuotaAn attacker may try to overload a server in your network by establishing a very largenumber of connections per second. To protect against Denial Of Service (DoS) attacks,Network Quota enforces a limit upon the number of connections per second that areallowed from the same source IP address.Chapter 3: Managing Your Gateways 99
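The following is an added example, not Check Point's code, showing how a per-source connections-per-second quota of the kind Network Quota enforces can be modelled: a one-second sliding window of accepted connection attempts per source IP, with new attempts blocked once the window is full. The class name, the threshold value and the constructed traffic (one flooding source and one normal client) are assumptions of the example.

```python
from collections import defaultdict, deque

# Added example (not Check Point code): a per-source connections-per-second
# quota in the spirit of the Network Quota protection. Threshold, IPs and
# timestamps below are constructed for the demonstration.


class NetworkQuota:
    """Admit or block *new* connection attempts per source IP.

    A one-second sliding window of accepted attempts is kept per source.
    Once the window already holds `max_per_second` attempts, further new
    connections from that source are blocked until entries age out; traffic
    on already-accepted connections is never touched by this check.
    """

    def __init__(self, max_per_second: int = 100):
        self.max_per_second = max_per_second
        self._window = defaultdict(deque)  # src_ip -> timestamps of accepted attempts
        self.log = []                       # Track: one line per blocked attempt

    def admit(self, src_ip: str, now: float) -> bool:
        window = self._window[src_ip]
        while window and now - window[0] >= 1.0:   # age out attempts older than 1 s
            window.popleft()
        if len(window) >= self.max_per_second:
            self.log.append(
                f"t={now:.3f} BLOCK new connection from {src_ip}: "
                f"{len(window)} conns/s reached quota {self.max_per_second}")
            return False
        window.append(now)
        return True


def simulate(events, max_per_second=100):
    """events: iterable of (timestamp, src_ip) new-connection attempts.

    Returns ({src_ip: (accepted, blocked)}, log_lines)."""
    quota = NetworkQuota(max_per_second)
    counts = defaultdict(lambda: [0, 0])
    for ts, ip in sorted(events):
        counts[ip][0 if quota.admit(ip, ts) else 1] += 1
    return {ip: tuple(c) for ip, c in counts.items()}, quota.log


def constructed_events():
    """Constructed traffic: one flooding source and one normal client."""
    events = [(i / 250.0, "10.0.0.5") for i in range(250)]     # 250 attempts in 1 s
    events += [(i * 0.1, "10.0.0.7") for i in range(20)]       # 20 attempts in 2 s
    return events


if __name__ == "__main__":
    per_ip, log = simulate(constructed_events())
    print(per_ip)          # {'10.0.0.5': (100, 150), '10.0.0.7': (20, 0)}
    print(log[0])
```

With the quota at 100, the flooding source gets its first 100 attempts through and the remaining 150 are blocked and logged, while the client opening 20 connections over two seconds is never affected. Lowering `max_per_second` tightens the protection but, as the table notes, a value set too low produces false alarms for busy legitimate clients.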


You can configure how connections that exceed that limit should be handled.

Table 31: Network Quota Fields

In this field… / Do this…

Action
    Specify what action to take when the number of network connections from the same source reaches the Max. Connections/Second per Source IP threshold. Select one of the following:
    - Block. Block all new connections from the source. Existing connections will not be blocked. This is the default.
    - None. No action.

Track
    Specify whether to log connections from a specific source that exceed the Max. Connections/Second per Source IP threshold, by selecting one of the following:
    - Log. Log the connections. This is the default.
    - None. Do not log the connections.

Max. Connections/Second from Same Source IP
    Type the maximum number of network connections allowed per second from the same source IP address.
    The default value is 100.
    Set a lower threshold for stronger protection against DoS attacks.
    Note: Setting this value too low can lead to false alarms.

Null Payload

Some worms, such as Sasser, use ICMP echo request packets with a null payload to detect potentially vulnerable hosts.

You can configure how null payload ping packets should be handled.

Table 32: Null Payload Fields

In this field… / Do this…

Action
    Specify what action to take when null payload ping packets are detected, by selecting one of the following:
    - Block. Block the packets. This is the default.
    - None. No action.

Track
    Specify whether to log null payload ping packets, by selecting one of the following:
    - Log. Log the packets. This is the default.
    - None. Do not log the packets.

Packet Sanity

Packet Sanity performs several Layer 3 and Layer 4 sanity checks. These include verifying packet size, UDP and TCP header lengths, dropping IP options, and verifying the TCP flags.

You can configure whether logs should be issued for offending packets.

Table 33: Packet Sanity Fields

In this field… / Do this…

Action
    Specify what action to take when a packet fails a sanity test, by selecting one of the following:
    - Block. Block the packet. This is the default.
    - None. No action.

Track
    Specify whether to issue logs for packets that fail the packet sanity tests, by selecting one of the following:
    - Log. Issue logs. This is the default.
    - None. Do not issue logs.

Disable relaxed UDP length verification
    The UDP length verification sanity check measures the UDP header length and compares it to the UDP header length specified in the UDP header. If the two values differ, the packet may be corrupted.
    However, since different applications may measure UDP header length differently, the Embedded NGX gateway relaxes the UDP length verification sanity check by default, performing the check but not dropping offending packets. This is called relaxed UDP length verification.
    Specify whether the Embedded NGX gateway should relax the UDP length verification sanity check, by selecting one of the following:
    - True. Disable relaxed UDP length verification. The Embedded NGX gateway will drop packets that fail the UDP length verification check.
    - False. Do not disable relaxed UDP length verification. The Embedded NGX gateway will not drop packets that fail the UDP length verification check. This is the default.

Welchia

The Welchia worm uses the MS DCOM vulnerability or a WebDAV vulnerability. After infecting a computer, the worm begins searching for other live computers to infect. It does so by sending a specific ping packet to a target and waiting for the reply that signals that the target is alive. This flood of pings may disrupt network connectivity.
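As an added example (not Check Point's code), the following inspector applies three of the checks described above to raw IPv4 packets: the Max Ping Size limit on ICMP echo data (default 548 bytes), the Null Payload check for echo requests with no data, and the Packet Sanity UDP length verification in both its relaxed (log only) and strict (drop) forms, plus dropping packets that carry IP options. The packet builders, addresses and verdict strings are constructed for the demonstration; IP checksums are left at zero since nothing here validates them.

```python
import struct

# Added example (not Check Point code): Layer 3/4 checks mirroring the
# Max Ping Size, Null Payload and Packet Sanity (UDP length verification)
# protections. Packets are constructed inline; thresholds follow the
# defaults in the tables (Max Ping Size 548).

MAX_PING_SIZE = 548          # default from Table 30
ICMP, UDP = 1, 17            # IP protocol numbers
ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8


def build_ipv4(proto: int, payload: bytes, options: bytes = b"") -> bytes:
    """Minimal IPv4 header (checksum left zero; this is constructed test data)."""
    ihl = 5 + len(options) // 4
    total_len = ihl * 4 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0, 0, 64, proto, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + options + payload


def build_icmp_echo(data: bytes, icmp_type: int = ICMP_ECHO_REQUEST) -> bytes:
    return struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1) + data


def build_udp(data: bytes, length_field=None) -> bytes:
    length = 8 + len(data) if length_field is None else length_field
    return struct.pack("!HHHH", 40000, 53, length, 0) + data


def inspect(packet: bytes, relaxed_udp_length: bool = True, max_ping_size: int = MAX_PING_SIZE):
    """Return (verdict, reason); verdict is 'accept' or 'drop'."""
    if len(packet) < 20:
        return "drop", "packet_sanity: truncated IP header"
    ver_ihl, total_len = packet[0], struct.unpack("!H", packet[2:4])[0]
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or total_len != len(packet):
        return "drop", "packet_sanity: IP version/length fields inconsistent with packet"
    if ihl > 20:
        return "drop", "packet_sanity: IP options present"
    proto, l4 = packet[9], packet[ihl:]
    if proto == ICMP:
        if len(l4) < 8:
            return "drop", "packet_sanity: truncated ICMP header"
        icmp_type, data_len = l4[0], len(l4) - 8
        if icmp_type == ICMP_ECHO_REQUEST and data_len == 0:
            return "drop", "null_payload: ICMP echo request with empty data"
        if icmp_type in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY) and data_len > max_ping_size:
            return "drop", f"max_ping_size: {data_len} data bytes > {max_ping_size}"
    elif proto == UDP:
        if len(l4) < 8:
            return "drop", "packet_sanity: truncated UDP header"
        claimed = struct.unpack("!H", l4[4:6])[0]
        if claimed != len(l4):
            reason = f"udp_length: header claims {claimed} bytes, {len(l4)} measured"
            if relaxed_udp_length:           # default: log only, do not drop
                return "accept", reason + " (relaxed verification, logged)"
            return "drop", reason
    return "accept", "ok"


if __name__ == "__main__":
    print(inspect(build_ipv4(ICMP, build_icmp_echo(b"A" * 600))))
    print(inspect(build_ipv4(UDP, build_udp(b"query", length_field=99))))
    print(inspect(build_ipv4(UDP, build_udp(b"query", length_field=99)), relaxed_udp_length=False))
```

The `relaxed_udp_length` flag is the inverse of the "Disable relaxed UDP length verification" field: with the default the mismatch is reported but the packet is accepted, and setting the field to True corresponds to passing `relaxed_udp_length=False`, after which the same packet is dropped.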


You can configure how the Welchia worm should be handled.

Table 34: Welchia Fields

In this field… / Do this…

Action
    Specify what action to take when the Welchia worm is detected, by selecting one of the following:
    - Block. Block the attack. This is the default.
    - None. No action.

Track
    Specify whether to log Welchia worm attacks, by selecting one of the following:
    - Log. Log the attack. This is the default.
    - None. Do not log the attack.

Microsoft Networks

This category includes File and Print Sharing.

Microsoft operating systems and Samba clients rely on the Common Internet File System (CIFS), a protocol for sharing files and printers. However, this protocol is also widely used by worms as a means of propagation.

You can configure how CIFS worms should be handled.

Table 35: File and Print Sharing Fields

In this field… / Do this…

Action
    Specify what action to take when a CIFS worm attack is detected, by selecting one of the following:
    - Block. Block the attack.
    - None. No action. This is the default.

Track
    Specify whether to log CIFS worm attacks, by selecting one of the following:
    - Log. Log the attack.
    - None. Do not log the attack. This is the default.

CIFS worm patterns list
    Select the worm patterns to detect.
    Patterns are matched against file names (including file paths but excluding the disk share name) that the client is trying to read or write from the server.

VoIP

Voice over IP (VoIP) traffic is subject to various threats, such as:
- Call redirections, in which calls intended for one recipient are redirected to another
- Stealing calls, where the caller pretends to be someone else
- System hacking, using ports that were opened for VoIP connections

This category allows you to configure various protections related to VoIP protocols. It includes the following:
- SIP on page 106
- H.323 on page 107

SIP

The SmartDefense SIP Application Level Gateway (ALG) processes the SIP protocol, allows firewall and NAT traversal, and enables Traffic Shaper to operate on SIP connections.

By default, the SIP ALG checks SIP sessions for RFC compliance. If desired, you can allow non-RFC-compliant SIP connections, so that VoIP devices that initiate non-standard SIP calls can communicate through the firewall. You can also disable the SIP ALG altogether, if it is not needed by your SIP clients or if it interferes with their operation.

Table 36: SIP Fields

In this field… / Do this…

SIP Protocol Handler
    Specify whether to enable SIP support, by selecting one of the following:
    - Enabled. Enable SIP support. This is the default.
    - Disabled. Disable SIP support.

RFC Non-compliant Messages
    Specify what action to take when non-RFC-compliant SIP packets arrive, by selecting one of the following:
    - Block. Block the packets. This is the default.
    - None. No action.

H.323

H.323 telephony is used by various devices and applications, such as Microsoft NetMeeting. SmartDefense allows you to choose whether to enable or disable the H.323 Application Level Gateway (ALG), which allows firewall and NAT traversal of H.323 calls.

Table 37: H.323 Fields

In this field… / Do this…

Peer-to-peer H.323 Support
    Specify whether to enable H.323 support, by selecting one of the following:
    - Enabled. Enable H.323 support.
    - Disabled. Disable H.323 support. This is the default.

Peer to Peer

SmartDefense can block peer-to-peer file-sharing traffic, by identifying the proprietary protocols and preventing the initial connection to the peer-to-peer networks. This prevents not only downloads, but also search operations.


This category includes the following nodes:
- BitTorrent
- eMule
- Gnutella
- KaZaA
- Winny

Note: SmartDefense can detect peer-to-peer traffic regardless of the TCP port being used to initiate the session.

In each node, you can configure how peer-to-peer connections of the selected type should be handled, using the following table.

Table 38: Peer to Peer Fields

In this field… / Do this…

Action
    Specify what action to take when a connection is attempted, by selecting one of the following:
    - Block. Block the connection.
    - None. No action. This is the default.

Track
    Specify whether to log peer-to-peer connections, by selecting one of the following:
    - Log. Log the connection.
    - None. Do not log the connection. This is the default.

Block proprietary protocols on all ports
    Specify whether proprietary protocols should be blocked on all ports, by selecting one of the following:
    - Block. Block the proprietary protocol on all ports. This in effect prevents all communication using this peer-to-peer application. This is the default.
    - None. Do not block the proprietary protocol on all ports.

Block masquerading over HTTP protocol
    Specify whether to block use of the peer-to-peer application over HTTP, by selecting one of the following:
    - Block. Block use of the application over HTTP. This is the default.
    - None. Do not block use of the application over HTTP.
    This field is not relevant for eMule.

Port Scan

An attacker can perform a port scan to determine whether ports are open and vulnerable to an attack. This is most commonly done by attempting to access a port and waiting for a response. The response indicates whether or not the port is open.

This category includes the following types of port scans:
- Host Port Scan. The attacker scans a specific host's ports to determine which of the ports are open.
- Sweep Scan. The attacker scans various hosts to determine where a specific port is open.

You can configure how the Embedded NGX gateway should react when a port scan is detected.

Table 39: Port Scan Fields

In this field… / Do this…

Number of ports accessed
    SmartDefense detects port scans by measuring the number of ports accessed over a period of time. The number of ports accessed must exceed the Number of ports accessed value within the number of seconds specified by the In a period of [seconds] value, in order for SmartDefense to consider the activity a scan.
    Type the minimum number of ports that must be accessed within the In a period of [seconds] period, in order for SmartDefense to detect the activity as a port scan.
    For example, if this value is 30, and 40 ports are accessed within the specified period of time, SmartDefense will detect the activity as a port scan.
    For Host Port Scan, the default value is 30. For Sweep Scan, the default value is 50.

In a period of [seconds]
    SmartDefense detects port scans by measuring the number of ports accessed over a period of time. The number of ports accessed must exceed the Number of ports accessed value within the number of seconds specified by the In a period of [seconds] value, in order for SmartDefense to consider the activity a scan.
    Type the maximum number of seconds that can elapse, during which the Number of ports accessed threshold is exceeded, in order for SmartDefense to detect the activity as a port scan.
    For example, if this value is 20, and the Number of ports accessed threshold is exceeded within 15 seconds, SmartDefense will detect the activity as a port scan. If it takes 30 seconds to exceed the threshold, SmartDefense will not detect the activity as a port scan.
    The default value is 20 seconds.

Track
    Specify whether to issue logs for scans, by selecting one of the following:
    - Log. Issue logs. This is the default.
    - None. Do not issue logs. This is the default.

Detect scans from Internet only
    Specify whether to detect only scans originating from the Internet, by selecting one of the following:
    - False. Do not detect only scans from the Internet. This is the default.
    - True. Detect only scans from the Internet.

SCADA

This category allows you to configure various protections related to supervisory control and data acquisition (SCADA) equipment. It includes the following:
- Modbus/TCP on page 112
- Modbus/TCP Policy on page 113
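The Port Scan detection logic described in Table 39 above, as an added example that is not Check Point's code: a detector that counts distinct ports per (source, destination) for Host Port Scan and distinct hosts per (source, port) for Sweep Scan, each inside a sliding 20-second window, with the default thresholds of 30 and 50 and an optional "Detect scans from Internet only" filter. The log line format (`t=... src=... dst=... dport=...`), the addresses and the definition of "internal" networks are assumptions made for the demonstration.

```python
import ipaddress
import re
from collections import defaultdict

# Added example (not Check Point code): a port scan detector with the two
# scan types and thresholds from Table 39 (30 ports for Host Port Scan, 50
# hosts for Sweep Scan, both inside a 20 s period). Log line format and
# addresses are constructed for this demonstration.

HOST_SCAN_PORTS = 30
SWEEP_SCAN_HOSTS = 50
PERIOD_SECONDS = 20
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LINE_RE = re.compile(r"t=(?P<t>\d+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


class PortScanDetector:
    def __init__(self, host_ports=HOST_SCAN_PORTS, sweep_hosts=SWEEP_SCAN_HOSTS,
                 period=PERIOD_SECONDS, internet_only=False):
        self.host_ports, self.sweep_hosts, self.period = host_ports, sweep_hosts, period
        self.internet_only = internet_only      # "Detect scans from Internet only"
        self._host = defaultdict(dict)          # (src, dst)   -> {dport: last_seen}
        self._sweep = defaultdict(dict)         # (src, dport) -> {dst: last_seen}
        self._alerted = set()                   # alert once per scanner/target pair
        self.alerts = []

    def _prune(self, table, now):
        """Forget accesses older than the period, so only a burst counts."""
        for key in [k for k, seen in table.items() if now - seen > self.period]:
            del table[key]

    def observe(self, line):
        m = LINE_RE.search(line)
        if not m:
            return
        now, src, dst, dport = int(m["t"]), m["src"], m["dst"], int(m["dport"])
        if self.internet_only and any(ipaddress.ip_address(src) in n for n in INTERNAL_NETS):
            return
        ports = self._host[(src, dst)]
        ports[dport] = now
        self._prune(ports, now)
        if len(ports) > self.host_ports and ("host", src, dst) not in self._alerted:
            self._alerted.add(("host", src, dst))
            self.alerts.append(("host_port_scan", src, dst, len(ports)))
        hosts = self._sweep[(src, dport)]
        hosts[dst] = now
        self._prune(hosts, now)
        if len(hosts) > self.sweep_hosts and ("sweep", src, dport) not in self._alerted:
            self._alerted.add(("sweep", src, dport))
            self.alerts.append(("sweep_scan", src, dport, len(hosts)))


def run(lines, **kwargs):
    det = PortScanDetector(**kwargs)
    for line in lines:
        det.observe(line)
    return det.alerts


def constructed_log():
    """Constructed connection log: a fast host scan, a sweep, a slow scan, normal use."""
    lines = [f"t={100 + i // 4} src=203.0.113.9 dst=10.0.0.5 dport={20 + i}" for i in range(40)]
    lines += [f"t={200 + i // 10} src=198.51.100.4 dst=10.0.1.{i + 1} dport=445" for i in range(60)]
    lines += [f"t={1000 + i * 5} src=192.0.2.1 dst=10.0.0.9 dport={1000 + i}" for i in range(40)]
    lines += [f"t=3000 src=10.0.0.8 dst=10.0.0.5 dport={p}" for p in (80, 443, 22, 53, 25)]
    return lines


if __name__ == "__main__":
    for alert in run(constructed_log()):
        print(alert)
```

The slow scanner in the constructed log touches 40 ports but only one every five seconds, so at most five fall inside any 20-second window and no alert fires: that is exactly the trade-off the "In a period of [seconds]" field controls, and it is why a longer period catches slower scans at the cost of more false positives from busy legitimate clients.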


Note: These settings are relevant for UTM-1 Edge appliances only.

Modbus/TCP

SCADA equipment uses the Modbus/TCP protocol over TCP port 502 for communication. You can configure SmartDefense to scan Modbus/TCP connections, enforce compliance with the Modbus/TCP standard, and limit Modbus/TCP requests to a specified set of functions, devices, and registers.

Table 40: Modbus/TCP Fields

In this field… / Do this…

Action
    Specify what action to take when a Modbus/TCP connection does not match the protocol compliance and/or the Modbus function policy, by selecting one of the following:
    - Block. Block the connection.
    - None. No action. This is the default.

Track
    Specify whether to log Modbus/TCP connections that do not match protocol compliance and/or the Modbus function policy, by selecting one of the following:
    - Log. Log the connection.
    - None. Do not log the connection. This is the default.

Verify protocol compliance
    Specify whether to verify compliance with the Modbus/TCP standard, by selecting one of the following:
    - Enabled. Verify compli
    - Disabled. Do not verify compliance. This is the default.

Specify Modbus function policy
    Specify whether to block Modbus commands that do not comply with the Modbus function policy, by selecting one of the following:
    - Enabled. Block all Modbus commands that do not match the function policy.
    - Disabled. Do not enforce the Modbus function policy. This is the default.
    If you select Enabled, you must configure the Modbus function policy. See Modbus/TCP Policy on page 113.

Modbus/TCP Policy

If you enabled blocking of Modbus commands that do not comply with the Modbus function policy (see Modbus/TCP on page 112), then you must configure the Modbus function policy. This policy is comprised of a list of allowed Modbus/TCP commands.

Adding and Editing Allowed Commands

To add or edit an allowed command

1. Do one of the following:
   - To add a new command, click New.
   - To edit an existing command, click the number next to the desired command.
   The Modbus/TCP Allowed Command Wizard opens, displaying the Select Function dialog box.
2. Complete the fields using the information in the following table.
3. Click Next.
   The Additional Information dialog box appears.
4. Complete the fields using the information in the following table.
5. Click Next.
   The Destination & Source dialog box appears.
6. Complete the fields using the information in the following table.


7. Click Next.
   The final dialog box appears.
8. Click Finish.
   The new command appears in the Modbus/TCP Policy table.

Table 41: Modbus/TCP Allowed Command Wizard Fields

In this field… / Do this…

Any Function
    Click this option to specify that the allowed command can include any function.

Standard Function
    Click this option to specify that the allowed command must include a specific standard function.
    You must then select the desired function from the drop-down list.

Custom Function
    Click this option to specify that the allowed command must include a specific non-standard function.
    The Function Range fields are enabled. You must fill them in.

Function Range
    To specify the function range, type the start function number in the left text box, and the end function number in the right text box.
    The function numbers must be between 1 and 255.
    Note: If you enter only one function number, the range will include only that function.

Any Unit
    Click this option to specify that the allowed function(s) can access any Modbus/TCP unit.

Specified Unit
    Click this option to specify that the allowed function(s) can access a specific Modbus/TCP unit only.
    The Unit ID field appears.

Unit ID
    Type the allowed unit's ID number in the field provided. The ID number must be between 0 and 255.

The connection source is
    Select the source of the functions you want to allow. This list includes network objects.
    To specify an IP address, select Specified IP and type the desired IP address in the field provided.
    To specify an IP address range, select Specified Range and type the desired IP address range in the fields provided.
    To specify the Embedded NGX IP address, select This Gateway.
    To specify any source, select ANY.

And the destination is
    Select the destination of the functions you want to allow. This list includes network objects.
    To specify an IP address, select Specified IP and type the desired IP address in the text box.
    To specify an IP address range, select Specified Range and type the desired IP address range in the fields provided.
    To specify the Embedded NGX IP addresses, select This Gateway.
    To specify any destination except the local management portal IP addresses, select ANY.

Deleting Allowed Commands

To delete an allowed command

1. In the Modbus/TCP Policy table, select the check box next to the desired command.
2. Click Delete.
   A confirmation message appears.
3. Click OK.
   The command is deleted.
4. Click .

TCP

This category allows you to configure various protections related to the TCP protocol. It includes the following:
- Small PMTU on page 120
- Strict TCP on page 122
- SynDefender on page 123

Flags

The URG flag is used to indicate that there is urgent data in the TCP stream, and that the data should be delivered with high priority. Since handling of the URG flag is inconsistent between different operating systems, an attacker can use the URG flag to conceal certain attacks.

You can configure how the URG flag should be handled.

Table 42: Flags Fields

In this field… / Do this…

URG Flag
    Specify whether to clear or allow the URG flag, by selecting one of the following:
    - Clear. Clear the URG flag on all incoming packets. This is the default.
    - Allow. Allow the URG flag.
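The Modbus/TCP and Modbus/TCP Policy settings above (Tables 40 and 41) describe two checks applied to each request: framing compliance and a list of allowed commands expressed as function ranges, unit IDs and source/destination addresses. As an added example that is not Check Point's code, the block below parses the Modbus/TCP MBAP header, treats a wrong protocol identifier, a length field that disagrees with the frame, or function code 0 as non-compliant, and evaluates the request against a constructed policy. The policy rows, addresses and unit IDs are assumptions, and address ranges are written as CIDR blocks rather than the wizard's start/end form.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example (not Check Point code): a Modbus/TCP frame parser plus a
# function-policy evaluator modelled on the Modbus/TCP and Modbus/TCP Policy
# settings. Addresses, unit IDs and the policy rows are constructed;
# address ranges are written as CIDR blocks for brevity.

MODBUS_TCP_PORT = 502


@dataclass
class AllowedCommand:
    """One row of the allowed-command policy (wizard fields in Table 41)."""
    functions: Optional[Tuple[int, int]] = None   # None = Any Function, else inclusive range 1..255
    unit_id: Optional[int] = None                 # None = Any Unit, else 0..255
    source: str = "0.0.0.0/0"                     # ANY, or a Specified IP / Specified Range
    destination: str = "0.0.0.0/0"

    def matches(self, src: str, dst: str, unit: int, function: int) -> bool:
        if self.functions and not self.functions[0] <= function <= self.functions[1]:
            return False
        if self.unit_id is not None and unit != self.unit_id:
            return False
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.source)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.destination))


def parse_mbap(frame: bytes) -> dict:
    """Parse the MBAP header and function code; raise ValueError when the frame
    is not compliant with Modbus/TCP framing (the 'Verify protocol compliance' check)."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto_id, length, unit = struct.unpack("!HHHB", frame[:7])
    if proto_id != 0:
        raise ValueError(f"protocol identifier {proto_id}, expected 0")
    if length != len(frame) - 6:                   # length counts unit id + PDU
        raise ValueError(f"length field {length} but {len(frame) - 6} bytes follow it")
    function = frame[7]
    if function == 0:
        raise ValueError("function code 0 is not defined")
    return {"tid": tid, "unit": unit, "function": function, "data": frame[8:]}


def evaluate(frame: bytes, src: str, dst: str, policy: List[AllowedCommand],
             verify_compliance: bool = True, enforce_policy: bool = True):
    """Return ('accept'|'block', reason) following the Action semantics of Table 40."""
    try:
        req = parse_mbap(frame)
    except ValueError as err:
        if verify_compliance:
            return "block", f"non-compliant: {err}"
        return "accept", f"compliance not verified ({err})"
    if enforce_policy and not any(r.matches(src, dst, req["unit"], req["function"]) for r in policy):
        return "block", f"function {req['function']} to unit {req['unit']} from {src} not in policy"
    return "accept", f"function {req['function']} to unit {req['unit']}"


def build_frame(tid: int, unit: int, function: int, data: bytes,
                protocol_id: int = 0, length: Optional[int] = None) -> bytes:
    """Constructed Modbus/TCP ADU; protocol_id/length overrides produce non-compliant frames."""
    pdu = bytes([function]) + data
    return struct.pack("!HHHB", tid, protocol_id, 1 + len(pdu) if length is None else length, unit) + pdu


def demo_policy() -> List[AllowedCommand]:
    return [
        # reads (Read Coils .. Read Input Registers, functions 1-4) from the HMI subnet to the PLC
        AllowedCommand(functions=(1, 4), source="10.0.0.0/24", destination="10.0.1.10/32"),
        # single writes (functions 5-6) only from one engineering station, only to unit 1
        AllowedCommand(functions=(5, 6), unit_id=1, source="10.0.0.5/32", destination="10.0.1.10/32"),
    ]


if __name__ == "__main__":
    policy = demo_policy()
    print(evaluate(build_frame(1, 1, 3, b"\x00\x00\x00\x0a"), "10.0.0.20", "10.0.1.10", policy))
    print(evaluate(build_frame(2, 1, 6, b"\x00\x01\x00\xff"), "10.0.0.20", "10.0.1.10", policy))
```

Note how the two checks are independent, as the table implies: with `verify_compliance=False` a malformed frame is let through without the policy ever being consulted, and with `enforce_policy=False` a compliant frame carrying any function code is accepted. Enabling both is what restricts the PLC to the read functions from the HMI subnet and the single-write functions from one station.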


Sequence Verifier

The Embedded NGX gateway examines each TCP packet's sequence number and checks whether it matches a TCP connection state. You can configure how the gateway handles packets that match a TCP connection in terms of the TCP session but have incorrect sequence numbers.

Table 43: Sequence Verifier Fields

In this field… / Do this…

Action
    Specify what action to take when TCP packets with incorrect sequence numbers arrive, by selecting one of the following:
    - Block. Block the packets.
    - None. No action. This is the default.

Track
    Specify whether to log TCP packets with incorrect sequence numbers, by selecting one of the following:
    - Log. Log the packets. This is the default.
    - None. Do not log the packets.

Small PMTU

Small PMTU (Packet MTU) is a bandwidth attack in which the client fools the server into sending large amounts of data using small packets. Each packet has a large overhead that creates a "bottleneck" on the server.

You can protect against this attack by specifying a minimum packet size for data sent over the Internet.

Table 44: Small PMTU Fields

In this field… / Do this…

Action
    Specify what action to take when a packet is smaller than the Minimal MTU Size threshold, by selecting one of the following:
    - Block. Block the packet.
    - None. No action. This is the default.

Track
    Specify whether to issue logs for packets that are smaller than the Minimal MTU Size threshold, by selecting one of the following:
    - Log. Issue logs. This is the default.
    - None. Do not issue logs.

Minimal MTU Size
    Type the minimum value allowed for the MTU field in IP packets sent by a client.
    An overly small value will not prevent an attack, while an overly large value might degrade performance and cause legitimate requests to be dropped.
    The default value is 300.


Strict TCP

Out-of-state TCP packets are SYN-ACK or data packets that arrive out of order, before the TCP SYN packet.

Note: In normal conditions, out-of-state TCP packets can occur after the Embedded NGX restarts, since connections that were established prior to the reboot are unknown. This is normal and does not indicate an attack.

Note: Certain SmartDefense protections implicitly apply the Strict TCP protection to relevant connections. In such cases, "TCP Out-of-State" log messages may appear in the Security Log, even though the Strict TCP protection is disabled.

You can configure how out-of-state TCP packets should be handled.

Table 45: Strict TCP

In this field… / Do this…

Action
    Specify what action to take when an out-of-state TCP packet arrives, by selecting one of the following:
    - Block. Block the packets.
    - None. No action. This is the default.

Track
    Specify whether to log out-of-state TCP packets, by selecting one of the following:
    - Log. Log the packets. This is the default.
    - None. Do not log the packets.

SynDefender

In a SYN attack, the attacker sends many SYN packets without finishing the three-way handshake. This causes the attacked host to be unable to accept new connections.

You can protect against this attack by specifying a maximum amount of time for completing handshakes.

Table 46: SynDefender Fields

In this field… / Do this…

Action
    Specify what action to take when a SYN attack occurs, by selecting one of the following:
    - Block. Block the packet. This is the default.
    - None. No action.
    A SYN attack is when more than 5 incomplete TCP handshakes are detected within 10 seconds. A handshake is considered incomplete when it exceeds the Maximum Time for Completing the Handshake threshold.

Track
    Specify whether to issue logs for the events specified by the Log Mode parameter, by selecting one of the following:
    - Log. Issue logs. This is the default.
    - None. Do not issue logs.

Log Mode
    Specify upon which events logs should be issued, by selecting one of the following:
    - None. Do not issue logs.
    - Log per attack. Issue logs for each SYN attack. This is the default.
    - Log individual unfinished handshakes. Issue logs for each incomplete handshake.
    This field is only relevant if the Track field is set to Log.

Maximum Time for Completing the Handshake
    Type the maximum amount of time in seconds after which a TCP handshake is considered incomplete.
    The default value is 10 seconds.

Protect external interfaces only
    Specify whether SynDefender should be enabled for external (WAN) interfaces only, by selecting one of the following:
    - Disabled. Enable SynDefender for all the firewall interfaces. This is the default.
    - Enabled. Enable SynDefender for external interfaces only.

Games

This category includes XBox LIVE.
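The Strict TCP and SynDefender protections described above both depend on the gateway tracking the state of each TCP handshake. As an added example that is not Check Point's code, the tracker below implements the two rules as stated in Tables 45 and 46: a SYN-ACK or data segment for which no SYN was seen is "out of state" and is blocked (or only logged, when Strict TCP is set to None), and a handshake still pending after the maximum handshake time (default 10 s) counts as incomplete, with more than 5 incomplete handshakes inside 10 s declaring a SYN attack during which new SYNs are blocked. The segment representation, addresses and timestamps are constructed for the demonstration.

```python
from dataclasses import dataclass

# Added example (not Check Point code): a connection tracker that applies the
# Strict TCP (out-of-state packets) and SynDefender (incomplete handshakes)
# rules. Flags, addresses and timestamps are constructed.

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass
class Segment:
    t: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    payload: int = 0


class TcpGuard:
    def __init__(self, strict_tcp=True, max_handshake=10.0, attack_threshold=5, attack_window=10.0):
        self.strict_tcp = strict_tcp              # Strict TCP Action: Block (True) or None (False)
        self.max_handshake = max_handshake        # Maximum Time for Completing the Handshake
        self.attack_threshold = attack_threshold  # more than 5 incomplete handshakes ...
        self.attack_window = attack_window        # ... within 10 seconds
        self.pending = {}          # (src, sport, dst, dport) -> time of the client's SYN
        self.established = set()   # both directions of completed handshakes
        self.incomplete = []       # times at which handshakes were declared incomplete
        self.attack_active = False
        self.events = []

    def _expire(self, now):
        """Time out old handshakes and re-evaluate the SYN attack condition."""
        for key, t0 in list(self.pending.items()):
            if now - t0 > self.max_handshake:
                del self.pending[key]
                self.incomplete.append(now)
        self.incomplete = [t for t in self.incomplete if now - t <= self.attack_window]
        active = len(self.incomplete) > self.attack_threshold
        if active and not self.attack_active:
            self.events.append(("syn_attack", now, len(self.incomplete)))   # Log per attack
        self.attack_active = active

    def _out_of_state(self, seg, key):
        self.events.append(("out_of_state", seg.t, key))   # "TCP Out-of-State" log
        return "block" if self.strict_tcp else "accept"

    def observe(self, seg):
        self._expire(seg.t)
        key = (seg.src, seg.sport, seg.dst, seg.dport)
        reverse = (seg.dst, seg.dport, seg.src, seg.sport)
        if seg.flags & SYN and not seg.flags & ACK:          # client SYN
            if self.attack_active:
                return "block"
            self.pending[key] = seg.t
            return "accept"
        if seg.flags & SYN:                                  # SYN-ACK must answer a known SYN
            return "accept" if reverse in self.pending else self._out_of_state(seg, key)
        if key in self.pending:                              # third packet of the handshake
            del self.pending[key]
            self.established.update((key, reverse))
            return "accept"
        if key in self.established:
            return "accept"
        return self._out_of_state(seg, key)                  # data before any SYN


def run(segments, **kwargs):
    guard = TcpGuard(**kwargs)
    return guard, [guard.observe(s) for s in segments]


def constructed_segments():
    c, s, stray, atk = "10.0.0.8", "10.0.0.5", "203.0.113.9", "198.51.100.7"
    segs = [Segment(0.0, c, 40000, s, 80, SYN), Segment(0.1, s, 80, c, 40000, SYN | ACK),
            Segment(0.2, c, 40000, s, 80, ACK), Segment(1.0, c, 40000, s, 80, ACK | PSH, 120),
            Segment(2.0, stray, 5555, s, 80, ACK | PSH, 40),      # data with no handshake
            Segment(3.0, stray, 80, s, 6000, SYN | ACK)]          # SYN-ACK nobody asked for
    segs += [Segment(5.0 + i, atk, 50000 + i, s, 80, SYN) for i in range(8)]  # never completed
    segs += [Segment(30.0, atk, 50100, s, 80, SYN),              # by now 8 handshakes timed out
             Segment(45.0, "10.0.0.9", 41000, s, 80, SYN)]       # window has cleared again
    return segs


if __name__ == "__main__":
    guard, verdicts = run(constructed_segments())
    print(verdicts)
    print(guard.events)
```

The last two constructed segments show the window behaviour: at t=30 the eight handshakes opened between t=5 and t=12 have all exceeded the 10-second limit, so the attack condition holds and the SYN is blocked, whereas at t=45 the incomplete handshakes have aged out of the 10-second window and a new client's SYN is admitted again.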


XBox 360 requires gateways hosting XBox LIVE games to use the "Open NAT" method rather than the normal "Strict NAT" method. Therefore, if you want to host online games on an XBox 360 console, you must first configure your Embedded NGX gateway to use the "Open NAT" method.

Table 47: XBox LIVE Fields

In this field… / Do this…

Xbox Live Open NAT
    Specify whether the Embedded NGX gateway should use the "Open NAT" method, by selecting one of the following:
    - Enabled. Use the "Open NAT" method. You will be able to host XBox LIVE games and join existing ones.
    - Disabled. Do not use the "Open NAT" method. You will not be able to host XBox LIVE games, but you will still be able to join existing ones. This is the default.

Configuring VStream Antivirus Settings

VStream Antivirus includes a flexible mechanism that allows the user to define exactly which traffic should be scanned for viruses, by specifying the protocol, ports, and source and destination IP addresses.

Note: VStream Antivirus differs from the Mail Antivirus subscription service (part of the Email Filtering service) in the following ways:
- Mail Antivirus is centralized, redirecting traffic through the Service Center for scanning, while VStream Antivirus scans for viruses in the gateway itself.
- Mail Antivirus is specific to email, scanning incoming POP3 and outgoing SMTP connections only, while VStream Antivirus supports additional protocols, including incoming SMTP and outgoing POP3 connections.

You can use either antivirus solution or both in conjunction. For information on configuring Email Antivirus, see Configuring Email Filtering Settings on page 171.

If a plan specifies remote management, the following VStream Antivirus settings can be configured in the plan:
- Enabling VStream Antivirus
- VStream Antivirus rules
- VStream Antivirus advanced settings

All gateways subscribed to the plan will take their VStream Antivirus settings from the plan, by default. If desired, you can override the inherited VStream Antivirus settings for a specific gateway, by configuring these settings in the gateway.

Enabling/Disabling VStream Antivirus

To enable/disable VStream Antivirus

1. In the navigation tree, click the VStream Antivirus node.
   The VStream Antivirus fields appear.
2. If needed, unlock the node from the plan.
3. Select the Remotely manage VStream Antivirus check box.
   The fields are enabled.
   If configuring settings for a specific gateway, information about the installed VStream Antivirus databases is displayed, as described in the following table.
4. In the Mode drop-down list, do one of the following:
   - To enable VStream Antivirus, select Enabled.
   - To disable VStream Antivirus, select Disabled.
5. Click .


Table 48: VStream Antivirus Fields

This field… / Displays…

Main Version
    The date and time at which the main database was last updated, followed by the version number.

Daily Version
    The date and time at which the daily database was last updated, followed by the version number.

Configuring VStream Antivirus Rules

Adding and Editing VStream Antivirus Rules

To add or edit a VStream Antivirus rule

1. In the navigation tree, click the VStream Antivirus > Antivirus Policy node.
   The Antivirus Policy fields appear.
2. Do one of the following:
   - To add a new rule, click New.
   - To edit an existing rule, click the number next to the desired rule.
   The Edit VStream Policy Rule Wizard opens, with the Edit VStream Policy Rule: Step 1 dialog box displayed.
3. Complete the fields using the information in the table below.
4. Click Next.
   The Edit VStream Policy Rule: Step 2 dialog box appears.
   The example below shows a Scan rule.
5. Complete the fields using the information in the table below.
6. Click Next.
   The Edit VStream Policy Rule: Step 3 dialog box appears.
7. Complete the fields using the information in the table below.


Configuring VStream Antivirus Settings8. Click Next.The Edit VStream Policy Ruled: Step 4 dialog box appears.9. Click Finish.The rule appears in the Antivirus Policy table.10. Click .Table 49: Edit VStream Policy Rule Wizard FieldsIn this field…ScanDo this…This rule type enables you to specify that VStream Antivirus should scantraffic matching the rule.If a virus is found, it is blocked and logged.PassAny ServiceThis rule type enables you to specify that VStream Antivirus should not scantraffic matching the rule.Click this option to specify that the rule should apply to any service.130 <strong>Self</strong> <strong>Provisioning</strong> <strong>Portal</strong> <strong>User</strong> <strong>Guide</strong>


Configuring VStream Antivirus SettingsIn this field…Standard ServiceDo this…Click this option to specify that the rule should apply to a specific standardservice.The Select a service drop-down list appears.Select a serviceCustom ServiceSelect the standard service protocol for which the rule should apply.Click this option to specify that the rule should apply to a specificnon-standard service.The Protocol and Port Range fields appear.ProtocolPort RangeSelect the protocol (TCP, UDP, GRE, ESP, ICMP, or ANY) for which the ruleshould apply.To specify the port range to which the rule applies, type the start port numberin the left text box, and the end port number in the right text box.Note: If you do not enter a port range, the rule will apply to all ports. If youenter only one port number, the range will include only that port.SourceSelect the source of the connections you want to allow/block.To specify an IP address, select Specified IP and type the desired IP addressin the field provided.To specify an IP address range, select Specified Range and type the desiredIP address range in the fields provided.Chapter 3: Managing Your Gateways 131


Destination
  Select the destination of the connections you want to scan or pass.
  To specify an IP address, select Specified IP and type the IP address in the text box.
  To specify an IP address range, select Specified Range and type the IP address range in the fields provided.
  To specify the local management portal and network printers, select This Gateway.
  To specify any destination except the local management portal and network printers, select ANY.

Direction
  Select the direction of connections to which the rule should apply:
  - Download and Upload data. The rule applies to downloaded and uploaded data. This is the default.
  - Download data. The rule applies to downloaded data, that is, data flowing from the destination of the connection to the source of the connection.
  - Upload data. The rule applies to uploaded data, that is, data flowing from the source of the connection to the destination of the connection.

If the current time is
  Select this option to apply the rule only during certain hours of the day. You must then specify the time range, by clicking in the fields provided and either typing the time range or selecting the times in the drop-down list that appears.

Description
  Type a description of the rule.

Enable this rule
  Select this option to enable the rule.


Reordering VStream Antivirus Rules

VStream Antivirus processes policy rules in the order they appear in the Antivirus Policy table: rule 1 is checked before rule 2, and so on, and the first rule that matches a connection is the one applied. This lets you define exceptions to rules by placing the exceptions higher in the table.

For example, to scan all outgoing SMTP traffic except traffic from a specific IP address, create a rule scanning all outgoing SMTP traffic and move it down in the Antivirus Policy table. Then create a rule passing SMTP traffic from the desired IP address and move it above the first rule. In the guide's figure, the general rule is rule number 2 and the exception is rule number 1.

The gateway processes rule 1 first, passing outgoing SMTP traffic from the specified IP address, and only then rule 2, scanning all other outgoing SMTP traffic. If the two rules are swapped, the general rule matches the trusted host's traffic first and the exception never takes effect.

To reorder VStream Antivirus rules
1. In the navigation tree, click the VStream Antivirus > Antivirus Policy node.
   The Antivirus Policy fields appear.
2. In the Antivirus Policy table, click each rule you want to move and drag it to the desired location in the table.
3. Click the icon to apply your changes.

Deleting VStream Antivirus Rules

To delete a VStream Antivirus rule
1. In the navigation tree, click the VStream Antivirus > Antivirus Policy node.
   The Antivirus Policy fields appear.
2. Select the check box next to the desired rule.
3. Click Delete.
   A confirmation message appears.
4. Click OK.
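The first-match evaluation described above (the same rule applies to the VStream Antispam policy under Configuring VStream Antispam Rules), as an added example that is not Check Point code: a small rule matcher in Python with the fields of Table 49, the guide's SMTP exception in both orders, and a check that flags rules an earlier rule makes unreachable. The addresses (documentation ranges), the `scan`/`pass` action names and the default applied when no rule matches are assumptions of the example.

```python
"""First-match evaluation of VStream policy rules (added example, not Check Point code)."""
import ipaddress
from dataclasses import dataclass

ANY = "ANY"


@dataclass(frozen=True)
class Rule:
    action: str                 # "scan" or "pass" (VStream Antispam rules add "reject")
    protocol: str = ANY         # TCP, UDP, GRE, ESP, ICMP or ANY
    ports: tuple = None         # (start, end); None = all ports; (25, 25) = only port 25
    source: str = ANY           # ANY, one IP address, or a "first-last" range
    destination: str = ANY      # same forms as source
    direction: str = "both"     # "both", "download" or "upload"
    enabled: bool = True
    description: str = ""


def _ip_matches(spec: str, ip: str) -> bool:
    """Specified IP / Specified Range / ANY, as in the wizard's Source and Destination fields."""
    if spec == ANY:
        return True
    addr = ipaddress.ip_address(ip)
    if "-" in spec:
        first, last = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return first <= addr <= last
    return addr == ipaddress.ip_address(spec)


def matches(rule: Rule, conn: dict) -> bool:
    """conn has the keys protocol, port, src, dst and direction."""
    if not rule.enabled:
        return False
    if rule.protocol != ANY and rule.protocol != conn["protocol"]:
        return False
    if rule.ports is not None and not rule.ports[0] <= conn["port"] <= rule.ports[1]:
        return False
    if rule.direction != "both" and rule.direction != conn["direction"]:
        return False
    return _ip_matches(rule.source, conn["src"]) and _ip_matches(rule.destination, conn["dst"])


def decide(policy: list, conn: dict, default: str = "scan") -> tuple:
    """Return (action, rule number) of the first matching rule, or (default, 0) if none matches.

    The default for unmatched traffic is an assumption of this example; the guide does not say
    what the gateway does when no rule matches."""
    for number, rule in enumerate(policy, start=1):
        if matches(rule, conn):
            return rule.action, number
    return default, 0


def _covers(broad: Rule, narrow: Rule) -> bool:
    """Conservative field-wise test: every connection matching `narrow` also matches `broad`."""
    ports_ok = broad.ports is None or (
        narrow.ports is not None
        and broad.ports[0] <= narrow.ports[0] and narrow.ports[1] <= broad.ports[1])
    return (broad.enabled
            and broad.protocol in (ANY, narrow.protocol)
            and ports_ok
            and broad.source in (ANY, narrow.source)
            and broad.destination in (ANY, narrow.destination)
            and broad.direction in ("both", narrow.direction))


def shadowed(policy: list) -> list:
    """Numbers of rules that can never fire because an earlier rule already covers them."""
    return [n for n, rule in enumerate(policy, start=1)
            if any(_covers(earlier, rule) for earlier in policy[:n - 1])]


# The guide's example: scan all outgoing SMTP except traffic from one trusted host.
EXCEPTION = Rule("pass", "TCP", (25, 25), source="192.0.2.10", description="trusted relay, do not scan")
GENERAL = Rule("scan", "TCP", (25, 25), description="scan all outgoing SMTP")
CORRECT_ORDER = [EXCEPTION, GENERAL]   # rule 1 = exception, rule 2 = general, as in the figure
WRONG_ORDER = [GENERAL, EXCEPTION]     # the exception is now unreachable

# Constructed connections (documentation addresses).
RELAY_SMTP = {"protocol": "TCP", "port": 25, "src": "192.0.2.10", "dst": "203.0.113.25", "direction": "upload"}
OTHER_SMTP = {"protocol": "TCP", "port": 25, "src": "192.0.2.77", "dst": "203.0.113.25", "direction": "upload"}
HTTP = {"protocol": "TCP", "port": 80, "src": "192.0.2.10", "dst": "203.0.113.80", "direction": "download"}

if __name__ == "__main__":
    for name, policy in (("correct", CORRECT_ORDER), ("wrong", WRONG_ORDER)):
        print(name, decide(policy, RELAY_SMTP), decide(policy, OTHER_SMTP), "shadowed:", shadowed(policy))
```

`shadowed()` only reports exact field-wise coverage (ANY or an identical value), so it may miss an overlap between two different address ranges; it is meant as a quick sanity check after dragging rules around, not as a complete policy analysis.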


   The rule is deleted.
5. Click the icon to apply your changes.

Configuring Advanced VStream Antivirus Settings

To configure advanced VStream Antivirus settings
1. In the navigation tree, click the VStream Antivirus > Advanced node.
   The Advanced Antivirus Settings fields appear.
2. Complete the fields using the information in the table below.
3. Click the icon to apply your changes.

Table 50: Advanced Antivirus Settings Fields

File Types

Block potentially unsafe file types in email messages
  Select this option to block all emails containing potentially unsafe attachments. Unsafe file types are:
  - DOS/Windows executables, libraries and drivers
  - Compiled HTML Help files
  - VBScript encoded files
  - Files with {CLSID} in their name
  - Files with the following extensions: ade, adp, bas, bat, chm, cmd, com, cpl, crt, exe, hlp, hta, inf, ins, isp, js, jse, lnk, mdb, mde, msc, msi, msp, mst, pcd, pif, reg, scr, sct, shs, shb, url, vb, vbe, vbs, wsc, wsf, wsh

Pass safe file types without scanning
  Select this option to accept common file types that are known to be safe, without scanning them. Safe file types are:
  - GIF
  - BMP
  - JFIF standard
  - EXIF standard
  - PNG
  - RIFF
  - RIFX
  - MPEG video stream
  - MPEG sys stream
  - Ogg Stream
  - MP3 file with ID3 version 2
  - MP3
  - PDF
  - PostScript
  - WMA/WMV/ASF
  - RealMedia file
  - JPEG (only the header is scanned; the rest of the file is skipped)
  Selecting this option reduces the load on the gateway by skipping safe file types. This option is selected by default.

Archive File Handling

Maximum nesting level
  Type the maximum number of nested content levels that VStream Antivirus should scan. Setting a higher number increases security. Setting a lower number prevents attackers from overloading the gateway by sending extremely nested archive files. The default value is 5 levels.

Maximum compression ratio 1:x
  Type the maximum compression ratio of files that VStream Antivirus should scan. For example, to specify a 1:80 maximum compression ratio, type 80. Setting a higher number allows the scanning of highly compressed files, but creates the potential for highly compressible files to put a heavy load on the gateway. Setting a lower number prevents attackers from overloading the gateway by sending extremely compressible files. The default value is 100.

When archived file exceeds limit or extraction fails
  Specify how VStream Antivirus should handle files that exceed the Maximum nesting level or the Maximum compression ratio, and files for which extraction fails. Select one of the following:
  - Pass file without scanning. Scan only the number of levels specified and skip the scanning of more deeply nested archives; skip scanning highly compressible files; and skip scanning archives that cannot be extracted because they are corrupt. This is the default.
  - Block file. Block the file.
  Note that with the default, an archive that exceeds a limit is delivered without having been scanned. If the gateway is the only antivirus layer in front of the mail clients, Block file is the safer choice.

When a password-protected file is found in archive
  VStream Antivirus cannot extract and scan password-protected files inside archives. Specify how VStream Antivirus should handle such files, by selecting one of the following:
  - Pass file without scanning. Accept the file without scanning it. This is the default.
  - Block file. Block the file.

Corrupt Files

When a corrupt file is found or decoding fails
  Specify how VStream Antivirus should handle corrupt files and protocol anomalies, by selecting one of the following:
  - Ignore and continue scanning. Log the corrupt file or protocol anomaly, and scan the information on a best-effort basis. This is the default.
  - Block file. Block and log the corrupt file or protocol anomaly.
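How the file-type and archive limits of Table 50 can be applied, as an added Python example rather than Check Point code. It keys on the table's extension list and CLSID rule plus content signatures for the DOS/Windows executable, Compiled HTML Help and VBScript encoded types, and walks nested ZIP archives checking depth and per-member compression ratio from the central directory before inflating anything. The ZIP format, the magic-byte values and the sample archives are the example's own choices; the guide only names the file types.

```python
"""Checks behind the Advanced Antivirus Settings in Table 50 (added example, not Check Point code)."""
import io
import re
import zipfile

# The extension list from "Block potentially unsafe file types in email messages".
UNSAFE_EXTENSIONS = {
    "ade", "adp", "bas", "bat", "chm", "cmd", "com", "cpl", "crt", "exe", "hlp", "hta",
    "inf", "ins", "isp", "js", "jse", "lnk", "mdb", "mde", "msc", "msi", "msp", "mst",
    "pcd", "pif", "reg", "scr", "sct", "shs", "shb", "url", "vb", "vbe", "vbs", "wsc",
    "wsf", "wsh",
}
# "Files with {CLSID} in their name": Windows Explorer hides a {CLSID} suffix, so the
# visible name need not reveal which component handles the file.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Content signatures for the types the table names without an extension.
MAGIC = {b"MZ": "DOS/Windows executable", b"ITSF": "Compiled HTML Help", b"#@~^": "VBScript encoded"}


def unsafe_reason(name: str, data: bytes = b"") -> str:
    """Return why an attachment is unsafe, or '' if the file-type check lets it through."""
    if CLSID_RE.search(name):
        return "CLSID in file name"
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in UNSAFE_EXTENSIONS:
        return f"extension .{ext}"
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind           # a renamed .txt that starts with MZ is still an executable
    return ""


def archive_verdict(data: bytes, max_nesting: int = 5, max_ratio: int = 100,
                    on_limit: str = "pass", on_password: str = "pass") -> str:
    """Apply the Archive File Handling settings to a ZIP attachment.

    Returns "scan" when every member can be inflated within the limits; otherwise the
    configured action ("pass" = Pass file without scanning, "block" = Block file).
    Defaults are the table's: 5 levels, ratio 1:100, pass on either condition."""
    state = {"limit": False, "encrypted": False}
    try:
        _walk(data, 1, max_nesting, max_ratio, state)
    except zipfile.BadZipFile:
        state["limit"] = True     # "extraction fails" is covered by the same setting
    if state["limit"]:
        return on_limit
    if state["encrypted"]:
        return on_password
    return "scan"


def _walk(data: bytes, depth: int, max_nesting: int, max_ratio: int, state: dict) -> None:
    if depth > max_nesting:
        state["limit"] = True
        return
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # Check the ratio from the central directory before inflating anything:
            # this is what keeps a zip bomb from consuming the gateway's memory.
            if info.compress_size and info.file_size / info.compress_size > max_ratio:
                state["limit"] = True
                return
            if info.flag_bits & 0x1:          # encrypted member: cannot be extracted
                state["encrypted"] = True
                continue
            member = zf.read(info)
            if zipfile.is_zipfile(io.BytesIO(member)):
                _walk(member, depth + 1, max_nesting, max_ratio, state)
                if state["limit"]:
                    return


def make_nested_zip(levels: int, payload: bytes) -> bytes:
    """Constructed test input: `payload` wrapped in `levels` ZIP archives, one inside the other."""
    data, name = payload, "payload.bin"
    for level in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), f"level{level}.zip"
    return data


ORDINARY = bytes(range(256)) * 4      # compresses a few times over, well under 1:100
BOMB = b"\0" * 200_000                # compresses far beyond 1:100

if __name__ == "__main__":
    print(unsafe_reason("invoice.pdf.exe"), "|", unsafe_reason("notes.txt", b"MZ\x90\x00"))
    print(archive_verdict(make_nested_zip(5, ORDINARY)), archive_verdict(make_nested_zip(6, ORDINARY)))
    print(archive_verdict(make_nested_zip(1, BOMB)), archive_verdict(make_nested_zip(1, BOMB), on_limit="block"))
```

The ratio test uses the sizes recorded in the archive's central directory, which an attacker can forge; a production scanner also has to cap the bytes it actually inflates, which is the limit the nesting and ratio settings exist to enforce.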


Configuring VStream Antispam Settings

VStream Antispam includes a flexible mechanism that lets you define exactly which emails should be scanned for spam, by specifying the protocol, the source and destination IP addresses, and the sender.

Note: VStream Antispam differs from the Mail Antispam subscription service (part of the Email Filtering service) in the following ways:
- VStream Antispam supports both incoming and outgoing POP3 and SMTP, as well as POP3 and SMTP connections between internal networks. In contrast, Email Antispam scans incoming POP3 and outgoing SMTP connections only.
- VStream Antispam scans for spam on the gateway, while Mail Antispam is centralized, redirecting traffic through the Service Center for scanning.
You can use either antispam solution, or both together. For information on configuring Email Antispam, see Configuring Email Filtering Settings on page 171.

Note: VStream Antispam requires Embedded NGX firmware 8.0 or later.

If a plan specifies remote management, the following VStream Antispam settings can be configured in the plan:
- Enabling VStream Antispam engines
- VStream Antispam rules
- Safe senders


- Content Based Antispam settings
- Block List settings
- IP Reputation settings

All gateways subscribed to the plan take their VStream Antispam settings from the plan by default. If desired, you can override the inherited VStream Antispam settings for a specific gateway, by configuring these settings in the gateway.

Enabling/Disabling VStream Antispam

VStream Antispam is composed of three antispam engines, each of which can be enabled or disabled separately:

IP Reputation
  The IP Reputation engine protects mail servers by checking the email sender's IP address against an online, constantly updated IP reputation database before accepting the SMTP connection. If the IP address belongs to a known spammer, the connection can be blocked immediately at the TCP connection level, stopping the spam before it reaches the mail server.

Block List
  VStream Antispam lets you configure a list of senders whose emails should be blocked. When an email arrives for the mail server, the Block List engine checks whether the sender's email address appears on the list. If so, VStream Antispam blocks the email. Because the sender address is supplied by the sender and is trivially forged, the Block List is a convenience for known nuisance senders rather than a security control.

Content Based Antispam
  The Content Based Antispam engine calculates a "spam fingerprint" for each incoming email message. The fingerprint is sent to a VStream Antispam data center and compared to a constantly updated database of spam messages. The data center returns a "spam score", a percentage indicating the likelihood that the message is spam. If the spam score exceeds a user-configurable threshold called the "confidence level", the message can be flagged as spam or deleted altogether.

You must enable at least one engine for VStream Antispam to work. Once you have enabled the desired engines, configure them using the relevant sections of this guide.


To enable/disable VStream Antispam
1. In the navigation tree, click the VStream Antispam node.
   The VStream Antispam fields appear.
2. If needed, unlock the node from the plan.
3. Select the Remotely manage VStream Antispam check box.
   The fields are enabled.
4. Complete the fields using the information in the table below.
5. Click the icon to apply your changes.

Table 51: VStream Antispam Fields

Content Based Antispam
  Specify the Content Based Antispam engine's mode, by clicking one of the following:
  - On. The Content Based Antispam engine is on. VStream Antispam checks email fingerprints against an online spam detection database. Emails that fail the check are handled according to the configured Content Based Antispam settings.
  - Monitor Only. The Content Based Antispam engine is on and checks email fingerprints against the online database, but emails that fail the check are only logged; any action configured in the Content Based Antispam Settings node is not performed.
  - Off. The Content Based Antispam engine is off.
  You can then click Settings to configure the Content Based Antispam settings. For further information, see Configuring the Content Based Antispam Engine on page 140.


Block List
  Specify the Block List engine's mode, by clicking one of the following:
  - On. The Block List engine is on. VStream Antispam checks email messages against the list of blocked senders. Emails that fail the check are handled according to the configured Block List settings.
  - Monitor Only. The Block List engine is on and checks email messages against the list of blocked senders, but emails that fail the check are only logged; any action configured in the Block List Settings node is not performed.
  - Off. The Block List engine is off.
  You can then click Settings to configure the Block List settings. For further information, see Configuring the Block List Engine on page 144.

SMTP IP Reputation Checking
  Specify the IP Reputation engine's mode for SMTP connections, by clicking one of the following:
  - On. The IP Reputation engine is on. VStream Antispam checks the reputation of the sending IP address against an online IP reputation database before accepting the TCP connection. Connections that fail the check are handled according to the configured IP Reputation settings.
  - Monitor Only. The IP Reputation engine is on and checks the sending IP address against the online database, but connections that fail the check are only logged; any action configured in the IP Reputation Settings node is not performed.
  - Off. The IP Reputation engine is off.
  You can then click Settings to configure the IP Reputation settings. For further information, see Configuring the IP Reputation Engine on page 147.

Configuring the Content Based Antispam Engine

You can configure how VStream Antispam handles spam and suspected spam detected by the Content Based Antispam engine.


For information on enabling this engine, see Enabling/Disabling VStream Antispam on page 138.

Note: VStream Antispam adds the following headers to each email that is scanned by the Content Based Antispam engine but not blocked:
- X-VStream-Spam-Level. An integer between 0 and 100, where 100 indicates the highest likelihood that the email is spam.
- X-VStream-Engine. The VStream Antispam engine, either "Content Based Antispam" or "Block List".
- X-Spam-Level. One to five asterisks, where five asterisks indicate the highest likelihood that the email is spam.
- X-Spam-Flag. YES if the email is deemed to be spam according to the currently configured thresholds.
For example:
  X-VStream-Spam-Level: 81%
  X-VStream-Engine: Content Based Antispam
  X-Spam-Level: ***
  X-Spam-Flag: YES
These are ordinary headers that a sender can also write into a message itself, so a downstream filter that acts on X-Spam-Flag should only trust it on mail that actually passed through the gateway.

To configure the Content Based Antispam engine
1. In the navigation tree, click the VStream Antispam > Content Based Settings node.
   The Content Based Antispam Settings fields appear.
2. Complete the fields using the information in the following table.
3. Click the icon to apply your changes.


Table 52: Content Based Antispam Settings Fields

Spam
  Configure how VStream Antispam should handle spam detected by the Content Based Antispam engine.

  Action
    Specify the action VStream Antispam takes upon detecting spam, by selecting one of the following:
    - None. Take no action.
    - Reject. Block the email. The email is permanently deleted.
    - Mark Subject. Mark the email's Subject line. If you select Mark Subject, the Marked Text field appears.
    Note: If the Content Based Antispam engine is in Monitor Only mode, this setting is ignored. For information on changing the engine's mode, see Enabling/Disabling VStream Antispam on page 138.

  Marked Text
    Type the prefix for the Subject field of the spam notification email. For example, if you type [SPAM] and the original email's Subject field displays "Earn Money the Easy Way", the spam notification email's Subject field displays "[SPAM] Earn Money the Easy Way". The default value is [SPAM].

  Track
    Specify whether VStream Antispam should log spam, by selecting one of the following:
    - Log. Log spam.
    - None. Do not log spam.


  Confidence
    Type the minimum spam confidence level (SCL) needed to fail this check. If an email's SCL matches or exceeds this threshold, the email is considered spam.
    Setting a higher SCL reduces the number of legitimate emails erroneously identified as spam, but lets more spam through as legitimate email. Setting a lower SCL catches more spam, at the cost of more false positives. The default value is 90.

Suspected Spam
  Configure how VStream Antispam should handle suspected spam detected by the Content Based Antispam engine.

  Action
    Specify the action VStream Antispam takes upon detecting potential spam, by selecting one of the following:
    - None. Take no action.
    - Reject. Block the email. The email is permanently deleted.
    - Mark Subject. Mark the email's Subject line. If you select Mark Subject, the Marked Text field appears.
    Note: If the Content Based Antispam engine is in Monitor Only mode, this setting is ignored. For information on changing the engine's mode, see Enabling/Disabling VStream Antispam on page 138.

  Marked Text
    Type the prefix for the Subject field of the suspected spam notification email. For example, if you type [SUSPECTED SPAM] and the original email's Subject field displays "Earn Money the Easy Way", the suspected spam notification email's Subject field displays "[SUSPECTED SPAM] Earn Money the Easy Way". The default value is [SUSPECTED SPAM].


  Track
    Specify whether VStream Antispam should log suspected spam, by selecting one of the following:
    - Log. Log suspected spam.
    - None. Do not log suspected spam.

  Confidence
    Type the minimum spam confidence level (SCL) needed to fail this check. If an email's SCL matches or exceeds this threshold, the email is considered suspected spam.
    Setting a higher SCL reduces the number of legitimate emails erroneously identified as suspected spam, but lets more potential spam through as legitimate email. Setting a lower SCL catches more potential spam, at the cost of more false positives. The default value is 80. Keep this value below the Spam confidence level, otherwise the suspected spam settings never apply.

Configuring the Block List Engine

You can configure a list of senders that VStream Antispam automatically blocks when the Block List engine is enabled. For information on enabling the Block List engine, see Enabling/Disabling VStream Antispam on page 138.

Note: VStream Antispam adds the same X-VStream-Spam-Level, X-VStream-Engine, X-Spam-Level and X-Spam-Flag headers described under Configuring the Content Based Antispam Engine to each email that is scanned by the Block List engine but not blocked; for a Block List match, X-VStream-Engine contains "Block List".

Adding and Editing Blocked Senders

To add or edit a blocked sender
1. In the navigation tree, click the VStream Antispam > Block List Settings node.
   The Block List Settings fields appear.
2. Do one of the following:
   - To add a new sender, click New.
   - To edit an existing sender, click the number next to the desired sender.
   The Edit Sender to Block Wizard opens.
3. In the field provided, type the sender's email address.
4. Click Finish.


   The sender appears in the Blocked Senders table.
5. Click the icon to apply your changes.

Deleting Blocked Senders

To delete a blocked sender
1. In the navigation tree, click the VStream Antispam > Block List Settings node.
   The Block List Settings fields appear.
2. Select the check box next to the desired sender.
   A confirmation message appears.
3. Click OK.
   The sender is deleted from the Blocked Senders table.
4. Click the icon to apply your changes.

Configuring Block List Settings

To configure Block List settings
1. In the navigation tree, click the VStream Antispam > Block List Settings node.
   The Block List Settings fields appear.
2. Complete the fields using the information in the following table.
3. Click the icon to apply your changes.


Table 53: Block List Settings Fields

Block Action
  Specify the action VStream Antispam takes upon receiving an email from a blocked sender, by selecting one of the following:
  - None. Take no action.
  - Reject. Block the email.
  - Mark Subject. Mark the email's Subject line. If you select Mark Subject, the Marked Text field appears.
  Note: If the Block List engine is in Monitor Only mode, this setting is ignored. For information on changing the engine's mode, see Enabling/Disabling VStream Antispam on page 138.

Marked Text
  Type the prefix for the Subject field of the spam notification email. For example, if you type [SPAM] and the original email's Subject field displays "Earn Money the Easy Way", the spam notification email's Subject field displays "[SPAM] Earn Money the Easy Way". The default value is [SPAM].

Track Blocked Senders
  Specify whether VStream Antispam should log emails from blocked senders, by selecting one of the following:
  - Log. Log emails from blocked senders.
  - None. Do not log emails from blocked senders.

Configuring the IP Reputation Engine

You can configure how VStream Antispam handles spam and suspected spam detected by the IP Reputation engine.

This engine differs from the other VStream Antispam engines in the following ways:


Table 54: IP Reputation vs. Other VStream Antispam Engines

Supported Protocols
  IP Reputation: protects mail servers only, and applies to the SMTP protocol only.
  Content Based Antispam and Block List: protect both mail servers and mail clients, and apply to both the POP3 and SMTP protocols.

Email Scanning Time
  IP Reputation: checks the sender before accepting the connection.
  Content Based Antispam and Block List: scan the email after accepting the connection.

Detection Method
  IP Reputation: examines the sender's IP address.
  Content Based Antispam and Block List: Content Based Antispam examines the email's content; Block List examines the email's Sender field.

SMTP Error Message
  IP Reputation: does not return an SMTP error message to the email sender.
  Content Based Antispam and Block List: return an SMTP error message to the email sender.

Mail Rejection Method
  IP Reputation: resets the TCP connection.
  Content Based Antispam and Block List: mark the email Subject line, mark the email header, reject the email (SMTP only), or delete the email (POP3 only).

Server Overload Protection
  IP Reputation: prevents spammers from overloading gateway and mail server resources.
  Content Based Antispam and Block List: do not prevent spammers from overloading gateway and mail server resources.

The IP Reputation engine works as follows:
1. A TCP connection arrives at the SMTP port (TCP 25).
2. VStream Antispam sends the connection's source IP address to a VStream Antispam data center.
3. The VStream Antispam data center checks the reputation of this IP address against a list of known spam sender IP addresses, and returns a spam score.
4. One of the following happens:
   - If the spam score is below the configured confidence level:
     1) VStream Antispam accepts the connection.
     2) If other engines are enabled (Content Based Antispam and Block List), VStream Antispam scans the connection using those engines.
   - If the spam score matches or exceeds the configured confidence level, VStream Antispam determines that the email is spam and handles it as specified by the IP Reputation engine's settings.
5. VStream Antispam caches the result of the IP Reputation check, so a later connection from the same address is decided without a new lookup. A change in an address's reputation therefore takes effect only once the cached result expires.

For information on enabling this engine, see Enabling/Disabling VStream Antispam on page 138.

To configure IP Reputation settings
1. In the navigation tree, click the VStream Antispam > IP Reputation Settings node.
   The IP Reputation Settings fields appear.
2. Complete the fields using the information in the following table.
3. Click the icon to apply your changes.

Table 55: IP Reputation Settings Fields

Spam
  Configure how VStream Antispam should handle spam detected by the IP Reputation engine.

  Action
    Specify the action VStream Antispam takes upon detecting spam, by selecting one of the following:
    - Reject. Log and block the email.
    - Monitor. Log the email, but do not block it.

  Track
    Specify whether VStream Antispam should log spam, by selecting one of the following:
    - Log. Log spam.
    - None. Do not log spam.

  Confidence
    Type the minimum spam confidence level (SCL) needed to fail this check. If the sender's SCL matches or exceeds this threshold, the email is considered spam.
    Setting a higher SCL reduces the number of legitimate emails erroneously identified as spam, but lets more spam through as legitimate email. Setting a lower SCL catches more spam, at the cost of more false positives. The default value is 90.

Suspected Spam
  Configure how VStream Antispam should handle suspected spam detected by the IP Reputation engine.

  Action
    Specify the action VStream Antispam takes upon detecting potential spam, by selecting one of the following:
    - Reject. Log and block the email.
    - Monitor. Log the email, but do not block it.

  Track
    Specify whether VStream Antispam should log suspected spam, by selecting one of the following:
    - Log. Log suspected spam.
    - None. Do not log suspected spam.

  Confidence
    Type the minimum spam confidence level (SCL) needed to fail this check. If the sender's SCL matches or exceeds this threshold, the email is considered suspected spam.
    Setting a higher SCL reduces the number of legitimate emails erroneously identified as suspected spam, but lets more potential spam through as legitimate email. Setting a lower SCL catches more potential spam, at the cost of more false positives. The default value is 80.
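The IP Reputation flow above, together with the Content Based Antispam settings of Table 52, the Block List and the Safe Senders list, modelled in Python as an added example (not Check Point code). The reputation and fingerprint databases are constructed dictionaries standing in for the data center lookups, the cache lifetime and the preselected actions are assumptions, and the X-Spam-Level asterisk scale is left out because the guide does not define how the score maps to asterisks.

```python
"""Model of the three VStream Antispam engines (added example, not Check Point code)."""
import email
import email.utils
import time
from dataclasses import dataclass
from email import policy

# Constructed stand-ins for the online databases the real engines query.
IP_REPUTATION = {"192.0.2.10": 97, "192.0.2.20": 85, "198.51.100.5": 3}
FINGERPRINT_SCORES = {"earn money the easy way": 81, "quarterly report": 4}
# Constructed sample messages.
SPAM_MAIL = (b"From: promo@example.net\r\nTo: user@example.com\r\n"
             b"Subject: Earn Money the Easy Way\r\n\r\nClick here\r\n")
HAM_MAIL = (b"From: cfo@example.com\r\nTo: user@example.com\r\n"
            b"Subject: Quarterly report\r\n\r\nAttached.\r\n")


@dataclass
class Thresholds:
    spam: int = 90        # Confidence default for Spam (Tables 52 and 55)
    suspected: int = 80   # Confidence default for Suspected Spam


def verdict(score: int, t: Thresholds) -> str:
    """A score that matches or exceeds a threshold fails that check."""
    if score >= t.spam:
        return "spam"
    if score >= t.suspected:
        return "suspected"
    return "clean"


class IPReputation:
    """Runs before the SMTP session is accepted, when only the source IP address is known."""

    def __init__(self, scores, thresholds=None, actions=None, ttl=600):
        self.scores = scores
        self.t = thresholds or Thresholds()
        self.actions = actions or {"spam": "reject", "suspected": "monitor"}  # assumed defaults
        self.ttl = ttl      # cache lifetime in seconds; assumed, the guide gives no value
        self.cache = {}     # ip -> (score, expiry)
        self.log = []

    def score(self, ip, now):
        hit = self.cache.get(ip)
        if hit and hit[1] > now:
            return hit[0]   # step 5 of the flow: lookups are cached
        s = self.scores.get(ip, 0)
        self.cache[ip] = (s, now + self.ttl)
        return s

    def accept(self, ip, now=None):
        """True to accept the TCP connection, False to reset it."""
        now = time.time() if now is None else now
        v = verdict(self.score(ip, now), self.t)
        if v == "clean":
            return True
        self.log.append((ip, v, self.actions[v]))
        return self.actions[v] != "reject"


class ContentEngine:
    """Content Based Antispam, Block List and Safe Senders, applied once the session is up."""

    def __init__(self, scores, thresholds=None, mode="on", safe_senders=(), blocked_senders=(),
                 actions=None, marks=None):
        self.scores = scores
        self.t = thresholds or Thresholds()
        self.mode = mode    # "on" or "monitor" (Monitor Only)
        self.safe = {s.lower() for s in safe_senders}
        self.blocked = {s.lower() for s in blocked_senders}
        # Assumed defaults: the guide lists the choices but not which one is preselected.
        self.actions = actions or {"spam": "reject", "suspected": "mark", "blocked": "reject"}
        self.marks = marks or {"spam": "[SPAM]", "suspected": "[SUSPECTED SPAM]", "blocked": "[SPAM]"}
        self.log = []

    def scan(self, raw: bytes):
        """Return the message (possibly with a marked Subject), or None when it is rejected."""
        msg = email.message_from_bytes(raw, policy=policy.default)
        sender = email.utils.parseaddr(msg["From"] or "")[1].lower()
        subject = str(msg["Subject"] or "")
        if sender in self.safe:
            return msg      # safe senders are never scored
        if sender in self.blocked:
            engine, score, v = "Block List", 100, "blocked"   # score for this engine is assumed
        else:
            engine = "Content Based Antispam"
            score = self.scores.get(subject.lower(), 0)       # stands in for the fingerprint lookup
            v = verdict(score, self.t)
        msg["X-VStream-Spam-Level"] = f"{score}%"
        msg["X-VStream-Engine"] = engine
        msg["X-Spam-Flag"] = "YES" if v != "clean" else "NO"  # NO for clean mail is assumed
        if v == "clean":
            return msg
        action = self.actions[v]
        self.log.append((sender, v, action))
        if self.mode == "monitor" or action == "none":
            return msg      # Monitor Only: logged, configured action not performed
        if action == "reject":
            return None
        msg.replace_header("Subject", f"{self.marks[v]} {subject}")
        return msg


if __name__ == "__main__":
    gate = IPReputation(dict(IP_REPUTATION))
    print({ip: gate.accept(ip, now=0) for ip in IP_REPUTATION})
    engine = ContentEngine(FINGERPRINT_SCORES)
    marked = engine.scan(SPAM_MAIL)
    print(marked["Subject"], "|", marked["X-VStream-Spam-Level"], marked["X-Spam-Flag"])
    print(engine.scan(HAM_MAIL)["X-Spam-Flag"], engine.log)
```

Note the order: `IPReputation.accept()` runs on the connection and never sees the message, which is why a safe-sender entry cannot rescue mail from an address with a spam reputation, while `ContentEngine.scan()` exempts a safe sender before any score is consulted. With the default thresholds the 81% sample lands in the suspected band and is marked; lowering the Spam confidence to 80 turns the same message into a reject.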


Configuring VStream Antispam Rules

VStream Antispam rules specify which email protocols (SMTP or POP3) and which source and destination IP addresses should be scanned by VStream Antispam.

Adding and Editing VStream Antispam Rules

To add or edit a VStream Antispam rule
1. In the navigation tree, click the VStream Antispam > Policy node.
   The Antispam Policy fields appear.
2. Do one of the following:
   - To add a new rule, click New.
   - To edit an existing rule, click the number next to the desired rule.
   The Edit VStream Antispam Policy Rule Wizard opens, with the Edit VStream Antispam Policy Rule: Step 1 dialog box displayed.
3. Complete the fields using the information in the table below.
4. Click Next.
   The Edit VStream Antispam Policy Rule: Step 2 dialog box appears.


   (The figure at this point in the guide shows a Scan rule.)
5. Complete the fields using the information in the table below.
6. Click Next.
   The Edit VStream Antispam Policy Rule: Step 3 dialog box appears.


7. Complete the fields using the information in the table below.
8. Click Finish.
   The rule appears in the Antispam Policy table.
9. Click the icon to apply your changes.

Table 56: Edit VStream Antispam Policy Rule Wizard Fields

Scan
  This rule type specifies that VStream Antispam should scan all emails matching the rule. If spam is found, the email is blocked and logged.

Pass
  This rule type specifies that VStream Antispam should allow all emails matching the rule, without scanning them.

Reject
  This rule type specifies that VStream Antispam should reject all emails matching the rule.

If the email protocol is
  Select the email protocol to which the rule should apply. The supported protocols are SMTP and POP3.

And the connection source is
  Select the source of the connections to which the rule should apply.
  To specify an IP address, select Specified IP and type the IP address in the field provided.
  To specify an IP address range, select Specified Range and type the IP address range in the fields provided.


And the destination is
  Select the destination of the connections to which the rule should apply.
  To specify an IP address, select Specified IP and type the IP address in the text box.
  To specify an IP address range, select Specified Range and type the IP address range in the fields provided.
  To specify the local management portal and network printers, select This Gateway.
  To specify any destination except the local management portal and network printers, select Any.

Description
  Type a description of the rule.

Enabled
  Select this option to enable the rule.

Reordering VStream Antispam Rules

VStream Antispam processes policy rules in the order they appear in the Antispam Policy table: rule 1 is checked before rule 2, and so on, and the first rule that matches a connection is the one applied. This lets you define exceptions to rules by placing the exceptions higher in the table.

For example, to scan all outgoing SMTP traffic except traffic from a specific IP address, create a rule scanning all outgoing SMTP traffic and move it down in the Antispam Policy table. Then create a rule passing SMTP traffic from the desired IP address and move it above the first rule. In the guide's figure, the general rule is rule number 2 and the exception is rule number 1.


The gateway processes rule 1 first, passing outgoing SMTP traffic from the specified IP address, and only then rule 2, scanning all other outgoing SMTP traffic.

To reorder VStream Antispam rules
1. In the navigation tree, click the VStream Antispam > Policy node.
   The Antispam Policy fields appear.
2. In the Antispam Policy table, click each rule you want to move and drag it to the desired location in the table.
3. Click the icon to apply your changes.

Deleting VStream Antispam Rules

To delete a VStream Antispam rule
1. In the navigation tree, click the VStream Antispam > Policy node.
   The Antispam Policy fields appear.
2. Select the check box next to the desired rule.
3. Click Delete.
   A confirmation message appears.
4. Click OK.
   The rule is deleted.
5. Click the icon to apply your changes.

Configuring Safe Senders

You can configure a list of email addresses that are "safe". VStream Antispam treats all emails sent from these addresses as legitimate (non-spam) mail.

Note: The IP Reputation check is performed before the TCP connection is accepted, at which point the sender's email address is not yet available. Therefore, if the IP Reputation engine is enabled and an SMTP session arrives from an IP address that is reputed to be a source of spam, VStream Antispam blocks the connection regardless of whether the sender's email address is on the safe senders list.

Keep the safe senders list short. The sender address is chosen by whoever sends the message, so anyone who forges a listed address bypasses the Content Based Antispam and Block List checks for that message.

Adding and Editing Safe Senders

To add or edit a safe sender
1. In the navigation tree, click the VStream Antispam > Safe Senders node.
   The Safe Senders fields appear.
2. Do one of the following:
   - To add a new sender, click New.
   - To edit an existing sender, click the number next to the desired sender.
   The Edit Safe Sender Wizard opens.
3. In the field provided, type the sender's email address.
4. Click Finish.
   The sender appears in the Safe Senders table.
5. Click the icon to apply your changes.


Deleting Safe Senders

To delete a safe sender
1. In the navigation tree, click the VStream Antispam > Safe Senders node.
   The Safe Senders fields appear.
2. Select the check box next to the desired sender.
   A confirmation message appears.
3. Click OK.
   The sender is deleted from the Safe Senders table.
4. Click the icon to apply your changes.

Configuring Safe Senders Settings

To configure Safe Senders settings
1. In the navigation tree, click the VStream Antispam > Safe Senders node.
   The Safe Senders fields appear.
2. In the Track Safe Senders drop-down list, do one of the following:
   - To log emails received from safe senders, select Log.
   - To not log emails received from safe senders, select None.
3. Click the icon to apply your changes.

Configuring Handling of Legitimate Email

You can configure how VStream Antispam handles legitimate email.

To configure handling of legitimate email
1. In the navigation tree, click the VStream Antispam node.
   The VStream Antispam fields appear.
2. In the Track Non Spam Emails drop-down list, do one of the following:
   - To log email that is detected as legitimate mail, select Log.
   - To not log email that is detected as legitimate mail, select None.
3. Click the icon to apply your changes.


Configuring Web Filtering Settings

The following Web Filtering settings can be remotely configured in the plan:

- Centralized Web Filtering, including:
  - Category-based Web Filtering
  - Centralized Web rules
- Local Web rules
- Blocked site message

All gateways subscribed to the plan will take their Web Filtering settings from the plan, by default. If desired, you can override the inherited Web Filtering settings for a specific gateway, by configuring these settings in the gateway.

Overview

The SMP enables you to provide and remotely manage various types of Web Filtering. The following table describes the differences between the types of Web Filtering:

Table 57: Web Filtering Types

                                Centralized Web Rules    Category-Based Web Filtering    Local Web Rules
Requires                        Web Filtering service    Web Filtering service           --
Executed in                     The Service Center       The UFP server                  The gateway
Restricts sites according to    The domain name          The URL's category              The entire URL path

If desired, you can configure all three types of Web Filtering simultaneously. When a user attempts to access a Web site, the local Web rules are consulted first. If no local rule matches the Web site, then the centralized Web rules are consulted. If no centralized rule matches the Web site, then the UFP server is queried, and the Web site is allowed or blocked according to its category.

Since both local and centralized Web rules are applied before the category-based Web Filtering, Web rules can be used to define exceptions to the category-based Web Filtering.
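The evaluation order just described, as an added Python model that is not part of this guide or Check Point's code: local Web rules first, then centralized Web rules, then the site's category, with the '*' wildcard and the domain-versus-IP caveat that the rule field tables later describe, plus the Fail-open mode behaviour when the Service Center is unavailable. The rule tables, the category map, and the treatment of a pattern without '*' as an exact match are constructed assumptions.

```python
"""Model of the Web Filtering decision order described in this guide: local Web
rules, then centralized Web rules, then the UFP category lookup. Added example,
not Check Point code; rule tables are first-match, top to bottom."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Callable, Iterable, Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class WebRule:
    """One row of a Web rules table.

    action     -- "allow" or "block"
    pattern    -- local rules: matched against host + path (the entire URL path);
                  centralized rules: the Domain field, matched against the host.
                  '*' stands for an unlimited run of characters, as in the guide;
                  a pattern without '*' must match exactly (assumption).
    ip_address -- centralized rules: the IP Address field; matches only when the
                  browser addressed the server by that IP literal.
    """
    action: str
    pattern: Optional[str] = None
    ip_address: Optional[str] = None


def split_url(url: str) -> tuple:
    """Return (host, path) with the scheme removed; urlsplit lower-cases the host."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return parts.hostname or "", parts.path or "/"


def local_match(rule: WebRule, host: str, path: str) -> bool:
    """Local rules restrict the entire URL path (Table 57)."""
    target = host if path == "/" else host + path
    return rule.pattern is not None and fnmatchcase(target, rule.pattern)


def centralized_match(rule: WebRule, host: str) -> bool:
    """Centralized rules restrict by domain name or by the IP Address field.

    A site blocked by domain name is not blocked when reached by its IP address,
    and vice versa (the guide's note): each field is compared on its own.
    """
    if rule.pattern is not None and fnmatchcase(host, rule.pattern):
        return True
    return rule.ip_address is not None and host == rule.ip_address


def first_match(rules: Iterable[WebRule], matches: Callable[[WebRule], bool]) -> Optional[str]:
    """Rule 1 is applied before rule 2, and so on; the first hit decides."""
    for rule in rules:
        if matches(rule):
            return rule.action
    return None


def decide(url, local_rules, centralized_rules, category_of, blocked_categories,
           service_center_up=True, fail_open=True):
    """Return (verdict, reason) for one outgoing HTTP request."""
    host, path = split_url(url)
    # 1. Local Web rules run on the gateway itself, so they still apply when the
    #    Service Center is unreachable.
    verdict = first_match(local_rules, lambda r: local_match(r, host, path))
    if verdict:
        return verdict, "local rule"
    # 2. Centralized rules and the category lookup need the Service Center; the
    #    Fail-open mode check box decides what happens while it is unavailable.
    if not service_center_up:
        return ("allow", "fail-open mode") if fail_open else ("block", "fail-closed")
    verdict = first_match(centralized_rules, lambda r: centralized_match(r, host))
    if verdict:
        return verdict, "centralized rule"
    # 3. Category-based Web Filtering: allowed or blocked by the site's category.
    category = category_of(host)
    verdict = "block" if category in blocked_categories else "allow"
    return verdict, f"category {category}"


# Constructed sample tables (not from the guide); CATEGORIES stands in for the
# UFP server. Exceptions sit above the rules they override, as the guide advises.
LOCAL_RULES = [
    WebRule("allow", "intranet.example.test*"),
    WebRule("block", "www.casino-*"),            # the guide's wildcard example
]
CENTRALIZED_RULES = [
    WebRule("allow", "*.example.org"),           # exception to category blocking
    WebRule("block", "*.gambling-example.test"),
    WebRule("block", ip_address="192.0.2.10"),   # same site by IP needs its own rule
]
CATEGORIES = {"news.example.org": "News", "promo.example.org": "Gambling",
              "www.sports-example.test": "Sports", "www.gambling-example.test": "Gambling"}
BLOCKED_CATEGORIES = {"Gambling"}


def sample_decision(url, service_center_up=True, fail_open=True):
    """Evaluate url against the sample tables above."""
    return decide(url, LOCAL_RULES, CENTRALIZED_RULES,
                  lambda h: CATEGORIES.get(h, "Uncategorized"), BLOCKED_CATEGORIES,
                  service_center_up, fail_open)
```

Note that http://203.0.113.7/ is allowed by the sample tables even though it is a constructed stand-in for a blocked site's address: the domain rules never see an IP literal, which is why the guide tells you to block both.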


Note: Both centralized and local Web rules affect outgoing traffic only and cannot be used to allow or limit access from the Internet to internal Web servers.

Regardless of which Web Filtering method is used, if a user attempts to access a blocked page, the Access Denied page appears. For information on customizing this page, see Customizing the Blocked Site Message on page 171.

If desired, you can permit specific users to override Web content filtering, by granting them Web Filtering Override permissions. Such users will be able to view Web pages without restriction, after they have provided their username and password via the Access Denied page. For information on granting Web Filtering Override permissions, see Configuring Users' Access Permissions on page 322.

In addition, you can choose to exclude specific network objects from Web content filtering enforcement. Users connecting from these network objects will be able to view Web pages without restriction, regardless of whether they have Web Filtering Override permissions. For information on configuring network objects, see Configuring Network Objects on page 245.

Configuring Centralized Web Filtering

Enabling/Disabling Centralized Web Filtering Settings

In order to use category-based Web Filtering and/or centralized Web Filtering rules, you must enable centralized Web Filtering.

To enable/disable centralized Web Filtering settings

1. In the navigation tree, expand the Web Filtering > Centralized Web Filtering node.
   The Centralized Web Filtering fields appear.
2. If needed, unlock the node from plan.
3. Select the Remotely manage Centralized Web Filtering check box.
   The fields are enabled.
   The Web Filtering server type field displays the UFP server's type. For information on changing the UFP server type, see Configuring General Settings for the SMP.
4. Do one of the following:
   - To enable centralized Web Filtering, select the Perform Web Filtering check box.
   - To disable centralized Web Filtering, clear the Perform Web Filtering check box.
   Centralized Web Filtering (including both category-based Web Filtering and centralized Web Filtering rules) is enabled or disabled.
5. Click .

Configuring Centralized Web Filtering Advanced Settings

To configure centralized Web Filtering advanced settings

1. In the navigation tree, expand the Web Filtering > Centralized Web Filtering node.
   The Centralized Web Filtering fields appear.
2. If needed, unlock the node from plan.
3. Select the Remotely manage Centralized Web Filtering check box.
   The fields are enabled.
4. Specify how Web Filtering should be handled if the centralized Web Filtering service is enabled and the Service Center is unavailable, by doing one of the following:
   - To specify that all connections to the Internet should be temporarily allowed, select the Fail-open mode check box.
     This ensures continuous access to the Internet.
   - To specify that all connections to the Internet should be temporarily blocked until the Service Center is available, clear the Fail-open mode check box.
     This ensures that users will not gain access to undesirable Web sites, even when the Service Center is unavailable.
5. Click .

Configuring Category-Based Web Filtering

To configure category-based Web Filtering

1. In the navigation tree, expand the Web Filtering > Centralized Web Filtering node.
   The Centralized Web Filtering fields appear.
2. If needed, unlock the node from plan.
3. Select the Remotely manage Centralized Web Filtering check box.
   The fields are enabled.
4. In the Web Filtering Categories area, specify which categories should be allowed/blocked, by doing the following:
   - To block a category, select the desired category in the Allowed Sites box, and then click .
     The category appears in the Blocked Sites box.
   - To allow a category, select the desired category in the Blocked Sites box, and then click .
     The category appears in the Allowed Sites box.
5. Click .

Configuring Automatic Snooze

You can automatically disable the Web Filtering service during certain hours of the day, by configuring Automatic Snooze.

To configure Automatic Snooze

1. In the navigation tree, expand the Web Filtering > Centralized Web Filtering node.
   The Centralized Web Filtering fields appear.
2. If needed, unlock the node from plan.
3. Select the Remotely manage Centralized Web Filtering check box.
   The fields are enabled.
4. Do one of the following:
   - To enable Automatic Snooze:
     1) Select the Automatic Snooze check box.
     2) In the fields provided, specify the hours between which the Web Filtering service should be disabled.
   - To disable Automatic Snooze, clear the Automatic Snooze check box.
5. Click .

Configuring Centralized Web Rules

Adding and Editing Centralized Web Rules

To add or edit centralized Web rules

1. In the navigation tree, click the Web Filtering > Centralized Web Rules node.
   The Centralized Web Rules fields appear.
2. If needed, unlock the node from plan.
   The fields are enabled.
3. Do one of the following:
   - To add a new rule, click New.
   - To edit an existing rule, click the number next to the rule or the rule action.
   The Edit Allowed/Blocked Site dialog box opens.
4. Complete the fields using the information in the table below.
5. Click Finish.
   The new rule appears in the Centralized Web Rules table.
6. Click .

Table 58: Edit Allowed/Blocked Site Fields

In this field…    Do this…    For example…

Action
    Specify the rule's action by selecting one of the following:
    - Allow. Allow Web sites that match this rule.
    - Block. Block Web sites that match this rule.
    You must then fill in either the Domain field, the IP Address field, or both.
    For example: Block

Domain
    Type the domain name to which the rule should apply.
    To indicate wildcards (for an unlimited number of characters), type an asterisk (*).
    The button is enabled.
    For example: If you want the rule to apply to Web sites whose domain ends with ".org", type "*.org".

IP Address
    Type the IP address to which the rule should apply.

(resolve button)
    Click this button to resolve the specified domain name.
    The IP address appears in the IP Address field.

Reordering Centralized Web Rules

Gateways process Web rules in the order they appear in the Centralized Web Rules table, so that rule 1 is applied before rule 2, and so on. This enables you to define exceptions to rules, by placing the exceptions higher up in the table.

To reorder centralized Web rules

1. In the navigation tree, click the Web Filtering > Centralized Web Rules node.
   The Centralized Web Rules fields appear.
2. If needed, unlock the node from plan.
   The fields are enabled.
3. In the Centralized Web Rules table, for each rule you want to move, click on the rule and drag it to the desired location in the table.
4. Click .


Deleting Centralized Web Rules

To delete a centralized Web Filtering rule

1. In the navigation tree, click the Web Filtering > Centralized Web Rules node.
   The Centralized Web Rules fields appear.
2. If needed, unlock the node from plan.
   The fields are enabled.
3. Select the check box next to the desired rule.
4. Click Delete.
   A confirmation message appears.
5. Click OK.
   The rule is deleted.
6. Click .

Configuring Local Web Rules

Adding and Editing Local Web Rules

To add or edit local Web rules

1. In the navigation tree, click the Web Filtering > Local Web Rules node.
   The Local Web Rules fields appear.
2. If needed, unlock the node from plan.
3. Select the Remotely manage Local Web Rules check box.
   The fields are enabled.
4. Do one of the following:
   - To add a new rule, click New.
   - To edit an existing rule, click the number next to the rule or the rule action.
   The Edit Local Rule Wizard opens, displaying the Edit Local Rule: Step 1 dialog box.
5. Select the type of rule you want to create.
6. Click Next.
   The Edit Local Rule: Step 2 dialog box appears.
   The example below shows a Block rule.
7. Complete the fields using the information in the following table.
8. Click Next.
   The Edit Local Rule: Step 3 dialog box appears.
9. Click Finish.
   The new rule appears in the Local Web Rules table.
10. Click .

Table 59: Web Rules Fields

In this field…    Do this…

Block/Allow access to the following URL
    Type the URL or IP address to which the rule should apply.
    Wildcards (*) are supported. For example, to block all URLs that start with "http://www.casino-", set this field's value to: www.casino-*
    Note: If you block a Web site based on its domain name (http://), the Web site is not automatically blocked when surfing to the Web server's IP address (http://). Likewise, if you block a Web site based on its IP address, the Web site is not automatically blocked when surfing to the domain name. To prevent access to both the domain name and the IP address, you must block both.

Log connections
    Select this option to log the specified blocked or allowed connections.
    By default, allowed Web pages are not logged, and blocked Web pages are logged.

If the connection source is
    Select the source of the connections you want to allow/block.
    To specify an IP address, select Specified IP and type the desired IP address in the field provided.
    To specify an IP address range, select Specified Range and type the desired IP address range in the fields provided.

If the current time is
    Select this option to specify that the rule should be applied only during certain hours of the day.
    You must then use the fields and drop-down lists provided, to specify the desired time range.

Reordering Local Web Rules

Gateways process Web rules in the order they appear in the Local Web Rules table, so that rule 1 is applied before rule 2, and so on. This enables you to define exceptions to rules, by placing the exceptions higher up in the table.

To reorder local Web rules

1. In the navigation tree, click the Web Filtering > Local Web Rules node.
   The Local Web Rules fields appear.
2. If needed, unlock the node from plan.
3. Select the Remotely manage Local Web Rules check box.
   The fields are enabled.
4. In the Local Web Rules table, for each rule you want to move, click on the rule and drag it to the desired location in the table.
5. Click .

Deleting Local Web Rules

To delete a local Web Filtering rule

1. In the navigation tree, click the Web Filtering > Local Web Rules node.
   The Local Web Rules fields appear.
2. If needed, unlock the node from plan.
3. Select the Remotely manage Local Web Rules check box.
   The fields are enabled.
4. Select the check box next to the desired rule.
5. Click Delete.
   A confirmation message appears.
6. Click OK.
   The rule is deleted.
7. Click .

Customizing the Blocked Site Message

A message appears when a user attempts to access a page that is blocked either by a Web rule or by the Web Filtering service. You can customize this message using the following procedure.

To customize the blocked site message

1. In the navigation tree, click the Web Filtering > Blocked Site Message node.
   The Blocked Site Message fields appear.
2. If needed, unlock the node from plan.
3. Select the Remotely manage Blocked Site Message check box.
   The fields are enabled.
4. In the Blocked Site Message text box, type the message that should appear when a user attempts to access a blocked Web page.
   You can use HTML tags as needed.
5. To display the blocked site message using HTTPS, select the Use HTTPS check box.
6. Click .

Configuring Email Filtering Settings

If a plan specifies remote management, centralized email filtering (Mail Antivirus and Mail Antispam) settings can be configured in the plan.

All gateways subscribed to the plan will take these settings from the plan, by default. If desired, you can override the inherited email filtering settings for a specific gateway, by configuring these settings in the gateway.

Configuring email filtering requires the CVM (Content Vectoring) module in the SMS.

Note: If you are using SMTP/POP3 over unorthodox ports or over SSL, the mail messages will not be scanned.

To configure email content filtering

1. In the navigation tree, click the Email Filtering node.
   The Email Filtering fields appear.
2. If needed, unlock the node from plan.
3. Select the Remotely manage Email Filtering check box.
   The fields are enabled.
4. Complete the fields using the table below.
5. Click .

Table 60: Email Filtering Fields

In this field…    Do this…

Mail Antivirus Mode
    Select one of the following modes for the centralized Mail Antivirus service:
    - Disabled. Mail Antivirus is off.
    - Enabled. Mail Antivirus is on.
    Note: If Mail Antivirus is not included in the plan, this field is disabled.

Mail Antispam Mode
    Select one of the following modes for the centralized Mail Antispam service:
    - Disabled. Mail Antispam is off.
    - Enabled. Mail Antispam is on.
    Note: If Mail Antispam is not included in the plan, this field is disabled.

Protocols to Scan

Email retrieving (POP3)
    Select this option to enable scanning all incoming email retrieved via the POP3 protocol.

Email sending (SMTP)
    Select this option to enable scanning all outgoing email sent via the SMTP protocol.

Advanced

Bypass scanning if Service Center is unavailable
    Select this option to specify that all email traffic should be temporarily allowed, if the Email Filtering service is enabled and the Service Center is unavailable. This ensures continuous access to email; however, it does not protect against viruses and spam, so use this option cautiously.
    If you do not select this option, all email traffic will be temporarily blocked until the Service Center is available. This ensures constant protection from spam and viruses.


Configuring Firmware Settings

If a plan specifies Software Updates, the following firmware settings can be configured in the plan:

- Firmware to use for each gateway type
- Scheduling firmware updates

All gateways subscribed to the plan will take their firmware settings from the plan, by default. If desired, you can override the inherited firmware settings for a specific gateway, by configuring these settings in the gateway.

Selecting Firmwares

To select a firmware

1. In the navigation tree, click the Firmware Updates > Firmware node.
   The Firmware fields appear.
2. Unlock the node from plan.
   The fields are enabled.
   The Reported Firmware field displays the firmware version installed on the gateway, when the gateway last connected to the SMS.
3. In the Firmware drop-down list, select the firmware version to download to this gateway.
   If you select local, the gateway will not download a firmware.
4. Click .

Scheduling Firmware Updates

Automatic firmware updates require the gateway to reboot. If desired, you can limit automatic firmware updates to certain days and hours, using the following procedure.

Note: The schedule is interpreted according to the gateway's local time zone. For example, if you configure firmware updates to occur between 1:00 and 6:00 AM, gateways in New York will receive firmware updates between 1:00 and 6:00 AM Eastern Time (ET), while gateways in California will receive firmware updates between 1:00 and 6:00 AM Pacific Time (PT).

To schedule firmware updates

1. In the navigation tree, click the Firmware Updates > Firmware Scheduling node.
   The Firmware Download Scheduling fields appear.
2. If needed, unlock the node from plan.
   The fields are enabled.
3. For each weekday, specify when automatic firmware updates can be performed, by doing one of the following:
   - To specify that firmware updates can be automatically loaded to gateways at any time of the day on this specific weekday, select Anytime in the drop-down list.
   - To specify that firmware updates can be automatically loaded to gateways only between certain hours of the day on this specific weekday, select Between in the drop-down list. You must then specify the desired time range, by clicking in the fields provided and either typing the time range, or selecting the desired times in the drop-down list that appears.
   - To specify that firmware updates can never be automatically loaded to gateways on this specific weekday, select Never in the drop-down list.
4. Click .


Configuring Network Settings

If a plan specifies remote management, the following network settings can be configured in the plan:

- QoS classes
- Enabling Traffic Shaper
- Network objects
- Network service objects
- Static routes

All gateways subscribed to the plan will take these network settings from the plan, by default. If desired, you can override the inherited network settings for a specific gateway, by configuring these settings in the gateway. You can also configure the following additional network settings for a specific gateway:

- Internal network settings
  You can configure settings for any of the gateway's internal networks, including:
  - LAN
  - DMZ
  - VLAN
  - Wireless networks
  - OfficeMode
- Port settings
- Bridges
- Terminal server settings
- High Availability

Configuring the LAN

To configure the LAN

1. In the navigation tree, click the Network > Network Configuration node.
   The Network Configuration fields appear.
2. Select the Remotely manage Network Configuration check box.
   The fields are enabled.
3. Click the Internal Networks node.
   The Internal Networks fields appear.
4. In the Networks table, click lan.
   The Edit Internal Network Wizard opens, with the Edit Internal Network: Internal Network Parameters dialog box displayed.
5. Complete the fields using the information in Network Parameters Fields on page 180.
6. Click Next.
   The following things happen in the order below:
   - If you set the network's mode to Bridged, the Edit Internal Network: Bridge Options dialog box appears.
     Do the following:
     1) Complete the fields, using the information in Bridge Options Fields on page 184.
     2) Click Next.
   - The Edit Internal Network: DHCP Server Options dialog box appears.
7. Complete the fields using the information in DHCP Server Options Fields on page 186.
8. Click Next.


   The final Edit Internal Network dialog box appears.
9. Click Finish.
10. Click .

Table 61: Network Parameters Fields

In this field…    Do this…

Network Name
    Type the name of the network.
    This field is read-only when configuring internal networks that are not VLANs.

Mode
    Select the network's mode (Enabled/Disabled/Bridged).
    The Bridged option only appears if bridges are configured for the gateway.

Type
    Select the VLAN's type.
    If you selected Tag Based VLAN, the VLAN Tag field appears.
    If you selected Wireless Distribution System, the Peer WLAN MAC Address field appears.
    This field appears only when configuring a VLAN.

VLAN Tag
    Type a tag for the VLAN.
    This must be an integer between 1 and 4095.
    This field appears only when configuring a tag-based VLAN.

Peer WLAN MAC Address
    Type the WLAN MAC address of the access point to which you want to create a WDS link.
    Note: This is the MAC address of the WLAN interface, not the WAN MAC address.

IP Address
    Type the IP address of the network's default gateway.
    Alternatively, if the gateway belongs to a community for which an IP pool is defined, you can click Suggest to automatically fill in the field with an IP address from the pool. For information on assigning gateways to communities, see Configuring General Settings on page 18. For information on configuring an IP pool, see Configuring Communities' IP Pools.
    Note: The network must not overlap other networks.
    This field is relevant only when the network's mode is Enabled.

Subnet Mask
    Type the internal network range.
    This field is relevant only when the network's mode is Enabled.

Hide NAT
    Select the network's Hide NAT mode (Enabled/Disabled).
    Hide Network Address Translation (NAT) enables you to share a single public Internet IP address among several computers, by "hiding" the private IP addresses of the internal computers behind the gateway's single Internet IP address.
    The default value is Enabled.
    Note: If Hide NAT is disabled, the gateway owner must obtain a range of Internet IP addresses.
    Note: Static NAT and Hide NAT can be used together.

DHCP
    Fill in these fields to configure DHCP for the LAN, WLAN, or a VLAN.

DHCP Server
    Select the DHCP (Dynamic Host Configuration Protocol) server's mode:
    - Disabled. The Embedded NGX DHCP server is disabled for the network.
      If there already is a DHCP server on the network, and you want to use it instead of the Embedded NGX DHCP server, you must disable the Embedded NGX DHCP server, since you cannot have two DHCP servers or relays on the same network segment.
    - Enabled. The Embedded NGX DHCP server is enabled for the network.
      All the devices on the network are automatically configured with their network configuration details. This is the default.
    - Relay. The DHCP relay mode is enabled for the network.
      If you want the network to use a DHCP server on the Internet or via a VPN, instead of the Embedded NGX DHCP server, you can configure DHCP relay. When in DHCP relay mode, the gateway relays information from the desired DHCP server to the devices on the network.
      Note: DHCP relay will not work if the gateway is located behind a NAT device.
      The Primary DHCP Server IP and Secondary DHCP Server IP fields appear.
    Note: You can perform DHCP reservation using network objects. See Configuring Network Objects on page 245.

Manual DHCP range
    Select this option to manually configure the DHCP address range.
    The DHCP address range is the range of IP addresses that the DHCP server can assign to network devices. IP addresses outside of the DHCP address range are reserved for statically addressed computers.
    If this option is selected, the DHCP IP range fields appear.
    If this option is cleared, the Embedded NGX DHCP server will set the DHCP address range automatically.

DHCP IP Range
    Type the desired DHCP range.

Primary DHCP Server IP
    Type the IP address of the primary DHCP server to use in Relay mode.

Secondary DHCP Server IP
    Type the IP address of the secondary DHCP server to use in Relay mode.

HotSpot
    Specify whether to enable Secure HotSpot for this network by selecting one of the following:
    - Disabled. Secure HotSpot is disabled for this network. This is the default.
    - Enabled. Secure HotSpot is enabled for this network.
    For information on configuring Secure HotSpot, see Configuring Secure HotSpot on page 65.
    This field is not relevant for the OfficeMode network.

Table 62: Bridge Options Fields

In this field…    Do this…

Assign to Bridge
    Select the bridge to which the connection should be assigned.

Bridge Anti-Spoofing
    Select this option to enable anti-spoofing.
    If anti-spoofing is enabled, only IP addresses within the Allowed IP Range can be source IP addresses for packets on this network.


Allowed IP Range
    Type the range of IP addresses that should be allowed on this network.
    Note: When assigning IP addresses to machines in a bridged network segment, the Embedded NGX DHCP server allocates only addresses within the allowed IP address range.
    To enable clients to move between bridged networks without changing IP addresses, configure identical IP address ranges for the desired networks, thus allowing the IP addresses to be used on either of the bridged networks.
    Note: Configuring overlapping or identical allowed IP address ranges will decrease the effectiveness of anti-spoofing between the bridged networks.

Spanning Tree Protocol - Port Cost
    Type the port's cost.
    STP uses the available port with the lowest cost to forward frames to the root port. All other ports are blocked.
    It is recommended to set a lower value for faster links.
    This field only appears if the bridge uses STP.

Spanning Tree Protocol - Port Priority
    Select the port's priority.
    The port's priority is combined with the port's logical number to create the port's ID. The port with the lowest ID is elected as the root port, which forwards frames out of the bridge. The other ports in the bridge calculate the least-cost path to the root port, in order to eliminate loops in the topology and provide fault tolerance.
    To increase the chance of this port being elected as the root port, select a lower priority.
    Note: If you select the same priority for all ports, the root port will be elected based on the port's logical number.
    The default value is 128.
    This field only appears if the bridge uses STP.

Table 63: DHCP Server Options Fields

In this field…    Do this…

Domain Name
    Type a default domain suffix that should be passed to DHCP clients.
    The DHCP client will automatically append the domain suffix for the resolving of non-fully qualified names. For example, if the domain suffix is set to "mydomain.com", and the client tries to resolve the name "mail", the suffix will be automatically appended to the name, resulting in "mail.mydomain.com".

Name Servers

Manually assign DNS server (recommended)
    Select this option if you want the gateway to act as a DNS relay server and pass its own IP address to DHCP clients.
    Normally, it is recommended to leave this option cleared.
    The DNS Server 1 and DNS Server 2 fields appear.

DNS Server 1, 2
    Type the IP addresses of the Primary and Secondary DNS servers to pass to DHCP clients instead of the gateway.

Manually assign WINS server
    Select this option if you want DHCP clients to be assigned the same WINS servers as specified by the Internet connection configuration.
    The WINS Server 1 and WINS Server 2 fields appear.

WINS Server 1, 2
    Type the IP addresses of the Primary and Secondary WINS servers to use instead of the gateway.

Manually assign default gateway
    Select this option if you want the DHCP server to pass the current gateway IP address to DHCP clients as the default gateway's IP address.
    Normally, it is recommended to leave this option selected.
    The Default Gateway field appears.

Default Gateway
    Type the IP address to pass to DHCP clients as the default gateway, instead of the current gateway IP address.

Other Services
    These fields are not available for the OfficeMode network.

Time Server 1, 2
    To use Network Time Protocol (NTP) servers to synchronize the time on the DHCP clients, type the IP address of the Primary and Secondary NTP servers.

Call Manager 1, 2
    To assign Voice over Internet Protocol (VoIP) call managers to the DHCP clients, type the IP address of the Primary and Secondary VoIP servers.

TFTP Server
    Trivial File Transfer Protocol (TFTP) enables booting diskless computers over the network.
    To assign a TFTP server to the DHCP clients, type the IP address of the TFTP server.

TFTP Boot File
    Type the boot file to use for booting DHCP clients via TFTP.

X-Windows Display Manager
    To assign X-Windows terminals the appropriate X-Windows Display Manager when booting via DHCP, type the XDM server's IP address.

Avaya IP Phone
    To enable Avaya IP phones to receive their configuration, type the phone's configuration string.

Nortel IP Phone
    To enable Nortel IP phones to receive their configuration, type the phone's configuration string.

Thomson IP Phone
    To enable Thomson IP phones to receive their configuration, type the phone's configuration string.

Configuring the DMZ

In addition to the LAN network, you can define a second internal network called a DMZ (demilitarized zone) network.

To configure the DMZ

1. In the navigation tree, click the Network > Network Configuration node.
   The Network Configuration fields appear.
2. Select the Remotely manage Network Configuration check box.
   The fields are enabled.
3. Click the Internal Networks node.
   The Internal Networks fields appear.
4. In the Networks table, click dmz.
   The Edit Internal Network Wizard opens, with the Edit Internal Network: Internal Network Parameters dialog box displayed.
5. Complete the fields using the information in Network Parameters Fields on page 180.
6. Click Next.
   The following things happen in the order below:
   - If you set the network's mode to Bridged, the Edit Internal Network: Bridge Options dialog box appears.
     Do the following:
     1) Complete the fields, using the information in Bridge Options Fields on page 184.
     2) Click Next.
   - The Edit Internal Network: DHCP Server Options dialog box appears.


Configuring Network Settings7. Complete the fields using the information in DHCP Server Options Fields onpage 186.8. Click Next.The final Edit Internal Network dialog box appears.9. Click Finish.10. Click .11. Assign the DMZ/WAN2 port to the DMZ.See Modifying Port Assignments on page 223.Configuring VLANsYou can partition a network into several virtual LAN networks (VLANs). A VLAN is alogical network behind the gateway. Computers in the same VLAN behave as if they wereon the same physical network: traffic flows freely between them, without passing througha firewall. In contrast, traffic between a VLAN and other networks passes through thefirewall and is subject to the security policy. By default, traffic from a VLAN to any otherinternal network (including other VLANs) is blocked. In this way, defining VLANs canincrease security and reduce network congestion.For example, you can assign each division within an organization to a different VLAN,regardless of their physical location. The members of a division will be able tocommunicate with each other and share resources, and only members who need tocommunicate with other divisions will be allowed to do so. Furthermore, you can easilytransfer a member of one division to another division without rewiring the network, bysimply reassigning them to the desired VLAN.190 <strong>Self</strong> <strong>Provisioning</strong> <strong>Portal</strong> <strong>User</strong> <strong>Guide</strong>


You can configure the following VLAN types:

Tag-based

In tag-based VLAN you use one of the gateway's ports as an 802.1Q VLAN trunk, connecting the appliance to a VLAN-aware switch. Each VLAN behind the trunk is assigned an identifying number called a “VLAN ID”, also referred to as a "VLAN tag". All outgoing traffic from a tag-based VLAN contains the VLAN's tag in the packet headers. Incoming traffic to the VLAN must contain the VLAN's tag as well, or the packets are dropped. Tagging ensures that traffic is directed to the correct VLAN.
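The tag-based rule above (outgoing frames carry the VLAN's tag; incoming frames must carry it or are dropped) and the VLAN Trunk behaviour noted under Adding and Editing VLANs (a trunk port accepts no untagged packets) can be traced through a small frame parser. The following is an added example, not code from this guide or from Check Point: it encodes and decodes the standard 802.1Q tag (TPID 0x8100 followed by a 16-bit TCI whose low 12 bits are the VLAN ID) and applies the trunk decision to a batch of constructed frames. The MAC addresses, payloads and the set of configured VLAN IDs are made up for the example.

```python
"""Added example (not from the Check Point guide): parse the 802.1Q tag of an
Ethernet frame and apply the tag-based VLAN trunk rules described in the text.
Frame layout is the standard one: dst MAC (6), src MAC (6), then either an
EtherType (2) for an untagged frame, or TPID 0x8100 (2) + TCI (2) + EtherType (2)
for a tagged frame. VLAN IDs and sample frames below are constructed."""
import struct
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional, Tuple

TPID_8021Q = 0x8100          # EtherType value that announces an 802.1Q tag
VID_PRIORITY_ONLY = 0        # VID 0: frame carries a priority but no VLAN
VID_RESERVED = 4095          # VID 4095 is reserved by 802.1Q


@dataclass(frozen=True)
class Frame:
    dst: bytes
    src: bytes
    vlan_id: Optional[int]   # None for an untagged frame
    pcp: int                 # 802.1p priority (0 if untagged)
    ethertype: int
    payload: bytes


def parse_frame(raw: bytes) -> Frame:
    """Decode the Ethernet header and, if present, the 802.1Q tag."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = raw[0:6], raw[6:12]
    (etype,) = struct.unpack("!H", raw[12:14])
    if etype != TPID_8021Q:
        return Frame(dst, src, None, 0, etype, raw[14:])
    if len(raw) < 18:
        raise ValueError("tagged frame truncated inside the 802.1Q header")
    tci, inner_type = struct.unpack("!HH", raw[14:18])
    pcp = tci >> 13            # top 3 bits: priority code point
    vid = tci & 0x0FFF         # low 12 bits: VLAN identifier
    return Frame(dst, src, vid, pcp, inner_type, raw[18:])


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan_id: Optional[int] = None, pcp: int = 0) -> bytes:
    """Encode a frame; with vlan_id set, insert an 802.1Q tag (the
    'outgoing traffic carries the VLAN's tag' side of the rule)."""
    if vlan_id is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    tci = ((pcp & 0x7) << 13) | (vlan_id & 0x0FFF)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def trunk_decision(frame: Frame, configured_vlans: FrozenSet[int]) -> Tuple[str, str]:
    """Trunk-port rule: drop untagged frames, drop reserved or undefined VLAN IDs,
    otherwise accept the frame into the VLAN named by its tag."""
    if frame.vlan_id is None:
        return ("drop", "untagged frame on VLAN trunk port")
    if frame.vlan_id in (VID_PRIORITY_ONLY, VID_RESERVED):
        return ("drop", f"reserved VLAN ID {frame.vlan_id}")
    if frame.vlan_id not in configured_vlans:
        return ("drop", f"VLAN ID {frame.vlan_id} is not defined on the gateway")
    return ("accept", f"VLAN {frame.vlan_id}")


def classify_batch(raw_frames: Iterable[bytes], configured_vlans: FrozenSet[int]) -> Dict[str, int]:
    """Count verdicts over a batch of raw frames (a quick trunk sanity check)."""
    counts: Dict[str, int] = {"accept": 0, "drop": 0}
    for raw in raw_frames:
        verdict, _ = trunk_decision(parse_frame(raw), configured_vlans)
        counts[verdict] += 1
    return counts


# Constructed sample: two VLANs (10 and 20) defined behind the DMZ/WAN2 trunk.
CONFIGURED_VLANS = frozenset({10, 20})
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
SAMPLE_FRAMES = [
    build_frame(DST, SRC, 0x0800, b"ip-payload", vlan_id=10),         # accepted
    build_frame(DST, SRC, 0x0800, b"ip-payload", vlan_id=30),         # undefined VLAN
    build_frame(DST, SRC, 0x0800, b"ip-payload"),                     # untagged on trunk
    build_frame(DST, SRC, 0x0800, b"ip-payload", vlan_id=0, pcp=5),   # priority-only tag
]

if __name__ == "__main__":
    for raw in SAMPLE_FRAMES:
        print(trunk_decision(parse_frame(raw), CONFIGURED_VLANS))
    print(classify_batch(SAMPLE_FRAMES, CONFIGURED_VLANS))
```

The priority-only tag (VID 0) is the case the guide's wording does not spell out: such a frame is tagged but names no VLAN, so a trunk that admits only frames carrying one of its defined VLAN IDs drops it along with untagged frames.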


Port-based

Port-based VLAN allows assigning the Embedded NGX appliance's LAN ports to VLANs, effectively transforming the appliance's four-port switch into up to four firewall-isolated security zones. You can assign multiple ports to the same VLAN, or each port to a separate VLAN.

Port-based VLAN does not require an external VLAN-capable switch, and is therefore simpler to use than tag-based VLAN. However, port-based VLAN is limited by the number of appliance LAN ports.

Virtual access point (VAP)

In wireless gateways, you can partition the primary WLAN network into wireless VLANs called virtual access points (VAPs). You can use VAPs to grant different permissions to groups of wireless users, by configuring each VAP with the desired security policy and network settings, and then assigning each group of wireless users to the relevant VAP. For example, you could assign different permissions to employees and guests on the company's wireless network, by configuring two VAPs called “Guest” and “Employee” with the desired set of permissions.

To use VAPs, you must enable the primary WLAN network.

For information on configuring VAPs, see Configuring Virtual Access Points on page 210.

Wireless Distribution System (WDS) links

In wireless gateways, you can extend the primary WLAN's coverage area, by creating a Wireless Distribution System (WDS). A WDS is a system of access points that communicate with each other wirelessly, without any need for a wired backbone.


WDS is usually used together with bridge mode to connect the networks behind the access points.

To create a WDS, you must add WDS links between the desired access points. For example, if a business extends across a large area, and a single access point does not provide sufficient coverage, then you can add a second access point and create a WDS link between the two access points.

To use WDS links, you must enable the primary WLAN network.

For information on configuring WDS links, see Configuring Wireless Distribution System Links on page 213.

Adding and Editing VLANs

To add or edit a VLAN

1. In the navigation tree, click the Network > Network Configuration node.
   The Network Configuration fields appear.
2. Select the Remotely manage Network Configuration check box.
   The fields are enabled.
3. Click the Internal Networks node.
   The Internal Networks fields appear.
4. In the Networks area, do one of the following:
   - To add a VLAN, click Add VLAN.
   - To edit an existing VLAN, click the VLAN's name.
   The Edit Internal Network Wizard opens, with the Edit Internal Network: Internal Network Parameters dialog box displayed.
5. Complete the fields using the information in Network Parameters Fields on page 180.
6. Click Next.
   The following things happen in the order below:
   - If you set the network's mode to Bridged, the Edit Internal Network: Bridge Options dialog box appears. Complete the fields, using the information in Bridge Options Fields on page 184.
   - The Edit Internal Network: DHCP Server Options dialog box appears.
7. Complete the fields using the information in DHCP Server Options Fields on page 186.
8. Click Next.
   The final Edit Internal Network dialog box appears.
9. Click Finish.
10. Do one of the following:
    - If you configured a port-based VLAN, assign one or more LAN ports to the VLAN. See Modifying Port Assignments on page 223.
    - If you configured a tag-based VLAN, assign the DMZ/WAN2 port to VLAN Trunk. See Modifying Port Assignments on page 223.
      The DMZ/WAN2 port will operate as a VLAN Trunk port. In this mode, it will not accept untagged packets.
11. Click .

Note: If a tag-based VLAN is configured, the gateway's owner must also do the following:
- Configure a VLAN trunk (802.1Q) port on the VLAN-aware switch, according to the vendor instructions.
- Define the same VLAN IDs on the switch.
- Connect the gateway's DMZ/WAN2 port to the VLAN-aware switch's VLAN trunk port.

Deleting VLANs

Note: You cannot delete a VLAN that is currently in use.

To delete a VLAN

1. In the navigation tree, click the Network > Network Configuration node.
   The Network Configuration fields appear.
2. Select the Remotely manage Network Configuration check box.
   The fields are enabled.
3. Click the Internal Networks node.
   The Internal Networks fields appear.
4. In the Networks table, select the check box next to the desired VLAN.
5. Click Delete VLAN.
   A confirmation message appears.
6. Click OK.
   The VLAN is deleted.
7. Click .

Configuring Wireless Networks

You can configure any of the following wireless networks for a gateway:
- The primary WLAN
- Virtual access points (VAPs)
- Wireless Distribution System links (WDS links)

For more information on VAPs and WDS links, see Configuring VLANs on page 190 and refer to the Embedded NGX appliance's user guide.

Network Count Limitations

You can configure a total of eight wireless objects per gateway, including any combination of the following:
- The primary WLAN
- Up to three virtual access points (VAPs)
- Up to seven WDS links

For example, if you configure the primary WLAN and two VAPs, then you can configure five WDS links, or one more VAP and four WDS links.


When Extended Range (XR) mode is enabled for a wireless object, it is counted as two objects. For example, if you configure XR mode for the primary WLAN and one VAP, they are counted as four wireless objects.
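The limits in Network Count Limitations (eight objects in total, at most three VAPs, at most seven WDS links, VAPs and WDS links depending on the primary WLAN, and XR-enabled objects counted twice) are easy to get wrong when planning a gateway by hand. The following is an added example, not code from this guide or from Check Point, that checks a planned set of wireless objects against those limits and reports how much capacity remains; the object names and the `plan` helper are the example's own.

```python
"""Added example (not from the Check Point guide): check a planned set of wireless
objects against the per-gateway limits stated in Network Count Limitations:
eight objects in total, at most three VAPs, at most seven WDS links, the primary
WLAN required for VAPs and WDS links, and an XR-enabled object counted twice.
Object names below are constructed."""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List

MAX_WIRELESS_OBJECTS = 8
MAX_VAPS = 3
MAX_WDS_LINKS = 7
KINDS = ("wlan", "vap", "wds")


@dataclass(frozen=True)
class WirelessObject:
    name: str
    kind: str          # "wlan" (primary WLAN), "vap" or "wds"
    xr: bool = False   # Extended Range mode enabled


def object_weight(obj: WirelessObject) -> int:
    """An XR-enabled object counts as two wireless objects."""
    return 2 if obj.xr else 1


def objects_in_use(objects: Iterable[WirelessObject]) -> int:
    return sum(object_weight(o) for o in objects)


def remaining_capacity(objects: Iterable[WirelessObject]) -> int:
    return MAX_WIRELESS_OBJECTS - objects_in_use(objects)


def check_plan(objects: List[WirelessObject]) -> List[str]:
    """Return the list of limit violations; an empty list means the plan fits."""
    problems: List[str] = []
    kinds = Counter(o.kind for o in objects)
    for o in objects:
        if o.kind not in KINDS:
            problems.append(f"{o.name}: unknown object kind {o.kind!r}")
    if kinds["wlan"] > 1:
        problems.append("only one primary WLAN exists per gateway")
    if kinds["vap"] > MAX_VAPS:
        problems.append(f"{kinds['vap']} VAPs exceed the limit of {MAX_VAPS}")
    if kinds["wds"] > MAX_WDS_LINKS:
        problems.append(f"{kinds['wds']} WDS links exceed the limit of {MAX_WDS_LINKS}")
    if (kinds["vap"] or kinds["wds"]) and kinds["wlan"] == 0:
        problems.append("VAPs and WDS links require the primary WLAN to be enabled")
    used = objects_in_use(objects)
    if used > MAX_WIRELESS_OBJECTS:
        problems.append(f"{used} wireless objects (XR counted twice) exceed "
                        f"the limit of {MAX_WIRELESS_OBJECTS}")
    return problems


def plan(wlan_xr: bool = False, vaps: int = 0, vap_xr: int = 0, wds: int = 0) -> List[WirelessObject]:
    """Constructed plan: the primary WLAN, `vaps` VAPs (the first `vap_xr` of
    them with XR enabled) and `wds` WDS links."""
    objs = [WirelessObject("wlan", "wlan", xr=wlan_xr)]
    objs += [WirelessObject(f"vap{i}", "vap", xr=i < vap_xr) for i in range(vaps)]
    objs += [WirelessObject(f"wds{i}", "wds") for i in range(wds)]
    return objs


if __name__ == "__main__":
    # The guide's own worked cases: WLAN + 2 VAPs leaves room for 5 WDS links;
    # XR on the WLAN and one VAP already counts as four objects.
    print(remaining_capacity(plan(vaps=2)), check_plan(plan(vaps=2, wds=5)))
    print(objects_in_use(plan(wlan_xr=True, vaps=1, vap_xr=1)))
```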


Configuring the WLAN

If a gateway supports wireless connectivity, you can define a wireless internal network called the primary WLAN (wireless LAN) network. The primary WLAN is the main wireless network, and it controls the status of all other wireless networks: wireless networks can be enabled only if the primary WLAN is enabled, and disabling the primary WLAN automatically disables all other wireless networks. In addition, all wireless networks inherit certain settings from the primary WLAN.

Note: For increased security, it is recommended to enable the internal VPN Server for users connecting from internal networks, and to install SecuRemote on each computer in the WLAN. This ensures that all connections from the WLAN to the LAN are encrypted and authenticated. For information, see Configuring VPN Server Settings on page 269.

To configure the WLAN

1. In the navigation tree, click the Network > Network Configuration node.
   The Network Configuration fields appear.
2. Select the Remotely manage Network Configuration check box.
   The fields are enabled.
3. Click the Internal Networks node.
   The Internal Networks fields appear.
4. In the Networks area, click wlan.
   The Edit Internal Network Wizard opens, with the Edit Internal Network: Internal Network Parameters dialog box displayed.
5. Complete the fields using the information in Network Parameters Fields on page 180.
6. Click Next.
   The following things happen in the order below:
   - If you set the network's mode to Bridged, the Edit Internal Network: Bridge Options dialog box appears. Complete the fields, using the information in Bridge Options Fields on page 184.
   - The Edit Internal Network: DHCP Server Options dialog box appears.
7. Complete the fields using the information in DHCP Server Options Fields on page 186.
8. Click Next.
   The Edit Internal Network: Wireless Settings dialog box appears.
9. Complete the fields, using the information in Wireless Settings Fields on page 201.
10. Click Next.
    The Edit Internal Network: Advanced Wireless Settings dialog box appears.
11. Complete the fields, using the information in Advanced Wireless Settings Fields on page 206.
12. Click Next.
    The final Edit Internal Network dialog box appears.
13. Click Finish.
14. Click .

Table 64: Wireless Security Protocols

In this field…    Do this…

None
    No security method is used. This option is not recommended, because it allows unauthorized users to access the WLAN network, although you can still limit access from the WLAN by creating firewall rules. This method is suitable for creating public access points.


WEP encryption
    In the WEP (Wired Equivalent Privacy) encryption security method, wireless stations must use a pre-shared key to connect to the network. This method is not recommended, due to known security flaws in the WEP protocol. It is provided for compatibility with existing wireless deployments.
    Note: The appliance and the wireless stations must be configured with the same WEP key.

802.1X: EAP authentication, no encryption
    In the 802.1x security method, wireless stations (supplicants) attempting to connect to the access point (authenticator) must first be authenticated, either by a RADIUS server (authentication server) which supports 802.1x, or by the Embedded NGX gateway's built-in EAP authenticator. All messages are passed in EAP (Extensible Authentication Protocol).
    This method is recommended for situations in which you want to authenticate wireless users, but do not need to encrypt the data.
    Note: To use this security method, you must first configure either a RADIUS server that supports 802.1x, or the gateway administrator must set up the network for use with the Embedded NGX gateway's built-in Extensible Authentication Protocol (EAP) authenticator, which allows using the local user database for authentication purposes. For information on configuring a RADIUS server, see Configuring RADIUS User Authentication on page 35. For information on using the Embedded NGX EAP authenticator, the gateway administrator should refer to the gateway User Guide.

WPA-Enterprise: EAP authentication, encryption
    The WPA-Enterprise (Wi-Fi Protected Access) security method uses MIC (message integrity check) to ensure the integrity of messages, and TKIP (Temporal Key Integrity Protocol) to enhance data encryption. Furthermore, WPA-Enterprise includes 802.1x and EAP authentication, based either on a central RADIUS authentication server, or on the Embedded NGX gateway's built-in EAP authenticator.
    This method is recommended for situations where you want to authenticate wireless stations, and to encrypt the transmitted data.
    Note: To use this security method, you must first configure either a RADIUS server that supports 802.1x, or the gateway administrator must set up the network for use with the Embedded NGX gateway's built-in Extensible Authentication Protocol (EAP) authenticator, which allows using the local user database for authentication purposes. For information on configuring a RADIUS server, see Configuring RADIUS User Authentication on page 35. For information on using the Embedded NGX EAP authenticator, the gateway administrator should refer to the gateway User Guide.

WPA-Personal: password authentication, encryption
    The WPA-Personal security method (also called WPA-PSK) is a variation of WPA-Enterprise that does not require an authentication server. WPA-Personal periodically changes and authenticates encryption keys. This is called rekeying.
    This option is recommended for small networks, which want to authenticate and encrypt wireless data, but do not want to install a RADIUS server or use the Embedded NGX EAP authenticator.
    Note: The appliance and the wireless stations must be configured with the same passphrase.

Table 65: Wireless Settings Fields

In this field…    Do this…

Network Name (SSID)
    Type the network name (SSID) that identifies your wireless network. This name will be visible to wireless stations passing near your access point, unless you enable the Hide the Network Name (SSID) option.
    It can be up to 32 alphanumeric characters long and is case-sensitive.
    This field only appears when configuring the primary WLAN or a VAP.


Country
    Select the country where you are located.
    Warning: Choosing an incorrect country may result in the violation of government regulations.
    This field only appears when configuring the primary WLAN, and it is inherited by all VAPs and WDS links.

Operation Mode
    Select an operation mode:
    - 802.11b (11 Mbps). Operates in the 2.4 GHz range and offers a maximum theoretical rate of 11 Mbps. When using this mode, only 802.11b stations will be able to connect.
    - 802.11g (54 Mbps). Operates in the 2.4 GHz range, and offers a maximum theoretical rate of 54 Mbps. When using this mode, only 802.11g stations will be able to connect.
    - 802.11b/g (11/54 Mbps). Operates in the 2.4 GHz range, and offers a maximum theoretical rate of 54 Mbps. When using this mode, both 802.11b stations and 802.11g stations will be able to connect.
    - 802.11g Super (54/108 Mbps). Operates in the 2.4 GHz range, and offers a maximum theoretical rate of 108 Mbps. When using this mode, 802.11g stations and 802.11g Super stations will be able to connect.
    - 802.11g Super (11/54/108 Mbps). Operates in the 2.4 GHz range, and offers a maximum theoretical rate of 108 Mbps. When using this mode, 802.11b stations, 802.11g stations, and 802.11g Super stations will all be able to connect.
    Each operation mode indicates a wireless protocol (such as 802.11g Super), followed by the maximum bandwidth (such as 54/108 Mbps). The list of modes is dependent on the selected country.
    You can prevent older wireless stations from slowing down the network, by choosing an operation mode that restricts access to newer wireless stations.
    Note: The actual data transfer speed is usually significantly lower than the maximum theoretical bandwidth and degrades with distance.
    Important: The station wireless cards must support the selected operation mode. For a list of cards supporting 802.11g Super, refer to http://www.super-ag.com.
    This field only appears when configuring the primary WLAN, and it is inherited by all VAPs and WDS links.

Channel
    Select the radio frequency to use for the wireless connection:
    - Automatic. The Embedded NGX gateway automatically selects a channel. This is the default.
    - A specific channel. The list of channels is dependent on the selected country and operation mode.
    Note: If there is another wireless network in the vicinity, the two networks may interfere with one another. To avoid this problem, the networks should be assigned channels that are at least 25 MHz (5 channels) apart. Alternatively, you can reduce the transmission power.
    This field only appears when configuring the primary WLAN, and it is inherited by all VAPs and WDS links.

Security
    Select the security protocol to use. For information on the supported security protocols, see Wireless Security Protocols on page 199.
    - If you select WEP encryption, the WEP Keys area opens.
    - If you select 802.1x, the Authentication Server field appears.
    - If you select WPA-Enterprise, the Authentication Server, Require WPA2 (802.11i) and WPA Encryption fields appear.
    - If you select WPA-Personal, the Passphrase, Require WPA2 (802.11i), and WPA Encryption fields appear.
    Note: When configuring a WDS link, only None and WEP are not supported.


Authentication Server
    Specify which authentication server to use, by selecting one of the following:
    - RADIUS. A RADIUS server.
    - Internal User Database. The Embedded NGX EAP authenticator.

Passphrase
    Type the passphrase for accessing the network, or click to randomly generate a passphrase.
    This must be between 8 and 63 characters. It can contain spaces and special characters, and is case-sensitive.
    For the highest security, choose a long passphrase that is hard to guess, or use the button.
    Note: The wireless stations must be configured with this passphrase as well.

Require WPA2 (802.11i)
    Specify whether you want to require wireless stations to connect using WPA2, by selecting one of the following:
    - Enabled. Only wireless stations using WPA2 can access the wireless network.
    - Disabled. Wireless stations using either WPA or WPA2 can access the wireless network. This is the default.

WPA Encryption
    Select the encryption method to use for authenticating and encrypting wireless data:
    - Auto. The Embedded NGX gateway automatically selects the cipher used by the wireless client. This is the default.
    - AES. Advanced Encryption Standard
    - TKIP. Temporal Key Integrity Protocol
    Note: AES is more secure than TKIP; however, some devices do not support AES.


WEP Keys
    If you selected WEP encryption, you must configure at least one WEP key. The wireless stations must be configured with the same key, as well.

Key 1, 2, 3, 4
    Type the WEP key.
    The key is composed of hexadecimal characters 0-9 and A-F, and is not case-sensitive.
    Alternatively, click to randomly generate a key matching the selected length. The Generate WEP Key dialog box appears.

Generate WEP Key
    Select the desired WEP key length and click Random.
    The possible key lengths are:
    - 64 Bits. The key length is 10 characters.
    - 128 Bits. The key length is 26 characters.
    - 152 Bits. The key length is 32 characters.
    Note: Some wireless card vendors call these lengths 40/104/128, respectively.
    Note: WEP is generally considered to be insecure, regardless of the selected key length.
    A random WEP key of the specified length appears in the relevant Key field.

Default Key
    Select the WEP key that this gateway should use for transmission.
    The selected key must be entered in the same key slot (1-4) on the station devices, but the key need not be selected as the transmit key on the stations.
    Note: You can use all four keys to receive data.
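The constraints spread over Table 64 and Table 65 (SSID up to 32 characters, WPA-Personal passphrase of 8 to 63 characters, WEP keys of 10, 26 or 32 hexadecimal digits, channels at least 5 apart, and the methods the guide marks as not recommended) can be checked before a configuration is pushed to a gateway. The following is an added example, not code from this guide or from Check Point: a validator that returns hard errors (values the form would reject) separately from warnings (choices the guide calls weak, such as None, WEP, TKIP, or not requiring WPA2). The settings object, the method labels and the warning wording are the example's own.

```python
"""Added example (not from the Check Point guide): validate wireless security
settings against the rules described in Table 64 and Table 65.
Rules encoded: SSID 1-32 characters; WPA-Personal passphrase 8-63 characters;
WEP keys hexadecimal and 10/26/32 digits (64/128/152 bit); channels at least
5 apart (25 MHz) to avoid interference; None/WEP/TKIP flagged as weak choices.
Settings objects and labels below are constructed."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

WEP_KEY_LENGTHS = {10: "64-bit", 26: "128-bit", 32: "152-bit"}   # hex digits -> length
MIN_CHANNEL_SEPARATION = 5        # 5 channels = 25 MHz in the 2.4 GHz band
SECURITY_METHODS = ("None", "WEP", "802.1x", "WPA-Enterprise", "WPA-Personal")
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")


@dataclass
class WirelessSettings:
    ssid: str
    security: str                     # one of SECURITY_METHODS
    passphrase: Optional[str] = None  # WPA-Personal only
    wep_keys: List[str] = field(default_factory=list)
    require_wpa2: bool = False        # "Require WPA2 (802.11i)"
    wpa_encryption: str = "Auto"      # "Auto", "AES" or "TKIP"
    channel: Optional[int] = None     # None = Automatic


def validate_wep_key(key: str) -> Optional[str]:
    """Return a problem description, or None if the key is well-formed."""
    if not HEX_RE.match(key):
        return "WEP key must contain only hexadecimal digits 0-9 and A-F"
    if len(key) not in WEP_KEY_LENGTHS:
        return f"WEP key length {len(key)} is not one of {sorted(WEP_KEY_LENGTHS)} hex digits"
    return None


def channels_conflict(a: int, b: int) -> bool:
    """True when two access points are closer than 5 channels (25 MHz) apart."""
    return abs(a - b) < MIN_CHANNEL_SEPARATION


def validate(s: WirelessSettings) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings). Errors are values the form would reject;
    warnings are settings the guide marks as not recommended."""
    errors: List[str] = []
    warnings: List[str] = []
    if not 1 <= len(s.ssid) <= 32:
        errors.append("SSID must be 1-32 characters")
    if s.security not in SECURITY_METHODS:
        errors.append(f"unknown security method {s.security!r}")
        return errors, warnings
    if s.security == "None":
        warnings.append("no security: anyone in range can join; suitable only for public access points")
    elif s.security == "WEP":
        warnings.append("WEP has known flaws; use only for legacy compatibility")
        if not s.wep_keys:
            errors.append("WEP requires at least one key")
        for i, key in enumerate(s.wep_keys, 1):
            problem = validate_wep_key(key)
            if problem:
                errors.append(f"Key {i}: {problem}")
    elif s.security == "802.1x":
        warnings.append("802.1x authenticates stations but does not encrypt traffic")
    else:  # WPA-Enterprise or WPA-Personal
        if s.security == "WPA-Personal":
            if s.passphrase is None or not 8 <= len(s.passphrase) <= 63:
                errors.append("WPA-Personal passphrase must be 8-63 characters")
        if s.wpa_encryption not in ("Auto", "AES", "TKIP"):
            errors.append(f"unknown WPA encryption {s.wpa_encryption!r}")
        elif s.wpa_encryption == "TKIP":
            warnings.append("TKIP selected; AES is more secure")
        if not s.require_wpa2:
            warnings.append("WPA2 not required; stations may fall back to WPA")
    return errors, warnings


if __name__ == "__main__":
    # Constructed settings: a hardened WPA-Personal network and a legacy WEP one.
    print(validate(WirelessSettings("corp-wifi", "WPA-Personal",
                                    passphrase="correct horse battery staple",
                                    require_wpa2=True, wpa_encryption="AES", channel=1)))
    print(validate(WirelessSettings("legacy", "WEP", wep_keys=["0123456789ABCDEF0123456789"])))
    print(channels_conflict(1, 6), channels_conflict(1, 5))
```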


Table 66: Advanced Wireless Settings Fields

In this field…    Do this…

Hide the Network Name (SSID)
    Specify whether to hide the network's SSID, by selecting one of the following:
    - Yes. Hide the SSID. Only devices to which the SSID is known can connect to the network.
    - No. Do not hide the SSID. Any device within range can detect the network name using the wireless network discovery features of some products, such as Microsoft Windows XP, and attempt to connect to the network. This is the default.
    Note: Hiding the SSID does not provide strong security, because a determined attacker can still discover the SSID. Therefore, it is not recommended to rely on this setting alone for security.
    This field only appears when configuring the primary WLAN or a VAP.

MAC Address Filtering
    Specify whether to enable MAC address filtering, by selecting one of the following:
    - Yes. Enable MAC address filtering. Only MAC addresses that are added as network objects can connect to the network. For information on network objects, see Configuring Security Settings on page 52.
    - No. Disable MAC address filtering. This is the default.
    Note: MAC address filtering does not provide strong security, since MAC addresses can be spoofed by a determined attacker. Therefore, it is not recommended to rely on this setting alone for security.
    This field only appears when configuring the primary WLAN or a VAP.

Station to Station Traffic
    Specify whether you want to allow wireless stations on this network to communicate with each other, by selecting one of the following:
    - Allow. Allow stations to communicate with each other. This is the default.
    - Block. Block traffic between wireless stations.
    This field only appears when configuring the primary WLAN or a VAP.

Wireless Transmitter

Transmission Rate
    Select the transmission rate:
    - Automatic. The gateway appliance automatically selects a rate. This is the default.
    - A specific rate
    This field only appears when configuring the primary WLAN, and it is inherited by all VAPs and WDS links.

Transmitter Power
    Select the transmitter power.
    Setting a higher transmitter power increases the access point's range. A lower power reduces interference with other access points in the vicinity.
    The default value is Full. It is not necessary to change this value, unless there are other access points in the vicinity.
    This field only appears when configuring the primary WLAN, and it is inherited by all VAPs and WDS links.


Antenna Selection
    Multipath distortion is caused by the reflection of Radio Frequency (RF) signals traveling from the transmitter to the receiver along more than one path. Signals that were reflected by some surface reach the receiver after non-reflected signals and distort them.
    Embedded NGX gateways avoid the problems of multipath distortion by using an antenna diversity system. To provide antenna diversity, each wireless security gateway has two antennas.
    Specify which antenna to use for communicating with wireless stations:
    - Automatic. The Embedded NGX gateway receives signals through both antennas and automatically selects the antenna with the lowest distortion signal to use for communicating. The selection is made on a per-station basis. This is the default.
    - ANT 1. The ANT 1 antenna is always used for communicating.
    - ANT 2. The ANT 2 antenna is always used for communicating.
    Use manual diversity control (ANT 1 or ANT 2), if there is only one antenna connected to the gateway.
    This field only appears when configuring the primary WLAN, and it is inherited by all VAPs and WDS links.

Fragmentation Threshold
    Type the smallest IP packet size (in bytes) that requires that the IP packet be split into smaller fragments.
    In case of significant radio interference, set the threshold to a low value (around 1000), to reduce error penalty and increase overall throughput.
    Otherwise, set the threshold to a high value (around 2000), to reduce overhead.
    The default value is 2346.

RTS Threshold
    Type the smallest IP packet size for which a station must send an RTS (Request To Send) before sending the IP packet.
    If multiple wireless stations are in range of the access point, but not in range of each other, they might send data to the access point simultaneously, thereby causing data collisions and failures. RTS ensures that the channel is clear before each packet is sent.
    If the network is congested, and the users are distant from one another, set the RTS threshold to a low value (around 500).
    Setting a value equal to the fragmentation threshold effectively disables RTS.
    The default value is 2346.

Extended Range Mode (XR)
    Specify whether to use Extended Range (XR) mode. Extended range (XR) mode allows up to three times the range of a regular 802.11g access point. XR dramatically stretches the performance of a wireless LAN, by enabling long-range connections. The architecture delivers receive sensitivities of up to 105 dBm, over 20 dB more than the 802.11 specification. This allows ranges of up to 300 meters indoors, and up to 1 km (3200 ft) outdoors, with XR-enabled wireless stations (actual range depends on environment).
    This field can have the following values:
    - Disabled. XR mode is disabled.
    - Enabled. XR mode is enabled. XR will be automatically negotiated with XR-enabled wireless stations and used as needed. This is the default.
    This field only appears when configuring the primary WLAN or a VAP.

Multimedia QoS (WMM)
    Specify whether to use the Wireless Multimedia (WMM) standard to prioritize traffic from WMM-compliant multimedia applications. This can have the following values:
    - Disabled. WMM is disabled. This is the default.
    - Enabled. WMM is enabled. The gateway will prioritize multimedia traffic according to four access categories (Voice, Video, Best Effort, and Background). This allows for smoother streaming of voice and video when using WMM-aware applications.
    This field only appears when configuring the primary WLAN or a VAP.

Configuring Virtual Access Points

Note: To enable VAPs, you must first enable the primary WLAN network. If you disable the primary WLAN network, all VAPs are automatically disabled.
For information on enabling the primary WLAN, see Configuring the WLAN on page 197.

The procedure below explains how to add or edit a VAP. For information on deleting a VAP, see Deleting VLANs on page 194.


To add or edit a VAP

1. In the navigation tree, click the Network > Network Configuration node.
   The Network Configuration fields appear.
2. Select the Remotely manage Network Configuration check box.
   The fields are enabled.
3. Click the Internal Networks node.
   The Internal Networks fields appear.
4. In the Networks area, do one of the following:
   - To add a VAP, click Add VLAN.
   - To edit an existing VAP, click the VAP's name.
   The Edit Internal Network Wizard opens, with the Edit Internal Network: Internal Network Parameters dialog box displayed.
5. Complete the fields using the information in Network Parameters Fields on page 180.
6. Click Next.
   The following things happen in the order below:
   - If you set the network's mode to Bridged, the Edit Internal Network: Bridge Options dialog box appears. Complete the fields, using the information in Bridge Options Fields on page 184.
   - The Edit Internal Network: DHCP Server Options dialog box appears.
7. Complete the fields using the information in DHCP Server Options Fields on page 186.
8. Click Next.
   The Edit Internal Network: Wireless Settings dialog box appears.
9. Complete the fields, using the information in Wireless Settings Fields on page 201.
10. Click Next.
    The Edit Internal Network: Advanced Wireless Settings dialog box appears.
11. Complete the fields, using the information in Advanced Wireless Settings Fields on page 206.
12. Click Next.
    The final Edit Internal Network dialog box appears.
13. Click Finish.
14. Click .

Configuring Wireless Distribution System Links

Note: To enable WDS links, you must first enable the primary WLAN network. If you disable the primary WLAN network, all VAPs are automatically disabled.
For information on enabling the primary WLAN, see Configuring the WLAN on page 197.

The procedure below explains how to add or edit a WDS link. For information on deleting a WDS link, see Deleting VLANs on page 194.


Configuring Network SettingsTo add or edit a WDS link1. In the navigation tree, click the Network > Network Configuration node.The Network Configuration fields appear.2. Select the Remotely manage Network Configuration check box.The fields are enabled.3. Click the Internal Networks node.The Internal Networks fields appear.4. In the Networks area, do one of the following:To add a WDS link, click Add VLAN. To edit an existing WDS link, click the WDS link's name.The Edit Internal Network Wizard opens, with the Edit Internal Network: Internal NetworkParameters dialog box displayed.5. Complete the fields using the information in Network Parameters Fields onpage 180.6. Click Next.The following things happen in the order below:If you set the network's mode to Bridged, the Edit Internal Network: BridgeOptions dialog box appears.Complete the fields, using the information in Bridge Options Fields on page 184. The Edit Internal Network: DHCP Server Options dialog box appears.7. Complete the fields using the information in DHCP Server Options Fields onpage 186.8. Click Next.214 <strong>Self</strong> <strong>Provisioning</strong> <strong>Portal</strong> <strong>User</strong> <strong>Guide</strong>


Configuring Network SettingsThe Edit Internal Network: Wireless Settings dialog box appears.9. Complete the fields, using the information in Wireless Settings Fields on page201.10. Click Next.Chapter 3: Managing Your Gateways 215


Configuring Network SettingsThe Edit Internal Network: Advanced Wireless Settings dialog box appears.11. Complete the fields, using the information in Advanced Wireless SettingsFields on page 206.12. Click Next.The final Edit Internal Network dialog box appears.13. Click Finish.14. Click .Configuring the OfficeMode NetworkBy default, VPN Clients connect to the VPN Server using an Internet IP address locallyassigned by an ISP. This may lead to the following problems:VPN Clients on the same network will be unable to communicate with eachother via the Embedded NGX Internal VPN Server. This is because their IPaddresses are on the same subnet, and they therefore attempt to communicatedirectly over the local network, instead of through the secure VPN link.216 <strong>Self</strong> <strong>Provisioning</strong> <strong>Portal</strong> <strong>User</strong> <strong>Guide</strong>


Configuring Network SettingsSome networking protocols or resources may require the client’s IP address tobe an internal one.OfficeMode solves these problems by enabling the Embedded NGX DHCP Server toautomatically assign a unique local IP address to the VPN client, when the client connectsand authenticates. The IP addresses are allocated from a pool called the OfficeModenetwork.Note: OfficeMode requires <strong>Check</strong> <strong>Point</strong> SecureClient to be installed on the VPNclients. It is not supported by <strong>Check</strong> <strong>Point</strong> SecuRemote.When OfficeMode is not supported by the VPN client, traditional mode will beselected used instead.To configure the OfficeMode network1. In the navigation tree, click the Network > Network Configuration node.The Network Configuration fields appear.2. Select the Remotely manage Network Configuration check box.The fields are enabled.3. Click the Internal Networks node.The Internal Networks fields appear.4. In the Networks table, click office.The Edit Internal Network Wizard opens, with the Edit Internal Network: Internal NetworkParameters dialog box displayed.5. Complete the fields using the information in Network Parameters Fields onpage 180.6. Click Next.The following things happen in the order below:If you set the network's mode to Bridged, the Edit Internal Network: BridgeOptions dialog box appears.Do the following:1) Complete the fields, using the information in Bridge Options Fieldson page 184.Chapter 3: Managing Your Gateways 217


  2) Click Next.

- The Edit Internal Network: DHCP Server Options dialog box appears.

7. Complete the fields using the information in DHCP Server Options Fields on page 186.

8. Click Next.

The final Edit Internal Network dialog box appears.

9. Click Finish.

10. Click .

Configuring Bridges

You can connect multiple network segments at the data-link layer by configuring a bridge. Bridges offer the following advantages:

Easy network segmentation

Bridges can be used to compartmentalize an existing network into several security zones, without changing the IP addressing scheme or the routers' configuration. Ordinarily, if you need to deploy a firewall within an internal network, you can divide the existing subnet into two networks and configure a new routing scheme. However, in some deployments, the amount of network reconfiguration required prohibits such a solution. Adding a bridge not only allows you to segment a network quickly and easily, but it allows you to choose whether to enable the firewall between network segments.

If you enable the firewall between bridged network segments, the gateway operates as a regular firewall between network segments, inspecting traffic and dropping or blocking unauthorized or unsafe traffic. In contrast, if you disable the firewall between bridged network segments, all network interfaces assigned to the bridge are connected directly, with no firewall filtering the traffic between them. The network interfaces operate as if they were connected by a hub or switch.

Transparent roaming

In a routed network, if a host is physically moved from one network area to another, then the host must be configured with a new IP address. However, in a bridged network, there is no need to reconfigure the host, and work can continue with minimal interruption.


You can configure anti-spoofing for bridged network segments. When anti-spoofing is configured for a segment, only IP addresses within a specific IP address range can be sent from that network segment. For example, if you configure anti-spoofing for the "Marketing" network segment, the following things happen:

- If a host with an IP address outside of the allowed IP address range tries to connect from a port or VLAN that belongs to the "Marketing" network segment, the connection will be blocked and logged as "Spoofed IP".

- If a host with an IP address within the bridge IP address range tries to connect from a port or VLAN that belongs to a network segment other than the "Marketing" segment, the connection will be blocked and logged as "Spoofed IP".

Bridges operate at layer 2 of the OSI model; therefore, adding a bridge to an existing network is completely transparent and does not require any changes to the network's structure.

Workflow

To use a bridge

1. Add a bridge.

See Adding and Editing Bridges on page 219.

2. Add the desired internal networks to the bridge.

See Configuring Network Settings on page 176.

3. If you enabled the firewall between networks on this bridge, add firewall rules and VStream Antivirus rules as needed.

For information on adding firewall rules, see Adding and Editing Firewall Rules on page 55. For information on adding VStream Antivirus rules, see Adding and Editing VStream Antivirus Rules on page 127.

Adding and Editing Bridges

To add or edit a bridge

1. In the navigation tree, click the Network > Network Configuration node.

The Network Configuration fields appear.


2. Select the Remotely manage Network Configuration check box.

The fields are enabled.

3. Click the Internal Networks node.

The Internal Networks fields appear.

4. In the Bridges area, do one of the following:

- To add a new bridge, click New.

- To edit an existing bridge, click the name of the bridge.

The Edit Wizard opens.

5. Complete the fields using the information in the following table.

6. Click Finish.

7. Click .
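The two anti-spoofing rules described under Configuring Bridges, written out as a check over constructed frames. This is an added example, not Check Point code: the segment table, the port and VLAN names, the address ranges and the sample frames are all constructed for illustration, and only the decision logic and the "Spoofed IP" log reason come from the text above.

```python
"""Anti-spoofing decision for bridged network segments (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed segment table: segment name -> (member ports/VLANs, allowed range).
# In the product the range comes from the bridged network's own configuration.
SEGMENTS = {
    "Marketing": ({"port1", "vlan10"}, ipaddress.ip_network("10.1.0.0/24")),
    "Sales":     ({"port2", "vlan20"}, ipaddress.ip_network("10.2.0.0/24")),
}
# Only segments listed here have anti-spoofing configured (constructed).
ANTI_SPOOFING_ENABLED = {"Marketing"}


@dataclass(frozen=True)
class Frame:
    src_ip: str    # source IP address claimed by the sender
    ingress: str   # port or VLAN the frame arrived on


def segment_of(ingress: str) -> Optional[str]:
    """Map an ingress port/VLAN to the segment it belongs to (None if unknown)."""
    for name, (members, _range) in SEGMENTS.items():
        if ingress in members:
            return name
    return None


def check_frame(frame: Frame) -> Tuple[str, Optional[str]]:
    """Return ('allow', None) or ('block', 'Spoofed IP') for one frame."""
    src = ipaddress.ip_address(frame.src_ip)
    arrived_on = segment_of(frame.ingress)
    for name in ANTI_SPOOFING_ENABLED:
        _members, allowed = SEGMENTS[name]
        # Rule 1: an address outside the allowed range arriving on a member
        # port/VLAN of the protected segment.
        if arrived_on == name and src not in allowed:
            return "block", "Spoofed IP"
        # Rule 2: an address inside the protected segment's range arriving from
        # any port/VLAN that is not part of that segment.
        if arrived_on != name and src in allowed:
            return "block", "Spoofed IP"
    return "allow", None


def audit(frames: List[Frame]) -> List[str]:
    """Log lines for every blocked frame in a batch (format is constructed)."""
    lines = []
    for f in frames:
        action, reason = check_frame(f)
        if action == "block":
            lines.append(f"blocked src={f.src_ip} ingress={f.ingress} reason={reason}")
    return lines


if __name__ == "__main__":
    sample = [Frame("10.1.0.5", "port1"), Frame("192.168.1.1", "vlan10"),
              Frame("10.1.0.7", "port2"), Frame("10.2.0.9", "port2")]
    for line in audit(sample):
        print(line)
```

The second rule is the one that catches an attacker plugged into another segment who borrows a Marketing address: the range check alone would pass the frame, so the ingress segment must be part of the decision.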


Table 67: Bridge Configuration Fields

Name: Type a name for the bridge.

Firewall Between Members: Specify whether the firewall should be enabled between networks on this bridge, by selecting one of the following:

- Enabled. The firewall is enabled, and it will inspect traffic between networks on the bridge, enforcing firewall rules and SmartDefense protections. This is the default value.

- Disabled. The firewall is disabled between networks on the bridge.

Non IP Traffic: Specify how the firewall should handle non-IP protocol traffic between networks on this bridge, by selecting one of the following:

- Block. The firewall will block all non-IP protocol traffic on the bridge. This is the default value.

- Pass. The firewall will allow all non-IP protocol traffic on the bridge and process it as described in Configuring Bridges on page 218.

Spanning Tree Protocol: Specify whether to enable STP for this bridge, by selecting one of the following:

- Enabled. STP is enabled.

- Disabled. STP is disabled. This is the default value.

If you selected Enabled, the Bridge Priority field appears.


Bridge Priority: Select this bridge's priority.

The bridge's priority is combined with a bridged network's MAC address to create the bridge's ID. The bridge with the lowest ID is elected as the root bridge. The other bridges in the tree calculate the shortest distance to the root bridge, in order to eliminate loops in the topology and provide fault tolerance.

To increase the chance of this bridge being elected as the root bridge, select a lower priority.

Note: If you select the same priority for all bridges, the root bridge will be elected based on MAC address.

The default value is 32768.

This field only appears if STP is enabled.

IP Address: Type the IP address to use for this gateway on this bridge.

Note: The bridge must not overlap other networks.

Subnet Mask: Select this bridge's subnet mask.

Deleting Bridges

Note: You cannot delete a bridge that is currently in use.

To delete a bridge

1. In the navigation tree, click the Network > Network Configuration node.

The Network Configuration fields appear.

2. Select the Remotely manage Network Configuration check box.

The fields are enabled.


3. Click the Internal Networks node.

The Internal Networks fields appear.

4. Select the check box next to the desired bridge.

5. Click Delete.

A confirmation message appears.

6. Click OK.

The bridge is deleted.

7. Click .

Modifying Port Settings

You can assign the gateway appliance's ports to different networks or purposes, configure their link rates and duplex, and configure their security scheme.

Modifying Port Assignments

You can assign ports to different networks or purposes. Since modifying port assignments often requires multiple configurations, use the following table to determine which procedures are required:

Table 68: Modifying Port Assignments

To assign a port to... | This person... | Must perform the following procedures...
No network | An SMP administrator | The procedure below. This disables the port.
LAN | An SMP administrator | The procedure below.
VLAN or VLAN Trunk | An SMP administrator | Configuring a VLAN (see Configuring VLANs on page 190).
A WAN Internet connection | An SMP administrator | The procedure below.


DMZ | An SMP administrator | Configuring a DMZ network (see Configuring the DMZ on page 189).
A serial console | The gateway administrator | Setting up a serial console.
A dialup modem | The gateway administrator | Setting up a dialup modem.
A terminal server | An SMP administrator | Configuring the terminal server (see Configuring the Terminal Server on page 229). Note: This port assignment is relevant for Check Point UTM-1 Edge appliances only.
A VLAN network, dynamically assigned by a RADIUS server | An SMP administrator | Configuring port-based security (see Configuring Port-Based Security on page 226).

To modify a port's assignment

1. In the navigation tree, click the Network > Network Configuration node.

The Network Configuration fields appear.

2. Select the Remotely manage Network Configuration check box.

The fields are enabled.

3. Click the Port Settings node.

The Port Settings fields appear.

4. Click the desired port's name.


The Edit Port dialog box opens.

5. In the Assigned To drop-down list, select the desired port assignment.

6. Click Finish.

7. Click .

Note: If the DMZ port is in use, changing its configuration from that which is defined on the gateway may fail.

Modifying Link Configurations

By default, the Embedded NGX appliance automatically detects the link speed and duplex. If desired, you can manually restrict the Embedded NGX appliance's ports to a specific link speed and duplex.

To modify a port's link configuration

1. In the navigation tree, click the Network > Network Configuration node.

The Network Configuration fields appear.


2. Select the Remotely manage Network Configuration check box.

The fields are enabled.

3. Click the Port Settings node.

The Port Settings fields appear.

4. Click the desired port's name.

The Edit Port dialog box appears.

5. In the Link Configuration drop-down list, do one of the following:

- Select the desired link speed and duplex.

- Select Automatic Detection to configure the port to automatically detect the link speed and duplex. This is the default.

6. Click Finish.

7. Click .

Configuring Port-Based Security

The Embedded NGX gateway supports the IEEE 802.1x standard for secure authentication of users and devices that are directly attached to the Embedded NGX gateway's LAN and DMZ ports, as well as the wireless LAN. Authentication can be performed either by an external RADIUS server, or by the Embedded NGX gateway's built-in Extended Authentication Protocol (EAP) authenticator, which allows using the local user database for authentication purposes.

When an 802.1x security scheme is implemented for a port, users attempting to connect to that port are required to authenticate using their network user name and password. The Embedded NGX gateway sends the user's credentials to the configured authentication server, and if authentication succeeds, a connection is established. If the user fails to authenticate, the port is physically isolated from other ports on the gateway.

If desired, you can specify how users should be handled after successful or failed authentication. Users who authenticate successfully on a specific port are assigned to the network with which that port is associated. For example, if the port is assigned to the DMZ network, all users who authenticate successfully on that port are assigned to the DMZ network.
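The placement decisions this section describes for an 802.1x port, collected into one added example (not Check Point code): a host that authenticates lands in the port's assigned network or, when the port is set to "From RADIUS", in the VLAN named by RADIUS attribute 81 (Tunnel-Private-Group-ID); a host that fails is isolated, or moved to the Quarantine network when one is configured; and with "Allow multiple hosts", one failed client blocks every host on the port. Port, network and host names and the sample sessions are constructed; two cases the text does not settle are marked as assumptions in the code.

```python
"""802.1x port placement decisions for a gateway port (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

TUNNEL_PRIVATE_GROUP_ID = 81   # RADIUS attribute number named in this section
FROM_RADIUS = "From RADIUS"    # value of the Assigned To field
BLOCKED = "blocked"            # host isolated from the other ports


@dataclass
class PortSecurity:
    assigned_to: str                   # network name, or FROM_RADIUS
    quarantine: Optional[str] = None   # Quarantine network name, or None
    allow_multiple_hosts: bool = False


@dataclass
class AuthResult:
    host: str                          # supplicant identity (constructed)
    success: bool
    radius_attrs: Dict[int, str] = field(default_factory=dict)


def place_host(port: PortSecurity, result: AuthResult) -> str:
    """Network a single host ends up in after its own authentication attempt."""
    if result.success:
        if port.assigned_to != FROM_RADIUS:
            return port.assigned_to
        vlan = result.radius_attrs.get(TUNNEL_PRIVATE_GROUP_ID)
        if vlan is not None:
            return vlan
        # Assumption: an accept without attribute 81 on a "From RADIUS" port is
        # handled like a failed authentication; the page does not cover it.
    return port.quarantine if port.quarantine is not None else BLOCKED


def evaluate_port(port: PortSecurity, results: List[AuthResult]) -> Dict[str, str]:
    """Placement of every host seen on the port, honouring the multi-host rule."""
    if not port.allow_multiple_hosts:
        # Only a single host may connect. Assumption: any further hosts are
        # blocked; the page only says one host is allowed per port.
        placements = {r.host: BLOCKED for r in results[1:]}
        if results:
            placements[results[0].host] = place_host(port, results[0])
        return placements
    if any(not r.success for r in results):
        # Multiple hosts behind a hub/switch: one failed client blocks them all.
        return {r.host: BLOCKED for r in results}
    return {r.host: place_host(port, r) for r in results}


def log_lines(port_name: str, placements: Dict[str, str]) -> List[str]:
    """Audit-style lines for the decision (line format is constructed)."""
    return [f"port={port_name} host={h} network={n}" for h, n in placements.items()]


if __name__ == "__main__":
    radius_port = PortSecurity(FROM_RADIUS, quarantine="Quarantine")
    sessions = [AuthResult("alice", True, {TUNNEL_PRIVATE_GROUP_ID: "Accounting"})]
    for line in log_lines("LAN2", evaluate_port(radius_port, sessions)):
        print(line)
```

The multi-host branch is the reason the table's note calls that option less secure: the port can no longer tell which of several supplicants behind the hub sent a given frame, so the only safe reaction to one failure is to block the whole port.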


When using a RADIUS server for authentication, you can assign authenticated users to specific network segments, by configuring dynamic VLAN assignment on the RADIUS server. Upon successful authentication, the RADIUS server sends RADIUS option 81 [Tunnel-Private-Group-ID] to the Embedded NGX gateway, indicating to which network segment the user should be assigned. For example, if a member of the Accounting team connects to a network port and attempts to log in, the Embedded NGX gateway relays the information to the RADIUS server, which replies with RADIUS option 81 and the value "Accounting". The gateway then assigns the user's port to the Accounting network, granting the user access to all the resources of the Accounting team.

The Embedded NGX gateway also enables you to automatically assign users to a "Quarantine" network when authentication fails. All Quarantine network security and network rules will apply to those users. For example, you can create security rules allowing users on the Quarantine network to access the Internet and blocking them from accessing sensitive company resources. You can also configure Traffic Shaper to grant members of the Quarantine network a lower amount of bandwidth than authorized users.

You can choose to exclude specific network objects from 802.1x port-based security enforcement. Excluded network objects will be able to connect to the Embedded NGX gateway's ports and access the network without authenticating. For information on excluding network objects from 802.1x port-based security enforcement, see Configuring Network Objects on page 245.

To configure 802.1x port-based security for a port

1. To use a RADIUS server for authenticating clients, do the following:

a. Configure a RADIUS server.

See Configuring RADIUS User Authentication on page 35.

b. To configure dynamic VLAN assignment, add port-based VLAN networks as needed.

See Adding and Editing VLANs on page 193.

2. To configure a Quarantine network other than the LAN or DMZ, add a port-based VLAN network.

See Adding and Editing VLANs on page 193.

3. In the navigation tree, click the Network > Network Configuration node.

The Network Configuration fields appear.

4. Select the Remotely manage Network Configuration check box.


The fields are enabled.

5. Click the Port Settings node.

The Port Settings fields appear.

6. Click the desired port's name.

The Edit Port dialog box opens.

7. In the Port Security drop-down list, select 802.1x.

The Quarantine Network, Authentication Server, and Allow multiple hosts fields are enabled.

8. Complete the fields using the information in the following table.

9. Click Finish.

10. Click .

Note: To complete port-based security configuration using a RADIUS server, the gateway administrator must do the following:

- Configure the clients for 802.1x authentication.

- Configure RADIUS option 81 [Tunnel-Private-Group-ID] on the RADIUS server.

To complete port-based security configuration using the Embedded NGX EAP authenticator, the gateway administrator must follow the workflow for wired clients in "Using the EAP Authenticator" in the gateway User Guide.

Table 69: Port-Based Security Fields

Assigned To: Specify how the Embedded NGX gateway should handle users who authenticate successfully, by selecting one of the following:

- A network name. All users who authenticate to this port successfully are assigned to the specified network.

- From RADIUS. Use dynamic VLAN assignment to assign users to specific networks. This option is only relevant when using a RADIUS server.


Quarantine Network: Specify which network should serve as the Quarantine network, by selecting one of the following:

- A network name. All users for whom authentication to this port fails are assigned to the specified network.

- None. No Quarantine network is selected.

Authentication Server: Specify which authentication server to use, by selecting one of the following:

- RADIUS. A RADIUS server.

- Internal User Database. The Embedded NGX EAP authenticator.

Allow multiple hosts: To allow multiple hosts to connect to this port, select this option.

Normally, 802.1x port-based security allows only a single host to connect to each port. However, when this option is selected, multiple clients can connect to the same port via a hub or switch. Each client on the port must authenticate separately. If authentication fails for one client, then all clients on the port will be blocked.

Note: Enabling this option makes 802.1x port-based security less secure. Therefore, it is recommended to enable this option only in locations where the number of ports is a limiting factor, and where an external 802.1x-capable switch cannot be installed.

Configuring the Terminal Server

The Embedded NGX gateway includes a built-in terminal server (also called a device server), which allows you to Internet-enable legacy RS-232 serial devices by simply connecting them to the gateway's Serial port; there is no need for hardware modification or additional equipment. By adding IP connectivity to serial devices, the terminal server enables remote monitoring, diagnostics, and management of the devices.

The terminal server can be used in the following modes:


- Passive Mode. The terminal server accepts connections from an external Telnet client, and relays traffic to and from the gateway's Serial port. This mode allows Telnet clients to remotely access devices attached to the gateway's Serial port.

- Active Mode. The terminal server connects to an external Telnet server, and relays traffic to and from the appliance's Serial port. This mode affords devices attached to the gateway's Serial port permanent access to an external Telnet server.

Note: You can enable tunneling of serial RS-232 data over the Internet or VPN, by configuring one Embedded NGX gateway in passive mode and another in active mode.

The terminal server can be used in conjunction with VPN connectivity, to enable secure transmission of RS-232 data between the serial devices and the Telnet client or server.

To configure the terminal server

1. In the navigation tree, click the Network > Network Configuration node.

The Network Configuration fields appear.

2. Select the Remotely manage Network Configuration check box.

The fields are enabled.

3. Click the Port Settings node.

The Port Settings fields appear.

4. Click RS232.

The Edit Port dialog box appears.

5. In the Assigned To drop-down list, select Terminal Server.


Additional fields appear.

6. Complete the fields using the information in the following table.

7. Click Finish.

8. Click .

Table 70: Terminal Server Fields

TCP Port: Type the TCP port that the terminal server should use for incoming and outgoing connections between the Serial port and the Internet.

Operation Mode: Select the terminal server's operation mode. If Active is selected, the Primary Server and Secondary Server fields appear.

Primary Server: Type the IP address or DNS name of the primary Telnet server to which the terminal server should connect.


Secondary Server: Type the IP address or DNS name of the secondary Telnet server to which the terminal server should connect when the primary server is not available.

Configuring High Availability

You can create a High Availability (HA) cluster consisting of two or more gateways. For example, if there are two gateways in a network, then one can act as the "Master", the default gateway through which all network traffic is routed, and one can act as the "Backup". If the Master fails, the Backup automatically and transparently takes over all the roles of the Master. This ensures that the network is consistently connected to the Internet.

The gateways in an HA cluster each have a separate IP address within the local network. In addition, the gateways share a single virtual IP address, which is the default gateway address for the local network. Control of the virtual IP address is passed as follows:

1. Each gateway is assigned a priority, which determines the gateway's role: the gateway with the highest priority is the Active Gateway and uses the virtual IP address, and the rest of the gateways are Passive Gateways.

2. The Active Gateway sends periodic signals, or "heartbeats", to the network via a synchronization interface.

The synchronization interface can be any internal network or bridge existing on both gateways, except an Internet connection or a VLAN.

3. If the heartbeat from the Active Gateway stops (indicating that the Active Gateway has failed), the gateway with the highest priority becomes the new Active Gateway and takes over the virtual IP address.

4. When a gateway that was offline comes back online, or a gateway's priority changes, the gateway sends a heartbeat notifying the other gateways in the cluster. If the gateway's priority is now the highest, it becomes the Active Gateway.

You can configure port tracking, which means that each gateway tracks its ports' statuses and reduces its own priority by a user-specified amount if a specific port's Ethernet link is lost. If the Active Gateway's priority drops below another gateway's priority, then the other gateway becomes the Active Gateway.
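The election and failover sequence just described, simulated in an added example that is not Check Point code: the gateway with the highest priority is Active, a member whose heartbeat is no longer heard is treated as failed, a member that comes back announces itself with a heartbeat, and port tracking lowers a gateway's own priority by the configured amount while a tracked Ethernet link is down. Gateway names, priorities, the heartbeat timeout, the tie-break rule and the simplification that every online member heartbeats each interval are constructed.

```python
"""HA cluster election with heartbeats and port tracking (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed: intervals without a heartbeat before a peer counts as failed.
HEARTBEAT_TIMEOUT = 3


@dataclass
class Gateway:
    name: str
    my_priority: int          # "My Priority" field, 1..255
    reduce_by: int = 0        # "On Link Failure, Reduce Priority By", 0..255
    link_up: bool = True      # state of the tracked Ethernet port
    online: bool = True       # False while the appliance is down

    def effective_priority(self) -> int:
        # Port tracking: the gateway lowers its own priority while the link is lost.
        p = self.my_priority - (0 if self.link_up else self.reduce_by)
        return max(p, 0)      # assumption: the priority does not go negative


class Cluster:
    def __init__(self, gateways: List[Gateway]):
        self.gateways = {g.name: g for g in gateways}
        self.now = 0
        self.last_heartbeat: Dict[str, int] = {g.name: 0 for g in gateways}
        self.last_priority: Dict[str, int] = {
            g.name: g.effective_priority() for g in gateways}

    def tick(self) -> Optional[str]:
        """Advance one heartbeat interval; return the Active Gateway's name."""
        self.now += 1
        for g in self.gateways.values():
            if g.online:
                # Simplification: every online member heartbeats each interval,
                # carrying its current priority (the page describes the Active
                # Gateway's periodic heartbeat plus announcements on change).
                self.last_heartbeat[g.name] = self.now
                self.last_priority[g.name] = g.effective_priority()
        return self.active()

    def alive(self) -> List[str]:
        """Members heard from within the timeout window."""
        return [n for n, t in self.last_heartbeat.items()
                if self.now - t < HEARTBEAT_TIMEOUT]

    def active(self) -> Optional[str]:
        """Highest last-announced priority wins; ties go to the lower name (constructed)."""
        candidates = self.alive()
        if not candidates:
            return None
        return sorted(candidates, key=lambda n: (-self.last_priority[n], n))[0]


if __name__ == "__main__":
    a, b = Gateway("gw-a", 200, reduce_by=100), Gateway("gw-b", 150)
    cluster = Cluster([a, b])
    print("initial active:", cluster.tick())
    a.link_up = False
    print("after gw-a link loss:", cluster.tick())
```

The requirement in the next section that the synchronization interface stay connected on all gateways follows directly from the model: a member that cannot hear heartbeats has no way to distinguish a failed Active Gateway from a broken synchronization link, and will promote itself.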


If desired, you can configure multiple HA clusters on the same network segment. To this end, each cluster must be assigned a unique ID number.

Before configuring HA, the following requirements must be met:

- There must be at least two identical gateways.

- The gateways must have identical firmware versions and firewall rules.

- The gateways' internal networks and bridges must be the same.

- The gateways must have different real internal IP addresses, but share the same virtual IP address.

- The gateways' synchronization interface ports must be connected either directly, or via a hub or a switch. For example, if the DMZ is the synchronization interface, then the DMZ/WAN2 ports on the gateway appliances must be connected to each other.

The synchronization interface need not be dedicated for synchronization only. It may be shared with an active internal network or bridge.

You can configure HA for any bridge and for any internal network, except the OfficeMode network.

Note: You can enable the DHCP server on all gateways. A Passive Gateway's DHCP server will start answering DHCP requests only if the Active Gateway fails.

Note: If you configure HA for the primary WLAN network:

- A Passive Gateway's wireless transmitter will be disabled until the gateway becomes active.

- The two primary WLAN networks can share the same SSID and wireless frequency.

- The primary WLAN interface cannot serve as the synchronization interface.

The following procedure explains how to configure HA on a single gateway. You must perform this procedure for each gateway that you want to include in the HA cluster.

To configure HA

1. Set the gateway's internal IP addresses and network range.

Each gateway must have a different internal IP address.


See Configuring the LAN on page 177.

2. In the navigation tree, click the Network > Network Configuration node.

The Network Configuration fields appear.

3. Select the Remotely manage Network Configuration check box.

The fields are enabled.

4. Click the High Availability node.

The High Availability fields appear.

5. Select the Remotely manage High Availability check box.

The Mode field is enabled.

6. In the Mode drop-down list, select Enabled.

The fields are enabled.

7. Complete the fields using the information in the table below.

8. Click .

Table 71: High Availability Page Fields

Synchronization Interface: Select the network you want to use as the synchronization interface.

Note: The synchronization interface must be the same for all gateways, and must always be connected and enabled on all gateways. Otherwise, multiple gateways may become active, causing unpredictable problems.

My Priority: Type the gateway's priority.

This must be an integer between 1 and 255.


Group ID: If multiple HA clusters exist on the same network segment, type the ID number of the cluster to which the gateway should belong.

This must be an integer between 1 and 255.

The default value is 55. If only one HA cluster exists, there is no need to change this value.

Virtual IP Mapping

Virtual IP: To enable HA for a specific internal network or bridge, type the default gateway IP address.

This can be any unused IP address in the network, and must be the same for all gateways.

Port Tracking

On Link Failure, Reduce Priority By: Type the amount to reduce the gateway's priority if the port's Ethernet link is lost.

This must be an integer between 0 and 255.

When in passive state

Disable VPN: Select this option to specify that VPN connectivity should be disabled when the gateway is a Passive Gateway.

Disable OSPF: Select this option to specify that Open Shortest Path First (OSPF) dynamic routing should be disabled when the gateway is a Passive Gateway.

Disable BGP: Select this option to specify that Border Gateway Protocol (BGP) dynamic routing should be disabled when the gateway is a Passive Gateway.


Disable Wireless Transmitter: Indicates that the gateway's wireless transmitter should be disabled when the gateway is a Passive Gateway.

This option only appears for wireless gateways, and it cannot be cleared.

Configuring Traffic Shaper

Traffic Shaper is a bandwidth management solution that allows you to set bandwidth policies to control the flow of communication. Traffic Shaper ensures that important traffic takes precedence over less important traffic, so that businesses can continue to function with minimum disruption, despite network congestion.

Traffic Shaper uses Stateful Inspection technology to access and analyze data derived from all communication layers. This data is used to classify traffic in up to eight user-defined Quality of Service (QoS) classes. Traffic Shaper divides available bandwidth among the classes according to weight. For example, suppose Web traffic is deemed three times as important as FTP traffic, and these services are assigned weights of 30 and 10 respectively. If the lines are congested, Traffic Shaper will maintain the ratio of bandwidth allocated to Web traffic and FTP traffic at 3:1.

If a specific class is not using all of its bandwidth, the leftover bandwidth is divided among the remaining classes, in accordance with their relative weights. In the example above, if only one Web and one FTP connection are active and they are competing, the Web connection will receive 75% (30/40) of the leftover bandwidth, and the FTP connection will receive 25% (10/40) of the leftover bandwidth. If the Web connection closes, the FTP connection will receive 100% of the bandwidth.

Traffic Shaper allows you to give a class a bandwidth limit. A class's bandwidth limit is the maximum amount of bandwidth that connections belonging to that class may use together. Once a class has reached its bandwidth limit, connections belonging to that class will not be allocated further bandwidth, even if there is unused bandwidth available. For example, you can limit all traffic used by Peer-To-Peer file-sharing applications to a specific rate, such as 512 kilobits per second. Traffic Shaper also allows you to assign a "Delay Sensitivity" value to a class, indicating whether connections belonging to the class should be given precedence over connections belonging to other classes.
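The weight, leftover and limit behaviour described above, carried through as a water-filling allocation. This is an added example, not Check Point code, and the product's actual scheduler is not on the page: it reproduces the stated outcomes (a 3:1 split for weights 30 and 10, all bandwidth to the survivor when one class goes idle, a class capped at its limit even when bandwidth is free). It also applies the "Guarantee At Least" field from the QoS class wizard as a floor that is filled before the weighted share, which is an assumption about how guarantees and weights combine. Class names, weights, demands, limits and the link rate are constructed.

```python
"""Weighted bandwidth allocation in the style of Traffic Shaper (added example)."""
from dataclasses import dataclass
from fractions import Fraction
from typing import Dict, List, Optional


@dataclass
class QosClass:
    name: str
    weight: int                    # Relative Weight
    demand: int                    # kbit/s the class's connections currently want
    limit: Optional[int] = None    # "Limit rate to" in kbit/s; None = no limit
    guarantee: int = 0             # "Guarantee At Least" in kbit/s (assumption: filled first)


def _cap(c: QosClass) -> int:
    """Most a class can usefully receive: its demand, never above its limit."""
    return c.demand if c.limit is None else min(c.demand, c.limit)


def allocate(classes: List[QosClass], link_rate: int) -> Dict[str, Fraction]:
    """Return {class name: kbit/s} for a link of link_rate kbit/s.

    Round by round, the bandwidth still unassigned is split among the classes
    that can still take more, in proportion to their weights; a class that
    reaches its cap leaves the pool and its unused share is redistributed.
    """
    cap = {c.name: _cap(c) for c in classes}
    # Guarantees first (assumption: the guarantees together fit in the link).
    alloc = {c.name: Fraction(min(c.guarantee, cap[c.name])) for c in classes}
    remaining = Fraction(link_rate) - sum(alloc.values())
    open_set = {c.name for c in classes if alloc[c.name] < cap[c.name]}
    while remaining > 0 and open_set:
        total_w = sum(c.weight for c in classes if c.name in open_set)
        if total_w == 0:
            break
        # Compute every class's share from the same 'remaining' before applying.
        shares = {}
        for c in classes:
            if c.name in open_set:
                share = remaining * c.weight / total_w
                shares[c.name] = min(share, cap[c.name] - alloc[c.name])
        for name, give in shares.items():
            alloc[name] += give
            remaining -= give
            if alloc[name] >= cap[name]:
                open_set.discard(name)   # saturated: drops out of later rounds
    return alloc


def as_percent(alloc: Dict[str, Fraction], link_rate: int) -> Dict[str, Fraction]:
    """Share of the link each class received, as a fraction of 100."""
    return {n: v * 100 / link_rate for n, v in alloc.items()}


if __name__ == "__main__":
    web_ftp = [QosClass("Web", 30, 1000), QosClass("FTP", 10, 1000)]
    for name, kbps in allocate(web_ftp, 1000).items():
        print(f"{name}: {kbps} kbit/s")
```

Each round either hands out all remaining bandwidth (when nobody hits a cap) or removes at least one saturated class from the pool, so the loop always terminates; exact fractions are used so the 75%/25% split in the text comes out exactly rather than as floating-point approximations.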


Traffic Shaper supports DiffServ (Differentiated Services) Packet Marking. DiffServ marks packets as belonging to a certain Quality of Service class. These packets are then granted priority on the public network according to their class.

Predefined QoS Classes

Traffic Shaper provides the following predefined QoS classes.

To assign traffic to these classes, define firewall rules as described in Configuring Firewall Rules on page 55.

Table 72: Predefined QoS Classes

Class: Default
Weight: 10
Delay Sensitivity: Medium (Normal Traffic)
Useful for: Normal traffic. All traffic is assigned to this class by default.

Class: Urgent
Weight: 15
Delay Sensitivity: High (Interactive Traffic)
Useful for: Traffic that is highly sensitive to delay. For example, IP telephony, videoconferencing, and interactive protocols that require quick user response, such as telnet. Note that the weight (amount of bandwidth) allocated to this class is less than the weight allocated to the "Important" class. The "Urgent" class is ideal for delay-sensitive traffic that does not demand a high amount of bandwidth.

Class: Important
Weight: 20
Delay Sensitivity: Medium (Normal Traffic)
Useful for: Important traffic that requires a high allocation of bandwidth, but which is not exceptionally sensitive to delays. For example, you can prioritize the HTTP traffic of a company's executive officers over other types of traffic, by assigning it to the "Important" class.


Class: Low Priority
Weight: 5
Delay Sensitivity: Low (Bulk Traffic)
Useful for: Traffic that is not sensitive to long delays, and which does not require a high guaranteed bandwidth. For example, SMTP traffic (outgoing email).

Setting Up Traffic Shaper

To set up Traffic Shaper

1. Enable Traffic Shaper.

See Enabling Traffic Shaper on page 238.

2. Add QoS classes that reflect the gateway owner's communication needs, or modify the four predefined QoS classes.

See Adding and Editing QoS Classes on page 240.

3. Use Allow and Allow and Forward rules to assign different types of connections to the QoS classes.

For example, if Traffic Shaper is enabled for outgoing traffic, and you create an Allow rule associating all outgoing VPN traffic with the Urgent QoS class, then Traffic Shaper will handle outgoing VPN traffic as specified in the bandwidth policy for the Urgent class.

See Configuring Firewall Rules on page 55.

Note: Traffic Shaper must be enabled for the direction of traffic specified in the rule.

Note: If you do not assign a connection type to a class, Traffic Shaper automatically assigns the connection type to the predefined "Default" class.

Enabling Traffic Shaper

You can enable Traffic Shaper for incoming and/or outgoing traffic, on the primary and/or secondary Internet connections.


For information on using Traffic Shaper, see Configuring Traffic Shaper on page 236.

To enable Traffic Shaper

1. In the navigation tree, expand the Network > Traffic Shaper Settings node.

The Traffic Shaper Settings fields appear.

2. If needed, unlock the node from plan.

3. Select the Remotely manage Traffic Shaper Settings check box.

The fields are enabled.

4. Complete the fields for the desired Internet connection(s), using the information in the table below.

5. Click .

Table 73: Traffic Shaper Fields

Shape Upstream: Select this option to enable Traffic Shaper for outgoing traffic.

Shape Upstream: Link Rate: Type a rate (in kilobits/second) slightly lower than your Internet connection's maximum measured upstream speed in the field provided. It is recommended to try different rates in order to determine which one provides the best results.

Shape Downstream: Select this option to enable Traffic Shaper for incoming traffic.


Shape Downstream: Link Rate: Type a rate (in kilobits/second) slightly lower than your Internet connection's maximum measured downstream speed in the field provided. It is recommended to try different rates in order to determine which one provides the best results.

Note: Traffic Shaper cannot control the number or type of packets it receives from the Internet; it can only affect the rate of incoming traffic by dropping received packets. This makes the shaping of inbound traffic less accurate than the shaping of outbound traffic. It is therefore recommended to enable traffic shaping for incoming traffic only if necessary.

Adding and Editing QoS Classes

To add or edit a QoS class

1. In the navigation tree, expand the Network > QoS Classes node.

The QoS Classes fields appear.

2. If needed, unlock the node from plan.

3. Select the Remotely manage Quality of Service Classes check box.

The fields are enabled.

4. Do one of the following:

- To add a new QoS class, click New.

- To edit an existing QoS class, click the number next to the class.


   The Edit Quality of Service Class Wizard opens, with the Edit Quality of Service Class: Step 1 dialog box displayed.
5. Complete the fields using the information in the table below.
6. Click Next.


   The Edit Quality of Service Class: Step 2 dialog box appears.
7. Complete the fields using the information in the table below.
8. Click Next.
   Note: Traffic Shaper may not enforce guaranteed rates and relative weights for incoming traffic as accurately as for outgoing traffic. This is because Traffic Shaper cannot control the number or type of packets it receives from the Internet; it can only affect the rate of incoming traffic by dropping received packets. It is therefore recommended to enable traffic shaping for incoming traffic only if necessary.
   For information on enabling Traffic Shaper for incoming and outgoing traffic, see Enabling Traffic Shaper on page 238.


   The Edit Quality of Service Class: Step 3 dialog box appears with a summary of the class.
9. Type a name for the class.
   For example, if you are creating a class for high priority Web connections, you can name the class "High Priority Web".
10. Click Finish.
   The class appears in the Quality of Service Classes table.
11. Click .

Table 74: Edit Quality of Service Class Wizard Fields

Relative Weight
   Type a value indicating the class's importance relative to the other defined classes.
   For example, if you assign one class a weight of 100, and you assign another class a weight of 50, the first class will be allocated twice the amount of bandwidth as the second when the lines are congested.

Delay Sensitivity
   Select the degree of precedence to give this class in the transmission queue:
   - Low (Bulk Traffic). Traffic that is not sensitive to long delays. For example, SMTP traffic (outgoing email).
   - Medium (Normal Traffic). Normal traffic.
   - High (Interactive Traffic). Traffic that is highly sensitive to delay. For example, IP telephony, videoconferencing, and interactive protocols that require quick user response, such as telnet.
   Traffic Shaper serves delay-sensitive traffic with a lower latency. That is, Traffic Shaper attempts to send packets with a "High (Interactive Traffic)" level before packets with a "Medium (Normal Traffic)" or "Low (Bulk Traffic)" level.

Outgoing Traffic: Guarantee At Least
   Select this option to guarantee a minimum bandwidth for outgoing traffic belonging to this class. Then type the minimum bandwidth (in kilobits/second) in the field provided.

Outgoing Traffic: Limit rate to
   Select this option to limit the rate of outgoing traffic belonging to this class. Then type the maximum rate (in kilobits/second) in the field provided.

Incoming Traffic: Guarantee At Least
   Select this option to guarantee a minimum bandwidth for incoming traffic belonging to this class. Then type the minimum bandwidth (in kilobits/second) in the field provided.

Incoming Traffic: Limit rate to
   Select this option to limit the rate of incoming traffic belonging to this class. Then type the maximum rate (in kilobits/second) in the field provided.

DiffServ Code Point
   Select this option to mark packets belonging to this class with a DiffServ Code Point (DSCP), which is an integer between 0 and 63. Then type the DSCP in the field provided.
   The marked packets will be given priority on the public network according to their DSCP.
   To use this option, the ISP or private WAN must support DiffServ.

Deleting QoS Classes

Note: You cannot delete a QoS class that is currently in use.

To delete an existing QoS class

1. In the navigation tree, expand the Network > QoS Classes node.
   The QoS Classes fields appear.
2. If needed, unlock the node from plan.
3. Select the Remotely manage Quality of Service Classes check box.
   The fields are enabled.
4. In the Quality of Service Classes table, select the check box next to the desired class.
5. Click Delete.
   A confirmation message appears.
6. Click OK.
   The class is deleted.
7. Click .

Configuring Network Objects

You can add individual computers or networks as network objects. This enables you to configure various settings for the computer or network represented by the network object.


You can configure the following settings for a network object:

Static NAT (or One-to-One NAT)
   Static NAT allows the mapping of Internet IP addresses or address ranges to hosts inside the internal network. This is useful if you want a computer in a private network to have its own Internet IP address. For example, if the gateway owner has both a mail server and a Web server on their network, each one can be mapped to a separate Internet IP address.
   Static NAT rules do not imply any security rules. To allow incoming traffic to a host for which you defined Static NAT, you must create an Allow rule. When specifying firewall rules for such hosts, use the host's internal IP address, and not the Internet IP address to which the internal IP address is mapped. For further information, see Adding and Editing Firewall Rules on page 55.
   Note: Static NAT and Hide NAT can be used together.
   Note: The Embedded NGX gateway supports Proxy ARP (Address Resolution Protocol). When an external source attempts to communicate with such a computer, the Embedded NGX gateway automatically replies to ARP queries with its own MAC address, thereby enabling communication. As a result, the Static NAT Internet IP addresses appear to external sources to be real computers connected to the WAN interface.

Assign the network object's IP address to a MAC address
   Normally, the Embedded NGX DHCP server consistently assigns the same IP address to a specific computer. However, if the Embedded NGX DHCP server runs out of IP addresses and the computer is down, then the DHCP server may reassign the IP address to a different computer.
   If you want to guarantee that a particular computer's IP address remains constant, you can reserve the IP address for use by the computer's MAC address only. This is called DHCP reservation, and it is useful when hosting a public Internet server on the network.

Web Filtering enforcement
   You can specify whether or not to enforce the Web Filtering service and Web rules for the network object. Network objects that are excluded from such enforcement will be able to access the Internet without restriction. For information on Web Filtering, see Configuring Category-Based Web Filtering on page 162. For information on Web rules, see Configuring Web Rules on page 163.

Secure HotSpot enforcement
   You can specify whether or not to exclude the network object from HotSpot enforcement. Excluded network objects will be able to access the network without viewing the My HotSpot page. Furthermore, users on HotSpot networks will be able to access the excluded network object without viewing the My HotSpot page. For information on Secure HotSpot, see Configuring Secure HotSpot on page 65.

802.1x port-based security enforcement
   When DHCP reservation is used, you can specify whether or not to exclude a computer from 802.1x port-based security enforcement. Excluded computers will be able to connect to the Embedded NGX gateway's ports and access the network without authenticating. For information on 802.1x port-based security, see Configuring Port-Based Security on page 226.

Adding and Editing Network Objects

To add or edit a network object

1. In the navigation tree, expand the Network > Network Objects node.
   The Network Objects fields appear.
2. If needed, unlock the node from plan.
3. Select the Remotely manage Network Objects check box.
   The fields are enabled.
4. Do one of the following:
   - To add a network object, click New.
   - To edit an existing network object, click the number next to the desired network object.


   The Edit Network Object Wizard opens, with the Edit Network Object Wizard: Step 1 dialog box displayed.
5. Do one of the following:
   - To specify that the network object should represent a single computer or device, click Single Computer.
   - To specify that the network object should represent a network, click Network.
6. Click Next.


   The Edit Network Object Wizard: Step 2 dialog box appears.
7. Complete the fields using the information in the tables below.
8. Click Next.
   The Edit Network Object Wizard: Step 3 dialog box appears.


9. In the Name field, type a name for the network object.
10. Click Finish.
   The network object appears in the Network Objects table.

Table 75: Edit Network Object Wizard Fields for a Single Computer

IP Address
   Type the IP address of the local computer.

Reserve a fixed IP address for this computer
   Select this option to assign the network object's IP address to a MAC address, and to allow the network object to connect to the WLAN when MAC Filtering is used.
   The MAC Address and Exclude this computer from 802.1x Port Security fields are enabled.

MAC Address
   Type the MAC address you want to assign to the network object's IP address.

Exclude this computer from 802.1x Port Security
   Select this option to exclude this computer from 802.1x port-based security enforcement.
   The computer will be able to connect to an Embedded NGX gateway port and access the network without authenticating.

Perform Static NAT (Network Address Translation)
   Select this option to map the local computer's IP address to an Internet IP address.
   You must then fill in the External IP field.

External IP
   Type the Internet IP address to which you want to map the local computer's IP address.

Exclude this computer from HotSpot enforcement
   Select this option to exclude this computer from Secure HotSpot enforcement.
   This computer will be able to access the network without viewing the My HotSpot page. Furthermore, users on HotSpot networks will be able to access this computer without viewing the My HotSpot page.

Exclude this computer from Web Filtering
   Select this option to exclude this computer from the Web Filtering service and Web rule enforcement.

Table 76: Edit Network Object Wizard Fields for a Network

IP Range
   Type the range of local computer IP addresses in the network.

Perform Static NAT (Network Address Translation)
   Select this option to map the network's IP address range to a range of Internet IP addresses of the same size.
   You must then fill in the External IP Range field.

External IP Range
   Type the Internet IP address range to which you want to map the network's IP address range.

Exclude this network from HotSpot enforcement
   Select this option to exclude this network from Secure HotSpot enforcement.
   Computers on the excluded network will be able to access the network without viewing the My HotSpot page. Furthermore, users on HotSpot networks will be able to access computers on the excluded network without viewing the My HotSpot page.


Exclude this network from Web Filtering
   Select this option to exclude this network from the Web Filtering service and Web rules.

Deleting Network Objects

Note: You cannot delete a network object that is currently in use.

To delete a network object

1. In the navigation tree, expand the Network > Network Objects node.
   The Network Objects fields appear.
2. If needed, unlock the node from plan.
3. Select the Remotely manage Network Objects check box.
   The fields are enabled.
4. In the Network Objects table, select the check box next to the desired network object.
5. Click Delete.
   A confirmation message appears.
6. Click OK.
   The network object is deleted.
7. Click .

Configuring Network Service Objects

You can add custom services as network service objects. This enables you to configure various types of rules for the services represented by the network service objects.

Defining network service objects can make policies easier to understand and maintain. When a network service object is modified, the change automatically takes effect in all rules and settings that reference the network service object.


Adding and Editing Network Service Objects

To add or edit a network service object

1. In the navigation tree, expand the Network > Network Services node.
   The Service Objects fields appear.
2. If needed, unlock the node from plan.
3. Select the Remotely manage Network Services check box.
   The fields are enabled.
4. Do one of the following:
   - To add a network service object, click New.
   - To edit an existing network service object, click the number next to the desired network service object.
   The Edit Network Service Wizard opens, with the Edit Network Service Wizard: Step 1 dialog box displayed.
5. Complete the fields using the information in the table below.
6. Click Next.


   The Edit Network Service Wizard: Step 2 dialog box appears.
7. In the Name field, type a name for the network service object.
8. Click Finish.
   The network service object appears in the Service Objects table.

Table 77: Edit Network Service Object Wizard Fields

Protocol
   Select the network service's IP protocol.
   If you select Other, the Protocol Number field appears. If you select TCP or UDP, the Port Ranges field appears.

Protocol Number
   Type the number of the network service's IP protocol.


Port Ranges
   Type the network service's port or port ranges.
   Multiple ports or port ranges must be separated by commas. For example: "1000-1003,2000-2001,2005".

Deleting Network Service Objects

Note: You cannot delete a network service object that is currently in use.

To delete a network service object

1. In the navigation tree, expand the Network > Network Services node.
   The Service Objects fields appear.
2. If needed, unlock the node from plan.
3. Select the Remotely manage Network Services check box.
   The fields are enabled.
4. In the Service Objects table, select the check box next to the desired network service object.
5. Click Delete.
   A confirmation message appears.
6. Click OK.
   The network service object is deleted.
7. Click .
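As an added example (not part of this guide or of the portal's own code), the following Python helper validates the Port Ranges syntax that Table 77 describes and adds the checks a reviewer of a service object would want: a canonical merged form, the number of ports the object actually covers, and membership of a given port. The function names are this example's own.

```python
"""Parser/validator for the Port Ranges syntax of Table 77 (added example).

The guide specifies ports or port ranges separated by commas, for example
"1000-1003,2000-2001,2005". This helper, written for this page rather than
taken from the Self Provisioning Portal, enforces that syntax strictly so a
typo in a service object cannot silently widen a rule that references it.
"""
from __future__ import annotations

MIN_PORT, MAX_PORT = 1, 65535


class PortRangeError(ValueError):
    """The Port Ranges string does not follow the documented format."""


def parse_port_ranges(text: str) -> list[tuple[int, int]]:
    """Turn "p" and "a-b" items separated by commas into (low, high) pairs.

    Whitespace around an item is tolerated. Empty items, non-numeric values,
    ports outside 1-65535 and reversed ranges are rejected rather than guessed.
    """
    if not text.strip():
        raise PortRangeError("Port Ranges must not be empty")
    ranges: list[tuple[int, int]] = []
    for raw in text.split(","):
        item = raw.strip()
        if not item:
            raise PortRangeError(f"empty item in {text!r}")
        low_s, dash, high_s = item.partition("-")
        if not low_s.isdigit() or (dash and not high_s.isdigit()):
            raise PortRangeError(f"non-numeric port in {item!r}")
        low = int(low_s)
        high = int(high_s) if dash else low
        for port in (low, high):
            if not MIN_PORT <= port <= MAX_PORT:
                raise PortRangeError(f"port {port} outside {MIN_PORT}-{MAX_PORT} in {item!r}")
        if low > high:
            raise PortRangeError(f"reversed range in {item!r}")
        ranges.append((low, high))
    return ranges


def normalize(ranges: list[tuple[int, int]]) -> list[tuple[int, int]]:
    """Sort and merge overlapping or adjacent ranges into a canonical list."""
    merged: list[tuple[int, int]] = []
    for low, high in sorted(ranges):
        if merged and low <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], high))
        else:
            merged.append((low, high))
    return merged


def port_count(ranges: list[tuple[int, int]]) -> int:
    """Number of distinct ports the service object covers; large values flag over-broad services."""
    return sum(high - low + 1 for low, high in normalize(ranges))


def covers(ranges: list[tuple[int, int]], port: int) -> bool:
    """True if the service object includes the given port."""
    return any(low <= port <= high for low, high in ranges)


def format_port_ranges(ranges: list[tuple[int, int]]) -> str:
    """Render the canonical form in the guide's own syntax."""
    return ",".join(str(lo) if lo == hi else f"{lo}-{hi}" for lo, hi in normalize(ranges))


if __name__ == "__main__":
    sample = "1000-1003,2000-2001,2005"  # the guide's own example string
    parsed = parse_port_ranges(sample)
    print(parsed, "covers", port_count(parsed), "ports; canonical:", format_port_ranges(parsed))
    for bad in ("80,", "0-10", "3000-2000", "70000", "ssh"):  # constructed malformed inputs
        try:
            parse_port_ranges(bad)
        except PortRangeError as err:
            print(f"rejected {bad!r}: {err}")
```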


Configuring Static Routes

A static route is a setting that explicitly specifies the route for packets originating in a certain subnet and/or destined for a certain subnet. Packets with a source and destination that do not match any defined static route will be routed to the default gateway.

A static route can be based on the packet's destination IP address, or based on the source IP address, in which case it is a source route.

Source routing can be used, for example, for load balancing between two Internet connections. If you have an Accounting department and a Marketing department, and you want each to use a different Internet connection for outgoing traffic, you can add a static route specifying that traffic originating from the Accounting department should be sent via WAN1, and another static route specifying that traffic originating from the Marketing department should be sent via WAN2.

Adding or Editing Static Routes

To add or edit static routes

1. In the navigation tree, expand the Network > Static Routes node.
   The Static Routes fields appear.
2. If needed, unlock the node from plan.
3. Select the Remotely manage Static Routes check box.
   The fields are enabled.
4. Do one of the following:
   - To add a static route, click New.
   - To edit a static route, click the number next to the static route.


   The Edit Static Route dialog box opens.
5. Complete the fields using the information in the following table.
6. Click Finish.
   The new static route appears in the Static Routes table.
7. Click .

Table 78: Static Route Fields

Source
   Select this option to specify a source network (source routing).
   The relevant Network and Subnet Mask fields are enabled.

Source - Network
   Type the source network's IP address.


Source - Subnet Mask
   Select the source network's subnet mask.

Destination
   Select this option to specify a destination network.
   The relevant Network and Subnet Mask fields are enabled.

Destination - Network
   Type the destination network's IP address.

Destination - Subnet Mask
   Select the destination network's subnet mask.

Next Hop IP
   Type the IP address of the gateway (next hop router) to which to route all incoming packets matching this static route's criteria.

Metric
   Type the static route's metric.
   When a packet matches multiple static routes' criteria, the gateway sends the packet to the matching route with the lowest metric.
   The default value is 10.

Deleting Static Routes

To delete a static route

1. In the navigation tree, expand the Network > Static Routes node.
   The Static Routes fields appear.
2. If needed, unlock the node from plan.
3. Select the Remotely manage Static Routes check box.
   The fields are enabled.
4. Select the check box next to the desired static route.
5. Click Delete.


   A confirmation message appears.
6. Click OK.
   The static route is deleted.
7. Click .
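As an added example (not the gateway's own code), the following Python model applies the selection rule that Table 78 describes: a packet takes the lowest-metric static route whose Source and/or Destination criteria it matches, and goes to the default gateway when no route matches. It also adds a static check for equal-metric routes that can match the same packet, a case the guide leaves unspecified; all addresses are constructed sample values and the class and function names are this example's own.

```python
"""Model of how the static routes in Table 78 pick a next hop (added example).

This encodes only what the guide states: a route matches on a Source network,
a Destination network, or both; among matching routes the lowest Metric wins
(default 10); a packet matching no static route goes to the default gateway.
The guide does not say how equal-metric matches are broken, so this model
reports that ambiguity instead of guessing. Addresses are constructed samples.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional

DEFAULT_METRIC = 10  # the default Metric value stated in Table 78


class AmbiguousRoute(LookupError):
    """Two matching routes share the lowest metric but lead to different next hops."""


@dataclass(frozen=True)
class StaticRoute:
    next_hop: str                      # Next Hop IP field
    source: Optional[str] = None       # Source network in CIDR form, None when Source is not selected
    destination: Optional[str] = None  # Destination network in CIDR form, None when not selected
    metric: int = DEFAULT_METRIC

    def __post_init__(self) -> None:
        if self.source is None and self.destination is None:
            raise ValueError("a static route needs a Source and/or a Destination")
        # Validate early so a typo in the form is caught before the route is pushed to a gateway.
        ipaddress.ip_address(self.next_hop)
        for net in (self.source, self.destination):
            if net is not None:
                ipaddress.ip_network(net, strict=True)

    def matches(self, src: str, dst: str) -> bool:
        """True when the packet satisfies every criterion the route specifies."""
        if self.source is not None and ipaddress.ip_address(src) not in ipaddress.ip_network(self.source):
            return False
        if self.destination is not None and ipaddress.ip_address(dst) not in ipaddress.ip_network(self.destination):
            return False
        return True


def select_next_hop(routes: Iterable[StaticRoute], src: str, dst: str, default_gateway: str) -> str:
    """Lowest metric among matching routes, otherwise the default gateway."""
    matching = [r for r in routes if r.matches(src, dst)]
    if not matching:
        return default_gateway
    best = min(r.metric for r in matching)
    winners = {r.next_hop for r in matching if r.metric == best}
    if len(winners) > 1:
        raise AmbiguousRoute(f"metric {best} shared by routes to {sorted(winners)} for {src} -> {dst}")
    return winners.pop()


def _overlap(a: Optional[str], b: Optional[str]) -> bool:
    # A criterion that is not selected matches every packet, so it overlaps anything.
    if a is None or b is None:
        return True
    return ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))


def find_ambiguities(routes: list[StaticRoute]) -> list[tuple[StaticRoute, StaticRoute]]:
    """Static check: pairs of routes that can match the same packet with the same
    metric but different next hops. Worth running before pushing a route table."""
    found = []
    for i, a in enumerate(routes):
        for b in routes[i + 1:]:
            if (a.metric == b.metric and a.next_hop != b.next_hop
                    and _overlap(a.source, b.source) and _overlap(a.destination, b.destination)):
                found.append((a, b))
    return found


# Constructed sample table following the guide's Accounting/Marketing scenario.
ACCOUNTING_VIA_WAN1 = StaticRoute(next_hop="198.51.100.1", source="10.10.1.0/24")
MARKETING_VIA_WAN2 = StaticRoute(next_hop="203.0.113.1", source="10.10.2.0/24")
BRANCH_VIA_TUNNEL = StaticRoute(next_hop="10.10.0.254", destination="172.16.0.0/16", metric=5)
SAMPLE_ROUTES = [ACCOUNTING_VIA_WAN1, MARKETING_VIA_WAN2, BRANCH_VIA_TUNNEL]
DEFAULT_GATEWAY = "198.51.100.254"

if __name__ == "__main__":
    for src, dst in [("10.10.1.7", "192.0.2.10"), ("10.10.2.9", "192.0.2.10"),
                     ("10.10.1.7", "172.16.3.4"), ("10.10.3.1", "192.0.2.10")]:
        print(f"{src} -> {dst}: next hop {select_next_hop(SAMPLE_ROUTES, src, dst, DEFAULT_GATEWAY)}")
    print("ambiguous pairs:", find_ambiguities(SAMPLE_ROUTES))
```

Running the module prints the next hop chosen for four constructed packets, including the Accounting and Marketing source routes from the text, and confirms the sample table has no equal-metric conflicts.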


Configuring VPN Settings

If a plan specifies remote management, the following VPN settings can be configured in the plan:
- VPN servers
- VPN sites

All gateways subscribed to the plan will take these VPN settings from the plan, by default. If desired, you can override the inherited VPN settings for a specific gateway, by configuring these settings in the gateway. If DVPN is enabled in the plan, you can also configure the following additional VPN settings for a specific gateway:
- VPN authentication method
- Internal network topology


Configuring Authentication Settings

You can specify the authentication method to use when connecting to other gateways within the VPN community.

To configure authentication settings

1. In the navigation tree, click the VPN > Authentication Method node.
   The Authentication Method fields appear.
2. Complete the fields using the information in the table below.
3. Click .

Note: If the gateway is externally managed and configured to use certificate authentication, you must export the certificate and load it into the gateway manually. For information, see Exporting Gateway Certificates on page 264.

Table 79: VPN Authentication Method Fields

Authentication Method
   Select the authentication method to use when connecting to VPN sites (Certificate/Shared Secret).
   The default method is Certificate. Shared Secret is only available for externally managed gateways.
   If you select Certificate, the following fields appear:
   - Certificate Authority
   - Distinguished Name
   - Manage Certificate
   If you select Shared Secret, the Shared Secret field appears.

Certificate Authority
   Select the Certificate Authority from which the gateway should obtain a certificate. This field lists all CAs that are defined in the SMP.
   The default value is Internal_CA (the SMP internal CA).


Distinguished Name
   The gateway's Distinguished Name (DN).
   This field is read-only.

Shared Secret
   Type the shared secret to use for secure communications when connecting to VPN sites, or click to generate a random shared secret.
   The shared secret is a string, and it may contain spaces and special characters.

Revoking and Renewing Gateway Certificates

If you suspect that a gateway's private key was compromised or stolen, you must revoke the certificate and provide the gateway with a new certificate.

Note: If you delete a gateway, its certificate is automatically revoked.

To revoke and renew a gateway's certificate

1. In the navigation tree, click the VPN > Authentication Method node.
   The Authentication Method fields appear.
2. Click Manage Certificate.


   The Export Wizard opens, with the Manage Certificate dialog box displayed.
3. Click Revoke and renew the certificate.
4. Click Next.
   The gateway's certificate is revoked and listed in the CA's Revoked Certificates List. The gateway is assigned a new certificate.


   The Done dialog box appears.
5. Click Done.

Note: If the gateway is externally managed, you must export the new certificate and load it into the gateway manually. For information, see Exporting Gateway Certificates on page 264.

Warning: It may take a while until all the gateways in the VPN community know that the gateway's certificate was revoked.

Exporting Gateway Certificates

If a gateway is externally managed and uses certificate authentication, you must export the gateway's certificate and load it into the gateway manually, whenever the gateway is issued a new certificate.

To export a gateway's certificate

1. In the navigation tree, click the VPN > Authentication Method node.
   The Authentication Method fields appear.
2. Click Manage Certificate.


   The Export Wizard opens, with the Manage Certificate dialog box displayed.
3. Specify the format to which you want to export the certificate, by doing one of the following:
   - Click Export the certificate and private key (in PKCS#12 format).
   - Click Export the certificate (X.509 format).
   The following things happen:
   If you chose PKCS#12 format, the Export PKCS#12 Format dialog box appears. Do the following:
   1) In the text box, type the passphrase to use for importing the certificate.
   2) Click Next.


   The Done dialog box appears.
4. Click Save As.
   A standard File Download dialog box appears.
5. Click Save.
   The Save As dialog box appears.
6. Browse to a destination directory of your choice.
7. Type a name for the certificate and click Save.
   The certificate is exported to the specified directory.
8. Click Done.

Configuring Network Topology

If the gateway is a member of a VPN community, and you want to expose some of the networks behind this gateway to the other members of the VPN community, you must configure network topology settings for the gateway. The internal network topology is the list of internal networks or IP addresses behind this gateway, which are exposed to the virtual private network.

Note: The gateway's Internet (WAN) IP address is always an implicit member of the topology. There is therefore no need to specify this IP address in the topology, even if you want to expose it to the VPN.

You can configure the SMP to automatically populate the internal network topology with information derived from the internal network interfaces, and you can configure the internal network topology manually.

Automatically Configuring Network Topology

To automatically configure network topology settings

1. Configure each of the gateway's internal networks.
   See Configuring Network Settings on page 176.
2. In the navigation tree, click the VPN > Internal Network Topology node.
   The Internal Network Topology fields appear.
3. Select the Automatically inherit topology from internal networks check box.
   The topology of each internal network and bridge defined in the gateway is added to the encryption domain and displayed in the Internal Network Topology table.
4. Click .
5. To make changes to the internal network topology, see Manually Configuring Network Topology on page 267.

Manually Configuring Network Topology

To manually configure network topology settings

1. In the navigation tree, click the VPN > Internal Network Topology node.
   The Internal Network Topology fields appear.
2. Do the following for each network behind the gateway:
   a. Click New.


      The Internal Network Edit dialog box appears.
   b. Complete the fields using the information in the following table.
   c. Click Finish.
      The network information appears in the Manually configured networks area.
3. To edit a network's settings, click on the network's name.
   The Internal Network Edit dialog box appears.
4. To delete a network's settings, do the following:
   a. Select the check box next to the network and click Delete.
      A confirmation message appears.
   b. Click OK.
      The network's settings are deleted.
5. Click .


Table 80: Internal Network Edit Fields

Network Name
   Type the internal network's name.

Network Address
   Type the internal network's IP address.
   If you want to expose a single IP address, choose 255.255.255.255.

Network Mask
   Select the internal network's subnet mask.

Configuring VPN Server Settings

You can make the gateway's internal networks available to authorized users connecting from the Internet or from within the gateways' internal networks, by setting up the gateway as a VPN Server.

When the SecuRemote Remote Access VPN Server or SecuRemote Internal VPN Server is enabled, users can connect to the server via Check Point SecuRemote/SecureClient or via an Embedded NGX gateway in Remote Access VPN mode.

The Endpoint Connect VPN Server can be enabled in addition to one or more of the SecuRemote VPN Servers, to allow users to connect from relevant locations using an Endpoint Connect VPN Client. For example, if both the SecuRemote Remote Access VPN Server and the Endpoint Connect VPN Server are enabled, but the SecuRemote Internal VPN Server is not enabled, then users will be able to use the Endpoint Connect VPN Client to connect from the Internet but not from your internal networks. Endpoint Connect users are automatically assigned to the OfficeMode network, enabling you to configure special security rules for them.

When the L2TP (Layer 2 Tunneling Protocol) VPN Server is enabled, users can connect to the server using an L2TP client such as the Microsoft Windows L2TP IPSEC VPN Client. L2TP users are automatically assigned to the OfficeMode network, enabling you to configure special security rules for them.

SecuRemote/SecureClient supports split tunneling, which means that VPN Clients can connect directly to the Internet, while traffic to and from VPN sites passes through the VPN Server. In contrast, the L2TP VPN Client does not support split tunneling, meaning that all Internet traffic to and from a VPN Client passes through the VPN Server and is routed to the Internet.

Enabling the internal VPN Server for users connecting from internal networks adds a layer of security to such connections. For example, while you could create a firewall rule allowing a specific user on the DMZ to access the LAN, enabling VPN access for the user means that such connections can be encrypted and authenticated.

To configure VPN Server settings

1. In the navigation tree, click the VPN > VPN Server node.
   The VPN Server fields appear.
2. If needed, unlock the node from plan.
3. Select the Remotely manage VPN Server check box.
   The fields are enabled.
4. Complete the fields using the information in the table below.
5. Click .
6. If you configured the L2TP or Endpoint Connect VPN Servers, configure the OfficeMode network for the gateway(s).
   See Configuring the OfficeMode Network on page 216.
   All users connecting via L2TP or Endpoint Connect will be assigned to the OfficeMode network.
7. Configure VPN Remote Access for all users who should be allowed to connect to the VPN Server.
   See Configuring Access Permissions on page 322.

Note: If you configured the SecuRemote Internal VPN Server, the gateway administrator must install SecuRemote/SecureClient on the desired internal network computers.
If you configured the L2TP VPN Server, the gateway administrator must configure L2TP VPN Clients on the desired internal network computers.


Note: Disabling the VPN Server for a specific type of connection (from SecuRemote/SecureClient clients on the Internet, from SecuRemote/SecureClient clients on internal networks, or from L2TP clients) will cause all existing VPN tunnels of that type to disconnect.

Note: In order to allow Endpoint Connect connections, you must enable at least one of the SecuRemote VPN servers.

Table 81: VPN Server Fields

Allow remote users to connect from the Internet
   Select this option to enable the SecuRemote Remote Access VPN Server.
   The Bypass NAT and Bypass the Firewall fields appear.

Bypass NAT
   Select this option to allow authenticated users connecting from the Internet to bypass NAT when connecting to the internal network.

Bypass the Firewall
   Select this option to allow authenticated users connecting from the Internet to bypass the default firewall policy and access the internal network without restriction.
   User-defined rules will still apply to the authenticated users.

Allow remote users to connect from my internal networks
   Select this option to enable the SecuRemote Internal VPN Server.
   The Bypass NAT and Bypass the Firewall fields appear.

Bypass NAT
   This option is always enabled for the internal VPN server and cannot be disabled.

Bypass the Firewall
   Select this option to allow authenticated users connecting from internal networks to bypass the default firewall policy and access the internal network without restriction.

Allow Endpoint Connect users to connect
   Select this option to allow Endpoint Connect remote access connections from the Internet and/or from internal networks.
   This option is only available if a SecuRemote server is enabled.

Allow L2TP clients to connect
   Select this option to enable the L2TP VPN Server.
   The Preshared Secret and Bypass the Firewall fields appear.

Preshared Secret
   Type the preshared secret to use for secure communications between the L2TP clients and the VPN Server.
   The secret can contain spaces and special characters. It is used to secure L2TP connections for all users.
   In addition to entering this secret, each L2TP user will have to authenticate with a username and password.

Bypass the Firewall
   Select this option to allow authenticated users to bypass the default firewall policy and access the internal network without restriction.
   User-defined rules will still apply to the authenticated users.

Configuring VPN Sites

You can manually configure VPN sites on a gateway. The following types of sites are supported:
- Remote Access VPN Site. Establishes remote access sessions from the gateway's Remote Access VPN Client to a Remote Access VPN Server.
- Site-to-Site VPN Gateway. Creates a permanent bi-directional connection between the gateway and another Site-to-Site VPN Gateway.


Alternatively, if you add the gateway to a VPN community, it will automatically inherit the appropriate VPN security parameters and can immediately establish secure VPN sessions with other members of the community, so that there is no need to configure VPN sites on the gateway.

If you manually configure VPN sites on a gateway, and the gateway belongs to a VPN community, the manually added sites will be used in addition to the community's VPN settings.


Adding and Editing Remote Access VPN Sites

To add or edit a Remote Access VPN site

1. In the navigation tree, click the VPN > VPN Sites node.
   The VPN Sites fields appear.
2. If needed, unlock the node from plan.
3. Select the Remotely manage VPN Sites check box.
   The fields are enabled.
4. Do one of the following:
   • To add a new Remote Access VPN site, click New.
   • To edit an existing Remote Access VPN site, click the number next to the VPN site.
   The Edit VPN Site Wizard opens, with the Select the type of site to establish dialog box displayed.
5. Select Remote Access VPN.
6. Click Next.


   The VPN Site Gateway Address dialog box appears.
7. In the VPN Gateway field, enter the IP address of the Remote Access VPN Server to which you want to connect.
8. To allow the VPN site to bypass the default firewall policy and access the gateway's internal network without restriction, select the Bypass default firewall policy check box.
   User-defined rules will still apply to the VPN site.
9. Click Next.


   The VPN Site Network Configuration dialog box appears.
10. Specify how the gateway should obtain the VPN network configuration.
    Refer to VPN Network Configuration Fields on page 280.
11. Click Next.
    The following things happen in the order below:


    • If you chose Specify Configuration, a second VPN Network Configuration dialog box appears.
      Complete the fields using the information in VPN Network Configuration Fields on page 280 and click Next.
    • The Authentication Method dialog box appears.
12. Complete the fields using the information in Authentication Methods Fields on page 281.


13. Click Next.
    The following things happen in the order below:
    • If you selected Username and Password, the VPN Login dialog box appears.
      Complete the fields using the information in VPN Login Fields on page 282 and click Next.
    • The Site Name dialog box appears.


14. Enter a name for the VPN site.
    You may choose any name.
15. Click Next.
    The VPN Site Done screen appears.
16. Click Finish.
    The VPN site appears in the VPN Sites table.
17. Click .


Table 82: VPN Network Configuration Fields

In this field…    Do this…

Download Configuration
    Click this option to specify that the gateway should obtain the network configuration by downloading it from the VPN site.
    This option will automatically configure the gateway's VPN settings, by downloading the network topology definition from the Remote Access VPN Server.
    Note: Downloading the network configuration is only possible when connecting to a Check Point VPN-1 or Embedded NGX Site-to-Site VPN Gateway.

Specify Configuration
    Click this option to provide the network configuration manually.

Route All Traffic
    Click this option to route all network traffic through the VPN site.
    For example, if the VPN consists of a central office and a number of remote offices, and the remote offices are only allowed to access Internet resources through the central office, you can choose to route all traffic from the remote offices through the central office.
    Note: You can only configure one VPN site to route all traffic.

Route Based VPN
    Click this option to create a virtual tunnel interface (VTI) for this site, so that it can participate in a route-based VPN.
    Route-based VPNs allow routing connections over VPN tunnels, so that remote VPN sites can participate in dynamic or static routing schemes. This improves network and VPN management efficiency for large networks.
    For constantly changing networks, it is recommended to use a route-based VPN combined with OSPF dynamic routing. This enables making frequent changes to the network topology, such as adding an internal network, without having to reconfigure static routes.
    OSPF is enabled using CLI. For information on using CLI, see Using CLI Scripts on page 44.
    This option is only available when configuring a Site-to-Site VPN gateway.

Destination network
    Type up to three destination network addresses at the VPN site.

Subnet mask
    Select the subnet masks for the destination network addresses.

Backup Gateway
    Type the IP address of the backup gateway on the server site (if relevant).

Table 83: Authentication Methods Fields

In this field…    Do this…

Username and Password
    Select this option to use a user name and password for VPN authentication.
    In the next step, you can specify whether the gateway should log in to the VPN site automatically or manually.

Certificate
    Select this option to use a certificate for VPN authentication.


RSA SecurID Token
    Select this option to use an RSA SecurID token for VPN authentication.
    When authenticating to the VPN site, the user must enter a four-digit PIN code and the SecurID passcode shown in the SecurID token's display. The RSA SecurID token generates a new passcode every minute.
    SecurID is only supported in Remote Access manual login mode.

Table 84: VPN Login Fields

In this field…    Do this…

Manual Login
    Click this option to configure the site for Manual Login.
    Manual Login connects only the computer that the user is currently logged into to the VPN site, and only when the appropriate user name and password have been entered.

Automatic Login
    Click this option to enable the gateway to log in to the VPN site automatically.
    You must then fill in the Username and Password fields.
    Automatic Login provides all the computers on the internal network with constant access to the VPN site.

Username
    Type the user name to use for logging in to the VPN site.

Password
    Type the password to use for logging in to the VPN site.

Adding and Editing Site-to-Site VPN Gateways

To add or edit a Site-to-Site VPN gateway

1. In the navigation tree, click the VPN > VPN Sites node.
   The VPN Sites fields appear.


2. If needed, unlock the node from plan.
3. Select the Remotely manage VPN Sites check box.
   The fields are enabled.
4. Do one of the following:
   • To add a new Site-to-Site VPN site, click New.
   • To edit an existing Site-to-Site VPN site, click the number next to the VPN site.
   The Edit VPN Site Wizard opens, with the Select the type of site to establish dialog box displayed.
5. Select Site-to-Site VPN.


   The VPN Gateway Address dialog box appears.
6. Complete the fields using the information in VPN Gateway Address Fields on page 294.
7. Click Next.
   The VPN Network Configuration dialog box appears.


8. Specify how the gateway should obtain the VPN network configuration.
   Refer to VPN Network Configuration Fields on page 280.
9. Click Next.
   • If you chose Specify Configuration, a second VPN Network Configuration dialog box appears.
     Complete the fields using the information in VPN Network Configuration Fields on page 280, and then click Next.


   • If you chose Route Based VPN, the Route Based VPN dialog box appears.
     Complete the fields using the information in Route Based VPN Fields on page 294, and then click Next.
   The Authentication Method dialog box appears.
10. Complete the fields using the information in Authentication Methods Fields on page 295.


11. Click Next.

Shared Secret Authentication Method

If you selected Shared Secret, the Authentication dialog box appears.
If you chose Download Configuration, the dialog box contains additional fields.


1. Complete the fields using the information in VPN Authentication Fields on page 295 and click Next.
   The Security Methods dialog box appears.
2. Complete the fields using the information in Security Methods Fields on page 295.
3. Click Next.


   The VPN Site Name dialog box appears.
4. Type a name for the VPN site.
   You may choose any name.
5. To keep the tunnel to the VPN site alive even if there is no network traffic between the gateway and the VPN site, select Keep this site alive.
6. Click Next.


   If you selected Keep this site alive, and previously you chose Download Configuration, the Keep Alive Configuration dialog box appears.
   Do the following:
   1) Type up to three IP addresses which the gateway should ping in order to keep the tunnel to the VPN site alive.
   2) Click Next.
   The VPN Site Done screen appears.
7. Click Finish.
   The VPN site appears in the VPN Sites table.

Certificate Authentication Method

If you selected Certificate, the following things happen:


• If you chose Download Configuration, the Authentication dialog box appears.
  Complete the fields using the information in VPN Authentication Fields on page 295 and click Next.
• The Security Methods dialog box appears.
1. Complete the fields using the information in Security Methods Fields on page 295.


2. Click Next.
   The VPN Site Name dialog box appears.
3. Enter a name for the VPN site.
   You may choose any name.
4. To keep the tunnel to the VPN site alive even if there is no network traffic between the gateway and the VPN site, select Keep this site alive.
5. Click Next.


   If you selected Keep this site alive, and previously you chose Download Configuration, the Keep Alive Configuration dialog box appears.
   Do the following:
   1) Type up to three IP addresses which the gateway should ping in order to keep the tunnel to the VPN site alive.
   2) Click Next.
   The VPN Site Done screen appears.
6. Click Finish.
   The VPN site appears in the VPN Sites table.


Table 85: VPN Gateway Address Fields

In this field…    Do this…

Gateway Address
    Type the IP address of the Site-to-Site VPN Gateway to which the gateway should connect.

Bypass NAT
    Select this option to allow the VPN site to bypass NAT when connecting to the gateway's internal network.
    This option is selected by default.

Bypass default firewall policy
    Select this option to allow the VPN site to bypass the default firewall policy and access the gateway's internal network without restriction.
    User-defined rules will still apply to the VPN site.

Table 86: Route Based VPN Fields

In this field…    Do this…

Tunnel Local IP
    Type a local IP address for the local end of the VPN tunnel.

Tunnel Remote IP
    Type the IP address of the remote end of the VPN tunnel.

OSPF Cost
    Type the cost of this link for dynamic routing purposes.
    The default value is 10.
    If OSPF is not enabled, this setting is not used. OSPF is enabled using the command line interface (CLI). For information on using CLI, see Using CLI Scripts on page 44.
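The review below is an added example written for this guide, not Check Point's portal code. It models a Site-to-Site VPN site with the field names of Table 85 and of the Authentication Methods, VPN Authentication and Security Methods fields on the following pages (Tables 87 to 89), reports the settings that widen what the remote site may reach or that fall outside the defaults those tables state (Phase-1 lifetime 1440 minutes, Phase-2 lifetime 3600 seconds, PFS disabled), and shows the same site brought back to those defaults. The `SiteToSiteVpn` class, its field defaults, the `review_site` and `harden_site` helpers, the sample site and the `"Group 5"` value are this example's own assumptions. Enabling PFS in `harden_site` is this example's choice; the guide recommends PFS only where extreme security is required, so the checker itself only reports that PFS is off.

```python
from __future__ import annotations

from dataclasses import dataclass, replace

# Defaults stated in the Security Methods fields (Table 89) of the guide.
PHASE1_DEFAULT_MINUTES = 1440   # IKE Phase-1 SA lifetime (one day)
PHASE2_DEFAULT_SECONDS = 3600   # IKE Phase-2 (IPSec) SA lifetime (one hour)


@dataclass(frozen=True)
class SiteToSiteVpn:
    """One Site-to-Site VPN site, using the field names of Tables 85, 87, 88 and 89.
    The class and its defaults are this example's own modelling, not a portal API."""
    name: str
    bypass_nat: bool = True                 # selected by default (Table 85)
    bypass_default_firewall: bool = False   # Table 85
    auth_method: str = "Shared Secret"      # or "Certificate" (Table 87)
    shared_secret: str = ""                 # Table 88; only used with "Shared Secret"
    phase1_methods: str = "Automatic"       # Table 89, Phase 1 Security Methods
    phase1_dh_group: str = "Automatic"
    phase1_renegotiate_minutes: int = PHASE1_DEFAULT_MINUTES
    phase2_methods: str = "Automatic"       # Table 89, Phase 2 Security Methods
    pfs_enabled: bool = False               # Disabled is the default
    phase2_dh_group: str = "Automatic"      # the field is only enabled when PFS is Enabled
    phase2_renegotiate_seconds: int = PHASE2_DEFAULT_SECONDS


def review_site(site: SiteToSiteVpn) -> list[str]:
    """Return the settings that widen access or sit outside the guide's defaults.
    An empty list means there is nothing to report."""
    findings: list[str] = []
    if site.bypass_default_firewall:
        findings.append("Bypass default firewall policy is selected: the remote site reaches the "
                        "internal network without restriction (only user-defined rules still apply)")
    if site.auth_method == "Shared Secret" and not site.shared_secret.strip():
        findings.append("Shared Secret authentication selected but no shared secret entered")
    if site.phase1_renegotiate_minutes > PHASE1_DEFAULT_MINUTES:
        findings.append(f"Phase 1 renegotiate interval {site.phase1_renegotiate_minutes} min "
                        f"exceeds the default of {PHASE1_DEFAULT_MINUTES} min")
    if not site.pfs_enabled:
        findings.append("Perfect Forward Secrecy is disabled (the default): Phase 2 keys are not "
                        "renewed with a fresh Diffie-Hellman exchange")
        if site.phase2_dh_group != "Automatic":
            # Table 89: the Phase 2 Diffie-Hellman group field is only enabled with PFS.
            findings.append(f"Phase 2 Diffie-Hellman group {site.phase2_dh_group!r} has no effect "
                            "while PFS is disabled")
    if site.phase2_renegotiate_seconds > PHASE2_DEFAULT_SECONDS:
        findings.append(f"Phase 2 renegotiate interval {site.phase2_renegotiate_seconds} s "
                        f"exceeds the default of {PHASE2_DEFAULT_SECONDS} s")
    return findings


def harden_site(site: SiteToSiteVpn) -> SiteToSiteVpn:
    """Return a copy with the reviewable settings back at the guide's defaults and PFS
    enabled (this example's choice). The shared secret is left for the administrator."""
    return replace(
        site,
        bypass_default_firewall=False,
        phase1_renegotiate_minutes=min(site.phase1_renegotiate_minutes, PHASE1_DEFAULT_MINUTES),
        pfs_enabled=True,
        phase2_renegotiate_seconds=min(site.phase2_renegotiate_seconds, PHASE2_DEFAULT_SECONDS),
    )


# Constructed sample: a branch site whose settings drifted away from the defaults.
BRANCH = SiteToSiteVpn(
    name="branch-office",
    bypass_default_firewall=True,
    shared_secret="example shared secret",   # constructed placeholder value
    phase1_renegotiate_minutes=4320,
    phase2_dh_group="Group 5",               # constructed; ignored while PFS is off
    phase2_renegotiate_seconds=86400,
)

if __name__ == "__main__":
    for finding in review_site(BRANCH):
        print("-", finding)
    print("after hardening:", review_site(harden_site(BRANCH)))
```

Run on the constructed branch site, the review lists five findings; after `harden_site` it lists none, because the secret is present, PFS is on (so the chosen group now takes effect) and both lifetimes are back at their defaults.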


Table 87: Authentication Methods Fields

In this field…    Do this…

Shared Secret
    Select this option to use a shared secret for VPN authentication.
    A shared secret is a string used to identify VPN sites to each other.

Certificate
    Select this option to use a certificate for VPN authentication.

Table 88: VPN Authentication Fields

In this field…    Do this…

Topology User
    Type the topology user's user name.

Topology Password
    Type the topology user's password.

Use Shared Secret
    Type the shared secret to use for secure communications with the VPN site.
    This shared secret is a string used to identify the VPN sites to each other.
    The secret can contain spaces and special characters.

Table 89: Security Methods Fields

In this field…    Do this…

Phase 1

Security Methods
    Select the encryption and integrity algorithm to use for IKE negotiations:
    • Automatic. The gateway automatically selects the best security methods supported by the site. This is the default.
    • A specific algorithm


Diffie-Hellman group
    Select the Diffie-Hellman group to use:
    • Automatic. The gateway automatically selects a group. This is the default.
    • A specific group
    A group with more bits ensures a stronger key but lowers performance.

Renegotiate every
    Type the interval in minutes between IKE Phase-1 key negotiations. This is the IKE Phase-1 SA lifetime.
    A shorter interval ensures higher security, but impacts heavily on performance. Therefore, it is recommended to keep the SA lifetime around its default value.
    The default value is 1440 minutes (one day).

Phase 2

Security Methods
    Select the encryption and integrity algorithm to use for VPN traffic:
    • Automatic. The gateway automatically selects the best security methods supported by the site. This is the default.
    • A specific algorithm

Perfect Forward Secrecy
    Specify whether to enable Perfect Forward Secrecy (PFS), by selecting one of the following:
    • Enabled. PFS is enabled. The Diffie-Hellman group field is enabled.
    • Disabled. PFS is disabled. This is the default.
    Enabling PFS will generate a new Diffie-Hellman key during IKE Phase 2 and renew the key for each key exchange.
    PFS increases security but lowers performance. It is recommended to enable PFS only in situations where extreme security is required.


Diffie-Hellman group
    Select the Diffie-Hellman group to use:
    • Automatic. The gateway automatically selects a group. This is the default.
    • A specific group
    A group with more bits ensures a stronger key but lowers performance.

Renegotiate every
    Type the interval in seconds between IPSec SA key negotiations. This is the IKE Phase-2 SA lifetime.
    A shorter interval ensures higher security.
    The default value is 3600 seconds (one hour).

Deleting VPN Sites

Note: You cannot delete a VPN site that is currently in use.

To delete a VPN site

1. In the navigation tree, click the VPN > VPN Sites node.
   The VPN Sites fields appear.
2. If needed, unlock the node from plan.
3. Select the Remotely manage VPN Sites check box.
   The fields are enabled.
4. Select the check box next to the desired VPN site.
5. Click Delete.
   A confirmation message appears.
6. Click OK.
   The VPN site is deleted.


7. Click .

Configuring DNS Settings

If a plan specifies Dynamic DNS, mail server settings can be configured in the plan; all gateways subscribed to the plan will take the mail server settings from the plan, by default. If desired, you can override the inherited mail server settings for a specific gateway, by configuring these settings in the gateway.

You can also assign specific gateways up to three additional names (DNS aliases). The DNS service maps these aliases to the gateway device's IP address.

Note: The DDNS service resolves the Internet IP address of the Embedded NGX gateway. If, for example, a public Web server resides behind the gateway, you must create Allow and Forward rules from the gateway's IP address to the Web server. For information, see Configuring Security Settings on page 52.

Configuring Mail Server Settings

To configure Mail Server settings

1. In the navigation tree, click the DNS > Mail Servers node.
   The Mail Servers fields appear.
2. If needed, unlock the node from plan.
3. Complete the fields using the information in the table below.
4. Click .

Table 90: Mail Servers Fields

In this field…    Do this…    For Example…

Primary
    Do this: Type the name of the primary mail server.
    This server will handle all mail sent to addresses ending in "@<name>.<domain suffix>", where <name> is the gateway's primary name or alias.
    For example: If a gateway is named johnsmith, and "mail1.isp.com" is the primary mail server, then the server "mail1.isp.com" will handle all mail sent to addresses ending in "@johnsmith.mycompany.com".

Backup
    Do this: Type the name of the backup mail server.
    In the event that the primary mail server fails, the backup server will handle all mail sent to addresses ending in "@<name>.<domain suffix>", where <name> is the gateway's primary name or alias.
    For example: mail2.isp.com

Configuring Domain Names

To configure Domain Names

1. In the navigation tree, click the DNS > Domain Names node.


   The Domain Names fields appear.
   The Primary field displays the primary domain name of the gateway.
   The gateway's primary domain name is composed of the gateway's name followed by the domain suffix. For example, if the gateway's name is "johnsmith", and the SMP's domain suffix is "mycompany.com", the gateway's primary domain name will be "johnsmith.mycompany.com".
2. To add an alias for the gateway, do the following:
   a. Click New.


      A field appears.
   b. Type the desired alias in the field.
      The alias can have multiple parts separated by periods.
      The gateway will be assigned a domain name composed of the alias followed by the domain suffix. For example, if the gateway's alias is "www", and the SMP's domain suffix is "mycompany.com", the gateway's domain name will be "www.mycompany.com".
3. To delete an alias, do the following:
   a. Select the desired alias.
   b. Click Delete.
      A confirmation message appears.
   c. Click OK.
4. Click .

Configuring Reporting Settings

Reporting settings can be configured in the plan.


All gateways subscribed to the plan will take these settings from the plan, by default. If desired, you can override the inherited Reporting settings for a specific gateway, by configuring these settings in the gateway.

To configure reporting

1. In the navigation tree, click the Reporting node.
   The Reporting fields appear.
2. If needed, unlock the node from plan.
3. To generate periodic security reports for the gateway and automatically email them to the gateway's owner, select the Mail scheduled report for this gateway check box.
4. To store historic security reports for the gateway, select the Keep historic reports check box.
   If this option is not enabled, SMP will store only the latest security report for this gateway.
5. Click .

Note: In order to store historic reports, you must also configure historic report settings for the SMP virtual portal. See Configuring Historic Report Settings.

Configuring Internal Gateway User Settings

If a plan specifies remote management, the following internal user settings can be configured in the plan.

All gateways subscribed to the plan will take these internal user settings from the plan, by default. If desired, you can override the inherited internal user settings for a specific gateway, by configuring these settings in the gateway.

Note: The admin user is created by default and must be assigned a password before saving the gateway or plan.


Adding and Editing Internal Users

To add or edit a user

1. In the navigation tree, click the Internal Users node.
   The Internal Users fields appear.
2. If needed, unlock the node from plan.
3. Select the Remotely manage Internal Users check box.
   The fields are enabled.
4. Do one of the following:
   • To create a new user, click New.
   • To edit an existing user, click the number next to the user, or click the user's username.
   The Edit Internal User Wizard opens displaying the Edit Internal User Wizard: Step 1 dialog box.
5. Complete the fields using the information in Set User Details Fields on page 304.
6. Click Next.


   The Edit Internal User Wizard: Step 2 dialog box appears.
7. Complete the fields using the information in Set User Permission Fields on page 305.
8. Click Finish.
   The user appears in the Internal Users table.

Table 91: Set User Details Fields

In this field…    Do this…

Username
    Enter a username for the user.

Password
    Enter a password for the user. Use five to 25 characters (letters or numbers) for the new password.

Confirm Password
    Re-enter the user's password.

Expires On
    To specify an expiration time for the user, select the expiration date and time using the drop-down lists provided.
    When the user account expires, it is locked, and the user can no longer log in to the Embedded NGX gateway.
    If you do not specify a date and time, the user will never expire.

Table 92: Set User Permissions Fields

In this field...    Do this...

Administrator Level
    Select the user's level of access to the local management portal.
    The levels are:
    • No Access: The user cannot access the local management portal.
    • Read Only: The user can log in to the local management portal, but cannot modify system settings or export the gateway configuration. For example, you could assign this administrator level to technical support personnel who need to view the Event Log.
    • Read/Write: The user can log in to the local management portal and modify system settings.
    The default level is No Access.
    The "admin" user's Administrator Level (Read/Write) cannot be changed.

UFP Override
    Select this option to allow the user to override the Web Filtering service and Web rules.

VPN Access
    Select this option to allow the user to connect to this Embedded NGX gateway using their VPN client.

HotSpot Access
    Select this option to allow the user to log in to the My HotSpot page.


RDP Access
    Select this option to allow the user to log in to the my.firewall portal, view the Active Computers page, and remotely access computers' desktops, using the Remote Desktop feature.
    Note: The user can perform these actions, even if their level of administrative access is "No Access".

Network Access
    Select this option to allow the user to connect to this Embedded NGX gateway via a wireless client or by connecting to the gateway's ports, when the Embedded NGX EAP authenticator is used.

Users Manager
    Select this option to allow the user to log in to the local management portal and add, edit, or delete "No Access"-level users, but not modify other system settings.
    For example, you could assign this administrator level to clerks who need to manage HotSpot users.

Deleting Internal Users

Note: You cannot delete the admin user.

To delete an internal user

1. In the navigation tree, click the Internal Users node.
   The Internal Users fields appear.
2. If needed, unlock the node from plan.
3. Select the Remotely manage Internal Users check box.
   The fields are enabled.
4. In the Internal Users table, select the check box next to the desired user.
5. Click Delete.
   A confirmation message appears.


6. Click OK.
   The user is deleted.
7. Click .

Configuring Custom Fields

If custom gateway fields are defined for the portal, you can configure the custom fields as described in the following procedure.

To configure custom fields

1. In the navigation tree, click the Custom Fields node.
   The Custom Fields fields appear.
2. Complete the fields.
3. Click .
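The check below is an added example, not portal code, for the internal user rules stated in Tables 91 and 92 above: a password of five to 25 letters or numbers, a Confirm Password that must match, an account that is locked once its Expires On time has passed (and never locks when no time is set), a default Administrator Level of No Access, and the admin user's Read/Write level that cannot be changed. The `InternalUser` record, the `validate_user` and `is_locked` helpers and the sample users and dates are this example's own assumptions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Rules stated in Tables 91 and 92 of the guide.
PASSWORD_RE = re.compile(r"[A-Za-z0-9]{5,25}")            # five to 25 letters or numbers
ADMIN_LEVELS = ("No Access", "Read Only", "Read/Write")  # the default is No Access


@dataclass
class InternalUser:
    """Hypothetical record for one internal gateway user (this example's own model)."""
    username: str
    password: str
    confirm_password: str
    expires_on: Optional[datetime] = None   # None: the user never expires
    administrator_level: str = "No Access"


def validate_user(user: InternalUser) -> list[str]:
    """Return the problems that would stop this user from being saved; empty means valid."""
    problems: list[str] = []
    if not user.username.strip():
        problems.append("Username is required")
    if PASSWORD_RE.fullmatch(user.password) is None:
        problems.append("Password must be five to 25 characters, letters or numbers only")
    if user.confirm_password != user.password:
        problems.append("Confirm Password does not match Password")
    if user.administrator_level not in ADMIN_LEVELS:
        problems.append(f"Unknown Administrator Level {user.administrator_level!r}")
    elif user.username == "admin" and user.administrator_level != "Read/Write":
        problems.append("The admin user's Administrator Level (Read/Write) cannot be changed")
    return problems


def is_locked(user: InternalUser, now: datetime) -> bool:
    """A user whose Expires On time has passed is locked and can no longer log in;
    a user without an expiration time never locks."""
    return user.expires_on is not None and now >= user.expires_on


# Constructed sample records and instants (not real accounts).
CLERK = InternalUser("clerk", "hotspot2012", "hotspot2012",
                     expires_on=datetime(2012, 12, 31, 23, 59))
ADMIN_DOWNGRADE = InternalUser("admin", "shor", "sh0rt", administrator_level="Read Only")
BEFORE_EXPIRY = datetime(2012, 6, 1)
AFTER_EXPIRY = datetime(2013, 1, 1)

if __name__ == "__main__":
    print(validate_user(CLERK))
    print(validate_user(ADMIN_DOWNGRADE))
    print(is_locked(CLERK, BEFORE_EXPIRY), is_locked(CLERK, AFTER_EXPIRY))
```

`validate_user` collects every violation instead of stopping at the first, so an operator editing a user sees all of the fields that need attention at once; the level check for `admin` is only applied when the level itself is a known value.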


Viewing Gateway Owner Information

To view gateway owner information

1. In the navigation tree, click the Owner node.
   The Owner fields appear with your details.
2. To view your user account settings, click the user ID.

If historic reports are enabled for the gateway, you can view a list of historic security reports stored for it.
For information on enabling historic reports, see Configuring Historic Report Settings.

To view a gateway's historic reports

1. In the Main > Gateways > Edit page, in the navigation tree, click the Reporting > Security Reports node.


   The Security Reports fields appear listing the stored security reports for the gateway.
   The most recent report is marked as "Last".
   Information is displayed for each report, as described in the following table.
2. To view an individual report, click View in the desired report's row.

Table 93: Historic Reports Fields

This column...    Displays…    For example…

Generation Date
    The date on which the report was generated.
    For example: Dec 1 2009

Start Date
    The starting date of the period for which the report was generated.
    For example: Sept 1 2009

End Date
    The ending date of the period for which the report was generated.
    For example: Nov 31 2009

Automatic
    An indication of whether the report was automatically generated.

Resetting Individual Nodes to Default Settings

When working with a plan or a gateway, you can reset individual nodes to the default state of a new plan or gateway. For example, if you reset the QoS Classes node to defaults, any additional classes you defined in Traffic Shaper will be deleted, and the four predefined classes will be restored to their default settings as specified in Predefined QoS Classes on page 237.

Note: This option is not available for some nodes.

Note: You cannot reset a node to its default settings if it contains objects that are currently in use. For example, if a user-defined QoS class is currently used by a rule, you cannot reset the QoS Classes node to defaults.

To reset a node to its default settings

1. Expand the nodes in the navigation tree to display the desired node.
2. Right-click on the node, and click Reset to defaults.
   The node's settings are reset.

Viewing Gateway Statuses

You can view a gateway's current status, including:
• The firmware version and product key currently installed on the gateway
• The gateway's connection details and status
• The gateway's last configuration update
• The expiration date of the gateway's certificate


To view a gateway's status

• In the navigation tree, click the Status node.
  The Status fields appear.
  For information on each field, see the following table.

Table 94: Gateways Status Fields

This field    Displays

Created
    The date and time at which the gateway was added to the SMP

Last Modified
    The time and date that the gateway was last modified

First Connection
    The date and time that the gateway first connected to the SMP

Last Connection Day
    The date that the gateway last connected to the SMP

Reported IP Address
    The IP address that the gateway used when it last connected to the SMS.

Reported Firmware Version
    The firmware version installed on the gateway, when the gateway last connected to the SMS.

Reported DSL Firmware Version
    The DSL firmware version installed on the gateway, when the gateway last connected to the SMS.

Reported Hardware Version
    The version of the gateway's hardware

Reported Product Key
    The product key installed on the gateway, when the gateway last connected to the SMS

Reported VStream Main Version
    The VStream Antivirus main database version installed on the gateway, when the gateway last connected to the SMS.

Reported VStream Daily Version
    The VStream Antivirus daily database version installed on the gateway, when the gateway last connected to the SMS.


Connection Status
    The status of the gateway's connection to the SMP (Connected/Not Connected)

Connection Start Time
    The time and date at which the current session started.
    This field appears only when the gateway is connected to the SMP.

Last Update Time
    The time and date when the gateway status last changed.
    This field appears only when the gateway is connected to the SMP.

Current Server
    The server name and group to which the gateway is connected.
    This field appears only when the gateway is connected to the SMP.

Connection Address
    The current IP address and port of the gateway.
    This information only appears if the gateway is currently connected.

In Download
    If the gateway is in the process of downloading from the SMP, this attribute indicates the percent downloaded.
    This field appears only when the gateway is connected to the SMP.

Gateway Local Time
    The local time and date on the gateway.
    This field appears only when the gateway is connected to the SMP.


Performing Vulnerability Scans on Gateways

If a gateway's plan includes the Vulnerability Scanning service, you can scan the gateway for security vulnerabilities.

To perform a vulnerability scan for the gateway

1. In the navigation tree, click the Vulnerability Scanning > Hosts node.
   The Hosts to Scan fields appear listing the computers that will be scanned.
2. Specify which computers should be scanned, by doing the following:
   • To add a computer to the list of computers that should be scanned:
     1) Click New.
        A new field appears.
     2) In the field, type the desired computer's IP address or DNS name, or type the desired gateway's ID.
   • To remove a computer from the list:
     1) Select the check box next to the desired computer.
     2) Click Delete.
        A confirmation message appears.
     3) Click OK.
        The computer is deleted from the list.
3. Click .
4. In the navigation tree, click the Vulnerability Scanning node.
   The Vulnerability Report fields appear.
5. Click Scan Now.
   Gateway scanning and report generation starts.
   Note: Scanning and report generation may take several minutes.
   The Status field displays "Generating".
   When report generation is complete, the following things happen:
   • The Scanning Status field displays "Idle".
   • The Last Report field displays the date for which the report was generated.


For information on viewing and mailing the report, see Viewing Gateway Vulnerability Reports on page 343.


Chapter 4
Managing Your User Account

This chapter explains how to manage your user account.

This chapter includes the following topics:
Viewing and Editing Users ....................................................................... 317
Configuring User Account Expiration ...................................................... 320
Configuring Contact Details ..................................................................... 321
Configuring Community Memberships .................................................... 322
Configuring Access Permissions .............................................................. 322
Configuring Custom Fields ...................................................................... 326
Viewing User Statuses .............................................................................. 326

Viewing and Editing Users

You can view and edit your details.

To view or edit your details

1. In the SPP menu, click My Account.
   The My Account page appears with the General node selected.
2. To view additional user account settings, in the navigation tree, expand and click on the relevant nodes.
3. To edit your details, do the following:
   a. Edit the desired fields using the information in the following table.
   b. To configure your password, do the following:
      Note: You can use this password to do the following:
      • Access the SPP.
      • Perform various actions for which you are granted permissions in the Permissions node.
      For information on assigning access permissions, see Configuring Access Permissions on page 322.
      1) Next to the Password field, click Change.
         The Change Password dialog box opens.
      2) To generate a random password, click Random.
      3) To set a password of your choice, type a password in the New Password and Confirm Password fields and click OK.
         The password may be composed of letters and numbers only. The maximum password length is 25 characters.
      4) Click OK.
   c. Click .
      If configured to do so, the SMP sends you an email notification, informing you of changes to your email address.
   d. You can configure additional user account settings as desired, by doing one or more of the following:
      • To configure the user account expiration date, see Configuring User Account Expiration on page 320.
      • To configure contact details, see Configuring Contact Details on page 321.
      • To configure community membership, see Configuring Community Memberships on page 322.
      • To configure access permissions, see Configuring Access Permissions on page 322.
      • To configure custom fields, see Configuring Custom Fields.
      All user account settings are edited in the relevant nodes of the My Account page.

Chapter 4: Managing Your User Account 317


Table 95: User Details Fields

In this field… / Do this… / For example…

First Name: Type your first name. (For example: John)
Last Name: Type your last name. (For example: Smith)
Title: Type your title. (For example: CEO)
Company: Type your company. (For example: My Company)
Email: Type your main email address. (For example: johns@mycompany.com)
Additional Emails: Type your additional email addresses, in the format: @;@;... (addresses separated by semicolons). (For example: johns@homeisp;johnsmith@office)
Role: Select your role. (For example: Power User)
Password: You can change the password by clicking Change, as described in Viewing and Editing Users. The user can use this password to do the following:
   • Access the SPP.
   • Perform various actions for which you are granted permissions in the Permissions node.
   For information on assigning access permissions, see Configuring Users' Access Permissions on page 322.
Description: Type a description of yourself.


Configuring User Account Expiration

To configure your user account's expiration

1. In the navigation tree, click the Expiration node.
   The Expiration fields appear.
2. Select the User will expire in check box.
   Additional fields appear.
3. Complete the fields using the information in the table below.
4. Click .

Table 96: Expiration Fields

In this field… / Do this... / For example…

User will expire in: Type the number of months that the user account should be valid. (For example: 12)

Start From: Specify when the user account starts, by clicking one of the following:
   First Login. Sets the user account's starting date to the first time that the user logs in to the gateway or the SMP.
   Specified date. Sets the user account's starting date to a specific date. The Specified date field appears and you must fill it in.
   (For example: Specified date)

Specified date: Click in the field, and then do one of the following:
   Type the date on which the user account should start, in the format DD/MM/YYYY.
   Click on the desired user account start date in the calendar that appears.
   Click Start Now to specify that the user account should start immediately.
   (For example: 05/07/2009)

Expires On: The expiration date of the user account. If the expiration date has passed, this field changes to "Expired On", and it appears in red. This field is read-only. It is filled in and calculated based on the time limit and the starting date. (For example: July 5, 2009)

First Login: The date on which the user account first logged on to the gateway or to the SMP. This field is read-only. (For example: August 01, 2009)

Configuring Contact Details

To configure contact details

1. In the navigation tree, click the Contact node.
   The Contact fields appear.
2. Complete the fields using the information in the following table.
3. Click .


Table 97: User Contact Fields

In this field… / Do this… / For example…

Phone: Type the telephone number.
Mobile: Type the mobile telephone number.
Fax: Type the fax number.
Mailing Address: Type the address (street and building number). (For example: 37 Company St.)
Country: Type the country. (For example: USA)
State: Type the state. (For example: New York)
ZIP Code: Type the zip code. (For example: 12345)

Configuring Community Memberships

You can become a member of communities for which User Authentication is configured.

To configure community memberships

1. In the navigation tree, click the My Communities node.
   The My Communities fields appear, displaying a list of communities with User Authentication.
2. Select the communities to which you should belong.
3. Click .

Configuring Access Permissions

You can grant the following permissions:


   Web Filtering override permissions
   VPN client connection permissions
   Secure HotSpot access permissions
   Remote Desktop access permissions
   Administrative permissions in the my.firewall portal of the user's own gateways and other gateways in the community

To configure access permissions

1. In the navigation tree, click the Permissions node.
   The Permissions fields appear.
2. Complete the fields using the information in the table below.
3. Click .

Table 98: User Access Fields

In this field… / Do this… / For example…

General Permissions

Access gateways using VPN client: Select this option to allow connecting to all gateways in the community using SecuRemote or SecureClient.
   Note: The gateway must be centrally managed, and the community must have user authentication enabled and Dynamic VPN defined.

Override Web Filtering: Select this option to allow overriding Web Filtering in all of your gateways.
   Note: The user must belong to a community.

Connect to HotSpot: Select this option to allow logging in to the My HotSpot page from networks for which Secure HotSpot is enabled, in all of your gateways.
   For information about enabling and configuring Secure HotSpot for a gateway, see Configuring Secure HotSpot on page 65.

Remote Desktop Access: Select this option to allow logging in to the my.firewall portal, viewing the Active Computers page, and remotely accessing computers' desktops, using the Remote Desktop feature.
   Note: These actions can be performed even if your level of administrative access is "No Access".
   For information about enabling and configuring Remote Desktop for a gateway, see Configuring Remote Desktop Settings on page 47.

Users Manager: Select this option to allow logging in to the my.firewall portal and adding, editing, or deleting users whose access level to gateways is "None" (see the Access gateways via my.firewall area), but not modifying other system settings.
   For example, this administrator level is suitable for clerks who need to manage HotSpot users.

Network Access: Select this option to allow connecting to the Embedded NGX gateway via a wireless client or via a direct connection to the gateway's ports, when the Embedded NGX EAP authenticator is used.

Access gateways via my.firewall

Community gateways: Specify your degree of access to the my.firewall portal of all gateways in the community, by selecting one of the following:
   None. Cannot access the my.firewall portal. This is the default level.
   Read Only. Can access the my.firewall portal, but cannot make any changes to the gateway settings.
   Read/Write. Can access the my.firewall portal and make changes to the gateway settings.
   Note: The gateway must be centrally managed, and the community must have user authentication enabled and Dynamic VPN defined.
   (For example: Read Only)

My gateways: Specify your degree of access to the my.firewall portal of owned gateways. For information on the available levels, see Community gateways, above.
   (For example: Read/Write)


   Note (My gateways): The gateway must belong to a community with User Authentication enabled.

Configuring Custom Fields

If custom user fields are defined for the portal, you can configure the custom fields as described in the following procedure.

To configure custom fields

1. In the navigation tree, click the Custom Fields node.
   The Custom Fields fields appear.
2. Complete the fields.
3. Click .

Viewing User Statuses

You can view your status, including information about current SMP sessions.

To view your status

1. In the navigation tree, click the Status node.
   The Status fields appear.
   For information on each field, see the following table.
2. To refresh the fields, click Refresh.

Table 99: User Status Fields

This field / Displays

Status
   Created: The date and time that the user account was created.
   Last Modified: The date and time that the user account was last modified.

My SMP Sessions
   #: The session number.
   Creation Time: The date and time at which the session was established, in the format: Month DD, YYYY hh:mm:ss. For example, December 08, 2009 14:21:26.
   Application: The application to which you logged in (SMC/SPP).
   Source IP: The IP address from which you connected.


Chapter 5
Viewing Logs

This chapter explains how to monitor your gateways, by viewing logs.

This chapter includes the following topics:
Viewing General Logs .............................................................................. 329
Viewing Security Logs ............................................................................. 331
Filtering Logs ........................................................................................... 334

Viewing General Logs

General logs include the following:
   Logs about general appliance events on your gateway(s), including:
      Authentication attempts
      Changes in setup
      Internet connection status changes
      Errors
      Warnings
   Logs that were generated for your user account.

To view general logs

1. In the SPP menu, click Logs > General.
   The following things happen:
   A progress bar appears.
   To stop loading logs, click Stop. Only logs that have loaded will be displayed.
   The Logs > General page appears, displaying a table of log entries for the current date and portal.
   The log table contains the columns described in General Log Columns on page 330. Log messages are marked according to their severity, as described in General Log Severities on page 331.
2. View and navigate the table as desired.
   See Viewing and Navigating Tables on page 7.
3. Sort the logs as desired.
   You can sort the logs according to the log table's Severity, Date, Portal or Message columns. See Sorting Tables on page 8.
4. Filter the logs as desired.
   See Filtering Logs on page 334.
5. To export the displayed logs, click Actions, and then click To Excel.
   The logs are exported to Excel format.

Chapter 5: Viewing Logs 329

Table 100: General Log Columns

This column… / Displays this…

Severity: The event's severity. See General Log Severities on page 331.
Date: The date and time of the event.
Origin: The name of the host or gateway that sent the log.
Portal: The portal in which the log was generated.
App: The name of the application that generated the log message. This can be any of the following: the SMC, an SMS, a gateway, or an SPP.
User: The username of the SMC administrator or SPP user who caused the logged event (if applicable).
Message: The log message describing the event.
Information: Additional information about the logged event. This information only appears when the source provides it.

Table 101: General Log Severities

Severity / Icon / Text Color / Description

Error: Red. Errors. In general logs, these are errors that occurred when dealing with the database.
Warning: Orange. Warnings.
Notice: Dark green. Actions that were completed successfully.

Viewing Security Logs

The Security Log includes logs about security-related events on your gateway(s), including the following:
   Connections logged by firewall rules
   Connections logged by VStream Antivirus
   Connections logged by VStream Antispam


   Security events logged by SmartDefense
   Web sites blocked by Web rules or the centralized Web Filtering service

To view security logs

1. In the SPP menu, click Logs > Security.
   The following things happen:
   A progress bar appears.
   To stop loading logs, click Stop. Only logs that have loaded will be displayed.
   The Logs > Security page appears, displaying a table of log entries for the current date.
   The log table contains the columns described in Security Log Columns on page 332. Log messages are marked according to their actions, as described in Security Log Actions on page 333.
2. View and navigate the table as desired.
   See Viewing and Navigating Tables on page 7.
3. Sort the logs as desired.
   You can sort the logs according to any of the log table's columns, except Information. See Sorting Tables on page 8.
4. Filter the logs as desired.
   See Filtering Logs on page 334.
5. To export the displayed logs, click To Excel.
   The logs are exported to Excel format.

Table 102: Security Log Columns

This column… / Displays this…

Action: The action that the firewall performed on a connection. Actions are represented by two icons:
   An Action icon - Indicates the action's type. For a list of Action icons, see Security Log Actions on page 333.
   A direction icon - Indicates the direction of the connection on which the firewall acted. This can be one of the following:
      Incoming connection
      Outgoing connection
      Internal connection
Date: The date and time of the action.
Origin: The gateway whose firewall performed the action.
Source: The IP address of the connection's source.
Destination: The IP address of the connection's destination.
Service: The service and port used for the connection.
Rule: The number of the firewall rule that was executed (if applicable).
Information: Additional information about the logged action.

Table 103: Security Log Actions

Action / Icon / Description

Connection Accepted: The firewall accepted a connection.
Connection Decrypted: The firewall decrypted a connection.
Connection Dropped: The firewall dropped a connection.
Connection Encrypted: The firewall encrypted a connection.
Connection Rejected: The firewall rejected a connection.
Connection Monitored: A security event was monitored; however, it was not blocked, due to the current configuration.
URL Allowed: The firewall allowed a URL.
URL Filtered: The firewall blocked a URL.
Virus Detected: A virus was detected in an email.
Potential Spam Stamped: An email was marked as potential spam.
Potential Spam Detected: An email was rejected as potential spam.
Mail Allowed: A non-spam email was logged.
Blocked by VStream Antivirus: VStream Antivirus blocked a connection.

Filtering Logs

If desired, you can set a filter on general logs and security logs to display any of the following:
   Logs from different date ranges
   Logs of different severities or actions
   Logs containing specific text

The filter settings are persistent throughout the user session. To remove a filter, see Removing Filters on page 342.

Setting Filters

To set a filter

1. Click Actions, and then click Filter.
   The Filter the Logs dialog box appears.


   For general logs, this dialog box appears as follows:

   For security logs, this dialog box appears as follows:

2. Complete the fields using the information in the table below.
3. Click OK.
   The logs are filtered according to the specified parameters.


Table 104: Log Filter Fields

In this field… / Do this… / For example…

Start Date: Use the drop-down lists to specify the starting date of the period for which to display logs. The default value is the current date. (For example: Jan 1 2009)

End Date: Use the drop-down lists to specify the ending date of the period for which to display logs. The default value is the current date. (For example: Mar 31 2009)

Origin: To filter logs according to their origin, select one of the following options in the drop-down list:
   is. Display only logs that were sent by the specified origin.
   not. Display only logs that were not sent by the specified origin.
   Then in the field, type the origin.
   For example: If you select "is" and type "SMC", logs generated by the SMC are displayed. If you select "not" and type "SMS", logs generated by an SMS are not displayed.

User: To filter logs according to a specific user, select one of the following options in the drop-down list:
   is. Display only logs relating to the specified user.
   not. Display only logs that do not relate to the specified user.
   Then in the field, type the user's User ID.
   This field only appears for general logs.
   For example: If you select "is" and type "JohnSmith", logs relating to the user JohnSmith are displayed. If you select "not" and type "JaneB", logs relating to the user JaneB are not displayed.

Free Text: To filter logs according to their content, select one of the following options in the drop-down list:
   is. Display only logs that contain the text in the field.
   not. Display only logs that do not contain the text in the field.
   Then in the field, type the text or the regular expression according to which you want to filter the logs. For information on regular expressions, see Using Regular Expressions on page 338.
   You can filter according to all of the logs' textual fields.
   For example: If you select "is" and type "SMC", logs containing the word "SMC" are displayed. If you select "not" and type "SMS", logs containing the word "SMS" are not displayed.

Min. Severity: Select the minimum log severity level to display. The default value is Notice. This field only appears for general logs.
   For example: If the selected level is "Alert", then all logs with the severity level of "Alert" and "Emergency" are displayed.

Action: Select the check boxes next to the types of actions to display. By default, all actions are selected except Mail Allowed and URL Allowed. This field only appears for security logs. (For example: Packet dropped)

Limit results to: Select the maximum number of results to display. The default value is 1000. (For example: 1000)


Using Regular Expressions

You can filter logs by using regular expressions in the Filter the Logs dialog box's Free Text field. Regular expressions are composed of the constructs listed in this section and are case sensitive.

Table 105: Regular-Expression Constructs

Construct / Description / For example, this regular expression... / Finds...

Characters

x: A literal character, x.
   Example: x finds all logs containing x.

\\: The backslash character.
   Example: \\ finds all logs containing a backslash.

Character Classes

[abc]: A union of characters a, b, and c.
   Example: gw[45] finds all logs containing gw, immediately followed by 4 and/or 5. For instance, gw45, gw54, gw409, but not gw004.
   Note: Most special characters (metacharacters) lose their meaning when used in a character class. Example: [*+?] finds all logs containing *, +, and/or ?.
   However, the following special characters retain their meaning. They must be escaped (preceded by a backslash) in order to use them as literal characters within a character class: backslash ( \ ), caret ( ^ ), hyphen ( - ). Example: [\\s] finds all logs containing a backslash and/or s, whereas [\s] finds all logs containing a whitespace character.

[^abc]: Any character except a, b, or c.
   Example: gw[^45] finds all logs containing gw, not immediately followed by 4 or 5. For instance, gw004, but not gw45.

[a-zA-Z]: A union of character ranges a-z and A-Z. The ranges can be alphabetical or numerical.
   Example: gw[1-48-9] finds all logs containing gw, immediately followed by a number in the range of 1-4 or a number in the range of 8-9. For instance, gw3 and gw8, but not gw5.

[a-z&&[^bc]]: An intersection of character range a-z with any character except b or c. This is the equivalent of: [ad-z]. The ranges can be alphabetical or numerical.
   Example: gw[1-6&&[^45]] finds all logs containing gw, immediately followed by a number that is in the range of 1-6 and is not 4 or 5. For instance, gw31, but not gw42.

[a-z&&[^m-p]]: An intersection of character range a-z with any character that is not in the range m-p. This is the equivalent of: [a-lq-z]. The ranges can be alphabetical or numerical.
   Example: gw[1-9&&[^4-6]] finds all logs containing gw, immediately followed by a number that is in the range of 1-9 and is not in the range of 4-6. For instance, gw9, but not gw6.

Predefined Character Classes

. : Any character, except line terminators.
   Example: gw.5 finds all logs containing gw, followed by any character, followed by 5. For instance, gw05 and gw45.

\d: A single-character digit. This is the equivalent of: [0-9].
   Example: \d5 finds all logs containing a digit immediately followed by 5.

\D: Any character that is not a digit. This is the equivalent of: [^0-9].
   Example: gw\D\D finds gw, followed by two characters that are not a digit.

\s: A whitespace character. That is, a tab, carriage return, line feed character, or a form feed character.
   Example: Hello\s+World finds Hello, followed by one or more whitespace characters, followed by World.

\S: Any character that is not a whitespace character. This is the equivalent of: [^\s].
   Example: Hello\S+World finds Hello, followed by one or more characters that are not a whitespace, followed by World.

\w: A word character. That is, an alphanumeric character or an underscore. This is the equivalent of: [a-zA-Z_0-9].
   Example: \w gw555 finds all logs containing gw555.

\W: Any character that is not a word character. This is the equivalent of: [^\w].
   Example: \W\W\W finds three consecutive non-alphanumeric characters.

Quantifiers

X?: The character X, either once or not at all.
   Example: gw45?6 finds all logs containing gw456 or gw46.

X*: The character X, zero or more times.
   Example: gw45*6 finds all logs containing gw46, gw456, gw4556, and so on.

X+: The character X, one or more times.
   Example: gw45+6 finds all logs containing gw456, gw4556, and so on.

Removing Filters

To remove a filter

1. Click Actions, and then click Filter.
   The Filter the Logs dialog box appears.
2. Click Clear.
   The dialog box's fields are reset.
3. Click OK.
   The logs are displayed unfiltered.
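As an added example (not code from the guide or from Check Point), the following Python script applies the Filter the Logs fields of Table 104 (date range, Origin, User, Free Text, Min. Severity, Limit results to) to constructed general-log entries, using the character-class and quantifier constructs of Table 105 as Free Text patterns. The severity ranking, the exact-match behaviour of Origin and User, and the sample entries are assumptions; Python's re module lacks the Java-style class intersection [a-z&&[^bc]], so the expanded equivalent class is used where the guide shows one.

```python
"""Log filtering modelled on the Filter the Logs dialog: date range, Origin and
User is/not, Free Text is/not with a case-sensitive regex, Min. Severity and
Limit results to, evaluated over constructed general-log entries."""
import re
from dataclasses import dataclass
from datetime import date, datetime
from typing import List, Optional, Tuple

# Severity ranking, most severe first.  The guide lists Error, Warning and
# Notice for general logs and names Alert and Emergency as more severe; the
# full syslog order used here is an assumption.
SEVERITY_ORDER = ["Emergency", "Alert", "Critical", "Error", "Warning", "Notice"]


@dataclass
class LogEntry:
    """One general-log row, using the columns of the General Log table."""
    severity: str
    event_date: date  # the Date column
    origin: str
    portal: str
    app: str
    user: str
    message: str
    information: str = ""

    def textual_fields(self) -> List[str]:
        # Free Text filtering applies to all of the log's textual fields.
        return [self.origin, self.portal, self.app, self.user,
                self.message, self.information]


@dataclass
class LogFilter:
    """The dialog's fields.  An is/not field is (mode, value); None means the
    field is empty.  Dates default to None (no bound) rather than to today."""
    start_date: Optional[date] = None
    end_date: Optional[date] = None
    origin: Optional[Tuple[str, str]] = None
    user: Optional[Tuple[str, str]] = None
    free_text: Optional[Tuple[str, str]] = None
    min_severity: str = "Notice"
    limit: int = 1000


def parse_dialog_date(text: str) -> date:
    """Parse a date in the form the dialog examples use, e.g. 'Jan 1 2009'."""
    return datetime.strptime(text, "%b %d %Y").date()


def _is_not(cond: Tuple[str, str], hit: bool) -> bool:
    """Apply the drop-down's 'is' / 'not' choice to a raw match result."""
    mode = cond[0]
    if mode == "is":
        return hit
    if mode == "not":
        return not hit
    raise ValueError(f"unknown filter mode: {mode!r}")


def entry_passes(entry: LogEntry, flt: LogFilter) -> bool:
    """True if the entry satisfies every non-empty filter field."""
    if flt.start_date is not None and entry.event_date < flt.start_date:
        return False
    if flt.end_date is not None and entry.event_date > flt.end_date:
        return False
    # Min. Severity keeps the selected level and everything more severe.
    if SEVERITY_ORDER.index(entry.severity) > SEVERITY_ORDER.index(flt.min_severity):
        return False
    # Origin and User are assumed to be exact, case-sensitive comparisons.
    if flt.origin is not None and not _is_not(flt.origin, entry.origin == flt.origin[1]):
        return False
    if flt.user is not None and not _is_not(flt.user, entry.user == flt.user[1]):
        return False
    if flt.free_text is not None:
        pattern = re.compile(flt.free_text[1])  # case-sensitive, as the guide states
        hit = any(pattern.search(f) for f in entry.textual_fields())
        if not _is_not(flt.free_text, hit):
            return False
    return True


def apply_filter(entries: List[LogEntry], flt: LogFilter) -> List[LogEntry]:
    """Return the matching entries, truncated to the Limit results to value."""
    return [e for e in entries if entry_passes(e, flt)][: flt.limit]


# Constructed sample entries; the origins exercise the guide's gw[...] examples.
SAMPLE_LOGS = [
    LogEntry("Notice", date(2009, 1, 15), "gw45", "Acme", "SMC", "JohnSmith", "Rule 3 changed"),
    LogEntry("Warning", date(2009, 2, 10), "gw004", "Acme", "SMS", "JaneB", "Internet connection lost"),
    LogEntry("Error", date(2009, 3, 2), "gw456", "Acme", "SMC", "JohnSmith", "Database write failed"),
    LogEntry("Notice", date(2009, 4, 1), "gw8", "Acme", "SPP", "JaneB", "Authentication attempt"),
    LogEntry("Notice", date(2009, 3, 20), "gw54", "Acme", "SMC", "", "Hello   World"),
    LogEntry("Warning", date(2009, 5, 5), "gw31", "Acme", "SMS", "JaneB", "Setup changed"),
]


def origins_matching(regex: str) -> List[str]:
    """Origins of the sample entries kept by a Free Text 'is' filter, e.g.
    gw[45] or gw[^45].  Python's re has no Java-style class intersection such
    as gw[1-6&&[^45]]; write the expanded equivalent gw[1-36] instead."""
    return [e.origin for e in apply_filter(SAMPLE_LOGS, LogFilter(free_text=("is", regex)))]
```

Calling origins_matching(r"gw[45]") returns the origins gw45, gw456 and gw54 but not gw004, matching the [abc] row of the table, while gw[^45] returns the complement set gw004, gw8 and gw31.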


Chapter 6
Viewing Reports

This chapter explains how to monitor your gateways, by viewing reports.

This chapter includes the following topics:
Viewing Gateway Security Reports.......................................................... 343
Viewing Gateway Vulnerability Reports .................................................. 343

Viewing Gateway Security Reports

You can view the most recently generated security report for the gateway.

To view a gateway security report

1. In the SPP menu, click Reports > Security.
   The Security Reports page appears.
2. In the Gateway drop-down list, select the desired gateway.
3. In the Report Generation drop-down list, select the desired report date.
   The desired gateway security report appears.

Viewing Gateway Vulnerability Reports

You can view the most recently generated vulnerability report for the gateway.

To view a gateway vulnerability report

1. In the SPP menu, click Reports > Vulnerability.
   The Vulnerability Reports page appears.
2. In the Gateway drop-down list, select the desired gateway.
   The gateway's latest vulnerability report appears.

Chapter 6: Viewing Reports 343


Glossary of Terms

A

antivirus: A program that detects viruses and takes appropriate action.

B

batch: A group of gateways that share certain attributes.

C

center gateway: A member of a star VPN community*, which can establish VPN tunnels* with each satellite gateway* in the community. Also called a hub.

certificate: A digital signature encrypted with a public key and with the private key of the Certificate Authority (CA)*. Gateways, users, and computers use certificates to identify themselves and provide verifiable information. For instance, a certificate includes an entity's Distinguished Name (DN), public key, and possibly the IP address. After two entities exchange and validate each other's certificates, they can begin encrypting information between themselves using the public keys in the certificates.

Certificate Authority (CA): The Certificate Authority (CA) issues certificates* to entities such as gateways, users, or computers. The entity later uses the certificate to identify itself and provide verifiable information. For instance, the certificate includes the Distinguished Name (DN) (identifying information) of the entity, as well as the public key (information about itself), and possibly the IP address. After two entities exchange and validate each other's certificates, they can begin encrypting information between themselves using the public keys in the certificates.

Content Vectoring Protocol (CVP): An OPSEC* API that enables integration of third-party content security applications such as antivirus software into gateways. The CVP API has been adopted by a wide variety of security vendors.

Customer Premises Equipment (CPE): Communications equipment located at the customer's site.

Glossary of Terms 345


D

demilitarized zone (DMZ): An internal network defined in addition to the LAN network and protected by the Embedded NGX gateway.

DHCP: Any machine requires a unique IP address to connect to the Internet using Internet Protocol. Dynamic Host Configuration Protocol (DHCP) is a communications protocol that assigns Internet Protocol (IP) addresses to computers on the network. DHCP uses the concept of a "lease", or amount of time that a given IP address will be valid for a computer.

Domain Name System (DNS): An Internet service that receives domain names and returns the corresponding IP addresses.

Dynamic DNS (DDNS): A service that allows you to assign a domain name to a gateway, and that updates the mapping of domain name to IP address each time the gateway's IP address changes.

Dynamic VPN (DVPN): A service that allows the creation of VPN communities. Each time the IP address of a gateway in the VPN community changes, the DVPN service automatically updates all the gateways in the community with the most recent IP address.

E

Event Logging Module (ELM): A remote logging mechanism that enables the SMS* to collect log information and security reports from Embedded NGX gateways.

F

firewall: A combination of hardware and software resources positioned between a local (trusted) network and the Internet. The firewall ensures that all communication between an organization's network and the Internet meets the organization's security policy.

firmware: Software embedded in a device.

G

gateway: A device positioned between two networks, and through which all communications between the networks must pass. A gateway is the natural choice for enforcing a security policy and providing encryption and authentication services.

H

High Availability: A configuration in which redundant components take over the tasks of failed components, to maintain constant availability of a system despite failures.


host: A computer connected to a network.

HTTPS: Hypertext Transfer Protocol over Secure Socket Layer, or HTTP over SSL. A protocol for accessing a secure Web server. It uses SSL as a sub-layer under the regular HTTP application. This directs messages to a secure port number rather than the default Web port number, and uses a public key to encrypt data. HTTPS is used to transfer confidential user information.

I

INSPECT: Check Point's high-level scripting language for defining a security policy*. An INSPECT script* is compiled into machine code and loaded into an Inspection Module* for execution.

INSPECT Script: See Inspection Script on page 347.

Inspection Code: A code that is compiled from an Inspection Script* and loaded into an Embedded NGX FireWall Module for enforcement. Also called INSPECT Code.

Inspection Module: A Check Point security application embedded in the broadband access device or gateway (between the data link and network layers), that enforces a security policy*.

Inspection Script: The ASCII file that the Check Point Policy Editor generates from the security policy*. An Inspection Script can also be written using a text editor.

Internet: A public network connecting many thousands of computer networks in a three-level hierarchy, including backbone networks (such as NSFNET, MILNET), mid-level networks and sub-networks. The Internet utilizes multiple communication protocols (especially TCP/IP*) to create a worldwide communications medium.

Internet Protocol (IP): The network layer for the TCP/IP* protocol suite. IP is a connectionless, best-effort packet switching protocol that is designed to provide the most efficient delivery of packets across the Internet.

intranet: An organization's internal private network that is managed according to Internet protocols, but accessible only inside the organization.

IP address: The 32-bit address defined by the Internet Protocol to uniquely identify Internet hosts and servers.


IP spoofing
A technique whereby an intruder attempts to gain access to a network by altering a packet's source IP address to make it appear as though the packet originated in a part of the network with higher access privileges (for example, the IP address of a workstation on the local network). The attack requires the intruder to know or guess the network's internal IP addresses; a gateway defeats it by dropping any packet whose source address belongs to a network behind a different interface than the one on which the packet arrived (anti-spoofing).

key
Information used to encrypt and decrypt data.

LAN
See Local Area Network (LAN) on page 348.

load balancing
The ability to distribute processing loads among multiple servers, so as to improve performance and reduce access time. Load balancing is often transparent to the user. It also improves security by limiting the effect of attacks that exhaust a single server's resources and by applying more resources to the tasks of monitoring and filtering network traffic. A variety of algorithms can be used to determine how best to distribute traffic over these servers.

Local Area Network (LAN)
A data network intended to serve an area of only a few square kilometers or less (more typically, an individual organization). LANs consist of software and equipment such as cabling, hubs, switches, and routers, enabling communication between computers and the sharing of local resources such as printers, databases, and file and video servers.

local management plan
A service plan that allows the administrators of gateways subscribed to the plan to configure management, security, and network settings themselves.

Logging and Event API (LEA)
An OPSEC* API that enables an application to securely receive and process both real-time and historical logging and auditing events generated by Check Point SMP. LEA can be used by a variety of applications to complement firewall management.

MAC address
The physical hardware address of a device connected to a network.

Managed Internet Security Services
Bundled security services, including secure Internet*, intranet* and extranet, provided by a Service Provider*. Typically, the Service Provider handles management and support for the security services, which can be implemented as part of the Internet service or customized to client needs.

meshed VPN community
A VPN community in which all members can communicate directly with each other and fully access the networks behind the gateways.

network address
The network portion of an IP address*. Under classful addressing this is the first one to three bytes of the address, with the remainder being the host or server address; with a subnet mask* the boundary between network and host bits can fall at any bit position.

Network Address Translation
Translating an internal network's real IP addresses to different ("false") IP addresses, either to avoid exposing the real addresses or to enable hosts with addresses that are not routable on the Internet to communicate on it, thus avoiding the need to renumber the network (a formidable, error-prone task).

NOC
Network Operations Center.

Open Platform for Secure Enterprise Connectivity (OPSEC)
An open, industry-wide alliance, driven by Check Point Software Technologies, to ensure interoperability at the policy level between security products. Interoperability is achieved through a combination of published APIs, industry-standard protocols, and a high-level scripting language. OPSEC encourages partnerships in the areas of infrastructure (network products and services), framework (security products), and passport (application developers).

OPSEC
See Open Platform for Secure Enterprise Connectivity (OPSEC) on page 349.

packet
A unit of data, as sent across a network.

packet filter
A type of firewall* that examines only the network- and transport-layer headers of each packet* in isolation and is typically implemented by routers. This type of firewall cannot support dynamic protocols nor apply application intelligence to the data stream.

password
A short string of characters, knowledge of which is required to gain access to some resource. Passwords are considered unreliable security devices because they are relatively easy to guess and people tend not to take strict precautions against their disclosure. See also token on page 352.
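The anti-spoofing check described under IP spoofing, as an added Python example (not code from this guide or from any Check Point product). It assumes a hypothetical gateway with LAN, DMZ and WAN interfaces, each bound to the networks that legitimately sit behind it, and uses constructed private and documentation addresses; the network_address helper shows the mask arithmetic behind the network address entry.

```python
import ipaddress

# Constructed example topology (hypothetical addresses, not taken from the guide):
# each gateway interface is bound to the internal network(s) that legitimately sit
# behind it. The external (WAN) interface has no internal networks, so an internal
# source address arriving there can only be spoofed.
INTERFACE_NETWORKS = {
    "LAN": [ipaddress.ip_network("192.168.10.0/24")],
    "DMZ": [ipaddress.ip_network("192.168.20.0/24")],
    "WAN": [],
}


def network_address(addr: str, mask: str) -> str:
    """Apply a dotted subnet mask to an address and return its network portion."""
    return str(ipaddress.ip_interface(f"{addr}/{mask}").network.network_address)


def expected_interface(src: str, topology=INTERFACE_NETWORKS) -> str:
    """Interface behind which a packet with source address `src` must originate.
    An address inside no bound internal network is assumed to be external."""
    addr = ipaddress.ip_address(src)
    for iface, nets in topology.items():
        if any(addr in net for net in nets):
            return iface
    return "WAN"


def is_spoofed(src: str, arrived_on: str, topology=INTERFACE_NETWORKS) -> bool:
    """Anti-spoofing check: a packet is spoofed when its source address belongs to
    a network behind a different interface than the one it actually arrived on."""
    return expected_interface(src, topology) != arrived_on


# Constructed sample packets: (source address, ingress interface)
SAMPLE_PACKETS = [
    ("198.51.100.7", "WAN"),   # ordinary Internet client
    ("192.168.10.5", "WAN"),   # claims to be a LAN workstation but came in from the Internet
    ("192.168.10.5", "LAN"),   # the same address where it belongs
    ("192.168.20.9", "LAN"),   # a DMZ address showing up on the LAN port
]


def audit(packets):
    """Return (src, interface, verdict) for each packet."""
    return [
        (src, iface, "drop: spoofed source" if is_spoofed(src, iface) else "pass")
        for src, iface in packets
    ]


if __name__ == "__main__":
    for src, iface, verdict in audit(SAMPLE_PACKETS):
        print(f"{src:>15} on {iface:<3} -> {verdict}")
```

The check is purely topological: it needs no knowledge of the attacker, only an accurate binding of networks to interfaces, which is why a wrong or missing binding is the usual reason anti-spoofing either blocks legitimate traffic or lets spoofed packets through.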


public network
Any computer network, such as the Internet*, that offers long-distance inter-networking using open, publicly accessible telecommunications services (in contrast to a WAN* or LAN*).

remote management plan
A service plan that allows SMP administrators to remotely configure management, security, and network settings for gateways subscribed to the plan.

Rule Base
An ordered set of rules that defines an Embedded NGX security policy*. A rule describes a communication in terms of its source, destination, and service, and specifies whether the communication should be accepted or rejected, as well as whether it is to be logged. Each communication is tested against the rules in order and the first matching rule decides; if it matches none of the rules, it is dropped.

satellite gateway
A member of a star VPN community* that can only establish VPN tunnels with the center gateway*. Also called a spoke.

Security Content Filtering Server (SCS)
An optional Check Point component that provides a full antivirus, antispam, and URL filtering solution. The SCS is based on the free, open-source ClamAV antivirus system, the free Apache SpamAssassin, and the Secure Computing SmartFilter URL filtering system.

Security Management Center (SMC)
A Web-based application for managing, configuring, and monitoring all SMP user and system settings.

Security Management Server (SMS)
A Check Point component that distributes security policies, firmware, and user interfaces to gateways. The SMS also installs the gateway's certificate on the corresponding appliance.

security policy
A security policy is defined in terms of firewalls*, services, users and the rules that govern the interactions between them. Once these have been specified, an Inspection Script* is generated and installed on the firewalled hosts or gateways. The gateways can then enforce the security policy on a per-user basis, verifying not only the communication's source, destination, and service, but also the user's authenticity. A user-based security policy also allows control based on content: for example, mail to or from certain addresses can be rejected or redirected, access can be denied to specific URLs, and antivirus checking of transferred files can be performed.


Security with Transport Protocol (SWTP)
The protocol used by the SMS to communicate with gateways.

Self Provisioning Portal (SPP)
A website that enables customers to change some of their own settings.

server group
A group of Security Management Servers* (SMS).

service plan
A template in which you define a set of gateway features. Each gateway is assigned to a plan and, by default, inherits its settings from the plan. There are two types of plans: remote management* and local management*.

Service Provider
A provider of access to the Internet. Some providers own the network infrastructure, while others lease network capacity from a third party.

SP
See Service Provider on page 351.

star VPN community
A VPN community composed of two types of members, center* and satellite* (also called hub and spoke), where:
- The center gateway can establish VPN tunnels with each satellite gateway.
- Satellite gateways cannot establish VPN tunnels with each other.

Stateful Inspection
A technology developed and patented by Check Point. A Stateful Inspection Module accesses and analyzes data derived from all communication layers. This state and context data is stored and updated dynamically, providing virtual session information for tracking connectionless protocols. Cumulative data from the communication and application states, network configuration and security rules are all used to decide on an appropriate action: accepting, rejecting or encrypting the communication. Any traffic not explicitly allowed by the security policy* is dropped.

Subnet Mask
A 32-bit value indicating how a network is split into subnets. A 1 bit in the mask marks a bit of the IP address that belongs to the network (subnet) part; a 0 bit marks a bit of the host part.

TCP
See Transmission Control Protocol on page 352.
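How an ordered Rule Base with an implicit drop behaves, and what Stateful Inspection adds over a plain packet filter, as an added Python example (not code from this guide or from a Check Point gateway). The two rules, the networks and the four packets are constructed for illustration, and the connection table keyed on the 5-tuple is a deliberate simplification of real state tracking.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    src: str       # "Any" or a network in CIDR form
    dst: str
    service: str   # "Any" or "<proto>/<port>", e.g. "tcp/80"
    action: str    # "accept" or "reject"
    log: bool = False


def _addr_matches(pattern: str, addr: str) -> bool:
    return pattern == "Any" or ipaddress.ip_address(addr) in ipaddress.ip_network(pattern)


def match_rule(rules, pkt: Packet) -> Optional[Tuple[int, Rule]]:
    """Stateless, first-match lookup over the ordered Rule Base (1-based rule number).
    None means no rule matched, which the policy treats as an implicit drop."""
    service = f"{pkt.proto}/{pkt.dport}"
    for number, rule in enumerate(rules, start=1):
        if (_addr_matches(rule.src, pkt.src)
                and _addr_matches(rule.dst, pkt.dst)
                and rule.service in ("Any", service)):
            return number, rule
    return None


class StatefulGateway:
    """Rule Base plus a connection table: replies belonging to an accepted connection
    are allowed by state, so no rule has to open the return direction."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.connections = set()   # 5-tuples of accepted connections
        self.log = []

    def inspect(self, pkt: Packet) -> str:
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.connections or rev in self.connections:
            return "accept (established)"
        hit = match_rule(self.rules, pkt)
        if hit is None:
            self.log.append(("implicit drop", pkt))
            return "drop (no rule)"
        number, rule = hit
        if rule.log:
            self.log.append((f"rule {number} {rule.action}", pkt))
        if rule.action == "accept":
            self.connections.add(fwd)
            return f"accept (rule {number})"
        return f"reject (rule {number})"


# Constructed Rule Base (hypothetical networks): the LAN may browse the web, and
# nothing from outside may initiate a connection into the LAN.
RULES = [
    Rule("192.168.10.0/24", "Any", "tcp/80", "accept", log=True),
    Rule("Any", "192.168.10.0/24", "Any", "reject", log=True),
]


def demo():
    """Run four constructed packets through the gateway and return the verdicts."""
    gw = StatefulGateway(RULES)
    request = Packet("192.168.10.5", "203.0.113.80", "tcp", 40000, 80)
    reply = Packet("203.0.113.80", "192.168.10.5", "tcp", 80, 40000)
    probe = Packet("203.0.113.80", "192.168.10.5", "tcp", 4444, 40000)   # unrelated inbound
    ssh = Packet("192.168.10.5", "203.0.113.80", "tcp", 40001, 22)        # in no rule
    return [gw.inspect(p) for p in (request, reply, probe, ssh)]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
    # A stateless packet filter evaluating the same reply hits rule 2 and rejects it:
    print(match_rule(RULES, Packet("203.0.113.80", "192.168.10.5", "tcp", 80, 40000)))
```

The reply packet is the instructive case: evaluated against the rules alone it is rejected by rule 2, so a packet filter would need an extra inbound rule (and thereby a permanent hole), whereas the stateful gateway accepts it only because it belongs to a connection the LAN host opened.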


TCP/IP
See Transmission Control Protocol over Internet Protocol (TCP/IP) on page 352.

token
A password* that can be used only once, typically generated by a hardware device as needed. Tokens are considered secure because a revealed code cannot be reused: it is no longer valid after its first use. The remaining exposure is a code that is intercepted and submitted before the legitimate user submits it.

Transmission Control Protocol
A connection-oriented, stream-oriented Internet standard transport layer protocol (in contrast to the connectionless UDP protocol).

Transmission Control Protocol over Internet Protocol (TCP/IP)
The common name for the suite of protocols developed under U.S. Department of Defense funding in the 1970s and first widely deployed in UNIX. TCP/IP is the primary language of the Internet.

URL
An identifier that uniquely identifies a Web-based resource, such as a Web page (for example, http://www.checkpoint.com/).

URL Filtering Protocol (UFP)
An OPSEC* API that enables the integration of a third-party application to categorize and control access to specific URL addresses.

Virtual Private Network (VPN)
A network with both private and public segments, in which data passing over the public segments is encrypted so as to achieve secure communications. A VPN is significantly less expensive and more flexible than a dedicated private network.

virus
A program that replicates itself on computer systems by incorporating itself into other programs that are shared among computer systems. Once in a new host, a virus can damage data in the host's memory, display unwanted messages, crash the host or, in some cases, simply lie dormant until a specified event occurs (for example, the turn of a new year).

VPN community
A group of gateways sharing the same VPN security parameters, such as encryption algorithms. When a new member is added to a community, it automatically inherits the appropriate properties and can immediately establish secure sessions with the rest of the community. There are two types of VPN communities: star and meshed.

VPN routing
A way of directing communication through a specific VPN tunnel in order to enhance existing connectivity or security. For example, in a star VPN community* configured for VPN routing, packets sent by a satellite gateway are routed through the center gateway to the destination satellite gateway.

VPN tunnel
A secure, encrypted connection between two VPN endpoints, such as a Remote Access VPN Client and a Remote Access VPN Server, or two gateways in a VPN community*.

Web server
A network device that stores and serves any kind of data file, including text, graphic images, video, or audio. Its stored information can be accessed via the Internet* using standard protocols, most often HTTP.

Wide Area Network (WAN)
A geographically large network (usually private). A WAN is typically constructed to link sites in different cities, regions or countries.

wireless LAN (WLAN)
A wireless local area network protected by the Embedded NGX gateway.
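A one-time token as described in the token entry, as an added Python example rather than anything from this guide or a Check Point device: an RFC 4226 HOTP generator, a server-side verifier that burns each counter after use so a revealed code cannot be replayed, and the remaining failure mode where an intercepted code is submitted before its owner uses it. The secret is the RFC 4226 test-vector secret, and the look-ahead window size is an assumption of the example.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the 8-byte big-endian
    counter, dynamic truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


class TokenVerifier:
    """Server-side verifier. Each counter value is accepted at most once; accepting
    counter c also burns every counter below it, so a used code can never be replayed.
    The look-ahead window tolerates a token pressed a few times without logging in
    (the window size is an assumption of this example, not a value from the guide)."""

    def __init__(self, secret: bytes, window: int = 5):
        self.secret = secret
        self.window = window
        self.next_counter = 0   # lowest counter value still acceptable

    def verify(self, code: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.next_counter = c + 1
                return True
        return False


# The RFC 4226 test-vector secret (ASCII "12345678901234567890"); a real token holds
# a random per-device secret.
TEST_SECRET = b"12345678901234567890"


def demo() -> dict:
    """Constructed scenario: one legitimate use, a replay, the next code, and an
    attacker who intercepts a fresh code and submits it before its owner does."""
    server = TokenVerifier(TEST_SECRET)
    first = hotp(TEST_SECRET, 0)
    results = {
        "first_use": server.verify(first),                  # valid: counter 0 is fresh
        "replay": server.verify(first),                     # rejected: counter 0 is spent
        "next_code": server.verify(hotp(TEST_SECRET, 1)),   # valid: counter 1 is in the window
        "stale_code": server.verify(hotp(TEST_SECRET, 0)),  # rejected: behind the window for good
    }
    intercepted = hotp(TEST_SECRET, 2)
    results["attacker_first"] = server.verify(intercepted)  # one-time use does not help here
    results["owner_after"] = server.verify(intercepted)     # the owner's own code is now spent
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:>15}: {outcome}")
```

The verifier must persist next_counter: if it is reset (for example, by restoring a backup of the authentication server), every code since the restore point becomes valid again and the one-time property is lost.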


Index

About This Guide • 1
Accessing Online Help • 8
Adding and Editing Allowed Commands • 113
Adding and Editing Blocked Senders • 145
Adding and Editing Bridges • 219
Adding and Editing Centralized Web Rules • 163
Adding and Editing Firewall Rules • 55
Adding and Editing Internal Users • 302
Adding and Editing Local Web Rules • 166
Adding and Editing NAT Rules • 70
Adding and Editing Network Objects • 247
Adding and Editing Network Service Objects • 253
Adding and Editing QoS Classes • 240
Adding and Editing Remote Access VPN Sites • 274
Adding and Editing Safe Senders • 156
Adding and Editing Site-to-Site VPN Gateways • 282
Adding and Editing VLANs • 193
Adding and Editing VStream Antispam Rules • 151
Adding and Editing VStream Antivirus Rules • 127
Adding or Editing Static Routes • 256
antivirus • 345
Automatic Logout • 9
Automatically Configuring Network Topology • 267
batch • 345
Block Known Ports • 85
Block Port Overflow • 85
Blocked FTP Commands • 87
center gateway • 345
certificate • 345
Certificate Authentication Method • 290
Certificate Authority (CA) • 345
Changing Your Password • 9
Checksum Verification • 95
Cisco IOS DOS • 95
Completing Fields • 7
Configuring a SmartDefense Setting • 77
Configuring Access Permissions • 322
Configuring Advanced VStream Antivirus Settings • 134


Configuring Authentication Settings • 261
Configuring Automatic Snooze • 162
Configuring Block List Settings • 146
Configuring Bridges • 218
Configuring Category-Based Web Filtering • 162
Configuring Centralized Web Filtering • 160
Configuring Centralized Web Filtering Advanced Settings • 161
Configuring Centralized Web Rules • 163
Configuring Community Memberships • 322
Configuring Community Settings • 18
Configuring Contact Details • 321
Configuring Custom Fields • 307, 326
Configuring Date and Time Settings • 43
Configuring DNS Settings • 298
Configuring Domain Names • 299
Configuring Email Filtering Settings • 171
Configuring Firewall Rules • 55
Configuring Firmware Settings • 174
Configuring General Settings • 18
Configuring Handling of Legitimate Email • 157
Configuring High Availability • 232
Configuring HTTPS • 26
Configuring Internal Gateway User Settings • 301
Configuring License Settings • 40
Configuring Local Web Rules • 166
Configuring Logging Settings • 24
Configuring Mail Server Settings • 298
Configuring Management Protocols • 26
Configuring NAT Rules • 68
Configuring Network Objects • 245
Configuring Network Service Objects • 252
Configuring Network Settings • 176
Configuring Network Topology • 266
Configuring Port-Based Security • 226
Configuring Product Customization Settings • 41
Configuring RADIUS User Authentication • 35
Configuring Remote Desktop Settings • 47
Configuring Reporting Settings • 301
Configuring Safe Senders • 155
Configuring Safe Senders Settings • 157
Configuring Secure HotSpot • 65
Configuring Security Settings • 52
Configuring Server Group Settings • 19
Configuring Service Settings • 20
Configuring Setup Settings • 25
Configuring SmartDefense Settings • 75
Configuring SNMP • 31
Configuring SSH • 29
Configuring Static Routes • 256


Configuring Subscription Settings • 21
Configuring Syslog Logging • 34
Configuring the Base Security Policy • 54
Configuring the Block List Engine • 144
Configuring the Content Based Antispam Engine • 140
Configuring the DMZ • 189
Configuring the Internal DNS Server • 49
Configuring the IP Reputation Engine • 147
Configuring the LAN • 177
Configuring the OfficeMode Network • 216
Configuring the Security Level • 52
Configuring the SPP URL • 23
Configuring the Terminal Server • 229
Configuring the WLAN • 197
Configuring Traffic Shaper • 236
Configuring User Account Expiration • 320
Configuring User Interface Settings • 46
Configuring Virtual Access Points • 210
Configuring VLANs • 190
Configuring VPN Server Settings • 269
Configuring VPN Settings • 260
Configuring VPN Sites • 272
Configuring VStream Antispam Rules • 151
Configuring VStream Antispam Settings • 137
Configuring VStream Antivirus Rules • 127
Configuring VStream Antivirus Settings • 125
Configuring Web Filtering Settings • 159
Configuring Wireless Distribution System Links • 213
Configuring Wireless Networks • 195
Contacting Technical Support • 2
Content Vectoring Protocol (CVP) • 345
Customer Premises Equipment (CPE) • 345
Customizing Secure HotSpot • 66
Customizing the Blocked Site Message • 171
DDoS Attack • 80
Deleting Allowed Commands • 118
Deleting Blocked Senders • 146
Deleting Bridges • 222
Deleting Centralized Web Rules • 166
Deleting Firewall Rules • 64
Deleting Internal Users • 306
Deleting Local Web Rules • 170
Deleting NAT Rules • 74
Deleting Network Objects • 252
Deleting Network Service Objects • 255
Deleting QoS Classes • 245
Deleting Safe Senders • 157
Deleting Static Routes • 258
Deleting VLANs • 194


Deleting VPN Sites • 297
Deleting VStream Antispam Rules • 155
Deleting VStream Antivirus Rules • 133
demilitarized zone (DMZ) • 346
Denial of Service • 79
DHCP • 346
Document Conventions • 2
Domain Name System (DNS) • 346
Dynamic DNS (DDNS) • 346
Dynamic VPN (DVPN) • 346
Enabling Traffic Shaper • 238
Enabling/Disabling Centralized Web Filtering Settings • 160
Enabling/Disabling VStream Antispam • 138
Enabling/Disabling VStream Antivirus • 126
Event Logging Module (ELM) • 346
Exporting Gateway Certificates • 264
Filtering Logs • 334
firewall • 346
firmware • 346
Flags • 118
FTP • 84
FTP Bounce • 88
Games • 124
gateway • 346
Getting Started • 3
H.323 • 107
Header Rejection • 89
High Availability • 346
host • 347
HTTP • 89
HTTPS • 347
IGMP • 91
INSPECT • 347
INSPECT Script • 347
Inspection Code • 347
Inspection Module • 347
Inspection Script • 347
Instant Messaging Traffic • 92
Intended Audience • 1
Internet • 347
Internet Protocol (IP) • 347
intranet • 347
Introduction • 1
IP address • 347
IP and ICMP • 94
IP Fragments • 97


IP spoofing • 348
key • 348
LAN • 348
LAND • 80
load balancing • 348
Local Area Network (LAN) • 348
local management plan • 348
Locking and Unlocking Settings • 15
Locking Nodes to Plan • 17
Logging and Event API (LEA) • 348
Logging in to the Check Point Self Provisioning Portal • 4
Logging Out • 9
MAC address • 348
Managed Internet Security Services • 348
Managing Your Gateways • 11
Managing Your User Account • 317
Manually Configuring Network Topology • 267
Max Ping Size • 98
meshed VPN community • 349
Microsoft Networks • 104
Modbus/TCP • 112
Modbus/TCP Policy • 113
Modifying Link Configurations • 225
Modifying Port Assignments • 223
Modifying Port Settings • 223
network address • 349
Network Address Translation • 349
Network Count Limitations • 195
Network Quota • 99
NOC • 349
Non-TCP Flooding • 81
Null Payload • 101
Open Platform for Secure Enterprise Connectivity (OPSEC) • 349
OPSEC • 349
Overview • 75, 159
packet • 349
packet filter • 349
Packet Sanity • 102
password • 349
Peer to Peer • 107
Performing Vulnerability Scans on Gateways • 313
Ping of Death • 83
Port Scan • 109
Predefined QoS Classes • 237
public network • 350


Related Publications • 2
remote management plan • 350
Removing Filters • 342
Reordering Centralized Web Rules • 165
Reordering Firewall Rules • 64
Reordering Local Web Rules • 170
Reordering VStream Antispam Rules • 154
Reordering VStream Antivirus Rules • 133
Resetting Individual Nodes to Default Settings • 310
Reverting Changes to Settings • 8
Revoking and Renewing Gateway Certificates • 262
Rule Base • 350
satellite gateway • 350
SCADA • 111
Scheduling Firmware Updates • 174
Security Content Filtering Server (SCS) • 350
Security Management Center (SMC) • 350
Security Management Server (SMS) • 350
security policy • 350
Security with Transport Protocol (SWTP) • 351
Selecting Firmwares • 174
Self Provisioning Portal (SPP) • 351
Sequence Verifier • 120
server group • 351
service plan • 351
Service Provider • 351
Setting Filters • 334
Setting Up Secure HotSpot • 66
Setting Up Traffic Shaper • 238
Shared Secret Authentication Method • 287
SIP • 106
Small PMTU • 120
SmartDefense Categories • 79
Software Requirements • 3
Sorting Tables • 8
SP • 351
star VPN community • 351
Stateful Inspection • 351
Strict TCP • 122
Subnet Mask • 351
SynDefender • 123
TCP • 118, 351
TCP/IP • 352
Teardrop • 83
token • 352
Transmission Control Protocol • 352
Transmission Control Protocol over Internet Protocol (TCP/IP) • 352


Understanding the Status Bar • 7
Unlocking from Plan • 16
URL • 352
URL Filtering Protocol (UFP) • 352
Using CLI Scripts • 44
Using Regular Expressions • 338
Using the SPP Main Screen • 5
Using the Workspace Navigation Tree • 6
Viewing and Editing Gateways • 12
Viewing and Editing Users • 317
Viewing and Navigating Tables • 7
Viewing Gateway Owner Information • 308
Viewing Gateway Security Reports • 343
Viewing Gateway Statuses • 310
Viewing Gateway Vulnerability Reports • 343
Viewing General Logs • 329
Viewing Logs • 329
Viewing Security Logs • 331
Viewing User Statuses • 326
Virtual Private Network (VPN) • 352
virus • 352
VoIP • 105
VPN community • 352
VPN routing • 352
VPN tunnel • 353
Web server • 353
Welchia • 103
Wide Area Network (WAN) • 353
wireless LAN (WLAN) • 353
Workflow • 219
Worm Catcher • 90
