Lab Books SMC 5_2

Administrator Certification StoneGate Management Center 5.2

Post on 14-Oct-2014


Page 1: Lab Books SMC 5_2

Administrator Certification

STONEGATE MANAGEMENT CENTER 5.2


Legal Information

End-User License Agreement
The use of the products described in these materials is subject to the then current end-user license agreement, which can be found at the Stonesoft website: www.stonesoft.com/en/support/eula.html

Third Party Licenses
The StoneGate software includes several open source or third-party software packages. The appropriate software licensing information for those products is available at the Stonesoft website: www.stonesoft.com/en/support/third_party_licenses.html

U.S. Government Acquisitions
If Licensee is acquiring the Software, including accompanying documentation on behalf of the U.S. Government, the following provisions apply. If the Software is supplied to the Department of Defense (“DoD”), the Software is subject to “Restricted Rights”, as that term is defined in the DOD Supplement to the Federal Acquisition Regulations (“DFAR”) in paragraph 252.227-7013(c) (1). If the Software is supplied to any unit or agency of the United States Government other than DOD, the Government’s rights in the Software will be as defined in paragraph 52.227-19(c) (2) of the Federal Acquisition Regulations (“FAR”). Use, duplication, reproduction or disclosure by the Government is subject to such restrictions or successor provisions.

Product Export Restrictions
The products described in this document are subject to export control under the laws of Finland and the European Council Regulation (EC) N:o 1334/2000 of 22 June 2000 setting up a Community regime for the control of exports of dual-use items and technology (as amended). Thus, the export of this Stonesoft software in any manner is restricted and requires a license by the relevant authorities.

General Terms and Conditions of Support and Maintenance Services
The support and maintenance services for the products described in these materials are provided pursuant to the general terms for support and maintenance services and the related service description, which can be found at the Stonesoft website: www.stonesoft.com/en/support/view_support_offering/terms/

Replacement Service
The instructions for replacement service can be found at the Stonesoft website: www.stonesoft.com/en/support/view_support_offering/return_material_authorization/

Hardware Warranty
The appliances described in these materials have a limited hardware warranty. The terms of the hardware warranty can be found at the Stonesoft website: www.stonesoft.com/en/support/view_support_offering/warranty_service/

Trademarks and Patents
The products described in these materials are protected by one or more of the following European and US patents: European Patent Nos. 1065844, 1189410, 1231538, 1259028, 1271283, 1289183, 1289202, 1304849, 1313290, 1326393, 1379046, 1330095, 131711, 1317937 and 1443729 and US Patent Nos. 6,650,621; 6 856 621; 6,885,633; 6,912,200; 6,996,573; 7,099,284; 7,127,739; 7,130,266; 7,130,305; 7,146,421; 7,162,737; 7,234,166; 7,260,843; 7,280,540; 7,302,480; 7,386,525; 7,406,534; 7,461,401; 7,721,084; and 7,739,727 and may be protected by other EU, US, or other patents, or pending applications. Stonesoft, the Stonesoft logo and StoneGate, are all trademarks or registered trademarks of Stonesoft Corporation. All other trademarks or registered trademarks are property of their respective owners.

Disclaimer
Although every precaution has been taken to prepare these materials, THESE MATERIALS ARE PROVIDED "AS-IS" and Stonesoft makes no warranty to the correctness of information and assumes no responsibility for errors, omissions, or resulting damages from the use of the information contained herein. All IP addresses in these materials were chosen at random and are used for illustrative purposes only.

Copyright © 2010 Stonesoft Corporation. All rights reserved. All specifications are subject to change.

Revision: SGIIG_20101004


TABLE OF CONTENTS

Preface . . . 5
  Course Goals . . . 5
  How To Use This Book . . . 6
    Typographical Conventions . . . 6
  Contact Information . . . 7
    Licensing Issues . . . 7
    Technical Support . . . 7
    Your Comments . . . 7
    Other Queries . . . 7

LAB 1 Management Server Installation . . . 9
  Getting Started . . . 10
    Objectives . . . 10
  Installing the SMC in Demo Mode . . . 10
  Logging in to the Management Client . . . 12
  Summary . . . 12

LAB 2 Using Logs: Visualizing Security . . . 13
  Getting Started . . . 14
    Using Tabs and Windows . . . 14
  Viewing Logs . . . 15
  Filtering Logs . . . 16
    Manually Creating a Filter . . . 16
  Viewing Log Statistics . . . 19
    Viewing the Top Situations . . . 19
    Viewing Individual Event Records . . . 20
  Summary . . . 21

LAB 3 Taking Action: Security From Logging . . . 23
  Getting Started . . . 24
    Objectives . . . 24
  Creating a Rule Based on a Log Entry . . . 24
  Customizing the Rule . . . 25
  Organizing the Policy . . . 26
    Adding a Comment Rule . . . 26
    Changing the Color of the Comment Rule . . . 27
  Summary . . . 27

LAB 4 Overviews and Reporting . . . 29
  Getting Started . . . 30
    Objectives . . . 30
  Viewing Statistics . . . 30
    Viewing the Default Overview . . . 30
    Customizing Overview Sections . . . 31
    Adding a Firewall Allowed Traffic by Interface Section . . . 31
    Organizing the Overview Sections . . . 32
    Saving the Overview . . . 33
  Generating Predefined Reports . . . 33
    Viewing the Report . . . 34
  Summary . . . 35

LAB 5 Advanced Administration . . . 37
  Getting Started with Log Data Tasks . . . 38
    Creating an Archive Log Task . . . 38
      Defining the Task Options . . . 39
      Defining the Operation Options . . . 39
    Running the Archive Log Task . . . 40
    Scheduling the Archive Log Task . . . 40
  Backing up the Management Server . . . 41
    Scheduling a Management Server Backup . . . 41
  Getting Started with Alert Management . . . 42
    Configuring Alert Channels . . . 42
    Creating an Alert Chain . . . 43
      Creating the Office Alert Chain . . . 43
      Creating the Home Alert Chain . . . 44
    Creating an Alert Policy . . . 44
      Adding a Rule for the Office Alert Chain . . . 45
      Adding a Rule for the Home Alert Chain . . . 45
  Getting Started with Role-Based Access Control . . . 47
    Creating an Administrator Role . . . 47
    Creating an Administrator Account . . . 48
      Selecting Granted Elements . . . 49
    Testing Administrator Privileges . . . 49
  Summary . . . 50


PREFACE

Welcome to the StoneGate Administrator Certification course.

In addition to this lab exercise book, you may find it useful to refer to the StoneGate Reference Guide, distributed as part of the StoneGate Training Kit.

During this training course, you will use an environment that consists of a Management Server and simulated firewall and IPS engines that are run on a VMware Player.

Course Goals

In this course, you will learn how to use the StoneGate Management Center.

By the end of this course, you will be able to:

• Use the navigation tools in the Management Client effectively.
• Monitor the status of the StoneGate components.
• Monitor traffic statistics.
• View and filter logs.
• Manage log data.
• Generate predefined and custom reports.
• Define administrator roles.
• Restrict the privileges of an administrator account.
• Use the automated alert system.

At the end of the course you will be offered the possibility to participate in the StoneGate Management Center Administrator (SGSMCA) exam.


How To Use This Book

We begin the labs by offering some general information that might be useful while working on the exercise. You can find more information on each topic in the StoneGate Reference Guide. We also describe how the task contributes to the larger scenario that we are building throughout the course. This should help you to keep the larger picture in mind while working on the numerous details, and to better understand the purpose behind each individual task.

The Getting Started section of each lab exercise contains practical information, such as prerequisites for the lab, when needed.

Typographical Conventions

The following typographical conventions are used throughout the guide:

Table 0.1 Typographical Conventions

Formatting: Informative Uses

Normal text: This is normal text.

User Interface text: Text you see in the User Interface (buttons, menus, etc.) and any other interaction with the user interface are in bold-face.

References, terms: Cross-references and first use of acronyms and terms are in italics.

Command line: File names, directories, and text displayed on the screen are monospaced.

User input: User input on screen is in monospaced bold-face.

Command parameters: Command parameter names are in monospaced italics.

We use the following ways to indicate important or additional information:

Tip – Tips provide information that is not crucial, but may still be helpful.

Note – Notes provide important information that prevents mistakes or helps you complete a task.

Caution – Cautions provide critical information that you must take into account to prevent breaches of security, information loss, or system downtime.


Contact Information

For street addresses, phone numbers, and general information about StoneGate and Stonesoft Corporation, visit our website at http://www.stonesoft.com/.

Licensing Issues

You can view your current licenses at the License Center section of the Stonesoft website at https://my.stonesoft.com/managelicense.do.

For license-related queries, e-mail [email protected].

Technical Support

Stonesoft offers global technical support services for Stonesoft’s product families. For more information on technical support, visit the Support section at the Stonesoft website at http://www.stonesoft.com/support/.

Your Comments

We want to make our products fulfill your needs as well as possible. We are always pleased to receive any suggestions you may have for improvements.

• To comment on software and hardware products, e-mail [email protected].
• To comment on the documentation, e-mail [email protected].

Other Queries

For queries regarding other matters, e-mail [email protected].


LAB 1

MANAGEMENT SERVER INSTALLATION

The following sections are included:

Getting Started (page 10)
Installing the SMC in Demo Mode (page 10)
Logging in to the Management Client (page 12)


Getting Started

You will install the StoneGate Management Center (SMC) in Demo mode, and log in to the StoneGate Management Client with an unrestricted administrator account that allows you to perform all the administration tasks for the StoneGate components.

Objectives

In this lab, you will:

• Install the StoneGate Management Center in Demo Mode.
• Log in to the Management Client.

Installing the SMC in Demo Mode

Demo mode installs preconfigured Management Center components and simulated StoneGate Firewall/VPN and IPS engines. You will use this simulated environment for this course.

To install StoneGate Management Center in Demo mode

1. Copy the installation files from the USB memory stick to the desktop.

2. Browse to StoneGate_SW_installer\Windows and run setup.exe.
• First, the Java Runtime Environment (JRE) is installed for StoneGate. This may take a while.
• The Installation Wizard shows the Introduction screen.

3. Click Next to start the installation. The License Agreement is displayed.

4. Accept the License Agreement and click Next. The Select Installation Directory dialog opens.

5. Leave the default installation directory and click Next. The Select Shortcut Directory dialog opens.

Tip – Shortcuts can be used to manually start components and to run some maintenance tasks.

6. Leave the default values as they are and click Next. The Select StoneGate Components to be Installed dialog opens.

7. Select Demo Mode and click Next. You are prompted to select the backup to restore.


8. Select Demo Standard and click Next. The Demo Mode Installation dialog opens.

9. Click Next. The Pre-Installation Summary opens.

10. Click Install. The installation begins. When the installation is finished, the Demo Mode Installation Complete dialog opens.

11. Make a note of the login, password, and server address, and click Next.

12. Click Done to exit the installer. The Management Client login dialog opens.


Logging in to the Management Client

To log in to the Management Client

1. Log in with the demo account:

• User Name: demo.
• Password: demo.
• Server Address: 127.0.0.1.

The Confirmation dialog opens.

2. Click Accept. The Management Client opens, showing the Getting Started tab.

3. Close the Getting Started tab.

Summary

In this lab, you have installed the StoneGate Management Center in Demo mode. You have also logged in to the Management Client.


LAB 2

USING LOGS: VISUALIZING SECURITY

In this lab you will become familiar with viewing the logs, looking for potentially problematic situations, filtering the logs, visualizing the data, and taking action directly from the log data.

The following sections are included:

Getting Started (page 14)
Viewing Logs (page 15)
Filtering Logs (page 16)
Viewing Log Statistics (page 19)
Summary (page 21)


Getting Started

Administrators face a variety of security related challenges on a daily basis. Meeting these challenges starts with having the information necessary to make well informed decisions on security related matters. The StoneGate Management Center provides logging capabilities that allow an Administrator to see real-time, correlated information from all StoneGate components (Firewall/VPN, IPS, and SSL VPN). In addition to providing information on StoneGate components, the SMC also provides for the collection of logs from third-party devices. Having information from all aspects of a network in one location provides the Administrator with a clear picture of their security posture.

Logs can be used for a variety of purposes including intrusion detection, providing evidence for legal action, or the justification of a network upgrade, to name a few. Because the typical installation generates a great deal of logging information, a powerful method of filtering is required to suit the needs of the administrator. The StoneGate Management Center uses drag-and-drop filtering which allows for the creation of filters directly from the log entries themselves. After the logs have been filtered, the StoneGate Management Center also provides powerful methods of visualizing data, wherein trends and problems can be seen easily.

Beyond simple log entries generated from the engines (Firewall/VPN, IPS, SSL VPN), the StoneGate Management Center also provides for the use of Alerts. These are events of interest that are designed to require the administrator’s attention. Whenever a rule with an alert defined as the log option matches traffic, the firewall or IPS node sends the specified Alert to the Log Server. The Management Server also sends alerts in case of critical system events. You can handle both StoneGate firewall and IPS-specific alerts through the same interface.

Using Tabs and Windows

Tabs are an essential part of the Management Client interface. Tabs allow you to efficiently manage information within the same window. Tabs in the Management Client operate in the same way as in most modern web browsers. You can also use the forward and back buttons to undo and redo operations, go back to previous views, or go forward through your workflow.

To open an item in a new tab

Ctrl-click the item you want to open or right-click and select Open in New Tab.

To open an item in a new window

Shift-click the item you want to open or right-click and select Open in New Window.


Viewing Logs

To view logs

1. Ctrl-click the Logs icon in the toolbar. The Logs view opens in a new tab.

2. Click the Current Events icon. The display shows the logs in real time as they arrive.

Tip – Clicking any log entry pauses the logs.


3. Double-click any log entry to see further details.

4. Click the Records icon in the toolbar to return to the Records arrangement.

Filtering Logs

Filters can be created by dragging and dropping items directly from the log entries or they can be created using the filter editor. You will create a manual filter that shows all permitted traffic from a specific sensor, and save the filter for later use in the Logs view and in other views.

Manually Creating a Filter

To manually create a filter

1. Right-click the Query Panel and select New→New Filter.

2. Click the Require All Of (And) toolbar button.

3. Browse to All Fields and type sender. The list automatically jumps to the first field that contains the string “sender”.

4. Double-click Sender to add it to the filter.

5. Switch to the Resources tab.

6. Browse to Engines→IPS Nodes→Atlanta IPS Analyzer node 1.

7. Drag and drop Atlanta IPS Analyzer node 1 on top of <Operands> next to Sender in the filter.

8. Switch back to the Fields tab.

9. Browse to Action and drag and drop it on top of AND in the filter.

10. Double-click <Operands> next to Action and select Permit.

11. Click Apply. The filter appears in the Query panel as a temporary filter.

12. Click the Save icon and name the filter Permitted Traffic - AtlantaIPS. Click OK.

You have now created a permanent filter that can be reused throughout the system. This filter can be used for filtering log data for other administrators, generating reports, and visualizing data. In the next exercise, you will see how individual log entries can be transformed into meaningful pictures, enabling you to quickly see trends and activity.


Viewing Log Statistics

The data now displayed in the log browser is filtered based on the last exercise. As you can see, there are many lines of data. As such, seeing trends in this way is difficult. The data are more useful when visualized. The StoneGate Management System allows you to represent the information in many different ways. For this exercise, you will see the Top Situations occurring on the network, based on the filter you created.

Viewing the Top Situations

To view the top Situations

1. Click the Statistics icon in the toolbar and select Top Situations. The Logs view changes to the Log Statistics arrangement.

Here you can see the situations that have occurred most frequently on your network. By default, the time range is 15 minutes, but more information from a longer time period is needed.

2. Change the Time Range in the Query panel to 1 hour and click Apply. Now the top Situations from the past hour are displayed.

Viewing Individual Event Records

For any situation displayed, it is possible to see the individual log records associated with that situation.

To view individual event records

1. Right-click SMB-TCPFailed-Session-Setup and select Show Records. The individual records are displayed, clearly showing that there is IPv6 traffic on the network, when there should not be.

To ensure that there are not multiple sources, you can visualize this information another way: Top Sources.

2. Click the Statistics icon in the toolbar and select Top Sources. A chart now appears showing the top source addresses for this Situation. You can now see that there is one source address for this traffic.

Tip – Because the Management Client navigation functions in a manner similar to a web browser, the back and forward arrows on the top toolbar can be used to navigate through the history of what you have done. This is very useful for repeating actions or undoing actions.

3. Click the Back arrow in the toolbar at the top to return to the log entries.
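The Lab 2 workflow (the saved "Require All Of" filter, Top Situations, Show Records and Top Sources) expressed as plain Python over constructed log records, as an added example that is not StoneGate code; the record fields (Sender, Action, Situation, Src) and every sample value are assumptions for illustration.

```python
"""Lab 2 workflow as plain Python (added example, not StoneGate code).

Reproduces the saved filter "Sender = Atlanta IPS Analyzer node 1 AND
Action = Permit", the Top Situations statistic, Show Records and the
Top Sources statistic over a constructed list of log records. The field
names (Sender, Action, Situation, Src) and all values are assumptions.
"""
import ipaddress
from collections import Counter
from typing import Callable, Dict, List, Sequence, Tuple

LogRecord = Dict[str, str]
Condition = Tuple[str, str]          # (field name, required value)
LogFilter = Callable[[LogRecord], bool]

# Constructed sample records; the layout is an assumption, not the SMC log format.
SAMPLE_LOGS: List[LogRecord] = [
    {"Sender": "Atlanta IPS Analyzer node 1", "Action": "Permit",
     "Situation": "SMB-TCPFailed-Session-Setup", "Src": "2001:db8::10"},
    {"Sender": "Atlanta IPS Analyzer node 1", "Action": "Permit",
     "Situation": "SMB-TCPFailed-Session-Setup", "Src": "2001:db8::10"},
    {"Sender": "Atlanta IPS Analyzer node 1", "Action": "Permit",
     "Situation": "HTTP_Client-Request", "Src": "192.0.2.5"},
    {"Sender": "Atlanta IPS Analyzer node 1", "Action": "Terminate",
     "Situation": "SMB-TCPFailed-Session-Setup", "Src": "198.51.100.7"},
    {"Sender": "Helsinki FW node 1", "Action": "Permit",
     "Situation": "Connection_Allowed", "Src": "192.0.2.9"},
]


def require_all(conditions: Sequence[Condition]) -> LogFilter:
    """'Require All Of (And)': every (field, value) pair must match."""
    return lambda rec: all(rec.get(field) == value for field, value in conditions)


def require_any(conditions: Sequence[Condition]) -> LogFilter:
    """'Require Any Of (Or)' counterpart, for filters that combine alternatives."""
    return lambda rec: any(rec.get(field) == value for field, value in conditions)


# The filter saved in the lab as "Permitted Traffic - AtlantaIPS".
PERMITTED_TRAFFIC_ATLANTA_IPS: LogFilter = require_all([
    ("Sender", "Atlanta IPS Analyzer node 1"),
    ("Action", "Permit"),
])


def apply_filter(records: Sequence[LogRecord], flt: LogFilter) -> List[LogRecord]:
    """Return only the records the filter accepts (the Query panel's Apply)."""
    return [rec for rec in records if flt(rec)]


def top_situations(records: Sequence[LogRecord], limit: int = 10) -> List[Tuple[str, int]]:
    """Top Situations: situations ordered by how often they occurred."""
    return Counter(rec["Situation"] for rec in records).most_common(limit)


def show_records(records: Sequence[LogRecord], situation: str) -> List[LogRecord]:
    """Show Records: the individual log entries behind one situation."""
    return [rec for rec in records if rec["Situation"] == situation]


def top_sources(records: Sequence[LogRecord], situation: str,
                limit: int = 10) -> List[Tuple[str, int]]:
    """Top Sources: source addresses ordered by count for one situation."""
    return Counter(rec["Src"] for rec in show_records(records, situation)).most_common(limit)


def ipv6_sources(records: Sequence[LogRecord]) -> List[str]:
    """Source addresses that are IPv6, the condition the lab calls out as
    unexpected on this network. Values that are not addresses are skipped."""
    found = set()
    for rec in records:
        try:
            if ipaddress.ip_address(rec["Src"]).version == 6:
                found.add(rec["Src"])
        except ValueError:
            continue
    return sorted(found)


if __name__ == "__main__":
    permitted = apply_filter(SAMPLE_LOGS, PERMITTED_TRAFFIC_ATLANTA_IPS)
    print("Top Situations:", top_situations(permitted))
    top = top_situations(permitted, 1)[0][0]
    print("Top Sources for", top, ":", top_sources(permitted, top))
    print("IPv6 sources:", ipv6_sources(permitted))
```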


Summary

In this lab, you have learned how to see more information for a log entry with the help of the details view. Then you have learned to create a filter in order to see only those log entries you are interested in, and finally you have used log statistics to find trends in the traffic flow.


LAB 3

TAKING ACTION: SECURITY FROM LOGGING

The following sections are included:

Getting Started (page 24)
Creating a Rule Based on a Log Entry (page 24)
Customizing the Rule (page 25)
Organizing the Policy (page 26)
Summary (page 27)


Getting Started

Having identified a possible threat to the network, the ability to react to it quickly is very important. Traditionally, this would mean writing down the IP addresses of the source and destination, creating the objects, and finally, creating the rules. This procedure can be costly in terms of both time and reputation. During this lab, you will learn how to add rules to policies directly from log entries, manipulate the rule for maximum effectiveness, and organize these rules for future manageability.

Objectives

In this lab, you will:

• Create a rule from the logs
• Customize the rule
• Organize the policy for future management

Creating a Rule Based on a Log Entry

In the last lab, we saw IPv6 traffic on the network, and further, it appeared that some of that may have been an attack. Using the suspect log entries, you can directly create a rule that will, for example, terminate a connection, alert on that connection, or prevent it from being logged. The primary advantage of this approach is that all of the objects, such as the source and destination, are automatically created. This saves time and allows for a much faster response to a possible security situation.

To create a rule based on a log entry

1. Right-click any log entry (filtered from the last lab) and select Create Rule→Terminate Connection.


2. Click Select and select the Training Policy. The pre-configured rule appears, and the comment field is automatically filled with information about this new rule.

3. Ensure that Add Rules and Edit the Policy is selected and click OK. The rule is added to the Exceptions in the policy, and the policy opens for editing.

Customizing the Rule

When rules are added to the policy automatically, all relevant fields are configured. However, you may want to change the parameters of the rule to suit your exact needs. In this exercise, you will change the comment that was generated automatically to be more informative.

To customize the rule

1. If the Comment cell is not visible, rearrange the policy view in one of the following ways:

• Maximize the Management Client window.
• Right-click a cell heading and select Minimize All.
• Resize individual columns.

2. Double-click the Comment cell. You can now edit the comment.

3. Replace the comment with the following text: Suspicious IPv6 traffic, detected from the logs on <current date>.

Organizing the Policy

When adding rules to Firewall or IPS policies, it is important to maintain a well organized policy. There are many reasons for this, including legibility, audits and compliance, and basic organization. In this exercise, you will add comment rules to create sections in the policy that will allow you to organize rules according to their function.

Adding a Comment Rule

To add a comment rule

1. Right-click the ID of the Exception you just added and select Add Comment Rule Before. A blank comment rule is added.

Note that the existing rule is now nested under this comment rule. This is the primary means of organizing rules.

Tip – Click the plus symbol (+) on the left to see the rule below the comment rule.

2. Double-click the new comment rule and enter Rules added from Log Entries.


Changing the Color of the Comment Rule

Visual information is very important in organization. For this reason, the color of the comment rules can be changed. For example, the section containing false positive rules could be green, and the section containing rules added from logs could be red. In this exercise, you will change the color of the comment from the default to red.

To change the color of the comment rule

1. Right-click the comment rule you just added.

2. Select Colors and select red from the palette. The color of the comment rule changes to red, reflecting its importance.

3. Click the Save and Install icon in the toolbar.

Summary

In this lab, you have transformed real-time, unfiltered data into protection from a possible threat. Additionally, you have created an environment where future rule additions can be managed and maintained.


LAB 4

OVERVIEWS AND REPORTING

Now you will take a look at additional ways to monitor your network. In addition to viewing the status of the firewall and IPS engines in the System Status view, you can get different kinds of statistical information in the Overviews. You can view statistics on current activity or create reports of past activity.

The following sections are included:

Getting Started (page 30)
Viewing Statistics (page 30)
Generating Predefined Reports (page 33)
Summary (page 35)

Getting Started

A basic task for an administrator is to monitor the status of the firewall and IPS engines. Many times this is not enough; the administrators want to know more about the activity of their environment. In addition to allowing or rejecting network traffic, a StoneGate firewall collects information about the traffic in the logs. Monitored traffic can be used to show live statistics of firewall activity.

Objectives

In this lab, you will:

• Create overviews
• Create reports from statistics

Viewing Statistics

The statistical charts can be found in the Overviews, which allow you to have several sections for monitoring the system status and traffic statistics. You will customize the default overview to monitor the firewall allowed traffic. You will also customize the layout of the overview and save it.

Viewing the Default Overview

To view the default overview

1. Click the Overviews toolbar icon and select New Overview. The Overview Properties dialog opens.

2. Select Default and click OK. The default overview opens.


Customizing Overview Sections

The default time period for the Records by Data Type section is too short for your monitoring needs. In this exercise, you will change the time period and the graph type for the Records by Data Type section.

To customize an overview section

1. Right-click the Records by Data Type section and select Edit. The Section Properties panel opens on the right side of the window.

2. Select the Top Rate diagram type.

3. Select 1 hour as the Period. The changes are automatically applied to the section.

Adding a Firewall Allowed Traffic by Interface Section

To add a firewall allowed traffic by interface section

1. Click the New icon in the toolbar and select Statistics Section. A new section is added to the overview.

2. In the Section Properties panel, click Add. The Select Element dialog opens.


3. Type allowed in the Search field. Items with “allowed” in their names are displayed.

4. Select Allowed traffic by interface, FW (Packets) and click Select.

5. Switch to the Senders tab in the Section Properties panel.

6. Click the Select icon. The Select Element dialog opens.

7. Browse to Firewalls and select Helsinki FW.

Organizing the Overview Sections

To organize the Overview sections

1. Click the X of the Allowed Traffic (Bits) section to close the section.

2. Click the title of the Firewall Allowed Traffic by Interface section and move it to the space of the section you just closed.

3. Click the X of the Records by dst IP section to close the section.

4. Click and hold the left side of the Firewall Allowed Traffic by Interface section and drag it to the left to expand it across the space of the section you just closed.

Saving the Overview

To save the overview

1. Select File→Save As from the menu.

2. Name the Overview Atlanta Overview and click OK.

Generating Predefined Reports

First, you will generate a predefined daily summary report from the Firewall logs collected during the course.

To generate a report

1. Click the Configuration toolbar icon and select Monitoring. The Monitoring Configuration view opens.

2. Right-click Firewall Daily Summary and select Start. The Report Operation Properties dialog opens.

3. Deselect 1 Day Period.

4. Enter yesterday’s date as the Period Beginning.

5. Enter the current date and current time as the Period End.

Tip – You can click the Current Time button to automatically fill in the current date and time.

6. Switch to the Task tab and make sure Store Report is selected.

7. Click OK. The report is generated. When the report is ready, it appears in the Stored Reports list.

Viewing the Report

To view the report1. Double-click the report name. The report opens as an Overview.

2. Right-click the curve for the Helsinki FW in the Allowed connections by cluster section and select Show Records. The logs used to generate the report data are shown.


Summary

During this lab, you have learned how to monitor your firewall and receive real-time statistical information from it. You have viewed predefined Overviews and created your own customized Overview. You have also generated a report based on a predefined report design, seen how to read the generated reports to retrieve the desired information, and seen what conclusions can be made based on the reports. In the next lab, you will become familiar with advanced administration tasks, such as log data management, alert configuration, and role-based access control.


LAB 5

ADVANCED ADMINISTRATION

In this lab, you will become familiar with advanced administration tasks. You will configure log data management tasks, configure alerts, and use role-based access control to distribute the tasks for different levels of administrators.

The following sections are included:

Getting Started with Log Data Tasks (page 38)
Backing up the Management Server (page 41)
Getting Started with Alert Management (page 42)
Getting Started with Role-Based Access Control (page 47)
Summary (page 50)


Getting Started with Log Data Tasks

If you let log data build up, the logs eventually fill up the Log Server's hard disk and the Log Server stops receiving new logs. To prevent this, you can set up automatic scheduled tasks to export and remove the old logs.

Creating an Archive Log Task

To prevent old data from using too much disk space on the Log Server, you will create an Archive Log Task to export and delete the old log data.

To create an Archive Log Task

1. Click the Configuration toolbar icon and select Administration. The Administration Configuration view opens.

2. Browse to Tasks→Task Definitions.

3. Right-click Task Definitions and select New→Archive Log Task. The Archive Log Task Properties dialog opens.

4. Name the task Archive IPS.

5. Select Log Server from the list of Log Task Servers and click Add.


Defining the Task Options

To define the task options

1. Switch to the Task tab.

2. Select IPS Log as the Target Data.

3. Select Today as the Time Range.

Tip – You can use both relative and absolute definitions as the Time Range. There are also predefined ranges available.

Defining the Operation Options

To define the operation options

1. Switch to the Operation tab.

2. Click Select and browse to All Filters.

3. Select Permitted Traffic - AtlantaIPS and click Select.

Tip – Start typing the filter name to search for the filter.

4. Select Delete Source Data. This deletes the old log entries once they are archived.

5. Keep Primary archive as the Archive Target Directory.

6. Click OK. The Archive Log Task Properties dialog closes. The task you created appears in the Task Definitions list.


Running the Archive Log Task

Now that you have defined the Export Log Data and Delete Log Tasks, you can start the Tasks.

To run the Archive Log Task

1. Right-click Archive IPS and select Start. A Confirmation dialog opens.

2. Click Yes. The Archive Log Task starts.

3. Browse to Tasks→Executed Tasks when the task is finished to view the details of the finished task.

Tip – Log entries can also be exported directly in the Logs view. First select the log entries you want to export. Then right-click one of the selected entries and select Export Logs (to export XML or CSV or archive) or Print to PDF from the menu.

Scheduling the Archive Log Task

Log Data Tasks can also be scheduled to run automatically. To make sure that the Log Server hard disk will not fill up, it is a good idea to create a scheduled task to delete old, unnecessary log data. Archiving log data regularly also speeds up fetching and filtering the active log data. Archived logs can still be viewed in the Logs view.

To schedule the Archive Log Task

1. Browse to Tasks→Task Definitions.

2. Right-click Archive IPS and select Schedule. The Task Properties dialog opens.

3. Configure the properties as follows:
• Repeat: Daily.
• Start at: <today’s date> 23:59:00.

4. Click OK. The Archive IPS Task is scheduled to run daily.


Backing up the Management Server

The management server is a repository for the configurations of all managed devices. As such, part of a well-managed system is ensuring that a backup of the management server is done periodically. This will ensure that, in the event of a problem, there is always a backup available. This is one of the most important tasks that a StoneGate Administrator performs.

To back up the Management Server

1. Browse to File→System Tools→Backup. The backup dialog opens.

2. Select the Management Server and click Add.

3. Click OK. The progress window for the management backup opens.

Tip – When a manual backup or an automated backup completes, the backup file is stored in /usr/local/stonesoft/stonegate/backups on Linux and C:\Stonesoft\Stonegate\backups on Windows Platforms by default.

Scheduling a Management Server Backup

Management and Log Server backups can be scheduled to run automatically, ensuring that there is a current backup available if there is a problem critical to business continuity and security.

To schedule a Management Server backup

1. Browse to Tasks→Task Definitions.

2. Right-click Task Definitions and select New→Backup Task. The Backup Task Properties dialog opens.

3. Name the task Management Server Backup.

4. Select the Management Server and click Add.

5. Click OK. A new Backup Task is created.

6. Right-click Management Server Backup and select Schedule. The schedule dialog opens.


7. Configure the properties as follows:
• Repeat: Weekly.
• Start at: <today’s date> 23:59:00.

8. Click OK. The Management Server backup is scheduled to run weekly.

Getting Started with Alert Management

Configuring Alert Channels

Alert channels define how alert notifications are sent to administrators. For example, they specify which mail server is used to send the alerts. The alert channel is used in the configuration of the alert chain.

To configure alert channels

1. Browse to Servers and open the properties of the Log Server.

2. Switch to the Alert Channels tab.

3. Configure the properties as follows:
• SMTP Server: 172.31.200.101.
• Mail Sender Name: admin.
• Mail Sender Address: [email protected].
• GSM COM Port: COM1.
• PIN Code: 1234.

4. Click OK.


Creating an Alert Chain

An Alert Chain defines the escalation chain for alerts. Alert chains are used in the configuration of alert policies.

Creating the Office Alert Chain

To create the office alert chain

1. Browse to Alert Configuration→Alert Chains.

2. Right-click Alert Chains and select New Alert Chain. The Alert Chain Properties dialog opens.

3. Name the alert chain Office and click OK. The Alert Chain opens for editing in a new tab.

4. Right-click the Final Action row and select Rule→Add Rule. A new row appears in the Alert Chain.

5. Configure the rule with the following properties:
• Channel: SMTP.
• Destination: [email protected].
• Threshold to block: 10 alerts in 1h, notify blocking (default value).
• Delay: 30.

6. Right-click the rule and select Rule→Add Rule After. A new row appears.

7. Configure the rule with the following properties:
• Channel: SMS.
• Destination: 03584012345678.
• Delay: 0 min (default value).

8. Double-click the Threshold to block cell. The Threshold to Block dialog opens.

9. Fill in 2 alerts during 30 min and click OK. The finished alert chain should look like the illustration below.

10. Click the Save icon in the toolbar and close the Office alert chain.


Creating the Home Alert Chain

To create the home alert chain

1. Right-click Alert Chains and select New Alert Chain. The Alert Chain Properties dialog opens.

2. Name the alert chain Home and click OK. The Alert Chain opens for editing in a new tab.

3. Right-click the Final Action row and select Rule→Add Rule. A new row appears in the alert chain.

4. Configure the rule with the following properties:
• Channel: SMS.
• Destination: 03584087654321.
• Threshold to block: 2 alerts in 1 h, notify blocking.
• Delay: 0 min (default value).

5. Select Acknowledge as the Final Action.

6. Click the Save icon in the toolbar and close the Home alert chain.

Creating an Alert Policy

An Alert Policy allows you to specify how different alerts are directed to different escalation chains.

To create an alert policy

1. Browse to Alert Policies.

2. Right-click Alert Policies and select New Alert Policy. The Alert Policy Properties dialog opens.

3. Name the policy Atlanta Alerts and click OK. The Alert Policy opens for editing.


Adding a Rule for the Office Alert Chain

To add a rule for the office alert chain

1. Right-click the rule table and select Rule→Add Rule.

2. Drag and drop the following elements from the Alert Senders list to the Sender cell:
• Atlanta FW.
• Atlanta IPS Analyzer.

3. Click the Alert and Situation cell. A list of Alert and Situation elements opens on the left.

4. Drag and drop System Alert to the Alert and Situation cell.

5. Double-click the Time cell. The Alert Rule Validity Time dialog opens.

6. Define the time settings as follows:
• Days: Mon, Tue, Wed, Thu, Fri.
• Start Time: 08:00.
• End Time: 18:00.

7. Define the remaining settings as follows:
• Severity: ANY.
• Chain: Office.

The completed rule should look like the following illustration:

Adding a Rule for the Home Alert Chain

To add a rule for the home alert chain

1. Right-click the rule you just created and select Rule→Copy Rule.

2. Right-click the rule again and select Rule→Paste. A duplicate rule is added.

3. Change the following properties in the second rule:
• Start Time: 18:01.
• End Time: 23:59.
• Chain: Home.

4. Copy the rule you just created and paste it as the last rule.

Note – Time is defined in UTC.


5. Double-click the Time cell in the last rule and change the following settings:
• Start Time: 00:00.
• End Time: 07:59.

The Alert Policy should now look like the illustration below.

6. Save and install the Alert Policy on the Log Server.

7. Close the upload progress tab and the Alert Policy editing tab.

Note – The end time for a rule must be on the same calendar day as the start time. For this reason, you created one rule that is valid from 18:01-23:59 and another that is valid from 00:00-07:59 to cover the time range between 18:01-07:59.
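As an added example that is not part of the lab book (a constructed model, not StoneGate's own code), the following Python models the Atlanta Alerts rule table and shows why the 18:01-07:59 night window has to be two rules: the same-calendar-day constraint, the UTC evaluation from the note, and the fact that the copied rules keep Days: Mon-Fri, so a weekend alert matches no rule at all. Top-down first-match evaluation and minute-granularity time comparison are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time, timezone

def parse_hm(text):
    hours, minutes = (int(part) for part in text.split(":"))
    return time(hours, minutes)

def window_is_valid(start, end):
    # A rule's validity window must start and end on the same calendar day,
    # which is why 18:01-07:59 has to be split into two rules in the lab.
    return parse_hm(start) <= parse_hm(end)

@dataclass(frozen=True)
class AlertRule:
    senders: frozenset   # Alert Senders matched by the rule
    alert: str           # Alert and Situation element
    days: frozenset      # ISO weekdays, 1 = Mon ... 7 = Sun
    start: str           # validity start, "HH:MM" in UTC
    end: str             # validity end, "HH:MM" in UTC, same day as start
    severity: str        # "ANY" or one severity
    chain: str           # Alert Chain the alert escalates to

    def __post_init__(self):
        if not window_is_valid(self.start, self.end):
            raise ValueError(f"{self.start}-{self.end} crosses midnight; split the rule")

    def matches(self, sender, alert, severity, when):
        utc = when.astimezone(timezone.utc)                   # rule times are UTC (lab note)
        clock = utc.time().replace(second=0, microsecond=0)   # assumed minute granularity
        return (sender in self.senders and alert == self.alert
                and utc.isoweekday() in self.days
                and parse_hm(self.start) <= clock <= parse_hm(self.end)
                and self.severity in ("ANY", severity))

ATLANTA = frozenset({"Atlanta FW", "Atlanta IPS Analyzer"})
WEEKDAYS = frozenset({1, 2, 3, 4, 5})   # Mon-Fri; the copied rules keep this too

ATLANTA_ALERTS = [
    AlertRule(ATLANTA, "System Alert", WEEKDAYS, "08:00", "18:00", "ANY", "Office"),
    AlertRule(ATLANTA, "System Alert", WEEKDAYS, "18:01", "23:59", "ANY", "Home"),
    AlertRule(ATLANTA, "System Alert", WEEKDAYS, "00:00", "07:59", "ANY", "Home"),
]

def select_chain(policy, sender, alert, severity, when):
    # Assumed: rules are evaluated top-down and the first match wins.
    for rule in policy:
        if rule.matches(sender, alert, severity, when):
            return rule.chain
    return None   # no rule covers this alert, e.g. any weekend alert

def chain_at(when_utc, sender="Atlanta FW", alert="System Alert", severity="High"):
    # when_utc is 'YYYY-MM-DD HH:MM' in UTC, the timezone the policy uses.
    when = datetime.strptime(when_utc, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)
    return select_chain(ATLANTA_ALERTS, sender, alert, severity, when)
```

Calling chain_at for a Saturday timestamp returns None, which is the coverage gap to check for before installing a policy built by copying the weekday rule.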


Getting Started with Role-Based Access Control

The privileges of StoneGate administrators are defined flexibly with administrator accounts. An administrator account specifies what kinds of actions the administrator can take (for example, create new elements, and browse logs).

There are three predefined permission levels for administrators: unrestricted permissions (superuser), restricted permissions, and no permissions. An administrator with unrestricted permissions can create and modify all elements in StoneGate.

Creating an Administrator Role

There are three predefined Administrator Roles: Operator, Editor, and Owner, which each contain certain rights. You can also create new Administrator Role elements and select the rights for them. The permissions that an Administrator Role gives apply only to the granted elements selected for the role. In this exercise, you will create an Administrator Role for the administrators in Atlanta that gives administrators permissions for all actions, except managing administrator accounts.

To create an Administrator Role

1. Browse to Access Rights→Administrator Roles.

2. Right-click Administrator Roles and select New Administrator Role. The Administrator Role Properties dialog opens.

3. Name the Administrator Role Atlanta Administrator.

4. Select the following permissions:
• Element Rights for Granted Elements: select all.
• Action Rights: select all.
• Administrative Rights: select all except Manage Administrators.

Tip – Select All at the top of the tree, then deselect Manage Administrators.

5. Click OK.


Creating an Administrator Account

Once you have created the new Administrator Role, you can create a new administrator account and use the Administrator Role to grant permissions for the administrator. An administrator account is defined with an Administrator element.

To create an Administrator

1. Right-click Administrators and select New Administrator. The Administrator Properties dialog opens.

2. Name the Administrator AtlantaAdmin.

3. Leave Internal Authentication selected.

4. Enter and confirm the password:
• For this exercise, use Pass1234.

5. Leave Always Active selected.

6. Switch to the Permissions tab.

7. Leave Restricted Permissions selected and click Add Role. A new row appears with the Operator as the role and ALL Simple Elements as the granted elements.

Caution – Always use a strong password in a production environment.


8. Click Operator and select the Atlanta Administrator Role you created earlier.

Tip – If the role you want to select is not listed, select Other and browse to the role.

9. Select Permitted Traffic - AtlantaIPS as the Log Filter.

Tip – The log filters define which logs the administrator sees in the Logs view.

Selecting Granted Elements

To select granted elements

1. Right-click ALL Simple Elements and select Edit Granted Elements. The Select Element(s) dialog opens.

2. Browse to Firewalls and add Atlanta.

3. Browse up to IPS and add Atlanta IPS Sensor and Atlanta IPS Analyzer.

4. Browse to Firewall Policies→Policies→Training Template Policy and add Training Policy.

5. Browse to IPS Policies→Policies→IPS System Template and add the System Policy.

6. Click OK. The Select Element dialog closes.

7. Click OK. The Administrator properties dialog closes.

Testing Administrator Privileges

Once you have created the new administrator account, you can log in to the StoneGate Management Client as that administrator and see how StoneGate manages the actions that the administrator is allowed to perform.

To test the administrator’s privileges

1. Close the Management Client.

2. Open the Management Client and log in with the administrator account you just defined:
• User Name: AtlantaAdmin.
• Password: Pass1234.

3. Click OK.

4. Right-click the Atlanta firewall and select Current Policy→Refresh.
• What is the result?

5. Click the Configuration icon and select Administration. The Administration Configuration view opens.


6. Browse to Administration→Access Rights→Administrators.
• What is the result? Why?

7. Close the Management Client and log in again with the Demo account.

Summary

During this lab, you have seen how to manage large amounts of log data with log management tasks. You have defined alert channels, alert chains, and an Alert Policy. You have seen how StoneGate’s flexible multi-level administrator configuration enables effective distribution of management tasks.
