BASIC FIREWALL SERVICES

Services
- NTP – Network Time
- DHCP
  - Relay
  - Server
- DNS
  - Proxy
  - Server
- Dynamic DNS
- High Availability
- Remote Logging
NTP – Network Time Service
- An NTP server synchronizes the firewall clock. This is important to:
  - prevent time drift, which may cause VPN issues
  - keep syslog time stamps accurate
- Changing the Time Zone requires a reboot to be fully effective.
- GTA is a member of pool.ntp.org, a virtual cluster of time servers providing NTP service.
- Peers – typically not implemented. Instead of client/server mode, the firewalls act in peer mode, where a key can be configured between peers.
GB-250 & GB-Ware
- GB-250: older GB-250 firewalls do not have a battery, and the initial boot time is 2000-01-01 00:00:00. The time is corrected after NTP synchronization.
- GB-Ware: the start-up time of GB-Ware is either acquired from the on-board battery-backed clock, or is the fixed start-up time of 1970-01-01 00:00:00 if the hardware does not contain a battery-backed clock. The GB-Ware default system time will vary depending on the hardware manufacturer and if the system has a
Network Time Server – Making the firewall an NTP Server
- Go to the Inbound Policies.
- Configure a policy to allow connections to the

DRDoS / Amplification Attack using the ntpdc monlist command
- GTA has an update for the NTP vulnerability in the pending v6.1.6 pre-release. For more information on the NTP issue, see http://support.ntp.org/bin/view/Main/SecurityNotice#DRDoS_Amplification_Attack_using
- Until the final release of v6.1.6 or v6.2.0, GTA recommends configuring your firewall so that it only serves trusted hosts and does not respond to untrusted or external IP addresses. This is controlled by your Inbound Security Policies. By default, GTA firewalls do not allow NTP requests from clients.
Network Time Server – Trouble Shooting
- Confirm that the NTP servers specified resolve and allow synchronization.
- Confirm an explicit or Automatic Remote
DHCP Relay – Requirements
- GB-OS 5.3.2 or above
- Supports both IPv4 and IPv6 relay (GB-OS 6.0 and up)
- A DHCP server with a scope to be assigned that is on the same network as the GTA firewall interface upon which the DHCP client broadcast messages are received, or the firewall has a route to the network the client will connect from.
- Based on:
  - RFC 3046 – http://tools.ietf.org/rfc/rfc3046.txt
  - RFC 2131 – http://www.ietf.org/rfc/rfc2131.txt
How it works
- The firewall listens for DHCP client broadcast messages, changes these requests to unicast messages and forwards them to the configured DHCP server(s).
- Once the client has a DHCP address and reaches its renewal time, it connects directly to the DHCP server to renew the lease.
Configuring DHCP Relay – 2 Steps
- Configure the DHCP Relay Server IP address, or addresses for multiple servers.
- Configure the DHCP server scopes.
- If relaying from PSN to Protected or PSN to another PSN, add IP Pass Through Host networks and policies.
DHCP Relay Configuration – Firewall
- Go to Configure -> Services -> DHCP -> Relay and enter the DHCP server IP address, or select an object with the DHCP servers' IP addresses.
- In the Advanced section, automatic policies, when enabled, will create an automatic remote access policy as needed to accept DHCP responses from the configured DHCP server(s) and accept requests for addresses.
- Example Automatic Policies –
  - Accept notice ANY nolog udp/67->67 from 192.168.71.254 to 192.168.71.1
Known Issue – DHCP Relay
- Updating the Network services (Interfaces, Alias) when configured on a VLAN interface requires DHCP relay to be manually restarted.
DHCP Server Configuration
- The configured scope must match an interface IP address/network on the firewall, or a network reachable from the firewall.
- Configure any other options.
Security Policies
DHCP Relay Protected to Protected
- Default – all access is allowed between Protected networks.
- If corporate policy requires strict control of all access, then connections must be allowed for the DHCP server and client.
DHCP Relay PSN to Protected, PSN to PSN
- By default, PSN networks are not allowed direct access to Protected networks or other PSN networks.
- IP Pass Through Host networks must be defined and IP Pass Through Security Policies must be set to allow DHCP from clients to the server and from the server to the client.
DHCP Server – IPv4
- DHCP Basic Features
  - Description
  - Beginning Address
  - Netmask
  - Lease Duration
  - Default gateway
  - Domain
  - Name Servers (3)
  - WINS Servers (3)
  - NTP Servers (3)
- DHCP Advanced Features
  - MTU (v5.0)
  - TFTP Server
  - Assign by MAC address
  - Exclusion Ranges
- DHCP starts on the interface which matches the network defined in the service. A common issue is that the network defined in the DHCP server does not match a network defined on the firewall.
- Multiple DHCP servers can be configured on a system. This is usually limited by the number of interfaces or VLANs.
DHCP Server – IPv6
- DHCP Basic Features
  - Description
  - Beginning Address
  - Prefix
  - Lease Duration
  - Domain
  - Name Servers (3)
- DHCP Advanced Features
  - Assign by Client DUID
  - Exclusion Ranges
- DHCP starts on the interface which matches the network defined in the service. A common issue is that the network defined in the DHCP server does not match a network defined on the firewall.
- Requires Prefix Advertisement to be enabled for the network/prefix and gateway.
- Covered further in Advanced Network IPv6.
Monitor -> Activity -> Services -> DHCP
- Flush Leases – clears the DHCP lease table.
- Displays all leases and time to expire.
- Statically assigned leases will not have an
DHCP Trouble Shooting
- Firewall logs – “server disabled” after enabling.
  Check that the scope defined for the DHCP server matches a network assigned to the firewall.
- Verification – ERROR: DHCP Relay and DHCP Server are both enabled
  DHCP relay and DHCP server are mutually exclusive.
- Firewall logs – May 10 08:39:50 pri=3 msg="dhcrelay: Packet to bogus giaddr 192.168.78.1. " type=mgmt
  The network requesting the relay is not reachable from the firewall. Check the local routing.
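The three conditions above can be checked before a scope is enabled. The following is an added Python example, not a GB-OS tool: it models a firewall's interface addresses and routes as constructed data (192.168.71.0/24, 192.168.72.0/24 and a routed 10.20.0.0/16 are assumptions) and reports the same three findings the slide lists: a scope that matches no interface network, relay and server both enabled, and a giaddr the firewall cannot reach.

```python
from __future__ import annotations
from ipaddress import ip_address, ip_interface, ip_network

# Constructed firewall state (assumed, not read from a real GB-OS configuration).
INTERFACES = {"PROTECTED": "192.168.71.1/24", "PSN": "192.168.72.1/24"}
ROUTES = ["10.20.0.0/16"]   # remote networks reachable through a next hop


def reachable_networks(include_routes: bool) -> list:
    nets = [ip_interface(a).network for a in INTERFACES.values()]
    if include_routes:
        nets += [ip_network(r) for r in ROUTES]
    return nets


def scope_problem(begin: str, mask_or_prefix: str, relay: bool = False) -> str | None:
    """'server disabled' after enabling: a DHCP server scope must lie on a
    firewall interface network.  A relayed scope may instead be on a network
    the firewall has a route to.  Returns the reason, or None when fine."""
    scope = ip_network(f"{begin}/{mask_or_prefix}", strict=False)
    if any(scope.subnet_of(net) for net in reachable_networks(relay)):
        return None
    return f"scope {scope} does not match any firewall interface network"


def exclusivity_problem(server_enabled: bool, relay_enabled: bool) -> str | None:
    """The verification error on this page: relay and server cannot both be on."""
    if server_enabled and relay_enabled:
        return "DHCP Relay and DHCP Server are both enabled"
    return None


def giaddr_problem(giaddr: str) -> str | None:
    """'Packet to bogus giaddr X': the server sends its reply to giaddr, so that
    address must be on a network the firewall can reach; the page attributes
    the message to the relayed network not being reachable (check routing)."""
    if any(ip_address(giaddr) in net for net in reachable_networks(True)):
        return None
    return f"giaddr {giaddr} is not reachable from the firewall; check local routing"


def lint_dhcp(config: dict) -> list[str]:
    """Run all three checks over a constructed configuration dictionary."""
    findings = []
    p = exclusivity_problem(config["server_enabled"], config["relay_enabled"])
    if p:
        findings.append(p)
    for scope in config.get("scopes", []):
        p = scope_problem(scope["begin"], scope["mask"], config["relay_enabled"])
        if p:
            findings.append(p)
    for g in config.get("seen_giaddr", []):
        p = giaddr_problem(g)
        if p:
            findings.append(p)
    return findings


if __name__ == "__main__":
    sample = {"server_enabled": True, "relay_enabled": False,
              "scopes": [{"begin": "192.168.71.100", "mask": "255.255.255.0"},
                         {"begin": "192.168.80.100", "mask": "255.255.255.0"}],
              "seen_giaddr": ["192.168.78.1"]}   # the address from the log line above
    for finding in lint_dhcp(sample):
        print(finding)
```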
DNS Proxy
- Name Servers: External – 2, Internal – 2. It is very important that these respond well. Most services depend on DNS being enabled; slow or poorly responding DNS servers adversely affect firewall services.
- DNS Proxy – available on all products. Basic DNS proxy with no caching. If the DNS server is enabled, the proxy is not used.
- An automatic policy allows connections from Internal networks to the DNS Proxy.
DNS Server
- Supports both IPv4 and IPv6 (v6.0 or later)
- Limited DNS configuration:
  - Server name
  - Secondary Name Servers (4)
  - Forwarders (3)
  - Domain – the number is based on the product
    - Domain Name
    - IP address
    - Mail exchanger
    - Hosts – RDNS
  - Subnets with reverse zones
    - In most cases the firewall will create these automatically, so no in-addr.arpa entry is required.
DNS Server – Trusted Networks
- An object which specifies the networks that are allowed to perform recursive lookups.
- If a network is not a member of the Trusted Networks object, then the firewall will only respond to DNS lookups for the Domain it is

Allowing Access to the DNS Server or DNS Proxy Externally
- If using the firewall DNS server, its default automatic policy is to allow connections via the internal interfaces of type PSN and Protected. A specific remote access policy will need to be created to allow access for lookups from External untrusted networks.
DNS Server Trouble Shooting
- Local hosts are not able to perform recursive lookups.
  Check that the local networks are referenced as Trusted Networks.
- DNS Proxy – WARNING: External name server set to IP address (204.94.136.5) assigned to firewall
  The firewall DNS server points to itself. Using an inbound tunnel for DNS.
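Both DNS troubleshooting items, and the Trusted Networks rule from the previous slide, reduce to two checks. This is an added Python example and not GB-OS code: the firewall addresses (204.94.136.5 from the warning above, plus an assumed 192.168.71.1), the Trusted Networks object 192.168.71.0/24 and the hosted domain example.test are constructed. For an untrusted source asking about a domain the firewall does not host, the example returns "refused"; the page only states that such lookups are not answered, so that label is an assumption.

```python
from __future__ import annotations
from ipaddress import ip_address, ip_network

# Constructed firewall data (assumptions for this example).
FIREWALL_ADDRESSES = {"204.94.136.5", "192.168.71.1"}   # interface IPs
TRUSTED_NETWORKS = ["192.168.71.0/24"]                  # the Trusted Networks object
LOCAL_DOMAINS = ["example.test"]                        # domains the firewall hosts


def is_trusted(client_ip: str) -> bool:
    """Membership test against the Trusted Networks object."""
    addr = ip_address(client_ip)
    return any(addr in ip_network(n) for n in TRUSTED_NETWORKS)


def in_local_zone(qname: str) -> bool:
    """True when the query name is the hosted domain or a name beneath it."""
    name = qname.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in LOCAL_DOMAINS)


def query_decision(client_ip: str, qname: str) -> str:
    """'recursive' for trusted sources; untrusted sources only get answers
    for the hosted domain ('authoritative'); anything else is not served."""
    if is_trusted(client_ip):
        return "recursive"
    if in_local_zone(qname):
        return "authoritative"
    return "refused"   # assumption: the page only says such lookups are not answered


def name_server_warnings(external: list[str], internal: list[str]) -> list[str]:
    """Reproduce the proxy warning: an upstream name server must not be one of
    the firewall's own addresses, or lookups simply loop back to the firewall."""
    warnings = []
    for role, servers in (("External", external), ("Internal", internal)):
        for ip in servers:
            if ip in FIREWALL_ADDRESSES:
                warnings.append(
                    f"WARNING: {role} name server set to IP address ({ip}) assigned to firewall")
    return warnings


if __name__ == "__main__":
    print(query_decision("192.168.71.50", "www.example.com"))    # recursive
    print(query_decision("198.51.100.7", "mail.example.test"))   # authoritative
    print(query_decision("198.51.100.7", "www.example.com"))     # refused
    for w in name_server_warnings(["204.94.136.5", "203.0.113.53"], ["192.168.71.10"]):
        print(w)
```

The recursion check is the defensive point of the Trusted Networks object: a resolver that recurses for arbitrary external sources is an open resolver, so untrusted sources should only ever be served the domains the firewall is authoritative for.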
Dynamic DNS
- Automates the process of updating DNS servers when a dynamically assigned IP has changed.
- Use one of four services:
  - DynDNS (http://www.dyndns.com)
  - ChangeIP (http://www.changeip.com)
  - EasyDNS (https://web.easydns.com/)
  - NoIP (http://www.noip.com/)
- Configure up to 5 Dynamic DNS servers.
- Requirements:
  - An account with the chosen service
  - DNS configured in the Services -> DNS section
Dynamic DNS Trouble Shooting
- Login failures – confirm that the login works independently of the firewall.
- IPv6 is not yet fully supported by the services.
Remote Logging
- Standard UNIX syslog service
  - Default UDP
  - Sends syslog to UDP port 514
  - Change the port by adding :port# behind the IP/Name, example: 192.168.172.254:513
- Advanced –
  - Binding Interface – used to send the syslog data through a VPN. Select the local Interface that is a member of the Local Network for the VPN. The firewall will source the syslog packets from this Interface IP.
Syslog
- WELF format
- Log is always sent in UTC
- Log File Policy Type Notation/Tags
  - OBP
  - IBP
  - PTP
  - VPN
  - PPTP
  - SSL
- The Users Guide contains additional tags.
- Example:
  Aug 8 14:50:30 pri=4 pol_type=IBP pol_action=block count=2 msg="Block IBP" rule=7 proto=3289/udp src=192.168.71.206 srcport="47107 (1), 35316 (1)" dst=255.255.255.255 dstport="3289 (1), 1124 (1)" interface="EXTERNAL" attribute="alarm,report"
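A log analyzer receiving these lines has to split the WELF key=value pairs, including quoted values that contain spaces and commas. The following is an added Python example, not GTA's own code or any of the analyzers listed later: it parses the sample policy line above and the dhcrelay management message from the DHCP troubleshooting slide (both copied from this page), summarizes blocked events per policy type and source, and parses the IP[:port] form of the Remote Logging target with the default port 514.

```python
from __future__ import annotations
import re
from collections import Counter

# Sample lines as printed on this page (WELF: timestamp, then key=value pairs;
# values with spaces are double-quoted).
SAMPLE_LOG = [
    'Aug 8 14:50:30 pri=4 pol_type=IBP pol_action=block count=2 msg="Block IBP" rule=7 '
    'proto=3289/udp src=192.168.71.206 srcport="47107 (1), 35316 (1)" '
    'dst=255.255.255.255 dstport="3289 (1), 1124 (1)" interface="EXTERNAL" '
    'attribute="alarm,report"',
    'May 10 08:39:50 pri=3 msg="dhcrelay: Packet to bogus giaddr 192.168.78.1. " type=mgmt',
]

# "Mon D HH:MM:SS" (the day may be space padded) followed by the key=value body.
_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})\s+(?P<rest>.*)$")
# key="quoted value" or key=bare-value; group 3 is the quoted text, group 4 the bare token.
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_welf(line: str) -> dict[str, str]:
    """Return the fields of one WELF line as a dict; the timestamp is kept as
    written (the page notes it is in UTC and the year is not included)."""
    m = _TS.match(line.strip())
    if not m:
        raise ValueError(f"not a WELF line: {line!r}")
    fields = {"timestamp": m.group("ts")}
    for key, _, quoted, bare in _KV.findall(m.group("rest")):
        fields[key] = quoted if quoted else bare
    return fields


def summarize_blocks(lines) -> Counter:
    """Count blocked policy events per (policy type, source address), honouring
    the 'count' field the firewall uses when it coalesces repeats."""
    totals: Counter = Counter()
    for line in lines:
        f = parse_welf(line)
        if f.get("pol_action") == "block":
            totals[(f["pol_type"], f["src"])] += int(f.get("count", "1"))
    return totals


def parse_log_target(spec: str, default_port: int = 514) -> tuple[str, int]:
    """Remote Logging target: '192.168.172.254:513' -> ('192.168.172.254', 513);
    without a ':port#' suffix the default syslog port 514 applies.
    (Bracketed IPv6 literals are not handled; the page shows IP/Name only.)"""
    host, sep, port = spec.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return spec, default_port


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(parse_welf(line))
    print(summarize_blocks(SAMPLE_LOG))
    print(parse_log_target("192.168.172.254:513"), parse_log_target("192.168.172.254"))
```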
Remote Logging Trouble Shooting
- No responses are required, so there is no automatic policy.
- Logs not reaching the server:
  - If reached via VPN, use the Binding Interface.
  - Use a sniffer on the log server to see if packets arrive at the server.
Firewall Monitoring & Log Analyzers
- Log Analyzers
  - Syslog Watch: http://www.snmpsoft.com/syslogwatcher/
  - Kiwi Syslog: http://www.kiwisyslog.com
  - ManageEngine: http://www.manageengine.com/products/firewall/
  - Sawmill: http://www.sawmill.net/
  - LinkLogger: http://www.linklogger.com/
  - Splunk: http://www.splunk.com/
- Monitoring
  - PRTG: http://www.paessler.com/prtg/
  - SNMP