CyberGuard SG300 User Manual


Summary of Contents

Page 1 - User Manual

CyberGuard SG User Manual CyberGuard 7984 South Welby Park Drive #101 Salt Lake City, Utah 84084 Email: [email protected]

Page 2 - Contents

Introduction 6 Note Not all the LEDs described below are present on all CyberGuard SG appliance models. Also, labels vary from model to model. Label

Page 3

Firewall 96 Configuring the UPnP Gateway The UPnP Gateway needs to be run on a pair of interfaces, the external interface and the internal interface.

Page 4

Firewall 97 In each case there are two distinct parts to a tunnel, the source half and the destination half. The source half listens for network con

Page 5 - 1. Introduction

Firewall 98 Access Control and Content Filtering Inappropriate Internet use during work hours can have a serious effect on productivity. With the Cyb

Page 6 - Figure 1-1

Firewall 99 Users without web proxy access will see a screen similar to the figure below when attempting to access external web content. Figure 6-8 N

Page 7

Firewall 100 Browser setup The example given is for Microsoft Internet Explorer 6. Instructions for other browsers should be similar, refer to their

Page 8 - Document Conventions

Firewall 101 Figure 6-10 In the row labeled HTTP, enter your CyberGuard SG appliance’s LAN IP address in the Proxy address to use column, and 81 in t

Page 9

Firewall 102 Web lists Access will be denied to any web address (URL) that contains text entered in the Block List, e.g. entering xxx will block any U

Page 10 - Rear panel

Firewall 103 Content Note Content filtering is only available after you have registered your CyberGuard SG appliance and activated your content filte

Page 11 - Environmental features

Firewall 104 Reports Warning The correct time/date must be set on your CyberGuard SG appliance for reporting to work. The most effective way to do th

Page 12 - Front panel LEDs

105 ZoneAlarm This facility denies Internet access to machines on your LAN that are not running the ZoneAlarm Pro personal firewall software. Running p

Page 13 - Front panel

Introduction 7 CyberGuard SG Gateway Appliance Features Internet link features • 10/100baseT Ethernet port (Internet/WAN) • Serial port • Front pan

Page 14 - LAN/DMZ link features

Intrusion Detection 106 7. Intrusion Detection Note Advanced Intrusion Detection is only available on SG575 models. Other models offer Basic Instrus

Page 15 - Figure 1-4

Intrusion Detection 107 The benefits of using an IDS External attackers attempting to access desktops and servers on the private network from the Inte

Page 16 - Environmental features

Intrusion Detection 108 Basic Intrusion Detection and Blocking The following figure shows the Intrusion Detection and Blocking (IDB) configuration: F

Page 17 - 2. Getting Started

Intrusion Detection 109 Several shortcut buttons also provide pre-defined lists of services to monitor. The basic button installs a bare bones select

Page 18

Intrusion Detection 110 Advanced Intrusion Detection Advanced Intrusion Detection is based on the tried and tested Snort v2 IDS. It is able to detect

Page 19

Intrusion Detection 111 Advanced Intrusion Detection configuration Figure 7-2 Check Enabled, and select the Interface/network port to monitor. This

Page 20 - Figure 2-1

Intrusion Detection 112 Note The more rule sets that are selected, the greater load is imposed on the CyberGuard SG appliance. Therefore a conservat

Page 21 - Figure 2-2

Intrusion Detection 113 Setting up the analysis server Specific open source tools are required to be installed on the Analysis server for a straightfo

Page 22

114 PHPlot graph library for charts written in PHP http://www.phplot.com/ ACID analysis console http://www.andrew.cmu.edu/~rdanyliw/snort/acid-0.9.6

Page 23 - Figure 2-3

Web Cache 115 8. Web Cache Note The web cache is only available on SG575 models. Web browsers running on PCs on your LAN can use the CyberGuard SG ap

Page 24 - Figure 2-4

Introduction 8 Your CyberGuard SG Rack Mount Appliance CyberGuard SG rack mount appliances include: • SG710 • SG710+ The following items are include

Page 25 - Direct connection

Web Cache 116 Web Cache Setup Select Web cache under Networking. A page similar to the following will be displayed. Figure 8-1 Check Enable to enabl

Page 26

Web Cache 117 Network Shares Typically, you will find the CyberGuard SG appliance’s web cache most useful when utilizing a Network Share for additiona

Page 27 - LAN with no DHCP server

Web Cache 118 Create the network share Figure 8-2 Launch Windows Explorer (Start -> (All) Programs -> Accessories -> Windows Explorer) and o

Page 28

Web Cache 119 Set the CyberGuard SG appliance to use the network share Check Use share. Enter the location of the network share in the format: \\H

Page 29

Web Cache 120 Peers The CyberGuard SG appliance’s web cache can be configured to share cached objects with, and access objects cached by, other web ca

Page 30 - Figure 2-6

Virtual Private Networking 121 9. Virtual Private Networking Virtual Private Networking (VPN) enables two or more locations to communicate securely

Page 31

Virtual Private Networking 122 Figure 9-1 PPTP Client Setup The PPTP client enables the CyberGuard SG appliance to establish a VPN to a remote networ

Page 32

Virtual Private Networking 123 If the remote VPN is already up and running, check Start Now to establish the connection immediately as shown in the fo

Page 33 - Figure 2-7

Virtual Private Networking 124 PPTP Server Setup The CyberGuard SG appliance includes a PPTP Server, a virtual private network server that supports up

Page 34 - Figure 2-8

Virtual Private Networking 125 Enable and configure the PPTP VPN server The following figure shows the PPTP server setup: Figure 9-3 To enable and co

Page 35 - Figure 2-9

Introduction 9 Front panel The front panel contains two 10/100 Ethernet four port switches (A and B), two 10/100 Ethernet ports (C and D) and analog/

Page 36 - Figure 2-10

Virtual Private Networking 126 The following table describes the fields in the VPN Setup screen and the options available when enabling and configurin

Page 37

Virtual Private Networking 127 Configuring user accounts for VPN server After setting up the VPN server, select Continue to show the PPTP VPN Serv

Page 38

Virtual Private Networking 128 The field options in the Add New Account are detailed in the following table. Field Description Username Username for

Page 39

Virtual Private Networking 129 Configuring the remote VPN client The remote VPN clients can now be configured to securely access the local network. Y

Page 40

Virtual Private Networking 130 Windows 95, Windows 98 and Windows Me From the Dial-Up Networking folder, double-click Make New Connection. Type Cyber

Page 41

Virtual Private Networking 131 Click TCP/IP Settings. Confirm that the Server Assigned IP Address, Server Assigned Name Server Address, Use IP Header

Page 42 - Figure 2-12

Virtual Private Networking 132 Double-click Make New Connection from the main windows. Click Next to show the Network Connection Type window: Figure

Page 43 - CyberGuard SG PCI Appliances

Virtual Private Networking 133 Figure 9-11 Enter an appropriate name for your connection and click Finish. Your VPN client is now set up and ready to

Page 44 - Figure 2-13

Virtual Private Networking 134 Connecting the remote VPN client Verify that you are connected to the Internet, or have set up your VPN connection to a

Page 45 - Figure 2-14

Virtual Private Networking 135 IPSec Setup CyberGuard SG appliance to CyberGuard SG appliance There are many possible configurations in creating an IP

Page 46

Introduction 10 CyberGuard SG Rack Mount Appliance Features Internet link features • Two 10/100baseT Ethernet ports (C, D) • Two GbE ports (E, F – S

Page 47 - Figure 2-15

Virtual Private Networking 136 Figure 9-13 Check the Enable IPSec checkbox. Select the type of IPSec endpoint the CyberGuard SG appliance has on its

Page 48 - Figure 2-16

Virtual Private Networking 137 Warning It may be necessary to reduce the MTU of the IPSec interface if large packets of data are not being transmitte

Page 49 - Figure 2-17

Virtual Private Networking 138 Select the Internet port the IPSec tunnel is to go out on. The options will depend on what is currently configured on

Page 50 - Figure 2-18

Virtual Private Networking 139 • x.509 Certificates are used to authenticate the remote party against a Certificate Authority's (CA) certificate

Page 51 - Appliance

Virtual Private Networking 140 In this example, select the be a route to the remote party option. Click the Continue button to configure the Local End

Page 52 - 3. Network Connections

Virtual Private Networking 141 Note This option will not be available when the CyberGuard SG appliance has a static IP address and the remote party h

Page 53 - Switch A – B, Port C – F

Virtual Private Networking 142 Other options The following options will become available on this page depending on what has been configured previousl

Page 54 - Bridged LAN

Virtual Private Networking 143 o des-md5-96 uses the encryption transform following the DES standard in Cipher-Block-Chaining mode with authenticatio

Page 55 - Internet Connection Methods

Virtual Private Networking 144 Other options The following options will become available on this page depending on what has been configured previousl

Page 56

Virtual Private Networking 145 TCGID [Siemens] Trust Center Global ID The attribute/value pairs must be of the form attribute=value and be separate

Page 57 - Bridged Internet

Introduction 11 Your CyberGuard SG PCI Appliance CyberGuard SG PCI appliances include: • PCI630 • PCI635 The following items are included with your

Page 58 - COM/Modem

Virtual Private Networking 146 Phase 1 settings Figure 9-17 Set the length of time before Phase 1 is renegotiated in the Key lifetime (m) field. The

Page 59

Virtual Private Networking 147 Warning The secret must be entered identically at each end of the tunnel. The tunnel will fail to connect if the secr

Page 60 - Services on the DMZ Network

Virtual Private Networking 148 Phase 2 settings page Figure 9-18 Set the length of time before Phase 2 is renegotiated in the Key lifetime (m) field.

Page 61

Virtual Private Networking 149 Other options The following options will become available on this page depending on what has been configured previousl

Page 62 - Bridging

Virtual Private Networking 150 Check the Enable IPSec checkbox. Select the type of IPSec endpoint the CyberGuard SG appliance has on its Internet inte

Page 63 - Internet Failover

Virtual Private Networking 151 Select the type of routing the tunnel will be used as. In this example, select the be a route to the remote party opti

Page 64 - Figure 3-6

Virtual Private Networking 152 Enter a secret in the Preshared Secret field. This must remain confidential. In this example, enter the Preshared Sec

Page 65 - Figure 3-7

Virtual Private Networking 153 Tunnel List Figure 9-20 Connection Once a tunnel has been configured, an entry with the tunnel name in the Connection

Page 66 - Route management

Virtual Private Networking 154 Click Remote Party to sort the tunnel list by the remote party ID/name/address. Status Tunnels that use Automatic Keyin

Page 67

Virtual Private Networking 155 Figure 9-21 Interfaces Loaded lists the CyberGuard SG appliance's interfaces which IPSec will use. Phase 2 Ciph

Page 68 - Figure 3-9

Introduction 12 CyberGuard SG PCI Appliance Features Network link features • 10/100baseT Ethernet port • Ethernet LEDs (link, activity) Environmenta

Page 69 - Interface aliases

Virtual Private Networking 156 Diffie Hellman Groups Loaded lists the Diffie Hellman groups and Oakley group extensions that can be configured for bo

Page 70 - QoS Traffic Shaping

Virtual Private Networking 157 • The Phase 2 proposal wanted. The line ESP algorithms wanted reads 3_000-2; pfsgroup=2. The 3_000 refers to cipher

Page 71 - 4. Dialin Setup

Virtual Private Networking 158 Certificate Management x.509 Certificates can be used to authenticate IPSec endpoints during tunnel negotiation for Aut

Page 72 - Dialin Setup

Virtual Private Networking 159 To extract the local private key certificate type, enter the following at the Windows command prompt: openssl pkcs12 -n

Page 73

Virtual Private Networking 160 4. Create the self-signed root CA certificate: openssl req -config openssl.cnf -new -x509 -keyout rootCA/ca.key -out r

Page 74 - Dialin User Accounts

Virtual Private Networking 161 Adding certificates To add certificates to the CyberGuard SG appliance, click the IPSec link on the left side of the We

Page 75 - Account list

Virtual Private Networking 162 Adding a CA or CRL certificate Click the Add new CA or CRL Certificate tab. A window similar to the following will be

Page 76 - Figure 4-3

Virtual Private Networking 163 Adding a local certificate 1 Click the Add new Local Certificate tab. A window similar to the following will be displ

Page 77 - Remote User Configuration

Virtual Private Networking 164 Figure 9-25 The certificate names will be displayed under the appropriate certificate type. Clicking the Delete butto

Page 78

Virtual Private Networking 165 The remote party does not have a tunnel configured correctly because: o The tunnel has not been configured. o The Pha

Page 79 - Windows 2000/XP

Getting Started 13 2. Getting Started This chapter provides step-by-step instructions for installing your CyberGuard SG appliance into your network a

Page 80 - Figure 4-8

Virtual Private Networking 166 Solution: Confirm that the remote party has IPSec and the tunnel enabled and has an Internet IP address. Ensure that t

Page 81 - Figure 4-10

Virtual Private Networking 167 Set up LMHOST files on remote hosts to resolve names to IP addresses. • Symptom: Tunnel comes up but the application

Page 82 - 5. DHCP Server

Virtual Private Networking 168 GRE The GRE configuration of the CyberGuard SG appliance allows you to build GRE tunnels to other devices that support

Page 83 - Figure 5-2

Virtual Private Networking 169 On the Brisbane end, click GRE Tunnels from the VPN menu. Enter the following details: GRE Tunnel Name: to_slough

Page 84

Virtual Private Networking 170 Click Add. Click Add/Remove under Remote Networks and enter: Remote subnet/netmask: 192.168.1.0 / 255.255.255.0 C

Page 85 - Figure 5-3

Virtual Private Networking 171 Enter the IP Address / Netmask of 10.254.0.1 / 255.255.255.255 at the Slough end, and 10.254.0.2 / 255.255.255.255 at t

Page 86 - DHCP Proxy

Virtual Private Networking 172 Create the GRE tunnel. Select GRE Tunnels from the left hand menu. For the Slough end enter the IP addresses below.

Page 87 - 6. Firewall

Virtual Private Networking 173 Troubleshooting • Symptom: Cannot ping a host on the other side of the GRE tunnel. Ensure that there is a route set u

Page 88 - Administration services

Virtual Private Networking 174 L2TP The Layer Two Tunneling Protocol was developed by Microsoft and Cisco as a multi-purpose network transport protoco

Page 89 - Figure 6-2

Virtual Private Networking 175 L2TP server The L2TP Server runs in a similar way to the PPTP Server. A range of IP addresses is allocated, and then u

Page 90 - SSL/HTTPS (Secure HTTP)

Getting Started 14 CyberGuard SG Gateway Appliances Set up a PC to Connect to the Web Management Console The CyberGuard SG appliance ships with initia

Page 91 - SSL Certificate Setup

System 176 10. System Date and Time Set date and time If you have a Javascript enabled web browser, you will be able to click the top Set Date and Ti

Page 92 - Packet Filtering

System 177 Figure 10-1 Locality Select your region then select your location within said region. The system clock will subsequently show local time.

Page 93 - Addresses

System 178 Users User accounts on a CyberGuard SG appliance allow administrative duties to be spread amongst a number of different people according to

Page 94 - Service groups

System 179 Administration A user with the administration access control is permitted to edit any configuration file on the CyberGuard SG appliance. I

Page 95 - Figure 6-6

System 180 Internet access (via access controls) A user with this access control is permitted controlled access to the web through the CyberGuard SG a

Page 96

System 181 Figure 10-3 Network tests Basic network diagnostic tests (ping, traceroute) can be accessed by clicking the Network Tests tab at the top o

Page 97 - Source NAT

System 182 Advanced The options on the Advanced page are intended for network administrators and advanced users only. Warning Altering the advanced co

Page 98 - 1-to-1 NAT

System 183 You may also upload additional configuration files from your computer to the CyberGuard SG appliance under Upload file. To backup to an enc

Page 99

System 184 The majority of Linux users will already have a TFTP server installed as part of their distribution, which must be configured and running.

Page 100 - Port Tunnels

185 Technical Support The System menu contains an option detailing support information for your CyberGuard SG appliance. This page provides basic tro

Page 101

Getting Started 15 Connect the supplied power adapter to the CyberGuard SG appliance. If you are using the SG530, SG550, SG570 or SG575 model, connect

Page 102 - User authentication

Appendix A – IP Address Ranges 186 Appendix A – IP Address Ranges IP ranges are fields that allow multiple IP addresses to be specified using a shor

Page 103 - Figure 6-8

Appendix B – Terminology 187 Appendix B – Terminology This section explains terms that are commonly used in this document. Term Meaning ADSL Asymmet

Page 104 - Browser setup

Appendix B – Terminology 188 Certificates A digitally signed statement that contains information about an entity and the entity's public key, th

Page 105 - IP lists

Appendix B – Terminology 189 Extranet A private network that uses the public Internet to securely share business information and operations with supp

Page 106 - Web lists

Appendix B – Terminology 190 IPSec tunnel The IPSec connection to securely link two private parties across insecure and public channels. IPSec with D

Page 107 - Content

Appendix B – Terminology 191 NAT Network Address Translation. The translation of an IP address used on one network to an IP address on another netwo

Page 108 - Categories

Appendix B – Terminology 192 Router A network device that moves packets of data. A router differs from hubs and switches because it is "intelli

Page 109 - Policy enforcement

193 x.509 Certificates An x.509 certificate includes the format of the certificate, the serial number of the certificate, the algorithm used to sign

Page 110 - 7. Intrusion Detection

Appendix C – System Log 194 Appendix C – System Log Access Logging It is possible to log any traffic that arrives at or traverses the CyberGuard SG ap

Page 111 - The benefits of using an IDS

Appendix C – System Log 195 Commonly used interfaces are: eth0 the LAN port eth1 the WAN/Internet port pppX e.g

Page 112 - Figure 7-1

Contents 1. Introduction...1 CyberGuard SG Gateway Appli

Page 113

Getting Started 16 Next, you must modify your PC’s network settings to enable it to communicate with the CyberGuard SG appliance. Click Start -> Se

Page 114 - Advanced Intrusion Detection

Appendix C – System Log 196 A typical Default Deny: will thus look similar to the following: Mar 27 09:31:19 2003 klogd: Default deny: IN=eth1 OUT=MA

Page 115 - Figure 7-2

Appendix C – System Log 197 To log permitted inbound access requests to services hosted on the CyberGuard SG appliance, the rule should look something

Page 116 - Figure 7-3

Appendix C – System Log 198 For example, to log all inbound requests from the IP address 5.6.7.8 to the mail server (port 25) on the machine flubber o

Page 117

Appendix C – System Log 199 If we just wanted to look at traffic that went out to the IPSec world, we could use: iptables -I FORWARD -j LOG -o ipsec+

Page 118

Appendix C – System Log 200 Administrative Access Logging When a user tries to log onto the Web Management Console web administration pages, one of th

Page 119 - 8. Web Cache

Appendix D – Firmware Upgrade Practices and Precautions 201 Appendix D – Firmware Upgrade Practices and Precautions Prior to performing any firmware upgr

Page 120 - Web Cache Setup

Appendix D – Firmware Upgrade Practices and Precautions 202 If you encounter any problems, reset the device to its factory default settings and reconf

Page 121 - Network Shares

Getting Started 17 Select Use the following IP address and enter the following details: IP address: 192.168.0.100 Subnet mask: 255.255.255.0 Defa

Page 122 - Create the network share

Getting Started 18 Select Quick Setup Wizard from the center of the page. You will be prompted to log in. Enter the initial user name and password fo

Page 123 - Figure 8-3

Getting Started 19 The Quick Setup Wizard will display. Figure 2-3 Hostname: You may change the name the CyberGuard SG appliance knows itself by. T

Page 124

Getting Started 20 Figure 2-4 Note This page will only display if you previously selected Manual configuration. Otherwise skip to the next step. Ent

Page 125

Getting Started 21 Set up Internet Connection Settings Select your Internet connection type and click Next. Figure 2-5 Cable modem If connecting usin

Page 126 - PPTP Client Setup

Getting Started 22 Note For detailed help for each of these options, please refer to the chapter entitled Network Connections. Once the CyberGua

Page 127 - Figure 9-2

Getting Started 23 LAN with a DHCP server Add a lease to your existing DHCP server to reserve the IP address you chose in STEP 3 for the CyberGuard SG

Page 128 - PPTP Server Setup

Getting Started 24 To manually set up each Windows PC on your network: Click Start -> Settings -> Control Panel and double click Network Connect

Page 129 - Figure 9-3

Getting Started 25 Alternatively, to activate your CyberGuard SG appliance's DHCP server: Launch Internet Explorer (or your preferred web browser

Page 130

Internet...51 Internet Connection Metho

Page 131 - Figure 9-4

Getting Started 26 Select Internet Protocol (TCP/IP) and click Properties (or in 95/98/Me, TCP/IP -> [your network card name] if there are multiple

Page 132

Getting Started 27 CyberGuard SG Rack Mount Appliances Set up a PC to Connect to the Web Management Console The CyberGuard SG appliance ships with ini

Page 133 - Figure 9-5

Getting Started 28 Note It is recommended that you perform the initial setup steps with the CyberGuard SG appliance connected to a single PC only. Ho

Page 134 - Figure 9-6

Getting Started 29 Figure 2-7 Select Use the following IP address and enter the following details: IP address: 192.168.0.100 Subnet mask: 255.25

Page 135 - Windows 2000

Getting Started 30 Set up the Password and LAN Connection Settings Launch Internet Explorer (or your preferred web browser) and navigate to 192.168.0.

Page 136 - Figure 9-10

Getting Started 31 Note Before continuing, take some time to decide on which roles you will be assigning to your CyberGuard SG appliance’s network po

Page 137 - Windows XP

Getting Started 32 It is recommended that you statically configure your CyberGuard SG appliance’s LAN connection settings rather than rely on an exist

Page 138

Getting Started 33 Note Do not click Reboot Now. Rebooting your CyberGuard SG appliance at this point may cause it to become uncontactable. Set up I

Page 139 - Set up the Branch Office

Getting Started 34 Direct connection If you have a direct connection to the Internet (e.g. a leased line), enter the IP settings provided by your ISP.

Page 140 - Figure 9-13

Getting Started 35 LAN with a DHCP server Add a lease to your existing DHCP server to reserve the IP address you chose in STEP 3 for the CyberGuard SG

Page 141 - Tunnel settings page

Peers ...120 Set up LAN PCs to Use the

Page 142

Getting Started 36 To manually set up each Windows PC on your network: Click Start -> Settings -> Control Panel and double click Network Connect

Page 143

Getting Started 37 Alternatively, to activate your CyberGuard SG appliance's DHCP server: Launch Internet Explorer (or your preferred web browser

Page 144 - Local endpoint settings

Getting Started 38 Select Internet Protocol (TCP/IP) and click Properties (or in 95/98/Me, TCP/IP -> [your network card name] if there are multiple

Page 145

Getting Started 39 CyberGuard SG PCI Appliances Install your CyberGuard SG Appliance in a Spare PCI Slot Power off your PC and remove its cover. Sele

Page 146 - Other options

Getting Started 40 Next, you must modify your PC’s network settings to enable it to communicate with the CyberGuard SG appliance. Click Start -> Se

Page 147 - Figure 9-16

Getting Started 41 Set up the Password and Network Connection Settings Launch Internet Explorer (or your preferred web browser) and navigate to 192.16

Page 148

Getting Started 42 Note The purpose of this step is to configure the IP address for the Web Management Console. For convenience, this will generally

Page 149

Getting Started 43 The first IP address will be used by the Web Management Console. Figure 2-15 Enter this IP address and the subnet mask for your

Page 150 - Phase 1 settings

Getting Started 44 Figure 2-16 Enter the following details: • IP address the second free IP address that is part of the subnet range of your LAN.

Page 151

Getting Started 45 Alternatively, to set up your CyberGuard SG appliance and PC for auto-configuration: Before continuing, ensure your DHCP server has

Page 152 - Phase 2 settings page

Introduction 1 1. Introduction This chapter provides an overview of your CyberGuard SG appliance’s features and capabilities, and explains how to ins

Page 153 - Enabling IPSec

Getting Started 46 Next, configure your PC to obtain its network settings automatically from your LAN DHCP server. Click Start -> Settings -> C

Page 154

Getting Started 47 Disabling the Reset Button on your CyberGuard SG PCI Appliance For convenience, the CyberGuard SG appliance ships with the rear pan

Page 155 - Phase 1 settings page

Network Connections 48 3. Network Connections This chapter describes the Network Setup section of the Web Management Console. Here you can configure

Page 156

Network Connections 49 If a port is experiencing difficulties auto-negotiating with another device, Ethernet speed and duplex may be set manually by s

Page 157 - Tunnel List

Network Connections 50 LAN Network settings for the LAN network port may be assigned statically, or dynamically by a DHCP server (Direct LAN). Altern

Page 158

Network Connections 51 Internet The CyberGuard SG appliance can connect to the Internet using an external dialup analog modem, an ISDN modem, a perman

Page 159 - Figure 9-21

Network Connections 52 Cable Select your cable ISP from the list and click Next. If your provider does not appear, select Generic Cable Modem Provide

Page 160

Network Connections 53 Direct Internet If you have a direct connection to the Internet, select this option. Typically your ISP will have provided you

Page 161 - Dynamic DNS Support

Network Connections 54 Failover Direct/Cable/ADSL Internet Refer to the section entitled Internet Failover later in this chapter. COM/Modem With a mo

Page 162 - Certificate Management

Network Connections 55 The following table describes the fields and explains how to configure the dial up connection to your ISP. Field Description N

Page 163 - Creating certificates

Introduction 2 The following figure shows how your CyberGuard SG appliance interconnects. Figure 1-1 CyberGuard SG Rack Mount Appliances The CyberGua

Page 164

Network Connections 56 Dialin access Select Dialin Access to use this port as a dialin server to allow remote users to connect to your local network.

Page 165 - Adding certificates

Network Connections 57 If the servers on the DMZ have public IP addresses, you need to add packet filtering rules to allow access to the services. Se

Page 166 - Figure 9-23

Network Connections 58 Bridging The CyberGuard SG may be configured as a network bridge. You may bridge between network ports (e.g. Internet – LAN) o

Page 167 - Adding a local certificate

Network Connections 59 Warning The unit may take up to 30 seconds longer than normal to reboot after bridging has been enabled. Load Balancing If you

Page 168 - Troubleshooting

Network Connections 60 Enable the primary connection for failover Set up your primary broadband Internet connection as described in the Internet secti

Page 169

Network Connections 61 Note The Failover Cable/DSL/Direct/Dialout Internet option will not appear as an available Configuration until a primary Intern

Page 170

Network Connections 62 Routes Additional routes The Additional routes feature allows expert users to add additional static routes for the CyberGuard S

Page 171

Network Connections 63 Advanced The following figure shows the advanced IP configuration: Figure 3-8 Hostname The Hostname is a descriptive name for

Page 172 - Setting up a GRE tunnel

Network Connections 64 Figure 3-9 Network Address Translation (NAT/masquerading) The CyberGuard SG appliance can utilize IP Masquerading (a simple fo

Page 173 - Figure 9-26

Network Connections 65 Dynamic DNS A dynamic DNS service is useful when you don’t have a static Internet IP address, but need to remain contactable by

Page 174 - GRE over IPSec

Introduction 3 It provides central sites the capacity to securely connect hundreds of mobile and remote employees. The SG710 includes a high-performa

Page 175 - Figure 9-28

Network Connections 66 Change MAC address On rare occasions it may be necessary to change the Ethernet hardware or MAC Address of your CyberGuard SG a

Page 176 - Figure 9-29

Dialin Setup 67 4. Dialin Setup CyberGuard SG appliance enables remote and secure access to your office network. This chapter shows how to set up th

Page 177

Dialin Setup 68 Dialin Setup Once an analog modem or phone line has been attached, enable the CyberGuard SG appliance’s COM port or internal modem for

Page 178 - L2TP VPN client

Dialin Setup 69 The following table describes the fields on the Dial-In Setup page: Field Description IP Address for Dialin clients Dialin users

Page 179 - L2TP server

Dialin Setup 70 Dialin User Accounts User accounts must be set up before remote users can dial into the CyberGuard SG appliance. The following figure

Page 180 - 10. System

Dialin Setup 71 The following figure shows the user maintenance screen: Figure 4-3 Account list As new dialin user accounts are added, they are displ

Page 181 - Locality

Dialin Setup 72 If the change is unsuccessful, an error is reported as shown in the following figure: Figure 4-3 When you have finished adding and mo

Page 182 - Figure 10-2

Dialin Setup 73 Remote User Configuration Remote users can dialin using the CyberGuard SG appliance using the standard Windows Dial-Up Networking soft

Page 183 - User settings

Dialin Setup 74 Check the Log on to network and Enable software compression checkboxes. If your CyberGuard SG appliance dialin server requires MSCHAP

Page 184 - Diagnostics

Dialin Setup 75 Windows 2000/XP To configure a remote access connection on a PC running Windows 2000/XP, click Start, Settings, Network and Dial-up Co

Page 185 - Network tests

Introduction 4 Bridged mode By default, the CyberGuard SG PCI appliance operates in bridged mode. This is distinctly different from the NAT/masquerad

Page 186 - Advanced

Dialin Setup 76 Figure 4-7 Tick Use dialing rules to enable you to select a country code and area code. This feature is useful when using remote acc

Page 187 - Flash upgrade

77 Figure 4-9 Enter a name for the connection and click Finish to complete the configuration. By ticking Add a shortcut to my desktop, an icon for

Page 188 - Reset button

DHCP Server 78 5. DHCP Server Your CyberGuard SG appliance can act as a DHCP server for machines on your local network. To configure your CyberGuard

Page 189 - Technical Support

DHCP Server 79 To configure the DHCP Server, follow these instructions. • Check the Enable DHCP Server checkbox. • Enter the Subnet and netmask of t

Page 190

DHCP Server 80 Subnet List The Subnet List will display the status of the DHCP server. Interface Once a subnet has been configured, the port which th

Page 191 - Appendix B – Terminology

DHCP Server 81 Figure 5-3 For each IP address that the DHCP server services, the Status, Hostname, MAC Address will be shown. There is also an opt

Page 192

82 DHCP Proxy The DHCP proxy allows the CyberGuard SG appliance to forward DHCP requests from the LAN to an external server for resolution. This all

Page 193

Firewall 83 6. Firewall The CyberGuard SG appliance is equipped with a fully featured, stateful firewall. The firewall allows you to control both in

Page 194

Firewall 84 Administration services The following figure shows the Administration Services page: Figure 6-1 By default the CyberGuard SG appliance ru

Page 195

Firewall 85 CyberGuard SG Administrative Web Server Clicking the CyberGuard SG Web Server tab takes you to the page to configure the administrative we

Page 196

Introduction 5 Your CyberGuard SG Gateway Appliance CyberGuard SG gateway appliances include: • SG300 • SG530 • SG550 • SG570 • SG575 The followi

Page 197

Firewall 86 The Web Management Console is usually accessed on the default HTTP port (i.e. 80). After changing the web server port number, you must inc

Page 198 - Appendix C – System Log

Firewall 87 Once valid SSL certificates have been uploaded, the CyberGuard SG administrative web server can operate in one of 3 different modes

Page 199

Firewall 88 Packet Filtering By default, your CyberGuard SG appliance allows network traffic as shown in the following table: You can configure y

Page 200 - Creating Custom Log Rules

Firewall 89 Before configuring a filter or NAT rule, you need to define the addresses and service groups. Addresses Click the Addresses tab. Any addr

Page 201

Firewall 90 Service groups Click the Service Groups tab. Any addresses that have already been defined will be displayed. Click New to add a new serv

Page 202

Firewall 91 Rules Once addresses and services have been defined, you can create filter rules. Click Rules. Any rules that have already been defined

Page 203 - Rate Limiting

Firewall 92 The Incoming Interface is the interface/network port that the CyberGuard SG appliance received the network traffic on. The Outgoing Interf

Page 204 - Boot Log Messages

Firewall 93 Source Address The address from which the request originated (for port forwarding you may specify this to restrict the internal service t

Page 205 - Practices and Precautions

Firewall 94 Source Address The address from which the request originated (for masquerading this will typically be a private LAN or DMZ address) Outgo

Page 206

Firewall 95 Warning Leaving Create a corresponding ACCEPT firewall rule will allow all traffic into and out from the specified private address, i.e.
