Secure Web Gateway
Network Guardian Administration Guide
For future reference
Network Guardian serial number:
Date installed:
Smoothwall publishes this guide in its present form without any guarantees. This guide replaces any other guides delivered with earlier versions of Network Guardian.
No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Smoothwall.
For more information, contact: docs@smoothwall.net © 2001 – 2015 Smoothwall Ltd. All rights reserved.
Trademark notice
Smoothwall and the Smoothwall logo are registered trademarks of Smoothwall Ltd.
Linux is a registered trademark of Linus Torvalds. Snort is a registered trademark of Sourcefire INC. DansGuardian is a registered trademark of Daniel Barron. Microsoft, Internet Explorer, Window 95, Windows 98, Windows NT, Windows 2000 and Windows XP are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Netscape is a registered trademark of Netscape Communications Corporation in the United States and other countries. Apple and Mac are registered trademarks of Apple Computer Inc. Intel is a registered trademark of Intel Corporation. Core is a trademark of Intel Corporation.
All other products, services, companies, events and publications mentioned in this document, associated documents and in Smoothwall software may be trademarks, registered trademarks or service marks of their respective owners in the UK, US and/or other countries.
Acknowledgements
Smoothwall acknowledges the work, effort and talent of the Smoothwall GPL development team: Lawrence Manning and Gordon Allan, William Anderson, Jan Erik Askildt, Daniel Barron, Emma Bickley, Imran Chaudhry, Alex Collins, Dan Cuthbert, Bob Dunlop, Moira Dunne, Nigel Fenton, Mathew Frank, Dan Goscomb, Pete Guyan, Nick Haddock, Alan Hourihane, Martin Houston, Steve Hughes, Eric S. Johansson, Stephen L. Jones, Toni Kuokkanen, Luc Larochelle, Osmar Lioi, Richard Morrell, Piere-Yves Paulus, John Payne, Martin Pot, Stanford T. Prescott, Ralf Quint, Guy Reynolds, Kieran Reynolds, Paul Richards, Chris Ross, Scott Sanders, Emil Schweickerdt, Paul Tansom, Darren Taylor, Hilton Travis, Jez Tucker, Bill Ward, Rebecca Ward, Lucien Wells, Adam Wilkinson, Simon Wood, Nick Woodruffe, Marc Wormgoor.
Network Guardian contains graphics taken from the Open Icon Library project http://openiconlibrary.sourceforge.net/
Address: Smoothwall Limited, 1 John Charles Way, Leeds, LS12 6QA, United Kingdom
Email: info@smoothwall.net
Web: www.smoothwall.net
Telephone: USA and Canada 1 800 959 3760; United Kingdom 0870 1 999 500; All other countries +44 870 1 999 500
Fax: USA and Canada 1 888 899 9164; United Kingdom 0870 1 991 399; All other countries +44 870 1 991 399
Contents
About This Guide ... 1
Audience and Scope ... 1
Organization and Use ... 1
Conventions... 2
Related Documentation... 2
Chapter 1
Network Guardian Overview ... 3
Overview of Network Guardian... 4
Annual Renewal... 4
Accessing Network Guardian ... 4
Dashboard ... 5
Logs and Reports ... 6
Reports ... 6
Alerts ... 6
Realtime ... 6
Logs ... 7
Settings ... 8
Networking ... 8
Configuration ... 8
Filtering ... 9
Routing ... 9
Settings ... 9
Services... 10
Authentication ... 10
User Portal ... 10
Proxies ... 11
SNMP ... 11
Message Censor ... 11
System ... 12
Maintenance ... 12
Central Management ... 12
Preferences ... 13
Administration... 13
Hardware ... 13
Diagnostics ... 14
Certificates ... 14
Guardian ... 14
Quick Links ... 14
Web Filter Policies ... 15
HTTPS Inspection Policies ... 15
Content Modification Policies ... 15
Anti-malware Policies ... 16
Block Page Policies ... 16
Policy Objects ... 16
Swurl ... 17
Web Proxy ... 17
Web Proxy ... 17
Upstream Proxy ... 17
Authentication ... 18
MobileProxy ... 18
Global Proxy ... 18
Configuration Guidelines... 19
Specifying Networks, Hosts and Ports ... 19
Using Comments ... 20
Connecting via SSH ... 20
Connecting Using a Client ... 20
Secure Communication ... 21
Unknown Entity Warning... 21
Inconsistent Site Address ... 21
Chapter 2
Working with Interfaces ... 23
About Network Interfaces and Roles ... 23
Creating an External Connection ... 25
About Load Balancing Traffic over External Connections ... 26
Editing an External Connection... 26
Deleting an External Connection... 26
Monitoring External Connections’ Status ... 27
Adding a New Interface ... 27
Allocating IP Addresses to Interfaces ... 28
Adding an IP Address ... 28
Editing Allocated IP Addresses ... 30
Deleting Allocated IP Addresses... 30
Configuring Bonded Interfaces ... 30
Creating Bonds ... 30
Editing Bonds ... 32
Deleting a Bond Interface ... 32
Using Virtual Local Area Networks ... 33
Creating a VLAN... 33
Configuring Transparent Bridges ... 34
Creating Bridges ... 34
Editing Bridges... 36
Network Guardian Administration Guide Contents
Using a Point-to-Point Protocol over Ethernet Interface ... 37
Editing a PPPoE Interface... 38
Deleting Parent PPPoE Interfaces ... 38
Adding Alias IP Addresses... 39
Using Domain Name System Services ... 40
Configuring Global DNS Settings ... 40
Configuring the DNS Servers ... 41
Using Conditional DNS Forwarders ... 42
Mapping Static DNS Hosts ... 43
Chapter 3
Deploying Web Filtering ... 45
Getting Up and Running ... 45
Blocking and Allowing Content Immediately ... 46
Blocking Locations ... 47
Excepting Computers from Web Filtering ... 47
About Shortcuts ... 49
About Network Guardian’s Default Policies ... 50
About the Default Web Filter Policies ... 50
About the Default Authentication Policies ... 50
Chapter 4
Working with Policies ... 51
An Overview of Policies ... 52
Types of Policies... 52
How Policies are Applied ... 52
Guardian Getting Started ... 54
Working with Category Group Objects ... 55
Creating Category Group Objects ... 55
Creating Custom Categories ... 56
Editing Category Group Objects ... 57
Deleting Category Group Objects ... 58
Working with Time Slot Objects ... 59
Creating a Time Slot ... 59
Editing a Time Slot... 60
Deleting a Time Slot ... 60
Working with Location Objects ... 60
Creating a Location Object... 61
Editing Location Objects... 62
Deleting Location Objects ... 62
Working with Quota Objects ... 62
About the Default Quota Object ... 62
Creating Quota Objects ... 63
Editing Quota Objects ... 64
Deleting Quota Objects ... 64
Managing Web Filter Policies ... 64
Creating Web Filter Policies ... 65
Editing Web Filter Policies ... 67
Deleting Web Filter Policies... 68
Managing HTTPS Inspection Policies ... 68
Enabling HTTPS Inspection Policies... 69
Editing HTTPS Inspection Policies... 72
Deleting HTTPS Inspection Policies ... 72
Configuring HTTPS Inspection Policy Settings ... 72
Clearing the Generated Certificate Cache ... 74
Managing Content Modification Policies... 74
Creating a Content Modification Policy... 75
Editing Content Modification Policies ... 77
Deleting Content Modification Policies ... 77
Creating Custom Content Modification Policies ... 78
Managing Anti-malware Policies... 79
Creating an Anti-malware Policy... 79
Configuring Anti-malware Protection ... 81
Configuring Anti-malware Status Information ... 82
Editing Anti-malware Policies... 83
Deleting Anti-malware Policies ... 83
Using the Policy Tester... 83
Other Ways of Accessing the Policy Tester ... 85
Working with Policy Folders ... 85
Creating a Policy Folder... 86
Editing Policy Folders... 86
Deleting Policy Folders ... 86
Censoring Web Form Content ... 87
Configuring Organization Accounts ... 89
Chapter 5
Managing Authentication Policies... 91
About Authentication Policies ... 91
Creating Authentication Policies ... 92
Creating Non-transparent Authentication Policies ... 92
Creating Transparent Authentication Policies... 97
Managing Authentication Policies... 101
Editing Authentication Policies ... 101
Deleting Policies ... 102
Managing Authentication Exceptions ... 103
Identification by Location... 103
Using Global Proxy Certificates... 104
Using Multiple, Distinct Proxies ... 105
Using an Unsecured Proxy ... 105
Viewing the Global Proxy Logs... 106
Connecting to Network Guardian... 106
About Non-transparent Connections... 106
About Transparent Connections ... 108
Authentication Scenarios ... 108
New Content Filtering – Changing the Listening Port ... 108
Providing Filtered Web Access to the Public ... 108
Requiring Authentication to Browse the Web... 109
Using Multiple Authentication Methods ... 109
Chapter 6
Managing Web Security ... 111
Overview of the Web Proxy ... 112
Global Options ... 112
Advanced Web Proxy Settings ... 112
Using PAC Scripts... 116
Using a Built-in Script ... 116
Using a Custom Script ... 117
Managing the Configuration Script... 118
Limiting Bandwidth Use ... 118
Ordering Bandwidth Limiting Policies ... 120
Editing Bandwidth Limiting Policies ... 120
Deleting Bandwidth Limiting Policies ... 120
Configuring WCCP ... 120
Managing Upstream Proxies ... 122
Overview ... 122
Configuring an Upstream Proxy ... 123
Configuring Source and Destination Filters ... 125
Using a Single Upstream Proxy... 127
Working with Multiple Upstream Proxies ... 128
Managing Blocklists ... 130
Viewing Blocklist Information... 131
Manually Updating Blocklists ... 131
Managing Block Pages... 132
About the Default Block Page ... 132
Customizing the Default Block Page ... 133
Using a Custom HTML Template ... 135
Using an External Block Page ... 136
Configuring a Block Page Policy... 136
Managing Block Page Policies ... 137
Working with Block Pages ... 138
Chapter 7
Managing Your Network Infrastructure ... 139
Creating Subnets ... 139
Editing and Removing Subnet Rules ... 140
Using the Routing Information Protocol Service ... 141
Load Balancing Traffic ... 143
Creating Load Balancing Pools ... 143
Reordering Load Balancing Pools ... 145
Example Configuration... 146
Using Source NATs and LLB Policies ... 147
Using LLB Pools for Local Traffic ... 147
Creating a NAT Policy ... 147
Reordering NAT Policies ... 150
Chapter 8
Managing Network Security... 151
Blocking by IP... 151
Creating IP Blocking Rules ... 151
Blocking Services on the Ethernet Bridge ... 153
Managing Exceptions to Blocked Services... 154
Working with Port Groups... 155
Creating a Port Group ... 155
Adding Ports to Existing Port Groups... 156
Editing Port Groups ... 156
Deleting a Port Group... 156
Working with Address Objects ... 157
Creating an Address Object ... 157
Creating Nested Address Objects ... 158
Editing Address Objects ... 159
Deleting Address Objects ... 159
Configuring Advanced Networking Features ... 160
Blocking and Ignoring Traffic ... 161
Enabling Advanced Networking Features ... 161
Configuring ARP Table Size... 162
Configuring Connection Tracking Table Size ... 162
Configuring SYN Backlog Queue Size ... 162
Configuring Traffic Audits... 163
Dropping Direct Traffic... 163
Enabling Network Application Helpers ... 163
Managing Bad External Traffic ... 164
Chapter 9
Using Zone Bridging Rules ... 165
About Zone Bridging Rules ... 165
Creating Zone Bridging Rules ... 166
Editing and Removing Zone Bridge Rules... 167
Example Zone Bridging Rules ... 167
About Group Bridging Rules ... 169
Group Bridging and Authentication ... 170
Creating Group Bridging Rules ... 170
Editing and Removing Group Bridges ... 171
Chapter 10
Managing Inbound Traffic ... 173
Managing Inbound Traffic with Port Forwards ... 173
About Port Forward Rules ... 173
Creating Port Forward Rules ... 174
Chapter 11
Authentication and User Management ... 177
About User Authentication ... 177
Configuring Global Authentication Settings ... 178
About Directory Services ... 179
Configuring a Microsoft Active Directory Connection ... 180
Configuring an LDAP Connection ... 181
Configuring a RADIUS Connection ... 184
Configuring an Active Directory Connection – Legacy Method ... 185
Configuring a Local Users Directory ... 188
Editing a Directory Server ... 188
Deleting a Directory Server... 189
Diagnosing Directories... 189
Managing Local Users ... 189
Adding Users... 189
Editing Local Users... 190
Deleting Users... 190
Managing Groups of Users ... 190
About Groups ... 190
Adding Groups ... 191
Editing Groups ... 191
Deleting Groups ... 192
Mapping Groups... 192
Remapping Groups... 192
Deleting Group Mappings ... 193
Managing Temporarily Banned Users... 193
Creating a Temporary Ban... 193
Removing Temporary Bans ... 194
Removing Expired Bans ... 194
Managing User Activity ... 195
Viewing User Activity... 195
Logging Users Out... 195
Banning Users... 195
About SSL Authentication ... 196
Customizing the SSL Login Page... 196
Reviewing SSL Login Pages ... 198
Managing Kerberos Keytabs ... 198
Prerequisites ... 198
Adding Keytabs... 198
Managing Keytabs ... 199
Troubleshooting a Kerberos Service ... 200
Authenticating Chromebook Users... 201
Creating a Google Client ID and Client Secret (Web Application) ... 201
Restricting Accepted Google Accounts by Domain ... 202
Customizing the Client Login Page... 203
Managing Chromebooks... 204
Chapter 12
Centrally Managing Smoothwall Systems ... 209
About Centrally Managing Smoothwall Systems... 209
Pre-requirements... 210
Setting up a Centrally Managed Smoothwall System ... 210
Configuring the Parent Node ... 210
Configuring Child Nodes ... 211
Adding Child Nodes to the System ... 212
Editing Child Node Settings... 215
Deleting Nodes in the System ... 215
Managing Nodes in a Smoothwall System ... 215
Monitoring Node Status ... 216
Working with Updates ... 217
Rebooting Nodes ... 218
Disabling Nodes ... 219
Using BYOD in a Centrally Managed System... 219
Glossary ... 221
About This Guide
Smoothwall’s Network Guardian is a licenced feature of your Smoothwall System. This supplement provides guidance for configuring Network Guardian.
Audience and Scope
This guide is aimed at system administrators maintaining and deploying Network Guardian. This guide assumes the following prerequisite knowledge:
• An overall understanding of the functionality of the Smoothwall System
• An overall understanding of networking concepts
Note: We strongly recommend that everyone working with Smoothwall products attend Smoothwall training. For information on our current training courses, contact your Smoothwall representative.
Organization and Use
This guide is made up of the following chapters and appendices:
• Chapter 1, Network Guardian Overview on page 3
• Chapter 2, Working with Interfaces on page 23
• Chapter 3, Deploying Web Filtering on page 45
• Chapter 4, Working with Policies on page 51
• Chapter 5, Managing Authentication Policies on page 91
• Chapter 6, Managing Web Security on page 111
• Chapter 7, Managing Your Network Infrastructure on page 139
• Chapter 8, Managing Network Security on page 151
• Chapter 9, Using Zone Bridging Rules on page 165
• Chapter 10, Managing Inbound Traffic on page 173
• Chapter 11, Authentication and User Management on page 177
• Chapter 12, Centrally Managing Smoothwall Systems on page 209
• Glossary on page 221
• Index on page 231
Conventions
The following typographical conventions are used in this guide:
Key product terms: Initial Capitals. Example: Network Guardian, Smoothwall System.
Menu flow, and screen objects: Bold. Example: System > Maintenance > Shutdown; Click Save.
Cross-references: Blue text. Example: See Chapter 1, Network Guardian Overview on page 3.
References to other guides: Italics. Example: Refer to the Network Guardian Administration Guide.
Filenames and paths: Courier. Example: The portal.xml file.
Variables that users replace: Courier Italics. Example: http://<my_ip>/portal
This guide is written in such a way as to be printed on both sides of the paper.
Related Documentation
The following guides provide additional information relating to Network Guardian:
• Network Guardian Installation Guide, which describes how to install Network Guardian
• Network Guardian Operations Guide, which describes how to maintain Network Guardian
• Network Guardian Upgrade Guide, which describes how to upgrade Network Guardian
• Network Guardian User Portal Guide, which describes how to use the Network Guardian user portal
• http://www.smoothwall.com/support contains the Smoothwall support portal, knowledge base and the latest product manuals.
1 Network Guardian Overview
This chapter introduces Network Guardian, including:
• Overview of Network Guardian on page 4
• Annual Renewal on page 4
• Accessing Network Guardian on page 4
• Dashboard on page 5
• Logs and Reports on page 6
• Networking on page 8
• Services on page 10
• System on page 12
• Guardian on page 14
• Swurl on page 17
• Web Proxy on page 17
• Configuration Guidelines on page 19
• Connecting via SSH on page 20
Overview of Network Guardian
Welcome to Network Guardian, the intelligent web content filter that dynamically analyses, understands and categorizes all web content requested by your users.
Network Guardian provides:
• Protection from pornography and objectionable content
• Controlled access to non work-related sites, such as news, sport, travel and auctions
• Protection from web-borne spyware, malware and browser exploits
• Reporting on Internet behavior and resource utilization
• Email security: anti-spam, anti-malware, mail relay and control.
Annual Renewal
To ensure that you have all the functionality documented in this guide, we recommend that you purchase annual renewal. For more information, contact your Smoothwall representative.
Accessing Network Guardian
To access Network Guardian, do the following:
1. In a web browser, enter the address of your Network Guardian, for example:
https://192.168.72.141:441
Note: The example address above uses HTTPS to ensure secure communication with your Network Guardian. It is possible to use HTTP on port 81 if you are satisfied with less security.
Note: The following sections assume that you have registered and configured Network Guardian as described in the Network Guardian Installation and Setup Guide.
Network Guardian Administration Guide Network Guardian Overview
3. Enter the following information:
Username: Enter admin. This is the default Network Guardian administrator account.
Password: Enter the password you specified for the admin account when installing Network Guardian.
4. Click Login.
The Dashboard opens.
The following sections describe Network Guardian’s user interface.
Dashboard
The Dashboard is the default home page of your Network Guardian system. It displays the status of external interfaces, service information and customizable summary reports.
Logs and Reports
The Logs and reports section contains the following menu items and pages:
Reports
All report functionality, including customizing and scheduling, is found here:
Summary: Displays a number of generated reports. For more information, refer to the Network Guardian Operations Guide.
Reports: Where you generate and organize reports. For more information, refer to the Network Guardian Operations Guide.
Recent and saved: Lists recently generated and previously saved reports. For more information, refer to the Network Guardian Operations Guide.
Scheduled: Sets which reports are automatically generated and delivered. For more information, refer to the Network Guardian Operations Guide.
Custom: Enables you to create and view custom reports. For more information, refer to the Network Guardian Operations Guide.
Alerts
You can enable alerts and monitors from here:
Alerts: Determine which alerts are sent to which groups of users and in what format. For more information, refer to the Network Guardian Operations Guide.
Alert settings: Settings to enable the alert system and customize alerts with configurable thresholds and trigger criteria. For more information, refer to the Network Guardian Operations Guide.
Realtime
You can watch Network Guardian’s log files populate in real time from here:
System: A real time view of the system log with some filtering options. For more information, refer to the Network Guardian Operations Guide.
Firewall: A real time view of the firewall log with some filtering options. For more information, refer to the Network Guardian Operations Guide.
Email: Displays the email log viewer running in real time mode. For more information, refer to the Network Guardian Operations Guide. Note that you may not see this option if Anti-Spam is not installed. For more information, refer to the Anti-Spam Installation and Administration Guide.
Portal: A real time view of activity on user portals. For more information, refer to the Network Guardian Operations Guide.
IM proxy: A real time view of recent instant messaging conversations. For more information, refer to the Network Guardian Operations Guide.
Web filter: Displays the web filter log viewer running in real time mode. For more information, refer to the Network Guardian Operations Guide.
Traffic graphs: Displays a real time bar graph of the bandwidth being used. For more information, refer to the Network Guardian Operations Guide.
Logs
You can view and download Network Guardian’s log files from here:
System: Simple logging information for the internal system services. For more information, refer to the Network Guardian Operations Guide.
Firewall: Displays all data packets that have been dropped or rejected by the firewall. For more information, refer to the Network Guardian Operations Guide.
Email: Displays sender, recipient, subject and other email message information. For more information, refer to the Network Guardian Operations Guide. Note that you may not see this option if Anti-Spam is not installed. For more information, refer to the Anti-Spam Installation and Administration Guide.
IM proxy: Displays information about instant messaging conversations. For more information, refer to the Network Guardian Operations Guide.
Web filter: Displays time, username, source IP and other web filtering information. For more information, refer to the Network Guardian Operations Guide, Web Filter Logs on page 107.
User portal: Displays information about access by users to portals. For more information, refer to the Network Guardian Operations Guide.
Log settings: Settings to configure the logs you want to keep, an external syslog server, automated log deletion and rotation options. For more information, refer to the Network Guardian Operations Guide.
Settings
You set global settings for reports, alerts, and log files from here:
Datastore settings: Contains settings to manage the storing of log files. For more information, refer to the Network Guardian Operations Guide.
Groups: Where you create groups of users which can be configured to receive automated alerts and reports. For more information, refer to the Network Guardian Operations Guide.
Output settings: Settings to configure the Email to SMS Gateway and SMTP settings used for delivery of alerts and reports. For more information, refer to the Network Guardian Operations Guide.
Networking
The Networking section contains the following sub-sections and pages:
Configuration
You configure all interfaces, whether they are NICs or software interfaces, here:
Interfaces: Configure and display information for your Network Guardian’s interfaces, including VLANs and bridges. For more information, see Configuring Global Settings for Interfaces on page 26.
DNS: Configure static DNS settings, and DNS proxy service settings. For more information, see Using Domain Name System Services on page 40.
Link Load Balancing: Configure load balancing pools for network interfaces. For more information, see Load Balancing Traffic on page 143.
Source NAT & LLB policies: Configure any source NAT-ing, source mapping policies, and load balancing policies. For more information, see Using Source NATs and LLB Policies on page 147.
Port forwards: Configure any port forwarding policies to internal network services. For more information, see Managing Inbound Traffic with Port Forwards on page 173.
Filtering
You can set up filtering rules for network traffic here:
Zone bridging: Used to define permissible communication between pairs of network zones. For more information, see About Zone Bridging Rules on page 165.
Group bridging: Used to define the network zones that are accessible to authenticated groups of users. For more information, see About Group Bridging Rules on page 169.
IP block: Used to create rules that drop or reject traffic originating from or destined for single or multiple IP addresses. For more information, see Creating IP Blocking Rules on page 151.
Ethernet bridging: Used to block peer-to-peer traffic across the bridge interface. For more information, see Blocking Services on the Ethernet Bridge on page 153.
Routing
You can configure routing rules for network traffic here:
Subnets: Used to generate additional routing information so that the system can route traffic to other subnets via a specified gateway. For more information, see Creating Subnets on page 139.
RIP: Used to enable and configure the Routing Information Protocol (RIP) service on the system. For more information, see Using the Routing Information Protocol Service on page 141.
Settings
You set global settings for all networking aspects from here:
Port groups: Create and edit groups of ports for use throughout Network Guardian. For more information, see Working with Port Groups on page 155.
Address object manager: Create and edit IP address objects for use in networking configuration. For more information, see Working with Address Objects on page 157.
Advanced: Used to configure advanced network and traffic auditing parameters. For more information, see Configuring Advanced Networking Features on page 160.
Services
The Services section contains the following sub-sections and pages:
Authentication
You configure user authentication policies here:
Settings: Used to set global login time settings. For more information, see Configuring Global Authentication Settings on page 178.
Directories: Used to connect to directory servers in order to retrieve groups, apply network and web filtering permissions, and verify the identity of users trying to access network or Internet resources. For more information, see About Directory Services on page 179.
Groups: Used to customize group names. For more information, see Managing Groups of Users on page 190.
Temporary bans: Enables you to manage temporarily banned user accounts. For more information, see Managing Temporarily Banned Users on page 193.
User activity: Displays the login times, usernames, group membership and IP address details of recently authenticated users. For more information, see Managing User Activity on page 195.
SSL login: Used to customize the end-user SSL login page. For more information, see About SSL Authentication on page 196.
Kerberos keytabs: This is where Kerberos keytabs are imported and managed. For more information, see Managing Kerberos Keytabs on page 198.
BYOD: Enables you to authenticate users with their own devices and allow them to connect to the network. For more information, refer to the Network Guardian Operations Guide.
Chromebook: Used to configure Google credentials for Chromebook authentication. For more information, see Authenticating Chromebook Users on page 201.
User Portal
You configure and manage user portals here:
Portals: This page enables you to configure and manage user portals. For more information, refer to the Network Guardian Operations Guide.
Group access: This page enables you to assign groups of users to portals. For more information, refer to the Network Guardian Operations Guide.
User access: This page enables you to override group settings and assign a user directly to a portal. For more information, refer to the Network Guardian Operations Guide.
Proxies
You configure the proxy service for Network Guardian’s individual modules, including:
Instant messenger: Configure the instant messenger proxy service. For more information, refer to the Network Guardian Operations Guide.
FTP: Configure the FTP proxy service. For more information, refer to the Network Guardian Operations Guide.
SNMP
You enable and configure the SNMP service here:
SNMP: Used to activate Network Guardian’s Simple Network Management Protocol (SNMP) agent. For more information, refer to the Network Guardian Operations Guide.
Message Censor
You can configure filtering policies for message content here:
Policies: Enables you to create and manage filtering policies by assigning actions to matched content. For more information, refer to the Network Guardian Operations Guide.
Filters: This is where you create and manage filters for matching particular types of message content. For more information, refer to the Network Guardian Operations Guide.
Time: This is where you create and manage time periods for limiting the time of day during which filtering policies are enforced. For more information, refer to the Network Guardian Operations Guide.
Custom categories: Enables you to create and manage custom content categories for inclusion in filters. For more information, refer to the Network Guardian Operations Guide.
System
The System section contains the following sub-sections and pages:
Maintenance
You use the following pages to manage and maintain various aspects of Network Guardian, including:
Updates: Used to display and install available product updates, in addition to listing currently installed updates. For more information, refer to the Network Guardian Operations Guide.
Modules: Used to upload, view, check, install and remove Network Guardian modules. For more information, refer to the Network Guardian Operations Guide.
Licenses: Used to display and update license information for the licensable components of the system. For more information, refer to the Network Guardian Operations Guide.
Archives: Used to create and restore archives of system configuration information. For more information, refer to the Network Guardian Operations Guide.
Scheduler: Used to automatically discover new system updates, modules and licenses. It is also possible to schedule automatic downloads of system updates and create local and remote backup archives. For more information, refer to the Network Guardian Operations Guide.
Shutdown: Used to shut down or reboot the system. For more information, refer to the Network Guardian Operations Guide.
Central Management
You can set up a centrally managed Network Guardian system here:
Overview: This is where you monitor nodes and schedule updates in a Smoothwall system. For more information, see Managing Nodes in a Smoothwall System on page 215.
Child nodes: This is where you add and configure nodes in a Smoothwall system. For more information, see Configuring Child Nodes on page 211.
Local node settings: This is where you configure a node to be a parent or child in a Smoothwall system and manage central management keys for use in the system. For more information, see Setting up a Centrally Managed Smoothwall System on page 210.
Preferences
You can customize your installation of Network Guardian here:
User interface: Used to manage Network Guardian’s dashboard settings. For more information, refer to the Network Guardian Operations Guide.
Time: Used to manage Network Guardian’s time zone, date and time settings. For more information, refer to the Network Guardian Operations Guide.
Registration options: Used to configure a web proxy if your ISP requires you to use one. Also enables you to configure sending extended registration information to Smoothwall. For more information, refer to the Network Guardian Operations Guide.
Hostname: Used to configure Network Guardian’s hostname. For more information, refer to the Network Guardian Operations Guide.
Administration
You can enable administration access to Network Guardian here:
Admin options: Used to enable secure access to Network Guardian using SSH, and to enable referral checking. For more information, refer to the Network Guardian Operations Guide.
External access: Used to create rules that determine which interfaces, services, networks and hosts can be used to administer Network Guardian. For more information, refer to the Network Guardian Operations Guide.
Administrative users: Used to manage user accounts and set or edit user passwords on the system. For more information, refer to the Network Guardian Operations Guide.
Tenants: Used to manage tenants. For more information, refer to the Multi-Tenant Installation and Administration Guide. Note that you may not see this option if you have not purchased a Multi-Tenant licence.
Hardware
You can configure additional hardware aspects here:
UPS: Used to configure the system's behavior when it is using battery power from an Uninterruptible Power Supply (UPS) device. For more information, refer to the Network Guardian Operations Guide.
Console: Configure the system console. For more information, refer to the Network Guardian Operations Guide.
Diagnostics
You can perform diagnostics tests here:
• Functionality tests: Used to ensure that your current Network Guardian settings are not likely to cause problems. For more information, refer to the Network Guardian Operations Guide.
• Configuration report: Used to create diagnostic files for support purposes. For more information, refer to the Network Guardian Operations Guide.
• IP tools: Contains the ping and trace route IP tools. For more information, refer to the Network Guardian Operations Guide.
• Whois: Used to find and display ownership information for a specified IP address or domain name. For more information, refer to the Network Guardian Operations Guide.
Certificates
You can configure Network Guardian as a Certificate Authority:
• Certificate authorities: Provides certification authority (CA) certificates and enables you to manage them for clients and gateways. For more information, refer to the Network Guardian Operations Guide.
Guardian
The Guardian section contains the following sub-sections and pages:
Quick Links
The most commonly used Guardian functions are found here:
• Getting started: This page provides an overview of what comprises a web filter policy, a link to the default policies and an introduction to policy wizards. For more information, see Guardian Getting Started on page 54.
• Shortcuts: This page provides direct links to tasks you might do on a daily basis, such as blocking and allowing sites and running reports. For more information, see About Shortcuts on page 49.
• Quick block/allow: This page enables you to block or allow content immediately. For more information, see Blocking and Allowing Content Immediately on page 46.
• Policy tester: The policy tester enables you to test whether a URL is available to a specific person at a specific location and time. For more information, see Using the Policy Tester on page 83.
Web Filter Policies
You configure web filter policies here:
• Manage policies: This is where you manage how web filtering policies are applied. For more information, see Managing Web Filter Policies on page 64.
• Policy wizard: This is where you can configure a custom web filtering policy. For more information, see Creating Web Filter Policies on page 65.
• Location blocking: Enables you to block computers at a specific location from accessing web content. For more information, see Blocking Locations on page 47.
• Exceptions: Here you can exempt computers from any web filtering. For more information, see Excepting Computers from Web Filtering on page 47.
• Outgoing: This is where you configure outgoing settings for a censor policy for content and/or files posted using web forms. For more information, see Censoring Web Form Content on page 87.
HTTPS Inspection Policies
You can configure HTTPS inspection policies here:
• Manage policies: This is where you manage HTTPS inspection policies that decrypt and inspect encrypted communications. For more information, see Managing HTTPS Inspection Policies on page 68.
• Policy wizard: This is where you create custom policies for managing encrypted communications. For more information, see Creating an HTTPS Inspection Policy on page 69.
• Settings: This is where you manage CA security certificates and configure HTTPS interception messages. For more information, see Configuring HTTPS Inspection Policy Settings on page 72.
Content Modification Policies
You can configure content modification policies here:
• Manage policies: This is where you manage content modification policies that apply recommended security rules and enforce SafeSearch in browsers. For more information, see Managing Content Modification Policies on page 74.
• Policy wizard: Enables you to create custom policies for applying security rules and enforcing SafeSearch in browsers. For more information, see Creating a Content Modification Policy on page 75.
• Content modifications: Create and manage content modification policies. For more information, see
Anti-malware Policies
You can configure anti-malware policies here:
• Manage policies: This is where you manage policies that protect against malware. For more information, see Managing Anti-malware Policies on page 79.
• Policy wizard: This is where you can create custom policies to protect against malware. For more information, see Creating an Anti-malware Policy on page 79.
• Status page: Enables you to customize anti-malware information shown when downloading files. For more information, see Configuring Anti-malware Status Information on page 82.
• Settings: This is where you enable malware protection. For more information, see Creating an Anti-malware Policy on page 79.
Block Page Policies
You can configure block page policies here:
• Manage policies: This is where you manage block page policies. For more information, see Managing Block Page Policies on page 137.
• Policy wizard: This is where you create and edit block page policies. For more information, see Configuring a Block Page Policy on page 136.
• Block pages: This is where you create and edit block pages. For more information, see Managing Block Pages on page 132.
Policy Objects
You can configure global policy objects to be used in any Guardian policy:
• Category groups: This is where you manage content categories used when applying a web filtering policy. For more information, see Working with Category Group Objects on page 55.
• User defined: This is where you manage custom content categories. For more information, see Creating Custom Categories on page 56.
• Time slots: This is where you create and manage time slot policy objects for use in content filtering policies. For more information, see Working with Time Slot Objects on page 59.
• Locations: This is where you create and manage location policy objects for use in content filtering policies. For more information, see Working with Location Objects on page 60.
• Quotas: This is where you create and manage quota policy objects for use in content filtering policies. For more information, see Working with Quota Objects on page 62.
Swurl
The Swurl section contains the following sub-sections and pages:
• Settings: This is where you configure your organization’s Swurl account. For more information, see Configuring Organization Accounts on page 89.
Web Proxy
The Web proxy section contains the following sub-sections and pages:
Web Proxy
You can manage the web proxy service here:
• Settings: This is where you configure and manage web proxy settings. For more information, see Overview of the Web Proxy on page 112.
• Automatic configuration: This is where you create and make available proxy auto-configuration (PAC) scripts. For more information, see Using PAC Scripts on page 116.
• Bandwidth limiting: This is where you can manage how much bandwidth is made available to clients. For more information, see Limiting Bandwidth Use on page 118.
• WCCP: This is where you can configure Network Guardian to join a Web Cache Coordination Protocol (WCCP) cache engine cluster. For more information, see Configuring WCCP on page 120.
Upstream Proxy
You can manage the upstream proxy service here:
• Manage policies: This is where you manage upstream proxy policies. For more information, see Working with Multiple Upstream Proxies on page 128.
• Proxies: This is where you configure upstream proxy settings. For more information, see Configuring an Upstream Proxy on page 123.
• Filters: This is where you manage upstream proxy source and destination filters. For more information, see Configuring Source and Destination Filters on page 125.
Authentication
You can manage web proxy authentication here:
• Manage policies: This is where you manage authentication policies, which determine which web filter policies are applied. For more information, see Chapter 5, Managing Authentication Policies on page 91.
• Policy wizard: This is where you create and edit authentication policies. For more information, see Creating Authentication Policies on page 92.
• Exceptions: This is where you can exempt content from authentication. For more information, see Managing Authentication Exceptions on page 103.
• Ident by location: This is where you configure identification of groups and/or users by their location. For more information, see Identification by Location on page 103.
MobileProxy
You can manage the MobileProxy service here:
• Settings: On this page, you configure global MobileProxy server settings. For more information, refer to the Network Guardian Operations Guide.
• Proxies: On this page, you manage MobileProxy servers for use with mobile devices. For more information, refer to the Network Guardian Operations Guide.
• Exceptions: On this page, you specify proxy exceptions. For more information, refer to the Network Guardian Operations Guide.
Global Proxy
The Global Proxy section contains the following sub-sections and pages:
• Settings: Used to configure Secure Global Proxy. For more information, see Using Global Proxy Certificates on page 104.
• Certificate activity: Used to view the Secure Global Proxy logs. For more information, see Viewing the Global Proxy Logs on page 106.
Configuration Guidelines
This section provides guidance about how to enter suitable values for frequently required configuration settings.
Specifying Networks, Hosts and Ports
IP Address
An IP address defines the network location of a single network host. The following format is used:
192.168.10.1
IP Address Range
An IP address range defines a sequential range of network hosts, from low to high. IP address ranges can span subnets. For example:
192.168.10.1-192.168.10.20
192.168.10.1-192.168.12.255
Subnet Addresses
A network or subnet range defines a range of IP addresses that belong to the same network. The format combines an arbitrary IP address and a network mask, and can be entered in two ways:
192.168.10.0/255.255.255.0
192.168.10.0/24
Netmasks
A netmask defines a network or subnet range when used in conjunction with an arbitrary IP address. Some pages allow a network mask to be entered separately for ease of use. Examples:
255.255.255.0
255.255.0.0
255.255.248.0
Service and Ports
A Service or Port identifies a particular communication port in numeric format. For ease of use, a number of well known services and ports are provided in Service drop-down lists. To use a custom port number, choose the User defined option from the drop-down list and enter the numeric port number into the adjacent User defined field. Examples:
21
7070
Port Range
A 'Port range' can be entered into most User defined port fields, in order to describe a sequential range of communication ports from low to high. The following format is used:
137:139
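The following Python helpers, added here as an example and not part of Smoothwall's product or this guide, validate each of the formats above (single address, low-high range, subnet as IP/mask or IP/prefix, bare netmask, port and low:high port range) with the standard library's ipaddress module. The function names and the rejected sample inputs are constructed for the example.

```python
"""Validation helpers for the address and port formats the Configuration
Guidelines describe. Added example (not Smoothwall code)."""
import ipaddress
import re
from typing import Tuple


def parse_ip(text: str) -> ipaddress.IPv4Address:
    """A single host, e.g. 192.168.10.1."""
    return ipaddress.IPv4Address(text.strip())


def parse_ip_range(text: str) -> Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]:
    """A range written low-high, e.g. 192.168.10.1-192.168.12.255.
    Ranges may span subnets, so only the low-to-high ordering is enforced."""
    low_s, sep, high_s = text.partition("-")
    if not sep:
        raise ValueError(f"not an IP address range: {text!r}")
    low, high = parse_ip(low_s), parse_ip(high_s)
    if low > high:
        raise ValueError(f"range must run from low to high: {text!r}")
    return low, high


def is_valid_netmask(text: str) -> bool:
    """True only for a contiguous mask such as 255.255.248.0.
    ipaddress alone would also accept host (wildcard) masks like 0.0.0.255,
    so contiguity is checked on the integer value: the inverted mask plus
    one must be a power of two."""
    try:
        mask = int(ipaddress.IPv4Address(text.strip()))
    except ValueError:
        return False
    inverted = ~mask & 0xFFFFFFFF
    return inverted & (inverted + 1) == 0


def parse_subnet(text: str) -> ipaddress.IPv4Network:
    """A subnet as IP/mask or IP/prefix, e.g. 192.168.10.0/255.255.255.0 or
    192.168.10.0/24. The address may be any host inside the network
    (strict=False), matching the 'arbitrary IP address' wording above."""
    _addr, sep, mask_s = text.partition("/")
    if not sep:
        raise ValueError(f"not a subnet: {text!r}")
    if not mask_s.strip().isdigit() and not is_valid_netmask(mask_s):
        raise ValueError(f"not a valid netmask: {mask_s!r}")
    return ipaddress.IPv4Network(text.strip(), strict=False)


def parse_port_spec(text: str) -> Tuple[int, int]:
    """A single port (21, 7070) or a range low:high (137:139).
    Returns (low, high); a single port is returned as (port, port)."""
    match = re.fullmatch(r"\s*(\d{1,5})(?::(\d{1,5}))?\s*", text)
    if not match:
        raise ValueError(f"not a port or port range: {text!r}")
    low = int(match.group(1))
    high = int(match.group(2)) if match.group(2) else low
    for port in (low, high):
        if not 1 <= port <= 65535:
            raise ValueError(f"port outside 1-65535: {port}")
    if low > high:
        raise ValueError(f"port range must run from low to high: {text!r}")
    return low, high


def hosts_in_range(low: ipaddress.IPv4Address, high: ipaddress.IPv4Address) -> int:
    """Number of addresses an IP address range covers (inclusive)."""
    return int(high) - int(low) + 1


if __name__ == "__main__":
    # Walk the guide's own examples.
    for sample in ("192.168.10.1-192.168.10.20", "192.168.10.1-192.168.12.255"):
        low, high = parse_ip_range(sample)
        print(sample, "->", hosts_in_range(low, high), "hosts")
    for sample in ("192.168.10.0/255.255.255.0", "192.168.10.0/24"):
        print(sample, "->", parse_subnet(sample))
    for sample in ("255.255.255.0", "255.255.0.0", "255.255.248.0"):
        print(sample, "valid netmask:", is_valid_netmask(sample))
    for sample in ("21", "7070", "137:139"):
        print(sample, "->", parse_port_spec(sample))
```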
Using Comments
Almost every configurable aspect of Network Guardian can be assigned a descriptive text comment. This feature is provided so that administrators can record human-friendly notes against configuration settings they implement.
Comments are entered in the Comment fields and displayed alongside saved configuration information.
Connecting via SSH
You can access Network Guardian via a console using the Secure Shell (SSH) protocol.
Connecting Using a Client
When SSH access is enabled, you can connect to Network Guardian via a secure shell application, such as PuTTY.
To connect using an SSH client:
1. Check SSH access is enabled on Network Guardian. See Configuring Administration Access Options on page 139 for more information.
3. Enter the following information:
Host Name (or IP address): Enter Network Guardian’s host name or IP address.
Port: Enter 222.
4. Click Open. When prompted, enter root, and the password associated with it. You are given access to the Network Guardian command line.
Secure Communication
When you connect your web browser to Network Guardian’s web-based interface on an HTTPS port for the first time, your browser will display a warning that Network Guardian’s certificate is invalid. The reason given is usually that the certificate was signed by an unknown entity, or that you are connecting to a site pretending to be another site.
Unknown Entity Warning
This issue is one of identity. Usually, secure web sites on the Internet have a security certificate which is signed by a trusted third party. However, Network Guardian’s certificate is a self-signed certificate. Note: The data traveling between your browser and Network Guardian is secure and encrypted.
To remove this warning, your web browser needs to be told to trust certificates generated by Network Guardian.
To do this, import the certificate into your web browser. The details of how this is done vary between browsers and operating systems. See your browser’s documentation for information about how to import the certificate.
Inconsistent Site Address
Your browser will generate a warning if Network Guardian’s certificate contains the accepted site name for the secure site in question and your browser is accessing the site via a different address. A certificate can only contain a single site name, and in Network Guardian’s case, the hostname is used. If you try to access the site using its IP address, for example, the names will not match. To remove this warning, access Network Guardian using the hostname. If this is not possible, and you are accessing the site by some other name, then this warning will always be generated. In most cases, browsers have an option you can select to ignore this warning and which will ignore these security checks in the future.
Neither of the above issues compromises the security of HTTPS access. They simply serve to illustrate that HTTPS is about identity as well as encryption.
2 Working with Interfaces
This chapter describes how to configure the network cards and interfaces on your Network Guardian, including:
• About Network Interfaces and Roles on page 23
• Creating an External Connection on page 25
• Adding a New Interface on page 27
• Allocating IP Addresses to Interfaces on page 28
• Configuring Bonded Interfaces on page 30
• Using Virtual Local Area Networks on page 33
• Configuring Transparent Bridges on page 34
• Using a Point-to-Point Protocol over Ethernet Interface on page 37
• Using Domain Name System Services on page 40
About Network Interfaces and Roles
Note: Support for Internet connections using dial-up modems has been withdrawn. For more information, contact your Smoothwall representative.
“Interface” can refer to both a software interface, such as a virtual LAN, and a physical network interface card (NIC). Within Network Guardian, “interface” typically refers to a software interface, whereas NICs have “roles”.
The following NIC roles are supported:
• External: External interfaces connect your network to the Internet. For a detailed description of how to configure an external role, see
• Basic interface: Typically, basic interfaces deal with internal network traffic. During installation, a basic interface is reserved, and configured to provide a direct link to Network Guardian, either through the administration user interface, or through secure shell (SSH). For a detailed description of how to add an IP address to a basic interface, see Allocating IP Addresses to Interfaces on page 28.
• Bond member: A bond member is one of two or more NICs combined together to provide high availability. A Bonding interface acts as the combination. For a detailed description of how to configure a bond member, see Configuring Bonded Interfaces on page 30.
• Bridge member: A bridge member is one of two or more NICs that bridge separate network zones together. A Bridge interface acts as the connection between NICs. For a detailed description of how to configure a bridge member, see Configuring Transparent Bridges on page 34.
The following interfaces are supported:
• Bonding: A Bonding interface is a software interface that combines NICs to provide high availability. For a detailed description of how to configure a bonded interface, see Configuring Bonded Interfaces on page 30.
• VLAN: A virtual local area network (VLAN) is a virtual network zone. VLAN interfaces are software interfaces, associated with a NIC. For a detailed description of how to configure a VLAN interface, see Using Virtual Local Area Networks on page 33.
• Bridge: A Bridge interface is a software interface that links network zones, that is, NICs, together. For a detailed description of how to configure a bridge interface, see Configuring Transparent Bridges on page 34.
• PPPoE: A Point-to-Point Protocol over Ethernet (PPPoE) interface connects network zones using modems, or similar devices. For a detailed description of how to configure a PPPoE interface, see Using a Point-to-Point Protocol over Ethernet Interface on page 37.
New NICs added to your appliance are automatically added to the configuration as a BASIC interface. You must configure additional interfaces for Internet connections, connections from internal clients for web filtering purposes, and so on.
Note: The configuration entered for the NIC during the installation is to allow access to Network Guardian from the administration user interface. For more information, refer to the Network Guardian Installation Guide.
Creating an External Connection
Internet connections are made through the NIC configured as External. You can choose to configure this with a static IP address, or with one set by your ISP’s DHCP server.
Note: “External connection” does not refer to those connections that use a PPPoE interface. For a detailed description of how to configure a PPPoE connection, see Using a Point-to-Point Protocol over Ethernet Interface on page 37.
To create an external connection, do the following:
1. Browse to Networking > Configuration > Interfaces.
2. Highlight the relevant interface, and click Edit.
3. Configure the following:
Name — Configure a meaningful name for this connection.
Use as — Select External.
Spoof MAC — If MAC address spoofing is required, enter the new MAC address here.
MTU — If required, you can set the Maximum Transmission Unit (MTU) size, in bytes, for packets using this connection.
Comment — Configure an optional comment for this external interface.
An additional button, Show comments, is displayed on the Ethernet interfaces table if any comments are configured. Clicking this displays configured comments under the interface name.
You must assign the IP address, and gateway if provided, as advised by your ISP. This can either be a static IP address or one assigned dynamically. For a detailed description of how to do this, see Allocating IP Addresses to Interfaces on page 28.
Note: IPv6 is not yet supported. For more information, refer to your Smoothwall representative.
About Load Balancing Traffic over External Connections
If multiple external connections are configured on the appliance, Network Guardian balances external-destined traffic, according to weighting, across all functioning connections. This way, a failed connection should not have any noticeable impact on network clients. For a detailed description of how to configure link load balancing weighting, see Load Balancing Traffic on page 143.
Editing an External Connection
To edit an external interface, do the following:
1. Browse to Networking > Configuration > Interfaces.
2. From the Ethernet interfaces table, highlight the relevant external interface, and click Edit.
3. Edit the configuration as required. For a detailed description of each setting, see Creating an External Connection on page 25.
4. Click Save changes.
Deleting an External Connection
You cannot delete an external connection as this is typically a port on the appliance. To remove an external interface, you delete the IP addresses allocated to the interface. For a detailed description of how to do this, see Deleting Allocated IP Addresses on page 30.
Monitoring External Connections’ Status
You can monitor the status of all external connections configured on your appliance, using Network Guardian’s Dashboard.
To view the status of all external connections, do the following:
• From the menu list, browse to Dashboard.
For more information about the Dashboard, refer to the Network Guardian Operations Guide.
Adding a New Interface
In addition to the NICs on your Network Guardian appliance, you can create additional interfaces to process network traffic.
You do this as follows:
1. Browse to Networking > Configuration > Interfaces.
3. The parameters available to configure change depending on the Type of interface you select. For more information, see:
Bonding — Configuring Bonded Interfaces on page 30
VLAN — Using Virtual Local Area Networks on page 33
Bridge — Configuring Transparent Bridges on page 34
PPPoE — Using a Point-to-Point Protocol over Ethernet Interface on page 37
4. Click Add.
Basic interfaces are added automatically when a new NIC is detected. For a detailed description of how to change a basic interface to an external interface, see Creating an External Connection on page 25.
Allocating IP Addresses to Interfaces
Typically, you assign an IP address to the interface during installation - refer to the Network Guardian Installation Guide.
If required, you can assign additional IP addresses to an interface, for example:
• Extra static IP address, for later use.
• An IP address, set by DHCP, to an interface with a static IP address already assigned.
• An IP address alias to a PPPoE interface. For a detailed description of how to add an IP address alias to a PPPoE interface, see Adding Alias IP Addresses on page 39.
Note: IPv6 is not yet supported. For more information, refer to your Smoothwall representative.
Adding an IP Address
To add an IP address, do the following:
1. Browse to Networking > Configuration > Interfaces.
2. Click the IP addresses link for the relevant interface to display the Attached addresses table.
3. Click Add new IP address.
4. Configure the following:
Status — New IP addresses are enabled by default. Clear the check box to create a disabled IP address.
Type — Choose whether this IP address is assigned a static IP address (Static IPv4), or an IP address assigned via DHCP (DHCP IPv4).
Depending on the type of IP address, additional parameters may require configuration:
Static IPv4:
• IP address: Enter the additional IP address for this interface.
• Subnet mask: Enter the subnet mask for the IP address.
• Gateway: If traffic from this IP address needs to go through a gateway, select User defined, and either enter it into the box provided, or choose it from the drop-down list. Else, leave None selected.
• Bandwidth: This parameter is only displayed if a User defined Gateway is configured. If multiple gateways are configured and used, enter the minimum bandwidth used to load balance traffic between connections. If a single gateway is configured, load balancing is not used, so this parameter can be left at 1. Select whether the configured value is in kilobits per second (kbps), or in megabits per second (Mbps).
• Connection monitoring: This parameter is only displayed if a User defined Gateway is configured. Connection monitoring is enabled by default. It is not recommended you disable connection monitoring, otherwise Network Guardian assumes the gateway always has an internet connection.
DHCP IPv4:
• Bandwidth: If multiple gateways are configured and used, enter the minimum bandwidth used to load balance traffic between connections. If a single gateway is configured, load balancing is not used, so this parameter can be left at 1. Select whether the configured value is in kilobits per second (kbps), or in megabits per second (Mbps).
• Connection monitoring: Connection monitoring is enabled by default. It is not recommended you disable connection monitoring, otherwise Network Guardian assumes the gateway always has an internet connection.
• DHCP client hostname: Optionally, enter the DHCP client hostname as specified by the DHCP server.
Comment — Configure an optional comment for this IP address.
An additional button, Show comments, is displayed on the Attached addresses table if any comments are configured. Clicking this displays configured comments under the IP address.
5. Click Add.
Editing Allocated IP Addresses
To edit an allocated IP address, do the following:
1. Browse to Networking > Configuration > Interfaces.
2. From the Ethernet interfaces table, highlight the interface, and click IP addresses.
3. From the Attached addresses table, highlight the relevant IP address and click Edit.
4. Edit the configuration as required. For a detailed description of each setting, see Using Virtual Local Area Networks on page 33.
5. Click Save changes.
Deleting Allocated IP Addresses
Note: You cannot delete IP addresses that are assigned elsewhere, for example, used as part of a port forwarding rule (see Managing Inbound Traffic with Port Forwards on page 173) or source NAT policy (see Using Source NATs and LLB Policies on page 147).
To delete an allocated IP address, do the following:
1. Browse to Networking > Configuration > Interfaces.
2. From the Ethernet interfaces table, highlight the interface, and click IP addresses.
3. From the Attached addresses table, locate and highlight the relevant IP address.
4. Click Delete.
Configuring Bonded Interfaces
Network interface card (NIC) bonding involves combining the cards in parallel, in order to increase throughput, provide high availability, and provide redundancy should one of the links fail.
Network Guardian enables you to bind two or more NICs into a single bond.
Creating Bonds
You must first create the “parent” bonded interface, before adding the bonded interfaces. If required, a bridge member interface can also be used as a bonded interface.