ACE Engineer
TRANSCRIPT
Welcome to the training!
Astaro Certified Engineer V7
Astaro Security Gateway V7 - Astaro Certified Engineer – Page 1© Astaro 2004/ ACE_V7.4
Courseware Version EN-V7.4
DISCLAIMER
All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restrictions limiting their use, copying and distribution. No part of this document may be used or reproduced in any form or by any means, or stored in a database or retrieval system, without prior written permission of the publisher, except in the case of brief quotations embodied in critical articles and reviews. Making copies of any part of this Training Courseware for any other purpose is a violation of copyright laws.
While every precaution has been taken in the preparation of this document, Astaro assumes no responsibility for errors or omissions and makes no explicit or implied claims to the validity of this information. This document and features described herein are subject to change without notice.
This Astaro Training Courseware may not be sold by any company other than Astaro without prior written permission. Neither Astaro nor any authorized distributor shall be liable to the purchaser or any other person or entity with respect to any liability, loss or damage caused or alleged to have been caused directly or indirectly by this book.
Trademarks:
© Copyright 2000 - 2005, Astaro AG. Astaro Security Linux is a registered trademark of Astaro AG.
© Copyright 2000 - 2007, Astaro AG. Astaro Security Gateway is a registered trademark of Astaro AG.
© Copyright 2002 - 2005, Astaro AG. Astaro Configuration Manager is a registered trademark of Astaro AG.
© Copyright 1997 - 2005, Solsoft. Solsoft and Solsoft NP are trademarks of Solsoft.
Other product and company names mentioned herein may be trademarks and/or registered trademarks of their respective companies. Specifications and descriptions subject to change without notice.
All other products or services mentioned herein are trademarks or registered trademarks of their respective owners. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark. Consult your product manuals for complete trademark information.
Agenda - ACE
DAY ONE
Astaro Product Overview
Available Products
AXG System Architecture
Refresher ACA
Networking
VLAN
Link Aggregation
Bridging
Policy Routing
OSPF
DAY TWO
VoIP Security
H.323
SIP
Troubleshooting
WebGui
Command Line
DAY THREE
Additional Products
ACC
Astaro Report Manager
OSPF
Quality of Service
Before we start …/ ACE Exam
ACE Certificates & Exams
ACE certification signifies that an individual has:
Passed the ACE web-based exam
Demonstrated the knowledge required to implement and configure Astaro Security products with extended features
How do you become an Astaro Certified Engineer?
By passing a web-based exam.
45 randomly selected questions must be answered within 60 minutes
Training participants have one free attempt at the ACE Exam
To log in you will receive a voucher via e-mail shortly after the training
ACE Exam site is available at https://my.astaro.com/training/
How should you prepare for the ACE exam?
Actively participate in the training
Study the ACE-Courseware
Work through the Astaro product Manuals
Configure and test the discussed scenarios in practice
Before we start …/ Course Objective
Upon completion of this course you should be:
Familiar with the Astaro product line
Able to configure Astaro products
Able to troubleshoot common problems on Astaro products
„Get together is the beginning - work together is the success.“
Henry Ford
Astaro Product Overview
Product Overview
The Astaro product portfolio features easy-to-use “all-in-one” security gateways that enable IT managers to effectively protect their network from malicious Internet-based threats. Additional management tools support Astaro’s Gateway products with centralized management and reporting facilities.
All Astaro Gateway products with the exception of the Astaro Report Manager are based upon the same architecture. During the training we will use the term ‘AXG’ whenever we are referring to the common architecture. The specific product abbreviation (ASG, AWG) will be used whenever we are discussing a particular product.
Available Products/Astaro Security Gateway
Astaro Security Gateway is a blend of open-source, proprietary and OEM technology, combined to create an all-in-one device that runs as the perimeter security gateway of a network
Astaro Security Gateway is built on an integrated management platform that makes it easy to install and administer a complete security solution
ASG Overview/ Security Features
Astaro Security Gateway, based on Astaro's award-winning Astaro Security Linux, provides a complete package of 9 perimeter security applications.
E-mail Security
• Virus Protection
• Anti-Spam/Phishing
• E-mail Encryption
Network Security
• Intrusion Protection
• SPI-Firewall and Proxies
• VPN-Gateway
Web Security
• Spyware Protection
• Virus Protection
• Content Filtering
ASG Overview/ Available Appliances
Astaro Security Gateway 110/120
  Users: 10 (ASG 110) / Unrestricted (ASG 120)
  Environment: Home office, small office
  Network ports: 3 x 10/100 Mbps
  Throughput (Mbps): Firewall 100, VPN 30, IPS/IDS 55
  E-mails/day (without Mail Security): 350,000
  Concurrent connections: 60,000
Astaro Security Gateway 220a
  Users: Unrestricted
  Environment: Small business, branch office
  Network ports: 8 x 10/100 Mbps
  Throughput (Mbps): Firewall 260, VPN 150, IPS/IDS 120
  E-mails/day (without Mail Security): 500,000
  Concurrent connections: 400,000
Astaro Security Gateway 320
  Users: Unrestricted
  Environment: Medium business, enterprise division
  Network ports: 4 x 10/100 Mbps, 4 x 10/100/1000 Mbps
  Throughput (Mbps): Firewall 420, VPN 200, IPS/IDS 180
  E-mails/day (without Mail Security): 1,000,000
  Concurrent connections: 550,000
Astaro Security Gateway 425a
  Users: Unrestricted
  Environment: Large enterprise headquarters
  Network ports: 8 x 10/100/1000 Mbps
  Throughput (Mbps): Firewall 1200, VPN 265, IPS/IDS 450
  E-mails/day (without Mail Security): 1,500,000
  Concurrent connections: 700,000
Astaro Security Gateway 525
  Users: Unrestricted
  Environment: Large enterprise core networks
  Network ports: 10 x 10/100/1000 Mbps
  Throughput (Mbps): Firewall 3000, VPN 400, IPS/IDS 750
  E-mails/day (without Mail Security): 2,200,000
  Concurrent connections: >1,000,000
Product Overview/Astaro Web Gateway
Effective “all-in-one” web security for your network:
Single, cost effective and easy to use point solution
Detects and blocks malicious code in HTTP or FTP traffic
Granular control of web site access and use of IM/P2P applications
Deploys as hardware, software, or virtual appliance
Web interface is the same as on the ASG, but with fewer features
AWG System Overview/ Available Appliances
Astaro WebGateway 1000
  Recommended users: 100
  Environment: Small networks
  Network ports: 2 x 10/100/1000 Mbps
  Performance: In-line throughput 50 Mbps; Antivirus/Web 20 Mbps; User requests 100 req./s
Astaro WebGateway 2000
  Recommended users: 250
  Environment: Medium networks
  Network ports: 2 x 10/100/1000 Mbps
  Performance: In-line throughput 80 Mbps; Antivirus/Web 40 Mbps; User requests 375 req./s
Astaro WebGateway 3000
  Recommended users: 750
  Environment: Medium networks
  Network ports: 3 x 10/100/1000 Mbps
  Performance: In-line throughput 150 Mbps; Antivirus/Web 80 Mbps; User requests 120 req./s
Astaro WebGateway 4000
  Recommended users: 2000
  Environment: Large networks
  Network ports: 3 x 10/100/1000 Mbps
  Performance: In-line throughput 250 Mbps; Antivirus/Web 130 Mbps; User requests 3000 req./s
Astaro WebGateway Virtual Appliance
  Recommended users: Unrestricted
  Environment: Small to large networks
  Network ports and performance: depend on the hardware platform used
Product Overview/Astaro Email Gateway
Effective “all-in-one” Email security for your network:
Single, cost effective and easy to use point solution
Detects and blocks malicious code and SPAM in SMTP or POP3 traffic
Provides end user Quarantine management through secure portal and daily SPAM reports
Provides Email Encryption
Web interface is the same as on the ASG, but with fewer features
AMG System Overview/ Available Appliances
Astaro MailGateway 1000
  Recommended users: 100
  Environment: Small networks
  Network ports: 2 x 10/100/1000 Mbps
  Performance: In-line throughput 50 Mbps; Antivirus/Web 20 Mbps; User requests 100 req./s
Astaro MailGateway 2000
  Recommended users: 250
  Environment: Medium networks
  Network ports: 2 x 10/100/1000 Mbps
  Performance: In-line throughput 80 Mbps; Antivirus/Web 40 Mbps; User requests 375 req./s
Astaro MailGateway 3000
  Recommended users: 750
  Environment: Medium networks
  Network ports: 3 x 10/100/1000 Mbps
  Performance: In-line throughput 150 Mbps; Antivirus/Web 80 Mbps; User requests 120 req./s
Astaro MailGateway 4000
  Recommended users: 2000
  Environment: Large networks
  Network ports: 3 x 10/100/1000 Mbps
  Performance: In-line throughput 250 Mbps; Antivirus/Web 130 Mbps; User requests 3000 req./s
Astaro MailGateway Virtual Appliance
  Recommended users: Unrestricted
  Environment: Small to large networks
  Network ports and performance: depend on the hardware platform used
Product Overview/ Astaro Report Manager
Data collection and reporting solution for internal security analysis:
Centralized collection, correlation and analysis of syslog data
Documentation of security infrastructure effectiveness
More than 800 tailored security and activity reports
Real-time monitoring dashboard for instant security incident visibility
Product Overview/ Astaro Report Manager
The Astaro Report Manager is a centralized reporting engine which gives you the ability to collect and analyze log data from one or more ASG installations
The Report Manager allows you to create robust drill-down reports in a variety of output formats like Word, Excel, HTML and PDF
With advanced attack and event analysis, users can create rule-based alerts which can notify administrators when user defined thresholds have been passed
Product Overview/ Astaro Compliance Reporter
The Astaro Compliance Reporter for PCI is an automated service that allows organizations operating under Payment Card Industry (PCI) regulation to easily conduct a formal risk assessment, as required by the PCI Data Security Standard.
Product Overview/ Astaro Command Center
Provides Centralized Management of Large Astaro Gateway Deployments.
Dashboard views display the most important system parameters for all selected devices.
List views offer detailed information about specific parameters, such as detected threats or resources in use.
The world map makes it simple to localize Astaro Security Gateways within a large global network and enables a quick overview of the security status.
A complete hardware inventory of all Astaro Security Gateways is available via a single mouse click.
Astaro Command Center is available free of charge!
Based on the same architecture and management components as the Astaro Security Gateway, the Command Center employs similar flexible deployment options.
System Architecture
AXG System Overview/ Architecture
AXG is based on Novell/SUSE® Linux Enterprise 10
AXG comes with its own hardened, custom-compiled 2.6.x kernel
SLES10 RPMs are used, but are completely recompiled
All major processes, including the WebGUI, run in chroot environments.
AXG is built upon a number of Open Source Projects; many of those are actively developed in cooperation with Astaro, others are sponsored by Astaro.
Open source software is distributed with the source code freely available for alteration and customization
Collective work of many programmers
Resulting software can become more useful and free of holes and bugs
Architecture/ Open Source Module
Astaro leverages the flexibility and innovation of Linux and Open Source
Configuration/ Administration Workflow
Every function can be configured and controlled via the Web-Admin interface.
There is no need to interact with any of the other components or the Command Line Interface (CLI) using a shell like Bash.
Refresher ACA
This chapter provides a refresher of key areas covered during the ACA course
Refresher ACA/ Setting up Ethernet Interfaces
An Ethernet interface is a standard 10/100/1000 Mbit network card
Things to remember:
Set the correct IP address for each interface with the correct netmask
Only define one default gateway unless you are using Uplink Balancing
Make sure that each interface has a unique address range in your environment
Refresher ACA Network Settings / Additional IPs on an Interface
Additional IPs are typically referred to as aliases and follow the same rules as “Standard Ethernet” interfaces.
This feature allows administrators to assign multiple IP addresses to one physical Ethernet interface.
Commonly used with NAT (Network Address Translation)
Limited to 100 aliases per interface.
Restrictions
No DHCP address assignment
No accounting and monitoring
No IPSec tunnel endpoint
NOTE: An IP alias should be from the same IP network range as the primary address of the interface, to avoid problems such as its traffic being treated as IP spoofing. Nevertheless, addresses from other ranges are allowed.
Refresher ACA Network Settings / Uplink (WAN) balancing
Allows for ‘bonding’ of multiple internet connections.
Two modes offered:
Active/Passive (Failover) where second internet connection only becomes active when primary goes down
Active/Active (Multipath) where all internet connections are active and traffic is balanced across them. Traffic automatically fails over to other available links in the event of an outage.
After adding interfaces to Uplink group a new definition called Uplink Interfaces will be automatically created and used by any packet filter and DynDNS rules.
Once Uplink balancing is enabled each interface can be configured with its own default gateway and will have its own routing table.
Refresher ACA /Network Settings / Multipath Rules
Allows administrators to specify which internet connection traffic should use.
This is different from policy routing, since multipath rules can fall back to another connection if the desired interface is down.
Ability to create sticky or persistent connections by:
Combination of source and destination
By connection
By source OR destination
By interface
NOTE: In the Site-to-Site VPN section, there is now a new choice in the “local interfaces” drop-down box, which allows you to select “Uplink Interfaces”. This resolves to the first available interface in the available interfaces box, increasing the redundancy available to site-to-site VPNs.
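To make the persistence options above concrete, here is an added toy model (example code, not Astaro's implementation or rule format) of how a multipath rule can pick an uplink: the persistence key chosen by the rule (source, destination, source+destination, connection, or an explicit interface) is hashed onto the set of uplinks that are currently up, so flows with the same key stay on the same link, and a flow moves to another link only when its link goes down. The interface names eth1/eth2, the addresses and the hashing scheme are assumptions.

```python
"""Toy model of Uplink Balancing multipath rules: which WAN link a flow takes,
how persistence keeps related flows on one link, and how traffic moves to a
surviving link when one goes down.
Added example, not Astaro code; link names, addresses and hashing are assumed."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


def persistence_key(flow: Flow, mode: str) -> str:
    """The part of the flow that a multipath rule keeps sticky."""
    if mode == "source":
        return flow.src
    if mode == "destination":
        return flow.dst
    if mode == "source+destination":
        return f"{flow.src}>{flow.dst}"
    if mode == "connection":        # each 5-tuple may take a different link
        return f"{flow.proto}:{flow.src}:{flow.sport}>{flow.dst}:{flow.dport}"
    raise ValueError(f"unknown persistence mode {mode!r}")


def pick_uplink(flow: Flow, mode: str, uplinks: List[str], up: Dict[str, bool],
                preferred: Optional[str] = None) -> Optional[str]:
    """Choose an uplink for the flow, or None if every link is down.

    preferred models the 'By interface' option: that link is used while it is
    up.  Otherwise the persistence key is hashed onto the links that are up, so
    equal keys land on the same link while the set of healthy links is
    unchanged, and a flow is re-hashed onto the survivors after a failure.
    """
    healthy = [u for u in uplinks if up.get(u, False)]
    if not healthy:
        return None
    if preferred is not None and up.get(preferred, False):
        return preferred
    digest = hashlib.sha256(persistence_key(flow, mode).encode()).digest()
    return healthy[int.from_bytes(digest[:4], "big") % len(healthy)]


UPLINKS = ["eth1", "eth2"]   # assumed: two WAN interfaces in the uplink group


def demo() -> Dict[str, Optional[str]]:
    """Sticky selection, then failover, for two flows from one client to one server."""
    up = {"eth1": True, "eth2": True}
    a = Flow("10.0.0.5", "203.0.113.10", "tcp", 40001, 443)
    b = Flow("10.0.0.5", "203.0.113.10", "tcp", 40002, 443)
    first = pick_uplink(a, "source+destination", UPLINKS, up)
    second = pick_uplink(b, "source+destination", UPLINKS, up)   # same key -> same link
    up[first] = False                                             # that link fails
    after = pick_uplink(a, "source+destination", UPLINKS, up)     # moves to the survivor
    return {"first": first, "second": second, "after_failure": after}


if __name__ == "__main__":
    print(demo())
```

The model keeps the behaviour that distinguishes multipath rules from policy routes: a flow bound to a dead link is moved rather than black-holed. A real gateway additionally relies on connection tracking so that already established connections are not re-hashed when the set of healthy links changes; this toy re-hashes every lookup, which is fine for new flows but would break existing NAT sessions.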
Refresher ACA / Network Address Translation / Masquerading
Used if one (or multiple) internal networks should be hidden behind one official IP address.
Especially useful if private IP address ranges are used.
(Diagram: RFC 1918 private IP network masqueraded behind a public IP)
Refresher ACA /Network Address Translation / DNAT & SNAT
Destination Network Address Translation (DNAT) is used if an internal resource should be accessible via an IP address assigned to the firewall, e.g. a server in a DMZ
Source Network Address Translation (SNAT) is used like masquerading, but allows more granular settings
Note: DNAT occurs before packet filtering takes place. Ensure your packet filter rules have the translated address as the destination, or use the ‘Automatic Packet Filter rule’ option.
Refresher ACA / Packet filtering Architecture
ASG uses the stateful packet filtering capabilities of the 2.6 Linux kernel.
(Diagram: netfilter packet path; tables: NAT, Filter)
Incoming packets -> PREROUTING (conntrack, mangle, dnat, spoofdrop) -> Routing
Routing -> FORWARD (mangle, filter, ips) -> POSTROUTING (masquerading, snat, conntrack, mangle) -> outgoing packets
Routing -> INPUT (mangle, filter, ips) -> Local processes (Apache, Exim, SSHD, Squid, SOCKS, BIND, IPSec, PPTP)
Local processes -> OUTPUT (conntrack, mangle, dnat; mangle, ips) -> Routing -> POSTROUTING -> outgoing packets
Refresher ACA / Packet Filter - Configuration Principles (1)
You only need to maintain one table of filter rules.
ASG automatically creates correct entries in the INPUT, OUTPUT or FORWARD chain as necessary.
The rules in the table are ordered. The first rule to match decides what is done with the packet.
Possible actions are:
Allow
Drop
Reject
Any action allows optional Logging
If no filter rule matches - the packet is dropped and logged!
Astaro Security Gateway starts with an empty table but keeps implicit internal rules for all services it is using itself.
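The two principles above (DNAT is applied in PREROUTING before the FORWARD filter rules see the packet; the filter table is ordered, the first match decides, and no match means drop and log) are easiest to see in a small model. The following is an added example, not Astaro code or its rule format: the addresses, rule names and DMZ topology are made up.

```python
"""Toy model of the ASG packet path for a forwarded packet: NAT-table DNAT in
PREROUTING rewrites the destination first, then the ordered filter table is
evaluated first-match, and a packet matching no rule is dropped and logged.
Added example, not Astaro code; addresses and rule names are made up."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class DnatRule:
    match_dst: str   # address assigned to the firewall (public side)
    proto: str
    dport: int
    new_dst: str     # real server, e.g. in the DMZ


@dataclass(frozen=True)
class FilterRule:
    name: str
    src_net: str
    dst_net: str
    proto: str
    dport: Optional[int]   # None matches any port
    action: str            # "Allow", "Drop" or "Reject"
    log: bool = False      # optional logging on any action


def prerouting(packet: Packet, dnat_rules: List[DnatRule]) -> Packet:
    """NAT table, PREROUTING chain: rewrite dst before routing and filtering."""
    for r in dnat_rules:
        if (packet.dst, packet.proto, packet.dport) == (r.match_dst, r.proto, r.dport):
            return replace(packet, dst=r.new_dst)
    return packet


def forward(packet: Packet, rules: List[FilterRule], log: List[str]) -> str:
    """Filter table, FORWARD chain: ordered rules, first match decides,
    implicit drop-and-log when nothing matches."""
    for r in rules:
        if (ip_address(packet.src) in ip_network(r.src_net)
                and ip_address(packet.dst) in ip_network(r.dst_net)
                and packet.proto == r.proto
                and (r.dport is None or packet.dport == r.dport)):
            if r.log:
                log.append(f"{r.action} by rule {r.name}: {packet}")
            return r.action
    log.append(f"Drop by implicit default rule: {packet}")
    return "Drop"


def process(packet: Packet, dnat_rules: List[DnatRule],
            rules: List[FilterRule]) -> Tuple[str, List[str]]:
    """Chain order as in the kernel: PREROUTING (dnat) -> routing -> FORWARD."""
    log: List[str] = []
    return forward(prerouting(packet, dnat_rules), rules, log), log


# Constructed topology: public 203.0.113.10:80 is DNATed to DMZ host 192.168.10.80
DNAT = [DnatRule("203.0.113.10", "tcp", 80, "192.168.10.80")]
INTERNET_CLIENT = Packet("198.51.100.7", "203.0.113.10", "tcp", 80)

# Mistake: rule written against the public address, which the packet no longer
# carries when the filter sees it -> falls through to the default drop.
RULES_PUBLIC_DST = [FilterRule("web-in", "0.0.0.0/0", "203.0.113.10/32", "tcp", 80, "Allow")]

# Correct: rule written against the translated (DMZ) address.
RULES_TRANSLATED_DST = [FilterRule("web-in", "0.0.0.0/0", "192.168.10.80/32", "tcp", 80, "Allow", log=True)]

# Ordering matters: a broader Drop placed first shadows the Allow below it.
RULES_SHADOWED = [
    FilterRule("block-dmz", "0.0.0.0/0", "192.168.10.0/24", "tcp", None, "Drop", log=True),
    FilterRule("web-in", "0.0.0.0/0", "192.168.10.80/32", "tcp", 80, "Allow"),
]


def demo(rules: List[FilterRule]) -> Tuple[str, List[str]]:
    return process(INTERNET_CLIENT, DNAT, rules)


if __name__ == "__main__":
    for name, rules in [("public dst", RULES_PUBLIC_DST),
                        ("translated dst", RULES_TRANSLATED_DST),
                        ("shadowed", RULES_SHADOWED)]:
        action, log = demo(rules)
        print(f"{name:15} -> {action}  log={log}")
```

Running the three rule sets against the same inbound packet shows the practical consequence of the note above: the rule that names the firewall's public address never matches, the rule that names the DMZ address does, and a rule placed earlier in the ordered table silently wins over a more specific one below it.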
Refresher ACA / Packet Filter - Configuration Principles (2)
Default view (screenshot) shows for each rule: Order, Group name, Source, Action and Service, Destination, Description (optional), Enable/Disable, Edit or delete
Refresher ACA / Packet Filter - Configuration Principles (3)
To create new or edit existing rules:
Assign or create a group
Name: Name for the rule
Move rule to a specific position
The sources: IP or Group
The service: TCP/UDP/IP
The destinations: IP or Group
What to do: Allow, Drop or Reject
When to do: The time
Log Packets: Yes or No
Comment: Whatever helps
Refresher ACA / DNS - Configuration
Global:
Accepts DNS Requests from allowed, internal networks (e.g. your AD-Servers, clients in smaller networks)
Forwarders
Forwards DNS requests of the ASG to e.g. the provider's DNS servers
Request Routing
When the ASG should resolve hostnames of an internal domain hosted on your own internal DNS server, that server can be configured as the server for this domain, so that those requests are not sent to the DNS forwarders.
Static Entries
Handles static mappings of hostnames to IP addresses
Refresher ACA High Availability & Clustering/ Overview
(Diagram: LAN and Internet connected through redundant hardware, redundant switches and redundant links; aggregated links marked)
No more single point of failure!
Refresher ACA High Availability & Clustering/ HA Modes
Active-Passive HA (Standby)
Only the Master is active
Passive (Slave) takes over in case of failure
Configuration settings and operational states are synchronized
Each ASG requires its own base license. Only one set of subscriptions is necessary for both units.
Active-Active HA (Cluster)
Offers High Availability AND Load balancing
All appliances are active at the same time
Application traffic is actively balanced across the cluster of nodes
A maximum of 10 units can be added to the cluster.
Each unit in the cluster requires the same licenses for both base and subscriptions.
Refresher ACA High Availability & Clustering/ Hot Standby Mode
(Diagram: Master and Slave with status & config synchronisation)
All tunnels, stateful connections (IP conntrack) and quarantined objects are synchronized
Stateful failover < 2 sec
Refresher ACA High Availability & Clustering/ Active-Active-Mode
(Diagram: High Availability (Active/Active, load balancing) between LAN and Internet; Master, Slave and cluster nodes fully meshed; scalable to 1 Gigabit/sec VPN, IPS, AV, AS)
Active/Active Mode: the Master runs packet filtering and distributes the load; the Slave and cluster nodes handle the load.
Note:
Packet Filtering runs on the Master only
Balanced services are: AV for HTTP, FTP, SMTP, POP3; AS for SMTP, POP3; IPSec; IPS
Cluster distribution is round robin, except HTTP, which is session based.
Refresher ACA High Availability & Clustering/ Auto Configuration (1)
Automatic Configuration = Default Configuration
Both devices configure themselves upon connection through the HA-Port
To configure an Active/Active Cluster, only the Master needs to be configured to „Cluster Mode“
Appliances: HA interface eth3 (HA port)
(Diagram: Master and Slave connected via the HA port, eth3)
Refresher ACA High Availability & Clustering/ Auto Configuration (2)
Default setting for appliances (HA-Port)
Step 1:
Activate HA (if necessary)
If HA is active, the Status will look like this.
Refresher ACA High Availability & Clustering/ Auto Configuration (3)
Step 2:
Connect the other HA device
Make sure the cabling is correct
Start the device
If everything is correct, the system switches to active/passive operation automatically.
Refresher ACA High Availability & Clustering/ Disabling Master-Slave
Disabling Master/Slave:
Switch the Operation mode back to „Off“
The slave device will perform a factory reset and shut down.
Refresher ACA High Availability & Clustering/ ASG Cluster Configuration (1)
Cluster Configuration:
For the Master System:
Set Operation Mode to „Cluster“
Configure NIC
Configure Device name, e.g. Node1
Select Node ID (1, 2, 3…)
Configure an encryption Key
By default the Master will configure any new devices
(Optional) Configure a backup interface which will be used if the dedicated NIC fails.
Refresher ACA High Availability & Clustering/ ASG Cluster Configuration (2)
Cluster Configuration:
For the Slave System:
The slave system is still configured to auto configuration on eth2 from before (check, if not sure)
Make sure cabling is correct
Power on the device
Once the slave is working, you can see the HA status.
It will display „Operation Mode: Cluster“
Refresher ACA /User Authentication/ Groups
The Users>>Groups section on the AxG allows the administrator to create and manage local and/or remote user groups
Common Group Types:
Local Groups will consist of static members which are user accounts located on the AxG. These accounts can either be locally or remotely authenticated.
Backend membership groups may be dynamically updated and modified by making changes to the group object on the remote authentication server (an example would be an AD security group)
Use the Limit to backend group(s) membership checkbox to specify a specific security group or container on your remote authentication server
Use the built in LDAP browser to view the remote server tree if using eDirectory or Active Directory
Refresher ACA /Remote Authentication/ Available Methods
Astaro has the following options for remote user authentication:
eDirectory
Novell, partly LDAP based
Active Directory
Microsoft, partly LDAP based
RADIUS
Remote Authentication Dial-In User Service
Livingston Enterprises, later RFC
TACACS+
Terminal Access Controller Access-Control System Plus
Cisco, now RFC
LDAP
Lightweight Directory Access Protocol
OSI, X.500, now RFC
Refresher ACA /Remote Authentication/ Global Settings
When using remote authentication the AxG can be configured to automatically add user accounts when users successfully authenticate against:
HTTP Proxy
End User Portal
SSL VPN
WebAdmin
NOTE: Automatically creating user accounts for HTTP Proxy users in large environments (eDirectory) is not recommended and will have an adverse effect on AxG performance.
Refresher ACA /Remote Authentication/ Novell eDirectory
With AxG V7 eDirectory SSO, Novell users will only need to authenticate once at initial client login to gain web access to the Internet.
Once authenticated, Web security capabilities of AxG are applied to web surfing based on the user or group without the need for further authentication at the browser level.
Features such as the ‘Test Server’ and ‘Test Settings’ buttons allow an administrator to verify their BIND User DN settings as well as verify individual user account credentials.
Refresher ACA /Remote Authentication/ Novell eDirectory
Advanced options let you set the synch interval which is how often the AxG will query (Poll) the eDirectory server for updated account information relating to relevant information such as logins/logouts, and group changes.
Prefetching of user accounts can be done on the fly or may be scheduled.
As of version 7.400 the AxG software also supports Event Based eDirectory synchronization. This new feature is an eDirectory option which requires version 8.7 or higher.
Event Based synchronization replaces the existing Polling method, which will still be used if the eDirectory server does not support this feature. Event Based synchronization instructs the eDirectory server to send notifications of any changes such as logins or logouts, and can significantly reduce the network load between the AxG and the eDirectory server.
Refresher ACA /Remote Authentication/ Novell eDirectory
When creating Groups from the Novell eDirectory, ASG offers a very convenient eDirectory Browser
It allows you to select user groups directly through the Web Admin Interface
NOTE:
• SSO in eDir does not work on machines where more than one user is logged in. (Terminal Servers)
Refresher ACA /Remote Authentication/ Active Directory
With AxG V7 Active Directory SSO, domain users will only need to authenticate once at initial client login to gain web access to the Internet.
Based on the AxG V7 SSO authenticated user, user/group based access control and content inspection profiles can be assigned.
AD SSO requires either Kerberos or NTLMv2 for authentication
Features such as the ‘Test Server’ and ‘Test Settings’ buttons allow an administrator to verify their BIND User DN settings, verify that a user account is active, and see which groups it belongs to.
Administration is eased via the built-in LDAP browser.
Prefetching of user accounts can be done on the fly or by schedule.
Refresher ACA /Remote Authentication/ Active Directory
As of version 7.400 the AxG software now supports Windows Server 2008 Native mode.
To enable AD SSO you must:
Verify that the time and time zone settings are the same on both the AxG and the AD server (Kerberos rejects tickets once the clock skew exceeds its tolerance, 5 minutes by default).
Create a DNS ‘A’ record on the AD server that matches the FQDN hostname you have assigned to the AxG
Configure the AxG to use the AD server as a DNS forwarder, OR create a DNS request route for the AD domain which points to the AD DNS server
When configuring the AD SSO section the domain must be complete (ASTARO.COM) and should be entered in ALL CAPS.
Use the same admin username that you used in the BIND DN section.
Refresher ACA /Web Security/ Overview
Astaro’s Web Security is offered as a subscription on the ASG and as a solution on the Astaro Web Gateway (AWG).
Astaro Web Security provides a complete solution to protect users against malicious content, and allows an organization to enforce their web usage policy through flexible policies
Firewalls only pass HTTP/S traffic and are unable to scan for malware such as viruses, adware, spyware and rootkits
HTTP/S proxies ensure client PCs never directly connect to outside resources
Web Security allows administrators to block anonymous proxies, port forwarding sites and applications, and block/control IM/P2P applications
Refresher ACA /Proxies/ Theory
A Proxy (or Application Level Gateway) acts as a relay between a client and a server.
It plays the roles of client and server at the same time.
It speaks one or a few application specific protocols.
(Diagram: Client sends HTTP/S Request to Proxy; Proxy sends HTTP/S Request to Server; Server returns HTTP/S Response to Proxy; Proxy returns HTTP/S Response to Client)
Refresher ACA Web Security/ HTTP/S Proxy – Overview
The HTTP/S Proxy provides:
Different proxy modes including user Authentication
Antivirus/malware scanning
Extension/MIME type blocking
Content Filtering
HTTP/S Protocol Enforcement
Local content caching
The ability to create different profiles for different users, groups, or networks
Refresher ACA /Web Security/ HTTP/S Global Configuration
Networks that are listed in the ‘Allowed Networks’ section will be allowed to use the proxy
HTTPS (SSL) traffic can also be proxied and scanned. To do this the AxG must maintain the chain of trust between the client and the web server: it terminates the client's TLS session with a certificate it issues itself and verifies the web server's certificate on the client's behalf. This is done via a system of certificate exchanges.
The HTTP/S live log provides detailed information on connections and the ability to filter on specific users or IP addresses.
Information found in the Live Log includes Date, Time, Source IP, Username, Status of connection (Pass, Fail, Timed Out, Target Service Not Allowed) and URL.
Refresher ACA Web Security/ HTTP/S Global Configuration/ HTTPS Proxy configuration
To establish the chain of trust the HTTPS proxy uses Verification CAs and a Signing CA
A new tab in Web Security called HTTPS CAs contains the major Global Verification CAs which are in use today and the Signing CA
NOTE: It is also possible to upload your own Verification CA if necessary. Under most circumstances though it will not be necessary to make changes on this tab.
Refresher ACA Web Security/ HTTP/S Global Configuration/ HTTPS Proxy configuration/testing
To use the HTTPS proxy the client browsers will need to import or “Trust” the Proxy CA that exists on their AxG. There are 3 ways administrators can deploy this to their users:
Have the users sign in to the UserPortal, select the “HTTPS Proxy” tab, and import the proxy CA certificate. Select all option-boxes and select “OK”, and the import will finish. Note that you should do this for all browsers you use.
Publish the CA using an Active Directory Group Policy. As the administrator, navigate to Web Security>>HTTP/S and select the “HTTPS CAs” tab. From there, click the “Download” button at the top in the “Signing CA” section, and use Active Directory to distribute it to your network users.
Have the users directly download it via a special URL directly from the Astaro Device, by navigating to https://passthrough.fw-notify.net/cacert.pem in their browser, and then selecting all the checkboxes on the import dialog box, and selecting “Ok” to complete the process.
Once deployed the HTTPS scanning can be verified by using a test file from a site that vendors use. This file will be reported as “malware/virus” though it is in fact harmless and designed just for this type of testing.
https://secure.eicar.org/eicar_com.zip.
Refresher ACA /Web Security/ HTTP/S Operational Modes
Standard
Proxy listens on port 8080
Allows any network listed in Allowed Networks to connect
Client browser must be configured
HTTP proxy service requires a valid Domain Name Server (DNS)
Transparent
Proxy handles all traffic on port 80
Client doesn’t need to touch browser configuration
Proxy cannot handle FTP and HTTPS
Packet filter must allow ports 21 and 443
No HTTP on ports other than port 80
Clients must be able to resolve DNS hostnames themselves!
*Full transparent mode preserves the original source IP of the client machine instead of replacing it with the proxy IP
Refresher ACA /Web Security/ HTTP/S Operational Modes
Active Directory and eDirectory modes transparently authenticate users but require that the client browser has been configured to use a proxy server
These settings can be configured manually in the browser or pushed out by a group policy
A popular alternative for environments with laptop users is to use a proxy configuration file which can be configured to first check the local network before applying proxy settings. More information and examples can be found at the following URL http://en.wikipedia.org/wiki/Proxy_auto-config
HTTP Content Filter Profiles
HTTP/S Profiles allow you to create different permissions for different users, groups, and/or networks.
The configuration is done by linking Proxy Profiles and Filter Actions through Filter Assignments
Refresher ACA /Web Security/ Content Filter Profiles
Refresher ACA /Web Security/ Content Filter Profiles
Flexible configuration is possible through Proxy Profiles and Filters.
Each Profile holds a combination of options and settings.
Allows for time, user and user group based filtering
The suggested way to create profiles is to work from the right to the left.
First create your Filter Actions, then create your Filter Assignments, and then create your Proxy Profiles
Refresher ACA / Email Security Mail Manager/ Overview/Global tab
The Mail Manager allows you to view and manage the Quarantined SMTP and POP3 messages for all users. Additionally you can view the SMTP log which contains a record of all messages that have been handled by the AxG.
Statistics are shown on the Global tab listing e-mails Waiting for Delivery, Quarantined, and Rejected.
The Mail Manager Utility is reached by clicking the Open Mail Manager in New Window button.
HINT: Notice that only the administrator can release all types of messages held in quarantine. End users can only release Spam using the User Portal or the Quarantine Report.
Refresher ACA / Email Security Mail Manager/SMTP Quarantine
The SMTP Quarantine Option lets the Administrator view all SMTP mails being held in Quarantine, and provides information on why they were not delivered.
Filters are available to sort mails by type (Malware, SPAM, Expression…)
Search by Sender/Subject, Date or any phrase
Global actions for cleanup and release are available
HINT: SPAM false positives that are incorrectly quarantined by the Heuristic engine can be automatically released and reported back to Commtouch.
Refresher ACA / Email Security Mail Manager/SMTP Spool/ Tips
The SMTP Spool Option lets the Administrator view all SMTP mails processed but not delivered.
The AxG Mail Manager also features Tips which can offer guidance or explain terms.
Refresher ACA / Email Security Mail Manager/SMTP Log
The SMTP Log Section displays an entry for all emails processed by the AxG. Messages can be sorted by Reason or Result.
Refresher ACA /Remote Access / Astaro SSL VPN Client
Based on OpenVPN 32 bit version. For 64 bit operating system support download the latest OpenVPN client and configure per the following KB article http://portal.knowledgebase.net/article.asp?article=299973&p=5956
Uses latest SSL version (TLS)
Proven technology
Used for all internet applications
Offers Secure and stable authentication and encryption
Easy client installation and configuration
Platform independent client application
Windows, Linux, Mac OS X, Solaris, OpenBSD, FreeBSD, NetBSD…
Accessible from anywhere
Via NAT, UMTS, GPRS, DSL,..
Using dynamic IP addresses…
Refresher ACA SSL-based Remote Access / Configuration/Global
Enable the SSL Remote Access status
Drag and Drop the Users or Group objects
Drag and Drop the Local Networks that users should be able to access
If you uncheck Automatic Packet Filter rules you will have to manually create PF rules in the Network Security>>Packet Filter section.
The Server Settings allow you to choose the protocol (TCP or UDP) to be used. Note that UDP will be much quicker though it may not work with all applications.
The port number (443 by default). This can be changed if you already use 443 for a NAT rule.
The Override hostname field must use a valid IP or hostname that clients can resolve!
Refresher ACA SSL-based Remote Access / Configuration/ Settings
Pool network: The default settings assign addresses from the private IP space 10.242.2.x/24. This network is called the VPN Pool (SSL). If you wish to use a different network, simply change the definition of the VPN Pool (SSL) on the Definitions>>Networks page.
Duplicate CN allows multiple users with the same common account name to connect
Refresher ACA /SSL-based Remote Access / Installing the SSL VPN Client on Windows
Installing the SSL VPN Client Software
The installation wizard copies all needed files to the client system.
A virtual network card will be installed during the installation process.
Since the relevant driver is not certified by Microsoft, a caution message will appear but can be ignored.
Refresher ACA /SSL-based Remote Access / Installing the SSL VPN Client on Windows
Using the SSL Client
Log in with Username and Password
The connection dialogue box allows you to monitor the set-up of the connection.
SSL VPN Remote Access can be disconnected by clicking <Disconnect>.
Refresher ACA /SSL-based Remote Access / Installing the SSL VPN Client on Windows
Connectivity Testing
Log in with Username and Password
The connection dialogue box allows you to monitor the set-up of the connection.
SSL VPN Remote Access can be disconnected by clicking <Disconnect>.
Refresher ACA /SSL-based Remote Access / Installing the SSL VPN Client on Windows
Configuration analysis & troubleshooting
<Show Status> provides all details regarding authentication, encryption, routing, etc.
<View Log> shows detailed log information depending on
Refresher ACA /SSL-based Remote Access / Configuring logon Scripts to run automatically
There are three different scripts that the SSL VPN GUI can execute to help with different tasks like mapping network drives automatically.
Preconnect: If a file named "***_pre.bat" exists in the config folder where *** is the same as your OpenVPN config file name, this will be executed BEFORE the OpenVPN tunnel is established.
Connect: If a file named "***_up.bat" exists in the config folder where *** is the same as your OpenVPN config file name, this will be executed AFTER the OpenVPN tunnel is established.
Disconnect: If a file named "***_down.bat" exists in the config folder where *** is the same as your OpenVPN config file name, this will be executed BEFORE the OpenVPN tunnel is closed.
Note that the ‘config’ directory may be named something like '[email protected]' and to use the _up.bat you must rename both this directory and the OpenVPN configuration file that is contained within to something without special characters such as '@'. So you could rename this directory and the associated OpenVPN config file to 'userdomain.com'. Once this is done you can simply put your 'userdomain_up.bat' file into this directory and it will launch when you run the SSL VPN application.
Network
In this chapter you will learn about features not covered by the ACA course:
VLAN
Link Aggregation
Bridging
Policy Routing
OSPF
QOS
Networking/ VLAN (1)
Virtual LAN (VLAN) technology allows a network to be separated into multiple smaller network segments on the Ethernet level (layer 2).
A VLAN switch plus a VLAN capable network interface simulate a number of physical interfaces plus cabling.
Every segment is identified by a "tag" (an integer number).
Adding a VLAN interface will create a virtual hardware device.
Example
PC1 and PC2 on the first floor and PC4 on the second floor will be connected together on VLAN 10.
PC3, PC5 and PC6 will be connected together on VLAN 20.
Both VLANs can communicate through the ASG’s rulebase.
Switch a port table (Port: VLAN tag, tagged/untagged):
1: 10, 20 T
2 (PC1): 10 U
3 (PC2): 10 U
4 (PC3): 20 U
5: 10, 20 T
Switch b port table (Port: VLAN tag, tagged/untagged):
1: 10, 20 T
2 (PC4): 10 U
3 (PC5): 20 U
4 (PC6): 20 U
[Figure: Firewall/Router connected to Switch a (ports a1-a5, Host1-Host3) and Switch b (ports b1-b4, Host4-Host6)]
Networking/ VLAN (2)
VLAN segments are distinguished by a tag (integer value), a 12-bit number, allowing up to 4095 virtual LANs.
When you add a VLAN interface, you will create a virtual hardware device that can be used to add additional interfaces (aliases) too.
NOTES:
- It is essential to check the HCL to ensure VLAN-capable NICs are supported.
- PPPoE and PPPoA devices cannot be run over VLAN virtual hardware.
- Make sure you have installed a VLAN-capable NIC or refer to the HCL.
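As an added example (not code from the Astaro courseware or the ASG), the following Python builds and parses 802.1Q-tagged Ethernet frames and models how the ports of "Switch a" from the slide above classify and flood a frame. The MAC addresses, the payloads and the access/trunk port semantics are assumptions made for this model; the port table itself is the one drawn on the slide.

```python
import struct

TPID_8021Q = 0x8100          # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
VID_MAX = 4095               # 12-bit VLAN ID field; 802.1Q reserves 0 and 4095 themselves


def _mac(text):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes(int(part, 16) for part in text.split(":"))


def build_frame(dst, src, payload, vid=None, pcp=0, ethertype=ETHERTYPE_IPV4):
    """Untagged frame when vid is None; otherwise insert the 4-byte 802.1Q tag after the MACs."""
    header = _mac(dst) + _mac(src)
    if vid is None:
        return header + struct.pack("!H", ethertype) + payload
    if not 0 <= vid <= VID_MAX:
        raise ValueError("VLAN ID must fit in 12 bits")
    tci = ((pcp & 0x7) << 13) | (vid & 0xFFF)   # priority bits, DEI=0, VLAN ID
    return header + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, vid, ethertype, payload); vid is None for an untagged frame."""
    dst, src = frame[:6], frame[6:12]
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        return dst, src, tci & 0xFFF, ethertype, frame[18:]
    return dst, src, None, tpid, frame[14:]


# Port table of "Switch a" as drawn on the slide. Tagged ports are trunks carrying
# several VLANs; untagged (access) ports belong to exactly one VLAN.
SWITCH_A = {
    1: {"tagged": True,  "vlans": {10, 20}},   # uplink towards the firewall/router
    2: {"tagged": False, "vlans": {10}},       # PC1
    3: {"tagged": False, "vlans": {10}},       # PC2
    4: {"tagged": False, "vlans": {20}},       # PC3
    5: {"tagged": True,  "vlans": {10, 20}},   # link to Switch b
}


def classify(frame, port):
    """VLAN a frame belongs to on ingress, or None when the port must drop it."""
    _, _, vid, _, _ = parse_frame(frame)
    if not port["tagged"]:
        # Access port: accepts only untagged frames and assigns its own VLAN
        return None if vid is not None else next(iter(port["vlans"]))
    # Trunk port: the frame must carry a tag for a VLAN the port is a member of
    return vid if vid is not None and vid in port["vlans"] else None


def flood(switch, in_port, frame):
    """Forward a broadcast/unknown-destination frame to every other port in its VLAN,
    re-tagging (trunk) or stripping the tag (access) to suit each egress port.
    Returns {port_number: frame_as_sent}; an empty dict means the frame was dropped."""
    vid = classify(frame, switch[in_port])
    if vid is None:
        return {}
    dst, src, _, ethertype, payload = parse_frame(frame)
    sent = {}
    for number, port in switch.items():
        if number == in_port or vid not in port["vlans"]:
            continue   # never back out the ingress port; never into a foreign VLAN
        sent[number] = build_frame(dst.hex(":"), src.hex(":"), payload,
                                   vid=vid if port["tagged"] else None,
                                   ethertype=ethertype)
    return sent
```

A broadcast from PC1 reaches PC2 untagged and leaves both trunks tagged with VLAN 10, but never reaches PC3 on VLAN 20; the only path between the two VLANs is through the ASG's rulebase, which is exactly the separation the slide relies on. A tagged frame arriving on an access port, or a tag for a VLAN the trunk does not carry, is dropped.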
Networking/ Overview IEEE 802.3ad Link Aggregation
Link aggregation (LA, also known as "port trunking" or "NIC bonding") allows you to aggregate multiple Ethernet network ports into one virtual interface.
Aggregated ports appear as a single IP address.
The Link Aggregation Control Layer (LACL) controls the distribution of the data stream to the different ports, communicating via the Link Aggregation Control Protocol (LACP).
Link aggregation is useful to
increase the link speed beyond the speed of any one single NIC
provide basic failover and fault tolerance by redundancy
All traffic routed over the failed port or switch is automatically re-routed to remaining ports or switches.
Failover is completely transparent to the system using the connection.
NOTES:
– In an HA environment, Ethernet connections can even be on different HA units.
– Link partners must support IEEE 802.3ad.
– LA and Bridging cannot be combined. LA cannot work with DSL.
Networking / Link Aggregation using ASG
Link aggregation allows you to have:
Trunking two links for speed and
Two links in redundancy mode
Requirement:
The link partner needs to support Link Aggregation
Networking / Link Aggregation – Configuration (1)
IEEE 802.3ad Link Aggregation
Link Trunking (for speed)
Link Redundancy (for high availability)
Combination of both
To enable Link Aggregation:
Add Links to the group
Astaro Supports up to 4 Link Aggregation Groups
Networking / Link Aggregation – Configuration (2)
To create a link aggregation group (LAG), proceed as follows:
1. Select the interfaces you want to convert into a link aggregation group.
2. Select the check box for each unconfigured interface you want to add to the LAG.
3. Enable the LAG.
Up to four different link aggregation groups with a maximum of four Ethernet interfaces per group possible.
On top of the bonding interface you can create one of the following:
Ethernet Standard
Cable Modem (DHCP)
Ethernet VLAN
Alias interfaces
To disable a LAG, clear the check boxes of the interfaces that make up the LAG and click Update This Group.
The status of the bonding interface is shown on the Support / Advanced / Interfaces Table tab.
Link partner needs to support 802.3ad. MAC-Address of the first NIC in the LAG will be used for all other NICs within the LAG.
Networking/ Bridging – Overview (1)
Bridging occurs at the link layer (OSI layer 2)
The link layer controls data flow, handles transmission errors, provides physical (as opposed to logical) addressing, and manages access to the physical medium
Bridges analyze incoming frames, make forwarding decisions based on information contained in the frames, and forward the frames toward the destination
[Figure: Keep Subnet vs. Split Subnet]
NOTE: Bridging does not require splitting a network in two subnets to integrate ASG into an existing network.
Networking/ Bridging – Overview (2)
A bridge transparently relays traffic between multiple network interfaces.
Basically, a bridge connects two or more physical networks together to form one bigger (logical) network.
How it works:
The default gateway for 172.16.1.2 and 172.16.1.4 is 172.16.1.1
172.16.1.1 is the bridge interface br0 with ports eth1 and eth2
NOTE: All devices must have the same maximum packet size (MTU) since the bridge doesn't fragment packets.
Networking / Bridging – Overview (3)
The idea is that traffic between 172.16.1.4 and 172.16.1.2 is bridged, while the rest is routed, using masquerading.
How it works:
When ethX interfaces are added to a bridge, they become part of the br0 interface
The Linux 2.6 kernel has built-in support for bridging via the ebtables project
Ebtables has very basic IPv4 support
Bridge-nf is the infrastructure that enables iptables/netfilter to see bridged IPv4 packets and do advanced things like transparent IP NAT
It forces bridged IP frames/packets to go through the iptables chains
Networking/ Bridging – Configuration (1)
Configuration Example:
Networking/ Bridging – Configuration (2)
There are two advanced options available: Allow ARP Broadcasts and Ageing timeout.
By default, ARP broadcasts are not allowed to pass across the bridged interfaces
If needed, enable the Allow ARP Broadcasts option
As the network can change, we need to specify when to remove an entry due to inactivity; this is the Ageing timeout.
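The following Python is an added example (not the ASG's bridge implementation) of the learning-bridge behaviour the bridging slides describe: MAC learning, forwarding or flooding per frame, the same-segment filter, the ageing timeout that forgets silent entries, the default of not passing ARP broadcasts, and the MTU rule (a bridge does not fragment). Port names, MAC addresses, the timestamps and the 300-second default are assumptions made for this model.

```python
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"
ETHERTYPE_ARP = 0x0806


@dataclass(frozen=True)
class Frame:
    dst: str          # destination MAC
    src: str          # source MAC
    ethertype: int
    length: int = 64  # bytes on the wire, used for the MTU check


class Bridge:
    """Transparent learning bridge such as br0 built from eth1 and eth2 on the slide."""

    def __init__(self, ports, ageing_timeout=300, allow_arp_broadcasts=False, mtu=1500):
        self.ports = list(ports)
        self.ageing_timeout = ageing_timeout          # seconds of inactivity before a MAC is forgotten
        self.allow_arp_broadcasts = allow_arp_broadcasts
        self.mtu = mtu
        self.table = {}                               # MAC -> (port, last seen)

    def _age_out(self, now):
        """Drop forwarding-table entries that have been silent for the ageing timeout."""
        for mac, (_, seen) in list(self.table.items()):
            if now - seen >= self.ageing_timeout:
                del self.table[mac]

    def _flood(self, in_port):
        return [p for p in self.ports if p != in_port]

    def handle(self, frame, in_port, now):
        """Return the ports the frame is sent out of; [] means it was filtered or dropped."""
        if in_port not in self.ports:
            raise ValueError(f"{in_port} is not a bridge port")
        if frame.length > self.mtu:
            return []                                  # bridges do not fragment; all ports need one MTU
        self._age_out(now)
        self.table[frame.src] = (in_port, now)        # learn: this MAC lives behind in_port
        if frame.dst == BROADCAST:
            if frame.ethertype == ETHERTYPE_ARP and not self.allow_arp_broadcasts:
                return []                              # ASG default: ARP broadcasts stay on their side
            return self._flood(in_port)
        known = self.table.get(frame.dst)
        if known is None:
            return self._flood(in_port)                # unknown unicast: flood to find it
        port, _ = known
        return [] if port == in_port else [port]       # same segment: filter; otherwise forward
```

The ageing timeout is the trade-off the slide hints at: too long and a host that moved to another port keeps receiving nothing until its stale entry expires; too short and the bridge floods more often than necessary.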
Networking/ Policy Based Routing (1)
Policy-based routing provides a mechanism for expressing and implementing forwarding/routing of data packets based on the policies defined by the network administrators.
It provides a more flexible mechanism for routing packets, complementing the existing mechanism provided by routing protocols.
[Figure: two routers, one towards Prov. A (MPLS) and one towards Prov. B (DSL)]
Packets can now be routed based on source IP address, source port and destination port, in addition to normal routing which is based on the destination IP address.
Example:
[Figure: DMZ 1, LAN 1 and LAN 2 (ERP, SMTP) behind the ASG]
interface = any, service = SAP, source = Finance, target = Provider A: Route ERP traffic from Finance to the MPLS Provider
interface = 2, service = SMTP, source = DMZ1, target = Provider B: Route SMTP traffic from DMZ to the DSL Provider
Networking/ Policy Based Routing (2)
Policy based routing will route by selectors:
Destination
Source
Service
Source Interface
Policy based routing will route to targets:
An interface
A host
Limitations:
It is not possible to select all traffic and route it as this would be a default gateway
Policy routes have an order which is evaluated in the same way as the packet filter (top to bottom)
Only user defined policy routes are possible
Network groups in policy routes are not possible
The following benefits can be achieved by implementing policy-based routing in the networks:
Load Sharing
Cost Savings
Source-Based Transit Provider Selection
Quality of Service (QoS)
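As an added example (not the ASG's routing code), the Python below models the policy routing rules of the slides: the four selectors, interface or host targets, top-to-bottom evaluation like the packet filter, the fall-back to ordinary destination-based routing, and the rule that a catch-all policy route is rejected. The network addresses, the interface names and the SAP port (assumed to be TCP 3200 here) are constructed for the model; the two rules mirror the slide's example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: str           # "tcp" or "udp"
    dport: int
    in_iface: str


@dataclass(frozen=True)
class PolicyRoute:
    """One policy route: every selector left as None matches anything."""
    name: str
    target: str                                   # an interface or a host (next hop) name
    source: Optional[IPv4Network] = None
    destination: Optional[IPv4Network] = None
    service: Optional[Tuple[str, int]] = None     # (proto, port)
    source_interface: Optional[str] = None

    def __post_init__(self):
        if (self.source, self.destination, self.service, self.source_interface) == (None,) * 4:
            # the slide's limitation: a catch-all would be a default gateway, not a policy route
            raise ValueError(f"{self.name}: at least one selector is required")

    def matches(self, pkt):
        return ((self.source is None or pkt.src in self.source)
                and (self.destination is None or pkt.dst in self.destination)
                and (self.service is None or (pkt.proto, pkt.dport) == self.service)
                and (self.source_interface is None or pkt.in_iface == self.source_interface))


def route(pkt, policy_routes, routing_table):
    """Policy routes are tried top to bottom, like packet filter rules; the first hit wins.
    Only if none matches does ordinary destination-based (longest prefix) routing apply.
    Returns (how, target)."""
    for rule in policy_routes:
        if rule.matches(pkt):
            return "policy", rule.target
    candidates = [(net, via) for net, via in routing_table if pkt.dst in net]
    net, via = max(candidates, key=lambda entry: entry[0].prefixlen)
    return "route", via


# Constructed networks and services for the slide's example.
FINANCE = ip_network("10.1.2.0/24")
DMZ1 = ip_network("192.0.2.0/24")
SAP = ("tcp", 3200)      # assumed SAP dispatcher port for this model
SMTP = ("tcp", 25)

POLICY_ROUTES = [
    PolicyRoute("ERP to MPLS", target="Provider A", source=FINANCE, service=SAP),
    PolicyRoute("SMTP to DSL", target="Provider B", source=DMZ1, service=SMTP,
                source_interface="eth2"),
]

ROUTING_TABLE = [
    (ip_network("10.0.0.0/8"), "eth1"),            # internal networks, directly attached
    (ip_network("0.0.0.0/0"), "Default gateway"),  # everything else
]
```

Because evaluation stops at the first match, a broad rule placed above a specific one silently overrides it; when a policy route does not seem to take effect, check the order before anything else.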
OSPF/ Overview
OSPF = Open Shortest Path First
Link-state hierarchical routing protocol
Uses Dijkstra's SPF Algorithm to calculate the shortest path tree.
Open standard, developed by IETF
ASG supports OSPF version 2, RFC 2328 (using the Quagga package, http://www.quagga.net)
Interior Gateway Protocol (IGP) for routing within one autonomous System (AS)
OSPF uses cost as its routing metric (e.g. by dividing 10^8 by the bandwidth of the interface in bits per second)
The cost of an OSPF-enabled interface is an indication of the overhead required to send packets across a certain interface.
The cost of an interface is inversely proportional to the bandwidth of that interface.
A link state database is constructed of the network topology which is identical on all routers in the area.
OSPF guarantees loop-less routing.
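The cost formula and the SPF calculation above, carried through in Python as an added example (not Quagga's or the ASG's code): interface cost from the 10^8 reference bandwidth, a link-state database that every router in the area shares, and Dijkstra's shortest path tree including equal-cost next hops. The four-router topology and its bandwidths are constructed for the example.

```python
import heapq

REFERENCE_BANDWIDTH = 10**8   # 100 Mbit/s, the reference value used on the slide


def ospf_cost(bandwidth_bps):
    """Interface cost = 10^8 / bandwidth; integer, and never below 1, so every link
    faster than 100 Mbit/s gets the same cost unless the reference bandwidth is raised."""
    return max(1, REFERENCE_BANDWIDTH // bandwidth_bps)


def build_lsdb(links):
    """Link-state database {router: {neighbour: cost}} from (a, b, bandwidth) point-to-point links.
    Every router in an area ends up with this same database."""
    lsdb = {}
    for a, b, bandwidth in links:
        cost = ospf_cost(bandwidth)
        lsdb.setdefault(a, {})[b] = cost
        lsdb.setdefault(b, {})[a] = cost
    return lsdb


def spf(lsdb, root):
    """Dijkstra's shortest path first from `root`.
    Returns {router: (total_cost, sorted next hops)}; several next hops mean equal-cost
    paths, which OSPF may load-balance across. Because costs are >= 1 and nodes settle in
    cost order, a node is never settled before all of its equal-cost predecessors."""
    dist = {root: 0}
    hops = {root: frozenset()}
    settled = set()
    queue = [(0, root)]
    while queue:
        d, node = heapq.heappop(queue)
        if node in settled:
            continue
        settled.add(node)
        for neighbour, cost in lsdb[node].items():
            candidate = d + cost
            via = frozenset({neighbour}) if node == root else hops[node]
            if candidate < dist.get(neighbour, float("inf")):
                dist[neighbour], hops[neighbour] = candidate, via
                heapq.heappush(queue, (candidate, neighbour))
            elif candidate == dist[neighbour]:
                hops[neighbour] = hops[neighbour] | via     # keep the equal-cost path
    return {router: (dist[router], sorted(hops[router])) for router in dist}


# Constructed four-router area: R1 reaches R4 over two 100 Mbit/s paths (cost 2 each)
# or a direct 10 Mbit/s link (cost 10).
LINKS = [
    ("R1", "R2", 10**9),
    ("R1", "R3", 10**8),
    ("R2", "R4", 10**8),
    ("R3", "R4", 10**8),
    ("R1", "R4", 10**7),
]
```

Note the consequence of the default reference bandwidth: the 1 Gbit/s link R1-R2 costs the same as the 100 Mbit/s link R1-R3, so SPF treats both paths to R4 as equal and load-balances across them; on gigabit networks the reference bandwidth has to be raised consistently on every router for costs to reflect real speeds.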
OSPF/ Features & Benefits
Area concepts for hierarchical topologies and reduction of CPU and memory consumption of routers
Independent from IP subnet classes
Arbitrary, dimensionless metric
Load Balancing for paths with equal costs
Special reserved multicast addresses reduce impact at non-OSPF devices
Authentication
External Route Tags
TOS-Routing possible
Fast database reconciliation after topology changes
Support for large networks
Low susceptibility for fault routing information
OSPF/ ASG Configuration – OSPF-ID
The OSPF-Id is a unique ID to the router device.
This can be the official Address
It is denoted in x.x.x.x format
OSPF/ ASG Configuration – OSPF Area
Before you can enable the OSPF function, you must have at least one OSPF area configured.
Areas are identified by a 32-bit ID in dot-decimal notation similar to the notation of IP addresses.
OSPF/ ASG Configuration – OSPF Interfaces (1)
The OSPF interface defines Interfaces that can be used to announce OSPF networks.
OSPF/ ASG Configuration – OSPF Interfaces (2)
The OSPF interface must be added to the area that will be announced
OSPF/ ASG Configuration – OSPF Interfaces (3)
The OSPF debug section gives information about the current state of OSPF operations. It shows neighbors, routes, interfaces, etc. in pop-up windows.
Quality of Service/ Working Principle
Quality of Service (QoS) can reserve guaranteed bandwidths for certain types of outbound network traffic passing between two points in the network.
Inbound traffic is optimized internally by various techniques such as Stochastic Fairness Queuing (SFQ) or Random Early Detection (RED).
[Figure: Headquarter (ASG left) to Branch Office (ASG right), without and with traffic shaping]
Quality of Service/ Features and Benefits
QoS allows you to
Limit available bandwidth
Guarantee minimum bandwidth
Define traffic directions carefully
Works per Interface
Works per Subnet/Host
Works per Service
[Figure: upstream is shaped on the Ext. NIC, downstream on the Int. NIC; HTTP & FTP download from ANY is outbound from the ext. NIC’s view]
Quality of Service/ Configuration
Status: The Status tab lists the interfaces for which QoS can be configured. By default, QoS is disabled for each interface.
Traffic Selectors: A traffic selector can be regarded as a QoS definition for a certain type of network traffic.
Internal & External Bandwidth Pool: Bandwidth Pools describe the bandwidth shared by multiple sources. Bandwidth Pools can also specify upper bandwidth limits.
Quality of Service/ Configuration: Status Overview
Display all available interfaces
Define the available, physical bandwidth.
Define the guaranteed uplink and downlink bandwidth for any Interface, e.g. the DSL line.
By default, QoS is disabled for each interface
Quality of Service/ Configuration: Traffic Selectors
Traffic Selectors describe what traffic needs to be accounted.
The description contains details about the source of the traffic, its destination and its service.
TOS/DSCP allows the “Type of Service” and “DiffServ” flags in the traffic to be taken into account.
It is possible to build groups of Traffic Selectors.
Quality of Service/ Configuration: Bandwidth Pools
Bandwidth Pools
They describe the available and guaranteed bandwidth for the available interfaces
Networking Review Questions
Networking/ Review Questions
1. How many VLANs can you create on an ASG interface?
You can create up to 4095 VLANs on each interface.
2. What are two major benefits of Link aggregation?
LAG can be used to increase the link speed beyond the speed of any one single NIC, and to provide basic failover and fault tolerance by redundancy.
3. On which OSI layer does bridging occur?
Bridging occurs at the link layer (OSI layer 2)
4. Name some of the benefits of using OSPF.
OSPF guarantees loop-less routing.
Support for very large networks.
Low susceptibility for fault routing information
Load Balancing for paths with equal costs
5. What are the two major benefits to using QOS?
Limit available bandwidth
Guarantee minimum bandwidth
Network Security
In this chapter you will learn about the network security features not covered by the ACA course:
Full NAT
Generic Proxy
Socks Proxy
Ident Proxy
Network Security / NAT/ Full NAT
A full NAT is a NAT rule that alters both the source and destination information of a single packet traversing the ASG.
A Full NAT does not make traffic initiated on either side of the ASG possible with one rule -- You still need a DNAT and an SNAT for this!
A full NAT rule is generally used in a network in which the routes on the internal network would prevent a packet's return traffic from being routed back to the ASG.
There are two common topologies that will require the use of a full NAT:
Two Gateways on the Network
Routes Do Not Allow Return Traffic
Network Security / NAT/ Two Gateways on the Network
In this example, there are two gateways that the host is using. The default gateway is set to the other router. Notice that without the NAT rule, the packet will go out the default gateway.
A) Traffic is initiated from the internet to an internal host
B) The ASG DNATs the packet to the internal server; note that the public source IP of the packet is intact
C) The server sends the return traffic to its default gateway
D) The packet is sent back and may be received, but the session is broken as a result.
Network Security / NAT/ Routes Do Not Allow Return Traffic
In this example, there is a switch that connects a host and a server. If the host attempts to connect to the server's external IP address, the session is dropped unless the
1) PC sends request to Internal Server's public IP address
2) ASG DNATs the packet
3) ASG routes the packet to the proper server
4) Server has a proper route directly to the host, breaking the session
4a) If you use a Full NAT, the server will reconnect with the ASG
4b) The ASG will then route the packet normally and the session is intact
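Both scenarios above, worked through in Python as an added example (not the ASG's NAT code): a DNAT-only rule leaves the original source address intact, so the server's reply follows the server's own routing table to the other gateway (scenario 1) or directly to the host on the same switch (scenario 2) and never passes the ASG that holds the translation; a full NAT additionally rewrites the source to the ASG's internal address, so the reply comes back through the ASG. All addresses are constructed for the model.

```python
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Optional

# Constructed addresses: the ASG sits between the internet and the LAN, and the internal
# server's default gateway is a second router (the "other gateway" of the slide).
ASG_EXTERNAL = ip_address("203.0.113.1")
ASG_INTERNAL = ip_address("192.168.1.1")
OTHER_ROUTER = ip_address("192.168.1.254")
SERVER = ip_address("192.168.1.10")

# The server's own routing table: (network, gateway); gateway None means directly attached.
SERVER_ROUTES = [
    (ip_network("192.168.1.0/24"), None),
    (ip_network("0.0.0.0/0"), OTHER_ROUTER),
]


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    sport: int
    dport: int


@dataclass(frozen=True)
class NatRule:
    """DNAT rewrites the destination; setting new_src as well makes it a full NAT."""
    match_dst: IPv4Address
    match_dport: int
    new_dst: IPv4Address
    new_dport: Optional[int] = None
    new_src: Optional[IPv4Address] = None


def translate(pkt, rule):
    """Apply the rule to a packet arriving at the ASG; non-matching packets pass unchanged."""
    if (pkt.dst, pkt.dport) != (rule.match_dst, rule.match_dport):
        return pkt
    return replace(pkt,
                   dst=rule.new_dst,
                   dport=pkt.dport if rule.new_dport is None else rule.new_dport,
                   src=pkt.src if rule.new_src is None else rule.new_src)


def next_hop(routes, dst):
    """Longest-prefix lookup; on a directly attached network the next hop is the host itself."""
    net, gateway = max((entry for entry in routes if dst in entry[0]),
                       key=lambda entry: entry[0].prefixlen)
    return dst if gateway is None else gateway


def session_intact(client, rule):
    """Does the server's reply travel back through the ASG that translated the request?
    Only then can the ASG reverse the translation and keep the session alive."""
    request = Packet(client, ASG_EXTERNAL, 40000, 80)
    delivered = translate(request, rule)           # what the server actually receives
    reply_dst = delivered.src                      # the server answers whoever it saw as source
    return next_hop(SERVER_ROUTES, reply_dst) == ASG_INTERNAL


DNAT_ONLY = NatRule(ASG_EXTERNAL, 80, SERVER)
FULL_NAT = NatRule(ASG_EXTERNAL, 80, SERVER, new_src=ASG_INTERNAL)
```

The price of the full NAT is visible in `delivered.src`: the server only ever sees the ASG's internal address, so its own logs no longer record the real client. Where the client identity matters for auditing, fix the routing instead of hiding the source, or make sure the ASG's logs are the ones consulted.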
Network Security / Advanced
The Generic Proxy is another option when private networks are being used.
SOCKS is an internet protocol to allow clients to use the services of a firewall transparently and is short for “SOCKetS”.
The Ident Protocol is specified in RFC 1413 and helps identify the users of a particular TCP connection.
Network Security / Generic Proxy
Works as a port forwarder
Combines features of DNAT and Masquerading
Forwarding all incoming traffic for a specific service to an arbitrary server.
The difference to standard DNAT, however, is that a generic proxy also replaces the source IP address of a request with the IP address of the ASG interface for outgoing connections. In addition, the destination (target) port number can be changed as well.
Network Security / SOCKS
What is it used for?
Can build TCP and UDP connections for client applications
Can provide incoming ports to listen on
Used with systems that incorporate NAT
Where is it used?
IM clients such as ICQ, AIM
FTP
RealAudio
Astaro Security Gateway supports SOCKSv5
User authentication can be used
Network Security/ IDENT Relay
IDENT is an older protocol
Allows external users to associate a username with a TCP connection
Not very secure because the connection isn't encrypted
Necessary for some services like IRC and some mail servers
Astaro will respond with the string that you specify as the default response
Hence the configuration is rather simple; it offers:
Configuration of the string to answer with
Optionally the possibility to forward Ident requests to the internal clients (which is not always possible)
Network Security/ Review Questions
1. Why would you use a FULL NAT rule?
Full NAT is generally used in two scenarios: when there are Two Gateways on the Network, and the existing routes Do Not Allow Return Traffic.
2. What is the difference between DNAT and the generic proxy?
DNAT replaces the destination IP of a connection while the generic proxy also replaces the source IP with the IP of the ASG interface for outgoing connections.
3. What version of SOCKS does the ASG support?
ASG supports SOCKS v5.
4. What is a major disadvantage to IDENT?
IDENT connections are not encrypted
VoIP Security
In this chapter you will learn how SIP and H.323 security work
VoIP Security/ SIP/H.323 Security
SIP and H.323 are so-called “signaling” protocols, which are designed to notify communication partners in telephony-like connections. These signals contain information about the state of the connection, like “INVITE”, “RINGING” or “HANGUP”. The actual voice connection takes place on a dynamic port.
Astaro’s VoIP Security uses special connection tracking helper modules for monitoring the control channel to determine which dynamic ports are being used and then only allowing these ports to pass traffic when the control channel is busy.
To configure VoIP Security, client and server network definitions need to be made.
[Figure: SIP call setup between Rick (IP-A) and Cory (IP-B) over time. Rick sends INVITE Cory@IP-B to IP-B, PORT-S with the SDP “c=IN IP4 IP-A, m=audio 2000 RTP/AVP 0”. Cory answers 200 OK to IP-A, PORT-S with the SDP “c=IN IP4 IP-B, m=audio 4000 RTP/AVP 3”. The audio streams then flow to IP-A, port 2000 and to IP-B, port 4000.]
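How the dynamic ports are derived from the signalling, as an added example in shell (this is not Astaro's helper code): it reads the SDP carried in the INVITE and in the 200 OK and prints the two RTP flows that have to be opened for the call. All addresses and ports are constructed sample values that follow the call flow in the figure.

```shell
#!/bin/sh
# Added example, not Astaro's helper code: derive from the SDP bodies of the
# INVITE (offer) and the 200 OK (answer) which RTP flows the SIP connection
# tracking helper has to open. All addresses and ports are constructed sample
# values following the call flow in the figure (Rick = IP-A, Cory = IP-B).

# Print "<ip> <port>" of the audio stream described by the SDP read on stdin.
# SDP lines end in CRLF on the wire, so a trailing CR is stripped first; a
# media-level c= line overrides the session-level one, so the last c= wins.
sdp_audio_endpoint() {
    awk '
        { sub(/\r$/, "") }
        /^c=IN IP4 / { ip = $3 }
        /^m=audio /  { port = $2 }
        END { if (ip != "" && port != "") print ip, port }
    '
}

# $1: SDP from the INVITE (caller), $2: SDP from the 200 OK (callee).
# Prints one "allow udp <src> -> <dst>:<port>" line per media direction:
# exactly the dynamic UDP ports that stay closed while no call is signalled.
sip_rtp_pinholes() {
    caller=$(printf '%s\n' "$1" | sdp_audio_endpoint)
    callee=$(printf '%s\n' "$2" | sdp_audio_endpoint)
    if [ -z "$caller" ] || [ -z "$callee" ]; then
        echo "sip_rtp_pinholes: incomplete SDP, no audio endpoint found" >&2
        return 1
    fi
    caller_ip=${caller% *}; caller_port=${caller#* }
    callee_ip=${callee% *}; callee_port=${callee#* }
    # the callee sends its audio to the port the caller offered, and vice versa
    printf 'allow udp %s -> %s:%s\n' "$callee_ip" "$caller_ip" "$caller_port"
    printf 'allow udp %s -> %s:%s\n' "$caller_ip" "$callee_ip" "$callee_port"
}

# rtp_allowed PINHOLES SRC_IP DST_IP DST_PORT: does a UDP packet match a pinhole?
rtp_allowed() {
    printf '%s\n' "$1" | grep -qxF "allow udp $2 -> $3:$4"
}

# Constructed sample: Rick (192.0.2.10) invites Cory (198.51.100.20); the
# media lines mirror the figure (audio 2000 RTP/AVP 0, audio 4000 RTP/AVP 3).
INVITE_SDP='v=0
o=rick 1 1 IN IP4 192.0.2.10
s=call
c=IN IP4 192.0.2.10
t=0 0
m=audio 2000 RTP/AVP 0'

OK_SDP='v=0
o=cory 1 1 IN IP4 198.51.100.20
s=call
c=IN IP4 198.51.100.20
t=0 0
m=audio 4000 RTP/AVP 3'

sip_rtp_pinholes "$INVITE_SDP" "$OK_SDP"
```

Without the helper, or with the client or server missing from the VoIP Security network definitions, the same UDP packets fall through to the default drop.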
VoIP Security/ SIP – Session Initiation Protocol
“Session Initiation Protocol is an application-layer control (signaling) protocol for creating, modifying, and terminating sessions with one or more participants. These sessions include Internet telephone calls, multimedia distribution, and multimedia conferences.” (cit. RFC 3261)
A good starting point for reading about SIP is http://en.wikipedia.org/wiki/Session_Initiation_Protocol
[Figure: SIP call flow with the elements Rick, SIP Proxy, SIP Registrar, SIP Proxy and Cory; Rick’s INVITE [email protected] is forwarded via the proxies to Cory.]
VoIP Security/ H.323
H.323 is an umbrella recommendation from the ITU Telecommunication Standardization Sector (ITU-T) that defines the protocols to provide audio-visual communication sessions on any packet network.
H.323 was originally created to provide a mechanism for transporting multimedia applications over LANs, but it has rapidly evolved to address the growing needs of VoIP networks.
Currently real-time applications such as NetMeeting and Ekiga (the latter using the OpenH323 implementation) use H.323.
A good starting point for reading about H.323 is http://en.wikipedia.org/wiki/H323
VoIP Security/ SIP/H.323 Security
To configure H.323 or SIP Security, go to the VoIP Security Menu. Each module can be activated individually.
Both modules are rather easy to configure: simply add the allowed clients to the SIP or H.323 configuration and configure one or more SIP servers or H.323 gatekeepers.
General WebAdmin Troubleshooting
General WebAdmin Troubleshooting
Most troubleshooting can be done via the WebAdmin GUI
WebAdmin dashboards that show real-time statistics, reports, and logs will point to problems and errors
Real time resource indicators such as high CPU usage can indicate problems with running processes
RAM usage depends on applications being used and hardware installed
Swap will increase if the system runs out of RAM
Growing log disks may indicate logging errors
General WebAdmin Troubleshooting
Network Statistics can identify most active source hosts, services, concurrent connections, and total traffic.
General WebAdmin Troubleshooting
Real-time logs in the Logging section show real-time information. If CPU usage has been running high, error messages may be found in the System Messages or Self Monitoring logs.
System messages should be checked for errors relating to the databases. If any are found, a support ticket should be opened with Astaro.
Self monitoring log should not show many process restarts
General WebAdmin Troubleshooting
Incorrectly binding a host definition to a specific interface can prevent packet filter and NAT rules from working
General WebAdmin Troubleshooting
Incorrectly written NAT rules are a common issue. A typical mistake is trying to translate the ‘Any’ service to a specific port.
Not using the ‘Automatic packet filter rule’ option can prevent many rules from working.
Command Line Troubleshooting Guide
CLI / Linux skills
Command Line or Shell access is not needed during normal operation of the AxG product line
All configuration can and should be done via the WebAdmin GUI
Shell access is used for more in depth and quicker troubleshooting
Shell configuration changes are made at your own risk and can void support.
Basic Linux skills will be needed for the shell
Google searches will return plenty of information about Linux
http://www.linux.org/lessons/ offers some free easy beginner courses
CLI/ First steps
When first logging into the Shell some quick things to check are:
System Load
Top processes
Log directories to see which log files are being written to
Disk space utilization
System load and top processes are checked using the ‘top’ command which shows the processor activity in real time.
CLI/ First steps
Top shows information such as uptime, load average, memory, swap, and processes running.
Load average depends on the hardware installed and will be displayed via WebAdmin as CPU Usage. If the CPU is running high then the load will be high.
To determine which process is using the most CPU, look at the %CPU column or sort by pressing the ‘C’ key.
To kill a process press the ‘K’ key and enter the PID. If no ‘signal’ is chosen the TERM signal is sent. If the process does not stop, try specifying ‘KILL’ by using the number ‘9’ when prompted.
CLI/ First steps
The /var/log directory holds logs for both the current day as well as directories for past dates.
Logs can be sorted according to time to see which was last written to by using the ‘ll -tr’ command.
Logs can be viewed by using utilities such as ‘less’, ‘cat’, or ‘tail’. ‘tail -f’ will show the log as it updates in real time. ‘grep’ can be used to filter on specific information such as usernames or IP addresses.
CLI/ First steps
The /var/log directory holds logs for both the current day as well as directories for past dates. Additional debug and .lock files are found in the /tmp directory.
Logs can be sorted according to time to see which was last written to by using the ‘ll -tr’ command.
Logs can be viewed by using utilities such as ‘less’, ‘cat’, or ‘tail’. ‘tail -f’ will show the log as it updates in real time. ‘grep’ can be used to filter on specific information such as usernames or IP addresses.
CLI / Packetfiltering basics (1)
ASG uses the stateful packet filtering capabilities of the 2.6 Linux kernel.
[Figure: Netfilter packet flow through the ASG. Incoming packets pass PREROUTING (conntrack, mangle, dnat, spoofdrop) and the routing decision, then either FORWARD (mangle, filter, ips) towards POSTROUTING, or INPUT (mangle, filter, ips) towards the local processes (Apache, EXIM, SSHD, HTTP Proxy, BIND, IPSEC, PPTP). Packets from local processes pass OUTPUT (conntrack, mangle, dnat, filter, ips), the routing decision and POSTROUTING (masquerading, snat, conntrack, mangle) before leaving as outgoing packets. Tables: NAT, Filter.]
CLI / Packetfiltering basics (2)
Verify packet filter rules using the command line interface (CLI) or shell. Packet filter rules can be reviewed using the command iptables -L -nv on the CLI.
With this command the table filter with all its chains and sub-tables will be shown by default.
The available tables can be seen with the command cat /proc/net/ip_tables_names.
Note: Manual changes to the packet filter with the command iptables will be overridden when a change is done using the WebAdmin.
Important chains within the table filter are:
AUTO_INPUT – contains rules that have one of the ASG IP addresses as destination and are configured as a service within the WebAdmin (e.g. DNS to the ASG)
AUTO_FORWARD – contains rules for traffic that is forwarded through the ASG and that are configured as a service within the WebAdmin (e.g. ping through the firewall)
USR_FORWARD – contains packet filter rules that are configured by the administrator manually in the menu “Packet filter” and do not use an IP address of the ASG itself as source or destination address.
CLI / Packet filter example (1)
Scenario 1: The administrator has locked himself out of the WebAdmin
The admin has locked himself out by mistake: a network/host was removed from the list of “Allowed networks”. SSH is activated and the ASG is accessible with SSH.
Verify with: iptables -L AUTO_INPUT -nv | grep 4444
Chain AUTO_INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOGACCEPT  tcp  --  *      *       192.168.140.0/24     0.0.0.0/0            tcp spts:1024:65535 dpt:4444 LOGMARK match 60006
    3   180 LOGDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spts:1024:65535 dpt:4444 LOGMARK match 60005
There is only the network 192.168.140.0/24 allowed for the WebAdmin; all other networks will be blocked and logged by default.
Add a network: iptables -I INPUT -j ACCEPT --source 172.16.65.0/24 -p tcp --dport 4444
Verify with: iptables -L INPUT -nv | grep 4444
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       172.16.65.0/24       0.0.0.0/0            tcp dpt:4444
Once the WebAdmin is accessible, the corresponding network should be added to the “Allowed networks” and saved with Apply. All manual configurations will be deleted after a restart of the middleware/ASG.
CLI / Packet filter example (2)
Scenario 2: A packet filter rule for VPN doesn’t work, although the VPN itself is working correctly.
A few packet filter rules were configured for communication with the branch office using the WebAdmin. The access with HTTP in rule 3 isn’t working.
Verify with: iptables -L USR_FORWARD -nv | grep 172.16.67.2
Chain USR_FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOGACCEPT  tcp  --  *      eth1    172.16.55.0/24       172.16.67.2          tcp spts:1:65535 dpt:80 LOGMARK match 3
Solution: The network definition (type: host) for the web server is bound to interface eth1 (WAN), but the tunnel uses interface ipsec0. That is why this rule isn’t working and all packets will be dropped by the “Default drop”.
These errors are hard to find with the WebAdmin and the packet filter table. They are easier to find with the command iptables using the CLI.
CLI / Stateful packet filtering
Scenario 3: Outgoing FTP connections are not working, the packet filter entries are correct.
The Astaro Security Gateway writes every connection to the connection tracking table. The administrator wants to verify if the FTP connection is visible in this table.
Verify with: conntrack -L | grep 192.168.140.213
Working connection:
tcp 6 103 TIME_WAIT src=172.16.55.55 dst=192.168.140.213 sport=1114 dport=4045 packets=4 bytes=168 src=192.168.140.213 dst=192.168.140.225 sport=4045 dport=1114 packets=4 bytes=279 [ASSURED] mark=0 use=1
tcp 6 431987 ESTABLISHED src=172.16.55.55 dst=192.168.140.213 sport=1113 dport=21 packets=15 bytes=696 src=192.168.140.213 dst=192.168.140.225 sport=21 dport=1113 packets=16 bytes=1171 [ASSURED] mark=0 use=3
Not working connection (only one entry):
tcp 6 431982 ESTABLISHED src=172.16.55.55 dst=192.168.140.213 sport=1192 dport=21 packets=9 bytes=419 src=192.168.140.213 dst=192.168.140.225 sport=21 dport=1192 packets=9 bytes=686 [ASSURED] mark=0 use=1
Background: FTP works with a second connection for data transfer on different ports. These ports are negotiated dynamically for every FTP connection. The Astaro Security Gateway has to relate this second connection to the allowed FTP connection on port 21.
Solution: The connection tracking helper for FTP has to be activated. This is done using Network Security -> Packetfilter -> Advanced and is activated by default.
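A check for Scenario 3 over saved conntrack -L output, added here as an example and not part of the training material: for each FTP control connection (dport=21) it reports whether a second tracked connection between the same client and server exists. The sample lines are constructed after the output above; pairing by client and server address is a heuristic for reading the table, not the way the kernel relates the two connections.

```shell
#!/bin/sh
# Added example, not Astaro code: read `conntrack -L` output and report, for
# every FTP control connection (dport=21), whether a second tracked connection
# between the same client and server exists, i.e. whether the FTP data channel
# made it into the connection tracking table. Any other connection between the
# same pair of hosts (e.g. HTTP) would also count, so read the result as a hint.

ftp_data_check() {
    awk '
    {
        # the first src=/dst=/dport= on a line describe the original direction;
        # the second set is the reply direction and is ignored here
        src = ""; dst = ""; dport = ""
        for (i = 1; i <= NF; i++) {
            if (src == ""   && $i ~ /^src=/)   src   = substr($i, 5)
            if (dst == ""   && $i ~ /^dst=/)   dst   = substr($i, 5)
            if (dport == "" && $i ~ /^dport=/) dport = substr($i, 7)
        }
        if (src == "" || dst == "") next
        key = src " -> " dst
        if (dport == "21") control[key] = 1
        else               other[key]++
    }
    END {
        for (k in control)
            printf "%s control=yes data=%s\n", k, ((k in other) ? "yes" : "MISSING")
    }'
}

# Constructed sample modelled on the slide: client .55 has control and data
# channel tracked, client .56 only the control channel (helper not active).
CONNTRACK_SAMPLE='tcp      6 103 TIME_WAIT src=172.16.55.55 dst=192.168.140.213 sport=1114 dport=4045 packets=4 bytes=168 src=192.168.140.213 dst=192.168.140.225 sport=4045 dport=1114 packets=4 bytes=279 [ASSURED] mark=0 use=1
tcp      6 431987 ESTABLISHED src=172.16.55.55 dst=192.168.140.213 sport=1113 dport=21 packets=15 bytes=696 src=192.168.140.213 dst=192.168.140.225 sport=21 dport=1113 packets=16 bytes=1171 [ASSURED] mark=0 use=3
tcp      6 431982 ESTABLISHED src=172.16.55.56 dst=192.168.140.213 sport=1192 dport=21 packets=9 bytes=419 src=192.168.140.213 dst=192.168.140.225 sport=21 dport=1192 packets=9 bytes=686 [ASSURED] mark=0 use=1'

printf '%s\n' "$CONNTRACK_SAMPLE" | ftp_data_check
```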
Networking
CLI / Network problems (1)
Scenario 1: Slow connections between different networks. (1)
The ASG is connected with multiple switches on different interfaces. Users report slow connections from one network to another. In this case the connections between the internal network (eth0) and the DMZ (eth2) are very slow. The administrator wants to verify the corresponding interfaces.
Verify with: ifconfig eth0, ifconfig eth2
ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:0C:29:15:E2:DA
          inet addr:172.16.55.225  Bcast:172.16.55.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3095 errors:120 dropped:30 overruns:0 frame:0
          TX packets:13426 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:233056 (227.5 Kb)  TX bytes:19608084 (18.6 Mb)
          Interrupt:177 Base address:0x1424
RX = number of received packets, errors = errors when receiving, dropped = dropped packets when receiving, overruns =, frame = received frames
TX = number of transmitted packets, errors = errors when sending, dropped = dropped packets when sending, overruns = packets that are bigger than the allowed MTU size, carrier = errors on connection (mostly a broken network cable)
Note: If there is a problem with the connection and the speed and duplex settings are not correct, errors are mostly shown here. Always check both sides of the connection, like the switches on the other side of the cable.
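An added example, not Astaro tooling, that turns the counters explained above into an error rate per interface and flags interfaces worth checking for a speed/duplex mismatch. The 1 % threshold and the clean eth2 counters are assumptions made for the example; the eth0 counters are the ones from the slide.

```shell
#!/bin/sh
# Added example, not Astaro code: parse the RX/TX counter lines of an
# `ifconfig` dump and flag interfaces whose error rate points at a
# speed/duplex mismatch. The 1 % threshold is an assumption, not an ASG setting.

# Reads ifconfig output on stdin; optional $1 = threshold in percent.
# Prints "<if> rx_err_pct=<n> tx_err_pct=<n> verdict=<ok|CHECK-SPEED-DUPLEX>".
ifconfig_error_rate() {
    threshold=${1:-1}
    awk -v thr="$threshold" '
    # counter(line, name): the number after "name:" in an ifconfig counter line
    function counter(line, name,    m) {
        if (match(line, name ":[0-9]+")) {
            m = substr(line, RSTART + length(name) + 1, RLENGTH - length(name) - 1)
            return m + 0
        }
        return 0
    }
    function pct(bad, total) { return (total > 0) ? sprintf("%.2f", 100 * bad / total) : "0.00" }
    # a line starting in column 0 names the interface; counter lines are indented
    NF > 0 && substr($0, 1, 1) != " " { ifname = $1 }
    /RX packets:/ {
        rx = counter($0, "packets")
        rxbad = counter($0, "errors") + counter($0, "dropped") + counter($0, "frame")
    }
    /TX packets:/ {
        tx = counter($0, "packets")
        txbad = counter($0, "errors") + counter($0, "dropped") + counter($0, "carrier")
        rxp = pct(rxbad, rx); txp = pct(txbad, tx)
        verdict = (rxp + 0 > thr || txp + 0 > thr) ? "CHECK-SPEED-DUPLEX" : "ok"
        printf "%s rx_err_pct=%s tx_err_pct=%s verdict=%s\n", ifname, rxp, txp, verdict
    }'
}

# Constructed sample: eth0 with the counters from the slide, eth2 with assumed
# clean counters (the eth2 MAC address and IP are made up for the example).
IFCONFIG_SAMPLE='eth0      Link encap:Ethernet  HWaddr 00:0C:29:15:E2:DA
          inet addr:172.16.55.225  Bcast:172.16.55.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3095 errors:120 dropped:30 overruns:0 frame:0
          TX packets:13426 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:233056 (227.5 Kb)  TX bytes:19608084 (18.6 Mb)

eth2      Link encap:Ethernet  HWaddr 00:0C:29:15:E2:E4
          inet addr:10.0.2.1  Bcast:10.0.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:500000 errors:3 dropped:0 overruns:0 frame:0
          TX packets:420000 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000'

printf '%s\n' "$IFCONFIG_SAMPLE" | ifconfig_error_rate
```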
CLI / Network problems (2)
Scenario 2: Slow connections between different networks. (2)
There are errors on the interface. The administrator wants to check the speed and duplex settings for the interfaces. Auto-negotiation is configured on both sides.
Verify with: mii-diag eth2
fw:/root # mii-diag eth2
Basic registers of MII PHY #1: 3000 782d 02a8 0154 05e1 c1e1 0009 0000.
 The autonegotiated capability is 01e0.
The autonegotiated media type is 100baseTx-FD.
 Basic mode control register 0x3000: Auto-negotiation enabled.
 You have link beat, and everything is working OK.
 Your link partner advertised c1e1: 100baseTx-FD 100baseTx 10baseT-FD 10baseT.
 End of basic transceiver information.
There are sometimes network cards (like in VMware) that are not MII-compatible. For these network cards ethtool is useful to see nearly the same information.
In this scenario the verification has shown us that the settings on the ASG and the settings on the switch are not the same (100baseT/Full vs. 10baseT/Half).
Solution: The configuration for the interfaces can be changed in the WebAdmin menu Network -> Interfaces -> Hardware. It is possible to configure a fixed speed and duplex mode.
CLI/ Network tools
Tools to test the connectivity
Check if a host is accessible: ping <IP> at the command line, or Support -> Tools -> Ping Check in the WebAdmin
PING 172.16.55.56 (172.16.55.56) 56(84) bytes of data.
64 bytes from 172.16.55.56: icmp_seq=1 ttl=128 time=2.45 ms
64 bytes from 172.16.55.56: icmp_seq=2 ttl=128 time=0.320 ms
64 bytes from 172.16.55.56: icmp_seq=3 ttl=128 time=1.12 ms
Check the path to a server on the internet: traceroute <IP/Name> at the command line, or Support -> Tools -> Traceroute in the WebAdmin
traceroute to www.astaro.de (85.115.22.4), 30 hops max, 40 byte packets
 1  port-87-234-47-9.static.qsc.de (87.234.47.9)  2.865 ms  5.489 ms  3.428 ms
…
 5  DE-CIX2.de.lambdanet.net (80.81.192.74)  22.012 ms  20.533 ms  22.377 ms
 6  Telemaxx.FRA-1-eth0-145.de.lambdanet.net (217.71.110.42)  19.606 ms  20.851 ms  19.337 ms
 7  sw4ch.ka.telemaxx.net (213.144.4.134)  24.037 ms  25.553 ms  22.330 ms
 8  85.115.22.4 (85.115.22.4)  19.359 ms  19.362 ms  18.378 ms
Discover duplicate IP addresses within your network: arping <IP>
ARPING 172.16.55.56 from 172.16.55.225 eth0
Unicast reply from 172.16.55.56 [00:0C:29:68:40:72]  4.687ms
Unicast reply from 172.16.55.56 [00:0C:29:68:40:72]  0.845ms
Unicast reply from 172.16.55.56 [00:0C:29:68:40:72]  1.794ms
Note: When the same IP address is configured on different hosts, this output shows different MAC addresses.
CLI / Network tools/ Tcpdump
Tcpdump is a packet sniffer utility that allows an administrator to intercept and display traffic traversing a network interface. With tcpdump network traffic can be analyzed for problems and either displayed on the screen in real time or saved into a file which can then be viewed by programs such as ‘Wireshark’.
Parameters can be specified to filter on specific interfaces, ports, and IP networks or addresses.
Basic examples are:
tcpdump -i eth0 port 25 (the ‘-i’ specifies which interface to use)
tcpdump -i eth0 port 25 -w test.pcap (the ‘-w’ specifies a file name)
tcpdump -i eth0 host 10.10.12.12 and port 25
CLI / Network tools/ Iftop
Iftop can be used to display bandwidth usage on an interface by host
Common parameters which can be used are:
-i = specify the interface to use
-n = will not resolve IPs to DNS names
-P = will show ports as well as IPs
IM/P2P Security
CLI IM/P2P Security/ Logging (1)
With version 7.200 the Astaro Security Gateway and the Astaro Web Gateway introduced the service Astaro Flow Classifier (AFC) for IM/P2P control. This service logs to the file /var/log/afc.log. The log file can be browsed with the WebAdmin or via the command line.
For troubleshooting the AFC, it is necessary to understand the log format correctly. An example line from an AFC log file is shown here (Bittorrent):
2008:11:19-15:33:27 (none) ulogd[2517]: id="2017" severity="info" sys="SecureNet" sub="packetfilter" name="AFC Alert" action="log" fwrule="60202" outitf="eth2" srcip="79.213.68.225" dstip="192.168.99.101" proto="6" length="57" tos="0x00" prec="0x00" ttl="115" srcport="57389" dstport="18710" tcpflags="ACKPSH"
Log-Entry – Meaning
id="2017" – The ID shows the kind of log entry: 2017 is only logging, 2018 is for file transfer block and 2019 blocks completely
name="AFC Alert" action="log" – name and action, corresponding to the ID
fwrule="60202" – shows the kind of protocol, 60202 stands for “P2P/Bittorrent”
srcip="79.213.68.225" dstip="192.168.99.101" – source and destination IP address of the packet
srcport="57389" dstport="18710" – source and destination port of the packet
Important for troubleshooting are always the ID, the action and the fwrule.
The particular values for ID, action and fwrule are explained in detail in the Astaro knowledge base article 290351.
CLI IM/P2P Security/ Logging (2)
Here is another example for Skype blocking, noticeable by the fwrule (Skype) and the ID (block completely):
2008:11:19-15:36:41 (none) ulogd[2517]: id="2019" severity="info" sys="SecureNet" sub="packetfilter" name="AFC Block" action="drop" fwrule="60103" outitf="eth0" srcip="192.168.99.3" dstip="62.214.209.43" proto="6" length="124" tos="0x00" prec="0x00" ttl="127" srcport="1238" dstport="21510" tcpflags="ACKPSH"
Scenario 1: High logging impact when activating IM/P2P control with all protocols
When logging is activated for Instant Messaging and Peer-to-Peer protocols and a high volume of data is processed by the Astaro Security Gateway, there is a lot of logging traffic, which could possibly fill up the log partition.
Solution: Using IM/P2P -> Settings -> Advanced it is possible to configure a logging limit.
There are four options to choose from:
Off – deactivates logging completely; there is no reporting for IM/P2P any more.
Limit all 5/sec – there will be only 5 log entries per second for all hosts altogether.
Limit host 1/sec – there is a limit of one log entry per second per host. (default)
Log all – the complete traffic will be logged (Attention!)
High Availability & Clustering
CLI High Availability & Clustering / HA-Status
Scenario 1: The administrator wants to check the HA status. The current status of an HA cluster can be seen in the WebAdmin. A more detailed view can be shown using the CLI.
Verify with: ha_utils on the command line
-- Status ---------------------------------------------------------------------
Current mode: HA MASTER with id 1 in state ACTIVE
-- Nodes ----------------------------------------------------------------------
MASTER: 1 Node1 198.19.250.1 7.302 ACTIVE since Mon Nov 3 09:17:46 2008
SLAVE: 2 Node2 198.19.250.2 7.302 ACTIVE since Mon Nov 3 09:18:44 2008
-- Load -----------------------------------------------------------------------
Node 1: [1m] 0.50 [5m] 0.41 [15m] 0.39
Node 2: [1m] 0.08 [5m] 0.10 [15m] 0.09
-- Kernel ---------------------------------------------------------------------
Current mode: enabled master
interface: eth3
Local ID: 198.19.250.1
debug: off
verbose: off
tso: off
ppp sync: off
-- Ctsyncd --------------------------------------------------------------------
MASTER
-- IPSec ----------------------------------------------------------------------
000 #1460: "S_REF_RxrkmFZPsh_0" [email protected] 2.98.74 [email protected]; tunnel[…]
-- PostgreSQL -----------------------------------------------------------------
reporting: […]
pop3: […]
This output shows an HA configuration with 2 nodes in active-passive mode. Under IPSec the messages for active tunnels are displayed.
CLI High Availability & Clustering / Connection to slave system
Scenario 2: The administrator wants to view the log files from the HA-slave.
Two ASGs are connected within an HA configuration and the former master has rebooted. Because of the failover, the log files from the old master are now on the “new” slave and are not accessible through the WebAdmin.
An administrator wants to access the log files from the old master (now slave) and save these files for troubleshooting.
Access to the slave via: ha_utils ssh (only as root from the master ASG)
An SSH connection to the slave will be established; the administrator doesn’t need to know the IP address of the slave. This connection is only possible when the SSH daemon is configured on the default port 22.
The log files can be found in /var/log/ and can be displayed with the standard Linux tools like tail, less and grep. The log files can be copied to the master via SCP.
Example for copying the high-availability.log from the slave to the master:
<S> asg:/var/log # scp high-availability.log [email protected]:/home/login/high-availability.log.node2
CLI High Availability & Clustering / Connection problems
Scenario 3: The front panel of the ASG shows »MTU ERROR« and the appliance is shut down completely.
Solution: The HA cluster interface uses an MTU of 2000 bytes when connecting via a gigabit interface.
The connected switch should support Jumbo Frames, and this feature should be activated on the switch. When the switch doesn’t support Jumbo Frames, the interface should be configured to a fixed 100 Mbit/s full duplex (= MTU 1500) to avoid problems with the HA cluster interface.
Scenario 4: The link status of one or more interfaces shows »down« frequently, whereby a failover is initiated over and over again.
Where can more detailed information about link loss for all interfaces be found?
Solution: Check the kernel log using the WebAdmin or on the command line in the file /var/log/kernel.log
There is detailed information about the interface status provided in this file.
For more information about the interfaces have a look at the networking chapter.
User Authentication
CLI User Authentication/ Overview (1)
This diagram demonstrates the different work flows for the three authentication methods Active Directory, eDirectory and LDAP. Within Active Directory and eDirectory there is a differentiation between basic authentication and Single Sign On.
It is discernible which attributes are synced between the different directory services and the local user database of the Astaro Security Gateway.
CLI User Authentication/ Overview (2)
The authentication messages are logged into the file /var/log/aua.log and can be reviewed via command line or the WebAdmin.
2008:11:19-16:26:17 (none) aua[5534]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="172.16.65.2" user="berlin" caller="portal" engine="adirectory"
Log-Entry – Meaning
sub="auth" name="Authentication successful" – Authentication successful
srcip="172.16.65.2" – Client IP
user="berlin" – Authenticated user
caller="portal" – Calling system process: WebAdmin, User Portal or HTTP Proxy
engine="adirectory" – Authentication method
If this information is not enough for troubleshooting authentication problems, it is possible to activate the debug mode for the aua daemon. This is done on the command line with: killall -USR2 aua.bin
There is a lot of information provided in the aua.log file in debug mode. To disable the debug mode for the aua daemon just use the command killall -USR2 aua.bin again.
Attention: Passwords can be seen in clear text in the debug log.
Note: When having problems with authentication in conjunction with the HTTP proxy it is possible to start the HTTP process in debug mode.
CLI User Authentication / Active Directory (1)
Scenario 1: The administrator wants to check if the AD connection is working properly.
Verify with: Click the button „Test Server“
Possible Answer 1: Connection to ldap://192.168.140.215:389 failed
Solution 1: The IP address of the AD server is not correct or the LDAP service is not accessible. (Maybe a firewall between the AD server and the ASG is blocking the connection. Missing packet filter rule on this firewall?)
Possible Answer 2: Server exists and accepts connections, but bind to ldap://192.168.140.213:389 failed with this Bind DN and Password
Solution 2: The LDAP service can be accessed but the Bind User DN or the password is not correct.
Scenario 2: Joining the domain with Active Directory Single Sign-On (SSO) fails.
Joining the domain failed.
Solution: The following premises have to be fulfilled to join a domain:
The ASG needs an FQDN (e.g. firewall.mydomain.local), which can be resolved in the local AD domain.
The time difference between the DC and the ASG must not be more than 5 minutes.
The following DNS entries have to be resolvable by the ASG:
$ host -t SRV _kerberos._udp.MYDOMAIN.LOCAL
$ host -t SRV _ldap._tcp.dc._msdcs.MYDOMAIN.LOCAL
When this is not the case, a DNS request route can be configured under: Networking » DNS » Request Routing
Example: Domain: MYDOMAIN.LOCAL -> Target Servers: Active Directory Server
CLI User Authentication / Active Directory (2)
Active Directory SSO
There is a tool wbinfo on the command line to see detailed information about the Active Directory SSO connection. Active Directory users and groups can be displayed.
Examples:
Command – Meaning
wbinfo -u – Shows all AD users
wbinfo -g – Shows all AD groups
wbinfo -r <user> – Shows all groups for a specific user (Note: it shows only group IDs, not the names!)
wbinfo -D <domain> – Shows information about a specific AD domain
Detailed information for the tool can be seen with the command wbinfo --help.
CLI User Authentication / eDirectory
There is a test tool provided in the WebAdmin for Novell eDirectory to test single users. (see Microsoft Active Directory)
Detailed information for Novell eDirectory can be seen in the aua.log file when activating the debug mode for the responsible processes. This can be done on the CLI using the command killall -USR2 aua.bin aua_edirsync.plx.
Scenario 3: The administrator wants to check if an eDirectory user is in the cache of the ASG.
Verify with: Bring both processes into debug mode (see above) and check the aua.log.
2008:10:27-12:25:30 (none) aua_edir_sync[23466]: Writing cache entry for dn cn=testuser,ou=FW,ou=Support,o=Karlsruhe
2008:10:27-12:25:28 (none) aua[1293]: id="3007" severity="debug" sys="System" sub="auth" name="SSO: adding IP address 172.26.3.17 to cache"
Scenario 4: The administrator wants to check which eDirectory groups are imported for one user.
Verify with: Both processes are in debug mode, check the aua.log.
2008:10:27-12:25:30 (none) aua_edir_sync[23466]: 'attrs' => {
2008:10:27-12:25:30 (none) aua_edir_sync[23466]: 'modifytimestamp' => [
2008:10:27-12:25:30 (none) aua_edir_sync[23466]: '20081027112505Z'],
2008:10:27-12:25:30 (none) aua_edir_sync[23466]: 'cn' => [
2008:10:27-12:25:30 (none) aua_edir_sync[23466]: 'testuser',
[…] ],
2008:10:27-12:25:30 (none) aua_edir_sync[23466]: 'groupmembership' => [
2008:10:27-12:25:30 (none) aua_edir_sync[23466]: 'ou=FW,ou=Support,o=Karlsruhe'
2008:10:27-12:25:30 (none) aua_edir_sync[23466]: ],
Web Security
CLI Web Security/ Categorization
Since Version 7.302 the Astaro Security Gateway includes the content filter product SmartFilter XL from Secure Computing.
Scenario 1: The administrator wants to check in which category a particular web site is included.
Verify with: Start a browser, open the page http://www.astaro.com/support/support_resources and click the link "Astaro Web Filtering Site Test". It is possible to send an optional suggestion for a different category.
All filter categories are described in detail in the Astaro Knowledgebase article 297586.
CLI Web Security/ Details of Content Filter Log
On this slide the important fields of the HTTP proxy log file are described for detailed troubleshooting. A typical entry looks like this:
2008:11:18-18:42:46 (none) httpproxy[1729]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="172.16.65.2" user="user1" statuscode="200" cached="0" profile="profile_0" filteraction="action_REF_DefaultHTTPCFFAction" size="6835" time="782 ms" request="0xb385b88" url="http://www.google.de/" error="" category="145" categoryname="Search Engines" content-type="text/html"
Log entry                                        Meaning
sub="http" name="http access" action="pass"      Access allowed
srcip="172.16.65.2"                              Client IP
user="user1"                                     User logged in at the HTTP proxy
statuscode="200"                                 HTTP status code "OK"
cached="0"                                       The web page was not served from the cache
profile="profile_0"                              First profile in Web Security » HTTP Profiles
filteraction="action_REF_DefaultHTTPCFFAction"   Filter action used; the reference can be resolved in the WebAdmin using Support » Advanced » Resolve REF_
size="6835" time="782 ms"                        Size and download time of this request
url="http://www.google.de/"                      Requested URL
category="145"                                   Secure Computing SmartFilter XL category ID
categoryname="Search Engines"                    Category name
content-type="text/html"                         MIME type
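As an added example, not part of the Astaro courseware, the POSIX shell functions below pull single key="value" fields out of httpproxy log lines and print the triage summary the table above describes (action, user, client IP, status, category and URL) for every request of one user. The log lines are constructed after the entry above; the names field, summarize and user_requests are this example's own, and it assumes that every key is preceded by a space and that values never contain a double quote.

```sh
#!/bin/sh
# Added example: extract fields from ASG httpproxy log lines.
# The log below is constructed after the slide's entry; it is not a live log.

HTTP_LOG=$(mktemp)
cat >"$HTTP_LOG" <<'EOF'
2008:11:18-18:42:46 (none) httpproxy[1729]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="172.16.65.2" user="user1" statuscode="200" cached="0" profile="profile_0" filteraction="action_REF_DefaultHTTPCFFAction" size="6835" time="782 ms" request="0xb385b88" url="http://www.google.de/" error="" category="145" categoryname="Search Engines" content-type="text/html"
2008:11:18-18:43:02 (none) httpproxy[1729]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="172.16.65.2" user="user1" statuscode="304" cached="1" profile="profile_0" filteraction="action_REF_DefaultHTTPCFFAction" size="0" time="12 ms" request="0xb385c10" url="http://www.google.de/images/logo.gif" error="" category="145" categoryname="Search Engines" content-type="image/gif"
2008:11:18-18:43:10 (none) httpproxy[1729]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="172.16.65.3" user="user2" statuscode="200" cached="0" profile="profile_0" filteraction="action_REF_DefaultHTTPCFFAction" size="1203" time="95 ms" request="0xb385d40" url="http://www.google.de/" error="" category="145" categoryname="Search Engines" content-type="text/html"
EOF
HTTP_LOG_LINE=$(head -n 1 "$HTTP_LOG")

# field LINE KEY -> value of KEY="..." in LINE, empty if KEY is absent.
# Every key is preceded by a space, so " KEY=" cannot match inside another key
# (user= vs srcip=, category= vs categoryname=). Values are assumed to contain no quote.
field() {
    printf '%s\n' "$1" | sed -n "s/.* $2=\"\([^\"]*\)\".*/\1/p"
}

# summarize LINE -> "action user srcip status categoryname(id) url"
summarize() {
    printf '%s %s %s %s %s(%s) %s\n' \
        "$(field "$1" action)" "$(field "$1" user)" "$(field "$1" srcip)" \
        "$(field "$1" statuscode)" "$(field "$1" categoryname)" \
        "$(field "$1" category)" "$(field "$1" url)"
}

# user_requests LOGFILE USER -> one summary line per request made by USER.
# grep -F: the user name is matched literally, no regex surprises.
user_requests() {
    grep -F " user=\"$2\" " "$1" | while IFS= read -r line; do
        summarize "$line"
    done
}

# Stand-alone run: triage lines for user1 from the constructed log
user_requests "$HTTP_LOG" user1
```

The same field function works for any of the keys listed in the table, including content-type and the empty error="" field; passing a key that is not present yields an empty string rather than an error, which keeps it safe inside larger scripts.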
CLI Web Security/ HTTP Proxy in Debug Mode
Common problems with the HTTP proxy can be solved with an in-depth log analysis, or they are related to authentication problems (see there). More detailed information is available when debug mode is activated for the HTTP proxy.
Solution: Changing the debug level for the HTTP proxy
The debug level can only be configured by editing the file /var/chroot-http/etc/httpproxy.ini, section [global], key debug=...
Debug level   Explanation
none          Debugging is deactivated
dns           DNS resolution debugging
profile       Detailed profile parsing and matching
auth          Authentication debugging (NTLM, Basic, eDirectory, etc.)
conn          Connection debugging
hdr           HTTP header debugging
scan          Content scanning debugging
ssl           SSL communication debugging
cache         Hard disk cache debugging
Attention: A debug level stays active only until the next change or the next restart of the HTTP proxy.
E-Mail Security
CLI E-mail Security/ SMTP Log (1)
The MailManager provides an SMTP log where the administrator can easily see the results of the mail processing and filter these messages by different criteria.
More information about the MailManager can be found in the corresponding chapter of the courseware.
A double click on an entry in the log view opens a new window with more information about the e-mail, including its Message ID.
The Message ID can be used to find all information about this particular e-mail in the raw SMTP log. For a complete search only the last two parts of the ID should be used: the first part changes when the message is re-queued after scanning, while the last two parts stay the same. For example 0002EF-2t finds every log line for this e-mail.
This search can be done in the WebAdmin using Logging -> Search Log Files or on the command line in the file /var/log/smtp.log.
CLI E-mail Security/ SMTP Log (2)
Scenario 1: An administrator wants to see all log entries for a particular e-mail.
Verify with: Click on the entry in the MailManager log view, then run grep "0002EF-2t" /var/log/smtp.log on the command line:
2008:11:20-12:04:50 (none) exim[8571]: 2008-11-20 12:04:50 1L37L7-0002EF-2t <= [email protected] H=([192.168.140.158]) [192.168.140.158]:2198 P=esmtp S=682 [email protected]
2008:11:20-12:04:51 (none) smtpd[4015]: QMGR[4015]: 1L37L7-0002EF-2t moved to work queue
2008:11:20-12:05:01 (none) smtpd[8573]: SCANNER[8573]: id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="192.168.140.158" from="[email protected]" to="[email protected]" subject="Standardtestmail an den Trainer" queueid="0z2kWS-0002EF-2t" size="102"
2008:11:20-12:05:01 (none) exim[8592]: 2008-11-20 12:05:01 0z2kWS-0002EF-2t => [email protected] R=static_route_hostlist T=static_smtp H=192.168.140.213 [192.168.140.213]:25
2008:11:20-12:05:01 (none) exim[8592]: 2008-11-20 12:05:01 0z2kWS-0002EF-2t Completed
Scenario 2: The information provided by the SMTP log is not enough for troubleshooting.
Solution: The debug mode for the SMTP proxy can be activated as follows. In the file /var/mdw/scripts/smtp change the line
chroot $CHROOT /bin/smtpd.bin $WORKER
into
chroot $CHROOT /bin/smtpd.bin $WORKER --debug
and restart the SMTP proxy with /var/mdw/scripts/smtp restart.
Note: The SMTP proxy in debug mode generates a lot of log messages, which can flood the log partition. Debug mode should only be activated for a short period and deactivated after troubleshooting by reverting the same change.
CLI E-mail Security/ Greylisting
Scenario 3: An urgent e-mail was sent by an external partner and the administrator wants to check if the e-mail was delayed by Greylisting.
Solution: Inspect the log file on the command line. Attention: The message cannot be seen in the MailManager and has to be searched for manually.
2008:11:20-12:24:21 (none) exim[9364]: 2008-11-20 12:24:21 1L37e0-0002R2-2s Greylisting: Greylisted 192.168.140.158
2008:11:20-12:24:21 (none) exim[9364]: [1\19] 2008-11-20 12:24:21 1L37e0-0002R2-2s H=([192.168.140.158]) [192.168.140.158]:2397 F=<[email protected]> temporarily rejected after DATA: Temporary local problem, please try again!
2008:11:20-12:24:21 (none) exim[9364]: [2\19] Envelope-from: <[email protected]>
2008:11:20-12:24:21 (none) exim[9364]: [3\19] Envelope-to: <[email protected]>
2008:11:20-12:24:21 (none) exim[9364]: [4\19] P Received: from [192.168.140.158] (port=2397)
2008:11:20-12:24:21 (none) exim[9364]: [5\19] by asg225.asllab.net with esmtp (Exim 4.69)
2008:11:20-12:24:21 (none) exim[9364]: [6\19] (envelope-from <[email protected]>)
2008:11:20-12:24:21 (none) exim[9364]: [7\19] id 1L37e0-0002R2-2s
[…]
--------------------------------------------------------------------------------------------------------
2008:11:20-12:32:02 (none) exim[9630]: 2008-11-20 12:32:02 1L37lS-0002VK-1Y Greylisting: Successful greylist retry from 192.168.140.158 (original host was 192.168.140.158/32)
[…]
2008:11:20-12:32:13 (none) exim[9650]: 2008-11-20 12:32:13 0zJj0D-0002VK-1Y => [email protected] R=static_route_hostlist T=static_smtp H=192.168.140.213 [192.168.140.213]:25
2008:11:20-12:32:13 (none) exim[9650]: 2008-11-20 12:32:13 0zJj0D-0002VK-1Y Completed
In the example above Greylisting first rejects the message temporarily. The second part of the log extract shows the successful retry and the delivery. Note that a new message ID is generated when the message is received the second time, so a search for the first ID (0002R2-2s) does not find the delivery lines; the Greylisting lines for the sender's IP address tie the two attempts together.
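As an added example, not part of the Astaro courseware, the POSIX shell functions below script the two searches described on the last slides: tracing one message by the stable last two parts of its queue ID (SMTP Log (2)) and checking whether a sender's IP address was greylisted and whether it has retried successfully (Greylisting). The log is constructed after the extracts above with example addresses substituted; the function names queue_suffix, smtp_trace, delivered_to and greylist_status are this example's own.

```sh
#!/bin/sh
# Added example: trace a message through the ASG SMTP log and check for greylisting delays.
# The log below is constructed after the slides' extracts (addresses replaced with example domains).

SMTP_LOG=$(mktemp)
cat >"$SMTP_LOG" <<'EOF'
2008:11:20-12:04:50 (none) exim[8571]: 2008-11-20 12:04:50 1L37L7-0002EF-2t <= sender@example.org H=([192.168.140.158]) [192.168.140.158]:2198 P=esmtp S=682
2008:11:20-12:04:51 (none) smtpd[4015]: QMGR[4015]: 1L37L7-0002EF-2t moved to work queue
2008:11:20-12:05:01 (none) smtpd[8573]: SCANNER[8573]: id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="192.168.140.158" from="sender@example.org" to="trainer@example.net" subject="Standardtestmail an den Trainer" queueid="0z2kWS-0002EF-2t" size="102"
2008:11:20-12:05:01 (none) exim[8592]: 2008-11-20 12:05:01 0z2kWS-0002EF-2t => trainer@example.net R=static_route_hostlist T=static_smtp H=192.168.140.213 [192.168.140.213]:25
2008:11:20-12:05:01 (none) exim[8592]: 2008-11-20 12:05:01 0z2kWS-0002EF-2t Completed
2008:11:20-12:24:21 (none) exim[9364]: 2008-11-20 12:24:21 1L37e0-0002R2-2s Greylisting: Greylisted 192.168.140.158
2008:11:20-12:24:21 (none) exim[9364]: [1\19] 2008-11-20 12:24:21 1L37e0-0002R2-2s H=([192.168.140.158]) [192.168.140.158]:2397 F=<sender@example.org> temporarily rejected after DATA: Temporary local problem, please try again!
2008:11:20-12:32:02 (none) exim[9630]: 2008-11-20 12:32:02 1L37lS-0002VK-1Y Greylisting: Successful greylist retry from 192.168.140.158 (original host was 192.168.140.158/32)
2008:11:20-12:32:13 (none) exim[9650]: 2008-11-20 12:32:13 0zJj0D-0002VK-1Y => trainer@example.net R=static_route_hostlist T=static_smtp H=192.168.140.213 [192.168.140.213]:25
2008:11:20-12:32:13 (none) exim[9650]: 2008-11-20 12:32:13 0zJj0D-0002VK-1Y Completed
EOF

# queue_suffix ID -> the last two parts of a queue ID. The first part changes when the
# message is re-queued after scanning (1L37L7-0002EF-2t becomes 0z2kWS-0002EF-2t);
# the suffix does not, so it is what a complete search has to use.
queue_suffix() {
    printf '%s\n' "$1" | awk -F- '{ print $(NF-1) "-" $NF }'
}

# smtp_trace LOGFILE ID -> every line written for that message under either queue ID
smtp_trace() {
    grep -F -- "$(queue_suffix "$2")" "$1"
}

# delivered_to LOGFILE ID -> recipient the message was handed off to ("=>" lines), empty if none
delivered_to() {
    smtp_trace "$1" "$2" | sed -n 's/.* => \([^ ]*\) .*/\1/p'
}

# greylist_status LOGFILE SENDER_IP -> retried | greylisted | none
# "retried": a later attempt from that host got through.
# "greylisted": only the temporary rejection is logged, the sending server has not come back yet.
greylist_status() {
    ip_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    if grep -qE "Greylisting: Successful greylist retry from ${ip_re} " "$1"; then
        echo retried
    elif grep -qE "Greylisting: Greylisted ${ip_re}"'$' "$1"; then
        echo greylisted
    else
        echo none
    fi
}

# Stand-alone run against the constructed log
smtp_trace "$SMTP_LOG" 1L37L7-0002EF-2t
greylist_status "$SMTP_LOG" 192.168.140.158
```

Because a greylisted message is re-queued under a new ID on the retry, delivered_to for the first ID stays empty even after the mail has arrived; greylist_status on the sender's address is the check that answers the partner's question.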
Reporting
CLI Reporting / Overview (1)
Since version 7.300 all reporting data is stored in the new PostgreSQL database.
To generate all kinds of reports the ASG uses three different data sources:
RRD files to create the graphs
ACCU files with absolute values of the last 30 days
PostgreSQL for long-term data storage of up to 6 months
Furthermore there are 7 reporters for different scopes which can be configured in the WebAdmin separately:
Websec reporter
Mailsec reporter
VPN reporter
IPS reporter
Pfilter reporter
Admin reporter
System reporter
CLI Reporting / Overview (2)
The administrator can check if all database processes and all reporter processes are running properly using the command line.
Verify with: ps -ef | grep postgres on the command line
ps -ef | grep postgres
postgres  2939     1  0 Nov17 ?  00:00:09 /usr/bin/postgres -D /var/storage/pgsql/data
postgres  2948  2939  0 Nov17 ?  00:00:03 postgres: writer process
postgres  2949  2939  0 Nov17 ?  00:00:01 postgres: wal writer process
postgres  2950  2939  0 Nov17 ?  00:00:01 postgres: autovacuum launcher process
postgres  2951  2939  0 Nov17 ?  00:00:12 postgres: stats collector process
postgres 14097  2939  0 Nov18 ?  00:00:04 postgres: reporting reporting [local] idle
postgres 14333  2939  0 Nov18 ?  00:00:02 postgres: postgres smtp 127.0.0.1(36013) idle
postgres  7043  2939  0 00:15 ?  00:00:52 postgres: postgres smtp 127.0.0.1(58014) idle
PID 2939 is the postgres main process; the processes 2948-2951 are its background helpers (background writer, WAL writer, autovacuum launcher and statistics collector). In addition there is one connection to the reporting database and two connections to the SMTP database, which stores the e-mails in the quarantine.
Verify with: ps -ef | grep reporter on the command line
ps -ef | grep reporter
root  4805  2508  0 00:00 ?  00:00:01 /usr/bin/perl /usr/local/bin/reporter/websec-reporter.pl
root  4806  2508  0 00:00 ?  00:00:03 /usr/bin/perl /usr/local/bin/reporter/mailsec-reporter.pl
root  4807  2508  0 00:00 ?  00:00:00 /usr/bin/perl /usr/local/bin/reporter/vpn-reporter.pl
root  4808  2508  0 00:00 ?  00:00:01 /usr/bin/perl /usr/local/bin/reporter/ips-reporter.pl
root  4809  2508  0 00:00 ?  00:00:01 /usr/bin/perl /usr/local/bin/reporter/pfilter-reporter.pl
root  4810  2508  0 00:00 ?  00:00:01 /usr/bin/perl /usr/local/bin/reporter/admin-reporter.pl
These lines show the running reporter processes, which collect data from the logging (syslog-ng) and write it to the three data stores RRD, ACCU and PostgreSQL.
CLI Reporting / Logging & Storage
All database errors can be found in the file /var/log/system.log and can be reviewed via WebAdmin or the command line.
In case of problems with the database or the reporting, the administrator should search the log file for postgreSQL entries.
If messages like the following are found in the log file, the administrator should open a support call to restore the database with the help of the Astaro support:
ERROR: invalid page header in block 7002 of relation "accounting"
ERROR: could not open relation 17747/16519/18546: No such file or directory
PANIC: right sibling 1672 of block 110 is not next child of 3 in index "websec_bud_dayidx"
FATAL: bogus data in lock file "/var/run/postgresql/.s.PGSQL.5432.lock": "#
Note: The database files are not included in the configuration backup file and therefore cannot be recovered by restoring a backup.
Scenario 1: Reporting is not working any more; the administrator wants to check whether the storage partition is full.
Verify with: df -h /var/storage/pgsql/data on the command line
Filesystem                  Size  Used Avail Use% Mounted on
/dev/disk/by-label/storage  745M  208M  499M  30% /var/storage
Attention: The database files are stored under /var/storage/pgsql/data, but this is only a subfolder of the storage partition /var/storage, which also holds the HTTP proxy cache, the SMTP quarantine and more. When this partition is full it is not necessarily a database problem; it could just as well be the HTTP cache or the SMTP proxy.
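As an added example, not part of the Astaro courseware, the POSIX shell functions below turn the checks from the last three slides into something scriptable: which of the seven reporters listed in the overview have no running process, whether the postgres main process is up, which postgres lines in system.log are at ERROR/PANIC/FATAL level, and how full /var/storage is. The ps, df and system.log contents are constructed after the slides (the line prefix in system.log is assumed), the process name <scope>-reporter.pl is assumed for all seven reporters, and because the constructed ps listing copies the six reporter processes shown on the slide, the check reports system as the reporter that is not running; whether that is expected on a given installation has to be verified against the reporting settings in the WebAdmin.

```sh
#!/bin/sh
# Added example: health checks for the ASG reporting stack, run against constructed
# command output (ps, df, system.log) modelled on the slides, not against a live appliance.

PS_OUT=$(mktemp); DF_OUT=$(mktemp); SYS_LOG=$(mktemp)
cat >"$PS_OUT" <<'EOF'
postgres  2939     1  0 Nov17 ?  00:00:09 /usr/bin/postgres -D /var/storage/pgsql/data
postgres  2948  2939  0 Nov17 ?  00:00:03 postgres: writer process
postgres  2949  2939  0 Nov17 ?  00:00:01 postgres: wal writer process
postgres  2950  2939  0 Nov17 ?  00:00:01 postgres: autovacuum launcher process
postgres  2951  2939  0 Nov17 ?  00:00:12 postgres: stats collector process
postgres 14097  2939  0 Nov18 ?  00:00:04 postgres: reporting reporting [local] idle
root      4805  2508  0 00:00 ?  00:00:01 /usr/bin/perl /usr/local/bin/reporter/websec-reporter.pl
root      4806  2508  0 00:00 ?  00:00:03 /usr/bin/perl /usr/local/bin/reporter/mailsec-reporter.pl
root      4807  2508  0 00:00 ?  00:00:00 /usr/bin/perl /usr/local/bin/reporter/vpn-reporter.pl
root      4808  2508  0 00:00 ?  00:00:01 /usr/bin/perl /usr/local/bin/reporter/ips-reporter.pl
root      4809  2508  0 00:00 ?  00:00:01 /usr/bin/perl /usr/local/bin/reporter/pfilter-reporter.pl
root      4810  2508  0 00:00 ?  00:00:01 /usr/bin/perl /usr/local/bin/reporter/admin-reporter.pl
EOF
cat >"$DF_OUT" <<'EOF'
Filesystem                  Size  Used Avail Use% Mounted on
/dev/disk/by-label/storage  745M  208M  499M  30% /var/storage
EOF
# The line prefix is assumed; the messages are the ones the slide lists.
cat >"$SYS_LOG" <<'EOF'
2008:11:19-03:12:44 (none) postgres[2939]: LOG:  database system is ready to accept connections
2008:11:19-03:12:51 (none) postgres[2939]: ERROR:  invalid page header in block 7002 of relation "accounting"
2008:11:19-03:13:02 (none) postgres[2939]: PANIC:  right sibling 1672 of block 110 is not next child of 3 in index "websec_bud_dayidx"
EOF

# The seven reporters from the overview slide; <scope>-reporter.pl is assumed for all of them.
REPORTERS="websec mailsec vpn ips pfilter admin system"

# missing_reporters PS_FILE -> one line per reporter that has no running process
missing_reporters() {
    for r in $REPORTERS; do
        grep -q "/usr/local/bin/reporter/$r-reporter.pl" "$1" || echo "$r"
    done
}

# postgres_running PS_FILE -> true when the main process (/usr/bin/postgres -D ...) is present
postgres_running() {
    grep -q '/usr/bin/postgres -D /var/storage/pgsql/data' "$1"
}

# pg_problems SYSTEM_LOG -> postgres lines at ERROR/PANIC/FATAL, the ones that warrant a support call
pg_problems() {
    grep -E 'postgres.*(ERROR|PANIC|FATAL):' "$1"
}

# storage_use_pct DF_FILE -> Use% of /var/storage as a bare number
storage_use_pct() {
    awk '$6 == "/var/storage" { sub("%", "", $5); print $5 }' "$1"
}

# storage_state DF_FILE THRESHOLD -> "full" once usage reaches THRESHOLD percent, else "ok".
# The partition also holds the HTTP cache and the SMTP quarantine, so "full" is not
# automatically a database problem (see the slide's Attention note).
storage_state() {
    [ "$(storage_use_pct "$1")" -ge "$2" ] && echo full || echo ok
}

# Stand-alone run against the constructed output
echo "reporters not running: $(missing_reporters "$PS_OUT" | tr '\n' ' ')"
postgres_running "$PS_OUT" && echo "postgres main process: running"
echo "storage: $(storage_use_pct "$DF_OUT")% used, state $(storage_state "$DF_OUT" 90)"
pg_problems "$SYS_LOG"
```

On a real appliance the three inputs would be ps -ef, df -h /var/storage and /var/log/system.log; the functions only read files, so they can be pointed at saved output from a support bundle as well.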
Site-To-Site VPN using certificates
CLI Site-To-Site VPN using certificates / General
Scenario 1: The administrator wants to check if the IPSec connection is established successfully.
Verify with: Check in the WebAdmin under "Site-to-Site VPN" or on the command line with the command cat /proc/net/ipsec_eroute
asg225:/root # cat /proc/net/ipsec_eroute
14 172.16.55.0/24 -> 192.168.150.0/24 => tun0x10 [email protected]
When all lights are green in the WebAdmin the connection is established in both phases. The command line output additionally shows, for each eroute, the local and remote network and the number of packets sent through the established tunnel (14 in the example).
The following lines should be (similar to these) in the log file for an established tunnel:
2008:11:20-12:00:31 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #273: ISAKMP SA established
2008:11:20-12:00:31 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #276: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP
2008:11:20-12:00:31 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #276: Dead Peer Detection (RFC 3706) enabled
2008:11:20-12:00:31 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #276: sent QI2, IPsec SA established
These lines show that both phases are established: "ISAKMP SA established" is phase 1 (Main Mode), "IPsec SA established" is phase 2 (Quick Mode). The administrator should check the log file after the first build-up of the tunnel. This log file can be found under /var/log/ipsec.log.
Note: If the tunnel is fully established in both phases but no packets pass through the tunnel, the packet filter log and the packet filter rules should be checked.
CLI Site-To-Site VPN using certificates/ Connection problems (1)
Scenario 1: The tunnel can not be established.
cannot respond to IPsec SA request because no connection is known for 172.16.55.0/24===192.168.140.225...192.168.140.226===192.168.150.0/24
Solution 1: Check the network definitions on both sides of the tunnel. The "Local Networks" of one side have to be configured as "Remote Networks" on the other side and vice versa.
Scenario 2: The tunnel can not be established.
packet from 192.168.140.226:500: initial Main Mode message received on 192.168.140.225:500 but no connection has been authorized with policy=PSK
Solution 2: Check the policy configuration on both gateways. This is especially important when the gateways come from different vendors.
Note: All default policies on the ASG have "strict policy" disabled. If the error message above appears, it is also possible that a connection gets established, but with different settings than those specified in the policy: without strict policy the ASG may negotiate a connection with "higher" security parameters than the configured ones.
If "strict policy" is activated on both gateways and the proposals do not match, messages like the following appear in the log file:
2008:11:20-12:50:02 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #309: Oakley Transform [OAKLEY_AES_CBC (256), OAKLEY_MD5, OAKLEY_GROUP_MODP1536] refused due to strict flag
2008:11:20-12:50:02 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #309: no acceptable Oakley Transform
2008:11:20-12:50:02 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #309: sending notification NO_PROPOSAL_CHOSEN to 192.168.140.226:500
2008:11:20-12:50:25 (none) pluto[13925]: packet from 192.168.140.226:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
CLI Site-To-Site VPN using certificates/ Connection problems (2)
Scenario 3: The tunnel can not be established.
2008:11:20-14:41:16 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #494: byte 2 of ISAKMP Identification Payload must be zero, but is not
2008:11:20-14:41:16 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #494: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
2008:11:20-14:41:25 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #492: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
Solution 3: Check the preshared keys on both gateways. These messages indicate different keys: with a wrong key the first encrypted Main Mode message cannot be decrypted correctly by the peer, so its contents are reported as a malformed payload.
Scenario 4: The tunnel can not be established.
2008:11:20-15:04:43 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #520: issuer cacert not found
2008:11:20-15:04:43 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #520: X.509 certificate rejected
2008:11:20-15:04:43 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #520: Signature check (on @asg226.asllab.net) failed (wrong key?); tried *AwEAAdhkV
Solution 4: In this case authentication is done with certificates, and the branch office still uses its old local self-signed certificate (configured via the option "Local X509 Certificate") instead of the certificate issued by the headquarters. Check the certificate configuration on both sides.
Note: A good overview of the actual tunnel configuration is given in the file /var/chroot-ipsec/etc/ipsec.conf. Entries starting with "left" refer to the local ASG, entries starting with "right" to the remote gateway. The file is generated dynamically when a tunnel is activated; manual changes to it are discarded and ignored.
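As an added example, not part of the Astaro courseware, the POSIX shell functions below read an ipsec_eroute listing for a given network pair and classify the pluto messages from the four scenarios above into the check each scenario recommends (network definitions, policy, strict policy, preshared key, certificate), alongside the two "SA established" lines for a healthy tunnel. The eroute and log contents are constructed after the slides' extracts (the SA identifier after tun0x is made up); the function names tunnel_packets and diagnose_pluto are this example's own.

```sh
#!/bin/sh
# Added example: check an eroute and classify pluto log messages from /var/log/ipsec.log.
# All inputs are constructed after the slides' extracts, not taken from a live gateway.

EROUTE=$(mktemp)
# Format: packets local_net -> remote_net => SA@peer (the SA identifier is constructed)
cat >"$EROUTE" <<'EOF'
14 172.16.55.0/24 -> 192.168.150.0/24 => tun0x1002@192.168.140.226
EOF

OK_LOG=$(mktemp); PSK_LOG=$(mktemp); STRICT_LOG=$(mktemp); CERT_LOG=$(mktemp)
printf '%s\n' \
 '2008:11:20-12:00:31 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #273: ISAKMP SA established' \
 '2008:11:20-12:00:31 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #276: sent QI2, IPsec SA established' >"$OK_LOG"
printf '%s\n' \
 '2008:11:20-14:41:16 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #494: byte 2 of ISAKMP Identification Payload must be zero, but is not' \
 '2008:11:20-14:41:16 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #494: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet' \
 '2008:11:20-14:41:25 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #492: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message' >"$PSK_LOG"
printf '%s\n' \
 '2008:11:20-12:50:02 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #309: Oakley Transform [OAKLEY_AES_CBC (256), OAKLEY_MD5, OAKLEY_GROUP_MODP1536] refused due to strict flag' \
 '2008:11:20-12:50:02 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #309: no acceptable Oakley Transform' \
 '2008:11:20-12:50:02 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #309: sending notification NO_PROPOSAL_CHOSEN to 192.168.140.226:500' >"$STRICT_LOG"
printf '%s\n' \
 '2008:11:20-15:04:43 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #520: issuer cacert not found' \
 '2008:11:20-15:04:43 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #520: X.509 certificate rejected' >"$CERT_LOG"

# tunnel_packets EROUTE_FILE LOCAL REMOTE -> packet counter of that eroute, empty if none exists
tunnel_packets() {
    awk -v l="$2" -v r="$3" '$2 == l && $4 == r { print $1 }' "$1"
}

# diagnose_pluto IPSEC_LOG -> one line per condition found, phrased as the check to perform.
# The patterns are the pluto messages quoted on the slides for each scenario.
diagnose_pluto() {
    awk '
        /ISAKMP SA established/ { p1 = 1 }
        /IPsec SA established/  { p2 = 1 }
        /no connection is known for/                    { hit["networks"] = 1 }
        /no connection has been authorized with policy/ { hit["policy"] = 1 }
        /refused due to strict flag|no acceptable Oakley Transform|NO_PROPOSAL_CHOSEN/ { hit["strict"] = 1 }
        /mismatch of preshared secrets|Possible authentication failure/ { hit["psk"] = 1 }
        /issuer cacert not found|X\.509 certificate rejected|Signature check .* failed/ { hit["cert"] = 1 }
        END {
            if (p1 && p2)        print "established: phase 1 and phase 2 are up"
            if (hit["networks"]) print "networks: local/remote network definitions do not match the peer, check both sides"
            if (hit["policy"])   print "policy: no connection authorized for this policy, compare the IPsec policies on both gateways"
            if (hit["strict"])   print "strict: strict policy rejected the peer proposal, align cipher, hash and DH group"
            if (hit["psk"])      print "psk: preshared keys differ between the gateways"
            if (hit["cert"])     print "cert: peer certificate not issued by the expected CA, check the certificate configuration"
        }' "$1"
}

# Stand-alone run against the constructed inputs
echo "packets through 172.16.55.0/24 -> 192.168.150.0/24: $(tunnel_packets "$EROUTE" 172.16.55.0/24 192.168.150.0/24)"
for f in "$OK_LOG" "$PSK_LOG" "$STRICT_LOG" "$CERT_LOG"; do diagnose_pluto "$f"; done
```

Run against the real /var/log/ipsec.log the classifier lists every condition seen in the file, so restrict the input to the lines for one connection name (grep for the S_REF_... name) when several tunnels are configured.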
Miscellaneous issues
CLI Miscellaneous issues/ Lost passwords
Scenario: The WebAdmin password has been forgotten or lost.
If the 'root' and 'loginuser' passwords are known:
Log in to the shell via SSH, or connect a monitor and keyboard directly to the AxG. At the shell prompt enter the configuration utility and reset the password as follows:
dot10:/root # cc
127.0.0.1 MAIN > RAW
127.0.0.1 RAW > system_password_reset
127.0.0.1 RAW > (press Ctrl-C to leave)
Log back into the WebAdmin; a prompt to set a new password will appear.
CLI Miscellaneous issues/ Lost passwords
Scenario: All passwords have been forgotten or lost (1)
Reset the console passwords with a Linux LiveCD
In order to reset the passwords of a system you can no longer access, you need a Linux LiveCD. There are many distributions, and if you already have one it will likely work. The distribution used to test this procedure was Ubuntu Linux; the ISO image can be found here: http://mirror.cs.umn.edu/ubuntu-releases/intrepid/ubuntu-8.10-desktop-i386.iso
What you will need:
* Physical access to the ASG
* Keyboard
* Mouse (optional, depending on the distribution you are using)
* Monitor
* Suitable CD-ROM drive (USB for appliances, various types for software-based systems)
* PC with network access and a CD burner (or access to a LiveCD)
Download a suitable Linux LiveCD (the latest Ubuntu Linux distribution is confirmed to work) and burn the ISO image to a CD.
Attach the peripherals to the ASG. You should see a prompt that says 'login:' on the screen. Insert the LiveCD into the CD-ROM drive and reboot the system; it should now boot into the LiveCD. Depending on the LiveCD you may need to choose options to boot into the system.
CLI Miscellaneous issues/ Lost passwords
Scenario: All passwords have been forgotten or lost (2)
Once booted, open a terminal and gain root privileges; with most distributions this is done with the 'su' command, with Ubuntu it is 'sudo su'. Then run the following commands (the commands to type are the ones after the Linux> and Linux# prompts):
Linux> su
Linux# mkdir /mnt/asg
Linux# mount LABEL=root /mnt/asg
Linux# chroot /mnt/asg /bin/bash
Linux# passwd loginuser
Changing password for user loginuser
Password:
Retype password:
Linux# passwd
Changing password for user root
Password:
Retype password:
Linux# exit
Linux# umount /mnt/asg
Now take the CD out of the drive and reboot the ASG. After the reboot you can sign in as root on the console with the new root password.
Reset the admin password from the ASG's console: log into the ASG via the console and enter the following commands:
dot10:/root # cc
127.0.0.1 MAIN > RAW
127.0.0.1 RAW > system_password_reset
127.0.0.1 RAW > (press Ctrl-C to leave)
Note: This procedure also shows why physical access to the appliance must be restricted: anyone who can boot it from removable media can reset all of its passwords.
CLI Miscellaneous issues/ Up2date troubleshooting (1)
Scenario: System Up2dates applied in the WebAdmin do not update the system to the latest version.
Simulation of RPM installs
A simulated Up2date install is useful for determining why a particular Up2date fails, for example because there is no connection to the Up2date servers. The output appears in the standard /var/log/up2date.log file; for an individual test, redirecting it to a separate file makes examination easier. From the shell run:
dot10:/root # auisys.plx --simulation
Or, to write the output to a specific file such as 'up2datetest.log':
dot10:/root # auisys.plx --simulation >> up2datetest.log
Scenario: Up2date to a specific version is desired
This is useful for updating to a specific version rather than all the way to the latest, in particular with Up2dates that make large changes, as the feature releases 7.100, 7.200, 7.300 and 7.400 do. Before updating completely it is usually useful, and causes fewer problems, to first update to the latest release of the series before a feature release. For example, update to 7.202 first, then to the latest 7.30x after the system has rebooted with a running 7.202.
dot10:/root # auisys.plx --upto 7.300
CLI Miscellaneous issues/ Up2date troubleshooting (2)
Scenario: A 'force' of an Up2date is required
For Up2date issues the combination of --rpmargs and --force has the greatest effect on loading all current Up2dates. In addition these can be combined with --upto <version>. This command is the standard way to force all Up2dates present on the system to load despite previous Up2date failures, which may be caused by customized RPM packages having been installed on the system earlier.
dot10:/root # auisys.plx --rpmargs --force
Or combined with the 'upto' version:
dot10:/root # auisys.plx --rpmargs --force --upto 7.300
Scenario: A downloaded Up2date appears corrupt and must be downloaded again.
Sometimes a new download or the removal of an Up2date is required to resolve an issue, if an Up2date has been corrected on the Up2date servers or is otherwise corrupted on the customer system. Remove the affected system Up2dates from the AxG and trigger a new download:
dot10:/root # cd /var/up2date/sys
dot10:/var/up2date/sys # rm u2d-sys-7.301*   (or whichever Up2date you wish to remove)
dot10:/var/up2date/sys # audld.plx   (triggers a new download)
If the download cannot communicate or authenticate with a server, the package can be pulled directly from the Astaro FTP servers into the /var/up2date/sys directory with a wget command such as:
dot10:/root # cd /var/up2date/sys
dot10:/var/up2date/sys # wget http://ftp.astaro.com/ASG/v7/up2date/u2d-sys-7.300.tgz.gpg
CLI Miscellaneous issues/ Restore a Backup from SSH
Scenario: WebAdmin access is unavailable, but shell access is, and there are backups stored on the AxG.
If WebAdmin access is unavailable, it is possible to restore a saved backup file from SSH or the direct console.
1) Log in via SSH:
login: loginuser
password: <loginuser password>
Gain root access: su
password: <root password>
2) Identify the backup file needed:
cd /var/confd/var/storage/snapshots
ls -l
Files appear in the form cfg_21707_1200723302
3) Restore the backup file:
/usr/local/bin/backup.plx -i /var/confd/var/storage/snapshots/cfg_21707_1200723302
Introduction to ACC
In this chapter you will see:
Astaro Command Center
Astaro Command Center / Overview
Centralized and efficient management of multiple Astaro Gateways
Central threat-level monitoring
IPSec VPN tunnel creation and monitoring
Central Up2date cache
Using state-of-the-art Web 2.0 technologies like AJAX (Asynchronous JavaScript And XML)
Tracking of critical system parameters in real time:
detected threats
license status
software updates
resource usage
No license needed: ACC is free.
ACC System Overview/ Available Appliances
                          ACC 1000            ACC 2000            ACC 3000            ACC 4000            ACC Virtual Appliance
Max gateways supported    20                  50                  100                 200                 Unrestricted
Administrators*           1                   2                   3                   4                   depends on hardware platform**
Clients*                  4                   10                  20                  40                  depends on hardware platform**
Network ports             2 x 10/100/1000     2 x 10/100/1000     3 x 10/100/1000     3 x 10/100/1000     depends on hardware platform**
System storage            30 GB               30 GB               30 GB               60 GB               depends on hardware platform**
Log/Reporting storage     40 GB               40 GB               40 GB               80 GB               depends on hardware platform**
Suitable for small to large networks.
* Administrators with full access; clients with access to an average of 5 gateways and 1/3 of the clients simultaneously logged in.
** Depends on the hardware platform used.
Astaro Command Center / Features
Inventory management provides comprehensive information about each device (CPU, hard disk, memory, network interfaces, software version and more)
All Astaro Security Gateway devices are automatically organized into device groups
Single sign-on eases configuration management
Central update management makes it possible to update multiple devices with a single click
Role-based multi-administrator support
Astaro Command Center/ ASG Configuration
AxGs must be configured with the IP address/hostname of the ACC server and the shared secret.
The connection between ASG and ACC is SSL-encrypted and uses port 4433.
Packet filter rules allowing this communication are created automatically.
Astaro Command Center/ ACC Configuration (1)
ACC has an 'Administrative' GUI and a 'Gateway Manager' GUI.
The Administrative GUI is accessed via port 4444, just like the other AxG products.
Look and feel are the same, with sections for Management, Network settings, etc.
Astaro Command Center/ ACC Configuration (2)
Gateway Manager submenu controls access for Administrators, Clients, and Networks
Astaro Command Center/ Gateway Manager
Gateway Manager access is via port 4422 by default
Different monitoring views display information on connected gateways, such as:
Threats
Licenses
Versions
Resources
Services
Availability
Astaro Command Center/ Gateway Manager
Maintenance shows inventory information and allows scheduled operations on individual gateways. Options are:
Reboot
Shutdown
Prefetch Up2dates
Install Firmware
Install Patterns
Astaro Command Center/ Gateway Manager
Management allows for selective control of which Gateways can connect via the Registration submenu
Access Control allows for role based access for Users
Astaro Command Center/ Gateway Manager
Configuration offers a Site-to-Site VPN configuration wizard.
Easily create and monitor VPN connections between Astaro Security Gateways.
Additional configuration options, such as centralized object creation and management, will be available in later releases.
Astaro Command Center/ Review Questions
1. Which technology is ACC built upon?
2. What features does ACC offer?
3. What port is used for communication between ACC and ASG?
4. Is the traffic encrypted?
5. Is it possible to cache the Up2Date packages for multiple ASGs?
Astaro Report Manager
The topics in this chapter will be:
Overview of the Astaro Report Manager
Installation/configuration of ARM and the syslog software
Astaro Report Manager/ Overview
ARM is a data collection, analysis, and reporting tool
Aggregates and parses syslog data from network devices
Includes:
Real-time monitoring
Alerts based on configurable parameters
Built-in and customizable reports
Forensic analysis
Astaro Report Manager/ Overview/ Security Center
The Security Center offers manageable Monitoring views and the ability to create ‘Drill Down’ reports by simply double clicking items to bring up a ‘Workbench’
Astaro Report Manager/ Overview / Security Center
The Reporting section offers more than 800 reports on information such as:
Attacks
Bandwidth
Content Categorization
Event
Web Activity
Historical information can be viewed using the built-in calendar.
Astaro Report Manager/ Overview / Security Center
Information can be viewed in different formats and exported or printed
Astaro Report Manager/ Installation/Configuration
Hardware requirements depend on the number of devices sending data.
Recommended specs:
Pentium 4 2.8 GHz or higher
100 GB or more disk space
2 GB or more RAM
Windows Server 2000/2003
IIS or Apache (Apache recommended)
Fast I/O
Internet Explorer 6.0 or higher with Java
Astaro Report Manager/ Installation/Configuration
ARM is available on the Astaro FTP servers, accessible through http://my.astaro.com/
The current version is 4.6, which is the only release that works with AxG V7.
The FTP site contains both the ARM software and the syslog server software.
Astaro Report Manager/ Installation/Configuration
Installation requires admin rights
Choose 'Standalone' for most installations
Encrypt traffic with SSL
Choose Apache server for most installations
Astaro Report Manager/ Installation/Configuration
Once Astaro Report Manager installation is complete it will prompt you to install the Syslog server
Choose all of the defaults unless a change is needed for the Syslog port (UDP 514) or you need to restrict connections to trusted IPs.
Astaro Report Manager/ Installation/Configuration
By default the ARM software will check for the presence of a new device sending syslog data every 60 seconds.
Devices will appear on the Devices tab
Devices must have a valid license before Monitoring will begin
Astaro Report Manager/ Installation/Configuration
Licenses are managed via the License Manager icon located in the upper-left corner of the ARM screen.
The License Manager offers the ability to add, manage, and update licenses and devices.
Astaro Report Manager/ Installation/Configuration
Once a device is licensed and has a checkbox under the Monitoring column, it should be accepting Syslog data from your AxG. To confirm that the system is receiving data, use the AppStatus icon.
Syslog Statistics are shown there, and clicking the Refresh button should show updated counts.
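The Syslog server settings above (UDP 514, trusted IPs) and the AppStatus check both come down to the same small pipeline: accept datagrams only from known senders, parse them, and keep per-device counts so that a device that stops reporting or a sender that was never expected is visible. The following is an added example written for this page, not Astaro's code and not the ARM implementation. It assumes an RFC 3164-style header (`<PRI>timestamp host tag: message`) and a key="value" message body; the sample datagrams and IP addresses are constructed for the demo. Because syslog over UDP carries no authentication, the source-address allowlist is the only thing keeping stray or spoofed senders out of the statistics, which is why the "trusted IPs" option matters.

```python
import ipaddress
import re
import socket
from collections import Counter, defaultdict
from dataclasses import dataclass

# RFC 3164-style header: <PRI>Mmm dd hh:mm:ss host tag: message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\s]+):\s?(?P<msg>.*)$"
)
# key="value" pairs in the message body (assumed layout, modelled on the
# constructed sample lines below, not taken from a real ASG log)
KV_RE = re.compile(r'(\w+)="([^"]*)"')


@dataclass
class SyslogEvent:
    facility: int
    severity: int        # 0 = emergency ... 7 = debug
    host: str
    tag: str
    fields: dict


def parse_syslog(line: str):
    """Parse one syslog line; return None if it is not well formed."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    pri = int(m.group("pri"))
    if pri > 191:        # facility 23 / severity 7 is the largest valid PRI
        return None
    return SyslogEvent(pri // 8, pri % 8, m.group("host"), m.group("tag"),
                       dict(KV_RE.findall(m.group("msg"))))


class SyslogCollector:
    """Accepts datagrams only from trusted networks and keeps per-device counts."""

    def __init__(self, trusted_networks):
        self.trusted = [ipaddress.ip_network(n) for n in trusted_networks]
        self.devices = {}                 # source IP -> host name seen in its messages
        self.accepted = Counter()         # source IP -> accepted message count
        self.dropped = Counter()          # drop reason -> count
        self.by_severity = defaultdict(Counter)

    def is_trusted(self, src_ip: str) -> bool:
        ip = ipaddress.ip_address(src_ip)
        return any(ip in net for net in self.trusted)

    def ingest(self, src_ip: str, data: bytes) -> str:
        """Process one datagram; returns why it was accepted or dropped."""
        if not self.is_trusted(src_ip):
            self.dropped["untrusted"] += 1
            return "untrusted"
        ev = parse_syslog(data.decode("utf-8", "replace").rstrip("\r\n"))
        if ev is None:
            self.dropped["malformed"] += 1
            return "malformed"
        status = "accepted" if src_ip in self.devices else "new-device"
        self.devices.setdefault(src_ip, ev.host)
        self.accepted[src_ip] += 1
        self.by_severity[src_ip][ev.severity] += 1
        return status

    def stats(self) -> dict:
        """Per-device counts, the equivalent of a 'Syslog Statistics' view."""
        return {
            "devices": {
                src: {"host": host, "messages": self.accepted[src],
                      "severities": dict(self.by_severity[src])}
                for src, host in self.devices.items()
            },
            "dropped": dict(self.dropped),
        }


def serve(collector: SyslogCollector, bind_addr="0.0.0.0", port=514):
    """Blocking UDP receive loop (not used by demo(); binding port 514 needs privileges)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        while True:
            data, (src_ip, _) = sock.recvfrom(65535)
            collector.ingest(src_ip, data)


# Constructed sample datagrams (source IP, payload); not real ASG output.
SAMPLE_DATAGRAMS = [
    ("192.0.2.10", b'<14>Jun 10 12:00:00 asg-fw ulogd[1234]: id="2001" sub="packetfilter" '
                   b'name="Packet dropped" action="drop" srcip="203.0.113.5" dstport="22"'),
    ("192.0.2.10", b'<12>Jun 10 12:00:01 asg-fw ips[555]: id="2101" sub="ips" '
                   b'name="Intrusion detected" action="alert"'),
    ("198.51.100.7", b'<14>Jun 10 12:00:02 rogue kernel: stray or spoofed sender'),
    ("192.0.2.10", b'not a syslog message'),
]


def demo():
    """Feed the sample datagrams through a collector that trusts only 192.0.2.0/24."""
    collector = SyslogCollector(["192.0.2.0/24"])
    results = [collector.ingest(src, payload) for src, payload in SAMPLE_DATAGRAMS]
    return results, collector.stats()


if __name__ == "__main__":
    results, stats = demo()
    print(results)
    print(stats)
```

Running `demo()` reports the first datagram as a new device, the second as accepted, the third as dropped for an untrusted source and the fourth as malformed; the stats show one device (`asg-fw`) with two messages split across severities 6 and 4. The same split between "untrusted" and "malformed" drops is the first thing to look at when a licensed device shows no counts in AppStatus: either its packets never reach the server, or they arrive from an address that is not on the trusted list.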
Astaro Report Manager/ Installation/Configuration
The Astaro Report Manager default collection policy does not include monitoring of event logs, which results in minimal information on the dashboard screens. To enable monitoring, change the collection policy by clicking the Policies button to open the Policy Manager. Highlight and edit the ‘Collect All’ policy and add your device. Once saved, the dashboards should start displaying real-time information.
THE END.
Questions & Answers.