Secure Web Gateway Network Guardian Administration Guide

(1)

Secure Web Gateway

Network Guardian Administration Guide

For future reference

Network Guardian serial number: Date installed:

(2)

Smoothwall publishes this guide in its present form without any guarantees. This guide replaces any other guides delivered with earlier versions of Network Guardian.

No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Smoothwall.

Smoothwall and the Smoothwall logo are registered trademarks of Smoothwall Ltd.

Linux is a registered trademark of Linus Torvalds. Snort is a registered trademark of Sourcefire INC. DansGuardian is a registered trademark of Daniel Barron. Microsoft, Internet Explorer, Window 95, Windows 98, Windows NT, Windows 2000 and Windows XP are either registered trademarks or

trademarks of Microsoft Corporation in the United States and/or other countries. Netscape is a registered trademark of Netscape Communications Corporation in the United States and other countries. Apple and Mac are registered trademarks of Apple Computer Inc. Intel is a registered trademark of Intel Corporation. Core is a trademark of Intel Corporation.

All other products, services, companies, events and publications mentioned in this document, associated documents and in Smoothwall software may be trademarks, registered trademarks or service marks of their respective owners in the UK, US and/or other countries.

Acknowledgements

Smoothwall acknowledges the work, effort and talent of the Smoothwall GPL development team: Lawrence Manning and Gordon Allan, William Anderson, Jan Erik Askildt, Daniel Barron, Emma Bickley, Imran Chaudhry, Alex Collins, Dan Cuthbert, Bob Dunlop, Moira Dunne, Nigel Fenton, Mathew Frank, Dan Goscomb, Pete Guyan, Nick Haddock, Alan Hourihane, Martin Houston, Steve Hughes, Eric S.

Johansson, Stephen L. Jones, Toni Kuokkanen, Luc Larochelle, Osmar Lioi, Richard Morrell, Piere-Yves Paulus, John Payne, Martin Pot, Stanford T. Prescott, Ralf Quint, Guy Reynolds, Kieran Reynolds, Paul Richards, Chris Ross, Scott Sanders, Emil Schweickerdt, Paul Tansom, Darren Taylor, Hilton Travis, Jez Tucker, Bill Ward, Rebecca Ward, Lucien Wells, Adam Wilkinson, Simon Wood, Nick Woodruffe, Marc Wormgoor.

Network Guardian contains graphics taken from the Open Icon Library project http://openiconlibrary.sourceforge.net/

Address Smoothwall Limited 1 John Charles Way Leeds. LS12 6QA United Kingdom Email info@smoothwall.net

Web www.smoothwall.net

Telephone USA and Canada: United Kingdom: All other countries:

1 800 959 3760 0870 1 999 500 +44 870 1 999 500

Fax USA and Canada:

United Kingdom: All other countries:

1 888 899 9164 0870 1 991 399 +44 870 1 991 399

(3)

About This Guide

Smoothwall’s Network Guardian is a licenced feature of your Smoothwall System. This supplement provides guidance for configuring Network Guardian.

Audience and Scope

This guide is aimed at system administrators maintaining and deploying Network Guardian. This guide assumes the following prerequisite knowledge:

• An overall understanding of the functionality of the Smoothwall System • An overall understanding of networking concepts

Note: We strongly recommend that everyone working with Smoothwall products attend Smoothwall training. For information on our current training courses, contact your Smoothwall representative.

Organization and Use

This guide is made up of the following chapters and appendices: • Chapter 1, Network Guardian Overview on page 3

• Chapter 2, Working with Interfaces on page 23

• Chapter 3, Deploying Web Filtering on page 45

• Chapter 4, Working with Policies on page 51

• Chapter 5, Managing Authentication Policies on page 91

• Chapter 6, Managing Web Security on page 111

• Chapter 7, Managing Your Network Infrastructure on page 139

(12)

• Chapter 9, Using Zone Bridging Rules on page 165

• Chapter 10, Managing Inbound Traffic on page 173

• Chapter 11, Authentication and User Management on page 177

• Chapter 12, Centrally Managing Smoothwall Systems on page 209

• Glossary on page 221

• Index on page 231

Conventions

The following typographical conventions are used in this guide:

This guide is written in such a way as to be printed on both sides of the paper.

1 Network Guardian

Overview

This chapter introduces Network Guardian, including: • Overview of Network Guardian on page 4

• Annual Renewal on page 4

• Accessing Network Guardian on page 4

• Dashboard on page 5

• Logs and Reports on page 6

• Networking on page 8

• Services on page 10

• System on page 12

• Guardian on page 14

• Swurl on page 17

• Web Proxy on page 17

• Configuration Guidelines on page 19

• Connecting via SSH on page 20

(14)

Overview of Network Guardian

Welcome to Network Guardian, the intelligent web content filter that dynamically analyses, understands and categorizes all web content requested by your users.

Network Guardian provides:

• Protection from pornography and objectionable content

• Controlled access to non work-related sites, such as news, sport, travel and auctions. • Protection from web-borne spyware, malware and browser exploits

• Reporting on Internet behavior and resource utilization

• Email security: anti-spam, anti-malware, mail relay and control.

Annual Renewal

To ensure that you have all the functionality documented in this guide, we recommend that you purchase annual renewal. For more information, contact your Smoothwall representative.

Accessing Network Guardian

To access Network Guardian, do the following:

1. In a web browser, enter the address of your Network Guardian, for example:

https://192.168.72.141:441

Note: The example address above uses HTTPS to ensure secure communication with your Network Guardian. It is possible to use HTTP on port 81 if you are satisfied with less security. Note: The following sections assume that you have registered and configured Network Guardian as described in the Network Guardian Installation and Setup Guide.

(15)

Network Guardian Administration Guide Network Guardian Overview

3. Enter the following information:

4. Click Login.

The Dashboard opens.

The following describe Network Guardian’s user interface.

Dashboard

The Dashboard is the default home page of your Network Guardian system. It displays the status of external interfaces, service information and customizable summary reports.

Field Information

Username Enter admin This is the default Network Guardian administrator account.

Password Enter the password you specified for the admin account when installing Network Guardian.

(16)

Logs and Reports

The Logs and reports section contains the following menu items and pages:

Reports

All report functionality, including customizing and scheduling, are found here:

Alerts

You can enable alerts and monitors from here:

Realtime

You can watch Network Guardian’s log files populate in realtime from here:

Pages Description

Summary Displays a number of generated reports. For more information, refer to the

Network Guardian Operations Guide.

Reports Where you generate and organize reports. For more information, refer to the

Recent and saved Lists recently-generated and previously saved reports. For more information, refer to the Network Guardian Operations Guide.

Scheduled Sets which reports are automatically generated and delivered. For more information, refer to the Network Guardian Operations Guide.

Custom Enables you to create and view custom reports. For more information, refer to the Network Guardian Operations Guide.

Alerts Determine which alerts are sent to which groups of users and in what format. For more information, refer to the Network Guardian Operations Guide.

Alert settings Settings to enable the alert system and customize alerts with configurable thresholds and trigger criteria. For more information, refer to the Network Guardian Operations Guide.

System A real time view of the system log with some filtering options. For more information, refer to the Network Guardian Operations Guide.

Firewall A real time view of the firewall log with some filtering options. For more information, refer to the Network Guardian Operations Guide.

(17)

Logs

You can view and download Network Guardian’s log files from here:

Email Displays the email log viewer running in real time mode. For more information, refer to the Network Guardian Operations Guide. Note that you may not see this option if Anti-Spam is not installed. For more information, refer to the Anti-Spam Installation and Administration Guide.

Portal A real time view of activity on user portals. For more information, refer to the

IM proxy A real time view of recent instant messaging conversations. For more information, refer to the Network Guardian Operations Guide.

Web filter Displays the web filter log viewer running in real time mode. For more information, refer to the Network Guardian Operations Guide.

Traffic graphs Displays a real time bar graph of the bandwidth being used. For more information, refer to the Network Guardian Operations Guide.

System Simple logging information for the internal system services. For more information, refer to the Network Guardian Operations Guide.

Firewall Displays all data packets that have been dropped or rejected by the firewall. For more information, refer to the Network Guardian Operations Guide.

Email Displays sender, recipient, subject and other email message information. For more information, refer to the Network Guardian Operations Guide . Note that you may not see this option if Anti-Spam is not installed. For more information, refer to the Anti-Spam Installation and Administration Guide .

IM proxy Displays information about instant messaging conversations. For more information, refer to the Network Guardian Operations Guide .

Web filter Displays time, username, source IP and other web filtering information. For more information, refer to the Network Guardian Operations GuideWeb Filter Logs on page 107.

User portal Displays information about access by users to portals. For more information, refer to the Network Guardian Operations Guide.

Log settings Settings to configure the logs you want to keep, an external syslog server, automated log deletion and rotation options. For more information, refer to the

(18)

Settings

You set global settings for reports, alerts, and log files from here:

Networking

The Networking section contains the following sub-sections and pages:

Configuration

You configure all interfaces, whether they are NICs or software interfaces, here:

Datastore settings Contains settings to manage the storing of log files. For more information, refer to the Network Guardian Operations Guide.

Groups Where you create groups of users which can be configured to receive automated alerts and reports. For more information, refer to the Network Guardian Operations Guide

Output settings Settings to configure the Email to SMS Gateway and SMTP settings used for delivery of alerts and reports. For more information, refer to the Network Guardian Operations Guide.

Interfaces Configure and display information for your Network Guardian’s interfaces, including VLANs and bridges. For more information, see Configuring Global Settings for Interfaces on page 26.

DNS Configure static DNS settings, and DNS proxy service settings. For more information, see Using Domain Name System Services on page 40.

Link Load Balancing Configure load balancing pools for network interfaces. For more information, see Load Balancing Traffic on page 143.

Source NAT & LLB policies

Configure any source NAT-ing, source mapping policies, and load balancing policies. For more information, see Using Source NATs and LLB Policies on page 147.

Port forwards Configure any port forwarding policies to internal network services. For more information, see Managing Inbound Traffic with Port Forwards on page 173.

(19)

Filtering

You can setup filtering rules here for network traffic:

Routing

You can configure routing rules here for network traffic:

Settings

You set global settings for all networking aspects from here:

Zone bridging Used to define permissible communication between pairs of network zones. For more information, see About Zone Bridging Rules on page 165.

Group bridging Used to define the network zones that are accessible to authenticated groups of users. For more information, see About Group Bridging Rules on page 169.

IP block Used to create rules that drop or reject traffic originating from or destined for single or multiple IP addresses. For more information, see Creating IP Blocking Rules on page 151.

Ethernet bridging Used to block peer to peer traffic across the bridge interface. For more information, see Blocking Services on the Ethernet Bridge on page 153.

Subnets Used to generate additional routing information so that the system can route traffic to other subnets via a specified gateway. For more information, see

Creating Subnets on page 139.

RIP Used to enable and configure the Routing Information Protocol (RIP) service on the system. For more information, see Using the Routing Information Protocol Service on page 141.

Port groups Create and edit groups of ports for use throughout Network Guardian. For more information, see Working with Port Groups on page 155.

Address object manager

Create and edit IP address objects for use in networking configuration. For more information, see Working with Address Objects on page 157.

Advanced Used to configure advanced network and traffic auditing parameters. For more information, see Configuring Advanced Networking Features on page 160.

(20)

Services

The Services section contains the following sub-sections and pages:

Authentication

You configure user authentication policies here:

User Portal

You configure and manage user portals here:

Settings Used to set global login time settings. For more information, see Configuring Global Authentication Settings on page 178.

Directories Used to connect to directory servers in order to retrieve groups and apply network and web filtering permissions and verify the identity of users trying to access network or Internet resources. For more information, see About Directory Services on page 179.

Groups Used to customize group names. For more information, see Managing Groups of Users on page 190.

Temporary bans Enables you to manage temporarily banned user accounts. For more information, see Managing Temporarily Banned Users on page 193.

User activity Displays the login times, usernames, group membership and IP address details of recently authenticated users. For more information, see Managing User Activity on page 195.

SSL login Used to customize the end-user SSL login page. For more information, see

About SSL Authentication on page 196.

Kerberos keytabs This is where Kerberos keytabs are imported and managed. For more information, see Managing Kerberos Keytabs on page 198.

BYOD Enables you to authenticate users with their own devices and allow them to connect to the network. For more information, refer to the Network Guardian Operations Guide.

Chromebook Used to configure Google credentials for Chromebook authentication. For more information, see Authenticating Chromebook Users on page 201.

Portals This page enables you to configure and manage user portals. For more information, refer to the Network Guardian Operations Guide.

Group access This page enables you to assign groups of users to portals. For more information, refer to the Network Guardian Operations Guide.

User access This page enables you to override group settings and assign a user directly to a portal. For more information, refer to the Network Guardian Operations Guide.

(21)

Proxies

You configure the proxy service for Network Guardian’s individual modules, including:

SNMP

You enable and configure the SNMP service here:

Message Censor

You can configure filtering policies for message content here:

Instant messenger Configure the instant messenger proxy service. For more information, refer to the Network Guardian Operations Guide.

FTP Configure the FTP proxy service. For more information, refer to the Network Guardian Operations Guide.

SNMP Used to activate Network Guardian’s Simple Network Management Protocol (SNMP) agent. For more information, refer to the Network Guardian Operations Guide.

Policies Enables you to create and manage filtering policies by assigning actions to matched content. For more information, refer to the Network Guardian Operations Guide.

Filters This is where you create and manage filters for matching particular types of message content. For more information, refer to the Network Guardian Operations Guide.

Time This is where you create and manage time periods for limiting the time of day during which filtering policies are enforced. For more information, refer to the

Custom categories Enables you to create and manage custom content categories for inclusion in filters. For more information, refer to the Network Guardian Operations Guide.

(22)

System

The System section contains the following sub-sections and pages:

Maintenance

You use the following sections to manage and maintain various aspects of Network Guardian, including:

Central Management

You can setup a centrally managed Network Guardian system here:

Updates Used to display and install available product updates, in addition to listing currently installed updates. For more information, refer to the Network Guardian Operations Guide.

Modules Used to upload, view, check, install and remove Network Guardian modules. For more information, refer to the Network Guardian Operations Guide.

Licenses Used to display and update license information for the licensable components of the system. For more information, refer to the Network Guardian Operations Guide.

Archives Used to create and restore archives of system configuration information. For more information, refer to the Network Guardian Operations Guide.

Scheduler Used to automatically discover new system updates, modules and licenses. It is also possible to schedule automatic downloads of system updates and create local and remote backup archives. For more information, refer to the

Shutdown Used to shutdown or reboot the system. For more information, refer to the

Overview This is where you monitor nodes and schedule updates in a Smoothwall system. For more information, see Managing Nodes in a Smoothwall System on page 215.

Child nodes This is where you add and configure nodes in a Smoothwall system. For more information, see Configuring Child Nodes on page 211.

Local node settings This is where you configure a node to be a parent or child in a Smoothwall system and manage central management keys for use in the system. For more information, see Setting up a Centrally Managed Smoothwall System on page 210.

(23)

Preferences

You can customize your installation of Network Guardian here:

Administration

You can enable administration access to Network Guardian here:

Hardware

You can configure additional hardware aspects here:

User interface Used to manage Network Guardian’s dashboard settings. For more information, refer to the Network Guardian Operations Guide.

Time Used to manage Network Guardian’s time zone, date and time settings. For more information, refer to the Network Guardian Operations Guide.

Registration options Used to configure a web proxy if your ISP requires you use one. Also, enables you configure sending extended registration information to Smoothwall. For more information, refer to the Network Guardian Operations Guide.

Hostname Used to configure Network Guardian’s hostname. For more information, refer to the Network Guardian Operations Guide.

Admin options Used to enable secure access to Network Guardian using SSH, and to enable referral checking. For more information, refer to the Network Guardian Operations Guide.

External access Used to create rules that determine which interfaces, services, networks and hosts can be used to administer Network Guardian. For more information, refer to the Network Guardian Operations Guide.

Administrative users Used to manage user accounts and set or edit user passwords on the system. For more information, refer to the Network Guardian Operations Guide.

Tenants Used to manage tenants. For more information, refer to the Multi-Tenant Installation and Administration Guide. Note you may not see this option if you have not purchased a Multi-Tenant licence.

UPS Used to configure the system's behavior when it is using battery power from an Uninterruptible Power Supply (UPS) device. For more information, refer to the Network Guardian Operations Guide.

Console Configure the system console. For more information, refer to the Network Guardian Operations Guide.

(24)

Diagnostics

You can perform diagnostics tests here:

Certificates

You can configure Network Guardian as a Certificate Authority:

Guardian

The Guardian section contains the following sub-sections and pages:

Quick Links

The most commonly used Guardian functions are found here:

Functionality tests Used to ensure that your current Network Guardian settings are not likely to cause problems. For more information, refer to the Network Guardian Operations Guide.

Configuration report Used to create diagnostic files for support purposes. For more information, refer to the Network Guardian Operations Guide.

IP tools Contains the ping and trace route IP tools. For more information, refer to the

Whois Used to find and display ownership information for a specified IP address or domain name. For more information, refer to the Network Guardian Operations Guide.

Page Description

Certificate authorities

Provides certification authority (CA) certificates and enables you to manage them for clients and gateways. For more information, refer to the Network Guardian Operations Guide.

Page Description

Getting started This page provides an overview of what comprises a web filter policy, a link to the default policies and an introduction to policy wizards. For more information, see Guardian Getting Started on page 54.

Shortcuts This page provides direct links to tasks you might do on a daily basis, such as blocking and allowing sites and running reports. For more information, see

About Shortcuts on page 49.

Quick block/allow This page enables you to block or allow content immediately. For more information, see Blocking and Allowing Content Immediately on page 46.

Policy tester The policy tester enables you to test whether a URL is available to a specific person at a specific location and time. For more information, see Using the Policy Tester on page 83.

(25)

Web Filter Policies

You configure web filter policies here:

HTTPS Inspection Policies

You can configure HTTPS inspection policies here:

Content Modification Policies

You can configure content modification policies here:

Manage policies This is where you manage how web filtering policies are applied. For more information, see Managing Web Filter Policies on page 64.

Policy wizard This is where you can configure a custom web filtering policy. For more information, see Creating Web Filter Policies on page 65.

Location blocking Enables you to block computers at a specific location from accessing web content. For more information, see Blocking Locations on page 47.

Exceptions Here you can exempt computers from any web filtering. For more information, see Excepting Computers from Web Filtering on page 47.

Outgoing This is where you configure outgoing settings for a censor policy for content and/or files posted using web forms. For more information, see Censoring Web Form Content on page 87.

Manage policies This is where you manage HTTPS inspection policies that decrypt and inspect encrypted communications. For more information, see Managing HTTPS Inspection Policies on page 68.

Policy wizard This is where you create custom policies for managing encrypted

communications. For more information, see Creating an HTTPS Inspection Policy on page 69.

Settings This is where you manage CA security certificates and configure HTTPS interception messages. For more information, see Configuring HTTPS Inspection Policy Settings on page 72.

Manage policies This is where you manage content modification policies that apply

recommended security rules and enforce SafeSearch in browsers. For more information, see Managing Content Modification Policies on page 74.

Policy wizard Enables you to create custom policies for applying security rules and enforcing SafeSearch in browsers. For more information, see Creating a Content Modification Policy on page 75.

Content modifications

Create and manage content modification policies. For more information, see

(26)

Anti-malware Policies

You can configure anti-malware policies here:

Block Page Policies

You can configure block page policies here:

Policy Objects

You can configure global policy objects to be used in any Guardian policy:

Manage policies This is where you manage policies that protect against malware. For more information, see Managing Anti-malware Policies on page 79.

Policy wizard This is where you can create custom policies to protect against malware. For more information, see Creating an Anti-malware Policy on page 79.

Status page Enables you to customize anti-malware information shown when downloading files. For more information, see Configuring Anti-malware Status Information on page 82.

Settings This is where you enable malware protection. For more information, see

Creating an Anti-malware Policy on page 79.

Manage policies This is where you manage block page policies. For more information, see

Managing Block Page Policies on page 137.

Policy wizard This is where you create and edit block page policies. For more information, see

Configuring a Block Page Policy on page 136.

Block pages This is where you create and edit block pages. For more information, see

Managing Block Pages on page 132.

Category groups This is where you manage content categories used when applying a web filtering policy. For more information, see Working with Category Group Objects on page 55.

User defined This is where you manage custom content categories. For more information, see Creating Custom Categories on page 56.

Time slots This is where you create and manage time slot policy objects for use in content filtering policies. For more information, see Working with Time Slot Objects on page 59.

Locations This is where you create and manage location policy objects for use in content filtering policies. For more information, see Working with Location Objects on page 60.

Quotas This is where you create and manage quota policy objects for use in content filtering policies. For more information, see Working with Quota Objects on page 62.

(27)

Swurl

The Swurl section contains the following sub-sections and pages:

Web Proxy

The Web proxy section contains the following sub-sections and pages:

Web Proxy

You can manage the web proxy service here:

Upstream Proxy

You can managed the upstream proxy service here:

Settings This is where you configure your organization’s Swurl account. For more information, see Configuring Organization Accounts on page 89.

Settings This is where you configure and manage web proxy settings. For more information, see Overview of the Web Proxy on page 112.

Automatic configuration

This is where you create and make available proxy auto-configuration (PAC) scripts. For more information, see Using PAC Scripts on page 116.

Bandwidth limiting This is where you can manage how much bandwidth is made available to clients. For more information, see Limiting Bandwidth Use on page 118.

WCCP This is where you can configure Network Guardian to join a Web Cache Coordination Protocol (WCCP) cache engine cluster. For more information, see

Configuring WCCP on page 120.

Manage policies This is where you manage upstream proxy policies. For more information, see

Working with Multiple Upstream Proxies on page 128.

Proxies This is where you configure upstream proxy settings. For more information, see

Configuring an Upstream Proxy on page 123.

Filters This is where you manage upstream proxy source and destination filters. For more information, see Configuring Source and Destination Filters on page 125.

(28)

Authentication

You can manage web proxy authentications here:

MobileProxy

You can manage the MobileProxy service here:

Global Proxy

The Global Proxy section contains the following sub-sections and pages:

Manage polices This is where you manage authentication policies which determine which web filter policies are applied. For more information, see Chapter 5, Managing Authentication Policies on page 91.

Policy wizard This is where you create and edit authentication policies. For more information, see Creating Authentication Policies on page 92.

Exceptions This is where you can exempt content from authentication. For more information, see Managing Authentication Exceptions on page 103.

Ident by location This is where you configure identification of groups and/or users by their location. For more information, see Identification by Location on page 103.

Settings On this page, you configure global MobileProxy server settings. For more information, refer to the Network Guardian Operations Guide.

Proxies On this page, you manage MobileProxyservers for use with mobile devices. For more information, refer to the Network Guardian Operations Guide.

Exceptions On this page, you specify proxy exceptions. For more information, refer to the Network Guardian Operations Guide.

Settings Used to configured Secure Global Proxy. For more information, For more information, see Using Global Proxy Certificates on page 104.

Certificate activity Used to view the Secure Global Proxy logs. For more information, For more information, see Viewing the Global Proxy Logs on page 106.

(29)

Configuration Guidelines

This section provides guidance about how to enter suitable values for frequently required configuration settings.

Specifying Networks, Hosts and Ports

IP Address

An IP address defines the network location of a single network host. The following format is used:

192.168.10.1

IP Address Range

An IP address range defines a sequential range of network hosts, from low to high. IP address ranges can span subnets. For example:

192.168.10.1-192.168.10.20 192.168.10.1-192.168.12.255

Subnet Addresses

A network or subnet range defines a range of IP addresses that belong to the same network. The format combines an arbitrary IP address and a network mask, and can be entered in two ways:

192.168.10.0/255.255.255.0 192.168.10.0/24

Netmasks

A netmask defines a network or subnet range when used in conjunction with an arbitrary IP address. Some pages allow a network mask to be entered separately for ease of use. Examples:

255.255.255.0 255.255.0.0 255.255.248.0

Service and Ports

A Service or Port identifies a particular communication port in numeric format. For ease of use, a number of well known services and ports are provided in Service drop-down lists. To use a custom port number, choose the User defined option from the drop-down list and enter the numeric port number into the adjacent User defined field. Examples:

21 7070

(30)

Port Range

A 'Port range' can be entered into most User defined port fields, in order to describe a sequential range of communication ports from low to high. The following format is used:

137:139

Using Comments

Almost every configurable aspect of Network Guardian can be assigned a descriptive text comment. This feature is provided so that administrators can record human-friendly notes against configuration settings they implement.

Comments are entered in the Comment fields and displayed alongside saved configuration information.

Connecting via SSH

You can access Network Guardian via a console using the Secure Shell (SSH) protocol.

Connecting Using a Client

When SSH access is enabled, you can connect to Network Guardian via a secure shell application, such as PuTTY.

To connect using an SSH client:

1. Check SSH access is enabled on Network Guardian. See Configuring Administration Access Options on page 139 for more information.

(31)

3. Enter the following information:

4. Click Open. When prompted, enter root, and the password associated with it. You are given access to the Network Guardian command line.

Secure Communication

When you connect your web browser to Network Guardian’s web-based interface on a HTTPS port for the first time, your browser will display a warning that Network Guardian’s certificate is invalid. The reason given is usually that the certificate was signed by an unknown entity or because you are connecting to a site pretending to be another site.

Unknown Entity Warning

This issue is one of identity. Usually, secure web sites on the Internet have a security certificate which is signed by a trusted third party. However, Network Guardian’s certificate is a self-signed certificate. Note: The data traveling between your browser and Network Guardian is secure and encrypted.

To remove this warning, your web browser needs to be told to trust certificates generated by Network Guardian.

To do this, import the certificate into your web browser. The details of how this are done vary between browsers and operating systems. See your browser’s documentation for information about how to import the certificate.

Inconsistent Site Address

Your browser will generate a warning if Network Guardian’s certificate contains the accepted site name for the secure site in question and your browser is accessing the site via a different address. A certificate can only contain a single site name, and in Network Guardian’s case, the hostname is used. If you try to access the site using its IP address, for example, the names will not match. To remove this warning, access Network Guardian using the hostname. If this is not possible, and you are accessing the site by some other name, then this warning will always be generated. In most cases, browsers have an option you can select to ignore this warning and which will ignore these security checks in the future.

Field Description

Host Name (or IP address)

Enter Network Guardian’s host name or IP address.

Port Enter 222

(32)

Neither of the above issues compromise the security of HTTPS access. They simply serve to illustrate that HTTPS is also about identity as well encryption.

(33)

2 Working with Interfaces

This chapter describes how to configure the network cards and interfaces on your Network Guardian, including:

• About Network Interfaces and Roles on page 23

• Creating an External Connection on page 25

• Adding a New Interface on page 27

• Allocating IP Addresses to Interfaces on page 28

• Configuring Bonded Interfaces on page 30

• Using Virtual Local Area Networks on page 33

• Configuring Transparent Bridges on page 34

• Using a Point-to-Point Protocol over Ethernet Interface on page 37

• Using Domain Name System Services on page 40

About Network Interfaces and Roles

Note: Support for Internet connections using dial-up modems has been withdrawn. For more information, contact your Smoothwall representative.

“Interface” can refer to both a software interface, such as a virtual LAN, and a physical network interface card (NIC). Within Network Guardian, “interface” typically refers to a software interface, whereas NICs have “roles”.

The following NIC roles are supported:

NIC Role Description

External External interfaces connect your network to the Internet.

For a detailed description of how to configure an external role, see

(34)

The following interfaces are supported:

New NICs added to your appliance are automatically added to the configuration as a BASIC interface. You must configure additional interfaces for Internet connections, connections from internal clients for web filtering purposes, and so on.

Note: The configuration entered for the NIC during the installation is to allow access to Network Guardian from the administration user interface. For more information, refer to the Network Guardian Installation Guide.

Basic interface Typically, basic interfaces deal with internal network traffic. During installation, a basic interface is reserved, and configured to provide a direct link to Network Guardian, either through the administration user interface, or through secure shell (SSH).

For a detailed description of how to add an IP address to a basic interface, see Allocating IP Addresses to Interfaces on page 28.

Bond member A bond member is one of two or more NICs combined together to provide high availability. A Bonding interface acts as the combination.

For a detailed description of how to configure a bond member, see

Configuring Bonded Interfaces on page 30.

Bridge member A bridge member is one of two or more NICs that bridge separate network zones together. A Bridge interface acts as the

connection between NICs.

For a detailed description of how to configure a bridge member, see

Configuring Transparent Bridges on page 34.

Interface Description

Bonding A Bonding interface is a software interface that combines NICs to provide high availability.

For a detailed description of how to configure a bonded interface, see Configuring Bonded Interfaces on page 30.

VLAN A virtual local area network (VLAN) is a virtual network zone. VLAN

interfaces are software interfaces, associated with a NIC.

For a detailed description of how to configure a VLAN interface, see

Using Virtual Local Area Networks on page 33.

Bridge A Bridge interface is a software interface that links network zones, that is, NICs, together.

For a detailed description of how to configure a bridge interface, see Configuring Transparent Bridges on page 34.

PPPoE A Point-to-Point Protocol over Ethernet (PPPoE) interface connects network zones using modems, or similar devices.

For a detailed description of how to configure a PPPoE interface, see Using a Point-to-Point Protocol over Ethernet Interface on page 37.

(35)

Network Guardian Administration Guide Working with Interfaces

Creating an External Connection

Internet connections are made through the NIC configured as External. You can choose to configure this with a static IP address, or with one set by your ISP’s DHCP server.

Note: “External connection” does not refer to those connections that use a PPPoE interface. For a detailed description of how to configure a PPPoE connection, see Using a Point-to-Point Protocol over Ethernet Interface on page 37.

To create an external connection, do the following: 1. Browse to Networking > Configuration > Interfaces. 2. Highlight the relevant interface, and click Edit.

3. Configure the following:

 Name — Configure a meaningful name for this connection.

 Use as — Select External.

 Spoof MAC — If MAC address spoofing is required, enter the new MAC address here.

 MTU — If required, you can set the Maximum Transmission Unit (MTU) size, in bytes, for packets using this connection.

 Comment — Configure an optional comment for this external interface.

An additional button, Show comments, is displayed on the Ethernet interfaces table if any comments are configured. Clicking this displays configured comments under the interface name.

(36)

You must assign the IP address, and gateway if provided, as advised by your ISP. This can either be a static IP address or one assigned dynamically. For a detailed description of how to do this, see

Allocating IP Addresses to Interfaces on page 28.

Note: IPv6 is not yet supported. For more information, refer to your Smoothwall representative.

About Load Balancing Traffic over External Connections

If multiple external connections are configured on the appliance, Network Guardian balances external-destined traffic, according to weighting, across all functioning connections. This way, a failed connection should not have any noticeable impact on network clients.

For a detailed description of how to configure link load balancing weighting, see Load Balancing Traffic on page 143.

Editing an External Connection

To edit an external interface, do the following:

1. Browse to Networking > Configuration > Interfaces.

2. From the Ethernet interfaces table, highlight the relevant external interface, and click Edit. 3. Edit the configuration as required. For a detailed description of each setting, see Creating an

External Connection on page 25. 4. Click Save changes.

Deleting an External Connection

You cannot delete an external connection as this is typically a port on the appliance. To remove an external interface, you delete the IP addresses allocated to the interface. For a detailed description of how to do this, see Deleting Allocated IP Addresses on page 30.

(37)

Monitoring External Connections’ Status

You can monitor the status of all external connections configured on your appliance, using Network Guardian’s Dashboard.

To view the status of all external connections, do the following: • From the menu list, browse to Dashboard.

For more information about the Dashboard, refer to the Network Guardian Operations Guide.

Adding a New Interface

In addition to the NICs on your Network Guardian appliance, you can create additional interfaces to process network traffic.

You do this as follows:

(38)

3. The parameters available to configure change depending on the Type of interface you select. For more information, see:

 Bonding — Configuring Bonded Interfaces on page 30

 VLAN — Using Virtual Local Area Networks on page 33

 Bridge — Configuring Transparent Bridges on page 34

 PPPoE — Using a Point-to-Point Protocol over Ethernet Interface on page 37

4. Click Add.

Basic interfaces are added automatically when a new NIC is detected. For a detailed description of how to change a basic interface to an external interface, see Creating an External Connection on page 25.

Allocating IP Addresses to Interfaces

Typically, you assign an IP address to the interface during installation - refer to the Network Guardian Installation Guide.

If required, you can assign additional IP addresses to an interface, for example: • Extra static IP address, for later use.

• An IP address, set by DHCP, to an interface with a static IP address already assigned.

• An IP address alias to a PPPoE interface. For a detailed description of how to add an IP address alias to a PPPoE interface, see Adding Alias IP Addresses on page 39.

Note: IPv6 is not yet supported. For more information, refer to your Smoothwall representative.

Adding an IP Address

To add an IP address, do the following:

2. Click the IP addresses link for the relevant interface to display the Attached addresses table. 3. Click Add new IP address.

4. Configure the following:

 Status — New IP addresses are enabled by default. Clear the check box to create a disabled IP address.

 Type — Choose whether this IP address is assigned a static IP address (Static IPv4), or an IP address assigned via DHCP (DHCP IPv4).

(39)

Depending the type of IP address, additional parameters may require configuration:

 Comment — Configure an optional comment for this IP address. Use as Additional Parameter Description

Static IPv4 IP address Enter the additional IP address for this interface.

Subnet mask Enter the subnet mask for the IP address

Gateway If traffic from this IP address needs to go through a gateway, select User defined, and either enter it into the box provided, or choose it from the drop-down list.

Else, leave None selected.

Bandwidth This parameter is only displayed if a User defined Gateway is configured. If multiple gateways are configured and used, enter the minimum bandwidth used to load balance traffic between connections. If a single gateway is configured, load balancing is not used so this parameter can be left at 1.

Select whether the configured value is in kilobits per second (kbps), or in megabits per second (Mbps).

Connection monitoring

This parameter is only displayed if a User defined Gateway is configured. Connection monitoring is enabled by default.

It is not recommended you disable connection monitoring, otherwise Network Guardian assumes the gateway always has an internet connection.

DHCP IPv4 Bandwidth If multiple gateways are configured and used, enter the minimum bandwidth used to load balance traffic between connections. If a single gateway is configured, load balancing is not used so this parameter can be left at 1.

Select whether the configured value is in kilobits per second (kbps), or in megabits per second (Mbps).

Connection monitoring

Connection monitoring is enabled by default.

It is not recommended you disable connection monitoring, otherwise Network Guardian assumes the gateway always has an internet connection.

DHCP client hostname

Optionally, enter the DHCP client hostname as specified by the DHCP server.

(40)

An additional button, Show comments, is displayed on the Attached addresses table if any comments are configured. Clicking this displays configured comments under the IP address.

5. Click Add.

Editing Allocated IP Addresses

To edit an allocated IP address, do the following: 1. Browse to Networking > Configuration > Interfaces.

2. From the Ethernet interfaces table, highlight the interface, and click IP addresses. 3. From the Attached addresses table, highlight the relevant IP address and click Edit. 4. Edit the configuration as required. For a detailed description of each setting, see Using Virtual

Local Area Networks on page 33. 5. Click Save changes.

Deleting Allocated IP Addresses

Note: You cannot delete IP addresses that are assigned elsewhere, for example, used as part of a port forwarding rule (see Managing Inbound Traffic with Port Forwards on page 173) or source NAT policy (see Using Source NATs and LLB Policies on page 147).

To delete an allocated IP address, do the following: 1. Browse to Networking > Configuration > Interfaces.

2. From the Ethernet interfaces table, highlight the interface, and click IP addresses. 3. From the Attached addresses table, locate and highlight the relevant IP address. 4. Click Delete.

Configuring Bonded Interfaces

Network interface card (NIC) bonding involves combining the cards in parallel, in order to increase throughput, provide high availability, and provide redundancy should one of the links fail.

Network Guardian enables you to bind two or more NICs into a single bond.

Creating Bonds

You must first create the “parent” bonded interface, before adding the bonded interfaces. If required, a bridge member interface can also be used as a bonded interface.

Secure Web Gateway Network Guardian Administration Guide

Secure Web Gateway

Network Guardian Administration Guide

Contents

About This Guide ... 1

Audience and Scope ... 1

Organization and Use ... 1

Conventions... 2

Related Documentation... 2

Chapter 1

Network Guardian Overview ... 3

Overview of Network Guardian... 4

Annual Renewal... 4

Accessing Network Guardian ... 4

Dashboard ... 5

Logs and Reports ... 6

Reports ... 6

Alerts ... 6

Realtime ... 6

Logs ... 7

Settings ... 8

Networking ... 8

Configuration ... 8

Filtering ... 9

Routing ... 9

Settings ... 9

Services... 10

Authentication ... 10

User Portal ... 10

Proxies ... 11

SNMP ... 11

Message Censor ... 11

System ... 12

Maintenance ... 12

Central Management ... 12

Preferences ... 13

Administration... 13

Hardware ... 13

Diagnostics ... 14

Certificates ... 14

Guardian ... 14

Quick Links ... 14

Web Filter Policies ... 15

HTTPS Inspection Policies ... 15

Content Modification Policies ... 15

Anti-malware Policies ... 16

Block Page Policies ... 16

Policy Objects ... 16

Swurl ... 17

Web Proxy ... 17

Web Proxy ... 17

Upstream Proxy ... 17

Authentication ... 18

MobileProxy ... 18

Global Proxy ... 18

Configuration Guidelines... 19

Specifying Networks, Hosts and Ports ... 19

Using Comments ... 20

Connecting via SSH ... 20

Connecting Using a Client ... 20

Secure Communication ... 21

Unknown Entity Warning... 21

Inconsistent Site Address ... 21

Chapter 2

Working with Interfaces ... 23

About Network Interfaces and Roles ... 23

Creating an External Connection ... 25

About Load Balancing Traffic over External Connections 26

Editing an External Connection... 26

Deleting an External Connection... 26

Monitoring External Connections’ Status ... 27

Adding a New Interface ... 27

Allocating IP Addresses to Interfaces ... 28

Adding an IP Address ... 28

Editing Allocated IP Addresses ... 30

Deleting Allocated IP Addresses... 30

Configuring Bonded Interfaces ... 30

Creating Bonds ... 30

Editing Bonds ... 32

Deleting a Bond Interface ... 32