Anchiva SWG Administration Guide 3.00 v2


© 2009 Anchiva Systems Ltd.

Administration Guide

Secure Web Gateway

Ver 3.00


Copyright © 2009 Anchiva Systems Ltd. All rights reserved. Anchiva Systems and the Anchiva logo are registered trademarks of Anchiva Systems, Inc. Anchiva-206, Anchiva-500, Anchiva-506, Anchiva-1000X, Anchiva-1000XT, Anchiva-1000FXT, Anchiva-2000X, Anchiva-2000FXT and AnchivaOS are trademarks of Anchiva Systems Ltd. All other trademarks and registered trademarks are the property of their respective companies. Information in this document is subject to change without notice. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without receiving written permission from:

United States Office
Anchiva Systems Ltd.
P.O. Box 4157
Santa Clara, CA 95056-4157
Email: [email protected] (Sales Marketing), [email protected] (Support)
Web: www.anchiva.com

FCC Statement
The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. The equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense.

Disclaimer
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR ANCHIVA SYSTEMS REPRESENTATIVE FOR A COPY.

United States Address:
Anchiva Systems Ltd.
P.O. Box 4157
Santa Clara, CA 95056-4157
Email: [email protected] (Sales Marketing), [email protected] (Support)
Web: www.anchiva.com

Taiwan Office
4F, No 34, Sec 5, Chenggong Road
Nei-Hu, Taipei, 11477 Taiwan, R.O.C.
Phone: +886-936 467 342
Fax: +886-2-2790 0072
Email: [email protected] (Sales Marketing), [email protected] (Support)
Web: www.anchiva.com

China Office
B 601A, SP Tower, Tsinghua Science Park
Beijing, P. R. China
Phone: +86 (10) 51266678
Fax: +86 (10) 62780230
Email: [email protected] (Sales Marketing), [email protected] (Support)
Web: www.anchiva.com

Hong Kong Office
Room 601, 6/F Wah Yuen Building
145-149 Queen's Road
Central, Hong Kong.
Tel: +852 82266982
Fax: +852 30139612
Email: [email protected] (Sales Marketing), [email protected] (Support)
Web: www.anchiva.com


Contents

Table of Contents

Introduction  6
  About this document  8
  Anchiva service and technical support  8
    Obtaining technical support  9

WebUI Overview  11
  Connecting to the WebUI  11
  Using the WebUI  12

System Management  14
  Configuring host settings  14
    Setting the host name  14
    Enabling SNMP  15
    Setting the system time  15
    Configuring DNS servers  16
  Setting the inspection mode  16
  Setting the fail-safe operational mode  18
  Enabling feedback reporting  18
  Enabling hardware bypass mode  19
  Report storage settings  19
  Email Settings  19
  Log settings  21
    Saving logs to Syslog servers  23
    Log severity levels  24
  Email Alerts  25
  SNMP Traps  26
  Network Settings  28
    Interfaces  28
      Vlan1 interface  28
      Viewing the interface list  29
      Editing the interface properties  30
      Route mode and transparent mode  31
    About VLANs  33
    Configuring VLANs  34
    Static MAC  35
    ARP probe  36
    Routing table  36
    Zone  37
    HA  39
      Configuring HA settings  39
      Using interface weights as HA failover trigger  42
      Connecting an HA pair  43
      Connecting an HA cluster to your network  43
      Upgrading firmware for an HA cluster  43
  Maintenance  45
    Configuring update settings  45
      Updating firmware and system configuration  45
      Updating scan engine definitions  47
      Proxy authentication  50
    License  51
    Shutting down the system  52
    Generating the technical support file  52
  Admin Accounts  54
    Viewing the administrator accounts  54
    Adding an admin account  55
    Configuring admin access controls  56

Dashboard and Statistics  58
  Using the dashboard  58
  Viewing statistics  61
    System statistics  61
    Interface statistics  62
    HTTP/HTTPS statistics  63
    FTP statistics  65
    POP3 statistics  66
    SMTP statistics  67
    Web Filter  69
    Applications  71

Reports and Logs  73
  Reports  73
    Saved Reports  77
    Setting up report schedules  78
    Generating reports  80
  Logs  80
    Automatic encoding transformation  80
    Client incidents  81
    Malware detected  83
    Webfilter  85
    Server Protection  86
    Event logs  87
    Normal emails  90
    Applications  91
    Management  94

Policies  97
  Object Settings  97
    Time Object  97
    Bandwidth Object  98
    User Defined Protocol  100
  AD (Active Directory)  101
  Blacklist  102
  Security Groups  102
  Security Profiles  103
  Policy List  104
    Session tracking overview  105
    Application Policies  107
    Service Policies  108

Anti-Malware  111
  Global Service Settings  112
    File handling  112
  File block  114
    Block by extension  114
    Block by file name  115
  Web Services  116
    Web services processing overview  116
    HTTPS Content Inspection  117
    Configuring HTTP/HTTPS anti-malware settings  118
      Configuring exempt IP and URL lists from HTTP upload blocking  121
      HTTPS Whitelist  122
    Configuring HTTP/HTTPS warning messages  122
  FTP Services  126
  Email Services  129
    Configuring SMTP anti-malware settings  129
    Configuring SMTP email signatures  130
    Configuring POP3 anti-malware settings  131
    Configuring POP3 email signatures  133
  File Quarantine  135
    Managing quarantined HTTP/HTTPS files  135
    Managing quarantined FTP files  136
    Managing quarantined SMTP emails  137
    Managing quarantined POP3 emails  138
  Anomaly Detection  140
    Anti-ARP spoof  140
    DNS checking  141
    Port monitor  141

Application Controls  143
  Whitelist  143
  Non-productive applications  144
  Productive applications  145
  Instant messenger  146
  IM Content Audit  148

Web Filter  149
  Web filtering processing overview  149
  URL formats  150
  Configuring URL whitelists  151
  Configuring URL blacklists  152
  Configuring malicious site detection  153
  Configuring application sites detection  154
  Configuring the URL Filter  155

Server Protection  156

Syslog Message Reference  158
  Message format  158
    PRI part  158
    Message header  159
    Message body  159
  Message categories  159
  Message header  159
  Message Body  160
    Admin audit messages  160
    Email messages  160
    Malware messages  161


Introduction

Anchiva's Secure Web Gateways (SWG) provide organizations a centralized security gateway to secure, control and maximize internet use in the workplace. Utilizing an ASIC accelerated content inspection engine, the SWG quickly and accurately inspects, classifies and filters HTTP/HTTPS, FTP, SMTP and POP3 content, filtering malware and unwanted content, without impacting the internet speeds on the network. In addition, user and group based URL filters and application controls allow administrators to enforce acceptable use internet policies.

Malicious content including spyware, viruses, rootkits, adware and trojans is identified and blocked at the gateway, while non-productive applications such as online gaming, stock trading and streaming applications are detected and blocked based on granular user defined policies.

Key features of the Anchiva SWG include:

• Industry leading threat database provides the most comprehensive anti-malware gateway defense in the industry
• Application controls to prevent the use of online gaming, gambling, stock trading, P2P, and many others
• Categorized URL filter prevents access to offensive and productivity draining websites
• Bandwidth management guarantees bandwidth for mission critical apps such as VOIP and CRM
• Protects against silent malware installations that could result in the theft of sensitive corporate and customer data
• High performance platforms and transparent mode deployment integrate seamlessly into the network
• Low management overhead as the gateways can automatically update their threat databases
• Multiple interface and protocol support allow the systems to secure multiple threat vectors

The Anchiva gateways come in several models which scale to secure small/remote office networks to large enterprise and service provider networks.

Figure 1: Anchiva SWG model comparison

Integrating deep content web and email data inspection, the Anchiva gateways are best deployed at internet access points in the network, which allows the SWG to inspect all inbound and outbound traffic for malicious content and unwanted application use on the network. Typical deployments pair the SWG with the corporate firewall.

In these deployments, the firewall filters traffic at the TCP/IP level (layer 3 and 4) while the SWG inspects traffic at the protocol and data level (layer 7), allowing it to detect malicious programs and unwanted application use.


Figure 2: Anchiva gateway Deployment

Malware Prevention: Inbound and Outbound content inspection

Spyware and virus infected hosts can cause damage in multiple ways. While inbound threat scanning is most commonly discussed in the industry, it is also important to monitor outbound traffic.

• Common behavior of virus infected hosts includes viral replication used to spread itself and infect other hosts, thus creating a virus outbreak.
• Spyware, on the other hand, is stealthier and is often used to steal sensitive information from the infected host and upload the information out of the network to a central server on the internet.

By providing bidirectional traffic control, the Anchiva gateway prevents workstations from becoming infected and prevents already infected hosts from uploading malware out of the protected network.

Non-productive application and internet management

The internet has become an essential and necessary tool for organizations to grow and expand their business. The Anchiva SWG allows security administrators to control unwanted abuse of internet privileges by monitoring and filtering access to unwanted websites while at the same time monitoring and controlling the use of productivity draining and bandwidth eating applications such as P2P, streaming media, online gaming, stock trading and many others.

Network Segmentation

The Anchiva gateways come equipped with multiple tri-mode 10/100/1000 gigabit interfaces that allow the system to secure traffic for multiple network segments such as Internal, External, DMZ, Wireless, guest and management networks. A key part of network segmentation is that the Anchiva SWG can set distinct and independent policies for each network, ensuring that one network does not impact the other by containing a spyware or virus outbreak to one network.


Onboard logging and reporting

Detailed logs and reports, available internally and externally via syslog, report on malware activity and unproductive internet use. Onboard reports clearly identify hosts which have the most malware activities and which users are attempting to access inappropriate internet content and applications. Reports can be generated based on a schedule and auto emailed to the administrator.

About this document

This administrator guide describes how to manage and configure the Secure Web Gateway to secure inbound and outbound internet traffic in a protected network. The target audience for this document are security administrators in charge of managing and configuring Anchiva Secure Web Gateways.

Additional documentation available:

• Anchiva Secure Web Gateway Quick Start User Guide: quick start installation and user guide for the Anchiva gateway.

• Anchiva Secure Web Gateway CLI Guide: lists and explains available CLI commands for the AnchivaOS operating system.

Anchiva service and technical support

Anchiva Systems Ltd. maintains technical support centers in both the US and China.Technical support can be contacted directly by Anchiva customers as well asAnchiva's technology re-sellers and integrators.

Anchiva gateways are guaranteed with a one-year hardware warranty. For failures of the hard disk, power supply or other faulty hardware components within the first year of purchase, Anchiva will replace the faulty part under the standard warranty. For software support, new users are entitled to download the newest versions of AnchivaOS released within 30 days from the date of purchase. To receive AnchivaOS upgrades after the initial 30 days, a software subscription is required.

Anchiva's RapidRx security lab provides multiple updates per day to the anti-malware database, providing zero-day protection against the latest threats spreading on the internet. Full access to database updates is available for the first 30 days after purchasing the Anchiva gateway. To continue receiving updates after this 30-day trial period, a subscription is required.

Note: If a subscription is not purchased, the system will still function with the existing anti-malware definition but will have limited capabilities to stop new malware threats not included in the existing malware definition file.


Obtaining technical support

To contact Anchiva Customer Support for technical or general customer service questions, please see the following contact options:

North America Support Contact Information

United States address:
P.O. Box 4157
Santa Clara, CA 95056-4157
Email: [email protected] (Sales Marketing)
[email protected] (Support)
Web: www.anchiva.com

Asia Pacific Region

For customers in the Asia Pacific area, please contact the Asia Pacific Region Technical Support Center (APAC) in Beijing, China.

China address:
B 601A, SP Tower, Tsinghua Science Park
Beijing, P. R. China
Phone: +86 (10) 51266678
Fax: +86 (10) 62780230
Email: [email protected] (Sales Marketing)
[email protected] (Support)
Web: www.anchiva.com

Customers can receive technical support in the following three ways:

Telephone: Anchiva Systems Technical Support Center offers support Monday through Friday from 8:30am to 5:30pm.
Toll-free: 800-810-3678 (24 by 7 in mainland China)
For international users, please dial +86-10-51266678

Taiwan Office
4F, No 34, Sec 5, Chenggong Road
Nei-Hu, Taipei, 11477, Taiwan, R.O.C.
Phone: +886-936 467 342
Fax: +886-2-2790 0072
Email: [email protected] (Sales Marketing)
[email protected] (Support)
Web: www.anchiva.com

Hong Kong Office
Room 601, 6/F Wah Yuen Building
145-149 Queen's Road Central, Hong Kong.
Tel: +852 82266982
Fax: +852 30139612
Email: [email protected] (Sales Marketing)
[email protected] (Support)
Web: www.anchiva.com


Web site: http://www.anchiva.com.cn

You can download the data sheets of the latest products from our technical support website, find answers to many frequently asked questions, and submit your questions online.


WebUI Overview

Management of the Anchiva gateway can be performed using a secure web connection (HTTPS) and by a command line interface (CLI). See the AnchivaOS Command Line Guide for more information on how to use the CLI to manage and configure the Anchiva gateway.

Note: Configuration changes made from the WebUI and CLI take effect immediately. When making changes using the CLI, you must manually issue the "save configuration" command to save the settings and make them permanent. When using the WebUI, configuration changes are saved automatically.

Connecting to the WebUI

Using a secure HTTPS connection, the administrator can manage and configure the Anchiva gateway using the supported web browsers:

• Internet Explorer 6.0 and above

• Firefox 1.50 and above

To access the WebUI, configure a PC with an IP address of 192.168.20.100/24 and connect it via ethernet to interface eth0 of the Anchiva gateway. The table below shows the default IP address and administrative account used to log in to the WebUI and CLI.

Note: See the Anchiva Quick Start Guide for a step-by-step guide on how to manage and configure the Anchiva gateway out of the box.

Table 1: Default administrator account information

Op Mode       Transparent mode.
              Caution: A routing loop can be introduced into the network if more than 2 SWG interfaces are connected to switch interfaces that are part of the same VLAN.
IP Address    192.168.20.200
Username      'administrator'
Password      'password'
Language      English

To log on to the Anchiva gateway's WebUI

1 From a web browser, enter this path and address:

https://<Anchiva_gateway_ip_address>.

2 To log on to the WebUI, enter the default administrator user name and password.

3 Select the WebUI display language: English, Simplified Chinese, or Traditional Chinese.

4 Click Login.


For security reasons, change the password of the default "administrator" account after the first logon. For information about how to change the password, see “Adding an admin account”.

Using the WebUI

The opening page of the WebUI is the Home > Dashboard page, which displays critical system information, system statistics, and malware inspection highlights.

Figure 3: Dashboard

The Anchiva system’s functions are grouped into the following main menus, each of which contains further submenus:

§ Home: Used for accessing the dashboard and real-time system statistics

§ Report and Logs: Used for viewing the malware, URL, application and event logs and generating reports.

§ Policies: Under this main menu, you create application and service policies along with security profiles, security groups, client blacklists and bandwidth objects, and add AD (Active Directory) information.

§ Anti-Malware: The menu options contain configurable malware and file blocking rules to be applied to HTTP/HTTPS, FTP, SMTP, and POP3. Other options configured in this menu include warning messages and replacement emails.

§ Application Controls: Options to configure the actions the SWG system will take when detecting productive, non-productive and IM applications.

§ Web Filter: The web filter options are for configuring the URL whitelist, blacklist, malicious sites, application sites and the URL filter.


§ Server Protection: The server protection settings are used to enable the detection of attack patterns aimed at disrupting web server operations.

§ Management: Under this main menu, you can configure the system settings, network settings, admin accounts, and other system management settings.

The configuration window can contain two types of information: statistics or user-configurable options. In some screens, the statistics are displayed in charts or graphical format.

In the top right corner of the WebUI, you can find the following frequently used tools. The name of the currently logged-in administrator is displayed in the top bar for reference.

Figure 4: WebUI tools

Online Help   Click to open the online help.

Logout        Click to exit the WebUI. Make sure to log out from the WebUI before closing the Web browser. Otherwise, the WebUI will automatically log out from the Anchiva gateway after the login timeout (default timeout is 15 minutes).


System Management

The System Management chapter covers the following topics:

§ Configuring host settings
§ Enabling SNMP
§ Setting the system time
§ Configuring the DNS servers
§ Setting the inspection mode
§ Setting the fail-safe operational mode
§ Enabling feedback reporting
§ Enabling hardware bypass mode
§ Report storage settings
§ Email Settings
§ Log disk storage settings
§ Log settings
§ Email Alerts
§ SNMP traps
§ Network Settings
§ Maintenance
§ Admin Accounts

Configuring host settings

Select Management > System Settings > Host to configure the following basic system settings:

• Setting the host name

• Enabling read-only SNMP polling

• Setting the system time

• Specifying DNS servers

Setting the host name

The host name is the appliance’s identifier.

To change the host name

1 Select Management > System Settings > Host.

2 Under Hostname, enter a new name. The host name can consist of letters, numbers, and the underscore character '_'.

3 Click Apply.

Enabling SNMP

You can configure the Anchiva gateway to allow read-only SNMP polling.

To enable read-only SNMP polling on the Anchiva gateway

1 Select Management > System Settings > Host.

2 Select Enable SNMP.

3 Enter the Read only community string (if different from the default "public"). The read only community string is a password for SNMP authentication, which the Anchiva gateway uses to allow or deny SNMP requests. For security reasons, it is recommended to change the default string.

The next step requires enabling SNMP management on the interface(s) that will be accepting SNMP requests.

4 Select Management > Network Settings > Interfaces.

5 Click the name of the interface on which you want to allow SNMP requests.

6 For Management Access, select SNMP.

7 Click Apply to save the changes.

Note: You can download Anchiva SNMP MIBs from Anchiva’s customer Product Information Server (PIS). For details, contact Anchiva Technical Support.

Setting the system time

It is important to set the correct time on your Anchiva gateway for synchronizing the logs and reports and for scheduling updates to the signature databases.

To set the system time, the Anchiva system offers manual setting of the clock and the recommended option of using NTP.

To set the system time

1 Select Management > System Settings > Host.

2 From the Time Zone Offset list, select the time zone you are in.

3 If you want to manually set the time, enter the time, then click Apply.


4 If you want to synchronize with an NTP server, select Enable NTP Server, specify an NTP server, and specify the Auto Sync Interval.

5 Click Apply.

6 To refresh the system time display, click Refresh.

Note: To make use of the NTP feature, the Anchiva gateway must have internet connectivity.

Configuring DNS servers

You can specify a primary and a secondary DNS server for the Anchiva gateway to use. Configuring DNS server entries is important, because the Anchiva gateway needs them to communicate with the Anchiva ASDN servers and download its threat databases.

The DNS servers should be reliable and accessible.

To specify DNS servers

1 Select Management > System Settings > Host.

2 For Primary DNS Server, enter the IP address of the primary DNS server.

3 For Secondary DNS Server, optionally enter the IP address of the secondary DNS server.

4 Click Apply.

Setting the inspection mode

The Anchiva gateway can be deployed in two modes: inline Preventative mode and offline Recon mode. Choose the deployment best suited to your network.

Note: When the operational mode is changed, a system reboot is necessary.

Preventative Mode

The Anchiva gateway is deployed in-line in the network.

Figure 4: Preventative mode inline deployment


• The Anchiva gateway actively scans web and email traffic, blocking any malware from reaching and infecting hosts on the network.

• Preventative mode is the recommended mode of deployment and offers the highest level of security for your network.

• Best deployed as part of a multi-layered security design, the Anchiva gateway is typically deployed in close network proximity to, or directly behind, the corporate firewall.

• Interoperable with core networking equipment (routers, switches, firewalls) and also with application servers, HTTP proxies and email servers.

Recon mode

The Anchiva gateway is deployed off the traffic path. A SPAN port on the switch must see all traffic destined to the Internet.

Figure 5: Recon mode offline deployment

• The Anchiva gateway is deployed on a SPAN or monitor port off the core switch.

• Web and email traffic are monitored and inspected for malware content.

• Logs and reports are used to identify which hosts on the network are downloading spyware, viruses, trojans, and other malware.

• Recon mode is ideal for auditing network traffic and for initial installations, allowing you to determine the best location to deploy the Anchiva gateway in Preventative mode so it can actively block malware from entering the network.

Note: The Anchiva gateway can prevent malware from reaching the end users only in Preventative mode. The gateway cannot block malware downloads in Recon mode.


To change the system’s inspection mode

1 Select Management > System Settings > Op Modes.

2 Select an inspection mode.

3 Click Apply.

Setting the fail-safe operational mode

In cases when the web, FTP, or email traffic load on the network exceeds the capacity of the Anchiva system, the fail-safe mode determines how new sessions that match a “Filter” policy are processed.

Note: The fail-safe feature only applies to new sessions that match a policy with the “Filter” action. It does not apply to traffic that matches policies with the “Permit” or “Deny” action. For information about policy actions, see “Policies”.

To set the fail-safe mode

1 Select Management > System Settings > Op Modes.

2 Select one of the following two modes:

Fail-open    Allows and forwards new sessions that match a Filter policy without performing content inspection.

Fail-close   Blocks new sessions that match a Filter policy.

3 Click Apply.

Enabling feedback reporting

Anchiva’s RapidRx lab continuously identifies new malware threats and non-productive applications and updates the malware definitions, malicious sites and application control databases.

If you want to send suspicious files and virus logs to Anchiva’s research lab for further analysis, you can enable the feedback reporting feature on the Anchiva gateway.

To enable feedback reporting

1 Select Management > System Settings > Op Modes.

2 Select Enable Feedback Reporting.

3 Click Apply.


Enabling hardware bypass mode

For SWG models whose hardware supports it, enabling hardware bypass mode provides link-open, uninterrupted network-to-network connections. In the event that bypass mode is triggered, network traffic continues to flow from bypass interface to bypass interface without being scanned. Bypass mode is triggered when the Anchiva Gateway experiences a software or power failure.

SWG models that support hardware bypass mode: SWG 206, 500, 506, 1000FXT, 2000FXT

Most of the Gateway's interfaces support hardware bypass, except for eth0 and eth1, which are reserved for management and HA. Fibre interfaces do not support hardware bypass either.

To enable hardware bypass mode

1 Select Management > System Settings > Op Modes.

2 Select Enable hardware bypass mode.

3 Click Apply.

Report storage settings

The Anchiva gateway can generate and store various reports according to your requirements. All the reports are stored on the Anchiva appliance’s local disk. You can specify the maximum number of days to keep the reports and the maximum disk space the report files can use.

To configure report storage settings

1 Select Management > System Settings > Reports.

2 For Max days to keep reports, enter a number between 1 and 60.

3 For Max storage on disk, enter a number between 1 and 1000 (MB).

4 Click Apply.

Email Settings

The email alert settings are used globally for sending email alerts that notify the administrator of web, FTP and email malware incidents and HA failures, and for sending warning notifications of upcoming license expirations.

Web and email users will also receive replacement messages for every malware incident detected. For details, see “Configuring HTTP/HTTPS anti-malware settings” and “Managing quarantined HTTP/HTTPS files”.

Figure 5: Email Settings

To configure the email settings:

§ Configure the email account information

§ Configure the alert threshold parameters

Configure the email account information:

1 Select Management > System Settings > Email Settings.

2 Enter the sender and recipient email addresses. This account will also be used by the Anchiva system to forward quarantined email and reports.

3 If the emails need to be routed through an external email server, specify the SMTP server’s IP address or hostname. If the SMTP server requires a secure connection, enable the SSL option. Specify the SMTP port number used by the server.

4 Enter the Email server port number.

5 Under SMTP Authentication, specify the user name and password that will be used for authentication on the SMTP server. (Required for forwarding of quarantined emails.)

6 Configure the event thresholds that trigger alert emails in the Email Alerts page.


Log settings

The Anchiva gateway logs system activities, such as admin events, malware detection, and web filtering findings. The logs can be saved locally on the appliance’s hard disk, exported to an FTP server, or sent to Syslog servers.

Select Management > System Settings > Logs > Log Settings to enable logging, configure disk usage, and export log messages to an FTP server.

Figure 7: Log Settings


Max Keep Days    Maximum number of days to store logs. Logs older than this period are automatically deleted.

Max Disk Space   Maximum hard disk space to use for logs. Valid range is 100 to 20000 MB.

Usage Alarm Threshold   Values range from 1 to 100% of use. If the percentage threshold is met or exceeded, the system can be configured to send an alert email to the administrator, and a pop-up message is also generated, warning the administrator of the high disk use and to delete or export some logs to free up disk space.

Full Log Disk Action   When the log files reach the specified maximum disk space, the system stops accepting new logs. It is highly recommended to configure a schedule to export and remove the existing logs from the system.

Enable Logging   Select which of the following activities to log:

Admin Events: Records administrator activities including system login, logout, and configuration changes made. To view the admin logs, see “Management”.

System Events: Records the system activities.

Malware Events: Records the malware incidents detected by the Anchiva gateway in the HTTP/HTTPS, FTP, SMTP, and POP3 traffic. To view the malware event logs, see “Client Incidents”.

Events: Records the traffic anomalies. See “Anomaly Detection” and “Event logs”.

Normal Email: Records the meta-information of the normal emails processed by the Anchiva gateway. To view the email logs, see “Normal Emails”.

Application Control: Records the usage information of non-productive applications and IM applications. To view the application control logs, see “Application Controls”.

Server Protection: Records webserver attacks detected by the Server Protection rules.

Webfilter Logging   Select the Web Filter events to enable logging.

Enable Log Export   Export the log files to an FTP server.

Schedule   Specify a schedule to export the files. The schedule can be weekly or any interval between 1 and 30 days.

FTP Server to export log files to   Specify the following server settings:

Server IP FTP server IP address

User name FTP user account

Password FTP user password

Remove local log files after export   Choose to delete the log files from the hard disk after the log files are exported.

Export Now Click to send the log files to the FTP server immediately.

Saving logs to Syslog servers

You can save the log files to up to three Syslog servers. For details about the syslog message formats and contents, see “Syslog Message Reference”.

Figure 8: Syslog Settings

To configure Syslog server settings

1 Select Management > System Settings > Logs > Syslog Settings.

2 Configure the following settings and click Apply.

Enable Syslog Enable to start logging to Syslog servers.

Enable Logging Select which of the following activities to log:

Admin Events: Records administrator activities including system login, logout, and configuration changes made. To view the admin logs, see “Management”.

System Events: Records the system activities.

Malware Events: Records the malware incidents detected by the Anchiva gateway in the HTTP, FTP, SMTP, and POP3 traffic. To view the malware event logs, see “Client Incidents”.


Normal Email: Records the meta-information of the normal emails processed by the Anchiva gateway. To view the email logs, see “Normal Emails”.

Events: Records the traffic anomalies. See “Anomaly Detection” and “Event logs”.

Application Control: Records the usage information of non-productive applications and IM applications. To view the application control logs, see “Application Controls”.

Server Protection   Records webserver attacks detected by the Server Protection rules.

Webfilter Logging   Select Web Filter events to enable logging.

Syslog Servers Configure the following syslog server settings. You can configure up to three syslog servers.

IP: Enter the IP address of the syslog server.

Port: Enter the port number used to communicate with the syslog server. The default port is 514.

Level: Select a logging severity level. See “Log severity levels”.

Facility: Facility indicates to the syslog server the source of a log message. If you have more than one Anchiva gateway, you may need to use facility numbers to differentiate log messages from different gateways.

Log severity levels

When you want the Anchiva gateway to send log files to Syslog servers, you can define the severity level of the logs. The Anchiva gateway will log the messages at and above the specified severity level. You can select from the following logging severity levels:

Emergency     Top level message. The gateway is experiencing severe problems.

Alert         Alert level log messages include detected viruses and spyware from HTTP, SMTP, POP3 and FTP traffic.

Critical      Critical log messages record information which affects system functionality, such as high CPU usage, low memory, and low HDD space.

Error         Error log messages point to errors that may affect system functionality.

Warning       Messages that may affect system functionality, such as interface link up/down status.

Notification  Logs normal system events, such as system configuration changes (admin auditing), and normal emails processed.

Information   General system log events, such as firmware updates, malware and malicious site updates.
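The "at and above the specified level" rule and the facility field described above, worked through as an added example (not the gateway's own code or its Syslog Message Reference format): the seven level names listed in this guide are mapped to the standard syslog numeric severities, events below the configured level are dropped, and the facility number encoded in each message's PRI field is what lets a collector tell two gateways apart. The event categories and messages below are constructed samples.

```python
# Added example: syslog severity filtering and PRI encoding as this guide
# describes them. This is not the Anchiva gateway's implementation; the
# message layout is a hypothetical BSD-style line and the events are constructed.
from dataclasses import dataclass
from typing import List, Tuple

# Level names from the guide mapped to standard syslog severities (RFC 3164/5424).
# Lower number = more severe; "at and above" a level means severity <= that level.
SEVERITY = {
    "Emergency": 0,
    "Alert": 1,
    "Critical": 2,
    "Error": 3,
    "Warning": 4,
    "Notification": 5,
    "Information": 6,
}


@dataclass
class LogEvent:
    severity: str   # one of the SEVERITY keys
    category: str   # log category from the guide, e.g. "Malware Events"
    message: str


def passes_level(event_severity: str, configured_level: str) -> bool:
    """True if the event is at or above the configured level, i.e. at least as severe."""
    return SEVERITY[event_severity] <= SEVERITY[configured_level]


def syslog_pri(facility: int, event_severity: str) -> int:
    """PRI = facility * 8 + severity, as the syslog protocol defines it."""
    if not 0 <= facility <= 23:
        raise ValueError("syslog facility must be in the range 0..23")
    return facility * 8 + SEVERITY[event_severity]


def decode_pri(pri: int) -> Tuple[int, int]:
    """Split a PRI value back into (facility, severity); this is what a collector does
    to tell apart gateways configured with different facility numbers."""
    return pri // 8, pri % 8


def format_message(facility: int, hostname: str, event: LogEvent) -> str:
    """Hypothetical BSD-style line: <PRI>hostname category: message."""
    pri = syslog_pri(facility, event.severity)
    return f"<{pri}>{hostname} {event.category}: {event.message}"


def forward(events: List[LogEvent], configured_level: str,
            facility: int, hostname: str) -> List[str]:
    """Return the lines a gateway would send for the given level and facility."""
    return [format_message(facility, hostname, e)
            for e in events if passes_level(e.severity, configured_level)]


# Constructed sample events, one per kind of message the guide's level list mentions.
SAMPLE_EVENTS = [
    LogEvent("Alert", "Malware Events", "virus detected in HTTP download"),
    LogEvent("Critical", "System Events", "low HDD space"),
    LogEvent("Warning", "System Events", "eth2 link down"),
    LogEvent("Notification", "Admin Events", "configuration changed by administrator"),
    LogEvent("Information", "System Events", "malicious site database updated"),
]

if __name__ == "__main__":
    # Gateway A uses facility local0 (16) and level Warning; gateway B uses local1 (17).
    for line in forward(SAMPLE_EVENTS, "Warning", 16, "swg-a"):
        print(line)
    for line in forward(SAMPLE_EVENTS, "Warning", 17, "swg-b"):
        fac, sev = decode_pri(int(line[1:line.index(">")]))
        print(f"{line}  (facility {fac}, severity {sev})")
```

With the level set to Warning, only the Alert, Critical and Warning samples are forwarded; the Notification and Information events are dropped, and a collector receiving PRI 129 versus 137 for the same Alert knows which of the two gateways sent it.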

Email Alerts

The email alert settings are used globally for sending email alerts that notify the administrator of HTTP/HTTPS, FTP and email malware incidents and HA failures, and for sending warning notifications of upcoming license expirations.

Web and email users will also receive replacement messages for every malware incident detected. For details, see “Configuring HTTP/HTTPS anti-malware settings” and “Managing quarantined HTTP/HTTPS files”.

Configure the email alert threshold settings:

1 Choose Management > System Settings > Alerts > Email Alerts. Enable Send consolidated email alerts.

2 Specify the email sending interval and the malware incident threshold. Both parameters must be met for an alert email to be sent for malware incidents.

3 Select the protocols.

4 Optionally modify the notification messages.

5 Select Enable alerts for HA events if you want to send alert emails for HA failures.

6 Select Enable alerts for license expiration date to have the system send notification messages based on the number of days before the subscription services expire. Enter the number of days before expiration at which to send the notification email.

7 Click Apply.

Figure 9: Email Settings


SNMP Traps

You can configure the Anchiva gateway to send SNMP traps to an SNMP manager. On the SNMP server side, you can monitor the Anchiva gateway’s system activities, such as alerts and other log messages. The Anchiva gateway supports both SNMP v1 and v2 compliant SNMP managers. You can also enable read-only SNMP polling on the gateway so that the SNMP servers can poll SNMP information from the gateway. For details, see “Enabling SNMP”.

Figure 10: SNMP traps

To specify the SNMP servers

1 Select Management > System Settings > Alerts > SNMP Traps.

2 Configure the following settings and click Apply.

Trap Version   Select an SNMP trap version that the SNMP server supports.

SNMP Server You can specify up to three SNMP servers to receive the Anchiva appliance’s SNMP traps. For each SNMP server, configure the following settings:


IP: Specify the IP address of the SNMP server.

Community: Specify the SNMP read-only community.

Port: Specify the port number for SNMP traps.


Network Settings

Go to Management > Network Settings to configure and manage the Anchiva gateway’s network interfaces, VLANs, routing, zones, and high availability (HA) settings.

This section contains the following topics:

• Interfaces
• About VLANs
• Configuring VLANs
• Using MAC addresses to control access to interfaces
• ARP probe
• Routing table
• Zone
• HA

Interfaces

The Anchiva gateways vary in the number of available physical network interfaces. Current gateway models have between 4 and 8 network interfaces. The interfaces are generic and can be assigned to face either the internal LAN or the external network facing the firewall or network router.

The vlan1 is a virtual interface that is accessible by default from all physical interfaces. The management IP address is assigned to the vlan1 interface and is used for CLI and WebUI management access. Management controls such as HTTPS, SSH, PING and SNMP are configured at the physical interface level. This allows the SWG to enable and/or disable management per physical interface.

Out of band management

The Anchiva SWG supports out-of-band management configurations. To use this option, the management IP address can be assigned directly to a physical interface. The management interface is then used to process management traffic only; user traffic will not flow through this port.

Vlan1 interface

Apart from the physical interfaces, the Anchiva gateway is configured with a native VLAN interface called vlan1. When connecting to the Anchiva gateway for the first time, it is recommended that you access the WebUI via vlan1 through eth0 to configure the gateway. For details, see “Logging on to the WebUI”. The vlan1 interface is bridged to all network interfaces. The default configuration for all physical network interfaces is transparent mode. Therefore, no initial IP address needs to be assigned to access the WebUI.

To configure the vlan1 interface IP address


1 Select Management > Network Settings > Interfaces.

2 Click the vlan1 interface name in the Device Interface List.

3 Enter the IP address and netmask for vlan1.

4 Click Apply.

Viewing the interface list

Go to Management > Network Settings > Interfaces to view the appliance’s interface information.

Figure 11: Interface List

Name   Click the name to edit the interface properties. You can also select the checkbox and then click the Edit button to edit the interface properties. For details, see “Editing the interface properties”.

IP Address IP address of the interface.

Mac Address Displays the MAC address of the interface.

Link Status   The green arrow or the red arrow indicates the current link status of the interface. The green arrow means that the interface is connected to the network.

Note: The vlan1 is a pseudo interface that is bound to all interfaces configured in transparent mode. If all transparent mode interfaces have a link down status, then vlan1 will also have a link down status. If any of the transparent mode interfaces has a link up status, then the vlan1 interface will also show a link up status.

Mode Displays the interface’s running mode, either transparent or route mode. Fordetails about the two modes, see “Route mode and transparent mode”.

Speed/Duplex   Displays the speed of the interface (auto, 10, 100, or 1000) and the duplex communication setting (auto, full-duplex, or half duplex). For details, see “Editing the interface properties”.

Zone   Displays the zone that the interface belongs to. For information about zones, see “Zone”.


Editing the interface properties

You can configure the settings and management properties for both the physical interfaces and the vlan1 interface.

Note: The vlan1 interface only supports Transparent mode.

Figure 12: Editing an interface

To configure the physical interface

1 Select Management > Network Settings > Interfaces.

2 Click the interface name you want to edit.

3 Edit the following information and click Apply.

IP Address / Netmask   If you select Route mode for the interface, enter an IP address and netmask for the interface.

Zone Membership   From the dropdown list, optionally select a zone to which you want to assign the interface.

Interface Mode   Select either Transparent or Route mode. For details, see “Route mode and transparent mode”.

Management Access   Specify the protocols that administrators are allowed to use to access the interface: HTTPS, SSH, PING, SNMP, NMS or AD.

Port Admin Status   Select Up to enable the admin port/interface and thus allow management access to the interface; select Down to disable the admin port/interface and thus block management access to the interface.

Link State Specify the interface’s speed and duplex settings.

Auto-negotiate The interface negotiates the most suitable settings with the other end.

Fixed Specify the speed (10, 100, or 1000 megabits per second) and duplex setting (either half duplex or full duplex) for the interface.

Inbound Rate Specify the amount of bandwidth to allocate for inbound transmissions on this interface. If no value is entered, the traffic can use the full amount of bandwidth allowed by the interface. Choose the scale to be either 'kbps' (kilobits per second) or 'mbps' (megabits per second).

Outbound Rate Specify the amount of bandwidth to allocate for outbound transmissions on this interface. If no value is entered, the traffic can use the full amount of bandwidth allowed by the interface. Choose the scale to be either 'kbps' (kilobits per second) or 'mbps' (megabits per second).

External Interface Specify this interface as an external interface. The traffic statistics for the external interfaces are used to calculate the amount of internet traffic on the network.

Note: By default, the traffic going through the interfaces is not filtered. To filter the traffic content, you must create and apply a policy on the interface. For details, see “Policies”.

Route mode and transparent mode

You can configure any of the physical interfaces to run in route mode or transparent mode.

Note: It is recommended to configure all interfaces on a system to run in either route mode or transparent mode, unless you are using a single interface in route mode for out-of-band management.

Route mode

Although the Anchiva gateway can act as a static router connecting multiple subnets, dynamic routing is not supported by the SWG. The preferred deployment mode is transparent mode, as it requires minimal changes to the network.

Transparent Mode

Anchiva's transparent mode implementation acts like a layer-2 bridge device on the network. Packets are received on an interface and quickly inspected to determine the application type; no modifications are made to the Ethernet, IP or TCP addressing or port information contained in the packet headers. As the gateway focuses on inspecting web and email traffic, all other application types, such as VoIP and database applications, are quickly switched from interface to interface without any interference.


Supporting transparent mode deployments allows the Anchiva gateway to be seamlessly deployed into an existing network. The ease of deployment eliminates the need to re-design the IP architecture of the network. In addition, since the gateway is interoperable with stateful inspection firewalls, you can easily integrate anti-malware security at the gateway without having to do a forklift replacement of the existing firewall.

While inspecting web and email traffic, the gateway takes advantage of the RapidRx core ASIC to quickly scan web downloads and email messages against its threat database. With its high performance scanning engine, web browsing and email traffic are quickly inspected for malware content without noticeable delay to end users.

Since transparent mode is easy to deploy and most likely to be your first choice, the following sections describe some typical deployment scenarios.

Deployment scenario one: Gateway based spyware and virus protection

• Typical Anchiva gateway deployment behind the corporate firewall. The gateway inspects all inbound and outbound web and email traffic, blocks any malicious files from infecting users on the network and blocks users on the LAN from sending malicious files to hosts outside of the network.

• Outbound prevention proves to be equally as important as inbound prevention, as spyware-infected hosts can be used to steal and then upload sensitive information from an infected host.

• The email server may already have anti-virus software installed and the hosts may already have desktop AV clients. The Anchiva gateway acts as a gateway enforcement point, blocking malware at the gateway, resulting in improved performance on the hosts and email workstations on the network.

• Policy-based configuration allows the administrator to configure policies per host or subnet.

Deployment scenario two: LAN and DMZ protection


• Multiple available interfaces allow the gateway to be deployed inline for multiple networks.

• Typical scenarios include inspecting DMZ traffic where email and web servers may be located.

Deployment scenario three: Interoperating with a HTTP proxy

• Highly configurable policy controls allow the gateway to listen for web traffic on customized ports, which is normally the case when using an HTTP proxy.

• The gateway is flexible and can be deployed either behind the HTTP proxy or in front of it. Deploying behind the HTTP proxy and closer to the end users allows the gateway to log malware incidents using the actual host IP address, as opposed to logging only the proxy IP address, since the HTTP proxy will normally perform NAT when forwarding web requests.

The content inspection ability of the gateway makes it complementary to URL filtering services. Whereas the URL filter can control where a user can browse to, the gateway controls and scans the content downloaded from web sites users are allowed to visit.

About VLANs

A virtual local area network (VLAN) is a method of creating independent logical networks in a physical network. The primary protocol currently used in configuring virtual LANs is IEEE 802.1Q, which describes how traffic on a single physical network can be partitioned into virtual LANs by tagging each frame or packet with extra bytes to denote which virtual network the packet belongs to.

VLANs with the same VLAN ID can communicate with each other no matter what network segment they belong to. For example, the R & D departments in several locations may belong to different networks. But if you configure them into VLANs with the same ID, they can communicate as if they are in the same network segment.

One VLAN is a broadcast domain. VLANs only broadcast to the ports that are part of the VLAN or trunk link. Therefore, if you add several VLANs on one interface, you will make broadcast domains smaller, and thus reduce traffic and increase security.

The Anchiva gateway supports both port-based VLANs (Access Mode) and 802.1Q Trunk VLANs (Trunk Mode) on its physical interfaces.

• In Access Mode, one physical interface can only belong to one VLAN.

• In Trunk mode, one physical interface can belong to multiple VLANs.

• By default, all the physical interfaces are in transparent mode and belong to the native VLAN called vlan1.

Note: Anchiva-500 gateways do not support VLANs.

When you create a content filtering policy, you can apply the policy on a physicalinterface, or a VLAN. For details, see “Policies”.

Configuring VLANs

You can create VLANs of any of the following three types on the Anchiva appliance’s interfaces:

• Access VLAN

• 802.1Q Trunk VLAN

• vlan1 native VLAN

Note: An interface can only belong to one type of VLAN, either Access or Tagged (802.1Q).

Figure 13: VLAN Configuration

To create a VLAN on an interface


1 Select Management > Network Settings > VLAN.

2 Select an interface from the Interface dropdown list.

3 Do one of the following:

• To create a port-based VLAN, select Access VLAN and specify a VLAN ID. Then click Apply.

• To create a trunk VLAN, select 802.1Q Trunk and specify a VLAN ID. Then click Apply. To remove a trunk mode VLAN, select a VLAN ID from the box, select Remove, then click Apply. To add the VLAN to a zone, select a VLAN ID from the VLAN ID list and then select a zone from the Add the VLAN to a Zone list.

• To assign an interface to vlan1, select Native vlan1, then click Apply.

• In the default configuration all physical ports belong to the native VLAN, vlan1.

Static MAC

You can lock down which MAC addresses are allowed to access a specific physical interface and/or a VLAN interface. For information about VLAN interfaces, see “About VLANs”.

Figure 14: Adding a static MAC address

To allow a static MAC address to access an interface

1 Select Management > Network Settings > Static MAC.

2 Click Add.

3 Specify the MAC address.

4 From the VLAN dropdown list, select a VLAN interface that the MAC address is allowed to access.

5 From the Interface dropdown list, select an interface that the MAC address is allowed to access.

6 Click Apply.


ARP probe

ARP probe can be used to find out whether an IP address is already in use by another interface on the network.

An ARP probe is an ARP Request packet, broadcast on the local link, with all zeros as the “sender IP address”. The “sender hardware address” must contain the hardware address of the interface sending the packet. The “target hardware address” field should be set to all zeros. The “target IP address” field must be set to the address being probed.

To view the ARP probe entries

1 Select Management > Network Settings > ARP Probe.

Figure 14: ARP Probe display

2 The ARP probe entry list displays the following information:

Target IP Address Displays the target IP addresses to probe.

VLAN Displays the VLAN within which the IP address is probed.

To add an ARP probe entry

1 Select Management > Network Settings > ARP Probe.

2 Click Add.

3 Specify the target IP address to probe.

4 From the VLAN dropdown list, optionally select a VLAN ID if you want to track IP addresses on different trunk VLANs. For information about VLANs, see “About VLANs” on page 50.

5 Click Apply.
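The probe format described above, together with the 802.1Q tag introduced in “About VLANs”, as an added example that is not code from the Anchiva guide or AnchivaOS: it builds a probe with those field values and recognises the replies that reveal an address is already in use, reading the VLAN ID from a tagged frame as the ARP probe entry list reports it. All MAC and IP values are constructed.

```python
# Added example, not Anchiva code: ARP probe construction and recognition on
# untagged and 802.1Q-tagged Ethernet frames. Sample addresses are constructed.
import struct
from dataclasses import dataclass
from typing import List, Optional

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = b"\xff" * 6
ZERO_MAC = bytes(6)
ZERO_IP = bytes(4)


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def ip(text: str) -> bytes:
    return bytes(int(octet) for octet in text.split("."))


@dataclass
class ArpInfo:
    vlan_id: Optional[int]  # None for an untagged frame (native vlan1 on the gateway)
    opcode: int
    sender_mac: bytes
    sender_ip: bytes
    target_mac: bytes
    target_ip: bytes

    def is_probe(self) -> bool:
        # A probe is a request with an all-zero sender IP and all-zero target MAC:
        # the sender claims no address yet, it only asks who holds target_ip.
        return (self.opcode == ARP_REQUEST
                and self.sender_ip == ZERO_IP
                and self.target_mac == ZERO_MAC)


def build_arp_frame(opcode: int, dst_mac: bytes, src_mac: bytes, sender_ip: bytes,
                    target_mac: bytes, target_ip: bytes,
                    vlan_id: Optional[int] = None) -> bytes:
    """Ethernet header + optional 802.1Q tag + 28-byte ARP body (IPv4 over Ethernet)."""
    frame = dst_mac + src_mac
    if vlan_id is not None:
        frame += struct.pack("!HH", ETHERTYPE_VLAN, vlan_id & 0x0FFF)  # PCP/DEI left zero
    frame += struct.pack("!H", ETHERTYPE_ARP)
    frame += struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)  # htype, ptype, hlen, plen, op
    # Sender hardware address is the MAC of the sending interface, as the guide requires.
    return frame + src_mac + sender_ip + target_mac + target_ip


def build_arp_probe(src_mac: bytes, probe_ip: bytes, vlan_id: Optional[int] = None) -> bytes:
    """Broadcast request, sender IP 0.0.0.0, target MAC zero, target IP = address probed."""
    return build_arp_frame(ARP_REQUEST, BROADCAST_MAC, src_mac, ZERO_IP, ZERO_MAC,
                           probe_ip, vlan_id)


def parse_arp(frame: bytes) -> Optional[ArpInfo]:
    """Return the ARP fields of a (possibly VLAN-tagged) frame, or None if not IPv4 ARP."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    offset, vlan_id = 14, None
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            return None
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        vlan_id, offset = tci & 0x0FFF, 18  # low 12 bits of the TCI carry the VLAN ID
    if ethertype != ETHERTYPE_ARP or len(frame) < offset + 28:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack_from("!HHBBH", frame, offset)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = frame[offset + 8:offset + 28]
    return ArpInfo(vlan_id, opcode, body[0:6], body[6:10], body[10:16], body[16:20])


def holders_of(frames: List[bytes], probe_ip: bytes, vlan_id: Optional[int]) -> List[str]:
    """MACs that answered a probe for probe_ip on the given VLAN: the address is in use.
    A host defending its address replies with sender IP = the probed address."""
    found = []
    for frame in frames:
        info = parse_arp(frame)
        if (info and info.opcode == ARP_REPLY and info.vlan_id == vlan_id
                and info.sender_ip == probe_ip):
            found.append(info.sender_mac.hex(":"))
    return found


if __name__ == "__main__":
    gw, other = mac("00:11:22:33:44:55"), mac("aa:bb:cc:dd:ee:01")  # constructed
    target = ip("192.0.2.10")
    probe = build_arp_probe(gw, target, vlan_id=20)
    # Constructed reply from a host that already owns 192.0.2.10 on VLAN 20.
    reply = build_arp_frame(ARP_REPLY, gw, other, target, gw, ZERO_IP, vlan_id=20)
    print(parse_arp(probe).is_probe(), holders_of([probe, reply], target, 20))
```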

Routing table

The Anchiva gateway lists all connected routes, static routes, and the default route in its routing table. For each interface configured in route mode and assigned an IP address, a connected route will automatically be entered for that subnet.

To view the routing information, go to Management > Network Settings > Routing Table.

Note: The Anchiva gateway supports a maximum of 255 static routes.

Figure 15: Adding a route

To add a static or default route

1 Select Management > Network Settings > Routing Table.

2 Click Add.

3 To add a default route, select Add as Default Route, and enter the gateway IP address. If the Anchiva gateway itself acts as a gateway, from the Interface dropdown list, select an interface that is used as the gateway interface.

4 To add a static route, deselect Add as Default Route, and enter the destination subnet, netmask, and gateway IP address. If the Anchiva gateway itself acts as a gateway, from the Interface dropdown list, select an interface that is used as the gateway interface.

5 Click Apply.

Zone

You can group interfaces into security zones to simplify policy creation. For example, if you group the eth1, eth2, and eth3 interfaces into one zone, instead of creating three policies, one for each interface, you can create one policy for the zone, which includes all three interfaces. This grouping also applies to VLAN interfaces for policy consolidation.

Note: A single interface can only belong to one zone.

You add interfaces to zones when you edit the interface properties. For details, see “Editing the interface properties”.

On the Management > Network Settings > Zone page, you can view the existing zones.

Figure 16: Zone list


To create a zone

1 Select Management > Network Settings > Zone.

2 Click Add.

3 Enter a name for the new zone.

4 Click Apply.

Once zones have been created, interfaces can be added to a zone by editing the interface configuration.

Figure 17: Interface Zone membership

To change a zone name

1 Click the zone’s name.

2 Enter a new name.

3 Click Apply.

To delete a zone

1 Select the checkbox for the zone to delete.

2 Click Delete.


HA

High availability (HA) provides network reliability by allowing up to two Anchiva gateways to work in a master-backup synchronized cluster. In an HA configuration, the system designated as the master processes internet traffic and applies inspection policies, while the backup acts as a hot standby, keeping its configuration synchronized with the master.

Upon a failover event, the backup system automatically takes ownership of the master role and processes, inspects and applies policy checks to internet traffic. This ensures that internet traffic flowing in and out of the network is always inspected for malicious and unwanted content.

The master and the backup gateways must be the same model and run the same firmware build. When you upgrade the firmware, you must upgrade it on both gateways. For details, see “Upgrading firmware for an HA cluster”. The HA interface used on each gateway is configurable, but it must be the same port on both. For example, if one gateway uses the eth4 port for the HA connection, the other gateway must also use the eth4 port.

The current AnchivaOS release only supports HA in transparent mode, but the HA interface itself must be in route mode and have a static IP address assigned. The peer IP addresses are the IP addresses bound to the HA interfaces on the master and backup systems, so the peer IP addresses must be on the same subnet.

When sending HA heartbeats, the master uses the IP address assigned to its HA interface as the source IP address of the packet and sends it to the IP address (peer IP) of the backup system.

To set up an HA cluster, follow these general steps:

1 Configuring HA settings on both gateways.

2 Connecting an HA pair with each other.

3 Connecting an HA cluster to your network.

4 Upgrading firmware for an HA cluster.

Configuring HA settings

Before you can set up an HA master and backup pair, you must configure the HA settings on both gateways.

Figure 18: HA settings


To configure HA settings

1 Select Management > Network Settings > HA.

2 Configure the following settings and click Apply.

Enable HA Enable this option on both Anchiva gateways in the HA cluster.

HA Status Either Master or Backup.

MAC Block To prevent loops, the master and backup learn each other’s MAC addresses. The master blocks, and does not forward, any packets with the MAC address of the backup system.

Failover Status When the gateway is running as the master in the HA pair, clicking Set Failover forces the gateway into the backup role, and thus the previous backup gateway becomes the master. To end the appliance’s failover status and bring the gateway back to the master role, click Unset Failover. This option is useful when performing firmware upgrades.

Cluster IP Address/Mask Enter the IP address for the HA cluster. This is the virtual IP address you use to manage the HA cluster. When the HA cluster is in operation, the master has ownership of the cluster IP address. In the event of failover, the backup takes over the role of the master and thus the cluster virtual IP address.


HA Interface Specify the interface that will be used to connect to the other appliance’s HA interface for HA heartbeat and synchronization communication. The two interfaces must use the same port on both gateways. For example, if you use the eth3 port for the HA connection on the master gateway, you must also use the eth3 port on the backup gateway. The HA interface chosen must be in route mode and must be assigned an IP address. The IP addresses assigned to the HA interfaces must be in the same subnet.

HA Priority Set an HA priority number for the gateway. If the two gateways start up at the same time, the gateway with the higher number becomes the master gateway in the HA cluster. If you want the gateway to always become the master whenever it starts up, set the number to 254. The valid range is 1 to 254.

Group ID Set a number as the HA cluster’s group ID. The master and backup gateways must have the same group ID. If you have several HA pairs in your network, the group ID of every pair must be different.

Keepalive Interval Set the time interval at which the gateway sends heartbeat packets to the other gateway to verify the synchronization status. The two gateways keep communicating with each other, so that the backup gateway knows when the master gateway stops functioning. If three consecutive heartbeats are missed, the backup gateway assumes that the master gateway is down and takes ownership of the master role. If one of the monitored interfaces on the master gateway is down, the backup gateway takes over the master role right away.

Peer IP Enter the IP address of the other appliance’s HA port.

Enable Failover Threshold This option prevents HA master ownership from flapping back and forth too many times, for example when the monitored interfaces on both HA systems go into a down state because both downstream switches lost power. By setting a maximum number of failover events, the system stops the HA flapping once the count/time threshold is met; the master at that moment continues to be the master.

Tracking Timeout Set the timeout for host tracking. When the timeout is reached, a failover to the slave (backup) gateway is initiated.

Tracking Host Threshold Enter a number from 1 to 32. Adding a weight to each tracking IP is used to prevent premature failover events. For the IP tracking mechanism to cause a failover event, the sum of the weights of the missed IP tracking events must meet or exceed the Tracking Host Threshold value. For an IP tracking event to be considered inactive, three consecutive pings must be missed.


Tracking Host IP 1 to 3 You can configure the Anchiva gateway to poll up to three hosts as a measure of network reachability. The gateway sends Ping requests to the hosts. If the timeout is reached without replies, a failover to the slave (backup) gateway is initiated.

Monitored Interfaces You can choose to monitor the interfaces on the master gateway. Whenever one or more monitored interfaces are down on the master gateway, the backup gateway takes over the master role right away and the master runs as a backup. Optionally, you can use the interface weights as the failover trigger. For details, see “Using interface weights as HA failover trigger” on page 58. Only monitor the interfaces that are connected to the network.

Enable Preempt Mode If you prefer a specific Anchiva gateway in an HA pair to always be the master when it is powered on and operating correctly, enable preempt mode on the master Anchiva system. If an HA master with preempt mode enabled fails over and reboots, it reassumes the master status for the HA group after a successful reboot and recovery.

Preempt Delay Specify how long the system waits before it assumes the master status. A value of 0 sets the system to take over the master status immediately after a successful reboot and recovery.

Using interface weights as HA failover trigger

The interface weights are used to generate health scores for the master and backup devices in an HA cluster. The weights control when an HA failover event occurs and help avoid premature failover events.

The interface weights are configured separately on the master and the backup; the values are not synchronized from the master to the backup.

To effectively use the interface weights as a failover trigger, you must assign higher weight values on the master system. When the HA heartbeat messages are sent from the master to the backup, the weights are included as part of the heartbeat information.

As the master and backup units are constantly exchanging health information in the HA heartbeats, if the backup finds that its interface weight is higher than that of the current master, the backup assumes the master has suffered a failure and automatically takes ownership of the master role in the HA cluster.
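The failover decisions described in the HA settings table and in this section, as an added example that is not AnchivaOS code: master election by priority, missed heartbeats, monitored-interface failure, the interface-weight comparison, tracking-host weights against the Tracking Host Threshold, and the failover threshold that stops flapping. The heartbeat fields, interface names and weights are constructed for the demonstration; the real heartbeat format is not documented here.

```python
# Added example, not AnchivaOS code: a model of the HA failover rules described
# in the guide. Constants mirror the documented values; names and weights are
# constructed for the demonstration.
from dataclasses import dataclass
from typing import Dict, Optional

MISSED_HEARTBEATS_FOR_FAILOVER = 3  # "if three consecutive heartbeats are missed"
MISSED_PINGS_FOR_INACTIVE = 3       # "three consecutive pings must be missed"
MAX_PRIORITY = 254                  # valid HA Priority range is 1 to 254


def elect_master(priority_a: int, priority_b: int) -> str:
    """When both units start at the same time, the higher priority number becomes master."""
    for p in (priority_a, priority_b):
        if not 1 <= p <= MAX_PRIORITY:
            raise ValueError(f"HA priority {p} outside 1..{MAX_PRIORITY}")
    return "a" if priority_a > priority_b else "b"


def health_score(link_up: Dict[str, bool], weights: Dict[str, int]) -> int:
    """Interface-weight health score: sum of the weights of monitored interfaces that are up.
    Weights are configured per unit and not synchronized, so each side computes its own."""
    return sum(w for iface, w in weights.items() if link_up.get(iface, False))


@dataclass
class Heartbeat:
    """What the master reports in a heartbeat (modelled fields, not the real wire format)."""
    score: int                   # master's health score from its own interface weights
    monitored_iface_down: bool   # any monitored interface on the master is down


def backup_takeover_reason(backup_score: int, missed_heartbeats: int,
                           last_heartbeat: Optional[Heartbeat]) -> Optional[str]:
    """Why the backup should assume the master role now, or None to stay backup."""
    if missed_heartbeats >= MISSED_HEARTBEATS_FOR_FAILOVER:
        return "heartbeat"            # master presumed down
    if last_heartbeat is None:
        return None                   # nothing learned from the master yet
    if last_heartbeat.monitored_iface_down:
        return "monitored interface"  # master lost a monitored link: takeover right away
    if backup_score > last_heartbeat.score:
        return "interface weight"     # backup healthier than master: master assumed failed
    return None


def tracking_failover(missed_pings: Dict[str, int], host_weights: Dict[str, int],
                      threshold: int) -> bool:
    """Tracking Host Threshold (1..32): fail over once the summed weight of the
    inactive tracking hosts (three missed pings each) meets or exceeds it."""
    if not 1 <= threshold <= 32:
        raise ValueError("Tracking Host Threshold must be between 1 and 32")
    inactive = sum(host_weights[h] for h, n in missed_pings.items()
                   if n >= MISSED_PINGS_FOR_INACTIVE)
    return inactive >= threshold


class FailoverGuard:
    """Enable Failover Threshold: after `limit` failover events the current master
    stays master, which stops the flapping described in the settings table."""
    def __init__(self, limit: Optional[int]):
        self.limit, self.count = limit, 0

    def allow(self) -> bool:
        if self.limit is not None and self.count >= self.limit:
            return False
        self.count += 1
        return True


if __name__ == "__main__":
    # Master carries higher weights, as the guide advises; with one master link down
    # the two scores tie, so the backup does not take over on weight alone.
    master_weights = {"eth0": 20, "eth1": 20}
    backup_weights = {"eth0": 10, "eth1": 10}
    hb = Heartbeat(score=health_score({"eth0": True, "eth1": False}, master_weights),
                   monitored_iface_down=False)
    backup = health_score({"eth0": True, "eth1": True}, backup_weights)
    print(elect_master(100, 254), hb.score, backup, backup_takeover_reason(backup, 0, hb))
```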


Connecting an HA pair

When configuring an HA pair, follow these steps to bring up the master and the backup system. These steps assume you have already assigned an IP address to each system to access the WebUI. HA can also be configured using the CLI, but this example focuses on the WebUI management configuration tools.

1 Choose which HA interface is to be used.

2 Enable HA on the first system in the cluster.

3 Complete the HA configuration on the system. It will automatically become the master of the HA group.

4 Connect the systems (master and backup) via the chosen HA interface. The HA interfaces can be connected directly or through a switch.

5 Enable HA on the backup system and complete the HA configuration on the backup. Make sure the HA group ID matches on both HA configurations.

6 After completing the HA configuration on the backup, log on to the CLI of the master and synchronize the configuration from the master to the backup from the CLI:

sync configure

Executing this command automatically forces the master to synchronize its configuration with the backup. HA heartbeats are auto-generated and exchanged between the master and backup.

Connecting an HA cluster to your network

After you connect both gateways together, you can deploy the cluster into your network.

For example, if the master has eth0 and eth1 connected to the network and eth3 connected to the HA backup, the backup must be connected in the same manner (eth0 and eth1 to the network and eth3 to the HA master).

Since AnchivaOS HA only supports transparent mode, you do not have to configure IP addresses on the non-HA interfaces.

For details about connecting the gateways to your network, see the Anchiva Security Appliance Quick Start Guide.

Upgrading firmware for an HA cluster

Since the HA pair must be running the same firmware build, when you upgrade one system the other must also be upgraded as soon as possible. If your HA cluster is running, follow this procedure to upgrade the firmware with minimal interruption to your network.


To upgrade firmware for an HA cluster

1 Upgrade the backup system. Use the vlan1 IP address to access the system. The system will automatically reboot.

2 After upgrading the backup, manually fail over the master to the backup role to upgrade its firmware. Go to Management > Network Settings > HA and click Set Failover, or use the following CLI command to force the current master into the backup role in the HA cluster:

set ha failover

3 After the failover, upgrade the new backup (former master). The system will automatically reboot.


Maintenance

Under Management > Maintenance, you can perform the following system maintenance tasks:

• Configuring update settings

• License

• Shutting down the system

• Generating the technical support file

Configuring update settings

The Anchiva Services Distribution Network (ASDN) provides a highly reliable delivery infrastructure that delivers real-time malware signature, malicious site, and application control updates to Anchiva gateways around the world.

The URLs of known spyware host sites are also collected and compiled into a malicious site list. With the consistently updated malicious site list, the Anchiva gateway can block spyware applications that actively collect confidential information from your PC and attempt to phone home.

You can get the latest features by updating the firmware.

If your Anchiva gateway connects to the Internet through a proxy server, you must configure the proxy authentication settings. For details, see “Proxy authentication”.

Updating firmware and system configuration

On the Management > Maintenance > Update > Firmware page, you can view the current AnchivaOS firmware version, the previous version, the last update date, and the last update status.

You can also upgrade or downgrade the firmware. Firmware updates can be downloaded from the Anchiva Technical Support web site if you have a current support contract.

Caution: Updating the system firmware requires a system reboot, which will lead to a temporary service interruption.

Figure 19: Firmware and configuration update


To upgrade or downgrade the firmware

1 Select Management > Maintenance > Update > Firmware.

2 For Update New Firmware, click Browse to locate the firmware image on your local PC.

3 Choose when to apply the firmware upgrade. Choose "Execute update immediately after file uploading finishes" to apply it immediately, or "Schedule update" and choose the time to apply the update.

4 Click Apply.

Managing the configuration file

You can download the Anchiva appliance’s configuration file to your PC, upload a configuration file from your PC to the gateway, or restore the system to the factory default configuration.

To upload the system configuration

1 Select Management > Maintenance > Update > Firmware.

2 For Update New Configuration, click Browse to locate the configuration file.

3 Click Apply.

To save the system configuration

1 For Save and Download Configuration, click Save.

2 Save the file to your PC.

The configurations will be saved as a zip file.

Note: The zip file includes three files: the system configuration file, the URL blacklist, and the URL whitelist. In case you need to upload the backup system configuration, you must also upload the URL blacklist and whitelist. For details about how to upload the URL blacklist and whitelist, see “Configuring the URL whitelist” and “Configuring the URL blacklist”.

To restore the system to factory default settings

1 For Restore System to Factory Defaults, click Restore.

2 Click OK.

Note: All your configuration changes will be lost if you restore the system to factory default settings.

Updating scan engine definitions

You can view the current versions and update status of the scan engine, malware definition, malicious site definition, and application control definition. You can also schedule update intervals or get updates immediately by using manual updates.

Figure 20: Scan engine and definition updates

Viewing the current scan engine and definition versions

On the Management > Maintenance > Update > Malware page, you can view the current scan engine and definition versions, the last update time, and the last update status.

Update The component: Scan Engine, Malware Definition, Malicious Sites, or Application Control.

Version The current version loaded and running on the gateway.

Previous Version Displays the previous version number if a previous version was installed before.

Last Update Date Time stamp of the last update.

Update Status Displays either Updated, Up to date, or Contacting the Update Server. Updated means a version was downloaded and applied. Up to date means the system contacted the ASDN update server but found the running database is up to date.

Scheduling scan engine and definition updates

You can set up a schedule to get the latest scan engine and definition updates from the Anchiva Update Center. The schedule can be hourly or daily.

To schedule the updates

1 Select Management > Maintenance > Update > Signature.

2 Select Schedule Signature Update.

3 Do one of the following:

• Select Hourly Interval and specify an hourly update interval.

• Select Daily Schedule and specify the time to download updates every day. If you enter 00:00, the system will download updates at midnight.

4 Click Apply.

5 To download updates, the SWG dynamically finds the most capable ASDN server to connect to. DNS servers must be configured for this to work.

Note: By default, the Anchiva gateway downloads updates once every week. It is highly recommended to configure the update schedule to poll the update server every four to eight hours to arm the Anchiva system with the latest threat database and thus block the latest malware threats from entering your system.

Manually updating definitions

You can manually update definitions of malware, malicious sites, and application control even if you have configured automatic updates.

Figure 21: Manual updates of the threat databases


To manually update definitions

1 Select Management > Maintenance > Update > Signature.

2 Under Update, do one of the following and click Apply.

• Select Manually update Malware definition to immediately connect to the update server to get the latest malware definitions.

• Select Manually update Malicious Sites to immediately connect to the update server to get the latest malicious site list.

• Select Manually update Application Control to immediately connect to the update server to get the latest application control definitions.

• Select Manually update URL Filter to immediately connect to the update server to get the latest application control definitions.

• Select Manually update Server Protection to immediately connect to the update server to get the latest application control definitions.

• Select Local update of Malware definition and click Browse to locate the malware definition file on your local PC.

• Select Local update of Malicious Sites and click Browse to locate the malicious site definition file on your local PC.


• Select Local update of Application Control and click Browse to locate the definition file on your local PC.

• Select Local update of URL Filter and click Browse to locate the definition file on your local PC.

• Select Local update of Server Protection and click Browse to locate the definition file on your local PC.

Rolling back to previous malware definition or malicious sites

In case you want to revert to the known good previous version of the definitions, you can do so on the Management > Maintenance > Update > Signature page.

Proxy authentication

For the Anchiva gateway to update its malware definitions and malicious site list, the gateway must be able to connect to the Internet. If the gateway connects to the Internet through a proxy server, you must configure the proxy authentication settings.

Figure 22: Proxy Authentication

To configure the proxy authentication settings

1 Select Management > Maintenance > Update > Proxy Auth.

2 Configure the following settings and click Apply.

Enable Proxy Authentication Select this option if the Anchiva gateway connects to the Internet through a proxy server.

Auth Mechanism Depending on the proxy server authentication methods, select one of the following options:

None-auth: Select this option if the proxy server does not require authentication. After selecting this option, you only need to specify the proxy server’s IP address and port number.

Basic: Select this option if the proxy server uses a local username/password database to perform authentication. After selecting this option, specify the proxy server IP, port, and credentials.

NTLM: Select this option if the proxy server authenticates users against a remote Windows Active Directory database.

Domain If the proxy server uses NTLM authentication, you must specify the Windows

domain which the Anchiva gateway belongs to.

IP Address ofAuth Server Enter the IP address of the proxy server.

Port Enter the port of the proxy server your LAN uses to connect to the Internet.

Username Enter the user name for proxy server authentication.

Password Enter the password for proxy server authentication.
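The following Python example is added here and is not code from the Anchiva guide or product. It checks that a Proxy Auth configuration is complete for the chosen mechanism (the None-auth, Basic and NTLM names are the guide's; the setting keys enabled, mechanism, server, port, username, password and domain are assumptions) and shows what a Basic proxy login actually places on the wire: a base64 encoding of the credentials, which is why Basic should only be used where the path from the gateway to the proxy is trusted.

```python
"""Validation of the Proxy Auth settings described in this section, plus the
header a Basic proxy login produces. Example code, not the Anchiva product's
implementation; the mechanism names come from the guide, the setting keys
(enabled, mechanism, server, port, username, password, domain) are assumed."""
import base64
import ipaddress

MECHANISMS = ("None-auth", "Basic", "NTLM")


def validate_proxy_settings(cfg):
    """Return the list of problems with a settings dictionary (empty = complete)."""
    problems = []
    if not cfg.get("enabled"):
        return problems                  # gateway reaches the update server directly
    mech = cfg.get("mechanism")
    if mech not in MECHANISMS:
        problems.append("auth mechanism must be one of %s" % ", ".join(MECHANISMS))
    try:
        ipaddress.ip_address(cfg.get("server", ""))
    except ValueError:
        problems.append("a valid proxy server IP address is required")
    port = cfg.get("port")
    if not isinstance(port, int) or not 1 <= port <= 65535:
        problems.append("proxy port must be an integer between 1 and 65535")
    if mech in ("Basic", "NTLM"):         # None-auth needs only address and port
        for field in ("username", "password"):
            if not cfg.get(field):
                problems.append("%s is required for %s" % (field, mech))
    if mech == "NTLM" and not cfg.get("domain"):
        problems.append("Windows domain is required for NTLM")
    return problems


def basic_proxy_authorization(username, password):
    """Value of the Proxy-Authorization header for Basic (RFC 7617).
    The credentials are base64-encoded, not encrypted: anyone who can read
    the gateway-to-proxy traffic recovers them, so Basic belongs only on a
    trusted path between the gateway and the proxy."""
    raw = ("%s:%s" % (username, password)).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


if __name__ == "__main__":
    settings = {"enabled": True, "mechanism": "NTLM", "server": "192.0.2.1",
                "port": 3128, "username": "swg", "password": "s3cret"}
    print(validate_proxy_settings(settings))   # domain is missing for NTLM
    print(basic_proxy_authorization("swg", "s3cret"))
```

The NTLM branch only checks that the Windows domain is present; the NTLM exchange itself is handled by the proxy and the gateway and is not modelled here.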

License

The Anchiva RapidRx Lab continuously updates the malware definitions, scan engine, application control, and application sites databases so that the SWG can detect and block malicious and unwanted programs entering and leaving your network. To receive the updated definitions, you must have a valid subscription license.

If a valid license was not purchased at the time of system purchase, contact your technology partner or Anchiva Technical Support to obtain one. After receiving the license, install it onto your Anchiva Secure Web Gateway.

The Anchiva gateway also supports the Google Safe Browsing Service, which prevents accidental access to phishing and malware-infected websites. To activate and use this service, visit http://code.google.com/apis/safebrowsing/key_signup.html to sign up for a license key. After you receive the key, install it onto the Anchiva gateway to activate the service.

Figure 23: License

Page 53: Anchiva SWG Administration Guide 3.00 v2

System Management 52

Anchiva Secure Web Gateway Administration Guide

To install an anti-malware license key

1 Select Management > Maintenance > License.

2 Click Browse and locate the license key file for the service you need to enable.

3 Click Apply.

To install a license key for Google Safe Browsing Service

1 Select Management > Maintenance > License.

2 For Google Safe Browsing, click Install Key.

3 Enter the key.

4 Click Apply.

Shutting down the system

You can remotely reboot or shut down the Anchiva gateway from the WebUI.

To reboot or shut down the Anchiva gateway

1 Select Management > Maintenance > System Reset.

2 From the dropdown list, select an action.

3 Click Apply.

Generating the technical support file

The technical support file contains critical logs and system core files which help Anchiva's technical support team troubleshoot and diagnose system problems. When troubleshooting system problems with Anchiva technical support, you may be asked to generate the technical support file and send it to the Anchiva technical support team.


Note: Since the technical support file may be large, contact Anchiva Technical Support for an appropriate method to submit the file. Anchiva technical support can set up a temporary FTP account for uploading the file.

To generate the technical support file

1 Select Management > Maintenance > Tech Support.

2 Click Generate Tech-Support File.

3 Save the file to your PC.


Admin Accounts

Administrator accounts are used to manage and configure the Anchiva SWG by way of the secure WebUI and the CLI. When configuring new system administrators, you can assign them one of three roles:

• Read-Write - full system access, to add and edit configuration options

• Read-Only - limited system access, to view the system configuration, logs and reports only.

• Audit - limited system access, to view the logs and reports only. The Audit role cannot view the system's configured parameters.

The superuser account "administrator" is the only account that has privileges to create new and edit existing user accounts. The password can be changed, but the username ("administrator") of the superuser cannot be changed. Up to 9 additional administrator accounts can be added.

This section contains the following topics:

• Viewing the administrator accounts

• Adding an admin account

• Configuring admin access control

Viewing the administrator accounts

Go to Management > Admin Accounts > Administrators to view detailed information about the administrator accounts.

Figure 24: Administrators

Index Numbering of admin accounts.

Privileges Either Read-Write or Read-Only.

Administrator Names Displays the names of the administrator accounts. Click a name to edit the account information. You can change the passwords and privileges for the admin accounts. For the super user account, you can only change the password.

Add Select to add a new admin account. For details, see "Adding an admin account" on page 70.


Edit Edit an admin account by selecting the check box and clicking the Edit button. You can also click on the administrator name to edit the account. The super user account can change the passwords and privileges of all other admin accounts. The super user account cannot be removed, but its password can be changed.

Delete Select an admin account and then click the Delete button to remove the account.

Adding an admin account

As the super user, you can add new admin accounts or edit existing accounts.

Figure 25: Adding an admin account

To add an admin account

1 Select Management > Admin Accounts > Administrators.

2 Click Add.

3 Enter an administrator user name. The user name can only use lowercase English letters a-z and numbers 0-9. Upper case characters are not supported.

4 Enter a password. The password for an administrator account must be a minimum of 6 characters and can be up to a maximum of 20 characters. Supported characters include alpha and numeric characters and the special characters ! @ # $ % ^ & * ?. To prevent unauthorized access to the management consoles, choose passwords that use a mix of alpha, numeric and special characters.

5 Reenter the password.

6 Select either Read-Write, Read-Only or Audit privileges for the admin user.

7 Click Apply.
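The user name and password rules from steps 3 and 4 above, as a Python check an administrator can run over a planned account list before entering it in the WebUI. This is an added example, not code from the Anchiva guide or product: the three role names, the 6-20 character range, the special-character set and the limit of 9 additional accounts come from this section, while the function and parameter names are assumptions.

```python
"""Admin account provisioning checks modelled on the account rules in this
section of the Anchiva SWG guide (lowercase a-z/0-9 user names, 6-20
character passwords drawn from letters, digits and ! @ # $ % ^ & * ?, three
roles, at most nine administrators besides the built-in superuser).
Example code, not the appliance's own implementation."""
import re
import string

USERNAME_RE = re.compile(r"[a-z0-9]+")
PASSWORD_MIN, PASSWORD_MAX = 6, 20
SPECIAL_CHARS = set("!@#$%^&*?")
ALLOWED_PASSWORD_CHARS = set(string.ascii_letters + string.digits) | SPECIAL_CHARS
ROLES = ("Read-Write", "Read-Only", "Audit")
SUPERUSER = "administrator"
MAX_ADDITIONAL_ADMINS = 9


def check_username(name):
    """Return hard policy violations for a proposed administrator name."""
    problems = []
    if not USERNAME_RE.fullmatch(name):
        problems.append("user name may only contain lowercase a-z and digits 0-9")
    if name == SUPERUSER:
        problems.append("'%s' is the reserved superuser name" % SUPERUSER)
    return problems


def check_password(password):
    """Return (violations, warnings). Violations block the account; the
    warning repeats the guide's advice to mix alpha, numeric and special
    characters, which the appliance does not enforce."""
    violations, warnings = [], []
    if not PASSWORD_MIN <= len(password) <= PASSWORD_MAX:
        violations.append("password must be %d-%d characters" % (PASSWORD_MIN, PASSWORD_MAX))
    disallowed = sorted(set(password) - ALLOWED_PASSWORD_CHARS)
    if disallowed:
        violations.append("unsupported characters: %r" % "".join(disallowed))
    classes = [
        any(c.isalpha() for c in password),
        any(c.isdigit() for c in password),
        any(c in SPECIAL_CHARS for c in password),
    ]
    if not all(classes):
        warnings.append("use a mix of alpha, numeric and special characters")
    return violations, warnings


def provision_admin(existing, name, password, confirm, role):
    """Validate a new account against the rules and the existing accounts.
    `existing` maps user name -> role (the superuser is always present).
    Returns the updated mapping or raises ValueError listing every problem."""
    problems = list(check_username(name))
    if name in existing:
        problems.append("an account named '%s' already exists" % name)
    if password != confirm:
        problems.append("re-entered password does not match")
    violations, _warnings = check_password(password)
    problems.extend(violations)
    if role not in ROLES:
        problems.append("role must be one of %s" % ", ".join(ROLES))
    additional = [n for n in existing if n != SUPERUSER]
    if len(additional) >= MAX_ADDITIONAL_ADMINS:
        problems.append("limit of %d additional admin accounts reached" % MAX_ADDITIONAL_ADMINS)
    if problems:
        raise ValueError("; ".join(problems))
    updated = dict(existing)
    updated[name] = role
    return updated


if __name__ == "__main__":
    accounts = {SUPERUSER: "Read-Write"}
    accounts = provision_admin(accounts, "auditor1", "Abc123!", "Abc123!", "Audit")
    print(accounts)
```

The warning list is kept separate from the violations so that a weak-but-accepted password (letters only, for instance) is still flagged in review without being rejected by a rule the appliance itself does not apply.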


Configuring admin access controls

For added system security, management access to the SWG can be locked down to a list of host IPs or subnets, and the application ports used for communication with the management interface can be changed to non-standard ports.

Note: Management is enabled at the interface level. The parameters configured here are global and apply to all management communications.

Figure 26: Access control

To configure the administrator access settings

1 Select Management > Admin Accounts > Access Control.

2 Specify the following settings and click Apply:

Idle Timeout The WebUI automatically logs out an administrator who has been inactive for the specified amount of time. Valid idle timeout is between 5 and 30 minutes. Default is 5 minutes.

Login Retry Times Number of failed login attempts allowed before the system stops accepting new login attempts. Valid retry times are between 0 and 10. Default is 5 times.


Retry Wait Time The amount of time the system locks out any new management login attempts after the Login Retry Times has been exceeded. Valid time is between 5 and 30 minutes. Default is 5 minutes.

HTTPS Port Specify the port number for HTTPS access. Default port number is 443.

SSH Port Specify the port number for SSH access. Default port number is 22.

NMS Port Specify the port number for NMS access. Default port number is 4438.

Management Hosts Enter the host IP address or network subnet and click Add to allow management access only from the specified hosts. You can also delete a management host.

Note: The Anchiva gateway will only accept system management requests from the trusted management hosts. If you do not specify any management host, users can log on to the gateway from any subnet.
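To make the interaction between these settings concrete, the following Python model is added here; it is example code, not the appliance's own logic. The value ranges (idle timeout 5-30 minutes, login retry times 0-10, retry wait time 5-30 minutes) and the rule that an empty management host list allows logins from any subnet are taken from the table above. Two details the guide leaves open are assumptions in the model: failed attempts are counted per source address, and the lockout begins when consecutive failures reach Login Retry Times.

```python
"""Model of the Access Control settings in this section: idle timeout (5-30
minutes), login retry times (0-10), retry wait time (5-30 minutes) and the
management host allowlist. Example code, not the appliance's own logic.
Assumptions: failures are counted per source address, and the lockout starts
when the number of consecutive failures reaches Login Retry Times."""
import ipaddress


class AccessControl:
    def __init__(self, idle_timeout_min=5, login_retry_times=5,
                 retry_wait_min=5, management_hosts=()):
        if not 5 <= idle_timeout_min <= 30:
            raise ValueError("idle timeout must be 5-30 minutes")
        if not 0 <= login_retry_times <= 10:
            raise ValueError("login retry times must be 0-10")
        if not 5 <= retry_wait_min <= 30:
            raise ValueError("retry wait time must be 5-30 minutes")
        self.idle_timeout = idle_timeout_min * 60       # seconds
        self.login_retry_times = login_retry_times
        self.retry_wait = retry_wait_min * 60           # seconds
        # Host addresses or subnets; an empty list means any source may log on.
        self.management_hosts = [ipaddress.ip_network(h, strict=False)
                                 for h in management_hosts]
        self._failures = {}       # source -> consecutive failed attempts
        self._locked_until = {}   # source -> time (s) the lockout expires

    def host_allowed(self, source_ip):
        """Management host check: applies before any credential is examined."""
        if not self.management_hosts:
            return True
        addr = ipaddress.ip_address(source_ip)
        return any(addr in net for net in self.management_hosts)

    def attempt_login(self, source_ip, credentials_ok, now):
        """Return 'denied-host', 'locked', 'failed' or 'ok' for one attempt."""
        if not self.host_allowed(source_ip):
            return "denied-host"          # never reaches the credential check
        if self._locked_until.get(source_ip, 0) > now:
            return "locked"               # even a correct password is refused
        if credentials_ok:
            self._failures.pop(source_ip, None)
            return "ok"
        failures = self._failures.get(source_ip, 0) + 1
        if failures >= self.login_retry_times:
            self._failures.pop(source_ip, None)
            self._locked_until[source_ip] = now + self.retry_wait
            return "locked"
        self._failures[source_ip] = failures
        return "failed"

    def session_expired(self, last_activity, now):
        """True when the WebUI should log the administrator out for inactivity."""
        return now - last_activity >= self.idle_timeout


if __name__ == "__main__":
    ac = AccessControl(login_retry_times=3, retry_wait_min=10,
                       management_hosts=["10.0.0.0/24", "192.0.2.10"])
    for t, ok in ((0, False), (1, False), (2, False), (3, True), (700, True)):
        print(t, ac.attempt_login("10.0.0.7", ok, t))
```

Run stand-alone, the demo shows the sequence failed, failed, locked, locked (correct password during the wait time) and finally ok once the retry wait time has elapsed; a source outside the management hosts gets denied-host regardless of credentials.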


Dashboard and Statistics

After you log on to the Anchiva system WebUI, the default display page is the Dashboard page under the Home main menu. The Dashboard gives you quick access to frequently used configurations and allows you to view critical system information, including the inspection summary and the firmware and definition updates. The SWG can be configured to automatically update and maintain its malware, malicious sites and application control definitions based on a schedule.

The Statistics submenu is used to view and display real-time system and application information, such as current and historical session and network utilization information.

This section contains the following topics:

• Using the dashboard

• Viewing statistics

Using the dashboard

The Home > Dashboard page gives you quick access to frequently used configurations and important information, such as recent malware detection highlights.

Figure 27: Dashboard

System Time Displays the current system time. To set up the time, go to Management > System Settings > Host.

Refresh Click to refresh the dashboard right away. To set the dashboard refresh interval, select a number (in seconds) from the dropdown list. If you set the refresh interval to 0, the page will not be refreshed. The refresh setting does not apply to other WebUI pages.

System and Threat Engine Status

Host Name The host name of the Anchiva gateway. The host name can consist of English letters, numbers and the underscore '_'. To change the host name, see "Setting the host name".

Memory Usage Displays the percentage of memory currently in use.

Log Disk Usage Displays the percentage of disk space used by the saved logs.

Hardware Acceleration Displays whether the Anchiva gateway is installed with the Anchiva acceleration card. The card is Anchiva's ASIC-based malware detection engine. If the acceleration card is installed, Accelerated will be displayed. If the card is not installed, Un-equipped will be displayed. The acceleration card option is not available for all Anchiva products. For details, contact your Anchiva product sales representative or visit www.anchiva.com.

HA Status Displays the Anchiva appliance's HA status: Standalone, Master or Backup. To configure the HA settings, go to Management > Network Settings > HA.

Firmware Version Displays the version number of the firmware currently running on the gateway. To update the firmware, click Update beside Firmware Version. For details, see "Configuring update settings".

Serial Number Displays the serial number of the Anchiva gateway, which is the unique identifier of the gateway.

Inspection Mode Either Preventative or Recon. For details about the two modes, see "Setting the inspection mode".

Up Time Displays the total length of time the system has been in operation since the last startup. Up Time is shown in days, hours, and minutes.

Malware Definition Displays the version of the current malware definition file installed on the system. If a subscription has been purchased for your SWG, click Update to download and install the latest definition updates from Anchiva's distribution servers. For details, see "Configuring update settings".

Malicious Sites Displays the database version number of Anchiva's collection of known malicious sites. If a subscription has been purchased for your SWG, click Update to download and install the latest definition updates from Anchiva's distribution servers. For details, see "Configuring update settings".

Application Control Displays the definition version of the current application control database installed on the system. If a subscription has been purchased for your SWG, click Update to download and install the latest definition updates from Anchiva's distribution servers. For details, see "Configuring update settings".

URL Filter Displays the definition version of the current URL Filter database installed on the system. If a subscription has been purchased for your SWG, click Update to download and install the latest definition updates from Anchiva's distribution servers. For details, see "Configuring update settings".

Server Protection Displays the definition version of the current Server Protection threat database installed on the system. If a subscription has been purchased for your SWG, click Update to download and install the latest definition updates from Anchiva's distribution servers. For details, see "Configuring update settings".

Engine Version Displays the version number of the current malware scan engine. If you have a valid service contract, click Update to get the latest updates. For details, see "Configuring update settings".

Engine Status One of the following:

• Software-Normal: the software engine is the active content inspection engine. The hardware-based systems (Anchiva 1000X/1000XT, 2000X, 2000FX) can also display the next state. The systems with no hardware acceleration (Anchiva 206/500/506) only have the Software-Normal choice.

• Hardware-Normal: the ASIC hardware-accelerated engine is the active content inspection engine. The hardware-based systems have a fallback mechanism: when the hardware engine fails, the system falls back to the software engine. When an engine fallback occurs, the system generates a syslog message and sends an SNMP trap to alert the administrator. If your system has fallen back, contact Anchiva technical support.

• Initializing: the system is applying a newly downloaded malware definition. During this stage, new and existing sessions are not dropped.

• Disabled: both the software and hardware engines are not running. If the system displays this engine status, contact Anchiva technical support.

Malware License Displays the anti-malware license status. For details, see "License".

Application Control License Displays the application control license status. For details, see the "License" section.

URL Filter License Displays the URL Filter license status. For details, see the "License" section.

Server Protection License Displays the Server Protection license status. For details, see the "License" section.

Inspection Summary Displays the following information for the HTTP/HTTPS, SMTP, POP3, and FTP traffic:

• Active sessions

• Malware detected today

• Total malware detected

• Total files inspected

System Statistics

CPU Usage Displays the CPU usage information in a graph view. If the Anchiva gateway experiences high CPU usage for an extended time, you may need to investigate the causes.

Network Utilization Displays the total throughput in Mbps for every minute in the past hour.

Inspection Highlights

Malware Detected Displays the number of malware incidents detected in the HTTP/HTTPS, SMTP, POP3, and FTP traffic every minute in the past hour.

Files Inspected Displays the number of files inspected in the HTTP/HTTPS, SMTP, POP3, and FTP traffic every minute in the past hour.

Session Counter Displays the number of HTTP/HTTPS, SMTP, POP3, and FTP sessions by minute in the past hour.

Protocol Bandwidth Utilization Displays the recent bandwidth usage by protocol in the past hour.

Viewing statistics

After you have set up your Anchiva gateway, configured the malware detection settings, and created traffic filtering policies, the Anchiva gateway will start to inspect the network traffic going through the gateway and display detailed system information and malware detection information under Home > Statistics. The Statistics pages help you to monitor your network activities, readjust the malware detection settings and policies, and troubleshoot security issues.

Under Home > Statistics, you can view the following information:

• System statistics

• Interface statistics

• HTTP statistics

• FTP statistics

• POP3 statistics

• SMTP statistics

System statistics

The Home > Statistics > System page displays the current and historical statistics about the CPU usage and network bandwidth usage.


Figure 28: System statistics

Interval Select the statistics interval to display: Past Hour, Daily, Weekly or Monthly.

Refresh Click Refresh to refresh the page.

CPU Usage Displays the CPU usage information both in text and a graphic. If the Anchiva gateway experiences high CPU usage for an extended time, you may need to investigate the causes.

Network Utilization Displays the network bandwidth usage information.

Interface statistics

The Home > Statistics > Interfaces page displays the following detailed statistical information for all the interfaces.

Figure 29: Interface counters

Name Name of the interface.


IP Address IP address assigned to the interface.

Link Status Either up or down.

Note: The vlan1 interface is a pseudo interface that is bound to all interfaces configured in transparent mode. If all transparent mode interfaces have a link down status, then vlan1 will also have a link down status. If any of the transparent mode interfaces has a link up status, then the vlan1 interface will also show a link up status.

Mode Either Transparent or Route mode. For more information, see "Route mode and transparent mode".

Zone Displays the zone that the interface belongs to. For information about zones, see "Zone".

Rx Pkts Total packets received on the interface.

Rx Errors Error packets received on the interface.

Tx Pkts Total packets sent through the interface.

Tx Errors Error packets sent through the interface.

Refresh Click Refresh to get the latest information.

HTTP/HTTPS statistics

The Home > Statistics > HTTP/HTTPS page displays the current and historical statistics about the HTTP/HTTPS traffic, such as the number of detected malware incidents, number of inspected HTTP/HTTPS files, HTTP/HTTPS sessions, and HTTP/HTTPS network utilization.

Figure 30: HTTP/HTTPS statistics


Interval Select the statistics interval to display: Past Hour, Daily, Weekly, or Monthly.

Refresh Click Refresh to refresh the page.

HTTP/HTTPS Sessions Displays the HTTP/HTTPS session counts both in text and a graphic.

HTTP/HTTPS Network Utilization Displays the network bandwidth usage information both in text and a graphic.

HTTP/HTTPS: Files Inspected Displays the number of inspected HTTP/HTTPS files in the specified interval.

HTTP/HTTPS: Malware Detected Displays the number of detected malware incidents in the specified interval.

Malicious Access Detected Displays the log records of the 5 most recent malware incidents in the specified interval. To see all the log records, click More. For details about malware incident logs, see "Client Incidents".

Most Detected Malware Displays the top 5 malware detected in the HTTP/HTTPS traffic.

Clients With Malware Activity Displays the top 10 clients who experienced the most malware intrusions.

FTP statistics

The Home > Statistics > FTP page displays the current and historical statistics about the FTP traffic, such as the number of detected malware incidents, number of inspected FTP files, FTP sessions, and FTP network utilization.

Figure 31: FTP statistics

Interval Select the statistics interval to display: Past Hour, Daily, Weekly or Monthly.

Refresh Click Refresh to refresh this page.

FTP Sessions Displays the FTP session counts both in text and a graphic.

FTP Network Utilization Displays the network bandwidth usage information both in text and a graphic.

FTP: Files Inspected Displays the number of inspected FTP files in the specified interval.

FTP: Malware Detected Displays the number of detected malware incidents in the specified interval.

Malicious Access Detected Displays the log records of the 5 most recent malware incidents in the specified interval. To see all the log records, click More. For details about malware incident logs, see "Client Incidents".

Most Detected Malware Displays the top 5 malware detected in the FTP traffic.

Clients With Malware Activity Displays the top 10 clients who experienced the most malware intrusions.

POP3 statistics

The Home > Statistics > POP3 page displays the current and historical statistics about the POP3 traffic, such as the number of infected emails, number of inspected POP3 emails, POP3 sessions, and POP3 network utilization.

Figure 32: POP3 statistics


Interval Select the statistics interval to display: Past Hour, Daily, Weekly or Monthly.

Refresh Click Refresh to refresh the page.

POP3 Sessions Displays the POP3 session counts both in text and a graphic.

POP3 Network Utilization Displays the network bandwidth usage information both in text and a graphic.

POP3: Files Inspected Displays the number of inspected POP3 emails in the specified interval.

POP3: Malware Detected Displays the number of infected POP3 emails in the specified interval.

Malicious Access Detected Displays the log records of the 5 most recent malware incidents in the specified interval. To see all the log records, click More. For details about malware incident logs, see "Client Incidents".

Most Detected Malware Displays the top 5 malware detected in the POP3 traffic.

Clients With Malware Activity Displays the top 10 clients who experienced the most malware intrusions.

SMTP statistics

The Home > Statistics > SMTP page displays the current and historical statistics about the SMTP traffic, such as the number of infected emails, number of inspected emails, SMTP sessions, and SMTP network utilization.

Figure 33: SMTP statistics


Interval Select the statistics interval to display: Past Hour, Daily, Weekly or Monthly.

Refresh Click Refresh to refresh the page.

SMTP Sessions Displays the SMTP session counts both in text and a graphic.

SMTP Network Utilization Displays the network bandwidth usage information both in text and a graphic.

SMTP: Files Inspected Displays the number of inspected SMTP emails in the specified interval.

SMTP: Malware Detected Displays the number of infected SMTP emails in the specified interval.

Malicious Access Detected Displays the log records of the 5 most recent malware incidents in the specified interval. To see all the log records, click More. For details about malware incident logs, see "Client Incidents".

Most Detected Malware Displays the top 5 malware detected in the SMTP traffic.

Clients With Malware Activity Displays the top 10 clients who experienced the most malware intrusions.
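The HTTP/HTTPS, FTP, POP3 and SMTP statistics pages above all derive the same four panels from the incident records of one protocol: detections per minute over the past hour, Most Detected Malware (top 5), Clients With Malware Activity (top 10) and Malicious Access Detected (5 most recent). The following Python example, added here and not code from the Anchiva guide or product, rebuilds those panels for any of the four protocols from a list of records, which is useful when the incident logs have been exported and the same view is wanted in a SIEM or a script. The record layout (timestamp, protocol, client IP, malware name) and the sample incidents are constructed for the example; the appliance's own log format is not specified in this section.

```python
"""Rebuilds the per-protocol statistics that the Home > Statistics pages show
(malware detected per minute over the past hour, Most Detected Malware,
Clients With Malware Activity, Malicious Access Detected) from incident
records. Example code; the record format and sample data below are
constructed for this example and are not the appliance's own log format."""
from collections import Counter
from datetime import datetime, timedelta

TIME_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample incidents: (timestamp, protocol, client IP, malware name).
SAMPLE_INCIDENTS = [
    ("2009-06-01 09:58:10", "HTTP", "10.1.1.5", "EICAR-Test-File"),
    ("2009-06-01 09:58:40", "HTTP", "10.1.1.5", "EICAR-Test-File"),
    ("2009-06-01 09:59:30", "HTTP", "10.1.1.9", "Trojan.Constructed.A"),
    ("2009-06-01 09:20:00", "HTTP", "10.1.1.5", "Trojan.Constructed.A"),
    ("2009-06-01 09:00:01", "HTTP", "10.1.1.7", "Trojan.Constructed.A"),
    ("2009-06-01 08:59:59", "HTTP", "10.1.1.7", "EICAR-Test-File"),  # older than one hour
    ("2009-06-01 09:45:00", "FTP", "10.1.1.7", "EICAR-Test-File"),   # different protocol
]


def parse_time(text):
    return datetime.strptime(text, TIME_FMT)


def protocol_summary(records, protocol, now, top_malware=5, top_clients=10, recent=5):
    """Aggregate the incidents of one protocol over the hour ending at `now`.
    Records exactly one hour old or older are outside the Past Hour window."""
    window_start = now - timedelta(hours=1)
    per_minute = [0] * 60          # index 59 is the minute ending at `now`
    malware = Counter()
    clients = Counter()
    hits = []
    for ts_str, proto, client, name in records:
        ts = parse_time(ts_str)
        if proto != protocol or not window_start < ts <= now:
            continue
        age_minutes = int((now - ts).total_seconds() // 60)  # 0..59 inside the window
        per_minute[59 - age_minutes] += 1
        malware[name] += 1
        clients[client] += 1
        hits.append((ts, client, name))
    hits.sort(reverse=True)        # newest first, as in Malicious Access Detected
    return {
        "malware_detected_total": sum(per_minute),
        "malware_detected_per_minute": per_minute,
        "most_detected_malware": malware.most_common(top_malware),
        "clients_with_malware_activity": clients.most_common(top_clients),
        "malicious_access_detected": hits[:recent],
    }


if __name__ == "__main__":
    now = parse_time("2009-06-01 10:00:00")
    for proto in ("HTTP", "FTP", "POP3", "SMTP"):
        summary = protocol_summary(SAMPLE_INCIDENTS, proto, now)
        print(proto, summary["malware_detected_total"], summary["most_detected_malware"])
```

The window boundary is deliberately half-open (older than or exactly one hour is excluded, the current instant is included) so that a record is never counted in two consecutive hourly views.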

Web Filter

The Home > Statistics > Web Filter page displays URL events associated with the Malicious Sites and Google Safe Browsing filters.

When both of these URL filters are enabled, the system logs URL requests to websites that match entries in either URL database. Statistics for both the Malicious Sites and the Google filters include the most recent URL matches, the most frequently matched URLs, and the top clients making requests to URLs in either URL database.

Malicious Sites

Figure 34: Malicious Sites counter

Figure 11: Malicious Sites statistics

Interval Select the statistics interval to display: Past Hour, Daily, Weekly, or Monthly.

Refresh Click Refresh to refresh the page.

Malicious Sites Counter Displays the events charted based on the time interval.

Malicious Access Detected Displays the most recent website accesses that matched a malicious sites filter.

Most URLs Detected Displays the top requested URLs that matched a malicious sites entry.

Most Clients Detected Displays the top clients who made the most URL requests that matched a malicious sites filter.

Google Safe Browsing

Figure 35: Google Safe Browsing counter

Figure 12: Google Safe Browsing statistics

Interval Select the statistics interval to display: Past Hour, Daily, Weekly, or Monthly.

Refresh Click Refresh to refresh the page.

Malicious Sites Counter Displays the events charted based on the time interval.

Malicious Access Detected Displays the most recent website accesses that matched a Google filter.

Most URLs Detected Displays the top requested URLs that matched a Google entry.

Most Clients Detected Displays the top clients who made the most URL requests that matched a Google filter.


Applications

The Home > Statistics > Applications page displays the Realtime Monitor and Traffic Statistics for application control events.

When application control filtering is enabled, the system creates an event log that includes the application detected along with the client information associated with use of the application.

The Realtime Monitor logs the application control events, displaying the logs from the most recent and active applications. The Traffic Statistics page displays logs specific to a particular application, along with the applications that transferred the most traffic (measured in bytes transferred) and the clients that were found to have transferred the most data (measured in bytes transferred).

Realtime Monitor

Figure 36: Realtime Monitor header

Figure 13: Realtime Monitor statistics

Search Used to search the application logs for specific records. Click Run to start the search.

Refresh Refreshes the page statistics.

App Name Displays the name of the detected application.

App Group Displays the application group associated with the detected application.

Client IP Displays the client IP address where the application was detected.

Sent Bytes Displays the number of bytes transferred by the application.

Received Bytes Displays the number of bytes received by the application.

Traffic Statistics

Figure 37: Traffic Statistics header


Figure 14: Traffic Statistics

Interval Select the statistics interval to display: Past Hour, Daily, Weekly, or Monthly.

Application Name Choose the application for which to display the traffic statistics.

Refresh Click Refresh to refresh the page.

Most Traffic Applications Detected Displays the top applications that transferred the most data.

Most Traffic Clients Detected Displays the top clients that transferred the most data.


Reports and Logs

The Anchiva SWG provides onboard real-time and archived logging and activity reports. The available logs and reports give the administrator a detailed view of web and email security events, including malware activity, URL activity, attacks targeting web servers, and application usage on the network.

Both inbound and outbound event logs are displayed. Outbound malware activity may point to internal hosts that are already infected with malware and are attempting to infect, or upload the malware to, hosts outside of the network.

Reports

The reports section is broken down into three main sections:

· Saved

· Schedule

· Generate

Logs

The logs section contains separate, specific logs that display the following events:

· Client Incidents

· Malware Detected

· Web Filter

· Server Protection

· Event Logs

· Normal Emails

· Applications

· Management

Reports

Detailed logs and reports can be generated onboard the system. The reports are broken down into 6 main categories.


Figure 37: Report categories

Summary Reports Predefined event summary reports

Emails Reports SMTP and POP3 malware and top email sender and recipient reports

HTTP/HTTPS Reports HTTP/HTTPS malware activity reports

FTP Reports FTP malware activity reports

Webfilter reports Reports for Blacklist sites, Malicious Sites, Google Safe Browsing Sites, URL Filter and Application sites

Application Bandwidth Usage reports Reports for the top bandwidth-using clients and applications


Figure 38: Predefined summary reports


Figure 39: Emails Reports listing

Figure 40: HTTP/HTTPS Reports listing

Figure 41: FTP Reports listing


Figure 42: Webfilter Reports listing

Figure 43: Application Bandwidth Reports listing

Saved Reports

On the Reports and Logs > Reports > Saved page, you can view, download, or delete the generated reports. These are reports that were previously generated using a schedule or the on-demand Generate option.


Figure 44: Saved reports display

To manage the saved reports

1 To view a report, click the report type. A new page opens showing the individual reports.

2 To download a report to your local PC, click the icon in the Export column.

3 To delete a report, select the report and click Delete.

Setting up report schedules

The system can automatically generate reports on a recurring schedule, using the configured report parameters.

Figure 45: Setting up report schedule


To set up a report schedule

1 Select Reports and Logs > Reports > Schedule.

2 In the Report For section, choose the report information to include in the report (see below for the report options).

3 Configure the Client IP information if a report is needed for a specific host, subnet or Security Group.

4 Under Schedule Report, specify the day(s) and time to generate reports. Reports are generated automatically on the recurring schedule configured.

5 Under Action for Generated Reports, select either Save Report Locally to store the reports on the Anchiva appliance’s hard disk, or Email Report to email the reports to the email account you configure under Management > System Settings > Email Setting.

6 Click Apply to save the settings.


Generating reports

The Generate Reports option is used to generate reports manually. Reports created with the Generate Reports option are automatically saved to the local hard disk but, unlike scheduled reports, cannot be emailed. After a report is generated, it can be displayed and downloaded from the WebUI.

To generate reports

1 Select Reports and Logs > Reports > Generate.

2 Under Report For, specify what types of reports you want to generate.

3 Under Client IP Address, choose all or a specific IP host or subnet or a Security Group that will be the target source for the report.

4 Under Choose the time period to collect the report data, choose one of the following two options to specify a time frame:

• From the In dropdown list, select Today, Yesterday, Past 7 days, Past 14 days, or Past 30 days.

• In the From and To boxes, specify the start and end date and time.

5 Click Apply to generate the specified reports immediately. After the reports are generated, go to the Saved page to view the reports.

Logs

The system log settings are configured under Management > System Settings > Logs > Log Settings.

When events are detected the logs can be viewed in the Reports and Logs > Logs section.

Automatic encoding transformation

There are cases where some logs cannot be displayed correctly in the browser because the original file or email did not contain any encoding information, thus preventing the browser from properly interpreting and displaying the information.

In such cases, the Anchiva gateway can transform the logs with no encoding information to UTF-8. For example, for users in China whose browsers are set to use GBK or some other encoding, if the logs are not readable, the users can change their browser settings to UTF-8 to read the logs.
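The transformation described above, as an added illustration that is not Anchiva's own code: a log line stored as GBK bytes with no declared charset is decoded by trying candidate encodings strictly and re-encoded as UTF-8 so a UTF-8 browser renders it. The sample bytes, the candidate list and the function names are constructed for this example.

```python
# Constructed sample: a Chinese email subject stored as GBK bytes with no
# charset declared, the situation the guide describes. Not real log output.
SAMPLE_GBK_BYTES = "测试邮件主题".encode("gbk")


def to_utf8(raw, declared=None, candidates=("utf-8", "gbk", "big5", "shift_jis")):
    """Decode raw log bytes and return (utf8_bytes, encoding_used).

    If the source declared a charset, trust it. Otherwise try the candidate
    encodings strictly, in order, and accept the first one that decodes
    cleanly. As a last resort substitute U+FFFD so the line still displays;
    the label makes the lossy fallback visible to whoever reads the log.
    The candidate order is an assumption for this example: strict UTF-8
    fails fast on most legacy-encoded text, so it is tried first.
    """
    if declared:
        return raw.decode(declared).encode("utf-8"), declared
    for enc in candidates:
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        return text.encode("utf-8"), enc
    return raw.decode("utf-8", errors="replace").encode("utf-8"), "utf-8 (lossy)"


def transform_log_lines(lines, declared=None):
    """Transform a list of raw byte lines into UTF-8 byte lines for display."""
    return [to_utf8(line, declared)[0] for line in lines]
```

Guessing a charset from the bytes alone is a heuristic: several legacy encodings accept overlapping byte sequences, which is why the guide's advice is simply to switch the browser to UTF-8 once the gateway has normalized the logs.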


Client incidents

The client incident log displays malware incidents, with the logs separated by the application engine (HTTP/HTTPS, SMTP, POP3 or FTP) that detected the malware incident.


Figure 45: Client Incidents logs

To manage the client malware incident logs

1 Select Report and Logs > Logs > Client Incidents.

2 Select the HTTP/HTTPS, FTP, SMTP, or POP3 submenu.

3 For the malware detected in the HTTP/HTTPS and FTP traffic, you can view the following information for each log:

Date Date when the malware was detected.

Time Timestamp when the malware was detected.

Client IP IP address of the HTTP or FTP client.

Server IP IP address of the HTTP or FTP server.

Method (HTTP/HTTPS only) Either Get or Post.

URL (HTTP/HTTPS only) Source URL where the malware was detected.

Filename (FTP only) Name of the malware-infected file.

Direction (FTP only) Download or Upload.

Malware Name Name of the detected malware.

Malware Type Displays the malware types categorized by the Anchiva RapidRx Lab. For details, see http://www.anchiva.com/virus.


Action Forwarded, blocked, or quarantined.

For the malware detected in the SMTP and POP3 traffic, you can view the following information for each log:

Date Date when the malware was detected.

Time Timestamp when the malware was detected.

Sender IP (SMTP only) IP address of the email sender.

Receiver IP (POP3 only) IP address of the email recipient.

From Sender’s email address.

To Recipient’s email address.

Subject Email subject.

Malware Name Name of the detected malware.

Malware Type Displays the malware types categorized by the Anchiva RapidRx Lab. For details, see http://www.anchiva.com/virus.

Action Forwarded, deleted, quarantined, file deleted, or file quarantined.

4 To delete all the log records, click the Clear All Logs button.

5 To save the logs to your local PC, click Export Logs. You can export the logs in HTML or CSV format.

To search the malware incident logs

6 If you want to search or delete logs by time range, specify a time range in the Date/Time Range list.

7 If you want to search or delete logs by other criteria, such as sender, recipient, and subject, select the criterion from the dropdown list, then select one of the matching rules (either include or is), and enter the matching phrase.

8 From the dropdown list, select Search or Clear.

9 Click Run.

Malware detected

In addition to reporting on malware incidents per client, the Anchiva system also generates a report for each application protocol that summarizes the malware activity broken down by malware name. For example, if one client has encountered the same malware 10 times, the client malware incident log will have 10 log entries for the 10 incidents. Meanwhile, the Malware Detected log will have one log entry only, because all the incidents were triggered by one malware.

The Anchiva gateway can transform the logs with no encoding information to UTF-8.

Figure 46: Detected Malware logs

To manage the malware logs

1 Select Reports and Logs > Logs > Malware Detected.

2 Select the HTTP/HTTPS, FTP, SMTP, or POP3 submenu.

3 For each protocol, you can view the following information of each log:

Date Date when the malware was detected.

Time Timestamp when the malware was detected.

Malware Name Name of the detected malware.

Malware Type Displays the malware types categorized by the Anchiva RapidRx Lab. For details, visit http://www.anchiva.com/virus.

Affected Clients Number of hosts affected by the malware.

Count Number of times the malware was detected.

4 To delete all the log records, click the Clear All Logs button.

5 To save the logs to your local PC, click Export Logs. You can export the logs in HTML or CSV format. The exported log file sorts the malware from the most to the least occurrences.

To search the malware logs

6 If you want to search or delete logs by time range, specify a time range in the Date/Time Range list.

7 If you want to search or delete logs by malware name, select one of the matching rules (either include or is), then enter the matching phrase.

8 From the dropdown list, select Search or Clear.


9 Click Run.
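The two log views described above, the per-client incident log with its search (time range plus an include or is match on one column) and the Malware Detected log that collapses incidents by malware name, as an added worked example in Python. This is not Anchiva's code: it works on a constructed CSV export that follows the column layout the guide lists for the HTTP/HTTPS client incident log, and the function names, the timestamp format and the sample rows are assumptions made for the example.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export, laid out like the guide's HTTP/HTTPS client
# incident log (CSV format). The rows, addresses and names are invented.
SAMPLE_CSV = """Date,Time,Client IP,Server IP,Method,URL,Malware Name,Malware Type,Action
2009-06-01,09:12:03,10.1.1.10,203.0.113.5,GET,http://example.test/a.exe,Example.Dropper.A,Trojan,Blocked
2009-06-01,09:14:40,10.1.1.10,203.0.113.5,GET,http://example.test/a.exe,Example.Dropper.A,Trojan,Blocked
2009-06-01,10:02:11,10.1.1.22,203.0.113.9,POST,http://example.test/up.php,Example.Worm.B,Worm,Quarantined
2009-06-02,08:30:00,10.1.1.10,198.51.100.7,GET,http://other.test/b.exe,Example.Dropper.A,Trojan,Forwarded
2009-06-02,11:45:59,10.1.1.31,198.51.100.7,GET,http://other.test/b.exe,Example.Dropper.A,Trojan,Blocked
"""


def load_incidents(text):
    """Parse an exported client incident log (CSV) into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def in_time_range(row, start, end):
    """Date/Time Range check. Timestamps are 'YYYY-MM-DD HH:MM:SS' strings
    (assumed format), so a plain string comparison orders them correctly."""
    stamp = f"{row['Date']} {row['Time']}"
    return start <= stamp <= end


def matches(row, column, rule, phrase):
    """The guide's two matching rules: 'include' (substring) or 'is' (exact)."""
    value = row[column]
    if rule == "include":
        return phrase in value
    if rule == "is":
        return value == phrase
    raise ValueError(f"unknown matching rule: {rule}")


def search_incidents(rows, start=None, end=None, column=None, rule=None, phrase=None):
    """Return the rows that satisfy the optional time range and column match;
    with 'Clear' instead of 'Search' the same selection would be deleted."""
    selected = []
    for row in rows:
        if start is not None and end is not None and not in_time_range(row, start, end):
            continue
        if column is not None and not matches(row, column, rule, phrase):
            continue
        selected.append(row)
    return selected


def malware_detected_summary(rows):
    """Collapse per-client incidents into one entry per malware name, as the
    Malware Detected log does: Affected Clients counts distinct client IPs,
    Count counts incidents, sorted from most to fewest occurrences."""
    clients = defaultdict(set)
    counts = defaultdict(int)
    for row in rows:
        name = row["Malware Name"]
        clients[name].add(row["Client IP"])
        counts[name] += 1
    summary = [
        {"Malware Name": n, "Affected Clients": len(clients[n]), "Count": counts[n]}
        for n in counts
    ]
    summary.sort(key=lambda e: (-e["Count"], e["Malware Name"]))
    return summary


if __name__ == "__main__":
    incidents = load_incidents(SAMPLE_CSV)
    for entry in malware_detected_summary(incidents):
        print(entry)
    for hit in search_incidents(incidents, column="Action", rule="is", phrase="Blocked"):
        print(hit["Date"], hit["Time"], hit["Client IP"], hit["URL"])
```

With the five constructed rows, the summary has two entries: Example.Dropper.A with four incidents across two distinct clients, and Example.Worm.B with one, which is the 10-incidents-to-1-entry relationship the text describes.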

Webfilter

The webfilter logs record the following types of web activities:

• Information about the malicious sites that contain spyware detected by the Anchiva system. Each Anchiva gateway is equipped with the latest malicious site definitions. For more information about malicious sites, see “Configuring malicious site detection”.

• Information about users’ access to application sites. For the application sites configuration details, see “Configuring application sites detection”.

• Information about users’ access to the blacklisted URLs. For the URL blacklist configuration details, see “Configuring the URL blacklist”.

• Information about the malicious sites detected by the Google Safe Browsing Service. For more information about using the Google Safe Browsing Service, see “Configuring HTTP anti-malware settings”.

• Information about websites that matched entries in the URL Filter. For the URL Filter configuration details, see “Configuring the URL Filter”.

The Anchiva gateway can block or allow access to the above types of URLs and record the meta-information about the web access activities. You can view, search, delete, or export the log messages.

Figure 47: Webfilter blacklist log

To view or clear the webfilter logs

1 Select Reports and Logs > Logs > Web Filter.

2 Select the Malicious Sites, Application Sites, Blacklist or Google submenu.

3 You can view the following information of each log record:


Date Date when the URL was detected and blocked.

Time Timestamp when the URL was detected and blocked.

Client IP IP address of the user who attempted to access the URL.

Server IP IP address of the URL server.

Method Either GET or POST.

URL Name of the URL.

Type (malicious and application sites logs only) Displays one of the six categories the malicious site belongs to. The six malicious site categories are listed on the Web Filter > Malicious Sites page.

Malware (malicious and application sites logs only) Name of the malware detected by the Anchiva gateway.

Action Either Blocked or Forwarded.

Google Type (Google only) The Google Safe Browsing Service categorizes malicious sites into two types: either Malware or Phishing.

4 To delete all the log records, click the Clear All Logs button.

5 To save the logs to your local PC, click Export Logs. You can export the logs in HTML or CSV format.

To search the webfilter logs

6 If you want to search or delete logs by the time range in which the Anchiva gateway processed the URL, specify a time range in the Date/Time Range list.

7 If you want to search or delete logs by client IP, server IP, URL, or action type, select one option from the dropdown list, then select one of the matching rules (either include or is), and enter the client IP, server IP, URL or action.

8 From the dropdown list, select Search or Clear.

9 Click Run.

Server Protection

The Server Protection logs display attacks aimed at disrupting the normal operation of the web server.

• The server protection logs include the attack name, the client and server IP, and the HTTP method with which the attack was launched against the web server.


Figure 48: Server Protection log

To view or clear the Server Protection logs

1 Select Reports and Logs > Logs > Server Protection.

2 You can view the following information of each log record:

Date Date when the URL was detected and blocked.

Time Timestamp when the URL was detected and blocked.

Client IP IP address of the user who attempted to access the URL.

Server IP IP address of the URL server.

Method Either GET or POST.

Attack Name Name of the attack (based on the attack signature name).

Action Configurable actions are Forward or Block.

3 To delete all the log records, click the Clear All Logs button.

4 To save the logs to your local PC, click Export Logs. You can export the logs in HTML or CSV format.

To search the Server Protection logs

5 If you want to search or delete logs by the time range in which the Anchiva gateway processed the URL, specify a time range in the Date/Time Range list.

6 If you want to search or delete logs by client IP, server IP, URL, or action type, select one option from the dropdown list, then select one of the matching rules (either include or is), and enter the client IP, server IP, URL or action.

7 From the dropdown list, select Search or Clear.

8 Click Run.

Event logs

The Anchiva gateway records the file extension block information and all the traffic anomalies, such as anti-ARP spoofing, DNS checking, and port monitoring events. For details, see “File block” and “Anomaly Detection”.

For each protocol (HTTP/HTTPS, SMTP, POP3, and FTP), the Anchiva gateway logs the following events:

• Actions taken on password protected files, if the option is enabled when you configure the service settings.

• Actions taken on file block rule matches, if the option is enabled when you configure the service settings.

• Actions taken on oversized files. This option is enabled by default.

You can view, search, delete, or export the log messages.

Figure 49: Anomaly logs

To manage the event logs

1 Select Reports and Logs > Logs > Events Logs.

2 Select the Anomaly submenu to view the following information of each anomaly log record:

Date Date when the anomaly event occurred.

Time Timestamp of the event.

Events Short descriptions of the event.

Client IP IP address of the client who triggered the event.

Server IP IP address of the server the client tried to access.

Message Detailed description of the event.

Action Actions taken against the events.

3 Select the HTTP/HTTPS submenu to view the following information of each HTTP event log record:

Date Date when the event occurred.

Time Timestamp of the event.

Events Short descriptions of the event.

Method Either GET or POST.

Client IP IP address of the client who tried to access the URL.

URL The URL the client tried to access.

Action Actions taken against the events.

4 Select the SMTP or POP3 submenu to view the following information of each SMTP or POP3 event log record:

Date Date when the event occurred.

Time Timestamp of the event.

Events Short descriptions of the event.

Sender IP (SMTP only) IP address of the email sender.

Receiver IP (POP3 only) IP address of the email recipient.

From Sender’s email address.

To Recipient’s email address.

Subject Email subject.

Action Actions taken against the events.

5 Select the FTP tab to view the following information of each FTP event log record:

Date Date when the event occurred.

Time Timestamp of the event.

Events Short descriptions of the event.

Client IP IP address of the FTP client.

Server IP IP address of the FTP server.

File Name File name the client tried to access.

Direction Either FTP PUT or FTP GET.

Action Actions taken against the events.

6 To delete all the log records, click the Clear All Logs button.

7 To save the logs to your local PC, click Export Logs. You can export the logs in HTML or CSV format.

To search the event logs

8 If you want to search or delete logs by time range, specify a time range in the Date/Time Range list.

9 If you want to search or delete logs by other criteria, select one option from the dropdown list, then select one of the matching rules (either include or is), and enter the matching phrase.

10 From the dropdown list, select Search or Clear.

11 Click Run.

Normal emails

The normal email log records the meta-information of normal SMTP and POP3 emails. You can view, search, delete, or export email logs by SMTP or POP3 protocol. The Anchiva gateway can transform the logs with no encoding information to UTF-8.

For details, see “Automatic encoding transformation”.

Figure 50: Normal email log

To manage the email logs

1 Select Reports and Logs > Logs > Normal Emails.

2 Select the SMTP or POP3 submenu.

3 You can view the following information of each logged email:

Date Date when the email was processed by the Anchiva gateway.

Time Timestamp when the email was processed by the Anchiva gateway.

Sender IP or Receiver IP Sender’s IP address if you are checking the SMTP traffic, or receiver’s IP if you are checking the POP3 traffic.

From Sender’s email address.

To Recipient’s email address.

Subject Email subject.

Action For normal emails, the action is forwarded.

4 To delete all the log records, click the Clear All Logs button.

5 To save the logs to your local PC, click Export Logs. You can export the logs in HTML or CSV format.

To search the email logs

6 If you want to search or delete logs by time range, specify a time range in the Date/Time Range list.

7 If you want to search or delete logs by sender, recipient, or subject, select From, To, Sender IP or Subject from the dropdown list, then select one of the matching rules (either include or is), and enter the sender address, recipient address, sender IP, or subject.

8 From the dropdown list, select Search or Clear.

9 Click Run.

Applications

The Applications logs are broken into two categories, the 'Control Logs' and the 'IM Content Logs'.

Control Logs

The Control Logs record the use of applications on the network including non-productive, productive, whitelisted and IM applications. For information about the types of applications, see “Application Controls”.


Figure 51: Application Control logs

To manage the application control logs

1 Select Reports and Logs > Logs > Applications > Control Logs.

2 You can view the following information of each log record:

Date Date when the event occurred.

Time Timestamp of the event.

Client IP IP address of the application user.

Server IP IP address of the server that the application connects to.

Port Communication port the application uses.

Application Client Name Name of the application.

Action Either forwarded or blocked, depending on the settings you specify in

3 To delete all the log records, click the Clear All Logs button.

4 To save the logs to your local PC, click Export Logs. You can export the logs in HTML or CSV format.

IM Content Logs

As required, the SWG can monitor and audit MSN and Yahoo IM messenger chat logs. Chat auditing can be enabled or disabled per security profile.

To enable IM auditing, select Application Controls > IM Content Audit.

Figure 28: IM Content Logs


To manage the IM content logs

1 Select Reports and Logs > Logs > Applications > IM Content Logs.

2 Select the IM application under Chat Tool:

3 You can view the following information of each log record:

Date Date when the event occurred.

Time Timestamp of the event.

Client IP IP address of the application user.

From Username who sent the message.

To Username the message was sent to.

Message The text of the message sent.

4 To delete all the log records, click the Clear All Logs button.

5 To save the logs to your local PC, click Export Logs. You can export the logs in HTML or CSV format.

Searching the logs

1 If you want to search or delete logs by time range, specify a time range in the Date/Time Range list.

2 If you want to search or delete logs by other criteria, select one option from the dropdown list, then select one of the matching rules (either include or is), and enter the matching phrase.

3 From the dropdown list, select Search or Clear.

4 Click Run.


Management

Management logs are divided into two categories: admin logs and system logs.

Admin logs

The admin logs record administrator activities including system login, logout and configuration changes. You can view, search, delete, or export the log messages.

Figure 52: Admin Logs

To manage the admin logs

1 Select Reports and Logs > Logs > Management > Admin Logs.

2 You can view the following information of each log record:

Date Date when the operation occurred.

Time Time when the operation occurred.

Client IP The admin user’s IP address.

Administrator The admin user who performed the operation.

Action Short description of the operation.

3 To delete all the log records, click the Clear All Logs button.

4 To save the logs to your local PC, click Export Logs. You can export the logs in HTML or CSV format.


To search the admin logs

5 If you want to search or delete logs by time range, specify a time range in the Date/Time Range list.

6 If you want to search or delete logs by administrator, client IP, or action, select Administrator, Client IP, or Action from the dropdown list, then select one of the matching rules (either include or is), and enter the administrator name, client IP, or user action.

7 From the dropdown list, select Search or Clear.

8 Click Run.

System logs

The system logs record all the non-admin system activities, such as HA, updates, and interface status. You can view, search, delete, or export the log messages.

Figure 53: System logs

To manage the system logs

1 Select Reports and Logs > Logs > Management > System Logs.

2 You can view the following information of each log record:

Date Date when the activity occurred.

Time Time when the activity occurred.

System Event Short description of the event.


3 To delete all the log records, click the Clear All Logs button.

4 To save the logs to your local PC, click Export Logs.

To search the system logs

5 If you want to search or delete logs by time range, specify a time range in the Date/Time Range list.

6 If you want to search or delete logs by other criteria, specify the matching rules.

7 From the dropdown list, select Search or Clear.

8 Click Run.


Policies

Policies and the related objects allow the administrator to configure very granular rules to apply to traffic.

This section includes the following topics:

§ Object Settings

§ AD

§ Blacklist

§ Security Groups

§ Security Profiles

§ Policy List

Object Settings

The object settings are used to configure objects applied in security profiles and groups, application controls and other areas.

This section will describe the following object types:

§ Time Object

§ Bandwidth Object

§ User Defined Protocol

Time Object

The time objects are used to configure schedules that can be applied to applications or application groups in the application control profiles.

For example, an organization may not allow the use of specific applications during normal business hours (9:00am - 6:00pm daily) but may allow the use of those same applications outside of normal business hours. The time objects are used to control the use of applications under these conditions.

1 To configure Time Objects, go to Policies > Object Settings > Time Object.

Figure 54: Adding a new Time Object


2 Click Add.

3 Enter the following information and click Apply.

Name Enter a name for the new object.

Description Enter a description for the time object.

Week Select the day or days this time object will apply.

Time Range 1#: Select the start and end times for the first time range.

Time Range 2#: Select the start and end times for the second time range.

Note: For time ranges that span overnight, both a range 1# and a range 2# must be entered, because each range lies within a single day.

Example: To configure a time object that spans from 6:00pm to 6:00am, you must configure the following ranges:
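To make the overnight rule concrete, here is an added Python model of a time object (not Anchiva's implementation) that holds a set of weekdays and up to two same-day ranges, and refuses a single range whose end precedes its start. The 6:00pm to 6:00am object is entered as two ranges, 18:00 to 23:59:59 and 00:00 to 06:00; that split, the class and the function names are assumptions made for this example.

```python
from datetime import datetime, time


class TimeObject:
    """Schedule object: weekdays plus up to two time ranges within one day.

    Each range is (start, end) with start <= end, which is the assumed shape
    of the guide's Time Range 1# / 2# fields. A range that "wraps" past
    midnight cannot be expressed in one entry, so it is rejected here and
    must be split across the two ranges instead.
    """

    def __init__(self, name, weekdays, range1, range2=None):
        self.name = name
        self.weekdays = set(weekdays)  # 0 = Monday ... 6 = Sunday
        self.ranges = [r for r in (range1, range2) if r is not None]
        for start, end in self.ranges:
            if start > end:
                raise ValueError(
                    f"{name}: range {start}-{end} crosses midnight; "
                    "enter it as range 1# (to 23:59:59) and range 2# (from 00:00)"
                )

    def applies(self, when):
        """True when the object is active at the given datetime."""
        if when.weekday() not in self.weekdays:
            return False
        t = when.time()
        return any(start <= t <= end for start, end in self.ranges)


# Business hours object: 09:00 to 18:00 every day (one range is enough).
BUSINESS_HOURS = TimeObject("business-hours", range(7), (time(9, 0), time(18, 0)))

# After-hours object for 6:00pm to 6:00am. Assumed split for the example:
# range 1# covers 18:00 to 23:59:59, range 2# covers 00:00 to 06:00.
AFTER_HOURS = TimeObject(
    "after-hours",
    range(7),
    (time(18, 0), time(23, 59, 59)),
    (time(0, 0), time(6, 0)),
)


def schedule_check(obj, iso_timestamp):
    """Evaluate a time object against an ISO 8601 timestamp string."""
    return obj.applies(datetime.fromisoformat(iso_timestamp))


def single_range_overnight_is_rejected():
    """Show that 18:00 to 06:00 as ONE range is refused by the model."""
    try:
        TimeObject("bad", range(7), (time(18, 0), time(6, 0)))
    except ValueError:
        return True
    return False
```

The second range ends at 23:59:59 rather than 23:59 so that the last minute before midnight is not left uncovered, a gap that is easy to miss when the UI offers only hours and minutes.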

Bandwidth Object

Bandwidth objects are used to set inbound and outbound guaranteed and maximum bandwidth allocations. The bandwidth objects are used with 'Security Profiles' and can also be applied to application control categories to rate limit bandwidth use or set a high or low priority on traffic. To configure bandwidth settings, the interface bandwidth settings must first be set.

Note: Not all applications or application groups can be rate limited. Expanding the applications in the non-productive and productive groups displays a note for non-supported applications.

Bandwidth objects are applied to security groups and supported applications or application groups listed in the Application Controls section.


1 To configure Bandwidth Objects, go to Policies > Object Settings > Bandwidth Object.

Figure 55: Adding a new Bandwidth Object

2 Click Add.

3 Enter the following information and click Apply.

Name Enter a name for the new object.

Default Make this the default bandwidth object to use. The default bandwidth object is applied to security groups that are associated with an interface that has bandwidth shaping enabled.

Note: Only 1 bandwidth object per interface can be configured.

Interface Select the interface to associate with this bandwidth profile.

Note: The inbound and outbound bandwidth settings must be enabled on the chosen interface to use. See Editing the interface properties for more information.

Priority Select the priority for this object. See below for more information on how bandwidth properties are applied.

Inbound Rate: Select the scale of the bandwidth. Guaranteed Rate: The amount of bandwidth that will be available for the object. Limit Rate: Normally set higher than the guaranteed rate, the limit is the maximum bandwidth allowed by this object.

Outbound Rate: Select the scale of the bandwidth. Guaranteed Rate: The amount of bandwidth that will be available for the object. Limit Rate: Normally set higher than the guaranteed rate, the limit is the maximum bandwidth allowed by this object.

About Bandwidth Priority:

Along with the guaranteed and maximum bandwidth, a priority is also set to determine how unallocated bandwidth is used. The unallocated bandwidth is the available interface bandwidth and can be used by a program if its allocated bandwidth has exceeded its guaranteed maximum.


Example:

Interface Bandwidth for interface 'ETH-X':

Inbound = 50 Mbps

Outbound = 50 Mbps

The following bandwidth objects are assigned to interface ETH-X

bw-obj-1 inbound = 20 Mbps, outbound = 30 Mbps, priority =0

bw-obj-2 inbound = 20 Mbps, outbound = 30 Mbps, priority =1

In this example, if traffic assigned to bw-obj-1 is currently flowing at 20 Mbps, and traffic assigned to bw-obj-2 is currently flowing at 20 Mbps, this leaves 10 Mbps of unallocated bandwidth on interface ETH-X.

Since traffic assigned to bw-obj-1 has a priority of '0' (the higher priority), it will be given the first opportunity to use the unallocated bandwidth (10 Mbps) to reach its maximum limit rate.
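The ETH-X example carried through as an added Python model of guaranteed rate, limit rate and priority (not Anchiva's scheduler). Each object first receives up to its guaranteed rate; what remains of the interface capacity is then offered in priority order, lowest number first, until an object reaches the smaller of its demand and its limit rate. The page gives no limit rates for bw-obj-1 and bw-obj-2, so 40 Mbps for both is an assumed value, as are the demand figures and the function names.

```python
from dataclasses import dataclass


@dataclass
class BandwidthObject:
    name: str
    guaranteed: float  # Mbps always available to the object
    limit: float       # Mbps hard maximum for the object
    priority: int      # 0 is the highest priority


def allocate(capacity, objects, demand):
    """Share an interface's capacity (Mbps) among bandwidth objects.

    Step 1: every object gets min(demand, guaranteed).
    Step 2: the unallocated remainder is offered in priority order; each
            object may grow up to min(demand, limit).
    Returns (allocation per object name, bandwidth still unallocated).
    """
    if sum(o.guaranteed for o in objects) > capacity:
        raise ValueError("guaranteed rates exceed interface capacity")
    alloc = {o.name: min(demand.get(o.name, 0.0), o.guaranteed) for o in objects}
    unallocated = capacity - sum(alloc.values())
    for o in sorted(objects, key=lambda obj: obj.priority):
        want = min(demand.get(o.name, 0.0), o.limit) - alloc[o.name]
        extra = max(0.0, min(want, unallocated))
        alloc[o.name] += extra
        unallocated -= extra
    return alloc, unallocated


# The guide's ETH-X example, inbound side. Limit rates are not on the page;
# 40 Mbps for both objects is an assumed value for this example.
ETH_X_INBOUND = 50.0
ETH_X_OBJECTS = [
    BandwidthObject("bw-obj-1", guaranteed=20.0, limit=40.0, priority=0),
    BandwidthObject("bw-obj-2", guaranteed=20.0, limit=40.0, priority=1),
]


def example_allocation(demand_obj1, demand_obj2):
    """Allocate ETH-X inbound capacity for the given demands (Mbps)."""
    return allocate(
        ETH_X_INBOUND,
        ETH_X_OBJECTS,
        {"bw-obj-1": demand_obj1, "bw-obj-2": demand_obj2},
    )


if __name__ == "__main__":
    # Both objects want 35 Mbps: priority 0 takes the spare 10 Mbps first.
    print(example_allocation(35.0, 35.0))
```

When both objects want 35 Mbps, bw-obj-1 ends at 30 Mbps and bw-obj-2 stays at its 20 Mbps guarantee, which is the outcome the text describes; when bw-obj-1 only needs its guarantee, the same 10 Mbps goes to bw-obj-2 instead.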

User Defined Protocol

This option allows administrators to define custom applications or protocols used on the network. Upon configuration the user-defined protocols are added to the 'Productive' category under the Application Controls listing. The user-defined application list is subject to the same configuration as the system defined applications, including time schedule enforcement and user configurable actions.

1 To configure, go to Policies > Object Settings > User-defined Protocol.

Figure 56: Adding a user defined protocol

2 Click Add.

3 Enter the following information and click Apply.


Name Enter a name for the new object (up to 32 characters). Up to 8 custom applications can be defined.

IP/Mask Enter the IP address of the custom application server.

Port Range Choose the TCP or UDP port information that the custom application will establish communications on.

AD (Active Directory)

The AD feature is used by the Anchiva system to enforce user based policies. The Anchiva system gathers user and user group information from a Windows Domain using Active Directory as the authentication server. The AD process on the system communicates with an Anchiva AD agent that is installed on the Active Directory server to extract AD user and user group information.

Once the AD information has been collected and added into the Anchiva system, the user and user group information are used in 'Security Groups' which are then used in the Application and Service policies to create user based access and application usage policies. The AD information is also used in the Blacklist option to create blacklists by using the AD users and user groups information.

To configure, go to Policies > AD.

The following options will be available:

AD Server Add the IP address of the AD server and enable the AD daemon. The Anchiva system will establish communications to the Anchiva AD agent installed on the AD server. Click Apply to establish a link with the Anchiva AD agent.

AD User Displays a list of AD users collected from the AD server.

AD Active User Displays a list of active AD users collected from the AD server.

AD Group Displays a list of AD user groups collected from the AD server.

The AD agent can be downloaded from the Anchiva support website.


Blacklist

The Blacklist is used to configure lists of clients that are prevented from application and internet use.

Clients are referenced in the blacklist using:

§ Host IP

§ IP Subnet

§ IP Range

§ AD User Name

§ AD Group Name

Figure 57: Global client blacklist configuration

Security Groups

Security Groups are used to create IP host and subnet groupings. Most large enterprises have complex networks that are distributed and are segmented by job function or network access rights. These logical network groupings in most cases are also used by network and security administrators to develop internet use policies that are applied at the group level.

The security groups feature gives administrators the ability to create the logical groupings by IP address, and then enforce internet use policies to the group, thus simplifying the policy configuration process.

An advantage of the security groups feature is to simplify policy management, as a single policy, and internet profile, can be applied to one or multiple groups of subnets or AD users and AD user groups. The clients can be grouped based on functional group. For example, finance, marketing, human resources and engineering may be grouped together or separately, and policies can be configured to apply different internet privileges for each group.


To create or edit a Security Group

1. Select Policies > Security Groups.

2. Click Add to add a new group, or Edit to edit an existing group.

3. To add a new group, enter a Security Group name and click Apply.

4. To edit the group and add members click on the group name and the edit window will appear.

5. The editable properties of a security group include:

IP Range Host or subnet IP addresses to include in the security group.

AD User Displays a list of AD users collected from the AD server that can be added as members to the security group.

AD Group Displays a list of AD user groups collected from the AD server that can be added as members to the security group.

6. Security Groups are objects used within Application and Service policies.

Security Profiles

Security Profiles allow the administrator to configure customized internet use configurations that can be applied to a security group. For example, the IT staff may require less strict internet access rights as part of their job duties, while the Finance and HR groups require stricter enforcement of internet use.

The security profiles provide the tools needed to create very customized internet use configurations. Each profile is independent of the others, and each profile may have different properties with regard to malware inspection, web filtering, email inspection, application controls, file block rules, and URL whitelists and blacklists.

To configure Security Profiles go to: Policies > Security Profiles

1 Edit an existing profile by clicking on the profile name, or add a new profile.

2 Add a descriptive name to the profile, for example Finance, HR, Engineering.

3 Choose a bandwidth object to apply to this security profile.

Note: Choose the interface to display the list of configured bandwidth objects.

4 Configure the properties for each available data inspection feature by clicking the edit box in the far left column.

Figure 58: Security Profile configuration

5 Click Apply to save the changes.

Security profiles are attached to a policy through its Security Profile field; the source and destination filters of a policy are IP addresses or security groups. See "Policies" for more information.

Policy List

A policy defines the action taken towards the traffic originating from a specific interface, VLAN, or zone.

By defining policies, you can specify protocol types and sources of the traffic to be filtered for virus and spyware content. Traffic must match the following policy objects for the action to be taken on that traffic:

• Source IP or Security Group

• Destination IP or Security Group

• Applications (HTTPS, HTTP, FTP, SMTP, POP3) to enforce content inspection

• Security profiles to enforce application controls and URL filters

Policy actions


The Anchiva gateway can take the following actions against the traffic that is defined in a policy:

• Filter: The Anchiva gateway will filter the traffic according to the settings you specify.

• Deny: The gateway will block the traffic without filtering.

• Permit: The gateway will allow the traffic without filtering. This is recommended only for cases where you know the host is trusted, since permitted traffic receives no malware or content inspection.

Policies are directional

Policies are directional. When creating a policy on an interface, VLAN, or zone, you must choose the source interface where the traffic originates. There is no need to choose a destination interface.

The policy configuration is flexible and allows you to configure different policies for different departments, or for different customers where the Anchiva gateway is deployed as part of a managed security service. For example, if the Engineering subnet is connected to the eth0 interface and the Accounting subnet is connected to the eth1 interface, you can create different policies for the two departments on the two interfaces.

The VLANs you configure on an interface give you even more flexibility to logically group your hosts and so apply different policies to different departments. For information about VLANs, see "About VLANs" and "Configuring VLANs".

Policy order checking

The Anchiva gateway matches traffic against policies in the policy list from top to bottom for each interface, VLAN, and zone. Therefore, if you want an exempt policy for an interface, VLAN, or zone, you must put the exempt policy above the other, more general policies for that interface, VLAN, or zone. For example, you have the following two policies for the Engineering VLAN with VLAN ID 100 on the eth0 interface:

VLAN  Action  Client IP        Server IP                    Protocol
100   Permit  0.0.0.0/0.0.0.0  10.10.0.100/255.255.255.255  HTTP
100   Filter  0.0.0.0/0.0.0.0  0.0.0.0/0.0.0.0              HTTP|FTP|SMTP|POP3

The first policy exempts all HTTP traffic originating from the Engineering VLAN and destined to the server 10.10.0.100 from being filtered, although the second policy defines that all traffic will be filtered. In this case, you must put the exempt policy (the first policy) above the general policy (the second policy) for the Engineering VLAN; if the general policy came first, it would match the traffic to 10.10.0.100 and the exempt policy would never be reached. When creating a new policy, you can insert it in any position in the policy list. You can also reorder the policies by moving them up or down in the list.
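The first-match behaviour described above, worked through in code. This is an added example and not AnchivaOS code: the Policy class, the lookup() and shadowed() helpers, and the sample host addresses are this example's own; the two policies are the ones from the table, written with dotted netmasks as the GUI shows them.

```python
"""First-match policy lookup, as the policy order checking section describes.

Added illustration, not AnchivaOS code. Policies mirror the Engineering
VLAN example: an exempt Permit policy for one server above a general Filter
policy. Netmasks are written in dotted form, as in the GUI; 0.0.0.0/0.0.0.0
means any address.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Policy:
    vlan: int
    action: str            # "Permit", "Deny" or "Filter"
    client: str            # source "ip/netmask"
    server: str            # destination "ip/netmask"
    protocols: frozenset   # e.g. frozenset({"HTTP", "FTP"})

    def matches(self, vlan, src, dst, proto):
        return (self.vlan == vlan
                and IPv4Address(src) in IPv4Network(self.client, strict=False)
                and IPv4Address(dst) in IPv4Network(self.server, strict=False)
                and proto in self.protocols)


def lookup(policies, vlan, src, dst, proto):
    """Return the action of the first policy that matches, top to bottom.

    Web and email traffic that matches no policy is forwarded to its next
    hop without inspection (see the session tracking overview), so the
    fall-through result is reported as such.
    """
    for policy in policies:
        if policy.matches(vlan, src, dst, proto):
            return policy.action
    return "Forward (no match)"


def shadowed(policies):
    """Indices of policies that can never match because an earlier policy on
    the same VLAN already covers every client, server and protocol they name.
    Running this over the list catches an exempt policy inserted below the
    general one."""
    hidden = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if (earlier.vlan == later.vlan
                    and IPv4Network(later.client, strict=False).subnet_of(
                        IPv4Network(earlier.client, strict=False))
                    and IPv4Network(later.server, strict=False).subnet_of(
                        IPv4Network(earlier.server, strict=False))
                    and later.protocols <= earlier.protocols):
                hidden.append(i)
                break
    return hidden


# The two policies from the guide's table.
EXEMPT = Policy(100, "Permit", "0.0.0.0/0.0.0.0",
                "10.10.0.100/255.255.255.255", frozenset({"HTTP"}))
GENERAL = Policy(100, "Filter", "0.0.0.0/0.0.0.0", "0.0.0.0/0.0.0.0",
                 frozenset({"HTTP", "FTP", "SMTP", "POP3"}))
CORRECT_ORDER = [EXEMPT, GENERAL]
WRONG_ORDER = [GENERAL, EXEMPT]


def demo():
    """Constructed sample traffic on VLAN 100 from an Engineering host."""
    return {
        "exempt_first": lookup(CORRECT_ORDER, 100, "10.10.1.20", "10.10.0.100", "HTTP"),
        "general_first": lookup(WRONG_ORDER, 100, "10.10.1.20", "10.10.0.100", "HTTP"),
        "ftp_to_exempt_server": lookup(CORRECT_ORDER, 100, "10.10.1.20", "10.10.0.100", "FTP"),
        "other_server": lookup(CORRECT_ORDER, 100, "10.10.1.20", "198.51.100.7", "HTTP"),
        "other_vlan": lookup(CORRECT_ORDER, 200, "10.10.1.20", "10.10.0.100", "HTTP"),
        "shadowed_in_wrong_order": shadowed(WRONG_ORDER),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The shadowed() check is the one to run after every reordering: in WRONG_ORDER it reports the exempt policy as unreachable, which is exactly the misconfiguration the section warns about.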

Session tracking overview

The session tracking architecture of the Anchiva gateway allows for deployments into complex networks to secure traffic from multiple network segments without breaking the traffic connections. The Anchiva gateway supports both session u-turn and asymmetric routing by using zones.


Stateful session tracking (SST) is the process of actively tracking the state of a TCP connection from session setup to session teardown. Maintaining precise session state provides the basis for network security systems like firewalls, IPS, and web and email security gateways to apply and enforce security policies to traffic. The session tracking engine provides a key function as it verifies the legitimacy of client to server communications by matching sessions that contain a client request to the session that contains the specific server response to that request. When sessions are not matched correctly in the tracking table, internet traffic can be blocked or unknown data can enter the network without being inspected for malicious content.

AnchivaOS utilizes SST and policy engines to determine when and how to actively track sessions that pass through its interfaces. When packets arrive at the interface, one of the first tasks of AnchivaOS is to classify the traffic to determine if the session contains client requests to connect to a web (HTTP/HTTPS, FTP) or email (SMTP, POP3) server. For non-web and non-email traffic, the packets are automatically forwarded to the egress interface and the SST does not track these sessions.

Sessions that are classified as web and email traffic follow a different path and are checked against the policy list for a match. For packets found to match a policy, the SST creates a new entry in its session tracking table and begins tracking the client to server and server to client communications. Packets that do not match a policy are immediately forwarded to their next hop destination.

Session u-turn mode

U-turn traffic takes place when the same session is forwarded through the same path multiple times before reaching its destination. One example of u-turn traffic is when a router on the network performs one-armed routing and acts as the default gateway for multiple subnets.

In the following topology, the SYN request from the client to the web server traverses the same path from the switch to the router and back again from the router to the switch before ever reaching the web server. If a stateful system is deployed between the switch and the router, the system will see the same SYN packet twice and may misinterpret the repeated SYN as a new session, resulting in the session becoming corrupted in the state table and not being tracked correctly, or the session being blocked, preventing the client from communicating with the web server.

Figure 59: Session U-Turn example


Asymmetric routing mode

Asymmetric routing occurs when sessions, such as a client setup request to a server, are routed through path A, but the return traffic, the server response to the client, is routed through a different path, path B. This usually happens when a network utilizes two or more ISP links, load balancing outbound internet traffic across both links for redundancy and to take advantage of the combined bandwidth. A side effect of the load balancing is that client requests may be forwarded out through ISP number 1 while the server responses return through ISP number 2. Many stateful systems do not have the session tracking capabilities to monitor asymmetrically routed sessions, preventing them from applying security policies to the traffic.

Application Policies

Application policies are used to enforce application use privileges for each client. When configuring application policies there is no need to choose the services (HTTP, HTTPS, etc.). Instead, the Security Profile and Security Group information determines a client's application use privileges.

In the order of checking, the Application policies are checked before the Service policies are enforced. The Service policies are primarily used when the system needs to enforce Web Filter rules and inspect data for malware content.

To add an Application Policy follow Policies > Policy List > Application Policies

Figure 60: Application Policy configuration


Policy Name: Enter a descriptive name to identify the policy.

Interface/VLAN: Select an interface or VLAN from the dropdown list. For information about VLANs, see About VLANs and Configuring VLANs.

Zone: Select the zone from the dropdown list that you want to apply the policy to. For information about zones, see the Zone configuration.

Security Profile: In the drop down menu choose the security profile to apply to this policy. The View option is used to view the properties of the chosen security profile.

Client IP/Mask OR Security Group: Specify the source IP address the policy will apply to. If you enter "any" or 0.0.0.0/0.0.0.0, the policy will apply to traffic from any source IP address. Or choose the Security Group to apply the policy to.

Server IP/Mask OR Security Group: Specify the destination IP address the policy will apply to. If you enter "any" or 0.0.0.0/0.0.0.0, the policy will apply to traffic to any destination IP address. Or choose the Security Group to apply the policy to.

Service Policies

Service policies are used to enforce web filter and malware detection rules. Service policies are checked after the Application policies have been checked for a match. The reasoning behind checking the application policies first is to allow or block the internet communications of applications. For applications that are allowed to communicate outside of the protected network, the service policies then perform deep content inspection of the communications, filtering unwanted and malicious content from entering and leaving the network.

To add a Service Policy follow Policies > Policy List > Service Policies

Figure 61: Service Profile configuration

Policy Name: Enter a descriptive name to identify the policy.

Interface/VLAN: Select an interface or VLAN from the dropdown list. For information about VLANs, see About VLANs and Configuring VLANs.

Zone: Select the zone from the dropdown list that you want to apply the policy to. For information about zones, see Zone.

Action: Select Filter, Permit or Deny.

Security Profile: In the drop down menu choose the security profile to apply to this policy. The View option is used to view the properties of the chosen security profile.

Client IP/Mask OR Security Group: Specify the source IP address the policy will apply to. If you enter "any" or 0.0.0.0/0.0.0.0, the policy will apply to traffic from any source IP address. Or choose the Security Group to apply the policy to.

Server IP/Mask OR Security Group: Specify the destination IP address the policy will apply to. If you enter "any" or 0.0.0.0/0.0.0.0, the policy will apply to traffic to any destination IP address. Or choose the Security Group to apply the policy to.


Services: Specify the protocols to enable for the policy.

HTTP: Enable and specify an HTTP port if you use a port other than the default port 80.

SMTP: Enable and specify an SMTP port if you use a port other than the default port 25.

POP3: Enable and specify a POP3 port if you use a port other than the default port 110.

FTP: Enable and specify an FTP port if you use a port other than the default port 21.

HTTPS: Enable and specify an HTTPS port if you use a port other than the default port 443.


Anti-Malware

The Anti-Malware topics discuss file handling, file blocking by name and extension, and the anti-malware deep content settings per protocol.

Topics to be discussed in this section include:

§ File Handling

§ File Block

§ Web Services

§ FTP Services

§ Email Services

§ File Quarantine

§ Anomaly Detection


Global Service Settings

Under the Anti-Malware main menu, you can configure the Anchiva appliance's traffic inspection settings.

The Global Settings submenu allows you to configure file block settings, malware scanning settings, and file quarantine settings, which can be applied to HTTP/HTTPS, SMTP, POP3, and FTP traffic scanning.

This section contains the following topics:

• File handling

File handling

To improve the Anchiva appliance's performance, you can set or adjust the file scanning threshold. For example, if you set the maximum file size to scan very large, the appliance's performance may be affected when big files pass through. Files above the threshold are forwarded without being scanned, so the threshold is a trade-off between performance and inspection coverage.

The Anchiva gateway supports malware-infected file quarantine for HTTP/HTTPS, SMTP, FTP and POP3 traffic.

Figure 62: File handling settings

To configure malware scan settings

1 Select Anti-Malware > Global Settings > File Handling.

2 Under Malware Scan Settings, specify the following settings and click Apply.

To configure file quarantine settings

1 Under File Quarantine Settings, specify the following settings and click Apply.


Max File Size to Scan - Uncompressed: Enter a file size in MB. If the file size is larger than the size specified, the file will be forwarded without being scanned. Valid range is from 0 to 100 MB.

Max Layers to Uncompress: Specify how many layers of zipped files the Anchiva gateway will uncompress before it scans the uncompressed files. Valid range is from 0 to 20 layers. Zero means that no uncompressing takes place.

Max Days to Store Quarantined Files: Specify how many days the quarantined files will be stored on the appliance's hard disk. Valid range is from 1 to 30 days. The quarantined files will be deleted when they reach the time limit.

Max Disk Usage for Quarantined Files: Specify the maximum disk space that will be used to store the quarantined files. Valid range is from 1 to 2000 MB. When the quarantined files reach the space limit, the oldest files will be deleted to make room for newer files.

Max File Size to Quarantine: Specify the maximum file size the gateway will quarantine. Valid range is from 1 to 100 MB. Files larger than the specified size will be deleted.

Current Quarantine Disk Usage: Displays the quarantine file disk usage information.
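What "Max Layers to Uncompress" means in practice, and why password-protected archive members get their own action (see the Web Services settings later in this chapter), shown with a constructed nested ZIP. This is an added example and not AnchivaOS code: the signature marker, the verdict strings, the mark_encrypted() helper that fakes an encrypted member, and the choice to report a still-compressed archive as "archive not uncompressed" are this example's own assumptions.

```python
"""Walking nested archives up to 'Max Layers to Uncompress' and spotting
password-protected members, the two cases the file handling and web
services settings treat specially. Added illustration, not AnchivaOS code.
A three-level ZIP is constructed in memory so the block runs offline; the
signature, the verdict strings and the choice to report a still-compressed
member as 'archive not uncompressed' are this example's own assumptions.
"""
import io
import zipfile

# Constructed marker standing in for a malware signature; not real malware.
SIGNATURE = b"CONSTRUCTED-SAMPLE-SIGNATURE-NOT-MALWARE"
SAMPLE_PAYLOAD = SIGNATURE + b" " * 512


def signature_scan(data):
    return "infected" if SIGNATURE in data else "clean"


def make_zip(member_name, data, compression=zipfile.ZIP_DEFLATED):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression) as zf:
        zf.writestr(member_name, data)
    return buf.getvalue()


def build_nested_zip(depth, payload):
    """payload.bin wrapped in `depth` archives (layer0.zip inside layer1.zip ...)."""
    data, name = payload, "payload.bin"
    for level in range(depth):
        data = make_zip(name, data)
        name = f"layer{level}.zip"
    return data


def mark_encrypted(zip_bytes):
    """Constructed sample helper: set the 'encrypted' general-purpose bit in
    the local and central headers of a one-member, stored ZIP. The data is
    unchanged; the member merely looks password protected, which is all a
    gateway without the password can observe."""
    buf = bytearray(zip_bytes)
    for signature, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        buf[buf.find(signature) + flag_offset] |= 0x01
    return bytes(buf)


def inspect(data, name, max_layers, depth=0):
    """Return [(path, verdict)] for everything reached.

    Archives are opened only while depth < max_layers; an archive met at
    the limit is scanned as an opaque file (max_layers == 0 therefore means
    no uncompressing at all, as the guide states). Encrypted members are
    reported, not opened, so the configured 'password protected' action
    can be applied to them.
    """
    results = []
    if not zipfile.is_zipfile(io.BytesIO(data)):
        results.append((name, signature_scan(data)))
        return results
    if depth >= max_layers:
        results.append((name, signature_scan(data) + " (archive not uncompressed)"))
        return results
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            path = f"{name}/{info.filename}"
            if info.flag_bits & 0x01:   # general-purpose bit 0: encrypted
                results.append((path, "password protected"))
                continue
            results.extend(inspect(zf.read(info), path, max_layers, depth + 1))
    return results


def demo():
    nested = build_nested_zip(3, SAMPLE_PAYLOAD)
    encrypted = mark_encrypted(make_zip("secret.txt", b"top secret", zipfile.ZIP_STORED))
    return {
        "three_layers_allowed": inspect(nested, "download.zip", 3),
        "two_layers_allowed": inspect(nested, "download.zip", 2),
        "no_uncompressing": inspect(nested, "download.zip", 0),
        "bare_file": inspect(SAMPLE_PAYLOAD, "payload.bin", 0),
        "password_protected": inspect(encrypted, "secret.zip", 5),
    }


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(name, verdicts)
```

The "two_layers_allowed" case is the one to keep in mind when choosing the layer limit: the innermost archive is never opened, the signature sits behind a layer of compression, and a scan of the opaque bytes reports it clean. Whatever limit is chosen, the action for content beyond it should be a deliberate decision rather than a silent forward.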


File block

The file block rules allow the Anchiva gateway to block files based on their file extensions and/or their full file names.

The file block rules can be enabled or disabled per protocol: HTTP/HTTPS, SMTP, POP3 or FTP.

File block processing: File blocking rules take precedence over anti-malware scanning. The Anchiva gateway applies the file block rules first; if the file matches an existing rule, either by extension or by name, the file is blocked without inspection for malware content.

Block by extension

You can block files by the file extension. For example, to block all executable files, you can configure a rule to block "exe" type files.

Note: When adding a file extension, you need only enter the extension name. For example, adding "exe" will block executable files. There is no need to add the period "." or a wildcard "*" as part of the name (".exe" or "*.exe", for example). However, you can use the wildcard "*" alone to block all file extensions.

File extension entries are not case sensitive. Note that an extension rule matches on the name the file is transferred under, not on its contents, so it should be combined with the malware scan rather than relied on alone.

On the Anti-Malware > File Block > Block Extension page, you can view the existing file extensions to be blocked. You can also specify the protocols for which the file extensions will apply, and edit or delete the file extensions.

To create a file extension

1 Select Anti-Malware > File Block > Block Extension.

2 Click on the security profile name to edit.

3 To add a New Extension, enter a file extension.

4 Click Add.

Figure 63: File extension configuration

5 Select the protocols to which the file block extension will apply.


6 Click Apply.

Block by file name

You can block files by their exact file names. For example, if you know the exact file name of an active virus, such as virus.exe, you can choose to block that specific file.

To specify a file name

1 Select Anti-Malware > File Block > Block Fullname.

2 Click on the security profile name to edit.

3 For New Fullname, enter a file name.

4 Click Add.

Figure 64: File name configuration

5 Select the protocols to which the file name block rule will apply.

6 Click Apply.


Web Services

As internet access has become common in most corporate networks, the need to control and inspect the internet content flowing in and out of today's network has become critical. In today's internet, random web surfing in the workplace has become the number one method of getting infected with malware, and of users abusing internet privileges by using productivity draining and bandwidth consuming internet based applications like online gaming and gambling.

The malware problem should be a major cause of concern for enterprises, as hackers are exploiting web access in the corporate network to silently deliver malware that can be used to steal sensitive corporate and personal information. Other types of malware found by Anchiva RapidRx labs include malicious content such as rootkits and backdoors meant to give hackers remote control of PCs on the network and to use them to launch attacks or send spam from the network to other websites or corporations.

Anchiva's Secure Web Gateways (SWG) provide comprehensive network protection by performing real-time content inspection of both HTTP and HTTPS requests flowing in and out of the network. As internet traffic is received at the SWG, the data within the packets is inspected for malicious content and for traces indicating the data belongs to an application that the network administrator has not approved. Based on the configured actions, the SWG can block the malicious content at the gateway before it enters or leaves the network, preventing the data from reaching the end user PC on the network, or a PC on the network from uploading malware to an internet server.

When malicious activity is detected, whether a blocked malware upload or download, an application use violation, or a user accessing a non-approved website, the Anchiva SWG will warn the user by means of a replacement web page, and the system will generate a log entry alerting the administrator to the incident.

The web services section contains the following topics:

• Web services processing overview

• HTTPS Content Inspection

• Configuring HTTP/HTTPS anti-malware settings

• Configuring HTTP/HTTPS warning messages

Web services processing overview

The Anchiva gateway executes the content security operations in the following order(from top to bottom):

For HTTP/HTTPS downloads:

• Check the URL whitelist

• Check the URL blacklist

• Check the Malicious Sites

• Check the Google Safe Browsing URL's


• Check the Application sites list

• Check the URL Filter

• File block rules (file extensions and fullnames)

• Oversize file limit

• Malware and application control scan

For HTTP/HTTPS uploads:

• Check the URL whitelist

• Oversized file limit

• File block rules

• Malware scan
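The download order listed above, together with the file block rules from the File block section, as an added example that is not AnchivaOS code. The malicious-site list, Google Safe Browsing, the application-site list and the URL filter are modelled as plain sets of host names, the malware scan as a SHA-256 match against a constructed hash set, and the verdict strings are this example's own; the configuration dictionary and sample URLs are constructed.

```python
"""The download checks in the order the web services overview lists them,
with the file block rules from the File block section. Added illustration,
not AnchivaOS code: the malicious-site list, Google Safe Browsing, the
application-site list and the URL filter are modelled as plain host sets,
and the malware scan as a SHA-256 match against a constructed hash set.
The verdict strings are this example's own.
"""
import hashlib
import posixpath
from urllib.parse import urlsplit


def normalize_extension(entry):
    """Apply the GUI rule for Block Extension entries: 'exe', '.exe' and
    '*.exe' all mean the same thing, '*' alone means every extension, and
    matching is case-insensitive."""
    entry = entry.strip().lower()
    if entry == "*":
        return "*"
    if entry.startswith("*."):
        entry = entry[2:]
    return entry.lstrip(".")


def file_blocked(filename, ext_rules, name_rules):
    """File block rules: an exact full-name match or an extension match."""
    name = filename.lower()
    if name in {n.lower() for n in name_rules}:
        return True
    exts = {normalize_extension(e) for e in ext_rules}
    if "*" in exts:
        return True
    _, dot, ext = name.rpartition(".")
    return bool(dot) and ext in exts


def check_download(url, body, cfg):
    """Return the first decisive verdict, walking the checks top to bottom.

    Note what the order implies: a whitelisted host returns before the file
    block rules and the malware scan run, so whitelisting a host is a
    statement of trust in everything it serves.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    filename = posixpath.basename(parts.path)

    if host in cfg["whitelist"]:
        return "Forward (whitelisted; no further checks)"
    if host in cfg["blacklist"]:
        return "Block (URL blacklist)"
    if host in cfg["malicious_sites"]:
        return "Block (malicious site)"
    if host in cfg["google_safe_browsing"]:
        return "Block (Google Safe Browsing)"
    if host in cfg["application_sites"]:
        return "Block (application site)"
    if host in cfg["url_filter"]:
        return "Block (URL filter category)"
    if file_blocked(filename, cfg["block_extensions"], cfg["block_fullnames"]):
        return "Block (file block rule)"
    if len(body) > cfg["oversize_limit_bytes"]:
        # Oversize files are never scanned; the configured action decides.
        return cfg["oversize_action"] + " (oversize, not scanned)"
    if hashlib.sha256(body).hexdigest() in cfg["malware_hashes"]:
        return cfg["infected_action"] + " (malware)"
    return "Forward (scanned clean)"


# Constructed sample configuration and sample bodies.
SAMPLE_MALWARE = b"CONSTRUCTED-SAMPLE-NOT-REAL-MALWARE"
CFG = {
    "whitelist": {"updates.example.com"},
    "blacklist": {"bad.example"},
    "malicious_sites": {"spyware.example"},
    "google_safe_browsing": {"phish.example"},
    "application_sites": {"games.example"},
    "url_filter": {"gambling.example"},
    "block_extensions": {"EXE", ".scr", "*.pif"},
    "block_fullnames": {"virus.exe"},
    "oversize_limit_bytes": 1024,
    "oversize_action": "Forward",
    "infected_action": "Block",
    "malware_hashes": {hashlib.sha256(SAMPLE_MALWARE).hexdigest()},
}


def demo(cfg=CFG):
    return {
        "whitelisted_malware": check_download("https://updates.example.com/tool.bin", SAMPLE_MALWARE, cfg),
        "blacklisted_host": check_download("http://bad.example/index.html", b"<html>", cfg),
        "exe_by_extension": check_download("http://cdn.example.net/Setup.EXE", b"MZ", cfg),
        "pif_wildcard_entry": check_download("http://cdn.example.net/a.pif", b"MZ", cfg),
        "fullname_rule": check_download("http://cdn.example.net/virus.exe", b"MZ", cfg),
        "oversize_pdf": check_download("http://cdn.example.net/report.pdf", b"%PDF" * 400, cfg),
        "infected_body": check_download("http://cdn.example.net/report.pdf", SAMPLE_MALWARE, cfg),
        "clean_body": check_download("http://cdn.example.net/notes.txt", b"hello", cfg),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Two results are worth a second look: "whitelisted_malware" is forwarded because the whitelist is consulted first, and "oversize_pdf" is forwarded unscanned because the oversize action in the sample is Forward. Both are exactly what the configuration asks for, which is why whitelist entries and the oversize action deserve review.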

HTTPS Content Inspection

HTTPS, also referred to as HTTP over SSL, is a proven and widely adopted method to encrypt sensitive information transferred between a client and a server. Using HTTPS, data is encrypted using strong cryptographic algorithms and a secure virtual tunnel is established from the client to the server, allowing the client to securely transfer information across the internet.

Unfortunately, the benefits of HTTPS connections are also exploited by hackers and by users on the network to bypass traditional HTTP filters. The encrypted tunnel established by an HTTPS connection prevents traditional firewalls from inspecting the data for malicious content.

Anchiva's HTTPS application engine solves the problem of users bypassing HTTP filters. Deployed at the internet gateway, when the SWG detects HTTPS connections being established, the HTTPS engine intercepts the traffic and acts as a trusted man in the middle. Intercepting the HTTPS traffic allows the SWG to perform data inspection on the client and server communications, giving the SWG the ability to identify the traffic and enforce internet use policies as needed by blocking malware content, non-productive application use and blacklisted websites. Because the SWG terminates the client's TLS session itself, clients must trust the certificate authority the SWG presents to them; otherwise they will see certificate warnings for every intercepted site.

The configuration of the HTTPS content inspection features is directly related to the HTTP features. This includes malware inspection and web filter rules and is discussed in more detail in the next section, "Configuring HTTP/HTTPS anti-malware settings".


Configuring HTTP/HTTPS anti-malware settings

The HTTP/HTTPS anti-malware settings allow you to enable or disable HTTP/HTTPS content protection functions. The HTTP/HTTPS anti-malware settings take effect when user traffic matches a filtering policy. For information about policies, see "Policies".

To configure HTTP/HTTPS anti-malware settings

1 Select Anti-Malware > Web Services > Profiles. Click the profile name to edit the Web Services properties for that profile.

Figure 65: Profile listing

2 Configure the following settings and click Apply.

Figure 66: Web Services anti-malware settings


Enable Malware Scan Enable to scan the HTTP/HTTPS traffic for malware infections.

Action for infected files: Select Forward, Block, or Quarantine.

Action for password protected files (ZIP and RAR): Select Forward, Block, or Quarantine.

Oversize File Limit: Sets the maximum file size to scan for malware infections. Valid range is from 1 to 100 MB. Note that setting a large file size to scan may affect the appliance's performance.

Oversize File Action: Select either to block or forward the files if the file size is larger than the specified oversize limit. For information about the priority levels of different content security features, see "Order of operations" on page 77.

Enable Filtering of HTTP/HTTPS Downloads: Enable filtering of HTTP/HTTPS download (GET method) traffic.

Enable Filtering of HTTP/HTTPS Uploads: Enable filtering of HTTP/HTTPS uploads (PUT and POST methods).

Enable HTTP/HTTPS Upload Blocking: Enable to block requests to upload information and files to websites using HTTP/HTTPS (PUT and POST methods). If you want certain users to be exempted from upload blocking for certain web sites, configure the IP or URL exclusion list.

Upload File Size Limit: Sets the maximum allowed upload file size for the IP addresses and/or URLs in the exclusion lists. The allowed uploads will be scanned for malware infections. Valid range is from 0 to 10000KB.

Action for Oversize Uploads: Select either to Block or Forwardand Scan the files if the file size is larger than the specifiedoversize limit.

Enable File Block Rules Enable to use the file block patterns. See “File block” on page 73.

Apply file block rules to: Select HTTP/HTTPS Uploads, Downloads, or Both.

Action for matched files: Select either Block or Forward. If the file is blocked, a replacement message will be sent to the web user. For details, see "Configuring HTTP/HTTPS warning messages".

Enable Web Filtering: Enable this option before enabling the options below. This option serves as the general switch.

Whitelist Enable to use the URL whitelist.

Blacklist Enable to use the URL blacklist.

Malicious Sites: Enable to block access to known malicious sites. The malicious sites are the known spyware web sites collected and compiled by the Anchiva RapidRX content security lab. Click Set Control Levels to configure actions towards the malicious site categories. For details, see "Configuring malicious site detection". For information about updating the malicious site list, see "Configuring update settings".

Enable online application sites controls: Enable to block access to websites that allow the use of non-approved applications. Click "Set Application Controls" to see the website categories.

Google Safe Browsing Service: Enable to use this service. Click License Key to install a license for Google Safe Browsing Service. For details, see "License".

Google Malicious Sites Action: Select either Block and Log or Forward and Log for the malicious sites detected by Google Safe Browsing Service.

URL Filter: Select to enable the use of the URL filter. The URL filter settings can be edited by clicking the 'Set URL Filter' button. A valid license must be added to use the URL Filter.

Enable Heuristic Engine: When enabled, the heuristics engine examines files for malware characteristics. Applying heuristics rules during file examination is used to detect and block malware variants that have not yet been classified. Settings for the heuristics engine include a configurable action, Block or Forward, and the level of heuristics rules to apply when examining files: High, Medium and Low. Note: Choosing a High setting applies stricter rules, whereas Medium and Low apply more general heuristics rules and can potentially cause more false positive malware detections.

Configure HTTP/HTTPS Bypass Content Type: Click Configure to add, delete, enable, or disable HTTP/HTTPS bypass content types. The specified content types will not be scanned.

Configuring exempt IP and URL lists from HTTP upload blocking

The HTTP/HTTPS POST blocking feature is an important security measure you can take to protect your network.

For example:

• By blocking HTTP/HTTPS POST requests, users are allowed to visit and view non-productive websites such as social networking forums and blogs, but they are blocked from posting or uploading information on those web sites.

• For webmail applications, users are allowed to read emails but not allowed to send emails. More importantly, they are blocked from uploading attachments to emails.

• It prevents the unauthorized transport of sensitive files from the network by blocking file uploads and file attachments to web posting sites and webmail accounts.

• It prevents malware-infected hosts from uploading harvested information from the network. Many malware applications silently gather information from an infected host and upload the stolen information to a web collection site. The HTTP/HTTPS POST controls block these actions.

However, some users on the network, such as network administrators, may need to POST or upload information to some web sites. In this case, you can use the IP and URL exempt lists to allow overrides for the HTTP/HTTPS POST blocking rules.

To configure the IP exclusion list from HTTP/HTTPS POST blocking

1 Select Anti-Malware > Web Services > Exempt IP

2 Click Configure IP Exclusion List.

3 In the popup dialog box, enter the IP address/subnet that is allowed to use HTTP/HTTPS POST. You can enter a maximum of 100 IP address entries, which can be hosts or subnets. The format for entering IP addresses is <ip-address>/<netmask>, for example, 172.16.10.0/24 for a subnet or 10.56.1.111/32 for a host.

4 Click Add.

5 To delete an IP address from the exclusion list, select the IP address and click Clear.

To configure the URL exclusion list from HTTP/HTTPS POST blocking

1 Select Anti-Malware > Web Services > Exempt URL

2 Click Configure URL Exclusion List.

3 In the popup dialog box, enter the domain name to which you allow the users to upload information. You can enter a maximum of 250 domains. The format for entering a domain is <domain-name>.<type>, for example, mydomain.com.

4 Click Add.

5 To delete a URL from the exclusion list, select the URL and click Clear.
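The two exclusion lists and the upload decision they feed, as an added example that is not AnchivaOS code. It enforces the entry formats and limits the procedures above state (100 <ip-address>/<netmask> entries, 250 bare domains) and applies the Upload File Size Limit and oversize action from the Web Services settings. The guide does not say whether a domain entry also covers its subdomains; this example assumes it does. The class and function names, verdict strings and sample addresses are this example's own.

```python
"""IP and URL exclusion lists for HTTP/HTTPS POST blocking, with the entry
formats and limits the guide states (up to 100 <ip>/<netmask> entries, up
to 250 bare domain names) and the resulting upload decision. Added
illustration, not AnchivaOS code. The guide does not say whether a domain
entry also covers its subdomains; this example assumes it does, and the
verdict strings are its own.
"""
from ipaddress import ip_address, ip_network

MAX_IP_ENTRIES = 100
MAX_URL_ENTRIES = 250


class ExclusionLists:
    def __init__(self):
        self.networks = []
        self.domains = []

    def add_ip(self, entry):
        """Accept <ip-address>/<netmask>, e.g. 172.16.10.0/24 or 10.56.1.111/32."""
        if len(self.networks) >= MAX_IP_ENTRIES:
            raise ValueError(f"IP exclusion list is full ({MAX_IP_ENTRIES} entries)")
        if "/" not in entry:
            raise ValueError("use <ip-address>/<netmask>; a single host is /32")
        self.networks.append(ip_network(entry.strip(), strict=False))

    def add_domain(self, entry):
        """Accept a bare domain such as mydomain.com, not a URL."""
        if len(self.domains) >= MAX_URL_ENTRIES:
            raise ValueError(f"URL exclusion list is full ({MAX_URL_ENTRIES} entries)")
        domain = entry.strip().lower().rstrip(".")
        if "/" in domain or ":" in domain or "." not in domain:
            raise ValueError("enter <domain-name>.<type>, for example mydomain.com")
        self.domains.append(domain)

    def ip_exempt(self, client_ip):
        addr = ip_address(client_ip)
        return any(addr in net for net in self.networks)

    def domain_exempt(self, host):
        host = host.lower().rstrip(".")
        # Assumption (not in the guide): an entry also covers its subdomains,
        # matched on a label boundary so mydomain.com.evil.example does not qualify.
        return any(host == d or host.endswith("." + d) for d in self.domains)


def upload_decision(lists, client_ip, host, method, size_bytes, limit_kb, oversize_action):
    """Upload blocking as the guide describes it: only PUT and POST are
    affected; an exempt client or destination may upload up to the Upload
    File Size Limit, which is still scanned; larger exempt uploads get the
    configured oversize action (Block, or Forward and Scan); everything
    else is blocked."""
    if method.upper() not in ("POST", "PUT"):
        return "Forward (not an upload)"
    if not (lists.ip_exempt(client_ip) or lists.domain_exempt(host)):
        return "Block (upload blocking)"
    if size_bytes > limit_kb * 1024:
        return f"{oversize_action} (oversize exempt upload)"
    return "Forward and Scan (exempt upload)"


def build_sample():
    """Constructed sample lists: the two entries from the guide plus one domain."""
    lists = ExclusionLists()
    lists.add_ip("172.16.10.0/24")
    lists.add_ip("10.56.1.111/32")
    lists.add_domain("mydomain.com")
    return lists


def demo():
    lists = build_sample()
    kw = dict(limit_kb=2048, oversize_action="Block")
    return {
        "admin_subnet_post": upload_decision(lists, "172.16.10.5", "forum.example", "POST", 4096, **kw),
        "single_host_put": upload_decision(lists, "10.56.1.111", "forum.example", "PUT", 4096, **kw),
        "neighbour_of_host": upload_decision(lists, "10.56.1.112", "forum.example", "POST", 4096, **kw),
        "exempt_domain": upload_decision(lists, "10.0.0.9", "files.mydomain.com", "POST", 4096, **kw),
        "lookalike_domain": upload_decision(lists, "10.0.0.9", "mydomain.com.evil.example", "POST", 4096, **kw),
        "oversize_exempt": upload_decision(lists, "10.0.0.9", "mydomain.com", "POST", 3 * 1024 * 1024, **kw),
        "plain_get": upload_decision(lists, "10.0.0.9", "forum.example", "GET", 0, **kw),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The "neighbour_of_host" and "lookalike_domain" cases show why the entry format matters: a /32 exempts one host only, and a domain exemption that matched on a plain suffix rather than a label boundary would be trivially widened by an attacker-controlled name.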

HTTPS Whitelist

The HTTPS Whitelist allows the SWG to bypass content filtering for the configured HTTPS URLs. Whitelisted HTTPS traffic is not inspected, so limit the list to destinations you trust.

To whitelist an HTTPS URL follow Anti-Malware > Web Services > HTTPS Whitelist

Enter the address and the listening port. Click Add to enable the entry and add it to the whitelist.

Configuring HTTP/HTTPS warning messages

The Anchiva gateway blocks or quarantines HTTP/HTTPS files for any of the following reasons:

• Malware detections. See "Configuring HTTP/HTTPS anti-malware settings".

• Blacklisted URL is matched.

• Malicious URL is matched.

• Application Sites URL is matched.

• Google Safe Browsing URL is matched.

• URL Filter matches a requested URL.

• HTTP/HTTPS file matches file-block patterns. See "File block".

• File size exceeds the specified threshold.

• Password protected files. See "Configuring HTTP/HTTPS anti-malware settings".

• Users are not allowed to use HTTP/HTTPS uploads.

When the Anchiva gateway blocks or quarantines a file, the gateway offers multipleways to alert the user and the administrator of the malicious activity.

Email alert: The system can be configured to send an alert message to the administrator when malware is blocked from being downloaded. See "Email Alerts".

Replacement pages: When a download file matches any of the HTTP/HTTPS security settings (malware match, oversize file, password protected file, or file type block), the Anchiva gateway will send a replacement web page to the user with a customizable warning message.

Figure 64: HTTP/HTTPS warning messages

To customize the warning messages

1 Select Anti-Malware > Web Services > Warning Messages. The 'Preview' option can be used to view the warning message before applying the changes.

2 Customize the messages.

3 Click Apply.

To discard the changes and restore to default, click Restore Default.

FTP Services

The Anchiva gateway filters both the FTP upload and download traffic. Using the Anti-Malware > FTP Services menu, you can enable or disable content security functions for FTP traffic.

For the FTP anti-malware settings to take effect, you must create a policy to filter FTP traffic. For information about policies, see “Policies” on page 107.

Supported FTP clients

The AnchivaOS supports the following FTP clients:

Supported FTP Clients

• ACEftp

• CoreFTP

• CuteFTP

• FTP commander

• GpFtp

• Internet Explorer - FTP client

• LeapFTP

• Linux FTP client

• Windows FTP client

The current AnchivaOS releases do not support the following FTP clients. It is recommended to use the fully compatible FTP clients listed above for file transfers.

Not supported FTP clients

• ChinaFTP

• BladeFTP

• FileZilla

• FlashXP

• SmartFTP

Figure 36: FTP service settings

To configure FTP anti-malware settings

1 Select Anti-Malware > FTP Services. Click a profile to edit its properties, or click Add to create a new profile.

2 Configure the following settings and click Apply.

Figure 65: FTP Services configuration

Enable Malware Scan: Enable to scan the FTP traffic for malware infections.

Action for infected files: Select Block, Forward, or Quarantine.

Action for password protected files (ZIP and RAR): Select the action (Block, Forward, or Quarantine) for the password protected files.

Enable File Block Rules: Enable to use the file block patterns to filter the FTP traffic. See “File block” on page 73.

Action for matched files: Select either Block or Forward.

Enable Scan for FTP Upload (FTP PUT): Enable to filter the FTP upload traffic.

Enable Scan for FTP Download (FTP GET): Enable to filter the FTP download traffic.

Enable Resume Broken Transfer: Enable to automatically resume broken file downloads or uploads after network connection interruptions.

Oversize File Limit: Set the maximum file size that the gateway will scan. Valid range is from 1 to 100 MB. Note that setting a large file size to scan may affect the appliance’s performance.

Oversize File Action: Select either to block or forward the files if the file sizes are larger than the specified oversize limit.

Enable Heuristic Engine: When enabled, the heuristics engine examines files for malware characteristics. Applying heuristics rules during file examination is used to detect and block malware variants that have not yet been classified. Settings for the heuristics engine include a configurable action, Block or Forward, and the level of heuristics rules to apply when examining files: High, Medium, and Low. Note: Choosing a High setting will apply stricter rules, whereas applying Medium and Low rules will apply more general heuristics rules and can potentially cause more false positive malware detections.

Email Services

As emails are received at the SWG, the contents are fully inspected for malicious content and file block rules are applied if required. The SWG has been proven to be compatible with a long list of email servers including MS Exchange and others. The transparent configuration of the SWG is easily deployed without requiring any changes to be made to the email server or the MX records.

The Anchiva gateway scans both SMTP and POP3 emails for malware and file pattern infections. You can add signatures to emails to inform email recipients whether the emails are clean or malware-infected.

You can also send an alert email to the system administrator whenever an email is infected by malware. For information about configuring alert emails, see “Email Alerts”.

This section contains the following topics:

• Configuring SMTP anti-malware settings

• Configuring SMTP email signatures

• Configuring POP3 anti-malware settings

• Configuring POP3 email signatures

Configuring SMTP anti-malware settings

The SMTP anti-malware settings allow you to enable or disable content security functions for SMTP traffic.

For the SMTP anti-malware settings to take effect, you must create a policy to filter SMTP traffic.

Figure 37: SMTP anti-malware settings

To configure the SMTP anti-malware settings

1 Select Anti-Malware > Email Services > SMTP > Profiles.

2 Click a profile name to edit.

3 Configure the following settings and click Apply.

Enable Malware Scan: Enable to scan the SMTP traffic for malware infections.

Action for infected files: Select one of the following actions:

Delete Message: Delete the entire message, including the email and email attachment.

Quarantine Message: Quarantine the entire message, including the email and email attachment. Then you can decide what to do with the quarantined emails.

Delete Attachment Only: Delete the attachment but forward the email.

Quarantine Attachment Only: Quarantine the attachment but forward the email. Then you can decide what to do with the quarantined email attachments.

Forward Message: Forward the email with a warning signature added to the email subject or email body.

Action for password protected files (ZIP and RAR): Select one of the above actions.

Enable File Block Rules: Enable to use the file block patterns.

Action for restricted files: Select one of the actions described above.

Oversize File Limit: Set the maximum file size that the gateway will scan. Valid range is from 1 to 100 MB. Note that setting a large file size to scan may affect the appliance’s performance.

Oversize File Action: Select either to block or forward the files if the file sizes are larger than the specified oversize limit.

Enable Heuristic Engine: When enabled, the heuristics engine examines files for malware characteristics. Applying heuristics rules during file examination is used to detect and block malware variants that have not yet been classified. Settings for the heuristics engine include a configurable action, Block or Forward, and the level of heuristics rules to apply when examining files: High, Medium, and Low. Note: Choosing a High setting will apply stricter rules, whereas applying Medium and Low rules will apply more general heuristics rules and can potentially cause more false positive malware detections.

Configuring SMTP email signatures

When the Anchiva gateway detects malware in the SMTP emails, the gateway can send an alert email to the system administrator. For information about configuring alert email addresses, see “Email Alerts”.

In addition, the gateway can add a warning signature to the email subject or email body to inform the email recipient of the infection. You can add customized signatures, such as “Infected email” or “Clean email”, to the email subject or email body. You can also add a note to caution the recipient if the email is infected.

Note: English and Chinese are supported in both email subject and email body signatures.

Figure 67: SMTP email signatures

To configure email signatures

1 Select Anti-Malware > Email Services > SMTP > Signatures.

2 Select Enable Signatures for Infected Emails or Enable Signatures for Clean Emails.

3 If you want to add signatures to the email subject, enter a signature for the email subject, such as “Infected Email” or “Clean Email”.

4 If you want to add signatures to the email body, enter a signature for the email body and specify whether to append the signature to the beginning or to the end of the email body.

5 Click Apply.

6 If you want to discard the changes, click Restore Default.

Configuring POP3 anti-malware settings

The POP3 anti-malware settings allow you to enable or disable content security functions for POP3 traffic.

For the POP3 anti-malware settings to take effect, you must create a policy to filter POP3 traffic.

Figure 68: POP3 anti-malware settings

To configure POP3 anti-malware settings

1 Select Anti-Malware > Email Services > POP3 > Profiles.

2 Click a profile name to edit.

3 Configure the following settings and click Apply.

Enable Malware Scan: Enable to scan the POP3 traffic for malware infections.

Action for infected files: Select one of the following actions:

Delete Message: Delete the entire message, including the email and email attachment.

Quarantine Message: Quarantine the entire message, including the email and email attachment. Then you can decide what to do with the quarantined emails.

Delete Attachment Only: Delete the attachment but forward the email.

Quarantine Attachment Only: Quarantine the attachment but forward the email. Then you can decide what to do with the quarantined email attachments.

Forward Message: Forward the email with a warning signature added to the email subject or email body. For details, see

Enable File Block Rules: Enable to use the file block patterns.

Action for restricted files: Select one of the actions described above.

Oversize File Limit: Set the maximum file size that the gateway will scan. Valid range is from 1 to 100 MB. Note that setting a large file size to scan may affect the appliance’s performance.

Oversize File Action: Select either to block or forward the files if the file sizes are larger than the specified oversize limit.

Replacement Message: When the Anchiva gateway detects malware in a POP3 email, the gateway replaces the infected email with a replacement message, informing the email recipient what happened to the email.

Enable Heuristic Engine: When enabled, the heuristics engine examines files for malware characteristics. Applying heuristics rules during file examination is used to detect and block malware variants that have not yet been classified. Settings for the heuristics engine include a configurable action, Block or Forward, and the level of heuristics rules to apply when examining files: High, Medium, and Low. Note: Choosing a High setting will apply stricter rules, whereas applying Medium and Low rules will apply more general heuristics rules and can potentially cause more false positive malware detections.

Configuring POP3 email signatures

When the Anchiva gateway detects malware in the POP3 emails, the gateway can send an alert email to the system administrator. For information about configuring alert email addresses, see “Email Alerts”.

In addition, the gateway can add a warning signature to the email subject or email body to inform the email recipient of the infection. You can add customized signatures, such as “Infected email” or “Clean email”, to the email subject or email body. You can also add a note to caution the recipient if the email is infected.

Note: English and Chinese are supported in both email subject and email body signatures.

Figure 69: POP3 email signatures

To configure email signatures

1 Select Anti-Malware > Email Services > POP3 > Signatures.

2 Select Enable Signatures for Infected Emails or Enable Signatures for Clean Emails.

3 If you want to add signatures to the email subject, enter a signature for the email subject, such as “Infected Email” or “Clean Email”.

4 If you want to add signatures to the email body, enter a signature for the email body and specify whether to append the signature to the beginning or to the end of the email body.

5 Click Apply.

6 If you want to discard the changes, click Restore Default.

File Quarantine

The Anchiva gateway can quarantine infected files for later review and offline inspection. Files can be quarantined from HTTP/HTTPS, FTP, SMTP, and POP3 traffic and saved to the local HDD on the SWG. You can view, delete, or download the quarantined files.

When logging the quarantine activities, the Anchiva gateway can transform the logs with no encoding information to UTF-8. For details, see “Automatic encoding transformation”.

This section contains the following topics:

• Managing quarantined HTTP/HTTPS files

• Managing quarantined FTP files

• Managing quarantined SMTP emails

• Managing quarantined POP3 emails

Managing quarantined HTTP/HTTPS files

When configuring the HTTP/HTTPS anti-malware settings, you can choose to quarantine the malware-infected files on the Anchiva appliance’s hard disk. As the Anchiva appliance’s system administrator, you can view, search, or delete the quarantined files. For more information, see “Configuring HTTP/HTTPS anti-malware settings”.

Figure 70: Quarantined HTTP/HTTPS files

To view the quarantined HTTP/HTTPS files

1 Select Anti-Malware > Quarantine > Files > HTTP/HTTPS.

2 The quarantined file list displays the following information.

Date/Time: Date (in YYYY-MM-DD format) and timestamp (in 24-hour format) when the file was quarantined.

File Name: Name of the quarantined file.

Size (KB): File size of the quarantined file.

Reason: Reason for quarantine, usually the virus or malware name.

Download: Downloads the file.

To search the quarantined files

1 If you want to search for a file by the file name, enter the file name.

2 If you want to search for files by time range, enter the start time and end time.

3 Click Search.

To delete the quarantined files

1 Select the files to delete.

2 Click Delete.

Managing quarantined FTP files

When configuring the FTP anti-malware settings, you can choose to quarantine the malware-infected files on the Anchiva appliance’s hard disk. As the Anchiva appliance’s system administrator, you can view, search, or delete the quarantined files.

To view the quarantined FTP files

1 Select Anti-Malware > Quarantine > Files > FTP.

2 The quarantined file list displays the following information.

Date/Time: Date (in YYYY-MM-DD format) and timestamp (in 24-hour format) when the file was quarantined.

File Name: Name of the quarantined file.

Size (KB): File size of the quarantined file.

Reason: Reason for quarantine, usually the virus or malware name.

Direction: The direction of the file transfer when detected, upload or download.

Download: Select the Download icon to download the quarantined file to your local machine.

To search the quarantined files

1 If you want to search for a file by the file name, enter the file name.

2 If you want to search for files by time range, enter the start time and end time.

3 Click Search.

To delete the quarantined files

1 Select the files to delete.

2 Click Delete.

Managing quarantined SMTP emails

When configuring the SMTP anti-malware settings, you can choose to quarantine the malware-infected emails or the email attachments on the Anchiva appliance’s hard disk. As the Anchiva appliance’s system administrator, you can view, search, or delete the quarantined emails.

Email messages and email attachments are quarantined separately.

Figure 71: SMTP email quarantine

To view the quarantined SMTP email messages or attachments

1 Select Anti-Malware > Quarantine > Email > SMTP to view the quarantined email messages, or select Anti-Malware > Quarantine > Email Attachment > SMTP to view the quarantined email attachments.

2 For the quarantined email messages and attachments, you can view the following information.

Date/Time: Date (in YYYY-MM-DD format) and timestamp (in 24-hour format) when the file was quarantined.

From Email: Email sender address.

To Email: Email recipient address.

Subject: Email subject.

File Name (for email attachment only): File name of the attachment file.

Reason: Reason for quarantine, either malware infection or file block match.

Action: Select the Download icon to download the quarantined file to your local machine. If any email is quarantined incorrectly (false positive), select the Resend icon to send the email to the recipient. The email will be sent from the email account you configure under Management > System Settings > Alerts > Email Alerts. For details, see “Email Alerts” on page 42.

To search the quarantined email messages or attachments

1 If you want to search emails by sender, recipient, or subject, select From, To, or Subject from the dropdown list and enter the sender address, recipient address, or subject. You can use the wildcards * and ?.

2 If you want to search emails by sending date and time, specify the date and time in the From and To text boxes.

3 Click Search.

Managing quarantined POP3 emails

When configuring the POP3 service settings, you can choose to quarantine the emails that are infected by malware or match the file block patterns. As the Anchiva appliance’s system administrator, you can view, search, or delete the quarantined emails.

Email messages and email attachments are quarantined separately.

Figure 72: POP3 email quarantine

To view the quarantined POP3 email messages or attachments

1 Select Anti-Malware > Quarantine > Email > POP3 to view the quarantined email messages, or select Anti-Malware > Quarantine > Email Attachment > POP3 to view the quarantined email attachments.

2 For the quarantined email messages and attachments, you can view the following information.

Date: Date (in YYYY-MM-DD format) and timestamp (in 24-hour format) when the file was quarantined.

From Email: Email sender address.

To Email: Email recipient address.

Subject: Email subject.

File Name (for email attachment only): File name of the attachment file.

Reason: Reason for quarantine, either malware infection or file block match.

Action: Select the Download icon to download the quarantined file to your local machine. If any email is quarantined incorrectly (false positive), select the Resend icon to send the email to the recipient. The email will be sent from the email account you configure under Management > System Settings > Alerts > Email Alerts. For details, see “Email Alerts” on page 42.

To search the quarantined email messages or attachments

1 If you want to search emails by sender, recipient, or subject, select From, To, or Subject from the dropdown list and enter the sender address, recipient address, or subject. You can use the wildcards * and ?.

2 If you want to search emails by sending date and time, specify the date and time in the From and To text boxes.

3 Click Search.

Anomaly Detection

The anomaly detection engine monitors and alerts on suspicious client activities that could point to infected hosts on the network attempting malicious activity. The anomaly events are logged under Reports and Logs > Logs > Event Logs > Anomaly for viewing of the detailed IP and session information.

Three categories of anomalous activity can be monitored: ARP spoofs, DNS checking, and a port monitoring feature that allows the SWG to mimic an application server, accepting and logging requests to it, similar to a honeypot.

This section contains the following topics:

• Anti-ARP spoof

• DNS checking

• Port monitor

Anti-ARP spoof

ARP spoofing is a method used by infected hosts to redirect application and routing requests to itself, the infected host, with the intent to steal the information destined for legitimate hosts and servers on the network. To carry out an ARP spoof, an infected host replies to ARP requests for its target machine, which could be a gateway or an application server such as an email server, a file server, a web server or another type of application server. Once the ARP tables have been corrupted to point to the IP of the infected host, all data and other information that should have been forwarded to the legitimate server is directed to the infected host, which can view and steal all of the information sent to it.

To protect against IP address hijacking of your servers and gateways (ARP spoofing), you can use static ARP entries by mapping MAC addresses to the corresponding IP addresses.

Figure 73: Anti-ARP spoofing

To add an anti-ARP spoofing entry

1 Select Anti-Malware > Anomaly > Anti-Arp Spoof.

2 Enter the server’s IP address and MAC address.

3 Click Add.

Note that you must select the enable option at the top of the page for the entries to take effect.
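As an added example (not AnchivaOS code) of the check that such static entries make possible, the Python below parses ARP reply frames and flags any reply whose sender IP is a protected server or gateway but whose sender MAC differs from the static entry. The static entries, the frames and the frame builder are constructed test input.

```python
"""Static ARP-entry check, in the spirit of the Anti-ARP Spoof feature.

Added example, not code from AnchivaOS. A reply that claims a protected IP with a
MAC other than the one in the static table is reported as a suspected ARP spoof.
"""
import struct
from typing import Dict, List, Optional, Tuple

ARP_ETHERTYPE = 0x0806
ARP_REPLY = 2


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp_reply(frame: bytes) -> Optional[Tuple[str, str]]:
    """Return (sender_ip, sender_mac) for an Ethernet/ARP reply, else None."""
    if len(frame) < 14 + 28:                       # Ethernet header + IPv4 ARP body
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ARP_ETHERTYPE:
        return None
    arp = frame[14:42]
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", arp[:8])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None                                # only Ethernet/IPv4 ARP is handled
    if oper != ARP_REPLY:
        return None                                # requests are not what the table guards
    sha, spa = arp[8:14], arp[14:18]               # sender hardware / protocol address
    return ip_str(spa), mac_str(sha)


def check_reply(static_entries: Dict[str, str], sender_ip: str,
                sender_mac: str) -> Optional[str]:
    """Describe the conflict if the reply contradicts a static entry, else None."""
    expected = static_entries.get(sender_ip)
    if expected is None:
        return None                                # not a protected host; nothing to compare
    if expected.lower() == sender_mac.lower():
        return None
    return (f"ARP spoof suspected: {sender_ip} claimed by {sender_mac}, "
            f"static entry is {expected}")


def scan_frames(static_entries: Dict[str, str], frames: List[bytes]) -> List[str]:
    """Run every frame through the parser and the static-entry check."""
    alerts = []
    for frame in frames:
        parsed = parse_arp_reply(frame)
        if parsed is not None:
            alert = check_reply(static_entries, *parsed)
            if alert:
                alerts.append(alert)
    return alerts


def build_arp_reply(sender_mac: str, sender_ip: str,
                    target_mac: str, target_ip: str) -> bytes:
    """Build a constructed Ethernet/ARP reply frame (test input only, never sent)."""
    def mac_bytes(m: str) -> bytes:
        return bytes(int(x, 16) for x in m.split(":"))

    def ip_bytes(i: str) -> bytes:
        return bytes(int(x) for x in i.split("."))

    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ARP_ETHERTYPE)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


# Constructed static entries, like those added under Anti-Malware > Anomaly > Anti-Arp Spoof.
STATIC_ENTRIES = {
    "192.0.2.1": "00:11:22:33:44:01",    # gateway
    "192.0.2.25": "00:11:22:33:44:19",   # mail server
}

# Constructed frames: a legitimate reply, a conflicting one, and one for an unprotected IP.
SAMPLE_FRAMES = [
    build_arp_reply("00:11:22:33:44:01", "192.0.2.1", "00:aa:bb:cc:dd:01", "192.0.2.50"),
    build_arp_reply("00:de:ad:be:ef:77", "192.0.2.1", "00:aa:bb:cc:dd:01", "192.0.2.50"),
    build_arp_reply("00:de:ad:be:ef:77", "192.0.2.99", "00:aa:bb:cc:dd:01", "192.0.2.50"),
]

if __name__ == "__main__":
    for line in scan_frames(STATIC_ENTRIES, SAMPLE_FRAMES):
        print(line)
```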

DNS checking

DNS checking is used to detect large amounts of DNS resolution requests to known malicious websites. Certain malware will use the infected machines to connect to known infected websites for uploading of stolen data or to receive remote control commands from a remote hacker.

The DNS checking feature monitors for requests for known malicious websites. If you see many requests from PCs on your network for known malicious websites, it may be an indication that the PC making those requests is already infected with some form of malware.

As an example, when a host becomes a zombie of a BOTNET, it is known that the compromised computer uses DNS to communicate with the BOT controller. Detecting and logging many anomalous DNS requests from a host may be an indicator that the host has been infected with malware and recruited into a BOTNET.

By intercepting the DNS requests, the Anchiva gateway can also preemptively block access to known malicious web sites.

To enable DNS checking

1 Select Anti-Malware > Anomaly > DNS Checking.

2 Select Enable DNS Checking.

3 Click Apply.
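An added example, not code from the appliance, of the per-host counting that DNS checking describes: it scans constructed DNS query log lines, matches the queried names against a stand-in malicious-domain list, and reports hosts that reach a lookup threshold within a time window. The log format, the domain list, the threshold and the window are all assumptions.

```python
"""Per-host count of DNS lookups for known malicious domains.

Added example, not AnchivaOS code. The log format, the stand-in domain list,
the threshold and the time window are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

# Constructed stand-in for the appliance's malicious-site database (placeholder names).
MALICIOUS_DOMAINS = {"bad-example.test", "c2-example.invalid"}


def is_malicious(qname: str) -> bool:
    """True if the queried name, or any parent domain of it, is on the list."""
    labels = qname.rstrip(".").lower().split(".")
    # Walk from the full name down to its 2-label suffix so subdomains match too.
    return any(".".join(labels[i:]) in MALICIOUS_DOMAINS
               for i in range(len(labels) - 1))


def parse_line(line: str) -> Tuple[datetime, str, str]:
    """Constructed log format: '<ISO timestamp> <client IP> <queried name>'."""
    ts, client, qname = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), client, qname


def find_suspect_hosts(lines: Iterable[str], threshold: int = 5,
                       window: timedelta = timedelta(minutes=10)) -> Dict[str, int]:
    """Return {client: hits} for clients with at least `threshold` lookups of
    known malicious domains inside some `window`-long span."""
    hits: Dict[str, List[datetime]] = defaultdict(list)
    for line in lines:
        ts, client, qname = parse_line(line)
        if is_malicious(qname):
            hits[client].append(ts)

    suspects: Dict[str, int] = {}
    for client, times in hits.items():
        times.sort()
        best = start = 0
        for end in range(len(times)):          # sliding window over the sorted times
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            suspects[client] = best
    return suspects


# Constructed sample log: 10.0.0.5 looks up a listed domain repeatedly, 10.0.0.7 once.
SAMPLE_LOG = [
    "2009-06-01T09:00:00 10.0.0.5 c2-example.invalid",
    "2009-06-01T09:00:30 10.0.0.5 www.example.test",
    "2009-06-01T09:02:00 10.0.0.5 c2-example.invalid",
    "2009-06-01T09:04:00 10.0.0.5 update.bad-example.test",
    "2009-06-01T09:05:00 10.0.0.7 bad-example.test",
    "2009-06-01T09:06:00 10.0.0.5 c2-example.invalid",
    "2009-06-01T09:08:00 10.0.0.5 c2-example.invalid",
    "2009-06-01T09:09:00 10.0.0.5 c2-example.invalid",
    "2009-06-01T09:30:00 10.0.0.7 mail.example.test",
]

if __name__ == "__main__":
    for host, count in find_suspect_hosts(SAMPLE_LOG).items():
        print(f"{host}: {count} lookups of known malicious domains within 10 minutes")
```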

Port monitor

Enabling the port monitor feature allows the Anchiva system to act as a honeypot on the network to monitor and log suspicious network activities. If a host on the network attempts to establish unsolicited connections to the management IP address of the Anchiva gateway, the event is logged and the host is identified.

The behavior of many infected hosts is to scan the network to infect other hosts. If many unsolicited application connection requests are seen from a particular host, it may be an indication that the host is scanning the network looking for other hosts to infect.

To enable the port monitor

1 Select Anti-Malware > Anomaly > Port Monitor.

2 Enable port monitoring on the selected interfaces.

3 Click Apply.

Application Controls

To prevent the abuse of internet access privileges by users on the corporate network, the Anchiva SWG can detect and block the use of productivity-draining and high-bandwidth applications such as Gaming, Streaming Media, P2P, Online TV and Stock Trading applications. Being deployed at internet gateway points in the network gives the SWG visibility into all internet traffic flowing into and out of the network. By utilizing a deep content inspection engine, the SWG can look into the payload of the packets and determine the application by its communication signature.

Once identified, the SWG can be configured to take different actions on the traffic as configured by the administrator. The traffic can be blocked and logged at the gateway, preventing use, or the application traffic can be identified and logged for later review by the administrator. Whichever policy your organization may take on how to enforce the use of non-approved applications on the network, the flexibility of the policy engine allows the SWG to meet passive or active requirements to deal with unwanted application use.

This section includes the following topics:

• Whitelist

• Non-productive applications

• Productive applications

• Instant Messenger

• IM Content Audit

Whitelist

The whitelist is used to create a listing of clients that will be exempt from the application controls. The result of adding clients to the whitelist will be to allow the client to bypass the configured application control rules. This option is useful for clients that require special privileges, for example IT staff that may need to use or test new applications on the network.

In the configuration, clients can be defined by:

• IP Subnet (including host subnet)

• IP range

• AD User Name

• AD User Group

To configure application control whitelist rules, select Application Controls > Whitelist.

Figure 74: Application Whitelist configuration

Non-productive applications

Non-productive applications have the potential to distract users from performing their job duties and possibly use a high amount of internet bandwidth. They are grouped into the following categories:

Gaming: Online gaming applications.

Stock Trading: Online stock trading applications.

Online TV: Online streaming TV applications. Note: A bandwidth object can be applied to the online TV application category to control the amount of bandwidth these applications use.

P2P: Peer-to-peer applications, which also have the potential to use a high amount of bandwidth. Note: A bandwidth object can be applied to the P2P application category to control the amount of bandwidth these applications use.

Tunnel software: Tunneling software that tries to evade firewall rules by tunneling applications over well-known ports such as port 80.

Stream Media: Streaming media applications that allow users to view movies or listen to music on the network.

To configure the actions that can be applied at the group or individual application level:

1. Select Application Controls > Non-Productive.

2. Select the Application Control profile to edit by clicking on the profile name.

3. To expand the categories click on the name.

4. To edit the properties and actions click the edit button in the far left column.

Note: The Bandwidth limiting options are available only on some applications.

5. Time Objects can be applied to all non-productive applications to limit the times they are used. For more information, see Time Objects.

6. Bandwidth Objects can be applied to some non-productive applications to rate limit the amount of bandwidth the application can use if allowed. Applications that cannot be rate limited are marked with a note. For more information on bandwidth limits, see Bandwidth Objects.

Figure 75: Non-productive application listing

Productive applications

Productive applications include useful and often critical applications such as email. The productive applications are grouped into the following categories.

WWW: Web and web upload applications. Additional rules, including malware inspection and the web filters, can be applied for granular web access.

FTP: File transfer applications including FTP, TFTP and Gopher.

Mail: Internet email applications including SMTP and POP3.

Remote Access: Remote access tools needed by some groups within the network, including VNC, SSH and telnet.

System: Applications used by some systems, including LDAP, RADIUS and others.

User Defined Protocols: User defined custom protocols and applications used on the network.

To configure the actions that can be applied at the group or individual application level:

1. Select Application Controls > Productive.

2. Select the Application Control profile to edit by clicking on the profile name.

3. To expand the categories click on the name.

4. To edit the properties and actions click the edit button in the far left column.

5. Time and Bandwidth Objects can be applied to productive applications to limit the times they are used and also limit the amount of bandwidth each application can use. For more information, see Time Objects and Bandwidth Objects.

Figure 76: Productive application listing

Instant messenger

Application controls can be applied to IM applications. For MSN and QQ messenger applications, the Anchiva system can also control specific actions such as file transfers and the use of audio and video access through the messenger application.

Figure 77: IM application control

To configure the actions for each IM application

1. Select Application Controls > Instant Messenger.

2. Select the Application Control profile to edit by clicking on the profile name.

3. Click the Edit icon in the far right column.

4. For each IM application, select the action:

Additional actions are available for MSN and QQ.

5. When choosing an action other than 'Statistics Only', the system also gives the option to apply a Time Object to the profile, which is used to block or allow the use of these applications during specific times of the day or week. For more information about configuring Time Objects, see Object Settings.

6. Click Apply.

IM Content Audit

The IM content audit feature allows the Anchiva system to capture and log IM chat sessions from MSN and Yahoo messenger sessions.

The logs can be viewed in the Reports and Logs > Applications > IM Content Logs section.

To enable the audit, click the profile and select the check boxes to enable the audit logs for either MSN or Yahoo chat sessions.

Figure 78: IM Content Audit configuration

Web Filter

The web filter is used to detect web requests to potentially harmful and unwanted websites. As users on the network browse to internet websites, the SWG inspects the destination URL and compares it against onboard categorized URL databases, which are grouped into 5 main categories. The Malicious Sites and Application Sites categories have subcategories that can be custom configured within a security profile and used in a policy.

URL rules fall into the following categories:

• URL Whitelist - Custom configurable URL list used for adding trusted websites. Data transferred to and from trusted websites is not subject to content inspection. Because a whitelist entry also bypasses malware scanning, keep the list short and limited to hosts you control or trust.

• URL Blacklist - Custom configurable URL list used for adding untrusted websites. URL requests made to these websites will be blocked by the SWG.

• Malicious sites - Anchiva's RapidRx research team continuously updates the malicious sites database as they discover websites that are known to host malicious content. The malicious sites are categorized into 6 subcategories, which are discussed in detail in the malicious sites section.

• Application sites - Also updated and maintained by Anchiva's RapidRx research team, the application sites currently contain 3 subcategories of websites that allow the use of potentially non-productive applications: online gaming, online stock trading and webmail. The use of each category can be customized within a security profile.

• URL Filter - The URL filter categorizes websites based on their content into main and subcategories. Different actions can be configured for each main and subcategory. A valid license is required to use the URL Filter.

If a policy blocks access to a URL, the SWG generates a custom-configured warning message and delivers it to the user attempting to access the blocked URL.

For details, see “Configuring HTTP warning messages”.

URLs that match a whitelist entry are not logged, nor is a warning message sent to users who access a whitelisted website.

Note: The whitelist and the blacklist can have a maximum of 10,000 URL entries each.

Web filtering processing overview

The Anchiva gateway checks URLs against the URL filters, and takes action, in the following order:

1 URL whitelist.

2 URL blacklist.

3 Malicious sites.

4 Application sites.

5 Google Safe Browsing sites.

6 URL Filter (a license is needed to enable the URL Filter).

If the URL does not match any of these filters, the SWG performs full content inspection of the data transferred between the client and server in both directions (if the policy matched for the traffic has an action of "Filter").

Note: The URLs in the whitelist have the top priority. This means that if a whitelisted URL is mistakenly entered into the URL blacklist, access to this URL will still be allowed.

URL formats

The Anchiva Gateway filters on the host name portion of a URL. For example, creating an entry for "news.abcsite.com" controls access only to the "news" host of the domain "abcsite.com"; it does not block access to the top level domain "abcsite.com". On the other hand, creating an entry for "abcsite.com" controls all access to the top level domain, abcsite.com. Because matching is on the host name, an entry cannot be limited to a particular path on a site.

When specifying a URL, use the following formats:

§ Enter a top-level URL or IP address to control access to all pages on a web site. For example, www.abcsite.com or 192.168.1.1 controls access to all pages at this web site.

§ Enter a host name to control access only to the links from the specified host in the URL. For example, entering mail.abcsite.com controls access only to the mail host, but access to the top level domain, abcsite.com, is still allowed.

§ Enter a domain name to control access to all pages with a URL that ends with the domain name. For example, abcsite.com controls access to www.abcsite.com, mail.abcsite.com, www.finance.abcsite.com, and other pages under this domain.

§ Enter a wildcard character * to represent all matching patterns. For example, abcsite.* controls abcsite.com, abcsite.org, and abcsite.net. The wildcard can only be used as a suffix or prefix. For example, *.com and abcsite.* are supported, but abcsite.*.com is not.

§ When importing a URL list, each line must begin with enable or disable, followed by the URL. The sample below is the guide's own; its entries also carry a second field, 0x15, between the status and the URL, whose meaning this guide does not document, so keep it as shown. The following is a sample URL list:

# This is a comment line preceded by #. Blank lines are allowed. Characters are not case-sensitive.

enable, 0x15, baidu.com
enable, 0x15, google.com
enable, 0x15, google.com.cn
disable, 0x15, hotmail.com
enable, 0x15, msn.com
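The matching rules and the whitelist-before-blacklist order described above, as an added example in Python (example code, not AnchivaOS code). It assumes that a bare domain entry covers every host under it, that a host entry covers that host and anything below it, that a wildcard entry is a plain prefix or suffix string match on the host name, and that an IP literal matches only itself; the sample list is constructed from the guide's own entries plus two hypothetical ones (mail.abcsite.com, abcsite.*).

```python
"""Added example (not AnchivaOS code): parse a URL list in the guide's import
format and apply the documented whitelist-before-blacklist order."""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample list in the import format shown in the guide.
# The second field (0x15) appears in the guide's samples without explanation;
# this parser carries it through unchanged.
SAMPLE_LIST = """\
# Comment lines start with #; blank lines are allowed; case does not matter.

enable, 0x15, baidu.com
enable, 0x15, google.com
disable, 0x15, hotmail.com
ENABLE, 0x15, mail.abcsite.com
enable, 0x15, abcsite.*
"""


def parse_url_list(text):
    """Return a list of (enabled, flag, pattern) tuples, one per entry line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3 or parts[0].lower() not in ("enable", "disable"):
            raise ValueError(f"line {lineno}: expected 'enable|disable, <field>, <url>'")
        status, flag, pattern = parts
        # The guide allows '*' only as a prefix (*.com) or a suffix (abcsite.*).
        if "*" in pattern and (pattern.count("*") != 1
                               or (pattern[0] != "*" and pattern[-1] != "*")):
            raise ValueError(f"line {lineno}: wildcard must be a prefix or suffix")
        entries.append((status.lower() == "enable", flag, pattern.lower()))
    return entries


def host_matches(host, pattern):
    """Apply the guide's matching rules to one host name or IP literal.

    Assumptions: wildcards are plain prefix/suffix string matches; an IP
    literal matches only itself; a name matches itself and any host below it
    (so abcsite.com covers mail.abcsite.com, but mail.abcsite.com does not
    cover www.abcsite.com)."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*"):
        return host.endswith(pattern[1:])
    if pattern.endswith("*"):
        return host.startswith(pattern[:-1])
    try:
        ipaddress.ip_address(pattern)
        return host == pattern
    except ValueError:
        return host == pattern or host.endswith("." + pattern)


def classify(url, whitelist, blacklist):
    """Evaluate the first two stages of the documented processing order.

    Returns 'whitelist' or 'blacklist' for the first list with an enabled
    matching entry, or None if neither matches (the later stages, down to
    full content inspection, would then apply). Disabled entries are skipped,
    and a whitelist hit wins even if the blacklist also matches."""
    host = urlsplit(url if "//" in url else "//" + url).hostname or ""
    for name, entries in (("whitelist", whitelist), ("blacklist", blacklist)):
        if any(enabled and host_matches(host, pat) for enabled, _, pat in entries):
            return name
    return None


if __name__ == "__main__":
    wl = parse_url_list(SAMPLE_LIST)
    bl = parse_url_list("enable, 0x15, abcsite.com\nenable, 0x15, hotmail.com\n")
    for u in ("http://www.google.com/search", "http://mail.abcsite.com/inbox",
              "http://www.abcsite.com/", "http://hotmail.com/", "http://example.net/"):
        print(f"{u:35} -> {classify(u, wl, bl)}")
```

Running it shows the two points the guide makes: mail.abcsite.com is allowed by the whitelist even though abcsite.com is blacklisted, and the disabled hotmail.com whitelist entry has no effect, so the blacklist entry for it applies.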

Configuring URL whitelists

You can specify the URLs that the Anchiva gateway will exempt from blocking and scanning. You can enter URL entries manually or import a URL list formatted as CSV. For information about URL formats, see “URL formats” above. You can export the URL list and save it to your local machine for backup purposes. You can also search for a URL in the URL whitelist.

Figure 79: Configuring the URL whitelist

Configure the URL Whitelist

1 Select Web Filter > Whitelist.

2 Enter the URL and click Add.

3 Select Enable if you want the added URL to take effect. If disabled, the URL will not take effect although it appears in the whitelist.

URL lists can also be imported for easier configuration.

To import a whitelist

1 Click Browse to locate the file.

2 Click Apply.

The list must use the following format:

status (enable, disable), domain

For example (the sample entries also carry the second field, 0x15, shown under “URL formats”):

enable, 0x15, baidu.com
enable, 0x15, google.com
enable, 0x15, google.com.cn
disable, 0x15, hotmail.com
enable, 0x15, msn.com

To export the whitelist

1 Click Export.

2 Specify a file name and location.

3 Click Save.

To search for a URL in the whitelist

1 Enter the URL name beside Search. The URL must be typed exactly as it is entered in the whitelist. Wildcards are not supported.

2 Click Search. The URL will be displayed if there is a match.

Configuring URL blacklists

Specify untrusted URLs for the Anchiva gateway to block access to. You can enter URL entries manually or import a URL list formatted as CSV. You can export the URL list and save it to your local machine for backup or reuse.

Configure the URL Blacklist

1 Select Web Filter > Blacklist.

2 Enter the URL and click Add.

3 Select Enable if you want the added URL to take effect. If disabled, the URL will not take effect although it appears in the blacklist.

URL lists can also be imported for easier configuration.

To import a blacklist

1 Click Browse to locate the file.

2 Click Apply.

The list uses the same format as the whitelist import:

status (enable, disable), domain

For example:

enable, 0x15, baidu.com
enable, 0x15, google.com
enable, 0x15, google.com.cn
disable, 0x15, hotmail.com
enable, 0x15, msn.com

To export the blacklist

1 Click Export.

2 Specify a file name and location.

3 Click Save.

To search for a URL in the blacklist

1 Enter the URL name beside Search. The URL must be typed exactly as it is entered in the blacklist. Wildcards are not supported.

2 Click Search. The URL will be displayed if there is a match.

Configuring malicious site detection

The malicious sites are rated by severity level based on the malware's potential to cause harm to the target computer. The levels are grouped into six categories, each with a configurable action (Block and Log or Log Only) that can be set separately.

Web Filter > Malicious Sites

Figure 80: Malicious sites

Configure malicious sites profiles

1 Select Web Filter > Malicious Sites. Choose a profile to edit or add a new web filter profile.


2 Select one of the following two actions for each of the six malicious site categories:

• Block and Log: Block access to the malicious sites and log the incidents.

• Log Only: Allow access to the sites and log the incidents.

Configuring application sites detection

The Application Sites filter categorizes URLs based on the type of application that can be used on that website. The list includes websites used for non-productive internet activity that can result in lost productivity and potentially high bandwidth use. Currently, the Application Sites filter contains three categories: Online Gaming, Online Stock Trading, and Webmail.

The Application Sites filter can be enabled to block, or to log and report on, the use of potentially non-productive web-based applications on your network. AnchivaOS can apply different configurations to different groups of users by using the "Profile" options.

Anchiva security engineers maintain and constantly update the application sites list and provide regular updates as part of Anchiva's subscription services.

To configure the Application Sites

1. Select Web Filter > Application Sites.

2. Select the "Profile" to apply the settings to. Choose the "default-security-profile" if the settings will apply to most users.

3. Click an existing profile to edit its settings.

4. Choose the action to take for each Application Sites category. Available actions are: Forward (No Logging), Forward and Log, and Block and Log.

5. Click Apply to save the changes.

Figure 81: Application Sites configuration

Note: In future releases, more categories may be added to the application sites list.


Configuring the URL Filter

The URL Filter allows the administrator to enforce acceptable use policies on the organization's network.

It filters URL requests based on the content and category of the website. URLs are broken down into 7 top-level categories (listed below), each divided into more granular sub-categories, giving the administrator fine-grained control over the content that users on the corporate network are allowed to view and visit.

A license must be purchased to enable and update the URL Filter.

Figure 82: Application Sites configuration

Customizable actions

Each top-level and sub category can be assigned its own action: Forward (No logging), Forward and Log, and Block and Log.

Logging and Reporting

URL matches from the URL Filter are logged locally and, if configured, to a remote syslog server. The onboard reporting tools on the Anchiva system allow the administrator to generate URL use reports based on the client IP address. Logs and reports can be exported in CSV or HTML format for ease of viewing and distribution.


Server Protection

When deployed in front of web servers, the Server Protection security features are used to detect attacks aimed at disrupting the normal operation of web servers. As clients interact with web servers, the SWG can detect and prevent malicious attacks launched by clients, including SQL injection, buffer overflow and cross-site scripting attacks.

Anchiva's RapidRx research team continuously updates the server protection threat database, which is then downloaded by the SWGs deployed in the field.

The Server Protection options are located in the Server Protection menu tab.

The topics to be covered in this section include the Profiles and Warning messages.

Profiles

Server Protection profiles can be configured with custom actions.

1. Select Server Protection > Profiles.

2. Select the profile to edit by clicking on the profile name.

3. Enable detection and choose the action to take when attacks are detected.

Figure 83: Server Protection configuration

4. The sending of warning messages can be disabled or enabled.

Warning Messages

If required, a warning message can be sent by the SWG to the client performing the malicious action. Whether to send warning messages should be decided by company policy: there are cases where it is better not to warn an attacker that a security device is in place in front of the web server, since the response confirms to the attacker that the request was recognized as malicious.

The format of the warning message is an editable HTML file.


The Preview button is used to display the warning in a popup browser page.


Syslog Message Reference

When configuring log settings under Management > Logs > System Logs in the Anchiva appliance's WebUI, you can choose to send log messages to up to three syslog servers. For details, see “Saving logs to Syslog servers”.

This section describes the syslog message formats supported by AnchivaOS. It contains the following topics:

• Message format

• Message categories

• Message header

• Message body

Message format

The syslog messages generated by the Anchiva gateway conform to RFC 3164 and have the following format:

• PRI part

• Message header

• Message body

PRI part

The PRI part of each syslog message specifies the facility and severity level of the message. The Anchiva gateway tags each message with the appropriate facility and severity levels based on your configuration.

The PRI is enclosed in angle brackets as specified in the RFC.

Facility level

Facility indicates to the syslog server the source of a log message. If you have more than one Anchiva gateway, use a different facility number on each so that the server can tell their log messages apart. The supported facilities are the local use facilities, local0 through local7.

Severity level

The syslog messages support the following severity levels:

• Emergency

• Alert

• Critical

• Error

• Warning

• Notification

• Information

Message header

The message header includes a timestamp and the host name/IP address to differentiate the source of the messages.

Message body

The message body includes specific information about the message, such as the virus or spyware detected and the client and server IP address information.

Message categories

Syslog messages are grouped into the following categories:

• Admin logs: Record administrator activities including system login, logout, and configuration changes made.

• Email logs: Record the normal emails processed by the Anchiva gateway.

• Malware logs: Record the malware detected by the Anchiva gateway in the HTTP, FTP, SMTP, and POP3 traffic.

Message header

The message header contains the following information:

| Date (date=) | System_ID (System_ID=) |

Example of a message header:

2006-08-09 11:16:23 System_ID=Anchiva1000x

Date: The year, month, day, hour, minute and second when the event occurred. Note that this layout differs from the RFC 3164 TIMESTAMP form (Mmm dd hh:mm:ss), so verify that your syslog collector parses it as intended.

System_ID: The hostname or interface IP address of the Anchiva gateway. The interface IP will be the egress interface the message was sent out from. In most cases this will be the vlan1 address.


Message Body

The message body is the content of the message. It records the specific information about the incident.

The message body formats for each log category are listed in the following topics.

• Admin audit messages

• Email messages

• Malware messages

Admin audit messages

The admin audit logs contain administrator activities including system login, logout and configuration changes.

The logs contain the following information:

• Admin name

• Client IP address

• Access method

• Action performed

Admin=<admin_name> Client_IP=<source> Access=<Web|Console|SSH> Action=<action>

Email messages

The Anchiva system can log all normal emails. The information contained in the logs is extracted from the email header and includes the following:

• Logcategory (normal email)

• Protocol (SMTP or POP3)

• Sender IP (SMTP) or Receiver IP (POP3)

• From (sender email address)

• To (recipient email address)

• Subject (email subject)

• Action (the action performed on the email by the Anchiva system. This will always be “Forward” for clean emails. This field is required for certain certifications.)

SMTP message

Logcategory=<type> Protocol=SMTP Sender_IP=<ip_address> From=<email_address> To=<email_addr> Subject=<string> Action=Forward

POP3 message

Logcategory=<type> Protocol=POP3 Receiver_IP=<ip_address> From=<email_address> To=<email_addr> Subject=<string> Action=Forward

Malware messages

For all malware events, a log is generated to alert the administrator of an infection that was blocked by the system.

HTTP logs

HTTP logs contain the following information:

• Logcategory (Virus_Alert or Spyware_Alert)

• Protocol (HTTP)

• Client IP (IP address of the client who attempted to download an infected file)

• Server IP (source of the infected file)

• URL (complete URL of the infected file)

• Name of the Virus or Spyware blocked by the system

• Action performed by the system. In the current release of AnchivaOS, only Blocked is available. The Quarantine option will be available in the next major release.

Logcategory=<type> Protocol=<protocol> Client_IP=<ip_address> Server_IP=<ip_address> URL=<URL> [Virus=<virusname> | Spyware=<spywarename>] Action=<Blocked | Quarantined>

FTP logs

FTP logs contain the following information:

• Log category (Virus_Alert or Spyware_Alert)

• Protocol (FTP)

• Client IP (IP address of the client who attempted to download an infected file)

• Server IP (source of the infected file)

• URL (complete URL of the infected file)

• Direction: either Download or Upload

• Name of the Virus or Spyware blocked by the system

• Action performed by the system: either Blocked or Quarantined. In the current release of AnchivaOS, only Blocked is available. The Quarantine option will be available in the next major release.

Logcategory=<type> Protocol=<protocol> Client_IP=<ip_address> Server_IP=<ip_address> URL=<URL> Direction=<Download | Upload> [Virus=<virusname> | Spyware=<spywarename>] Action=<Blocked | Quarantined>

SMTP logs

SMTP logs contain the following information:

• Log category (Virus_Alert or Spyware_Alert)

• Protocol (SMTP)

• Sender IP (client IP where the infected email originated from)

• From (email address of the sender of the infected file)

• To (email address of the recipient of the infected file)

• Name of the Virus or Spyware blocked by the system

• Action performed by the system, either Quarantined or Deleted

Logcategory=<type> Protocol=<protocol> Sender_IP=<ip_address> From=<email_address> To=<email_address> Subject=<string - subject> [Virus=<virusname> | Spyware=<spywarename>] Action=<Quarantined | Deleted>

POP3 logs

POP3 logs contain the following information:

• Log category (Virus_Alert or Spyware_Alert)

• Protocol (POP3)

• Receiver IP (IP address of the client who attempted to receive the infected email)

• From (email address of the sender of the infected file)

• To (email address of the recipient of the infected file)

• Name of the Virus or Spyware blocked by the system

• Action performed by the system, either Quarantined or Deleted

Logcategory=<type> Protocol=<protocol> Receiver_IP=<ip_address> From=<email_address> To=<email_address> Subject=<string - subject> [Virus=<virusname> | Spyware=<spywarename>] Action=<Quarantined | Deleted>
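The PRI part, message header and message body formats in this reference, worked through as an added Python example (example code, not AnchivaOS code). It computes PRI the way RFC 3164 defines it, parses lines laid out as documented here into fields, and counts blocked malware per client, which is the first figure a responder wants from these logs. Assumptions: the facility names local0 to local7 map to RFC 3164 codes 16 to 23, the guide's "Notification" and "Information" correspond to RFC 3164 Notice (5) and Informational (6), and the sample lines are constructed for illustration, not captured from a device.

```python
"""Added example (not AnchivaOS code): encode/decode the PRI part and parse
messages laid out as in this reference, then summarise malware alerts."""
import re
from collections import Counter

# RFC 3164 numeric codes. Assumed mapping: local0..local7 -> 16..23, and the
# guide's "Notification"/"Information" -> RFC 3164 Notice (5)/Informational (6).
FACILITY = {f"local{i}": 16 + i for i in range(8)}
SEVERITY = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
            "warning": 4, "notification": 5, "information": 6}


def encode_pri(facility, severity):
    """PRI = facility * 8 + severity, in angle brackets (RFC 3164, 4.1.1)."""
    return f"<{FACILITY[facility] * 8 + SEVERITY[severity]}>"


def decode_pri(pri):
    """Split '<NNN>' back into (facility code, severity code)."""
    return divmod(int(pri.strip("<>")), 8)


# Constructed sample lines in the documented header/body layout; they are
# illustrative, not captured from a device.
SAMPLE_LOG = [
    "<133>2006-08-09 11:16:23 System_ID=Anchiva1000x Admin=admin "
    "Client_IP=10.0.0.5 Access=Web Action=login",
    "<130>2006-08-09 11:17:02 System_ID=Anchiva1000x Logcategory=Virus_Alert "
    "Protocol=HTTP Client_IP=10.0.0.7 Server_IP=203.0.113.9 "
    "URL=http://203.0.113.9/dl/setup.exe?id=1 Virus=EICAR-Test-File Action=Blocked",
    "<130>2006-08-09 11:17:40 System_ID=Anchiva1000x Logcategory=Spyware_Alert "
    "Protocol=FTP Client_IP=10.0.0.7 Server_IP=203.0.113.9 "
    "URL=ftp://203.0.113.9/tool.exe Direction=Download Spyware=Example.Spy Action=Blocked",
    "<134>2006-08-09 11:18:11 System_ID=Anchiva1000x Logcategory=Normal "
    "Protocol=SMTP Sender_IP=10.0.0.9 From=a@example.com To=b@example.com "
    "Subject=quarterly report Action=Forward",
]

# Header: PRI, the guide's "YYYY-MM-DD hh:mm:ss" date, then System_ID=.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<date>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"System_ID=(?P<system_id>\S+) (?P<body>.*)$")
# A value runs up to the next " Key=" token, so a Subject with spaces survives;
# a Subject that itself contains " word=" would be split (known limitation).
FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def parse_message(line):
    """Return a dict of header fields plus the body's Key=value pairs."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not in the documented layout: " + line)
    facility, severity = decode_pri(m["pri"])
    rec = {"facility": facility, "severity": severity,
           "date": m["date"], "system_id": m["system_id"]}
    rec.update((k, v) for k, v in FIELD_RE.findall(m["body"]))
    return rec


def malware_by_client(lines):
    """Count *_Alert messages per affected host: the Client IP for HTTP/FTP,
    the Receiver IP for POP3 and the Sender IP for SMTP."""
    hits = Counter()
    for rec in map(parse_message, lines):
        if rec.get("Logcategory", "").endswith("_Alert"):
            who = rec.get("Client_IP") or rec.get("Receiver_IP") or rec.get("Sender_IP")
            hits[who] += 1
    return hits


if __name__ == "__main__":
    print(encode_pri("local0", "critical"))      # <130>
    for rec in map(parse_message, SAMPLE_LOG):
        print(rec)
    print(malware_by_client(SAMPLE_LOG))
```

Because values are delimited only by the next " Key=" token, a URL or subject containing a space followed by something that looks like a field name will be mis-split; if that matters for your collector, route these messages through a parser that knows the field order of each category rather than a generic key=value scan.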


Index

- A -

About 8

Admin access controls 56

Admin accounts 54

Admin audit messages 160

Administrator accounts 54

Anomaly detection 140

Anti-ARP spoofing 140

Application controls 91, 143

Application sites 154

Application Whitelist 143

ARP probe 36

Automatic encoding transformation 80

- C -

Client incidents 81

Configuring host settings 14

Configuring vlans 34

- D -

Dashboard and statistics 58

DNS checking 141

DNS servers 16

- E -

Editing interface properties 30

Email alerts 19, 25

Email messages 160

Email services 129

Enable SNMP 15

Event logs 87

Exempt IP addresses 121

- F -

Fail-safe operation 18

Feedback reporting 18

File block 114

File block by extension 114

File block by name 115

File handling 112

File quarantine 135

Firmware updates 45

FTP quarantined files 136

FTP services 126

FTP statistics 65

- G -

Generating reports 80

Global service settings 112

- H -

HA 39

HA cluster 43

HA pair 43

HA settings 39

HA upgrading firmware 43

Hardware bypass 19

HTTP/HTTPS anti-malware settings 118

HTTP/HTTPS quarantined files 135

HTTP/HTTPS Statistics 63

HTTP/HTTPS warning messages 122

HTTPS content inspection 117

- I -

IM Content Audit 148

Inspection mode 16

Instant messenger 146

Interface list 29

Interface statistics 62

Interface weights 42

Interfaces 28

- L -

Licenses 51

Log settings 21

Log severity levels 24

Logging on to the WebUI 11

Logs 80

Logs and reports 77


- M -

MAC address controls 35

Malicious sites 153

Malware detected 83

Malware messages 161

Management 94

Message body 159, 160

Message categories 159

Message Format 158

Message header 159

- N -

Network settings 28

Non-productive applications 144

Normal emails 90

- O -

Obtaining technical support 9

- P -

Policies 97

Policy overview 104

POP3 anti-malware settings 131

POP3 email signatures 133

POP3 quarantined files 138

POP3 statistics 66

Port monitor 141

PRI part 158

Productive Applications 145

Profile 156

Proxy authentication 50

- R -

Report schedules 78

Report storage settings 19

Reports 73

Reports and logs 73

Route mode 31

Routing table 36

- S -

Security groups 102

Security profiles 103

Server Protection 156

service 8

Session tracking 105

Setting the host name 14

Setting the system time 15

Shutting down the system 52

SMTP anti-malware settings 129

SMTP email signatures 130

SMTP quarantined files 137

SMTP statistics 67, 69, 71

SNMP traps 26

support 8

Syslog 23

Syslog Message Reference 158

System configuration 45

System maintenance 45

System settings 14

System statistics 61

- T -

technical 8

Technical support file 52

Transparent mode 31

- U -

Update scan engines 47

Update settings 45

URL blacklists 152

URL Filter 155

URL formats 150

URL whitelists 151

Using the dashboard 58

Using the WebUI 12

- V -

Viewing policies 107

Viewing statistics 61

Vlan1 interface 28

Vlans 33


- W -

Warning message 156

Web filter 149

Web filter processing order 149

Web services 116

Web services - processing overview 116

Webfilter 85, 86

WebUI Overview 11

- Z -

Zone 37
