ACE Engineer


Transcript of ACE Engineer

Page 1: ACE Engineer

Welcome to the training!

Astaro Certified Engineer V7

Astaro Security Gateway V7 - Astaro Certified Engineer – Page 1 © Astaro 2004/ ACE_V7.4

Courseware Version EN-V7.4

Page 2: ACE Engineer

DISCLAIMER

All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying and distribution. No part of this document may be used or reproduced in any form or by any means, or stored in a database or retrieval system, without prior written permission of the publisher, except in the case of brief quotations embodied in critical articles and reviews. Making copies of any part of this Training Courseware for any other purpose is in violation of copyright laws.

While every precaution has been taken in the preparation of this document, Astaro assumes no responsibility for errors or omissions and makes no explicit or implied claims to the validity of this information. This document and features described herein are subject to change without notice.

This Astaro Training Courseware may not be sold by any company other than Astaro without prior written permission. Neither Astaro nor any authorized distributor shall be liable to the purchaser or any other person or entity with respect to any liability, loss or damage caused or alleged to have been caused directly or indirectly by this book.

Trademarks:

© Copyright 2000 - 2005, Astaro AG. Astaro Security Linux is a registered trademark of Astaro AG.


© Copyright 2000 - 2007, Astaro AG. Astaro Security Gateway is a registered trademark of Astaro AG.

© Copyright 2002 - 2005, Astaro AG. Astaro Configuration Manager is a registered trademark of Astaro AG.

© Copyright 1997 - 2005, Solsoft. Solsoft and Solsoft NP are trademarks of Solsoft.

Other product and company names mentioned herein may be trademarks and/or registered trademarks of their respective companies. Specifications and descriptions subject to change without notice.

All other products or services mentioned herein are trademarks or registered trademarks of their respective owners. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark. Consult your product manuals for complete trademark information.

Page 3: ACE Engineer

Agenda - ACE

DAY ONE

Astaro Product Overview

Available Products

AXG System Architecture

Refresher ACA

Networking

VLAN

Link Aggregation

Bridging

Policy Routing

OSPF

Quality of Service

DAY TWO

VoIP Security

H.323

SIP

Troubleshooting

WebGui

Command Line

DAY THREE

Additional Products

ACC

Astaro Report Manager

Page 4: ACE Engineer

Before we start …/ ACE Exam

ACE Certificates & Exams

ACE certification signifies that an individual has:

Achieved ACE certification

Passed the ACE web-based exam

Demonstrated knowledge required to implement and configure Astaro Security products with extended features

How do you become an Astaro Certified Engineer?

By passing a web-based exam.

45 randomly generated questions must be answered within 60 minutes

Training participants have one free attempt at the ACE Exam

To log in, you will receive a voucher via e-mail shortly after the training

ACE Exam site is available at https://my.astaro.com/training/

How should you prepare for the ACE exam?

Actively participate in the training

Study the ACE-Courseware

Work through the Astaro product Manuals

Configure and test the discussed scenarios in practice

Page 5: ACE Engineer

Before we start …/ Course Objective

Upon completion of this course you should be:

Familiar with the Astaro product line

Able to configure Astaro products

Able to troubleshoot common problems on Astaro products

"Get together is the beginning, work together is the success."

Henry Ford

Page 6: ACE Engineer

Astaro Product Overview


Page 7: ACE Engineer

Product Overview

The Astaro product portfolio features easy-to-use “all-in-one” security gateways that enable IT managers to effectively protect their network from malicious Internet-based threats. Additional management tools support Astaro’s Gateway products with centralized management and reporting facilities.

All Astaro Gateway products with the exception of the Astaro Report Manager are based upon the same architecture. During the training we will use the term ‘AXG’ whenever we are referring to the common architecture. The specific product abbreviation (ASG, AWG) will be used whenever we are discussing a particular product.

Page 8: ACE Engineer

Available Products/Astaro Security Gateway

Astaro Security Gateway is a blend of open-source, proprietary and OEM technology, combined to create an all-in-one device that runs as the perimeter security gateway on a network.

Astaro Security Gateway is built on an integrated management platform that makes it easy to install and administer a complete security solution.

Page 9: ACE Engineer

ASG Overview/ Security Features

Astaro Security Gateway, based on Astaro's award-winning Astaro Security Linux, provides a complete package of 9 perimeter security applications.

E-mail Security

• Virus Protection for e-mail

• Anti-Spam/Phishing

• E-mail Encryption

Network Security

• Intrusion Protection

• SPI-Firewall and Proxies

• VPN-Gateway

Web Security

• Spyware Protection

• Virus Protection

• Content Filtering

Page 10: ACE Engineer

ASG Overview/ Available Appliances

Astaro Security Gateway 110/120

Users: 10 / Unrestricted

Environments: Home office, small office

Network ports: 3 x 10/100 Mbps

Throughput (Mbps): Firewall 100, VPN 30, IPS/IDS 55

E-mails/day (without Mail-Security): 350,000

Concurrent connections: 60,000

Astaro Security Gateway 220a

Users: Unrestricted

Environments: Small business, branch office

Network ports: 8 x 10/100 Mbps

Throughput (Mbps): Firewall 260, VPN 150, IPS/IDS 120

E-mails/day (without Mail-Security): 500,000

Concurrent connections: 400,000

Astaro Security Gateway 320

Users: Unrestricted

Environments: Medium business, enterprise division

Network ports: 4 x 10/100 Mbps and 4 x 10/100/1000 Mbps

Throughput (Mbps): Firewall 420, VPN 200, IPS/IDS 180

E-mails/day (without Mail-Security): 1,000,000

Concurrent connections: 550,000

Astaro Security Gateway 425a

Users: Unrestricted

Environments: Large enterprise headquarters

Network ports: 8 x 10/100/1000 Mbps

Throughput (Mbps): Firewall 1200, VPN 265, IPS/IDS 450

E-mails/day (without Mail-Security): 1,500,000

Concurrent connections: 700,000

Astaro Security Gateway 525

Users: Unrestricted

Environments: Large enterprise, core networks

Network ports: 10 x 10/100/1000 Mbps

Throughput (Mbps): Firewall 3000, VPN 400, IPS/IDS 750

E-mails/day (without Mail-Security): 2,200,000

Concurrent connections: >1,000,000

Page 11: ACE Engineer

Product Overview/Astaro Web Gateway

Effective “all-in-one” web security for your network:

Single, cost effective and easy to use point solution

Detects and blocks malicious code in HTTP or FTP traffic

Granular control of web site access and use of IM/P2P applications

Deploys as hardware, software, or virtual appliance

Web Interface is the same as the ASG but with less features


Page 12: ACE Engineer

AWG System Overview/ Available Appliances

Astaro WebGateway 1000

Recommended users: 100

Environments: Small Networks

Network ports: 2 x 10/100/1000 Mbps

Throughput (Mbps): In-line 50, Antivirus 20

Web user requests: 100 req./s

Astaro WebGateway 2000

Recommended users: 250

Environments: Medium Networks

Network ports: 2 x 10/100/1000 Mbps

Throughput (Mbps): In-line 80, Antivirus 40

Web user requests: 375 req./s

Astaro WebGateway 3000

Recommended users: 750

Environments: Medium Networks

Network ports: 3 x 10/100/1000 Mbps

Throughput (Mbps): In-line 150, Antivirus 80

Web user requests: 120 req./s

Astaro WebGateway 4000

Recommended users: 2000

Environments: Large Networks

Network ports: 3 x 10/100/1000 Mbps

Throughput (Mbps): In-line 250, Antivirus 130

Web user requests: 3000 req./s

Astaro WebGateway Virtual Appliance

Recommended users: Unrestricted

Environments: Small to Large networks

Network ports and performance: depends on hardware platform used.

Page 13: ACE Engineer

Product Overview/Astaro Email Gateway

Effective “all-in-one” Email security for your network:

Single, cost effective and easy to use point solution

Detects and blocks malicious code and SPAM in SMTP or POP3 traffic

Provides end user Quarantine management through secure portal and daily SPAM reports

Provides Email Encryption

Web Interface is the same as the ASG but with less features


Page 14: ACE Engineer

AMG System Overview/ Available Appliances

Astaro MailGateway 1000

Recommended users: 100

Environments: Small Networks

Network ports: 2 x 10/100/1000 Mbps

Throughput (Mbps): In-line 50, Antivirus 20

Web user requests: 100 req./s

Astaro MailGateway 2000

Recommended users: 250

Environments: Medium Networks

Network ports: 2 x 10/100/1000 Mbps

Throughput (Mbps): In-line 80, Antivirus 40

Web user requests: 375 req./s

Astaro MailGateway 3000

Recommended users: 750

Environments: Medium Networks

Network ports: 3 x 10/100/1000 Mbps

Throughput (Mbps): In-line 150, Antivirus 80

Web user requests: 120 req./s

Astaro MailGateway 4000

Recommended users: 2000

Environments: Large Networks

Network ports: 3 x 10/100/1000 Mbps

Throughput (Mbps): In-line 250, Antivirus 130

Web user requests: 3000 req./s

Astaro MailGateway Virtual Appliance

Recommended users: Unrestricted

Environments: Small to Large networks

Network ports and performance: depends on hardware platform used.

Page 15: ACE Engineer

Product Overview/ Astaro Report Manager

Data collection and reporting solution for internal security analysis:

Centralized collection, correlation and analysis of syslog data

Documentation of security infrastructure effectiveness

More than 800 tailored security and activity reports

Real-time monitoring dashboard for instant security incident visibility


Page 16: ACE Engineer

Product Overview/ Astaro Report Manager

The Astaro Report Manager is a centralized reporting engine which gives you the ability to collect and analyze log data from one or more ASG installations.

The Report Manager allows you to create robust drill-down reports in a variety of output formats like Word, Excel, HTML and PDF.

With advanced attack and event analysis, users can create rule-based alerts which can notify administrators when user-defined thresholds have been passed.

Page 17: ACE Engineer

Product Overview/ Astaro Compliance Reporter

The Astaro Compliance Reporter for PCI is an automated service that allows organizations operating under Payment Card Industry (PCI) regulation to easily conduct a formal risk assessment, as required by the PCI Data Security Standard.

Page 18: ACE Engineer

Product Overview/ Astaro Command Center

Provides Centralized Management of Large Astaro Gateway Deployments.

Dashboard views display the most important system parameters for all selected devices.

List views offer detailed information about specific parameters, such as detected threats or resources in use.

The world map makes it simple to localize Astaro Security Gateways within a large global network and enables a quick overview of the security status.

A complete hardware inventory of all Astaro Security Gateways is available via a single mouse click.

Astaro Command Center is available free of charge!

Based on the same architecture and management components as the Astaro Security Gateway, the Command Center employs similar flexible deployment options.

Page 19: ACE Engineer

System Architecture


Page 20: ACE Engineer

AXG System Overview/ Architecture

AXG is based on Novell/SUSE® Linux Enterprise 10

AXG comes with its own hardened and compiled 2.6.x kernel

SLES10 RPMs are used but are completely recompiled

All major processes including the WebGUI run in chroot environments.

AXG is built upon a number of Open Source Projects; many of those are actively developed in cooperation with Astaro, others are sponsored by Astaro.

Page 21: ACE Engineer

Architecture/ Open Source Module

Open source software is distributed with the source code freely available for alteration and customization

Collective work of many programmers

Resulting software can become more useful and free of holes and bugs

Astaro leverages the flexibility and innovation of Linux and Open Source

Page 22: ACE Engineer

Configuration/ Administration Workflow

Every function can be configured and controlled via the Web-Admin interface.

There is no need to interact with any of the other components or the Command Line Interface (CLI) using a shell like Bash.

Page 23: ACE Engineer

Refresher ACA


This chapter provides a refresher of key areas covered during the ACA course

Page 24: ACE Engineer

Refresher ACA/ Setting up Ethernet Interfaces

An Ethernet interface is a standard 10/100/1000 Mbit network card

Things to remember:

Set the correct IP address for each interface with the correct netmask

Only define one default gateway unless you are using Uplink Balancing

Make sure that each interface has a unique address range in your environment

Page 25: ACE Engineer

Refresher ACA Network Settings / Additional IPs on an Interface

Additional IPs are typically referred to as aliases and follow the same rules as “Standard Ethernet” interfaces.

This feature allows administrators to assign multiple IP addresses to one physical Ethernet interface.

Commonly used with NAT (Network Address Translation)

Limited to 100 aliases per interface.

Restrictions

No DHCP address assignment

No accounting and monitoring

No IPSec tunnel endpoint

NOTE: An IP alias should be from the same IP network range as the primary address of the interface to prevent possible problems such as IP spoofing. Nevertheless, addresses from other ranges are allowed.

Page 26: ACE Engineer

Refresher ACA Network Settings / Uplink (WAN) balancing

Allows for ‘bonding’ of multiple internet connections.

Two modes offered:

Active/Passive (Failover) where second internet connection only becomes active when primary goes down

Active/Active (Multipath) where all internet connections are active and traffic is balanced across them. Traffic automatically fails over to other available links in the event of an outage.

After adding interfaces to the Uplink group, a new definition called Uplink Interfaces will be automatically created and used by any packet filter and DynDNS rules.

Once Uplink balancing is enabled each interface can be configured with its own default gateway and will have its own routing table.

Page 27: ACE Engineer

Refresher ACA /Network Settings / Multipath Rules

Allows administrators to specify which internet connection traffic should use.

This is different from policy routing since the rules benefit from being able to use other connections if the desired Interface is down.

Ability to create sticky or persistent connections by:

Combination of source and destination

By connection

By source OR destination

By interface

NOTE: In the Site-to-Site VPN section, there is now a new choice for the “local interfaces” drop-down box, which allows you to select “Uplink Interfaces”. This resolves to the first available interface in the available interfaces box, increasing the redundancy available to site-to-site VPNs.
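An added model (not Astaro code) of the multipath-rule behaviour described on this slide: a rule names the uplink a class of traffic should use, the choice is made sticky on one of the persistence keys listed above, and, unlike plain policy routing, traffic falls over to another available uplink when the preferred one is down. Uplink names, addresses and the assumption that a sticky entry is kept until its link fails are constructed for the example.

```python
"""Model of ASG multipath rules: preferred uplink, sticky persistence key,
failover when the preferred link is down. All names/addresses are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    in_if: str        # interface the packet arrived on


@dataclass
class MultipathRule:
    uplink: str       # preferred uplink for matching traffic
    persistence: str  # "connection" | "source" | "destination" | "source_destination" | "interface"


def sticky_key(flow: Flow, persistence: str) -> str:
    """Build the key under which the chosen uplink is remembered (the four
    persistence options from the slide, plus per-connection)."""
    if persistence == "connection":
        return f"{flow.proto}:{flow.src}:{flow.sport}->{flow.dst}:{flow.dport}"
    if persistence == "source":
        return f"src:{flow.src}"
    if persistence == "destination":
        return f"dst:{flow.dst}"
    if persistence == "source_destination":
        return f"pair:{flow.src}->{flow.dst}"
    if persistence == "interface":
        return f"if:{flow.in_if}"
    raise ValueError(f"unknown persistence mode {persistence!r}")


class UplinkBalancer:
    def __init__(self, uplinks: List[str]):
        self.up: Dict[str, bool] = {u: True for u in uplinks}   # link health
        self.sticky: Dict[str, str] = {}                         # key -> uplink

    def set_link(self, uplink: str, is_up: bool) -> None:
        self.up[uplink] = is_up

    def available(self) -> List[str]:
        return [u for u, ok in self.up.items() if ok]

    def route(self, flow: Flow, rule: MultipathRule) -> Optional[str]:
        """Return the uplink the flow leaves on, or None if every uplink is down."""
        key = sticky_key(flow, rule.persistence)
        remembered = self.sticky.get(key)
        if remembered is not None and self.up.get(remembered):
            return remembered                  # sticky: keep the earlier choice
        if self.up.get(rule.uplink):
            chosen = rule.uplink               # preferred uplink is healthy
        else:
            avail = self.available()
            if not avail:
                return None
            chosen = avail[0]                  # failover to the first available link
        self.sticky[key] = chosen              # assumption: entry lives until its link fails
        return chosen


def demo():
    """Pin a LAN host to ISP A, take ISP A down, bring it back, take ISP B down."""
    bal = UplinkBalancer(["eth1-ispA", "eth2-ispB"])
    rule = MultipathRule(uplink="eth1-ispA", persistence="source")
    f1 = Flow("10.0.0.5", "198.51.100.1", "tcp", 40001, 443, "eth0")
    f2 = Flow("10.0.0.5", "203.0.113.7", "tcp", 40002, 80, "eth0")
    first = bal.route(f1, rule)            # "eth1-ispA"
    bal.set_link("eth1-ispA", False)       # ISP A outage
    failed_over = bal.route(f2, rule)      # "eth2-ispB": same source, sticky entry rewritten
    bal.set_link("eth1-ispA", True)
    after_recovery = bal.route(f1, rule)   # "eth2-ispB": sticky entry still valid (assumed)
    bal.set_link("eth2-ispB", False)
    last = bal.route(f1, rule)             # "eth1-ispA": preferred link is healthy again
    return first, failed_over, after_recovery, last


if __name__ == "__main__":
    print(demo())
```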

Page 28: ACE Engineer

Refresher ACA / Network Address Translation / Masquerading

Used if one (or multiple) internal networks should be hidden behind one official IP address.

Especially useful if private IP address ranges are used.

Diagram: internal RFC 1918 private IP range masqueraded behind the public IP

Page 29: ACE Engineer

Refresher ACA /Network Address Translation / DNAT & SNAT

Destination Network Address Translation (DNAT) is used if an internal resource should be accessible via an IP address assigned to the firewall, e.g. a server in a DMZ

Source Network Address Translation (SNAT) is used like masquerading, but allows more granular settings

Note: DNAT occurs before packet filtering takes place. Ensure your packet filtering rules have the translated address as the destination or use the ‘Automatic Packet Filter rule’ option.

Page 30: ACE Engineer

Refresher ACA / Packet filtering Architecture

ASG uses the stateful packet filtering capabilities of the 2.6 Linux kernel.

Diagram: netfilter packet flow on the ASG, with the modules active in each chain:

PREROUTING (incoming packets): dnat, conntrack, mangle, spoofdrop

Routing decision

FORWARD: mangle, filter, ips

POSTROUTING (outgoing packets): masquerading, snat, conntrack, mangle

INPUT (to local processes): mangle, filter, ips

Local processes: Apache, Exim, SSHD, Squid, SOCKS, BIND, IPsec, PPTP

OUTPUT (from local processes): conntrack, mangle, dnat; mangle, ips

Tables: NAT, Filter

Page 31: ACE Engineer

Refresher ACA / Packet Filter - Configuration Principles (1)

You only need to maintain one table of filter rules.

ASG automatically creates correct entries in the INPUT, OUTPUT or FORWARD chain as necessary.

The rules in the table are ordered. The first rule to match decides what is done with the packet.


Possible actions are:

Allow

Drop

Reject

Any action allows optional Logging

If no filter rule matches - the packet is dropped and logged!

Astaro Security Gateway starts with an empty table but keeps implicit internal rules for all services it is using itself.
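An added model (not Astaro code) of the configuration principles above together with the DNAT note from the NAT refresher: DNAT is applied before filtering, the ordered rule table is evaluated first-match-wins with Allow/Drop/Reject and optional logging, and a packet that matches no rule is dropped and logged. The addresses, ports, rules and time window are constructed samples.

```python
"""Model of the ASG packet-filter principles on these slides.
Everything here (addresses, rules, port numbers) is a constructed sample."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass
class DnatRule:
    """Publishes an internal host (e.g. a DMZ server) on a firewall-owned address."""
    public_dst: str
    public_port: int
    internal_dst: str
    internal_port: int


@dataclass
class FilterRule:
    name: str
    sources: List[str]                        # CIDR strings; "0.0.0.0/0" means Any
    destinations: List[str]
    service: Tuple[str, Optional[int]]        # (proto, port); ("any", None) means Any
    action: str                               # "Allow", "Drop" or "Reject"
    log: bool = False                         # optional logging on any action
    hours: Optional[Tuple[int, int]] = None   # "When to do": active in [start, end)


def apply_dnat(pkt: Packet, dnat_rules: List[DnatRule]) -> Packet:
    """DNAT runs in PREROUTING, i.e. before the filter rules see the packet."""
    for d in dnat_rules:
        if pkt.dst == d.public_dst and pkt.dport == d.public_port:
            return Packet(pkt.src, d.internal_dst, pkt.proto, d.internal_port)
    return pkt


def _in_any(ip: str, nets: List[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)


def _service_matches(pkt: Packet, service: Tuple[str, Optional[int]]) -> bool:
    proto, port = service
    return proto == "any" or (pkt.proto == proto and (port is None or pkt.dport == port))


def evaluate(pkt: Packet, rules: List[FilterRule], hour: int, log: List[str]) -> str:
    """Walk the ordered table; the first matching rule decides the action."""
    flow = f"{pkt.src}->{pkt.dst}:{pkt.dport}/{pkt.proto}"
    for r in rules:
        in_time = r.hours is None or r.hours[0] <= hour < r.hours[1]
        if (_in_any(pkt.src, r.sources) and _in_any(pkt.dst, r.destinations)
                and _service_matches(pkt, r.service) and in_time):
            if r.log:
                log.append(f"{r.action.upper()} rule={r.name} {flow}")
            return r.action
    # No rule matched: the packet is dropped and logged (implicit default).
    log.append(f"DROP default {flow}")
    return "Drop"


def filter_packet(pkt, dnat_rules, rules, hour, log) -> str:
    """Full path: PREROUTING DNAT first, then the filter table."""
    return evaluate(apply_dnat(pkt, dnat_rules), rules, hour, log)


# Constructed scenario: DMZ web server 192.168.100.10:8080 published on the
# firewall's public address 203.0.113.10:80 (documentation address ranges).
DMZ_DNAT = [DnatRule("203.0.113.10", 80, "192.168.100.10", 8080)]
ANY = ["0.0.0.0/0"]

# Mistake the DNAT note warns about: the rule names the public (pre-DNAT) address.
RULES_WRONG = [
    FilterRule("web-in", ANY, ["203.0.113.10/32"], ("tcp", 80), "Allow", log=True),
]
# Correct: the rule names the translated address and port.
RULES_RIGHT = [
    FilterRule("web-in", ANY, ["192.168.100.10/32"], ("tcp", 8080), "Allow", log=True),
    FilterRule("lan-out-office", ["10.0.0.0/8"], ANY, ("any", None), "Allow", hours=(8, 18)),
    FilterRule("lan-out-reject", ["10.0.0.0/8"], ANY, ("any", None), "Reject", log=True),
]


def demo():
    """Returns the four decisions plus the log lines they produced."""
    log: List[str] = []
    web = Packet("198.51.100.7", "203.0.113.10", "tcp", 80)
    lan = Packet("10.1.2.3", "198.51.100.9", "tcp", 443)
    wrong = filter_packet(web, DMZ_DNAT, RULES_WRONG, 10, log)   # "Drop" (implicit default)
    right = filter_packet(web, DMZ_DNAT, RULES_RIGHT, 10, log)   # "Allow"
    day = filter_packet(lan, DMZ_DNAT, RULES_RIGHT, 10, log)     # "Allow" (inside hours)
    night = filter_packet(lan, DMZ_DNAT, RULES_RIGHT, 22, log)   # "Reject" (next rule)
    return wrong, right, day, night, log


if __name__ == "__main__":
    for line in demo()[4]:
        print(line)
```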

Page 32: ACE Engineer

Refresher ACA / Packet Filter - Configuration Principles (2)

Default View (screenshot) showing, for each rule: Source, Destination, Action and Service, Description (optional), Enable/Disable, Edit or delete, Groupname, Order

Page 33: ACE Engineer

Refresher ACA / Packet Filter - Configuration Principles (3)

To create new or edit existing rules:

Assign or create a group

Name: Name for the rule

Move rule to a specific position

The sources: IP or Group

The service: TCP/UDP/IP

The destinations: IP or Group

What to do: Allow, Drop or Reject

When to do: The time

Log Packets: Yes or No

Comment: Whatever helps

Page 34: ACE Engineer

Refresher ACA / DNS - Configuration

Global:

Accepts DNS Requests from allowed, internal networks (e.g. your AD-Servers, clients in smaller networks)

Forwarders

Forwards DNS requests of the ASG to e.g. provider DNS servers

Request Routing

When the ASG should be able to resolve the hostnames of an internal domain hosted on your own internal DNS server, this server can be used as an alternate server to resolve names that should not be resolved by the DNS forwarders.

Static Entries

Handles static mappings of hostnames to IP addresses

Page 35: ACE Engineer

Refresher ACA High Availability & Clustering/ Overview

Diagram: Internet connected via redundant links to redundant hardware, redundant switches and the LAN (aggregated links shown as ":=")

No more single point of failure!

Page 36: ACE Engineer

Refresher ACA High Availability & Clustering/ HA Modes

Active-Passive HA (Standby)

Only the Master is active

Passive (Slave) takes over in case of failure

Configuration settings and operational states are synchronized

Each ASG requires its own base license. Only one set of subscriptions is necessary for both units.

Active-Active HA (Cluster)

Offers High Availability AND Load balancing

All appliances are active at the same time

Application traffic is actively balanced across the cluster of nodes

A maximum of 10 units can be added to the cluster.

Each unit in the cluster requires the same licenses for both base and subscriptions.

Page 37: ACE Engineer

Refresher ACA High Availability & Clustering/ Hot Standby Mode

Hot Standby Mode

Diagram: Master and Slave with status & config synchronisation

All tunnels, SPF-Connections (IP-Conntrack) and quarantined objects are synchronized

Stateful Failover < 2 sec

Page 38: ACE Engineer

Refresher ACA High Availability & Clustering/ Active-Active-Mode

High Availability (Active/Active) (load balancing)

Diagram: Internet and LAN connected to the cluster nodes (Master, Slave and further nodes, fully meshed); scalable to 1 Gigabit/sec VPN, IPS, AV, AS

Active/Active Mode: the Master runs Packet Filtering & distributes the load; the Slave and cluster nodes handle the load.

Note:

Packet Filtering runs on the Master only

Balanced Services are: AV for HTTP, FTP, SMTP, POP3

AS for SMTP, POP3

IPSec

IPS

Cluster Distribution is round robin, except HTTP which is session based.

Page 39: ACE Engineer

Refresher ACA High Availability & Clustering/ Auto Configuration (1)

Automatic Configuration = Default Configuration

Both devices configure themselves upon connection through the HA-Port

To configure an Active/Active Cluster, only the Master needs to be configured to "Cluster Mode"

Appliances: HA interface eth3 (HA port)

Diagram: Master and Slave connected via the HA port (eth3)

Page 40: ACE Engineer

Refresher ACA High Availability & Clustering/ Auto Configuration (2)

Default setting for appliances (HA-Port)

Step 1:

Activate HA (if necessary)

If HA is active, the Status will look like this (screenshot).

Page 41: ACE Engineer

Refresher ACA High Availability & Clustering/ Auto Configuration (3)

Step 2:

Connect the other HA device

Make sure the cabling is correct

Start the device

If everything is correct, the system switches to active/passive operation automatically (screenshot).

Page 42: ACE Engineer

Refresher ACA High Availability & Clustering/ Disabling Master-Slave

Disabling Master/Slave:

Switch the Operation mode back to "Off"

The slave device will perform a factory reset and shut down.

Page 43: ACE Engineer

Refresher ACA High Availability & Clustering/ ASG Cluster Configuration (1)

Cluster Configuration:

For the Master System:

Set Operation Mode to "Cluster"

Configure NIC

Configure Device name, e.g. Node1

Select Node ID (1, 2, 3…)

Configure an encryption key

By default the Master will configure any new devices

(Optional) Configure a backup interface which will be used if the dedicated NIC fails.

Page 44: ACE Engineer

Refresher ACA High Availability & Clustering/ ASG Cluster Configuration (2)

Cluster Configuration:

For the Slave System:

The slave system is still configured for auto configuration on eth2 from before (check, if not sure)

Make sure cabling is correct

Power on the device

Once the slave is working, you can see the HA status.

It will display "Operation Mode: Cluster"

Page 45: ACE Engineer

Refresher ACA /User Authentication/ Groups

The Users>>Groups section on the AxG allows the administrator to create and manage local and/or remote user groups

Common Group Types:

Local Groups will consist of static members which are user accounts located on the AxG. These accounts can either be locally or remotely authenticated.

Backend membership groups may be dynamically updated and modified by making changes to the group object on the remote authentication server (an example would be an AD security group)

Use the "Limit to backend group(s) membership" checkbox to specify a specific security group or container on your remote authentication server

Use the built-in LDAP browser to view the remote server tree if using eDirectory or Active Directory

Page 46: ACE Engineer

Refresher ACA /Remote Authentication/ Available Methods

Astaro has the following options for remote user authentication:

eDirectory

Novell, partly LDAP based

Active Directory

Microsoft, partly LDAP based

RADIUS


Remote Access Dial-In User Service

Livingston Enterprises, later RFC

TACACS+

Terminal Access Controller Access-Control System Plus

Cisco, now RFC

LDAP – OSI, X.500, now RFC

Lightweight Directory Access Protocol

Page 47: ACE Engineer

Refresher ACA /Remote Authentication/ Global Settings

When using remote authentication the AxG can be configured to automatically add user accounts when users successfully authenticate against:

HTTP Proxy

End User Portal

SSL VPN

WebAdmin


NOTE: Automatically creating user accounts for HTTP Proxy users in large environments (eDirectory) is not suggested and will have an adverse effect on the AxG performance.

Page 48: ACE Engineer

Refresher ACA /Remote Authentication/ Novell eDirectory

With AxG V7 eDirectory SSO, Novell users will only need to authenticate once at initial client login to gain web access to the Internet.

Once authenticated, Web security capabilities of AxG are applied to web surfing based on the user or group without the need for further authentication at the browser level.

Features such as the ‘Test Server’ and ‘Test Settings’ buttons allow an administrator to verify their BIND User DN settings as well as verify individual user account credentials.


Page 49: ACE Engineer

Refresher ACA /Remote Authentication/ Novell eDirectory

Advanced options let you set the sync interval, which is how often the AxG will query (poll) the eDirectory server for updated account information such as logins/logouts and group changes.

Prefetching of user accounts can be done on the fly or may be scheduled.

As of version 7.400 the AxG software also supports Event Based eDirectory synchronization. This new feature is an eDirectory option which requires version 8.7 or higher.

Event Based synchronization replaces the existing Polling method, which will be used if the eDirectory server does not support this feature.

Event Based synchronization will instruct the eDirectory server to send notifications of any changes such as logins or logouts.

Event Based synchronization can help to significantly reduce the network load between the AxG and the eDirectory server.

Page 50: ACE Engineer

Refresher ACA /Remote Authentication/ Novell eDirectory

When creating Groups from the Novell eDirectory, ASG offers a very convenient eDirectory Browser

It allows you to select user groups directly through the Web Admin Interface


NOTE:

• SSO in eDir does not work on machines where more than one user is logged in. (Terminal Servers)

Page 51: ACE Engineer

Refresher ACA /Remote Authentication/ Active Directory

With AxG V7 Active Directory SSO, domain users will only need to authenticate once at initial client login to gain web access to the Internet.

Based on the AxG V7 SSO authenticated user, user/group based access control and content inspection profiles can be assigned.

AD SSO requires either Kerberos or NTLMv2 for authentication

Features such as the ‘Test Server’ and ‘Test Settings’ buttons allow an administrator to verify their BIND User DN settings, verify a user account is active, and to see what group they belong to.

Administration is eased via the built-in LDAP browser.

Prefetching of user accounts can be done on the fly or by schedule.

Page 52: ACE Engineer

Refresher ACA /Remote Authentication/ Active Directory

As of version 7.400 the AxG software now supports Windows Server 2008 Native mode.

To enable AD SSO you must:

Verify that the time and time zone settings are the same on both the AxG and on the AD server.

Create a DNS ‘A’ record on the AD server that matches the FQDN hostname you have assigned to the AxG

Configure the AxG to use the AD server as a DNS forwarder OR create a DNS request route for the AD domain which points to the AD DNS server

When configuring the AD SSO section the domain must be complete (ASTARO.COM), and should be entered in ALL CAPS.

Use the same admin username that you had used in the BIND DN section.

Page 53: ACE Engineer

Refresher ACA /Web Security/ Overview

Astaro’s Web Security is offered as a subscription on the ASG and as a solution on the Astaro Web Gateway (AWG).

Astaro Web Security provides a complete solution to protect users against malicious content, and allows an organization to enforce its web usage policy through flexible policies.

Packet-filtering firewalls only pass HTTP/S traffic and are unable to scan it for malware such as viruses, adware, spyware, and rootkits.

HTTP/S proxies ensure client PCs never connect directly to outside resources.

Web Security allows administrators to block anonymous proxies, port forwarding sites and applications, and to block/control IM/P2P applications.

Page 54: ACE Engineer

Refresher ACA /Proxies/ Theory

A Proxy (or Application Level Gateway) acts as a relay between a client and a server.

It plays the roles of client and server at the same time.

It speaks one or a few application specific protocols.

(Figure: Client <-> Proxy <-> Server; the HTTP/S request and the HTTP/S response each traverse the proxy as two separate hops.)

Page 55: ACE Engineer

Refresher ACA Web Security/ HTTP/S Proxy – Overview

The HTTP/S Proxy provides:

Different proxy modes including user Authentication

Antivirus/malware scanning

Extension/MIME type blocking

Content Filtering

HTTP/S Protocol Enforcement


Local content caching

The ability to create different profiles for different users, groups, or networks

Page 56: ACE Engineer

Refresher ACA /Web Security/ HTTP/S Global Configuration

Networks that are listed in the ‘Allowed Networks’ section will be allowed to use the proxy.

HTTPS (SSL) traffic can also be proxied and scanned. To do this the AxG must maintain the chain of trust between the client and the web server: it verifies the web server's certificate against its Verification CAs and presents the client a certificate for that site issued by its own Signing CA. This is done via a system of certificate exchanges. Because the AxG terminates the TLS session, the Signing CA's private key on the gateway must be protected like any internal CA key.

The HTTP/S live log provides detailed information on connections and the ability to filter on specific users or IP addresses.

Information found in the Live Log includes Date, Time, Source IP, Username, Status of connection (Pass, Fail, Timed Out, Target Service Not Allowed) and URL.

Page 57: ACE Engineer

Refresher ACA /Web Security/ HTTP/S Global Configuration – HTTPS Proxy configuration

To establish the chain of trust the HTTPS proxy uses Verification CAs and a Signing CA.

A new tab in Web Security called HTTPS CAs contains the major global Verification CAs which are in use today and the Signing CA.

NOTE: It is also possible to upload your own Verification CA if necessary, for example an internal CA that issues the certificates of intranet web servers. Under most circumstances, though, it will not be necessary to make changes on this tab.

Page 58: ACE Engineer

Refresher ACA /Web Security/ HTTP/S Global Configuration – HTTPS Proxy configuration/testing

To use the HTTPS proxy the client browsers will need to import or “trust” the Proxy CA that exists on their AxG. There are 3 ways administrators can deploy this to their users:

Have the users sign in to the UserPortal, select the “HTTPS Proxy” tab, and import the proxy CA certificate. Select all option boxes and click “OK”, and the import will finish. Note that this must be done for every browser in use, since not all browsers share the system trust store.

Publish the CA using an Active Directory Group Policy. As the administrator, navigate to Web Security >> HTTP/S and select the “HTTPS CAs” tab. From there, click the “Download” button at the top in the “Signing CA” section, and use Active Directory to distribute it to your network users.

Have the users download it directly from the Astaro device via a special URL, by navigating to https://passthrough.fw-notify.net/cacert.pem in their browser, then selecting all the checkboxes on the import dialog box and clicking “OK” to complete the process. This URL is answered by the proxy itself, so it only works from a client whose web traffic already passes through the AxG.

Once deployed, HTTPS scanning can be verified using the EICAR test file, which anti-virus vendors use for exactly this purpose. The file will be reported as “malware/virus” though it is in fact harmless and designed just for this type of testing. Fetching it over HTTPS must result in a block; if the download succeeds, the proxy is not inspecting that TLS session (or the client is not using the proxy).

https://secure.eicar.org/eicar_com.zip

Page 59: ACE Engineer

Refresher ACA /Web Security/ HTTP/S Operational Modes

Standard

Proxy listens on port 8080

Allows any network listed in Allowed Networks to connect

Client browser must be configured

The HTTP proxy service requires a valid DNS configuration on the AxG, since the proxy resolves names on the clients' behalf

Transparent

Proxy handles all traffic on port 80

Client doesn’t need to touch browser configuration

Proxy cannot handle FTP and HTTPS

The packet filter must therefore allow ports 21 and 443 explicitly, and that traffic is not inspected by the proxy

HTTP on ports other than 80 is not intercepted

Clients must be able to resolve DNS hostnames themselves!

*Full transparent mode preserves the original source IP of the client machine instead of replacing it with the proxy IP

Page 60: ACE Engineer

Refresher ACA /Web Security/ HTTP/S Operational Modes

Active Directory and eDirectory modes transparently authenticate users but require that the client browser has been configured to use a proxy server

These settings can be configured manually in the browser or pushed out by a group policy


A popular alternative for environments with laptop users is to use a proxy configuration file which can be configured to first check the local network before applying proxy settings. More information and examples can be found at the following URL http://en.wikipedia.org/wiki/Proxy_auto-config
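Added example, not part of the courseware: a small generator for such a proxy auto-config file, written for the standard-mode proxy on port 8080 described on the previous slide. It emits the FindProxyForURL JavaScript that browsers evaluate; the proxy name, site network and internal domain are constructed samples passed as arguments.

```shell
#!/bin/sh
# PAC file generator (added example, not Astaro code). Laptops on the corporate
# LAN use the AxG proxy; off site, where the proxy is unreachable, they go direct.
#   usage: sh gen_pac.sh fw.astaro.com 8080 10.1.0.0 255.255.0.0 astaro.com > proxy.pac
# All names and networks are constructed samples.

# gen_pac PROXY_HOST PROXY_PORT SITE_NET SITE_MASK INTERNAL_DOMAIN
gen_pac() {
    proxy_host=$1; proxy_port=$2; site_net=$3; site_mask=$4; int_domain=$5
    cat <<EOF
function FindProxyForURL(url, host) {
    // Off site (own address not in ${site_net}/${site_mask}): no proxy is
    // reachable, so go direct instead of hanging on a dead proxy entry.
    if (!isInNet(myIpAddress(), "${site_net}", "${site_mask}"))
        return "DIRECT";
    // On site: unqualified names, the internal zone and the site network
    // itself bypass the proxy ...
    if (isPlainHostName(host) ||
        dnsDomainIs(host, ".${int_domain}") ||
        isInNet(host, "${site_net}", "${site_mask}"))
        return "DIRECT";
    // ... everything else goes through the AxG. Deliberately no DIRECT
    // fallback after the proxy entry: it would silently bypass filtering
    // whenever the proxy is down.
    return "PROXY ${proxy_host}:${proxy_port}";
}
EOF
}

if [ -n "${1:-}" ]; then gen_pac "$@"; fi
```

Serve the file over the LAN and point browsers at its URL explicitly (or via the same group policy) rather than relying on WPAD auto-discovery, which a rogue DHCP or DNS answer on a foreign network can hijack. myIpAddress() returns the host's first address, so where VPN or virtual adapters are present an isResolvable() check on an internal-only name is a more robust "am I on site" test.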

Page 61: ACE Engineer

Refresher ACA /Web Security/ Content Filter Profiles

HTTP Content Filter Profiles

HTTP/S Profiles allow you to create different permissions for different users, groups, and/or networks.

The configuration is done by linking Proxy Profiles and Filter Actions through Filter Assignments.

Page 62: ACE Engineer

Refresher ACA /Web Security/ Content Filter Profiles

Flexible configuration is possible through Proxy Profiles and Filters.

Each Profile holds a combination of options and settings.

Allows for time, user and user group based filtering.

The suggested way to create profiles is to work from the right to the left.

First create your Filter Actions, then create your Filter Assignments, and then create your Proxy Profiles

Page 63: ACE Engineer

Refresher ACA / Email Security Mail Manager/ Overview/Global tab

The Mail Manager allows you to view and manage the Quarantined SMTP and POP3 messages for all users. Additionally you can view the SMTP log which contains a record of all messages that have been handled by the AxG.

Statistics are shown on the Global tab listing e-mails Waiting for Delivery, Quarantined, and Rejected.

The Mail Manager utility is reached by clicking the Open Mail Manager in New Window button.

HINT: Note that only the administrator can release all types of messages held in quarantine. End users can only release spam using the User Portal or the Quarantine Report; messages quarantined for malware stay under administrative control.

Page 64: ACE Engineer

Refresher ACA / Email Security Mail Manager/SMTP Quarantine

The SMTP Quarantine option lets the administrator view all SMTP mail being held in quarantine, and provides information on why it was not delivered.

Filters are available to sort mails by type (Malware, SPAM, Expression…)

Search by Sender/Subject, Date or any phrase

Global actions for cleanup and release are available

HINT: Spam false positives that are incorrectly quarantined by the heuristic engine can be automatically released and reported back to Commtouch.

Page 65: ACE Engineer

Refresher ACA / Email Security Mail Manager/SMTP Spool/ Tips

The SMTP Spool Option lets the Administrator view all SMTP mails processed but not delivered.

The AxG Mail Manager also features Tips which can offer guidance or explain terms.


Page 66: ACE Engineer

Refresher ACA / Email Security Mail Manager/SMTP Log

The SMTP Log Section displays an entry for all emails processed by the AxG. Messages can be sorted by Reason or Result.


Page 67: ACE Engineer

Refresher ACA /Remote Access / Astaro SSL VPN Client

Based on OpenVPN 32 bit version. For 64 bit operating system support download the latest OpenVPN client and configure per the following KB article http://portal.knowledgebase.net/article.asp?article=299973&p=5956

Uses TLS, the current version of the SSL protocol family

Proven technology

Used for all internet applications

Offers Secure and stable authentication and encryption


Easy client installation and configuration

Platform independent client application

Windows, Linux, Mac OS X, Solaris, OpenBSD, FreeBSD, NetBSD…

Accessible from anywhere

Via NAT, UMTS, GPRS, DSL,..

Using dynamic IP addresses…

Page 68: ACE Engineer

Refresher ACA SSL-based Remote Access / Configuration/Global

Enable the SSL Remote Access status

Drag and Drop the Users or Group objects

Drag and Drop the Local Networks that users should be able to access


If you untick Automatic Packet Filter rules you will have to manually create packet filter rules in the Network Security >> Packet Filter section.

Page 69: ACE Engineer

Refresher ACA SSL-based Remote Access / Configuration/ Settings

The Server Settings allow you to choose the protocol (TCP or UDP) to be used. UDP is noticeably faster (it avoids TCP-in-TCP retransmission effects), but some networks block it, so TCP may be needed for clients behind restrictive firewalls.

The port number (443 by default). This can be changed if you already use 443 for a NAT rule.

The Override hostname field must use a valid IP or hostname that clients can resolve!

Pool network: The default settings assign addresses from the private IP space 10.242.2.x/24. This network is called the VPN Pool (SSL). If you wish to use a different network, simply change the definition of the VPN Pool (SSL) on the Definitions >> Networks page.

Duplicate CN allows multiple simultaneous connections that present the same certificate common name (i.e. the same user account). Leave it disabled unless needed, since it removes the one-user-one-session guarantee.

Page 70: ACE Engineer

Refresher ACA /SSL-based Remote Access / Installing the SSL VPN Client on Windows

Installing the SSL VPN Client Software

The installation wizard copies all needed files to the client system.

A virtual network card will be installed during the installation process.

Since the TAP virtual network driver is not certified by Microsoft, a driver-signing warning will appear; it can be acknowledged to continue the installation.

Page 71: ACE Engineer

Refresher ACA /SSL-based Remote Access / Installing the SSL VPN Client on Windows

Using the SSL Client

Log in with Username and Password.

The connection dialogue box allows you to monitor the set-up of the connection.


SSL VPN Remote Access can be disconnected by clicking <Disconnect>.

Page 72: ACE Engineer

Refresher ACA /SSL-based Remote Access / Installing the SSL VPN Client on Windows

Connectivity Testing


Page 73: ACE Engineer

Refresher ACA /SSL-based Remote Access / Installing the SSL VPN Client on Windows

Configuration analysis & troubleshooting

<Show Status> provides all details regarding authentication, encryption, routing, etc.

<View Log> shows detailed log information depending on

Page 74: ACE Engineer

Refresher ACA /SSL-based Remote Access / Configuring logon Scripts to run automatically

There are three different scripts that the SSL VPN GUI can execute to help with different tasks like mapping network drives automatically.

Preconnect: If a file named "***_pre.bat" exists in the config folder where *** is the same as your OpenVPN config file name, this will be executed BEFORE the OpenVPN tunnel is established.

Connect: If a file named "***_up.bat" exists in the config folder where *** is the same as your OpenVPN config file name, this will be executed AFTER the OpenVPN tunnel is established.

Disconnect: If a file named "***_down.bat" exists in the config folder where *** is the same as your OpenVPN config file name, this will be executed BEFORE the OpenVPN tunnel is closed.

Note that the ‘config’ directory may be named something like 'user@domain.com', and to use the _up.bat you must rename both this directory and the OpenVPN configuration file contained within to something without special characters such as '@'. So you could rename this directory and the associated OpenVPN config file to 'userdomain.com'. Once this is done you can simply put your 'userdomain_up.bat' file into this directory and it will launch when you run the SSL VPN application. Since these batch files execute automatically on every connect, protect the config directory so that only the intended user can modify them.

Page 75: ACE Engineer

Network


In this chapter you will learn about features not covered by the ACA course:

VLAN

Link Aggregation

Bridging

Policy Routing

OSPF

QOS

Page 76: ACE Engineer

Networking/ VLAN (1)

Virtual LAN (VLAN) technology allows a network to be separated into multiple smaller network segments at the Ethernet level (layer 2).

A VLAN switch plus a VLAN-capable network interface simulate a number of physical interfaces plus cabling.

Every segment is identified by a "tag" (an integer number).

Adding a VLAN interface will create a virtual hardware device.

Example

PC1 and PC2 on the first floor and PC4 on the second floor will be connected together on VLAN 10.

PC3, PC5 and PC6 will be connected together on VLAN 20.

Both VLANs can communicate through the ASG's rulebase.

(Figure: the ASG (firewall/router) and Host1-3 are attached to switch a; Host4-6 are attached to switch b; the two switches are linked to each other.)

Switch a
Port      VLAN tag   tagged/untagged
1         10, 20     T
2 (PC1)   10         U
3 (PC2)   10         U
4 (PC3)   20         U
5         10, 20     T

Switch b
Port      VLAN tag   tagged/untagged
1         10, 20     T
2 (PC4)   10         U
3 (PC5)   20         U
4 (PC6)   20         U

The two tagged ports on switch a (1 and 5) connect to switch b's tagged port 1 and to the ASG. The ASG therefore needs two VLAN interfaces (tags 10 and 20) on one physical NIC, and traffic between the two VLANs only flows if its rulebase allows it.

Page 77: ACE Engineer

Networking/ VLAN (2)

VLAN segments are distinguished by a tag (integer value): a 12-bit VLAN ID. Of its 4096 values, 0 and 4095 are reserved, leaving up to 4094 usable virtual LANs.

When you add a VLAN interface, you create a virtual hardware device that can be used to add additional interfaces (aliases) too.

NOTES:

- Check the HCL to ensure the NIC is VLAN-capable and supported.

- PPPoE and PPPoA devices cannot be run over VLAN virtual hardware.

Page 78: ACE Engineer

Networking/ Overview IEEE 802.3ad Link Aggregation

Link aggregation (LA, also known as "port trunking" or "NIC bonding") aggregates multiple Ethernet network ports into one virtual interface.

Aggregated ports appear as a single IP address.

The Link Aggregation Control layer distributes the data stream across the member ports; the two link partners negotiate the group via the Link Aggregation Control Protocol (LACP).

Link aggregation is useful to

increase the link speed beyond the speed of any one single NIC

provide basic failover and fault tolerance by redundancy

All traffic routed over the failed port or switch is automatically re-routed to the remaining ports or switches.

Failover is completely transparent to the system using the connection.

NOTES:

– In an HA environment, Ethernet connections can even be on different HA units.

– Link partners must support IEEE 802.3ad.

– LA and Bridging cannot be combined. LA cannot work with DSL.

Page 79: ACE Engineer

Networking / Link Aggregation using ASG

Link aggregation allows:

Trunking two links for speed, and

Two links in redundancy mode

Requirement:

The link partner needs to support Link Aggregation

Page 80: ACE Engineer

Networking / Link Aggregation – Configuration (1)

IEEE 802.3ad Link Aggregation

Link Trunking (for speed)

Link Redundancy (for high availability)

Combination of both

To enable Link Aggregation:

Add Links to the group


Astaro Supports up to 4 Link Aggregation Groups

Page 81: ACE Engineer

Networking / Link Aggregation – Configuration (2)

To create a link aggregation group (LAG), proceed as follows:

1. Select the interfaces you want to convert into a link aggregation group.

2. Select the check box for each unconfigured interface you want to add to the LAG.

3. Enable the LAG.

Up to four different link aggregation groups with a maximum of four Ethernet interfaces per group are possible.

On top of the bonding interface you can create one of the following:

Ethernet Standard

Cable Modem (DHCP)

Ethernet VLAN

Alias interfaces

To disable a LAG, clear the check boxes of the interfaces that make up the LAG and click Update This Group.

The status of the bonding interface is shown on the Support / Advanced / Interfaces Table tab.

The link partner needs to support 802.3ad. The MAC address of the first NIC in the LAG will be used for all other NICs within the LAG.
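Added example, not the ASG's own configuration: the Linux commands that correspond to a link aggregation group with VLAN interfaces on top, covering the VLAN example (slides 76-77) and the LAG configuration (slides 80-81). bond0 joins eth2 and eth3 with 802.3ad/LACP and carries the two tagged VLANs of the floor example as bond0.10 and bond0.20. Interface names and addresses are constructed samples. The script prints the commands by default and executes them only with APPLY=1 (root; the switch port must also run 802.3ad).

```shell
#!/bin/sh
# LAG + VLAN on Linux (added example, not Astaro code). Constructed names:
# bond0 over eth2/eth3, VLANs 10 and 20 with 192.168.10.1 / 192.168.20.1.

APPLY="${APPLY:-0}"
run() { if [ "$APPLY" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi; }

BOND=bond0; BOND_PORTS="eth2 eth3"

# vlan_id_ok ID: 802.1Q VLAN IDs are 12 bits; 0 and 4095 are reserved.
vlan_id_ok() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

# bond_up: members must be down before they can be enslaved; the bond takes
# the MAC address of its first member, as the slide above notes.
bond_up() {
    run ip link add "$BOND" type bond mode 802.3ad miimon 100 lacp_rate fast
    for p in $BOND_PORTS; do
        run ip link set "$p" down
        run ip link set "$p" master "$BOND"
    done
    run ip link set "$BOND" up
}

# vlan_up PARENT ID ADDRESS/PREFIX: tagged sub-interface PARENT.ID, the
# "virtual hardware device" WebAdmin creates when you add an Ethernet VLAN.
vlan_up() {
    vlan_id_ok "$2" || { echo "vlan_up: bad VLAN id '$2'" >&2; return 1; }
    run ip link add link "$1" name "$1.$2" type vlan id "$2"
    run ip addr add "$3" dev "$1.$2"
    run ip link set "$1.$2" up
}

bond_up
vlan_up "$BOND" 10 192.168.10.1/24   # PC1, PC2 (first floor) and PC4 (second floor)
vlan_up "$BOND" 20 192.168.20.1/24   # PC3, PC5, PC6
# Traffic between the two VLANs is now routed by the gateway and subject to
# its rulebase; nothing crosses at layer 2.
```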

Page 82: ACE Engineer

Networking/ Bridging – Overview (1)

Bridging occurs at the link layer (OSI layer 2)

The link layer controls data flow, handles transmission errors, provides physical (as opposed to logical) addressing, and manages access to the physical medium

Bridges analyze incoming frames, make forwarding decisions based on information contained in the frames, and forward the frames toward the destination.

(Figure: "Keep subnet" versus "Split subnet" when inserting the ASG.)

NOTE: Bridging does not require splitting a network into two subnets to integrate the ASG into an existing network.

Page 83: ACE Engineer

Networking/ Bridging – Overview (2)

A bridge transparently relays traffic between multiple network interfaces.

Basically, a bridge connects two or more physical networks together to form one bigger (logical) network.

How it works:

The default gateway for 172.16.1.2 and 172.16.1.4 is 172.16.1.1

172.16.1.1 is the bridge interface br0 with ports eth1 and eth2

NOTE: All devices must have the same maximum packet size (MTU) since the bridge doesn't fragment packets.

Page 84: ACE Engineer

Networking / Bridging – Overview (3)

The idea is that traffic between 172.16.1.4 and 172.16.1.2 is bridged, while the rest is routed, using masquerading.

How it works:

When ethX interfaces are added to a bridge, they become part of the br0 interface.

The Linux 2.6 kernel has built-in support for bridging; frame-level filtering on bridges is provided by the ebtables project.

Ebtables has only very basic IPv4 support.

Bridge-nf is the infrastructure that enables iptables/netfilter to see bridged IPv4 packets and do advanced things like transparent IP NAT.

It forces bridged IP frames/packets to go through the iptables chains, so the packet filter applies to bridged traffic as well.
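Added example, not the ASG's own configuration: the Linux equivalent of the bridge on the previous two slides, so you can see what the WebAdmin settings do underneath. br0 joins eth1 and eth2, carries 172.16.1.1 as the hosts' gateway, bridge-nf hands bridged IPv4 frames to iptables, and everything that is not bridged is routed and masqueraded. eth0 as the external interface is a constructed sample. The script prints the commands by default and executes them only with APPLY=1 (root).

```shell
#!/bin/sh
# Transparent bridge with packet filtering (added example, not Astaro code).
# Addresses from the slide; eth0 as external interface is a constructed sample.

APPLY="${APPLY:-0}"
run() { if [ "$APPLY" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi; }

BRIDGE=br0; PORTS="eth1 eth2"; BR_ADDR=172.16.1.1/24; BR_NET=172.16.1.0/24
EXT_IF=eth0

# bridge_up: create the bridge, enslave the ports, give it the gateway address.
# All members keep the same MTU: the bridge forwards frames, it never fragments.
bridge_up() {
    run ip link add name "$BRIDGE" type bridge
    for p in $PORTS; do
        run ip link set "$p" master "$BRIDGE"   # port becomes part of br0
        run ip link set "$p" up
    done
    run ip addr add "$BR_ADDR" dev "$BRIDGE"
    run ip link set "$BRIDGE" up
}

# bridge_nf_on: without this, frames bridged between eth1 and eth2 never reach
# the iptables chains, so the packet filter could neither see nor block them.
bridge_nf_on() {
    run modprobe br_netfilter
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
}

# filter_and_masq: bridged hosts may talk to each other and go out through
# eth0 (masqueraded); everything else through FORWARD is dropped.
filter_and_masq() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$BRIDGE" -o "$BRIDGE" -s "$BR_NET" -d "$BR_NET" -j ACCEPT
    run iptables -A FORWARD -i "$BRIDGE" -o "$EXT_IF" -s "$BR_NET" -j ACCEPT
    run iptables -P FORWARD DROP
    run iptables -t nat -A POSTROUTING -o "$EXT_IF" -s "$BR_NET" -j MASQUERADE
}

bridge_up; bridge_nf_on; filter_and_masq
```

Run it once without APPLY to review the command list; the bridge-nf sysctl is the line most often missing when "the bridge works but the firewall rules do nothing".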

Page 85: ACE Engineer

Networking/ Bridging – Configuration (1)

Configuration Example:


Page 86: ACE Engineer

Networking/ Bridging – Configuration (2)

There are two advanced options available: Allow ARP Broadcasts and Ageing timeout.

By default, ARP broadcasts are not allowed to pass across the bridged interfaces.

If needed, enable the Allow ARP Broadcasts option.

As the network can change, we need to specify when a learned MAC address entry is removed from the bridge's forwarding table due to inactivity; this is the Ageing timeout.

Page 87: ACE Engineer

Networking/ Policy Based Routing (1)

Policy-based routing provides a mechanism for expressing and implementing forwarding/routing of data packets based on the policies defined by the network administrators.

It provides a more flexible mechanism for routing packets, complementing the existing mechanism provided by routing protocols.

Packets can now be routed based on source IP address, source port and destination port, in addition to normal routing which is based on the destination IP address.

(Figure: ASG with DMZ 1, LAN 1 and LAN 2 behind it and two upstream routers, Provider A (MPLS) and Provider B (DSL); ERP traffic and SMTP traffic take different providers.)

Example:

Route ERP traffic from Finance to the MPLS provider: interface = any, service = SAP, source = Finance, target = Provider A

Route SMTP traffic from the DMZ to the DSL provider: interface = 2, service = SMTP, source = DMZ1, target = Provider B

Page 88: ACE Engineer

Networking/ Policy Based Routing (2)

Policy based routing will route by selectors:

Destination

Source

Service

Source Interface

Policy based routing will route to targets:

An interface

A host

Limitations:

It is not possible to select all traffic and route it, as this would be a default gateway

Policy routes have an order which is evaluated in the same way as the packet filter (top to bottom)

Only user defined policy routes are possible

Network groups in policy routes are not possible

The following benefits can be achieved by implementing policy-based routing in the networks:

Load Sharing

Cost Savings

Source-Based Transit Provider Selection

Quality of Service (QoS)
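Added example, not ASG configuration: the Linux policy-routing primitives behind the two rules on slide 87, shown so the selector/target model above maps onto something concrete. Selecting on the service (port) rather than only on addresses needs a firewall mark from iptables; the mark then picks a routing table whose only entry is that provider's default route. Addresses, interface names and ports are constructed samples (the ERP service is shown as TCP 3200; use your application's real ports). Prints by default; APPLY=1 executes (root).

```shell
#!/bin/sh
# Policy-based routing on Linux (added example, not Astaro code).
# Constructed sample addressing; ERP shown as TCP 3200.

APPLY="${APPLY:-0}"
run() { if [ "$APPLY" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi; }

FINANCE=192.168.10.0/24; DMZ1=172.16.5.0/24; DMZ_IF=eth3
PROV_A_GW=198.51.100.1; PROV_A_IF=eth1   # Provider A, MPLS
PROV_B_GW=203.0.113.1;  PROV_B_IF=eth2   # Provider B, DSL

# pbr_table ID GW IF: routing table ID holds one provider's default route and
# packets marked ID are looked up there. Rule priorities are evaluated lowest
# first (top to bottom, like the packet filter); the main table with the
# normal default gateway sits at 32766, so these win for marked packets only.
pbr_table() {
    run ip route add default via "$2" dev "$3" table "$1"
    run ip rule add fwmark "$1" lookup "$1" priority "$((1000 + $1))"
    # packets leaving via this provider carry its address, so replies return the same way
    run iptables -t nat -A POSTROUTING -o "$3" -j MASQUERADE
}

# pbr_select MARK SRC DPORT [IN_IF]: the selector (source, service and optional
# source interface); the destination is left open, as on the slide.
pbr_select() {
    mark=$1; src=$2; dport=$3; inif=${4:-}
    if [ -n "$inif" ]; then
        run iptables -t mangle -A PREROUTING -i "$inif" -s "$src" -p tcp --dport "$dport" -j MARK --set-mark "$mark"
    else
        run iptables -t mangle -A PREROUTING -s "$src" -p tcp --dport "$dport" -j MARK --set-mark "$mark"
    fi
}

policy_routes() {
    # strict reverse-path filtering drops replies arriving on the "other"
    # provider interface; loose mode (2) keeps the basic anti-spoofing check
    run sysctl -w net.ipv4.conf.all.rp_filter=2
    pbr_table 1 "$PROV_A_GW" "$PROV_A_IF"
    pbr_table 2 "$PROV_B_GW" "$PROV_B_IF"
    pbr_select 1 "$FINANCE" 3200            # ERP from Finance, any interface -> Provider A
    pbr_select 2 "$DMZ1" 25 "$DMZ_IF"       # SMTP from DMZ1 on interface 2 -> Provider B
}

policy_routes
```

Order matters exactly as the slide says: a broader selector placed earlier (lower priority number) shadows the specific one, and a rule without any selector would be a second default gateway, which is why it is not allowed.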

Page 89: ACE Engineer

OSPF/ Overview

OSPF = Open Shortest Path First

Link-state hierarchical routing protocol

Uses Dijkstra’s SPF algorithm to calculate the shortest path tree.

Open standard, developed by IETF

ASG supports OSPF version 2, RFC 2328 (using the Quagga package, http://www.quagga.net)

Interior Gateway Protocol (IGP) for routing within one autonomous system (AS)

OSPF uses cost as its routing metric (e.g. a reference bandwidth of 10^8 divided by the interface bandwidth in bits per second, so a 10 Mbit/s link costs 10 and a 100 Mbit/s link costs 1)

The cost of an OSPF-enabled interface is an indication of the overhead required to send packets across that interface.

The cost of an interface is inversely proportional to the bandwidth of that interface.

A link state database of the network topology is constructed which is identical on all routers in the area.

OSPF guarantees loop-free routing.

Page 90: ACE Engineer

OSPF/ Features & Benefits

Area concept for hierarchical topologies and reduction of CPU and memory consumption of routers

Independent of IP subnet classes

Arbitrary, dimensionless metric

Load balancing for paths with equal costs

Special reserved multicast addresses reduce the impact on non-OSPF devices

Authentication of routing updates (OSPFv2 supports a simple password or MD5); enable it so that a rogue device on the segment cannot inject routes

External route tags

TOS routing possible

Fast database reconciliation after topology changes

Support for large networks

Low susceptibility to faulty routing information

Page 91: ACE Engineer

OSPF/ ASG Configuration – OSPF-ID

The OSPF ID (router ID) uniquely identifies the router device within the OSPF domain.

It is denoted in x.x.x.x format and is typically one of the router's own addresses, such as its public interface address.

Page 92: ACE Engineer

OSPF/ ASG Configuration – OSPF Area

Before you can enable the OSPF function, you must have at least one OSPF area configured.

Areas are identified by a 32-bit ID in dot-decimal notation similar to the notation of IP addresses.

Page 93: ACE Engineer

OSPF/ ASG Configuration – OSPF Interfaces (1)

The OSPF interface defines interfaces that can be used to announce OSPF networks.

Page 94: ACE Engineer

OSPF/ ASG Configuration – OSPF Interfaces (2)


The OSPF interface must be added to the area that will be announced

Page 95: ACE Engineer

OSPF/ ASG Configuration – OSPF Interfaces (3)

The OSPF debug section gives information about the current state of OSPF operations. It shows neighbors, routes, interfaces etc. in pop-up windows.

Page 96: ACE Engineer

Quality of Service/ Working Principle

Quality of Service (QoS) can reserve guaranteed bandwidths for certain types of outbound network traffic passing between two points in the network.

Inbound traffic is optimized internally by various techniques such as Stochastic Fairness Queuing (SFQ) or Random Early Detection (RED).

(Figure: traffic between two ASGs, Headquarter and Branch Office, without and with traffic shaping.)

Page 97: ACE Engineer

Quality of Service/ Features and Benefits

QoS allows you to

Limit available bandwidth

Guarantee minimum bandwidth

and

Works per Interface

Works per Subnet/Host

Works per Service

Define traffic directions carefully:

(Figure: Upstream → shape downstream, Ext. NIC / Int. NIC. HTTP & FTP download from ANY => outbound from the ext. NIC's view)

Page 98: ACE Engineer

Quality of Service/ Configuration

Status: The Status tab lists the interfaces for which QoS can be configured. By default, QoS is disabled for each interface.

Traffic Selectors: A traffic selector can be regarded as a QoS definition for a certain type of network traffic.

Bandwidth Pools (Internal & External): Bandwidth Pools describe the bandwidth shared by multiple sources. Bandwidth Pools can also specify upper bandwidth limits.

Page 99: ACE Engineer

Quality of Service/ Configuration: Status Overview

Display all available interfaces

Define the available, physical bandwidth.

Define the guaranteed uplink and downlink bandwidth for any Interface, e.g. the DSL line.


By default, QoS is disabled for each interface

Page 100: ACE Engineer

Quality of Service/ Configuration: Traffic Selectors

Traffic Selectors describe what traffic needs to be accounted for.

The description contains details about the source of the traffic, its destination and its service.

TOS/DSCP allows the “Type of Service” and “DiffServ” markings in the traffic to be taken into account. Because these markings are set by the sender, do not let them alone grant guaranteed bandwidth to untrusted hosts.

It is possible to build groups of Traffic Selectors.

Page 101: ACE Engineer

Quality of Service/ Configuration: Bandwidth Pools

Bandwidth Pools

They describe the available and guaranteed bandwidth for the available interfaces


Page 102: ACE Engineer

Networking / Review Questions

Page 103: ACE Engineer

Networking/ Review Questions

1. How many VLANs can you create on an ASG interface?

The VLAN ID is 12 bits wide; with IDs 0 and 4095 reserved, up to 4094 VLANs can be created on each interface.

2. What are two major benefits of link aggregation?

LAG can be used to increase the link speed beyond the speed of any one single NIC, and to provide basic failover and fault tolerance by redundancy.

3. On which OSI layer does bridging occur?

Bridging occurs at the link layer (OSI layer 2).

4. Name some of the benefits of using OSPF.

OSPF guarantees loop-free routing.

Support for very large networks.

Low susceptibility to faulty routing information.

Load balancing for paths with equal costs.

5. What are the two major benefits of using QoS?

Limit available bandwidth

Guarantee minimum bandwidth

Page 104: ACE Engineer

Network Security


In this chapter you will learn about the network security features not covered by the ACA course:

Full NAT

Generic Proxy

SOCKS Proxy

Ident Proxy

Page 105: ACE Engineer

Network Security / NAT/ Full NAT

A full NAT is a NAT rule that alters both the source and destination information of a single packet traversing the ASG.

A full NAT does not make traffic initiated on either side of the ASG possible with one rule -- you still need a DNAT and an SNAT for this!

A full NAT rule is generally used in a network in which the routes on the internal network would prevent a packet's return traffic from being routed back to the ASG.

There are two common topologies that will require the use of a full NAT:

Two Gateways on the Network

Routes Do Not Allow Return Traffic

Page 106: ACE Engineer

Network Security / NAT/ Two Gateways on the Network

In this example, there are two gateways that the host is using. The default gateway is set to the other router. Notice that without the NAT rule, the packet will go out the default gateway.

A) Traffic is initiated from the Internet to an internal host

B) The ASG DNATs the packet to the internal server; note that the public source IP of the packet is intact

C) The server sends the return traffic to its default gateway

D) The packet is sent back and may even reach the client, but the session is broken as a result: the other router does not reverse the DNAT, so the reply carries the server's private address as source and the client's TCP stack discards it

Page 107: ACE Engineer

Network Security / NAT/ Routes Do Not Allow Return Traffic

In this example, there is a switch that connects a host and a server. If the host attempts to connect to the server's external IP address, the session is dropped unless the

1) The PC sends a request to the internal server's public IP address.

2) The ASG DNATs the packet.

3) The ASG routes the packet to the proper server.

4) The server has a direct route to the host, so the reply bypasses the ASG, breaking the session.

4a) If you use a full NAT, the server will send its reply back to the ASG.

4b) The ASG will then route the packet normally and the session stays intact.

Page 108: ACE Engineer

Network Security / Advanced

The Generic Proxy is another option when private networks are being used.

SOCKS is an internet protocol that allows clients to use the services of a firewall transparently; the name is short for "SOCKetS".

The Ident Protocol is specified in RFC 1413 and helps to identify the user of a particular TCP connection.

Page 109: ACE Engineer

Network Security / Generic Proxy

Works as a port forwarder

Combines features of DNAT and Masquerading

Forwards all incoming traffic for a specific service to an arbitrary server.

The difference to standard DNAT, however, is that a generic proxy also replaces the source IP address of a request with the IP address of the ASG interface for outgoing connections. In addition, the destination (target) port number can be changed as well.
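The three translations discussed on the Full NAT and Generic Proxy slides above, worked through as an added example (this is not code from the Astaro courseware or the ASG itself). All addresses, the server's routing table and the function names are constructed for the example; the point it demonstrates is why a reply to a plain DNAT can bypass the ASG while the reply to a full NAT or generic proxy always returns to it.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Constructed addresses for this example (not taken from the courseware).
ASG_INTERNAL_IP = "10.0.0.1"        # ASG interface on the server network
SERVER_PUBLIC_IP = "203.0.113.10"   # public address the client connects to
SERVER_PRIVATE_IP = "10.0.0.80"     # internal server behind the ASG
CLIENT_IP = "192.168.50.25"         # host on a second internal network
OTHER_ROUTER_IP = "10.0.0.254"      # the server's default gateway (not the ASG)

# The server's own routing table (constructed): it reaches the client network
# through the other router, so a reply addressed to CLIENT_IP never passes the ASG.
SERVER_ROUTES = [
    (ip_network("10.0.0.0/24"), "direct"),
    (ip_network("192.168.50.0/24"), OTHER_ROUTER_IP),
    (ip_network("0.0.0.0/0"), OTHER_ROUTER_IP),
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


def dnat(pkt: Packet) -> Packet:
    """Plain DNAT: only the destination is rewritten, the source stays intact."""
    return replace(pkt, dst=SERVER_PRIVATE_IP)


def full_nat(pkt: Packet) -> Packet:
    """Full NAT: destination and source are rewritten by the same rule."""
    return replace(pkt, dst=SERVER_PRIVATE_IP, src=ASG_INTERNAL_IP)


def generic_proxy(pkt: Packet, target_port: int) -> Packet:
    """Generic proxy: the source becomes the ASG interface (as with full NAT)
    and the target port may be changed as well."""
    return replace(pkt, dst=SERVER_PRIVATE_IP, src=ASG_INTERNAL_IP, dport=target_port)


def server_next_hop(dst: str) -> str:
    """Longest-prefix match over SERVER_ROUTES; a 'direct' route returns dst itself."""
    addr = ip_address(dst)
    net, hop = max(((n, h) for n, h in SERVER_ROUTES if addr in n),
                   key=lambda route: route[0].prefixlen)
    return dst if hop == "direct" else hop


def reply_path(translated: Packet) -> str:
    """Where the server sends its reply to the translated packet. The session
    survives only if that reply reaches the ASG, which holds the NAT state."""
    hop = server_next_hop(translated.src)   # the reply goes to the source the server saw
    if hop == ASG_INTERNAL_IP:
        return "via ASG (session intact)"
    return f"bypasses ASG via {hop} (session broken)"


def compare_rules() -> dict:
    """Run the same client packet through each rule type and report the reply path."""
    pkt = Packet(CLIENT_IP, SERVER_PUBLIC_IP, 40123, 80)
    return {
        "dnat": reply_path(dnat(pkt)),
        "full_nat": reply_path(full_nat(pkt)),
        "generic_proxy": reply_path(generic_proxy(pkt, 8080)),
    }


if __name__ == "__main__":
    for rule, path in compare_rules().items():
        print(f"{rule:14s} reply {path}")
```

Swap the second SERVER_ROUTES entry for a route through the ASG and the DNAT case stops breaking: that is exactly the condition under which a plain DNAT is sufficient and a full NAT is not needed.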

Page 110: ACE Engineer

Network Security / SOCKS

What is it used for?

Can build TCP and UDP connections for client applications

Can provide incoming ports to listen on

Used with systems that incorporate NAT

Where is it used?

IM clients such as ICQ, AIM

FTP

RealAudio

Astaro Security Gateway supports SOCKSv5

User authentication can be used

Page 111: ACE Engineer

Network Security/ IDENT Relay

IDENT is an older protocol

Allows external users to associate a username with a TCP connection

Not very secure because the connection isn't encrypted

Necessary for some services like IRC and some mail servers

Astaro will respond with the string that you specify as the default response

Hence the configuration is rather simple; it offers:

Configuration of the string to answer with

Optionally the possibility to forward Ident requests to the internal clients (which is not always possible)

Page 112: ACE Engineer

Network Security/ Review Questions

1. Why would you use a FULL NAT rule?

Full NAT is generally used in two scenarios: when there are two gateways on the network, and when the existing routes do not allow return traffic.

2. What is the difference between DNAT and the generic proxy?

DNAT replaces the destination IP of a connection while the generic proxy also replaces the source IP with the IP of the ASG interface for outgoing connections.

3. What version of SOCKS does the ASG support?

The ASG supports SOCKS v5.

4. What is a major disadvantage to IDENT?

IDENT connections are not encrypted.

Page 113: ACE Engineer

VoIP Security


In this chapter you will learn how SIP and H.323 security work.

Page 114: ACE Engineer

VoIP Security/ SIP/H.323 Security

SIP and H.323 are so-called “signaling” protocols, which are designed to notify communication partners in telephony-like connections. These signals contain information about the state of the connection, like “INVITE”, “RINGING” or “HANGUP”. The actual voice connection takes place on a dynamic port.

Astaro’s VoIP Security uses special connection tracking helper modules for monitoring the control channel to determine which dynamic ports are being used and then only allowing these ports to pass traffic when the control channel is busy.

To configure VoIP Security, client and server network definitions need to be made.

[Slide diagram: SIP call setup between Rick (IP-A) and Cory (IP-B), shown over time]

Rick -> Cory, to IP-B, PORT-S: INVITE Cory@IP-B with SDP “c=IN IP4 IP-A, m=audio 2000 RTP/AVP 0”

Cory -> Rick, to IP-A, PORT-S: 200 OK with SDP “c=IN IP4 IP-B, m=audio 4000 RTP/AVP 3”

Audio stream to IP-A, port 2000; audio stream to IP-B, port 4000
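What the connection tracking helper has to extract from the control channel, as an added example (not code from the courseware or from the ASG's helper modules): the SDP body of the INVITE and of the 200 OK names the address and port each side will receive audio on, and only those dynamic endpoints get a pinhole. The SIP messages below are constructed, with 192.0.2.10 standing in for IP-A (Rick), 192.0.2.20 for IP-B (Cory) and 5060 for PORT-S; the function names are my own. The parser also handles a media-level c= line overriding the session-level one, which the slide does not show.

```python
import re

# Constructed SIP messages (not from the courseware). 192.0.2.10 plays IP-A
# (Rick) and 192.0.2.20 plays IP-B (Cory); 5060 is the signalling port PORT-S.
INVITE = (
    "INVITE sip:cory@192.0.2.20 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060\r\n"
    "From: <sip:rick@192.0.2.10>\r\n"
    "To: <sip:cory@192.0.2.20>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=rick 1 1 IN IP4 192.0.2.10\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "m=audio 2000 RTP/AVP 0\r\n"
)
OK_200 = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=cory 1 1 IN IP4 192.0.2.20\r\n"
    "c=IN IP4 192.0.2.20\r\n"
    "m=audio 4000 RTP/AVP 3\r\n"
)
# A signalling message without SDP: nothing to open for it.
ACK = "ACK sip:cory@192.0.2.20 SIP/2.0\r\nVia: SIP/2.0/UDP 192.0.2.10:5060\r\n\r\n"


def parse_sdp(message: str):
    """Return (connection_ip, audio_port) announced in a SIP message's SDP body,
    or None when the message carries no usable audio description."""
    parts = re.split(r"\r?\n\r?\n", message, maxsplit=1)  # headers / body
    if len(parts) < 2:
        return None
    session_ip = None
    media = []                      # [port, media-level ip or None]
    for line in parts[1].splitlines():
        if line.startswith("c=IN IP4 "):
            ip = line.split()[2]
            if media:               # a c= after an m= line overrides the session c=
                media[-1][1] = ip
            else:
                session_ip = ip
        elif line.startswith("m=audio "):
            media.append([int(line.split()[1]), None])
    for port, ip in media:
        ip = ip or session_ip
        if ip and port:
            return ip, port
    return None


def negotiated_rtp_endpoints(invite: str, ok: str):
    """The two dynamic RTP endpoints a connection tracking helper would open
    for this call: each side receives audio at the address/port it announced."""
    endpoints = set()
    for msg in (invite, ok):
        ep = parse_sdp(msg)
        if ep:
            endpoints.add(ep)
    return endpoints


def rtp_allowed(endpoints, dst_ip: str, dst_port: int) -> bool:
    """Pinhole check: UDP to (dst_ip, dst_port) passes only while negotiated."""
    return (dst_ip, dst_port) in endpoints


if __name__ == "__main__":
    eps = negotiated_rtp_endpoints(INVITE, OK_200)
    print("open pinholes:", sorted(eps))
    print("audio to IP-B:4000 allowed?", rtp_allowed(eps, "192.0.2.20", 4000))
    print("audio to IP-B:4001 allowed?", rtp_allowed(eps, "192.0.2.20", 4001))
```

A real helper additionally closes the pinholes again when the control channel signals BYE or times out; the endpoint set above is the state it has to keep between those two events.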

Page 115: ACE Engineer

VoIP Security/ SIP – Session Initiation Protocol

“Session Initiation Protocol is an application-layer control (signaling) protocol for creating, modifying, and terminating sessions with one or more participants. These sessions include Internet telephone calls, multimedia distribution, and multimedia conferences.” (cit. RFC 3261)

A good starting point for reading about SIP is at http://en.wikipedia.org/wiki/Session_Initiation_Protocol

[Slide diagram: Rick, SIP Proxy, SIP Registrar, SIP Proxy, Cory; Rick’s INVITE [email protected] travels through the SIP proxies to Cory]

Page 116: ACE Engineer

VoIP Security/ H.323

H.323 is an umbrella recommendation from the ITU Telecommunication Standardization Sector (ITU-T), that defines the protocols to provide audio-visual communication sessions on any packet network.

H.323 was originally created to provide a mechanism for transporting multimedia applications over LANs but it has rapidly evolved to address the growing needs of VoIP networks.

Currently real-time applications such as NetMeeting and Ekiga (the latter using the OpenH323 implementation) use H.323.

A good starting point for reading about H.323 is at http://en.wikipedia.org/wiki/H323

Page 117: ACE Engineer

VoIP Security/ SIP/H.323 Security

To configure H.323 or SIP Security, go to the VoIP Security Menu. Each module can be activated individually.

Both modules are rather easy to configure: simply add the allowed clients to the SIP or H.323 configuration and configure one or more SIP servers or H.323 gatekeepers.

Page 118: ACE Engineer

General WebAdmin Troubleshooting


Page 119: ACE Engineer

General WebAdmin Troubleshooting

Most troubleshooting can be done via the WebAdmin GUI

Webadmin dashboards that show real time statistics, reports, and logs will point to problems and errors

Real time resource indicators such as high CPU usage can indicate problems with running processes

RAM usage depends on applications being used and hardware installed

Swap will increase if the system runs out of RAM

Growing log disks may indicate logging errors

Page 120: ACE Engineer

General WebAdmin Troubleshooting

Network Statistics can identify most active source hosts, services, concurrent connections, and total traffic.


Page 121: ACE Engineer

General WebAdmin Troubleshooting

Real time logs in the Logging section will show real time information. If CPU usage has been running high, error messages may be found in the System Messages or Self monitoring logs.

System messages should be checked for errors relating to the databases. If any are found, a support ticket should be opened with Astaro.

Self monitoring log should not show many process restarts


Page 122: ACE Engineer

General WebAdmin Troubleshooting

Incorrectly Binding a host to a specific interface can prevent packet filter and NAT rules from working


Page 123: ACE Engineer

General WebAdmin Troubleshooting

Incorrectly written NAT rules are a common issue. A typical mistake is trying to translate the ‘Any’ service to a specific port.

Not using the ‘Automatic Packet’ filter rule option can prevent many rules from working.


Page 124: ACE Engineer

Command Line Troubleshooting Guide


Page 125: ACE Engineer

CLI / Linux skills

Command Line or Shell access is not needed during normal operation of the AxG product line

All configuration can and should be done via the WebAdmin GUI

Shell access is used for more in depth and quicker troubleshooting


Shell configuration changes are made at your own risk and can void support.

Basic Linux skills will be needed for shell access

Google searches will return plenty of information about Linux

http://www.linux.org/lessons/ offers some free easy beginner courses

Page 126: ACE Engineer

CLI/ First steps

When first logging into the Shell some quick things to check are:

System Load

Top processes

Log directories to see which log files are being written to

Disk space utilization

System load and top processes are checked using the ‘top’ command, which shows the processor activity in real time.

Page 127: ACE Engineer

CLI/ First steps

Top shows information such as uptime, load average, memory, swap, and processes running.

Load average depends on the hardware installed and will be displayed via WebAdmin as CPU Usage. If CPU is running high then load will be high.

To determine which process is using the most CPU, look at the %CPU column or sort by pressing the ‘C’ key.

To kill a process press the ‘K’ key and enter the PID #. If no ‘signal’ is chosen the TERM signal is sent. If the process does not stop, try specifying the ‘KILL’ signal by using the number ‘9’ when prompted.

Page 128: ACE Engineer

CLI/ First steps

The /var/log directory holds logs for both the current day as well as directories for past dates.

Logs can be sorted according to time to see which was last written to by using the ‘ll -tr’ command.

Logs can be viewed by using utilities such as ‘less’, ‘cat’, or ‘tail’. ‘tail -f’ will show the log as it updates in real time. ‘grep’ can be used to filter on specific information such as usernames or IP addresses.

Page 129: ACE Engineer

CLI/ First steps

The /var/log directory holds logs for both the current day as well as directories for past dates. Additional debug and .lock files are found in the /tmp directory.

Logs can be sorted according to time to see which was last written to by using the ‘ll -tr’ command.

Logs can be viewed by using utilities such as ‘less’, ‘cat’, or ‘tail’. ‘tail -f’ will show the log as it updates in real time. ‘grep’ can be used to filter on specific information such as usernames or IP addresses.

Page 130: ACE Engineer

CLI / Packetfiltering basics (1)

ASG uses the stateful packet filtering capabilities of the 2.6 Linux kernel.

[Slide diagram: netfilter packet flow through the ASG. Chains: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING. Tables: NAT, Filter. The hook labels below are as printed on the slide; their grouping by chain follows the standard netfilter packet flow.]

Incoming packets -> PREROUTING (dnat, conntrack, mangle, spoofdrop) -> Routing

Routing -> FORWARD (mangle, filter, ips) -> POSTROUTING (masquerading, snat, conntrack, mangle) -> Outgoing packets

Routing -> INPUT (mangle, filter, ips) -> Local Processes (Apache, EXIM, SSHD, HTTP Proxy, BIND, IPSEC, PPTP)

Local Processes -> OUTPUT (conntrack, mangle, dnat, spoofdrop; mangle, ips) -> Routing -> POSTROUTING -> Outgoing packets

Page 131: ACE Engineer

CLI / Packetfiltering basics (2)

Verify packet filter rules using the command line interface (CLI) or Shell

Packet filter rules can be reviewed using the command iptables -L -nv on the CLI.

With this command the table filter with all its chains and sub-tables will be shown by default.

The available tables can be seen with the command cat /proc/net/ip_tables_names.

Note: Manual changes to the packet filter with the command iptables will be overridden when a change is done using the WebAdmin.

Important chains within the table filter are:

AUTO_INPUT – contains rules that have one of the ASG IP addresses as destination and are configured as a service within the WebAdmin (e.g. DNS to the ASG)

AUTO_FORWARD – contains rules for traffic that is forwarded through the ASG and is configured as a service within the WebAdmin (e.g. ping through the firewall)

USR_FORWARD – contains packet filter rules that are configured by the administrator manually in the menu “Packet filter” and do not use an IP address of the ASG itself as source or destination address.

Page 132: ACE Engineer

CLI / Packet filter example (1)

Scenario 1: The administrator has locked himself out of the WebAdmin

The admin has locked himself out by mistake. A network/host was removed from the list of “Allowed networks”. SSH is activated and the ASG is accessible with SSH.

Verify with: iptables -L AUTO_INPUT -nv | grep 4444

Chain AUTO_INPUT (1 references)
 pkts bytes target     prot opt in  out  source            destination
    0     0 LOGACCEPT  tcp  --  *   *    192.168.140.0/24  0.0.0.0/0    tcp spts:1024:65535 dpt:4444 LOGMARK match 6000
   63   180 LOGDROP    tcp  --  *   *    0.0.0.0/0         0.0.0.0/0    tcp spts:1024:65535 dpt:4444 LOGMARK match 60005

Only the network 192.168.140.0/24 is allowed for the WebAdmin; all other networks will be blocked and logged by default.

Add a network: iptables -I INPUT -j ACCEPT --source 172.16.65.0/24 -p tcp --dport 4444

Verify with: iptables -L INPUT -nv | grep 4444

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target  prot opt in  out  source          destination
    0     0 ACCEPT  tcp  --  *   *    172.16.65.0/24  0.0.0.0/0    tcp dpt:4444

Once the WebAdmin is accessible, the corresponding network should be added to the “Allowed networks” and saved with Apply. All manual configurations will be deleted after a restart of the middleware/ASG.

Page 133: ACE Engineer

CLI / Packet filter example (2)

Scenario 2: A packet filter rule for VPN doesn’t work, the VPN itself is working correctly.

A few packet filter rules were configured for communication with the branch office using the WebAdmin. The access with HTTP in rule 3 isn’t working.

Verify with: iptables -L USR_FORWARD -nv | grep 172.16.67.2

Chain USR_FORWARD (1 references)
 pkts bytes target     prot opt in  out   source          destination
    0     0 LOGACCEPT  tcp  --  *   eth1  172.16.55.0/24  172.16.67.2  tcp spts:1:65535 dpt:80 LOGMARK match 3

Solution: The network definition (type: host) for the webserver is bound to interface eth1 (WAN), but the tunnel uses interface ipsec0. That is why this rule isn’t working and all packets will be dropped by the “Default drop”.

These errors are hard to find with the WebAdmin and the packet filter table. They are easier to find with the command iptables using the CLI.
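The two checks made by eye in the scenarios above (which sources reach the WebAdmin port, and which rule is bound to an interface the traffic never uses), as an added example that is not part of the Astaro courseware: a small parser for the row format of iptables -L <chain> -nv, with the counter suffixes (12K, 3M) that -v prints for large values. The sample output is constructed to mirror the two scenarios; the function names are my own.

```python
import re

# Constructed output in the format of `iptables -L <chain> -nv`; the values
# mirror the two scenarios above but were not captured from a real ASG.
AUTO_INPUT = """\
Chain AUTO_INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOGACCEPT  tcp  --  *      *       192.168.140.0/24     0.0.0.0/0            tcp spts:1024:65535 dpt:4444 LOGMARK match 6000
   63   180 LOGDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spts:1024:65535 dpt:4444 LOGMARK match 60005
"""
USR_FORWARD = """\
Chain USR_FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOGACCEPT  tcp  --  *      eth1    172.16.55.0/24       172.16.67.2          tcp spts:1:65535 dpt:80 LOGMARK match 3
"""

SUFFIX = {"K": 1_000, "M": 1_000_000, "G": 1_000_000_000}


def _count(token: str) -> int:
    """iptables -v abbreviates large counters, e.g. 12K or 3M."""
    if token[-1] in SUFFIX:
        return int(token[:-1]) * SUFFIX[token[-1]]
    return int(token)


def parse_chain(text: str) -> list:
    """Turn the rows of one chain listing into dicts; header lines are skipped."""
    rules = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 9:
            continue
        try:
            pkts, nbytes = _count(f[0]), _count(f[1])
        except ValueError:
            continue                          # "Chain ..." and column header lines
        extra = " ".join(f[9:])
        m = re.search(r"dpt:(\d+)", extra)
        rules.append({
            "pkts": pkts, "bytes": nbytes, "target": f[2], "prot": f[3],
            "in": f[5], "out": f[6], "source": f[7], "destination": f[8],
            "dport": int(m.group(1)) if m else None, "extra": extra,
        })
    return rules


def accepting_sources(rules: list, dport: int) -> list:
    """Sources that may reach dport (targets ending in ACCEPT, e.g. the ASG's LOGACCEPT)."""
    return [r["source"] for r in rules
            if r["dport"] == dport and r["target"].endswith("ACCEPT")]


def dropping_rules(rules: list) -> list:
    """(target, packet count) of every DROP-type rule that has matched traffic:
    a quick way to see that the lock-out is really the packet filter."""
    return [(r["target"], r["pkts"]) for r in rules
            if "DROP" in r["target"] and r["pkts"] > 0]


def rules_bound_to_wrong_interface(rules: list, destination: str, expected_out: str) -> list:
    """Rules for `destination` whose out-interface is fixed to something other
    than the interface the traffic really leaves on (here the ipsec0 tunnel)."""
    return [r for r in rules
            if r["destination"] == destination and r["out"] not in ("*", expected_out)]


if __name__ == "__main__":
    print("WebAdmin reachable from:", accepting_sources(parse_chain(AUTO_INPUT), 4444))
    print("drop hits:", dropping_rules(parse_chain(AUTO_INPUT)))
    for r in rules_bound_to_wrong_interface(parse_chain(USR_FORWARD), "172.16.67.2", "ipsec0"):
        print(f"rule to {r['destination']} bound to {r['out']}, traffic uses ipsec0")
```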

Page 134: ACE Engineer

CLI / Stateful packet filtering

Scenario 3: Outgoing FTP connections are not working, the packet filter entries are correct.

The Astaro Security Gateway writes every connection to the connection tracking table. The administrator wants to verify if the FTP connection is visible in this table.

Verify with: conntrack -L | grep 192.168.140.213

Working connection:

tcp 6 103 TIME_WAIT src=172.16.55.55 dst=192.168.140.213 sport=1114 dport=4045 packets=4 bytes=168 src=192.168.140.213 dst=192.168.140.225 sport=4045 dport=1114 packets=4 bytes=279 [ASSURED] mark=0 use=1

tcp 6 431987 ESTABLISHED src=172.16.55.55 dst=192.168.140.213 sport=1113 dport=21 packets=15 bytes=696 src=192.168.140.213 dst=192.168.140.225 sport=21 dport=1113 packets=16 bytes=1171 [ASSURED] mark=0 use=3

Not working connection (only one entry):

tcp 6 431982 ESTABLISHED src=172.16.55.55 dst=192.168.140.213 sport=1192 dport=21 packets=9 bytes=419 src=192.168.140.213 dst=192.168.140.225 sport=21 dport=1192 packets=9 bytes=686 [ASSURED] mark=0 use=1

Background: FTP works with a second connection for data transfer on different ports. These ports are negotiated dynamically for every FTP connection. The Astaro Security Gateway has to relate this second connection to the allowed FTP connection on port 21.

Solution: The connection tracking helper for FTP has to be activated. This is done using Network Security -> Packetfilter -> Advanced and is activated by default.
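The comparison the administrator makes above, as an added example that is not part of the Astaro courseware: parse conntrack -L entries into their original and reply tuples, then list, for every FTP control connection (original dport 21), the data connections seen between the same client and server. A control connection with no data channel beside it is the symptom of the missing helper. The sample table is constructed in the conntrack output format (the second client address is changed so the two sessions are distinguishable); function names are my own.

```python
import re

# Constructed conntrack -L output (not captured from a real system): one FTP
# session with its data connection and one session without.
CONNTRACK = """\
tcp      6 103 TIME_WAIT src=172.16.55.55 dst=192.168.140.213 sport=1114 dport=4045 packets=4 bytes=168 src=192.168.140.213 dst=192.168.140.225 sport=4045 dport=1114 packets=4 bytes=279 [ASSURED] mark=0 use=1
tcp      6 431987 ESTABLISHED src=172.16.55.55 dst=192.168.140.213 sport=1113 dport=21 packets=15 bytes=696 src=192.168.140.213 dst=192.168.140.225 sport=21 dport=1113 packets=16 bytes=1171 [ASSURED] mark=0 use=3
tcp      6 431982 ESTABLISHED src=172.16.55.77 dst=192.168.140.213 sport=1192 dport=21 packets=9 bytes=419 src=192.168.140.213 dst=192.168.140.225 sport=21 dport=1192 packets=9 bytes=686 [ASSURED] mark=0 use=1
udp      17 29 src=172.16.55.55 dst=192.168.140.1 sport=40000 dport=53 packets=1 bytes=60 [UNREPLIED] src=192.168.140.1 dst=172.16.55.55 sport=53 dport=40000 packets=0 bytes=0 mark=0 use=1
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_conntrack(text: str) -> list:
    """One dict per entry: proto, timeout, state (tcp only), original tuple,
    reply tuple and the ASSURED flag. The reply tuple starts at the second src=."""
    entries = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] not in ("tcp", "udp"):
            continue
        state = f[3] if "=" not in f[3] else None
        tuples, cur = [], {}
        for key, val in KV.findall(line):
            if key == "src" and cur:
                tuples.append(cur)
                cur = {}
            cur[key] = val
        tuples.append(cur)
        entries.append({"proto": f[0], "timeout": int(f[2]), "state": state,
                        "orig": tuples[0], "reply": tuples[1],
                        "assured": "[ASSURED]" in line})
    return entries


def ftp_data_connections(entries: list) -> dict:
    """{(client, control sport): [data dports]} for every FTP control
    connection; data connections are the other TCP entries between the same
    client and server."""
    result = {}
    for e in entries:
        if e["proto"] == "tcp" and e["orig"]["dport"] == "21":
            client, server = e["orig"]["src"], e["orig"]["dst"]
            data = [int(d["orig"]["dport"]) for d in entries
                    if d is not e and d["proto"] == "tcp"
                    and d["orig"]["src"] == client and d["orig"]["dst"] == server
                    and d["orig"]["dport"] != "21"]
            result[(client, int(e["orig"]["sport"]))] = data
    return result


def sessions_without_data_channel(entries: list) -> list:
    """Control connections that never got a data connection: the symptom of
    an inactive FTP helper (or a client that has not started a transfer yet)."""
    return [key for key, data in ftp_data_connections(entries).items() if not data]


if __name__ == "__main__":
    table = parse_conntrack(CONNTRACK)
    for key, data in ftp_data_connections(table).items():
        print(f"control {key} -> data ports {data or 'none'}")
    print("suspect sessions:", sessions_without_data_channel(table))
```

The reply tuples also show the masquerading at work: replies are addressed to 192.168.140.225, the ASG's address on the server side, not to the internal client.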

Page 135: ACE Engineer


Networking


Page 136: ACE Engineer

CLI / Network problems (1)

Scenario 1: Slow connections between different networks. (1)

The ASG is connected with multiple switches on different interfaces. Users report slow connections from one network to another. In this case the connections between the internal network (eth0) and the DMZ (eth2) are very slow. The administrator wants to verify the corresponding interfaces.

Verify with: ifconfig eth0, ifconfig eth2

eth0      Link encap:Ethernet  HWaddr 00:0C:29:15:E2:DA
          inet addr:172.16.55.225  Bcast:172.16.55.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3095 errors:120 dropped:30 overruns:0 frame:0
          TX packets:13426 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:233056 (227.5 Kb)  TX bytes:19608084 (18.6 Mb)
          Interrupt:177 Base address:0x1424

RX = number of received packets, errors = errors when receiving, dropped = dropped packets when receiving, overruns =, frame = received frames

TX = number of transmitted packets, errors = errors when sending, dropped = dropped packets when sending, overruns = packets that are bigger than the allowed MTU size, carrier = errors on the connection (mostly a broken network cable)

Note: If there is a problem with the connection and the speed and duplex settings are not correct, errors are mostly shown here. Always check both sides of the connection, like the switches on the other side of the cable.
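Reading those counters across all interfaces at once, as an added example that is not part of the Astaro courseware: parse the ifconfig output blocks, compute the error-plus-drop rate per direction and flag interfaces with a rate above a threshold, carrier errors or collisions, the symptoms the note above associates with speed/duplex problems and bad cables. The eth0 block repeats the slide's counters; the eth2 block and the threshold are constructed; function names are my own.

```python
import re

# Constructed ifconfig output (the eth0 counters follow the slide above; eth2
# is a clean interface added for contrast).
IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr 00:0C:29:15:E2:DA
          inet addr:172.16.55.225  Bcast:172.16.55.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3095 errors:120 dropped:30 overruns:0 frame:0
          TX packets:13426 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:233056 (227.5 Kb)  TX bytes:19608084 (18.6 Mb)

eth2      Link encap:Ethernet  HWaddr 00:0C:29:15:E2:E4
          inet addr:172.16.67.1  Bcast:172.16.67.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:8800 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7200 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
"""

COUNTERS = re.compile(
    r"(RX|TX) packets:(\d+) errors:(\d+) dropped:(\d+) overruns:(\d+) (frame|carrier):(\d+)")
COLLISIONS = re.compile(r"collisions:(\d+)")


def parse_ifconfig(text: str) -> dict:
    """{interface: {'rx': {...}, 'tx': {...}, 'collisions': n}} from ifconfig output."""
    ifaces = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        name = block.split()[0]
        stats = {}
        for m in COUNTERS.finditer(block):
            stats[m.group(1).lower()] = {
                "packets": int(m.group(2)), "errors": int(m.group(3)),
                "dropped": int(m.group(4)), "overruns": int(m.group(5)),
                m.group(6): int(m.group(7)),          # frame (RX) or carrier (TX)
            }
        c = COLLISIONS.search(block)
        stats["collisions"] = int(c.group(1)) if c else 0
        ifaces[name] = stats
    return ifaces


def error_rate(stats: dict, direction: str) -> float:
    """(errors + dropped) / packets for 'rx' or 'tx'; 0.0 when nothing was seen."""
    d = stats[direction]
    return (d["errors"] + d["dropped"]) / d["packets"] if d["packets"] else 0.0


def suspicious_interfaces(ifaces: dict, threshold: float = 0.001) -> list:
    """[(name, [reasons])] for interfaces that deserve a look at speed/duplex
    settings or cabling. The threshold is a constructed default, not an ASG value."""
    flagged = []
    for name, s in ifaces.items():
        reasons = []
        for direction in ("rx", "tx"):
            if direction in s and error_rate(s, direction) > threshold:
                reasons.append(f"{direction} error+drop rate {error_rate(s, direction):.1%}")
        if s.get("tx", {}).get("carrier"):
            reasons.append("carrier errors")
        if s.get("collisions"):
            reasons.append("collisions")
        if reasons:
            flagged.append((name, reasons))
    return flagged


if __name__ == "__main__":
    for name, reasons in suspicious_interfaces(parse_ifconfig(IFCONFIG)):
        print(f"{name}: {', '.join(reasons)}")
```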

Page 137: ACE Engineer

CLI / Network problems (2)

Scenario 2: Slow connections between different networks. (2)

There are errors on the interface. The administrator wants to check the speed and duplex settings for the interfaces. Auto-negotiation is configured on both sides.

Verify with: mii-diag eth2

fw:/root # mii-diag eth2
Basic registers of MII PHY #1: 3000 782d 02a8 0154 05e1 c1e1 0009 0000.
The autonegotiated capability is 01e0.
The autonegotiated media type is 100baseTx-FD.
Basic mode control register 0x3000: Auto-negotiation enabled.
You have link beat, and everything is working OK.
Your link partner advertised c1e1: 100baseTx-FD 100baseTx 10baseT-FD 10baseT.
End of basic transceiver information.

There are sometimes network cards (like in VMware) that are not mii-compatible. For these network cards the ethtool command is useful to see nearly the same information.

In this scenario the verification has shown us that the settings on the ASG and the settings on the switch are not the same (100baseT/Full vs. 10baseT/Half).

Solution: The configuration for the interfaces can be changed in the WebAdmin menu Network -> Interfaces -> Hardware. It is possible to configure a fixed speed and duplex mode.

Page 138: ACE Engineer

CLI/ Network tools

Tools to test the connectivity

Check if a host is accessible: ping <IP> at the command line or Support -> Tools -> Ping Check in the WebAdmin

PING 172.16.55.56 (172.16.55.56) 56(84) bytes of data.
64 bytes from 172.16.55.56: icmp_seq=1 ttl=128 time=2.45 ms
64 bytes from 172.16.55.56: icmp_seq=2 ttl=128 time=0.320 ms
64 bytes from 172.16.55.56: icmp_seq=3 ttl=128 time=1.12 ms

Check a path to a server on the internet: traceroute <IP/Name> at the command line or Support -> Tools -> Traceroute in the WebAdmin

traceroute to www.astaro.de (85.115.22.4), 30 hops max, 40 byte packets
 1  port-87-234-47-9.static.qsc.de (87.234.47.9)  2.865 ms  5.489 ms  3.428 ms
 …
 5  DE-CIX2.de.lambdanet.net (80.81.192.74)  22.012 ms  20.533 ms  22.377 ms
 6  Telemaxx.FRA-1-eth0-145.de.lambdanet.net (217.71.110.42)  19.606 ms  20.851 ms  19.337 ms
 7  sw4ch.ka.telemaxx.net (213.144.4.134)  24.037 ms  25.553 ms  22.330 ms
 8  85.115.22.4 (85.115.22.4)  19.359 ms  19.362 ms  18.378 ms

Discover duplicate IP addresses within your network: arping <IP>

ARPING 172.16.55.56 from 172.16.55.225 eth0
Unicast reply from 172.16.55.56 [00:0C:29:68:40:72]  4.687ms
Unicast reply from 172.16.55.56 [00:0C:29:68:40:72]  0.845ms
Unicast reply from 172.16.55.56 [00:0C:29:68:40:72]  1.794ms

Note: When the same IP address is configured on different hosts this output shows different MAC addresses.
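The duplicate-address check from the note above, done over the arping output rather than by eye, as an added example that is not part of the Astaro courseware: collect the MAC addresses answering for each IP, count the replies per MAC and report every IP that answered from more than one MAC. The first output block is constructed to contain a second MAC (the slide's output shows a single one); function names are my own.

```python
import re

# Constructed arping output with a second MAC answering for the same IP
# (the slide's output shows only one MAC; the second is made up for the example).
ARPING_DUPLICATE = """\
ARPING 172.16.55.56 from 172.16.55.225 eth0
Unicast reply from 172.16.55.56 [00:0C:29:68:40:72]  4.687ms
Unicast reply from 172.16.55.56 [00:50:56:A1:12:34]  0.912ms
Unicast reply from 172.16.55.56 [00:0C:29:68:40:72]  0.845ms
Sent 3 probes (1 broadcast(s))
Received 3 response(s)
"""
ARPING_CLEAN = """\
ARPING 172.16.55.56 from 172.16.55.225 eth0
Unicast reply from 172.16.55.56 [00:0C:29:68:40:72]  4.687ms
Unicast reply from 172.16.55.56 [00:0C:29:68:40:72]  0.845ms
Unicast reply from 172.16.55.56 [00:0C:29:68:40:72]  1.794ms
"""

REPLY = re.compile(r"reply from (\S+) \[([0-9A-Fa-f:]{17})\]\s+([\d.]+)ms")


def parse_arping(text: str) -> dict:
    """{ip: {mac: [rtt_ms, ...]}} built from every reply line in the output."""
    replies = {}
    for m in REPLY.finditer(text):
        ip, mac, rtt = m.group(1), m.group(2).upper(), float(m.group(3))
        replies.setdefault(ip, {}).setdefault(mac, []).append(rtt)
    return replies


def duplicate_ips(replies: dict) -> dict:
    """{ip: sorted MACs} for every IP that answered from more than one MAC."""
    return {ip: sorted(macs) for ip, macs in replies.items() if len(macs) > 1}


def reply_summary(replies: dict) -> dict:
    """{ip: [(mac, reply count, average rtt ms)]}: which host answers most and
    fastest is a hint as to which of the two is the 'real' owner."""
    return {ip: [(mac, len(rtts), round(sum(rtts) / len(rtts), 3))
                 for mac, rtts in sorted(macs.items())]
            for ip, macs in replies.items()}


if __name__ == "__main__":
    for ip, macs in duplicate_ips(parse_arping(ARPING_DUPLICATE)).items():
        print(f"duplicate address {ip}: answered by {', '.join(macs)}")
    print(reply_summary(parse_arping(ARPING_DUPLICATE)))
```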

Page 139: ACE Engineer

CLI / Network tools/ Tcpdump

Tcpdump is a packet sniffer utility that allows an administrator to intercept and display traffic traversing a network interface. With tcpdump network traffic can be analyzed for problems and either displayed on the screen in real time or saved into a file which can then be viewed by programs such as ‘Wireshark’.

Parameters can be specified to filter on specific interfaces, ports, and IP networks or addresses.

Basic examples are:

tcpdump -i eth0 port 25 (the ‘-i’ specifies which interface to use)

tcpdump -i eth0 port 25 -w test.pcap (the ‘-w’ specifies a file name)

tcpdump -i eth0 host 10.10.12.12 and port 25

Page 140: ACE Engineer

CLI / Network tools/ Iftop

Iftop can be used to display bandwidth usage on an interface by host.

Common parameters which can be used are:

-i = specify the interface to use.

-n = will not resolve IPs to DNS names

-P = will show ports as well as IPs

Page 141: ACE Engineer


IM/P2P Security


Page 142: ACE Engineer

CLI IM/P2P Security/ Logging (1)

With version 7.200 the Astaro Security Gateway and the Astaro Web Gateway introduced the service Astaro Flow Classifier for IM/P2P control. This service is logging to the file /var/log/afc.log. The log-file can be browsed with the WebAdmin or via command line.

For troubleshooting the AFC, it is necessary to understand the log format correctly. An example line from an AFC log file is shown here (Bittorrent):

2008:11:19-15:33:27 (none) ulogd[2517]: id="2017" severity="info" sys="SecureNet" sub="packetfilter" name="AFC Alert" action="log" fwrule="60202" outitf="eth2" srcip="79.213.68.225" dstip="192.168.99.101" proto="6" length="57" tos="0x00" prec="0x00" ttl="115" srcport="57389" dstport="18710" tcpflags="ACKPSH"

Log entry – Meaning

id="2017" – The ID shows the kind of log entry; 2017 is logging only, 2018 is for file transfer block and 2019 blocks completely

name="AFC Alert" action="log" – name and action, corresponding to the ID

fwrule="60202" – shows the kind of protocol; 60202 stands for “P2P/Bittorrent”

srcip="79.213.68.225" dstip="192.168.99.101" – source and destination IP address of the packet

srcport="57389" dstport="18710" – source and destination port of the packet

Important for troubleshooting are always the ID, the action and the fwrule.

The particular values for ID, action and fwrule are explained in detail in the Astaro knowledge base article 290351.

Page 143: ACE Engineer

CLI IM/P2P Security/ Logging (2)

Here is another example for Skype blocking, noticeable with the fwrule (Skype) and the ID (block completely):

2008:11:19-15:36:41 (none) ulogd[2517]: id="2019" severity="info" sys="SecureNet" sub="packetfilter" name="AFC Block" action="drop" fwrule="60103" outitf="eth0" srcip="192.168.99.3" dstip="62.214.209.43" proto="6" length="124" tos="0x00" prec="0x00" ttl="127" srcport="1238" dstport="21510" tcpflags="ACKPSH"

Scenario 1: High logging impact when activating IM/P2P control with all protocols

When activating logging for Instant Messaging and Peer-to-Peer protocols and a high volume of data is processed by the Astaro Security Gateway, there is a lot of logging traffic and this could possibly fill up the log partition.

Solution: Using IM/P2P -> Settings -> Advanced it is possible to configure a logging limit.

There are four options to choose from:

Off – deactivates logging completely; there is no reporting for IM/P2P any more.

Limit all 5/sec – there will be only 5 log entries per second for all hosts altogether.

Limit host 1/sec – there is a limit of one log entry per second per host. (default)

Log all – the complete traffic will be logged (Attention!)

Page 144: ACE Engineer


High Availability & Clustering


Page 145: ACE Engineer

CLI High Availability & Clustering / HA-Status

Scenario 1: The administrator wants to check the HA status. The current status of an HA cluster can be seen in the WebAdmin. A more detailed view can be shown using the CLI.

Verify with: ha_utils on the command line

-- Status ---------------------------------------------------------------------
Current mode: HA MASTER with id 1 in state ACTIVE
-- Nodes ----------------------------------------------------------------------
MASTER: 1 Node1 198.19.250.1 7.302 ACTIVE since Mon Nov 3 09:17:46 2008
SLAVE: 2 Node2 198.19.250.2 7.302 ACTIVE since Mon Nov 3 09:18:44 2008
-- Load -----------------------------------------------------------------------
Node 1: [1m] 0.50 [5m] 0.41 [15m] 0.39
Node 2: [1m] 0.08 [5m] 0.10 [15m] 0.09
-- Kernel ---------------------------------------------------------------------
Current mode: enabled master
interface: eth3
Local ID: 198.19.250.1
debug: off
verbose: off
tso: off
ppp sync: off
-- Ctsyncd --------------------------------------------------------------------
MASTER
-- IPSec ----------------------------------------------------------------------
000 #1460: "S_REF_RxrkmFZPsh_0" [email protected] 2.98.74 [email protected]; tunnel[…]
-- PostgreSQL -----------------------------------------------------------------
reporting: […]
pop3: […]

This output shows an HA configuration with 2 nodes in active-passive mode. Under IPSec the messages for active tunnels are displayed.

Page 146: ACE Engineer

CLI High Availability & Clustering / Connection to slave system

Scenario 2: The administrator wants to view the log files from the HA slave.

Two ASGs are connected within an HA configuration and the former master has done a reboot. Because of the failover the log files from the old master are now on the “new” slave and are not accessible through the WebAdmin.

An administrator wants to access the log files from the old master (now slave) and save these files for troubleshooting.

Access to the slave via: ha_utils ssh (only as root from the master ASG)

An SSH connection to the slave will be established; the administrator doesn’t need to know the IP address of the slave. This connection is only possible when the SSH daemon is configured on the default port 22.

The log files can be found in /var/log/ and can be displayed by the standard Linux tools like tail, less and grep. The log files can be copied to the master via SCP.

Example for copying the high-availability.log from the slave to the master:

<S> asg:/var/log # scp high-availability.log [email protected]:/home/login/high-availability.log.node2

Page 147: ACE Engineer

CLI High Availability & Clustering / Connection problems

Scenario 3: The front panel of the ASG shows »MTU ERROR« and the appliance is shut down completely.

Solution: The HA cluster interface uses an MTU of 2000 bytes when connecting via a gigabit interface.

The connected switch should support Jumbo Frames, and this feature should be activated on the switch. When the switch doesn’t support Jumbo Frames, the interface should be configured to a fixed 100 Mbit/s full-duplex (= MTU 1500) to avoid problems with the HA cluster interface.

Scenario 4: The link status of one or more interfaces shows »down« frequently, whereby a failover is initiated over and over again.

Where can more detailed information about lost links on all interfaces be found?

Solution: Check the kernel log using the WebAdmin or on the command line in the file /var/log/kernel.log

There is detailed information about the interface status provided in this file.

For more information about the interfaces have a look at the networking chapter.

Page 148: ACE Engineer


User Authentication


Page 149: ACE Engineer

CLI User Authentication/ Overview (1)

This diagram demonstrates the different work flows for the three authentication methods Active Directory, eDirectory and LDAP. Within Active Directory and eDirectory there is a differentiation between basic authentication and Single Sign On.

It is discernible which attributes are synced between the different directory services and the local user database of the Astaro Security Gateway.

Page 150: ACE Engineer

CLI User Authentication/ Overview (2)

The authentication messages are logged into the file /var/log/aua.log and can be reviewed via command line or the WebAdmin.

2008:11:19-16:26:17 (none) aua[5534]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="172.16.65.2" user="berlin" caller="portal" engine="adirectory"

Log entry : Meaning

sub="auth" name="Authentication successful" : Authentication successful

srcip="172.16.65.2" : Client IP

user="berlin" : Authenticated user

caller="portal" : Calling system process: WebAdmin, User Portal or HTTP Proxy

engine="adirectory" : Authentication method
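The key="value" format of the line above can be parsed mechanically, which is useful when a log contains many lines rather than the single one on this slide. The following Python script is an added example for this courseware, not a tool shipped with the ASG: it splits an aua.log line into its prefix (timestamp, host, process, PID) and its fields, and counts successful and failed logins per engine and per client IP. The sample log is constructed; only its first line is the one from the slide, and the message text name="Authentication failed", the caller value "webadmin" and the engine value "edirectory" are assumptions, not values taken from the page.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the aua.log format. First line: the one from the slide.
# The other lines, the name="Authentication failed" text, caller="webadmin" and
# engine="edirectory" are assumptions made for this example.
SAMPLE_AUA_LOG = """\
2008:11:19-16:26:17 (none) aua[5534]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="172.16.65.2" user="berlin" caller="portal" engine="adirectory"
2008:11:19-16:27:02 (none) aua[5534]: severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="172.16.65.9" user="berlin" caller="webadmin" engine="adirectory"
2008:11:19-16:27:09 (none) aua[5534]: severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="172.16.65.9" user="admin" caller="webadmin" engine="adirectory"
2008:11:19-16:27:15 (none) aua[5534]: severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="172.16.65.9" user="root" caller="webadmin" engine="adirectory"
2008:11:19-16:30:41 (none) aua[5534]: severity="info" sys="System" sub="auth" name="Authentication successful" srcip="172.16.65.3" user="user1" caller="portal" engine="edirectory"
"""

# Line prefix: timestamp, hostname, process name and PID, then key="value" pairs.
PREFIX_RE = re.compile(r'^(\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) (\S+) (\w+)\[(\d+)\]: (.*)$')
FIELD_RE = re.compile(r'([\w-]+)="([^"]*)"')


def parse_line(line):
    """Split one ASG log line into its prefix and its key="value" fields.
    Returns None for lines that do not match the format."""
    m = PREFIX_RE.match(line.strip())
    if not m:
        return None
    ts, host, proc, pid, rest = m.groups()
    entry = {
        "time": datetime.strptime(ts, "%Y:%m:%d-%H:%M:%S"),
        "host": host,
        "process": proc,
        "pid": int(pid),
    }
    entry.update(FIELD_RE.findall(rest))
    return entry


def auth_summary(log_text):
    """Count successful and failed authentications per engine and per source IP."""
    by_engine = defaultdict(lambda: {"ok": 0, "failed": 0})
    failed_by_srcip = Counter()
    for line in log_text.splitlines():
        e = parse_line(line)
        if not e or e.get("sub") != "auth":
            continue
        name = e.get("name", "")
        engine = e.get("engine", "unknown")
        if name == "Authentication successful":
            by_engine[engine]["ok"] += 1
        elif name == "Authentication failed":
            by_engine[engine]["failed"] += 1
            failed_by_srcip[e.get("srcip", "?")] += 1
    return {"by_engine": dict(by_engine), "failed_by_srcip": failed_by_srcip}


def noisy_sources(summary, threshold=3):
    """Source IPs with at least `threshold` failed logins: worth a closer look."""
    return sorted(ip for ip, n in summary["failed_by_srcip"].items() if n >= threshold)


if __name__ == "__main__":
    s = auth_summary(SAMPLE_AUA_LOG)
    for engine, counts in s["by_engine"].items():
        print(f"{engine}: {counts['ok']} ok, {counts['failed']} failed")
    print("sources with repeated failures:", noisy_sources(s))
```

On a real appliance the script would read /var/log/aua.log instead of the embedded sample; because the prefix and field parsing is generic, the same parse_line works for other ASG daemons that log in this format.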

If this information is not enough for troubleshooting authentication problems, it is possible to activate the debug mode for the aua daemon. This is done on the command line with: killall -USR2 aua.bin

There is a lot of information provided in the aua.log file in debug mode. To disable the debug mode for the aua daemon, just use the command killall -USR2 aua.bin again.

Attention: Passwords can be seen in clear text in the debug log.

Note: When having problems with authentication in conjunction with the HTTP proxy, it is also possible to start the HTTP proxy in debug mode (see the Web Security chapter).


Page 151: ACE Engineer

CLI User Authentication / Active Directory (1)

Scenario 1: The administrator wants to check if the AD connection is working properly.

Verify with: Click the button "Test Server".

Possible Answer 1: Connection to ldap://192.168.140.215:389 failed

Solution 1: The IP address of the AD server is not correct or the LDAP service is not accessible. (Maybe a firewall between the AD server and the ASG is blocking the connection: is a packet filter rule missing on this firewall?)

Possible Answer 2: Server exists and accepts connections, but bind to ldap://192.168.140.213:389 failed with this Bind DN and Password

Solution 2: The LDAP service can be accessed, but the Bind User DN or the password is not correct.

Scenario 2: Joining the domain with Active Directory Single Sign-On (SSO) fails.

Joining the domain failed.

Solution: The following prerequisites have to be fulfilled to join a domain:

The ASG needs a FQDN (e.g. firewall.mydomain.local) which can be resolved in the local AD domain.

The time difference between the DC and the ASG must not be more than 5 minutes.

The following DNS entries have to be resolvable by the ASG:

$ host -t SRV _kerberos._udp.MYDOMAIN.LOCAL
$ host -t SRV _ldap._tcp.dc._msdcs.MYDOMAIN.LOCAL

If this is not the case, a DNS request route can be configured under Networking » DNS » Request Routing. Example: Domain: MYDOMAIN.LOCAL -> Target Servers: Active Directory Server


Page 152: ACE Engineer

CLI User Authentication / Active Directory (2)

Active Directory SSO

There is a tool wbinfo on the command line to see detailed information about the Active Directory SSO connection. Active Directory users and groups can be displayed.

Examples:

Command : Meaning

wbinfo -u : Shows all AD users

wbinfo -g : Shows all AD groups

wbinfo -r <user> : Shows all groups for a specific user (Note: it shows only group IDs, not the names!)

wbinfo -D <domain> : Shows information about a specific AD domain

Detailed information for the tool can be seen with the command wbinfo --help.


Page 153: ACE Engineer

CLI User Authentication / eDirectory

There is a test tool in the WebAdmin for Novell eDirectory to test single users (as for Microsoft Active Directory).

Detailed information for Novell eDirectory can be seen in the aua.log file when the debug mode is activated for the responsible processes. This can be done on the CLI with the command killall -USR2 aua.bin aua_edirsync.plx.

Scenario 3: The administrator wants to check if an eDirectory user is in the cache of the ASG.

Verify with: Bring both processes into debug mode (see above) and check the aua.log.

2008:10:27-12:25:30 (none) aua_edir_sync[23466]: Writing cache entry for dn cn=testuser,ou=FW,ou=Support,o=Karlsruhe
2008:10:27-12:25:28 (none) aua[1293]: id="3007" severity="debug" sys="System" sub="auth" name="SSO: adding IP address 172.26.3.17 to cache"

Scenario 4: The administrator wants to check which eDirectory groups are imported for one user.

Verify with: Both processes are in debug mode, check the aua.log.

2008:10:27-12:25:30 (none) aua_edir_sync[23466]: 'attrs' => {
2008:10:27-12:25:30 (none) aua_edir_sync[23466]: 'modifytimestamp' => [
2008:10:27-12:25:30 (none) aua_edir_sync[23466]: '20081027112505Z'],
2008:10:27-12:25:30 (none) aua_edir_sync[23466]: 'cn' => [
2008:10:27-12:25:30 (none) aua_edir_sync[23466]: 'testuser',
[…] ],
2008:10:27-12:25:30 (none) aua_edir_sync[23466]: 'groupmembership' => [
2008:10:27-12:25:30 (none) aua_edir_sync[23466]: 'ou=FW,ou=Support,o=Karlsruhe'
2008:10:27-12:25:30 (none) aua_edir_sync[23466]: ],

Page 154: ACE Engineer

Web Security

Page 155: ACE Engineer

CLI Web Security/ Categorization

Since Version 7.302 the Astaro Security Gateway includes the content filter product SmartFilter XL from Secure Computing.

Scenario 1: The administrator wants to check in which category a particular web site is included.

Verify with: Start the browser, open the web page http://www.astaro.com/support/support_resources and click the link "Astaro Web Filtering Site Test".

It is possible to send an optional suggestion for a different category.

All filter categories are described in detail in the Astaro Knowledgebase article 297586.


Page 156: ACE Engineer

CLI Web Security/ Details of Content Filter Log

On this slide the important fields of the HTTP proxy log file are described for detailed troubleshooting.

2008:11:18-18:42:46 (none) httpproxy[1729]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="172.16.65.2" user="user1" statuscode="200" cached="0" profile="profile_0" filteraction="action_REF_DefaultHTTPCFFAction" size="6835" time="782 ms" request="0xb385b88" url="http://www.google.de/" error="" category="145" categoryname="Search Engines" content-type="text/html"

Log entry : Meaning

sub="http" name="http access" action="pass" : Access allowed

srcip="172.16.65.2" : Client IP

user="user1" : User logged in at the HTTP proxy

statuscode="200" : HTTP status code »OK«

cached="0" : The web page was not loaded from the cache

profile="profile_0" : First profile in Web Security » HTTP Profiles

filteraction="action_REF_DefaultHTTPCFFAction" : Used filter action; the reference can be resolved in the WebAdmin using Support » Advanced » Resolve REF_

size="6835" time="782 ms" : Size and download time for this request

url="http://www.google.de/" : Requested URL

category="145" : Secure Computing SmartFilter XL category ID

categoryname="Search Engines" : Category name

content-type="text/html" : MIME type
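The fields listed above become useful in bulk when they are aggregated over a whole log file. The following Python script is an added example for this courseware, not an Astaro tool: it parses httpproxy log lines, extracts the REF_ token from filteraction (the value that Support » Advanced » Resolve REF_ expects) and aggregates bytes per user, blocked requests per user, requests per category and the cache hit ratio. The sample log is constructed; only its first line is the one from the slide, and action="block" as the value logged for a filtered request is an assumption (the slide shows only "pass").

```python
import re
from collections import Counter

# Constructed sample in the httpproxy log format. First line: the one from the
# slide. The other lines, and action="block" for a filtered request, are
# assumptions made for this example.
SAMPLE_HTTP_LOG = """\
2008:11:18-18:42:46 (none) httpproxy[1729]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="172.16.65.2" user="user1" statuscode="200" cached="0" profile="profile_0" filteraction="action_REF_DefaultHTTPCFFAction" size="6835" time="782 ms" request="0xb385b88" url="http://www.google.de/" error="" category="145" categoryname="Search Engines" content-type="text/html"
2008:11:18-18:42:47 (none) httpproxy[1729]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="172.16.65.2" user="user1" statuscode="200" cached="1" profile="profile_0" filteraction="action_REF_DefaultHTTPCFFAction" size="1120" time="12 ms" request="0xb385c90" url="http://www.google.de/images/logo.gif" error="" category="145" categoryname="Search Engines" content-type="image/gif"
2008:11:18-18:43:10 (none) httpproxy[1729]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="block" method="GET" srcip="172.16.65.7" user="user2" statuscode="403" cached="0" profile="profile_0" filteraction="action_REF_DefaultHTTPCFFAction" size="0" time="3 ms" request="0xb385d10" url="http://example.test/" error="" category="999" categoryname="Blocked Category (constructed)" content-type=""
"""

FIELD_RE = re.compile(r'([\w-]+)="([^"]*)"')


def parse_http_line(line):
    """Return the key="value" fields of one httpproxy log line as a dict.
    size becomes an int, time an int number of milliseconds, cached a bool."""
    fields = dict(FIELD_RE.findall(line))
    if fields.get("sub") != "http":
        return None
    fields["size"] = int(fields.get("size") or 0)
    fields["time_ms"] = int(fields.get("time", "0 ms").split()[0])
    fields["cached"] = fields.get("cached") == "1"
    return fields


def ref_of(filteraction):
    """Extract the REF_ token for Support » Advanced » Resolve REF_,
    e.g. 'action_REF_DefaultHTTPCFFAction' -> 'REF_DefaultHTTPCFFAction'."""
    m = re.search(r"(REF_\w+)", filteraction)
    return m.group(1) if m else None


def http_summary(log_text):
    """Aggregate a log: bytes per user, blocked requests per user, requests per
    category name, cache hit ratio and the set of REF_ tokens seen."""
    bytes_by_user = Counter()
    blocked_by_user = Counter()
    by_category = Counter()
    refs = set()
    total = hits = 0
    for line in log_text.splitlines():
        f = parse_http_line(line)
        if not f:
            continue
        total += 1
        hits += f["cached"]
        user = f.get("user") or "-"
        bytes_by_user[user] += f["size"]
        if f.get("action") != "pass":
            blocked_by_user[user] += 1
        by_category[f.get("categoryname", "?")] += 1
        refs.add(ref_of(f.get("filteraction", "")))
    return {
        "bytes_by_user": bytes_by_user,
        "blocked_by_user": blocked_by_user,
        "by_category": by_category,
        "cache_hit_ratio": hits / total if total else 0.0,
        "refs": refs - {None},
    }


if __name__ == "__main__":
    s = http_summary(SAMPLE_HTTP_LOG)
    print("bytes per user:", dict(s["bytes_by_user"]))
    print("blocked per user:", dict(s["blocked_by_user"]))
    print("cache hit ratio: %.2f" % s["cache_hit_ratio"])
    print("filter action references:", sorted(s["refs"]))
```

Unlike a grep over the raw file, the aggregation makes a low cache hit ratio or one user collecting many blocked requests visible at a glance, and the collected REF_ tokens can be resolved in the WebAdmin one by one.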


Page 157: ACE Engineer

CLI Web Security/ HTTP Proxy in Debug Mode

Common problems with the HTTP proxy can be solved with an in-depth log analysis, or they occur in conjunction with authentication problems (see the User Authentication chapter). More detailed information is provided when the debug mode for the HTTP proxy is activated.

Solution: Change the debug level for the HTTP proxy. The debug level can only be configured by editing the file /var/chroot-http/etc/httpproxy.ini: section [global], key debug=…

Debug level : Explanation

none : Debugging is deactivated

dns : DNS resolution debugging

profile : Detailed profile parsing and matching

auth : Authentication debugging (NTLM, Basic, E-Dir, etc.)

conn : Connection debugging

hdr : HTTP header debugging

scan : Content scanning debugging

ssl : SSL communication debugging

cache : Hard disk cache debugging

Attention: All debug levels are only active until the next change or restart of the HTTP proxy.
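Because the debug level lives in a hand-edited INI file inside the chroot, a typo in the level name or a stray second debug= key is easy to produce. The following Python helper is an added example for this courseware, not an Astaro tool: it validates the level against the table above and rewrites only the debug= key of the [global] section, leaving every other section and key untouched. The sample file content is constructed; only the [global] section and the debug key come from the slide, the other keys are placeholders.

```python
import re

# Debug levels listed on the slide for [global] debug= in httpproxy.ini.
DEBUG_LEVELS = {"none", "dns", "profile", "auth", "conn", "hdr", "scan", "ssl", "cache"}

# Constructed sample file: only [global] and the debug key are from the slide,
# other_setting and the [cache] section are placeholders for this example.
SAMPLE_INI = """\
[global]
debug=none
other_setting=1

[cache]
size=100
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")


def set_debug_level(ini_text, level):
    """Return ini_text with [global] debug= set to `level`, leaving all other
    sections and keys untouched. Raises ValueError for an unknown level."""
    if level not in DEBUG_LEVELS:
        raise ValueError(f"unknown debug level {level!r}; expected one of {sorted(DEBUG_LEVELS)}")
    out, section, done = [], None, False
    for line in ini_text.splitlines():
        stripped = line.strip()
        m = SECTION_RE.match(stripped)
        if m:
            # Leaving [global] without having seen a debug key: add it.
            if section == "global" and not done:
                out.append(f"debug={level}")
                done = True
            section = m.group(1)
        elif section == "global" and re.match(r"^debug\s*=", stripped):
            line = f"debug={level}"
            done = True
        out.append(line)
    if section == "global" and not done:
        out.append(f"debug={level}")
    return "\n".join(out) + "\n"


def current_debug_level(ini_text):
    """Read the [global] debug= value, or 'none' if the key is absent."""
    section = None
    for line in ini_text.splitlines():
        stripped = line.strip()
        m = SECTION_RE.match(stripped)
        if m:
            section = m.group(1)
        elif section == "global" and re.match(r"^debug\s*=", stripped):
            return stripped.split("=", 1)[1].strip()
    return "none"


if __name__ == "__main__":
    # On the appliance the text would be read from and written back to
    # /var/chroot-http/etc/httpproxy.ini; here the sample is used instead.
    updated = set_debug_level(SAMPLE_INI, "auth")
    print(updated)
    print("active level:", current_debug_level(updated))
```

Reading the current level back after the change, as the main block does, is a cheap way to confirm that the edit hit the [global] section and not a debug key in another section; remember that the proxy still has to be restarted for the change to take effect, and that a later restart resets it.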

Page 158: ACE Engineer

E-Mail Security

Page 159: ACE Engineer

CLI E-mail Security/ SMTP Log (1)

The MailManager provides an SMTP log where the administrator can easily see the results of the mail processing and can filter these messages by different filter criteria.

More information about the MailManager can be found in the corresponding chapter of the courseware.

A new window with more information about an e-mail and the Message ID for this e-mail will be opened with a double-click on an entry in the log view.

The Message ID can be used to find more information about this particular e-mail in the actual SMTP log. For an advanced search the last two parts of the ID are needed to find all lines about the e-mail in the log file; for example, 0002EF-2t is used to find every log line for this particular e-mail.

This advanced search can be done in the WebAdmin using Logging -> Search Log Files or on the command line in the file /var/log/smtp.log.


Page 160: ACE Engineer

CLI E-mail Security/ SMTP Log (2)

Scenario 1: An administrator wants to see all log entries for a particular e-mail.

Verify with: Click on the entry in the MailManager log view to get the Message ID, then type the command grep "0002EF-2t" /var/log/smtp.log on the command line.

2008:11:20-12:04:50 (none) exim[8571]: 2008-11-20 12:04:50 1L37L7-0002EF-2t <= [email protected] H=([192.168.140.158]) [192.168.140.158]:2198 P=esmtp S=682 [email protected]
2008:11:20-12:04:51 (none) smtpd[4015]: QMGR[4015]: 1L37L7-0002EF-2t moved to work queue
2008:11:20-12:05:01 (none) smtpd[8573]: SCANNER[8573]: id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="192.168.140.158" from="[email protected]" to="[email protected]" subject="Standardtestmail an den Trainer" queueid="0z2kWS-0002EF-2t" size="102"
2008:11:20-12:05:01 (none) exim[8592]: 2008-11-20 12:05:01 0z2kWS-0002EF-2t => [email protected] R=static_route_hostlist T=static_smtp H=192.168.140.213 [192.168.140.213]:25
2008:11:20-12:05:01 (none) exim[8592]: 2008-11-20 12:05:01 0z2kWS-0002EF-2t Completed
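The grep above works because the last two parts of the queue ID stay the same while the first part changes when the scanner re-queues the message (1L37L7-0002EF-2t becomes 0z2kWS-0002EF-2t). The following Python script is an added example for this courseware, not an Astaro tool: it selects the lines for one e-mail by that suffix, the way the grep does, and then reconstructs the timeline (received, queued, scanner verdict, delivered, completed) together with every queue ID the message was known under. The sample log is constructed after the five lines on the slide, with example.test addresses and one unrelated message added to show that the suffix filter ignores it.

```python
import re
from datetime import datetime

# Constructed sample modelled on the five lines above (addresses replaced by
# example.test ones), plus one unrelated message with the made-up queue id
# 1L38AB-0003GH-1a that the suffix filter must ignore.
SAMPLE_SMTP_LOG = """\
2008:11:20-12:04:50 (none) exim[8571]: 2008-11-20 12:04:50 1L37L7-0002EF-2t <= sender@example.test H=([192.168.140.158]) [192.168.140.158]:2198 P=esmtp S=682
2008:11:20-12:04:51 (none) smtpd[4015]: QMGR[4015]: 1L37L7-0002EF-2t moved to work queue
2008:11:20-12:04:55 (none) exim[8580]: 2008-11-20 12:04:55 1L38AB-0003GH-1a <= other@example.test H=([192.168.140.160]) [192.168.140.160]:2201 P=esmtp S=900
2008:11:20-12:05:01 (none) smtpd[8573]: SCANNER[8573]: id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="192.168.140.158" from="sender@example.test" to="trainer@example.test" subject="Standardtestmail an den Trainer" queueid="0z2kWS-0002EF-2t" size="102"
2008:11:20-12:05:01 (none) exim[8592]: 2008-11-20 12:05:01 0z2kWS-0002EF-2t => trainer@example.test R=static_route_hostlist T=static_smtp H=192.168.140.213 [192.168.140.213]:25
2008:11:20-12:05:01 (none) exim[8592]: 2008-11-20 12:05:01 0z2kWS-0002EF-2t Completed
"""

TS_RE = re.compile(r"^(\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) ")
# Exim queue ids have the form XXXXXX-YYYYYY-ZZ.
QUEUE_ID_RE = re.compile(r"\b([0-9A-Za-z]{6})-([0-9A-Za-z]{6})-([0-9A-Za-z]{2})\b")


def queue_id_suffix(queue_id):
    """'1L37L7-0002EF-2t' -> '0002EF-2t': the part that survives re-queuing."""
    return "-".join(queue_id.split("-")[-2:])


def lines_for_message(log_text, suffix):
    """All lines carrying a queue id that ends in `suffix` (like the grep above,
    but anchored to whole queue ids rather than any substring)."""
    return [
        line for line in log_text.splitlines()
        if any("-".join(m[1:]) == suffix for m in QUEUE_ID_RE.findall(line))
    ]


def message_timeline(log_text, suffix):
    """Reconstruct what happened to one e-mail: a list of (timestamp, event)
    and the set of queue ids it was known under."""
    events, ids = [], set()
    for line in lines_for_message(log_text, suffix):
        tm = TS_RE.match(line)
        if not tm:
            continue
        ts = datetime.strptime(tm.group(1), "%Y:%m:%d-%H:%M:%S")
        ids.update("-".join(m) for m in QUEUE_ID_RE.findall(line) if "-".join(m[1:]) == suffix)
        if " <= " in line:
            event = "received"
        elif "moved to work queue" in line:
            event = "queued"
        elif "SCANNER[" in line:
            m = re.search(r'name="([^"]*)"', line)
            event = "scanner: " + (m.group(1) if m else "?")
        elif " => " in line:
            event = "delivered"
        elif line.rstrip().endswith("Completed"):
            event = "completed"
        else:
            event = "other"
        events.append((ts, event))
    return events, ids


if __name__ == "__main__":
    events, ids = message_timeline(SAMPLE_SMTP_LOG, queue_id_suffix("1L37L7-0002EF-2t"))
    for ts, event in events:
        print(ts.strftime("%H:%M:%S"), event)
    print("queue ids seen:", sorted(ids))
```

The timeline makes the stage at which a message stalled obvious: a message that was received and queued but never shows a scanner verdict points at the scanner, one that was scanned but never delivered points at routing to the next hop.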

Scenario 2: The information provided by the SMTP log is not enough for troubleshooting.

Solution: The debug mode for the SMTP proxy can be activated as follows. Change the following line in the file /var/mdw/scripts/smtp:

chroot $CHROOT /bin/smtpd.bin $WORKER

into

chroot $CHROOT /bin/smtpd.bin $WORKER --debug

and restart the SMTP proxy with /var/mdw/scripts/smtp restart.

Note: The SMTP proxy in debug mode generates a lot of logging messages, which can flood the log partition! The debug mode should only be activated for a short period and deactivated after troubleshooting with the same procedure.


Page 161: ACE Engineer

CLI E-mail Security/ Greylisting

Scenario 3: An urgent e-mail was sent by an external partner and the administrator wants to check if the e-mail was delayed by Greylisting.

Solution: Inspect the log file on the command line. Attention: The message cannot be seen in the MailManager and has to be searched for manually.

2008:11:20-12:24:21 (none) exim[9364]: 2008-11-20 12:24:21 1L37e0-0002R2-2s Greylisting: Greylisted 192.168.140.158
2008:11:20-12:24:21 (none) exim[9364]: [1\19] 2008-11-20 12:24:21 1L37e0-0002R2-2s H=([192.168.140.158]) [192.168.140.158]:2397 F=<[email protected]> temporarily rejected after DATA: Temporary local problem, please try again!
2008:11:20-12:24:21 (none) exim[9364]: [2\19] Envelope-from: <[email protected]>
2008:11:20-12:24:21 (none) exim[9364]: [3\19] Envelope-to: <[email protected]>
2008:11:20-12:24:21 (none) exim[9364]: [4\19] P Received: from [192.168.140.158] (port=2397)
2008:11:20-12:24:21 (none) exim[9364]: [5\19] by asg225.asllab.net with esmtp (Exim 4.69)
2008:11:20-12:24:21 (none) exim[9364]: [6\19] (envelope-from <[email protected]>)
2008:11:20-12:24:21 (none) exim[9364]: [7\19] id 1L37e0-0002R2-2s
[…]
--------------------------------------------------------------------------------------------------------
2008:11:20-12:32:02 (none) exim[9630]: 2008-11-20 12:32:02 1L37lS-0002VK-1Y Greylisting: Successful greylist retry from 192.168.140.158 (original host was 192.168.140.158/32)
[…]
2008:11:20-12:32:13 (none) exim[9650]: 2008-11-20 12:32:13 0zJj0D-0002VK-1Y => [email protected] R=static_route_hostlist T=static_smtp H=192.168.140.213 [192.168.140.213]:25
2008:11:20-12:32:13 (none) exim[9650]: 2008-11-20 12:32:13 0zJj0D-0002VK-1Y Completed

In the example above Greylisting first rejects the message temporarily. The second part of this log extract shows the successful retry to deliver the message. Please note that a new Message ID is generated when the message is received for the second time, so the two attempts cannot be found with one grep for the ID.
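Since the retry gets a new Message ID, the two attempts have to be correlated by the sending host rather than by ID. The following Python script is an added example for this courseware, not an Astaro tool: it pairs each "Greylisting: Greylisted <ip>" line with the later "Successful greylist retry from <ip>" line for the same host, reports the delay in seconds and both queue IDs, and lists hosts that never retried (which is what the administrator in Scenario 3 wants to know). The sample log is constructed from the two greylisting lines above plus a made-up host 192.0.2.10 that never retries.

```python
import re
from datetime import datetime

# Constructed sample: the two greylisting lines from the slide plus a made-up
# host (192.0.2.10, queue id 1L37ef-0002R8-1b) that never retried.
SAMPLE_GREYLIST_LOG = """\
2008:11:20-12:24:21 (none) exim[9364]: 2008-11-20 12:24:21 1L37e0-0002R2-2s Greylisting: Greylisted 192.168.140.158
2008:11:20-12:25:03 (none) exim[9370]: 2008-11-20 12:25:03 1L37ef-0002R8-1b Greylisting: Greylisted 192.0.2.10
2008:11:20-12:32:02 (none) exim[9630]: 2008-11-20 12:32:02 1L37lS-0002VK-1Y Greylisting: Successful greylist retry from 192.168.140.158 (original host was 192.168.140.158/32)
2008:11:20-12:32:13 (none) exim[9650]: 2008-11-20 12:32:13 0zJj0D-0002VK-1Y Completed
"""

TS_RE = re.compile(r"^(\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) ")
GREYLISTED_RE = re.compile(r"(\S+) Greylisting: Greylisted (\d+\.\d+\.\d+\.\d+)")
RETRY_RE = re.compile(r"(\S+) Greylisting: Successful greylist retry from (\d+\.\d+\.\d+\.\d+)")


def greylist_report(log_text):
    """Correlate 'Greylisted' and 'Successful greylist retry' lines per sending
    host. Returns (completed, pending): completed entries carry both queue ids
    and the delay in seconds; pending is the list of hosts that never retried."""
    first = {}       # ip -> (timestamp, queue id of the rejected attempt)
    completed = []
    for line in log_text.splitlines():
        tm = TS_RE.match(line)
        if not tm:
            continue
        ts = datetime.strptime(tm.group(1), "%Y:%m:%d-%H:%M:%S")
        m = GREYLISTED_RE.search(line)
        if m:
            # Keep the earliest rejection per host; later ones are repeats.
            first.setdefault(m.group(2), (ts, m.group(1)))
            continue
        m = RETRY_RE.search(line)
        if m and m.group(2) in first:
            ip = m.group(2)
            t0, first_id = first.pop(ip)
            completed.append({
                "ip": ip,
                "first_id": first_id,
                "retry_id": m.group(1),
                "delay_s": int((ts - t0).total_seconds()),
            })
    return completed, sorted(first)


if __name__ == "__main__":
    completed, pending = greylist_report(SAMPLE_GREYLIST_LOG)
    for c in completed:
        print(f"{c['ip']}: retried after {c['delay_s']} s "
              f"({c['first_id']} -> {c['retry_id']})")
    print("greylisted, no retry yet:", pending)
```

A host that stays in the pending list after the usual retry interval is the case the administrator is looking for: the remote mail server either gave up or has not retried yet, and the partner has to be told to resend (or the host added to a greylisting exception).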

Page 162: ACE Engineer

Reporting

Page 163: ACE Engineer

CLI Reporting / Overview (1)

Since version 7.300 all Reporting data is stored in the new PostgreSQL database.

To generate all kinds of reports the ASG uses three different data sources:

RRD files to create the graphs

ACCU files with absolute values of the last 30 days

PostgreSQL for long-term data storage of up to 6 months

Furthermore there are 7 reporters for different scopes, which can be configured separately in the WebAdmin:

Websec reporter

Mailsec reporter

VPN reporter

IPS reporter

Pfilter reporter

Admin reporter

System reporter


Page 164: ACE Engineer

CLI Reporting / Overview (2)

The administrator can check if all database processes and all reporter processes are running properly using the command line.

Verify with: ps -ef |grep postgres on the command line

ps -ef |grep postgres
postgres  2939     1  0 Nov17 ?  00:00:09 /usr/bin/postgres -D /var/storage/pgsql/data
postgres  2948  2939  0 Nov17 ?  00:00:03 postgres: writer process
postgres  2949  2939  0 Nov17 ?  00:00:01 postgres: wal writer process
postgres  2950  2939  0 Nov17 ?  00:00:01 postgres: autovacuum launcher process
postgres  2951  2939  0 Nov17 ?  00:00:12 postgres: stats collector process
postgres 14097  2939  0 Nov18 ?  00:00:04 postgres: reporting reporting [local] idle
postgres 14333  2939  0 Nov18 ?  00:00:02 postgres: postgres smtp 127.0.0.1(36013) idle
postgres  7043  2939  0 00:15 ?  00:00:52 postgres: postgres smtp 127.0.0.1(58014) idle

PID 2939 is the postgres main process, and the processes 2948-2951 are the background processes that write data within the database. Furthermore, two processes for the SMTP database are visible, which are used to store e-mails in the quarantine.

Verify with: ps -ef |grep reporter on the command line

ps -ef |grep reporter
root 4805 2508 0 00:00 ? 00:00:01 /usr/bin/perl /usr/local/bin/reporter/websec-reporter.pl
root 4806 2508 0 00:00 ? 00:00:03 /usr/bin/perl /usr/local/bin/reporter/mailsec-reporter.pl
root 4807 2508 0 00:00 ? 00:00:00 /usr/bin/perl /usr/local/bin/reporter/vpn-reporter.pl
root 4808 2508 0 00:00 ? 00:00:01 /usr/bin/perl /usr/local/bin/reporter/ips-reporter.pl
root 4809 2508 0 00:00 ? 00:00:01 /usr/bin/perl /usr/local/bin/reporter/pfilter-reporter.pl
root 4810 2508 0 00:00 ? 00:00:01 /usr/bin/perl /usr/local/bin/reporter/admin-reporter.pl

These lines show the running reporter processes, which collect data from the logging (syslog-ng) and write this information to the three data stores RRD, ACCU and PostgreSQL.
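Reading two ps listings by eye is error-prone when one of seven reporters is missing. The following Python script is an added example for this courseware, not an Astaro tool: it parses ps -ef output, finds the PostgreSQL main process by its command line and checks that each reporter listed on the previous slide has a running <name>-reporter.pl process. The reporter script names follow the pattern visible above; for the system reporter that file name is an assumption, since the slide output shows only six scripts. The sample ps output is constructed, with websec-reporter.pl deliberately missing.

```python
import re

# The seven reporters listed on the previous slide. Script names follow the
# <name>-reporter.pl pattern seen in the ps output; system-reporter.pl is an
# assumption (the slide shows only six scripts).
EXPECTED_REPORTERS = ("websec", "mailsec", "vpn", "ips", "pfilter", "admin", "system")

# Constructed ps -ef output modelled on the slide, with websec-reporter.pl
# deliberately missing and the grep process itself included, as it would be.
SAMPLE_PS = """\
UID        PID  PPID  C STIME TTY          TIME CMD
postgres  2939     1  0 Nov17 ?        00:00:09 /usr/bin/postgres -D /var/storage/pgsql/data
postgres  2948  2939  0 Nov17 ?        00:00:03 postgres: writer process
postgres 14097  2939  0 Nov18 ?        00:00:04 postgres: reporting reporting [local] idle
root      4806  2508  0 00:00 ?        00:00:03 /usr/bin/perl /usr/local/bin/reporter/mailsec-reporter.pl
root      4807  2508  0 00:00 ?        00:00:00 /usr/bin/perl /usr/local/bin/reporter/vpn-reporter.pl
root      4808  2508  0 00:00 ?        00:00:01 /usr/bin/perl /usr/local/bin/reporter/ips-reporter.pl
root      4809  2508  0 00:00 ?        00:00:01 /usr/bin/perl /usr/local/bin/reporter/pfilter-reporter.pl
root      4810  2508  0 00:00 ?        00:00:01 /usr/bin/perl /usr/local/bin/reporter/admin-reporter.pl
root      4811  2508  0 00:00 ?        00:00:01 /usr/bin/perl /usr/local/bin/reporter/system-reporter.pl
root      5120  5001  0 00:10 pts/0    00:00:00 grep reporter
"""

# ps -ef columns: UID PID PPID C STIME TTY TIME CMD (the header has no numeric PID
# and therefore does not match).
PS_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+\d+\s+\S+\s+\S+\s+\S+\s+(.*)$")
REPORTER_RE = re.compile(r"/reporter/(\w+)-reporter\.pl")


def parse_ps(ps_text):
    """Return (user, pid, ppid, cmd) for every process line of `ps -ef` output."""
    rows = []
    for line in ps_text.splitlines():
        m = PS_RE.match(line)
        if m:
            rows.append((m.group(1), int(m.group(2)), int(m.group(3)), m.group(4)))
    return rows


def reporting_health(ps_text, expected=EXPECTED_REPORTERS):
    """Check that the PostgreSQL main process and every expected reporter is
    running. A grep line mentioning 'reporter' is ignored because it does not
    carry a /reporter/<name>-reporter.pl path."""
    pg_main = None
    reporters = {}
    for _user, pid, _ppid, cmd in parse_ps(ps_text):
        if cmd.startswith("/usr/bin/postgres -D"):
            pg_main = pid
        m = REPORTER_RE.search(cmd)
        if m:
            reporters[m.group(1)] = pid
    missing = [name for name in expected if name not in reporters]
    return {
        "postgres_main": pg_main,
        "reporters": reporters,
        "missing": missing,
        "healthy": pg_main is not None and not missing,
    }


if __name__ == "__main__":
    # On the appliance: subprocess.run(["ps", "-ef"], capture_output=True, text=True).stdout
    h = reporting_health(SAMPLE_PS)
    print("postgres main PID:", h["postgres_main"])
    print("running reporters:", sorted(h["reporters"]))
    print("missing reporters:", h["missing"])
    print("healthy:", h["healthy"])
```

The check deliberately keys on the command line rather than the process name, so a stray shell or editor with "reporter" in its arguments is not mistaken for a running reporter.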


Page 165: ACE Engineer

CLI Reporting / Logging & Storage

All database errors can be found in the file /var/log/system.log and can be reviewed via WebAdmin or the command line.

In case of problems with the database or the reporting, the administrator should search the log file for PostgreSQL entries.

If there are messages like the following found in the log file, the administrator is requested to open a support call to restore the database with the help of the Astaro support.

ERROR: invalid page header in block 7002 of relation "accounting"
ERROR: could not open relation 17747/16519/18546: No such file or directory
PANIC: right sibling 1672 of block 110 is not next child of 3 in index "websec_bud_dayidx"
FATAL: bogus data in lock file "/var/run/postgresql/.s.PGSQL.5432.lock": "#

Note: The database files are not included in the backup file and therefore cannot be recovered by restoring a backup.

Scenario 1: The reporting is not working any more; the administrator wants to check if the storage partition is full.

Verify with: df -h /var/storage/pgsql/data on the command line

Filesystem                  Size  Used Avail Use% Mounted on
/dev/disk/by-label/storage  745M  208M  499M  30% /var/storage

Attention: The database files are stored under /var/storage/pgsql/data, but this is only a subfolder of the storage partition /var/storage, which also holds the HTTP proxy cache, the SMTP quarantine e-mails and more. When this partition is full, it is not necessarily a database problem; it could just as well be a problem with the HTTP cache or the SMTP proxy.

Page 166: ACE Engineer

Site-To-Site VPN using certificates

Page 167: ACE Engineer

CLI Site-To-Site VPN using certificates / General

Scenario 1: The administrator wants to check if the IPSec connection is established successfully.

Verify with: Check in the WebAdmin with a click on "Site-to-Site VPN" or on the command line using the command cat /proc/net/ipsec_eroute

asg225:/root # cat /proc/net/ipsec_eroute
14 172.16.55.0/24 -> 192.168.150.0/24 => tun0x10 [email protected]

When all lights are green, the connection is established with both phases. The command line output additionally shows the number of packets sent through the established tunnel (the leading number, 14 in this example).

The following lines (or similar ones) should be in the log file for an established tunnel:

2008:11:20-12:00:31 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #273: ISAKMP SA established
2008:11:20-12:00:31 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #276: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP
2008:11:20-12:00:31 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #276: Dead Peer Detection (RFC 3706) enabled
2008:11:20-12:00:31 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #276: sent QI2, IPsec SA established

These lines show that both phases were established successfully (ISAKMP SA = phase 1, IPsec SA = phase 2). The administrator should check the log file after the first build-up of the tunnel. This log file can be found under /var/log/ipsec.log.

Note: If the tunnel is fully established in both phases but no packets pass through the tunnel, the packet filter log and the packet filter rules should be checked.


Page 168: ACE Engineer

CLI Site-To-Site VPN using certificates/ Connection problems (1)

Scenario 1: The tunnel can not be established.

cannot respond to IPsec SA request because no connection is known for 172.16.55.0/24===192.168.140.225...192.168.140.226===192.168.150.0/24

Solution 1: Check the network definitions on both sides of the tunnel. The "Local Networks" on one side have to be configured as "Remote Networks" on the other side and vice versa.

Scenario 2: The tunnel can not be established.

packet from 192.168.140.226:500: initial Main Mode message received on 192.168.140.225:500 but no connection has been authorized with policy=PSK

Solution 2: Check the policy configuration on both gateways. This is especially important in case of different gateway vendors.

Note: All default policies on the ASG have "strict policy" disabled. If you see the error message above, it is possible that a connection is established, but with different policy settings than specified in the policy; in this case the ASG tries to establish the connection using "higher" security parameters.

In case of an activated "strict policy" on both gateways, the following messages will appear in the log file:

2008:11:20-12:50:02 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #309: Oakley Transform [OAKLEY_AES_CBC (256), OAKLEY_MD5, OAKLEY_GROUP_MODP1536] refused due to strict flag
2008:11:20-12:50:02 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #309: no acceptable Oakley Transform
2008:11:20-12:50:02 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #309: sending notification NO_PROPOSAL_CHOSEN to 192.168.140.226:500
2008:11:20-12:50:25 (none) pluto[13925]: packet from 192.168.140.226:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN


Page 169: ACE Engineer

CLI Site-To-Site VPN using certificates/ Connection problems (2)

Scenario 3: The tunnel can not be established.

2008:11:20-14:41:16 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #494: byte 2 of ISAKMP Identification Payload must be zero, but is not
2008:11:20-14:41:16 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #494: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
2008:11:20-14:41:25 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #492: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message

Solution 3: Check the preshared keys on both gateways. These messages indicate different keys.


Scenario 4: The tunnel can not be established.

2008:11:20-15:04:43 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #520: issuer cacert not found
2008:11:20-15:04:43 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #520: X.509 certificate rejected
2008:11:20-15:04:43 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #520: Signature check (on @asg226.asllab.net) failed (wrong key?); tried *AwEAAdhkV

Solution 4: In this case the authentication was done with certificates, and the branch office still uses the old local self-signed certificate configured with the option "Local X509 Certificate" instead of the certificate provided by the headquarters. Check the certificate configuration.

Note: A good overview of the actual tunnel configuration is given in the file /var/chroot-ipsec/etc/ipsec.conf. The entries stating "left" are for the local ASG, the entries stating "right" are for the remote gateway. The file is created dynamically when a tunnel is activated; changes to this file are discarded and ignored.
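The pluto messages quoted on this slide and on the two preceding ones (the established tunnel, Scenarios 1 to 4) can be classified automatically, which helps when ipsec.log holds many tunnels. The following Python script is an added example for this courseware, not an Astaro tool: it reads pluto lines, records per connection name whether the ISAKMP SA (phase 1) and the IPsec SA (phase 2) were established, and maps the known error messages to the check the slides recommend. The sample log is constructed from the quoted lines; the connection names S_REF_ExampleB_0 and S_REF_ExampleC_0 are made up to keep the scenarios apart, and messages logged without a connection name are collected under "(unassigned)".

```python
import re

# Known pluto messages from the slides and the check each one points to.
# The patterns are substrings of the log lines quoted on pages 167 to 169.
KNOWN_PROBLEMS = [
    ("no connection is known for", "network definitions (Local/Remote Networks on both sides)"),
    ("no connection has been authorized with policy", "policy configuration on both gateways"),
    ("refused due to strict flag", "strict policy: proposals differ"),
    ("no acceptable Oakley Transform", "strict policy: proposals differ"),
    ("mismatch of preshared secrets", "preshared keys on both gateways"),
    ("Possible authentication failure", "preshared keys on both gateways"),
    ("issuer cacert not found", "certificate configuration (CA certificate)"),
    ("X.509 certificate rejected", "certificate configuration"),
    ("Signature check", "certificate configuration (wrong certificate or key)"),
]

# Constructed sample from the quoted lines; the connection names
# S_REF_ExampleB_0 and S_REF_ExampleC_0 are made up for this example.
SAMPLE_IPSEC_LOG = """\
2008:11:20-12:00:31 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #273: ISAKMP SA established
2008:11:20-12:00:31 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #276: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP
2008:11:20-12:00:31 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #276: sent QI2, IPsec SA established
2008:11:20-12:50:02 (none) pluto[13925]: "S_REF_ExampleB_0" #309: Oakley Transform [OAKLEY_AES_CBC (256), OAKLEY_MD5, OAKLEY_GROUP_MODP1536] refused due to strict flag
2008:11:20-12:50:02 (none) pluto[13925]: "S_REF_ExampleB_0" #309: no acceptable Oakley Transform
2008:11:20-14:41:16 (none) pluto[13925]: "S_REF_ExampleC_0" #494: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
2008:11:20-14:41:25 (none) pluto[13925]: "S_REF_ExampleC_0" #492: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
2008:11:20-15:00:00 (none) pluto[13925]: packet from 192.168.140.226:500: initial Main Mode message received on 192.168.140.225:500 but no connection has been authorized with policy=PSK
"""

NAMED_RE = re.compile(r'pluto\[\d+\]: "([^"]+)" #\d+: (.*)$')
UNNAMED_RE = re.compile(r'pluto\[\d+\]: (.*)$')


def tunnel_status(log_text):
    """Per connection name: whether phase 1 (ISAKMP SA) and phase 2 (IPsec SA)
    were established, and which known problems were logged (deduplicated)."""
    status = {}
    for line in log_text.splitlines():
        m = NAMED_RE.search(line)
        if m:
            name, msg = m.groups()
        else:
            m = UNNAMED_RE.search(line)
            if not m:
                continue
            name, msg = "(unassigned)", m.group(1)
        s = status.setdefault(name, {"phase1": False, "phase2": False, "problems": []})
        if "ISAKMP SA established" in msg:
            s["phase1"] = True
        elif "IPsec SA established" in msg:
            s["phase2"] = True
        for pattern, check in KNOWN_PROBLEMS:
            if pattern in msg and check not in s["problems"]:
                s["problems"].append(check)
    return status


def report(status):
    """One line per connection: tunnel up, or which phase is missing and what to check."""
    lines = []
    for name, s in sorted(status.items()):
        if s["phase1"] and s["phase2"]:
            lines.append(f"{name}: tunnel up (ISAKMP SA and IPsec SA established)")
        else:
            phase = "phase 1 ok, phase 2 missing" if s["phase1"] else "phase 1 not established"
            checks = "; ".join(s["problems"]) or "no known error message logged"
            lines.append(f"{name}: {phase}; check {checks}")
    return lines


if __name__ == "__main__":
    for line in report(tunnel_status(SAMPLE_IPSEC_LOG)):
        print(line)
```

The "(unassigned)" bucket matters in practice: the policy mismatch of Scenario 2 is logged before pluto can attribute the packet to a connection, so filtering the log by connection name alone would hide it.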

Page 170: ACE Engineer

Miscellaneous issues

Page 171: ACE Engineer

CLI Miscellaneous issues/ Lost passwords

Scenario: The WebAdmin password has been forgotten or lost.

If the 'Root & Login' user passwords are known:

Use SSH or connect a monitor and keyboard directly to the AxG to log in to the shell. Once at the shell prompt, enter the configuration utility by following the directions below:

dot10:/root # cc
127.0.0.1 MAIN > RAW
127.0.0.1 RAW > system_password_reset
127.0.0.1 RAW > Ctrl+C (keys)

Log back into the WebAdmin and a set-password prompt will appear.


Page 172: ACE Engineer

CLI Miscellaneous issues/ Lost passwords

Scenario: All passwords have been forgotten or lost (1)

Reset the console passwords with a Linux LiveCD

In order to reset the passwords of a system that you cannot access, you will need to download a Linux LiveCD. There are many distributions, and if you already have one, it will likely work. The distribution that was used to test this article was Ubuntu Linux. The ISO image can be found here: http://mirror.cs.umn.edu/ubuntu-releases/intrepid/ubuntu-8.10-desktop-i386.iso

What you will need:
* Physical access to the ASG
* Keyboard
* Mouse (optional, depending on the distribution you are using)
* Monitor
* Suitable CD-ROM drive (USB for appliances, various types for software-based systems)
* PC with network access and a CD burner (or access to a LiveCD)

Download a suitable Linux LiveCD; the latest Ubuntu Linux distribution is confirmed to work. Burn the ISO image to a CD.

Attach the peripherals to the ASG. You should see a prompt that says 'login:' on screen. Insert the LiveCD into the CD-ROM drive and reboot the system. You should now boot into the LiveCD. Depending on the LiveCD, you may need to choose options to boot into the system.


Page 173: ACE Engineer

CLI Miscellaneous issues/ Lost passwords

Scenario: All passwords have been forgotten or lost (2)

Once booted, open a console and gain root privileges; this is done with the 'su' command in most distributions, for Ubuntu it is 'sudo su'. Run the following commands:

Linux> su
Linux# mkdir /mnt/asg
Linux# mount LABEL=root /mnt/asg
Linux# chroot /mnt/asg /bin/bash
Linux# passwd loginuser
Changing password for user loginuser
Password:
Retype password:
Linux# passwd
Changing password for user root
Password:
Retype password:
Linux# exit
Linux# umount /mnt/asg

Now take the CD out of the CD-ROM drive and reboot the ASG. Once the ASG has rebooted, you can sign in as root on the console of the system using your new root password.

Reset the admin password from the ASG's console: log into the ASG via the console and enter the following commands:

dot10:/root # cc
127.0.0.1 MAIN > RAW
127.0.0.1 RAW > system_password_reset
127.0.0.1 RAW > Ctrl+C (keys)


Page 174: ACE Engineer

CLI Miscellaneous issues/ Up2date troubleshooting (1)

Scenario: System Up2dates applied in the WebAdmin do not update the system to the latest version.

Simulation of RPM installs

Simulating an Up2date install is useful for determining why a particular Up2date may be failing, for example because there is no connection to the Up2date servers. The output appears in the standard /var/log/up2date.log file; for an individual test, redirecting it to a separate file makes examination easier. From the shell run the following commands:

dot10:/root # auisys.plx --simulation

Or, to redirect the output to a specific file such as 'up2datetest.log':

dot10:/root # auisys.plx --simulation >> up2datetest.log

Scenario: Up2date to a specific version is desired

This is useful for updating to a specific version rather than all the way to the latest, in particular with Up2dates making large changes, as noted by our feature releases 7.100, 7.200, 7.300 and 7.400. Before updating completely it is usually useful, and causes fewer problems, to first update to the latest version in the series prior to a feature release. As an example, update only to 7.202 first, then update to the latest 7.30x after the system reboots with a running 7.202 version.

dot10:/root # auisys.plx --upto 7.300


Page 175: ACE Engineer

CLI Miscellaneous issues/ Up2date troubleshooting (2)

Scenario: A 'force' of an Up2date is required

For Up2date issues the combination of --rpmargs and --force has the greatest effect on loading all current Up2dates. In addition these can be combined with --upto version to create a powerful Up2date order. This command is the standard way to effectively force all Up2dates present to load on a system despite previous Up2date failures, which may be triggered by customized RPM packages having been loaded on the system previously.

dot10:/root # auisys.plx --rpmargs --force

Or combined with the 'upto' version:

dot10:/root # auisys.plx --rpmargs --force --upto 7.300

Scenario: A downloaded Up2date appears corrupt and must be downloaded again.

Sometimes a new download or the removal of an Up2date is required to resolve an issue, if an Up2date has been corrected on the Up2date servers or is otherwise corrupted on a customer system. Remove any affected system Up2dates from the AxG and run a new download:

dot10:/root # cd /var/up2date/sys
dot10:/var/up2date/sys # rm u2d-sys-7.301*   (or whatever Up2date you wish to remove)
dot10:/var/up2date/sys # audld.plx   (triggers a new download)

If the download cannot communicate or authenticate with a server, the Up2date can be pulled directly from the Astaro FTP servers into the /var/up2date/sys directory with a wget command such as:

dot10:/root # cd /var/up2date/sys
dot10:/var/up2date/sys # wget http://ftp.astaro.com/ASG/v7/up2date/u2d-sys-7.300.tgz.gpg


Page 176: ACE Engineer

CLI Miscellaneous issues/ Restore a Backup from SSH

Scenario: WebAdmin access is unavailable, but shell access is, and there are backups stored on the AxG.

In the event that WebAdmin access is unavailable it is possible to restore a currently saved backup file from SSH or the direct console.

1) Log in via SSH:
login: loginuser
password: <loginuser password>
root access: su
password: <root password>

2) Identify the backup file needed:
cd /var/confd/var/storage/snapshots
ls -l
Files will appear as in this example: cfg_21707_1200723302

3) Restore the backup file:
/usr/local/bin/backup.plx -i /var/confd/var/storage/snapshots/cfg_21707_1200723302


Page 177: ACE Engineer

Introduction to ACC


In this chapter you will see:

Astaro Command Center

Page 178: ACE Engineer

Astaro Command Center / Overview

Centralized and efficient management of multiple Astaro Gateways

Central threat-level monitoring

IPSec VPN tunnel creation and monitoring

Central Up2date cache

Using state-of-the-art Web 2.0 technologies like AJAX (Asynchronous JavaScript And XML)

Tracking of critical system parameters in real time:
* detected threats
* license status
* software updates
* resource usage

No license needed!! It's free!!!

Page 179: ACE Engineer

ACC System Overview/ Available Appliances

Model : Astaro Command Center 1000 | Astaro Command Center 2000 | Astaro Command Center 3000 | Astaro Command Center 4000 | Astaro Command Center Virtual Appliance

Max. gateways supported : 20 | 50 | 100 | 200 | Unrestricted

Administrators* / Clients* : 1 / 4 | 2 / 10 | 3 / 20 | 4 / 40 | Small to large networks

System: Network ports : 2 x 10/100/1000 Mbps | 2 x 10/100/1000 Mbps | 3 x 10/100/1000 Mbps | 3 x 10/100/1000 Mbps | Depends on hardware platform used

System storage : 30 GB | 30 GB | 30 GB | 60 GB | Depends on hardware platform used

Log/Reporting storage : 40 GB | 40 GB | 40 GB | 80 GB | Depends on hardware platform used

*Admin with full access, clients with access to an average of 5 gateways and 1/3 of the clients simultaneously logged in.

Page 180: ACE Engineer

Astaro Command Center / Features

Inventory management provides comprehensive information about each device (CPU, hard disk, memory, network interfaces, software version and more)

All Astaro Security Gateway devices are automatically organized into device groups

Single-sign-on eases configuration management

Central update management makes it possible to update multiple devices with a single click

Role-based support for multiple administrators

Page 181: ACE Engineer

Astaro Command Center/ ASG Configuration


AxG’s must be configured with the IP/Hostname of the ACC Server and shared secret.

The connection between ASG and ACC is SSL encrypted using port 4433

Packet filter rules to allow this communication are created automatically

Page 182: ACE Engineer

Astaro Command Center/ ACC Configuration (1)

ACC has an ‘Administrative’ GUI and a ‘Gateway Manager’ GUI

The Administrative GUI is accessed via port 4444, just like the other AxG products

Look and feel is the same with sections for Management, Network settings, etc.


Page 183: ACE Engineer

Astaro Command Center/ ACC Configuration (2)

Gateway Manager submenu controls access for Administrators, Clients, and Networks


Page 184: ACE Engineer

Astaro Command Center/ Gateway Manager

Gateway Manager access is via port 4422 by default

Different Monitoring views display information on connected Gateways such as:

Threats

Licenses

Versions

Resources

Services

Availability

Page 185: ACE Engineer

Astaro Command Center/ Gateway Manager

Maintenance shows Inventory information and allows for scheduled operations on individual Gateways. Options are to:

Reboot

Shutdown

Prefetch Up2dates

Install Firmware

Install Patterns

Page 186: ACE Engineer

Astaro Command Center/ Gateway Manager

Management allows for selective control of which Gateways can connect via the Registration submenu

Access Control allows for role based access for Users


Page 187: ACE Engineer

Astaro Command Center/ Gateway Manager

Configuration offers a Site to Site VPN configuration wizard.

Easily create and monitor VPN connections between Astaro Security Gateways

Additional configuration options such as Centralized Object creation and management will be available in later releases

Page 188: ACE Engineer

Astaro Command Center / Review Questions

Page 189: ACE Engineer

Astaro Command Center/ Review Questions

1. Which technology is ACC built upon?

2. What features does ACC offer?

3. What port is used for communication between ACC and ASG?

4. Is the traffic encrypted?

5. Is it possible to cache the Up2Date packages for multiple ASGs?


Page 190: ACE Engineer

Astaro Report Manager

The topics in this chapter will be:


Overview of the Astaro Report Manager

Installation/Configuration of ARM and Syslog software

Page 191: ACE Engineer

Astaro Report Manager/ Overview

ARM is a data collection, analysis, and reporting tool

Aggregates and parses syslog data from network devices

Includes:

Real time monitoring

Alerts based on configurable parameters

Built-in and customizable reports

Forensic analysis

Page 192: ACE Engineer

Astaro Report Manager/ Overview/ Security Center

The Security Center offers manageable Monitoring views and the ability to create ‘Drill Down’ reports by simply double clicking items to bring up a ‘Workbench’


Page 193: ACE Engineer

Astaro Report Manager/ Overview / Security Center

The Reporting Section offers more than 800 reports on information such as

Attacks

Bandwidth

Content Categorization

Event

Web Activity

Historical information can be viewed using the built-in calendar

Page 194: ACE Engineer

Astaro Report Manager/ Overview / Security Center

Information can be viewed in different formats and exported or printed


Page 195: ACE Engineer

Astaro Report Manager/ Installation/Configuration

Hardware requirements are dependent on the number of devices sending data.

Recommended specs:

Pentium 4, 2.8 GHz or higher

100 GB or higher disk space

2 GB or higher of RAM

Windows Server 2000/2003

IIS or Apache (Apache recommended)

Fast I/O

Internet Explorer 6.0 or higher with Java

Page 196: ACE Engineer

Astaro Report Manager/ Installation/Configuration

ARM is available on the Astaro FTP servers accessible through http://my.astaro.com/

The current version is 4.6, which is the only release that works with AxG V7

FTP site contains both the ARM software and the Syslog server software


Page 197: ACE Engineer

Astaro Report Manager/ Installation/Configuration

Installation requires admin rights

Choose ‘Standalone’ for most installations

Encrypt traffic with SSL

Choose Apache Server for most installations

Page 198: ACE Engineer

Astaro Report Manager/ Installation/Configuration

Once Astaro Report Manager installation is complete it will prompt you to install the Syslog server


Choose all of the defaults unless a change is needed for the Syslog port (UDP 514) or you need to use trusted IPs for connections.

Page 199: ACE Engineer

Astaro Report Manager/ Installation/Configuration

By default the ARM software will check for the presence of a new device sending syslog data every 60 seconds.

Devices will appear on the Devices tab

Devices must have a valid license before Monitoring will begin


Page 200: ACE Engineer

Astaro Report Manager/ Installation/Configuration

Licenses are managed via the License Manager icon located in the upper left corner of the ARM screen

The License Manager offers the ability to Add, Manage, and Update licenses and devices


Page 201: ACE Engineer

Astaro Report Manager/ Installation/Configuration

Once a device is licensed and the checkbox under the Monitoring column is set, it should be accepting syslog data from your AxG. To confirm that the system is receiving data, use the AppStatus icon

Syslog Statistics will be shown here and clicking the Refresh button should show updated counts
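To make concrete what the syslog server side of this setup is doing (receiving on UDP 514, honouring the trusted-IP setting from the installer, and keeping the per-device counters that the AppStatus statistics let you refresh), here is an added example that is not the ARM or Syslog server software from the Astaro FTP site: a minimal BSD-syslog collector in Python. The trusted addresses, the constructed log lines and the `SyslogCollector` and `demo` names are assumptions made for the illustration, and it generalizes the page's point slightly by also decoding the facility and severity of each message so a zero count for a device can be told apart from a device that only sends at a severity the policy ignores.

```python
import re
import socket
from collections import Counter

# Constructed sample: the ASG addresses this collector trusts (RFC 5737 documentation range).
TRUSTED_SOURCES = {"192.0.2.10", "192.0.2.11"}
SYSLOG_PORT = 514  # default UDP port named in the installer step above

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# BSD syslog framing: "<PRI>" followed by the message, where PRI = facility * 8 + severity.
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def parse_syslog(datagram):
    """Decode one datagram into a dict, or None if it has no valid PRI header."""
    text = datagram.decode("utf-8", errors="replace")
    m = PRI_RE.match(text)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI value
        return None
    return {"facility": FACILITIES[pri // 8],
            "severity": SEVERITIES[pri % 8],
            "message": m.group(2).strip()}


class SyslogCollector:
    """Accepts datagrams only from trusted sources and keeps per-source counters."""

    def __init__(self, trusted):
        self.trusted = set(trusted)
        self.accepted = Counter()    # messages kept, per source address
        self.rejected = Counter()    # dropped: untrusted source or malformed framing
        self.by_severity = Counter()

    def handle(self, source_ip, datagram):
        """Return the parsed record if accepted, else None (and count the rejection)."""
        if source_ip not in self.trusted:
            self.rejected[source_ip] += 1
            return None
        record = parse_syslog(datagram)
        if record is None:
            self.rejected[source_ip] += 1
            return None
        self.accepted[source_ip] += 1
        self.by_severity[record["severity"]] += 1
        return record

    def stats(self):
        """Per-device counts an operator compares against the device's own log rate."""
        return {"accepted": dict(self.accepted),
                "rejected": dict(self.rejected),
                "by_severity": dict(self.by_severity)}


# Constructed sample traffic (not real ASG output): two trusted gateways, one stray host,
# and one datagram with no PRI header at all.
SAMPLE_DATAGRAMS = [
    ("192.0.2.10", b"<134>Jan 19 06:15:02 asg1 ulogd[2107]: constructed packet-filter log line"),
    ("192.0.2.10", b"<131>Jan 19 06:15:03 asg1 constructed error message"),
    ("192.0.2.11", b"<37>Jan 19 06:15:04 asg2 sshd: constructed auth notice"),
    ("198.51.100.5", b"<134>Jan 19 06:15:05 rogue constructed message from an untrusted host"),
    ("192.0.2.11", b"no PRI header at all"),
]


def demo():
    """Run the constructed sample through a collector and return its statistics."""
    collector = SyslogCollector(TRUSTED_SOURCES)
    for src, data in SAMPLE_DATAGRAMS:
        collector.handle(src, data)
    return collector.stats()


def serve(collector, bind_addr="0.0.0.0", port=SYSLOG_PORT):
    """Blocking receive loop; binding to port 514 needs privileges on most systems."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        while True:
            data, (src, _) = sock.recvfrom(65535)
            rec = collector.handle(src, data)
            if rec:
                print(f"{src} {rec['facility']}.{rec['severity']} {rec['message']}")


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the check the AppStatus screen makes visible: a trusted gateway whose accepted count stays at zero while its rejected count climbs is sending malformed frames or from an address the server does not trust, which is the first thing to verify before looking at licensing.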


Page 202: ACE Engineer

Astaro Report Manager/ Installation/Configuration

The Astaro Report Manager default collection policy does not monitor event logs, which results in minimal information on the dashboard screens. To enable monitoring, change the collection policy by clicking the Policies button to open the Policy Manager. Highlight and edit the ‘Collect All’ policy and add your device. Once saved, the dashboards should start displaying real-time information

Page 203: ACE Engineer

THE END.

Questions & Answers.