
Stormshield Realtime Monitor User Guide


Contents

1. A STORMSHIELD GUIDE. Stormshield Network REAL TIME MONITOR V1.2 USER CONFIGURATION MANUAL. May 2014 (creation), September 2014, November 2014.
USER MANUAL STORMSHIELD: INTRODUCTION. FOREWORD. License. Products concerned: U30, U 0, U120, U250, U450, U1100, U1500, U6000, NG1000-A, NG5000-A, U30S, U OS, U150S, U250S, U500S, U800S, SN150, SN200, SN300, SN500, SN O00, SN900, SN2000, SN3000, SN6000, VS5, VS10, V50, V100, V200, V500 and VU.
Copyright NETASQ 2014. All rights reserved. Any copying, adaptation or translation of this material without prior authorization is prohibited. The contents of this document relate to the developments in NETASQ's technology at the time of its writing. With the exception of the mandatory applicable laws, no guarantee shall be made in any form whatsoever, expressly or implied, including but not limited to implied warranties as to the merchantability or fitness for a particular purpose, as to the accuracy, reliability or the contents of the document. NETASQ reserves the right to revise this document, to remove sections or to remove this whole document at any moment without prior notice.
Liability: This manual has undergone several revisions to ensure that the information in it is as accurate as possible. The descriptions and procedures herein are correct where Stormshield Network firewalls are concerned. NETASQ rejects all liability directly or indirectly c
2. [Figure 32: VULNERABILITY MANAGER, Applications tab (screenshot; Operating System column shows FreeBSD).]
Page 61/91. snengde snrmonitor v1 2. Copyright Netasq 2014. USER MANUAL STORMSHIELD REAL TIME INFORMATION.
The Applications tab provides information on the applications detected within the enterprise. Two types of application may be detected:
- Products: these are client applications installed on the host (e.g. Firefox 1.5).
- Services: these are server applications that are attached to a port (e.g. OpenSSH 3.5).
Using information detected by the ASQ engine, Stormshield Network VULNERABILITY MANAGER generates information about the detected applications. This feature allows grouping applications by family; by pairing such information with the vulnerability database, SN VULNERABILITY MANAGER also suggests probable security loopholes linked to these applications.
This tab offers features that include filtering, optional column display, resizing to fit contents and copying of data to the clipboard. It displays information on the detected applications through the columns that can be seen in the window above. The window comprises 2 views:
3. STORMSHIELD NETWORK ACTIVITY. 5.2 ACTIVE UPDATE.
DEFINITION (ACTIVE UPDATE): Enables updating the antivirus database, ASQ contextual signatures, the list of antispam servers, trusted root certification authorities and the URLs used for dynamic URL filtering.
This window displays the status of Active Update on the firewall for each type of update available: Antispam, Antivirus, Contextual signatures, Root certificates, Dynamic URL.
[Figure 50: Active Update (screenshot). Buttons: Refresh, Launch Active Update. Status line: "Updates were successful. The last Active Update was launched on 14:14". Table columns: State, Name, Last update, License expiry. Rows shown, all in state Updated: Antispam DNS blacklists (RBL) database; ASQ contextual signature database; Root certificate database (license expiry <n/a>); NETASQ Vulnerability Manager database; Kaspersky antivirus database (last update 14/05/2014 14:15); Antispam heuristic engine database. License expiry for the others: 31/12/2037 (1232w 5d 8h 42m 31sec).]
Active Update is used for automatically keeping URL databases up to date by downloading them on servers such as u
4. 4.5.1 Diagram view: This view shows the incoming and outgoing throughput associated with the different QIDs defined on the firewall's QoS policy.
4.5.2 Connections view: The Connections tab displays connections in progress going through the selected queue. To find out what data are offered, please refer to the chapter of the Hosts module, section Connections view for the hosts tab.
4.6 USERS. 4.6.1 Introduction: The Users menu enables viewing, in the capacity of an administrator, the users who are currently connected on the Firewall.
[Users screenshot (residue). Users view columns: Firewall, Name, Group, Address, Expiry, Authentication, Multi-user IP, Administrator; example rows show SSO Agent authentication with Multi-user IP <n/a> and an SSL VPN session. Administration sessions view columns: Firewall, User, Address, Session rights, User rights; example row for user admin with rights mon_write, base, log, filter, vpn, modify.]
5. (View source host) Indicates the name of the source host. If this option is selected, the
View destination host: Indicates the name of the destination host.
Add the source host to the Object base: This option allows:
- Creating an object corresponding to the selected source IP address directly in the firewall's object base in Stormshield Network Real Time Monitor.
- Adding this object to an existing group on the firewall.
For further information regarding this option, please refer to the Technical Note Stormshield Network Collaborative Security.
Add the destination host to the Object base: This option allows:
- Creating an object corresponding to the selected destination IP address directly in the firewall's object base in Stormshield Network Real Time Monitor.
- Adding this object to an existing group on the firewall.
For further information regarding this option, please refer to the Technical Note Stormshield Network Collaborative Security.
View packet: Allows opening the tool that will allow viewing malicious packets.
Empty alarms: Purges the list of displayed alarms.
Copy to the clipboard: Copies the selected line to the clipboard.
2.2.1.5.2.3 Vulnerability Manager: In the Vulnerability tab, 3 contextual menus can be opened:
- When right-clicking against a line detailing a vulnerability.
- When
6. 1.2.2.1.1 Signature verification procedure: When you download an application from your client or partner area on https://mystormshield.eu, the following message will appear: Open a file, or save on your computer.
- If you choose Open, your web browser will check the signature automatically and inform you about the results.
- If you choose Save (recommended option), you will need to perform the check manually.
1.2.2.1.2 Manual verification: To manually check the application's signature, follow the procedure below before installing the application:
- Right-click on the Stormshield Network appliance whose signature you wish to check, then select the menu Properties from the contextual menu that appears.
- Select the Digital signatures tab, then the name of the signer (NETASQ).
- Click on Details; this window will indicate whether the digital signature is valid.
1.2.2.2 Registration: During installation, you will be asked to register your product. This registration is mandatory in order to obtain your product's license, to download updates and to access technical support.
7. [Dashboard screenshot (residue). Panels: System (Firmware on passive partition; Model; Serial number; Date/time 28/05/2014 10:54 GMT+02:00; Uptime 1w 22h 9m 58sec; Temperature; CPU usage graph with User, Kernel and Interruption curves). High Availability: "The configurations on both HA appliances are not synchronized", last sync lun mai 26 15:52:00 2014. Policies: Global filter rule "Politique globale"; Filter rule "Labo"; NAT rule: NAT rules depend on the filter policy; VPN rule "Tunnels Labo"; URL filter rule: URL filter rules depend on the filter policy. Alarms: Major alarms in the past 15 minutes: 36 (Critical 19, High 66); Minor alarms over the past 15 minutes: >100 (Moderate 23, Low 36). VPN tunnels: Number of IPsec tunnels 22; Number of SSL VPN tunnels 1. Active Update: All updates were successful; the last Active Update was launched on 09:54. Logs: Connections logs use 99% of the available space allowed; Plugins logs use 100%; SSL logs use 100%; Web logs use 99%. Services: Services are OK. Interfaces: Network interfaces are OK. HTTP cache: Amount of requests, Data in bytes, HTTP cache usage, Last hour. Top 5 interfaces for incoming throughput; Top 5 interfaces for outgoing th]
8. [Figure 35: Hosts (screenshot). Menu: Interfaces, Quality of Service, Users, Quarantine, VPN tunnels, Services, Hardware, Filter policy; host detail tabs: Vulnerabilities, Applications, Information, Connections, Events; columns include Application name, Name, Family, Type, Internet Protocol; operating systems shown: FreeBSD, Microsoft Windows.]
The window comprises 3 views:
- A view that lists the hosts.
- A view that lists the Vulnerabilities, Applications, Information, Connections and Events relating to the selected host.
- A help view that allows working around the selected vulnerability if a solution exists.
4.3.1.1 Host view: This view allows you to see all the hosts that the firewall detects. Each line represents a host. The information seen in the Hosts view is as follows:
Name: Name of the source host if declared in objects, or host's IP address otherwise.
[Remaining column descriptions lost in extraction; recoverable column names: VULNERABILITY MANAGER event, Interface.]
9. [Events screenshot (residue). Columns: time (15:50), type (Connection), Priority (Notice), Config, Source, Destination, Dst port (https, dns_udp, microsoft-ds_tcp, netbios-ssn, http, ldap_udp, and others), Details (bytes sent and received, duration in seconds).]
10. 4.2.2.2 Hosts view: This view allows you to view all the vulnerabilities for a given host. Each line represents a host. The information provided in the Hosts view is as follows:
Affected: Date on which the host was affected.
Type: Client, Server, Operating system.
Port: Number of the port on which the vulnerability had been detected.
4.2.2.3 Help zone: The help zone allows you to get more details relating to the attack. Thus the administrator can correct the vulnerability. Click on the Show help button to show or hide the help zone associated with a vulnerability. Typically, help comes in the form of a descriptive file that contains explanations, links to the publisher's site or to bug fixes.
[Vulnerability Manager screenshot (residue). Tabs: 1 vulnerability, 3 applications, 4 events. Columns: Firewall, Severity, Name, Affected hosts, Family, Target, Exploit, Solution, Detected. Example row: Low; OpenSSH AES; 1; SSH; server, client; Local; Yes; 08/11/2013.]
11. [Figure 47: Users (screenshot).]
This window comprises 2 views:
- A users view.
- An administration sessions view.
4.6.1.1 Users view: The information provided in the users view is as follows:
Firewall: Serial number or name (if known) of the firewall.
[Further column descriptions lost in extraction.]
REMARK: As the SSO Agent method only allows one authentication per IP address, the value will therefore not be available (value <n/a> displayed).
4.6.1.2 Administration sessions view: This window enables finding out the session privileges of the user connected to the firewall. The information provided in the administration sessions view is as follows:
Firewall: Serial number or name (if known) of the firewall.
Session privileges: changes in each session (modify and mon_write privileges).
User privileges: Indicates privileges that have been given to the conn
12. Appendix B: Session and user privileges. (Name: Description. Assigned privileges.)
Logs (R): Logs consultation. base, log read.
Filter (R): Filtering policy consultation. base, filter read.
VPN (R): VPN configuration consultation. base, vpn read.
Logs (W): Privilege to modify logs configuration. modify, base, log.
Filter (W): Privilege to modify filtering policy configuration. modify, base, filter.
VPN (W): Privilege to modify VPN configuration. modify, base, vpn.
Monitoring: Privilege to modify configuration from Realtime Monitor. modify, base, mon_write.
Content filtering: Privilege for URL filtering, Mail, SSL and antivirus. modify, base, contentfilter.
PKI: Privilege to modify PKI. modify, base, pki.
Objects: Privilege to modify Object database. modify, base, object.
Users: Privilege to modify Users. modify, base, user.
Network: modify, base, network.
Routing: Privilege to modify routing (default route, static routes and trusted networks). modify, base, route.
Maintenance: Privilege to perform maintenance operations (backups, restorations, updates, Firewall shutdown and reboot, antivirus update, modification of antivirus update frequency, High Availability modification and RAID-related actions in Realtime Monitor). modify, base, maintenance.
Intrusion: Privilege to modify Intrusio
13. Appliance: Refers to the security device (firewall). The terms appliance and security device are used interchangeably.
Dialup: Interface on which the modem is connected.
Firewall: Stormshield Network UTM (Unified Threat Management) device/product. Intrusion prevention is also used in its place.
Configuration slot or policy: Configuration files which allow generating filter and NAT policies, for example.
Host: Term used as much to refer to workstations as to users.
Logs: A record of user activity for the purpose of analyzing network activity.
1.1.4 GETTING HELP: To obtain help regarding your product and the different applications in it:
- Website https://mystormshield.eu: your secure access area allows you to access a wide range of documentation and other information.
- User manuals: Stormshield Network UNIFIED MANAGER, Stormshield Network REAL TIME and Stormshield Network EVENT REPORTER.
1.1.5 TECHNICAL ASSISTANCE CENTRE: Stormshield Network provides several means and tools for resolving technical problems on your firewall:
- A knowledge base.
- A certified distribution network; as such, you will be able to call on your distributor.
- Documents: these can be accessed from your client or partner area. You will need a client account in order to access these documents.
For further information regarding technical assistance, please refer to the document Support charter.
1.2 SOFTWARE INSTALLATION: This sectio
14. [Figure 29: Events (screenshot). Items 2507/2507; example rows of type Connection with priority Notice, services dns_udp and http, details such as "37 B sent, 78 B r" and "1.23 KB sent".]
In this module, the additional Active/Suspended button allows switching the status of alarm refreshment. If this button is in a suspended status, the automatic refreshment will be disabled, making it easier to read logs.
When the Events menu in the menu directory is selected, the data displayed by default
Indicates the type of logs; the possible types of logs are: Alarm, Plugin, Connection, Web, SMTP, FTP, POP3, Filter.
Action: Action associated with the filter rule and applied on the packet. Examples: Block, Pass.
Priority (pri): Determines the alarm level. The possible values are: 0 emergency, 1 alert, 2 critical, 3 error, 4 warning, 5 notice, 6 information.
Identifier for the authenticated user (FTP); e-mail address of the sender (SMTP); identifier for the user if authentication has been enabled (WEB).
Src prt num: Source port number involved, displayed in digital form.
Destination: IP address or name of the object corresponding to the destination host of the packet.
Dst port: Destination port number of the service, or name of the object corresponding to the service port of the destination host if it exists and is request
15. [Figure 30: VULNERABILITY MANAGER (screenshot). Example row: 14/05/2014 14:14; OpenSSH 6.2; Server; FreeBSD; 22/tcp.]
The window has 3 views:
- A view of the list of vulnerabilities.
- A view of the list of hosts affected by this vulnerability.
- A view allowing the resolution of the selected vulnerability if a solution exists.
4.2.2.1 Vulnerabilities view: This view allows you to view all the vulnerabilities that the firewall has detected. Each line represents a vulnerability.
REMARK: The number of vulnerabilities is displayed in the tab's label.
Firewall: Serial number or name (if known) of the firewall at the source of the vulnerability.
Severity: according to 4 levels: Low, Moderate, High, Critical.
Name: Indicates the name of the vulnerability.
[Further column descriptions lost in extraction.]
WARNING: This refers to the date on which the vulnerability was discovered, and not the date on which it appeared on the network.
4.2
16. [Figure 38: Hosts, Events (screenshot); Type column shows Server, FreeBSD.]
REMARK: The number of events is displayed in the tab's label.
The information provided in the events view is as follows:
Name: Name of the detected OS.
Family: Family of the vulnerability that is likely to appear. Example: SSH.
[Further column descriptions lost in extraction; recoverable fragments: "application provides a service", "Name of the detected OS", "Unique identifier of the vulnerability family".]
4.3.1.5 Connections view:
[Figure 39: Hosts, Connections (screenshot). Tabs: Vulnerabilities, Applications, Information (1), Connections (2), Events (10). Columns include Source MAC address, Destination MAC address, Sent, Duration.]
This view allows you to see the connections that the firewall detects. Each line represents a connection. The Connections view displays the following data:
[Column descriptions lost in extraction.]
17. a name will appear (example: Linux 2.6.14). To finish, click on OK in order to confirm your selection. Imposing the host's OS when it has not been detected will allow, in particular, viewing the vulnerabilities of services and products according to the system.
[Modify OS on host dialog (screenshot). Current Operating System: Not detected. Detected Operating System: Not detected. New Operating System name: Name: Not detected. Choices listed: Not detected, Android, BlackBerry, CentOS, Cisco IOS, Darwin, Debian, Fedora, FreeBSD, Gentoo, IBM AIX.]
Add the host to the Object base: This option allows:
- Creating an object corresponding to the selected IP address directly in the firewall's object base in Stormshield Network Real Time Monitor.
- Adding this object to an existing group on the firewall.
For further information regarding this option, please refer to the Technical Note Stormshield Network Collaborative Security.
Copy to the clipboard: Copies the selected line to the clipboard. Data can be copied in two different ways:
- A single line is selected: in this case, this line as well as the lines of details will be copied.
- Several lines are selected: in this case, only these lines will be copied to the clipboard.
18. an application will bring you to the contextual menu.
Filter by these criteria: This option allows restricting the list of results to the selected field. For example, if the data is filtered by the priority Major, the administrator will get all the lines containing Major.
NOTE: Using this option will replace all the current filters on the columns.
Filter only this column by this criterion: This option allows you to restrict the list of the results pointed to by the cursor. Example: if your cursor pointed to the destination website consulted, the displayed list will only present the elements containing this destination website.
Copy to the clipboard: Copies the selected line to the clipboard. Data can be copied in two different ways:
- A single line is selected: in this case, this line as well as the lines of details will be copied.
- Several lines are selected: in this case, only these lines will be copied to the clipboard.
Filter this column by this criterion: This option allows restricting the list of results to the selected field. For example, if the data is filtered by the priority Major, the administrator will get all the lines containing Major. Caution: this is a new filter system.
NOTE: [text lost in extraction]
Filter only this column by This
19. and the language used in the graphical interface. Configures memory, connection timeout and the frequency with which different parameters will be refreshed.
Windows: The Windows menu enables managing the display windows of the different connected firewalls.
Duplicate current window: Duplicates the current window according to the firewall that you had selected earlier. The drop-down menu indicates the last screens visited and identifies the current screen with a tick.
2.2.2.3 Applications: The Applications menu enables connecting to other applications in the Stormshield Network Administration Suite. Using the two shortcuts provided has the added advantage of not having to reauthenticate on both applications.
Launch Stormshield EVENT REPORTER: Enables opening the Stormshield Network EVENT REPORTER module from the Administration Suite.
2.2.2.4 Help: Help: Opens a page that accesses your secure access area to allow you to obtain documentation. About: Provides information on the monitor in use (version number, credits).
2.2.3 APPLICATION SETTINGS: Certain parameters can be configured in the REAL TIME MONITOR application. Select the menu File > Application settings; the parameters window will appear.
2.2.3.1 Behavior at startup: This tab offers the different options that enable configuring the application's b
20. chapter of the Hosts module, section Connections view for the hosts tab.
4.4.8 Throughput tab: The throughput graph represents the real throughput on each of the Firewall's interfaces. The throughput scale automatically adapts to the maximum throughput recorded during the period.
[Figure 45: Interfaces, Throughput (screenshot). Panels: Bandwidth; Connections (Incoming connections 0 dmz10, Outgoing connections 0 dmz10); Throughput dmz10 (Outgoing throughput, Incoming throughput).]
For each interface, the throughput graph indicates the ingoing and outgoing throughput. To modify the interface on which throughput is viewed, click on this interface in the legend at the top right section of the graph. The interface currently being viewed will be highlighted in blue.
4.5 QUALITY OF SERVICE (QoS).
REMARKS:
1. Quality of Service, which has a high level of abstraction, refers to the ability to provide a network service according to parameters defined in a Service Level Agreement (SLA). The quality of the service is therefore gauged by its availability, latency, rate fluctuations, throughput and rate of lost packets.
2. Where network resources are concerned, the Quality of Service refers to a network element's ability to provide traffic prioritization services and bandwidth a
21. enter the administrator password in the Password field.
REMARK: Select the option Read only to connect to the firewall in read-only mode.
Click on the Connect button. The main window will appear.
2.1.2.2 Opening the address book: Go to the menu File > Address book to open the address book. Or, if Monitor has been configured to open the address book at startup, the Address book window will appear.
NOTE: For more information regarding the address book, please refer to Part 2, Chapter Address book.
2.1.2.3 Connecting automatically to the data source: If this option has been selected in Startup behavior (Application settings), Monitor will directly open the Overview main window and the application will automatically connect to the existing firewalls (cf. for more information regarding connection, please refer to Part 2, Chapter Startup behavior).
2.1.2.4 None: If this option has been selected in Startup behavior (Application settings), Monitor will directly open the Overview main window, but no application will be connected to the firewall. Only the Overview menu will be enabled; the other menus in the directory will be grayed out (cf. for more information regarding connection, please refer to Part 2, Chapter Startup behavior).
2.1.3 Address book: The address book can be accessed from the menu File > Address book.
REMARK: The address book can also be opened automatically upon the startup of the application if you have selec
22. [Figure 23: Overview (screenshot). Connection log excerpt: "Automatic connection failed: no firewall named ... was found in the address book"; "Performing hostname lookup"; "Start of connection"; "A connection has been successfully established"; "Authenticating"; "Authenticated"; "Monitor modification access rights (mon_write) obtained". Tree: Dashboard, Events, Hosts, Interfaces.]
3.1.2 Overview of information on vulnerabilities: This view indicates the number of vulnerabilities found, the number of critical vulnerabilities and the number of vulnerabilities that are remotely accessible on your networks. These indications represent links that allow access to these vulnerabilities (VULNERABILITY MANAGER menu).
[Figure 24: Network overview (screenshot). "1 vulnerability was detected on the monitored networks"; "0 of the vulnerabilities are critical"; "0 of the vulnerabilities are remote".]
3.1.3 List of firewalls: This view provides the following information on your product(s):
Auto connect: Selecting this option allows you to activate automatic reconnection of REAL TIME MONITOR in the event of a disconnection.
[Further column descriptions lost in extraction.]
Connected: Disconnect
23. in the following fonts. Example: Menu Interfaces.
1.1.2.3 Indications: Indications in this manual provide important information and are intended to attract your attention. Among these, you will find:
NOTE / REMARKS: These messages provide a more detailed explanation on a particular point.
WARNING / RECOMMENDATION: These messages warn you about the risks involved in performing a certain manipulation or about how not to use your appliance.
TIP: This message gives you ingenious ideas on using the options on your product.
DEFINITION: Describes technical terms relating to Stormshield Network or networking. These terms will also be covered in the glossary.
1.1.2.4 Messages: Messages that appear in the application are indicated in double quotes. Example: "Delete this entry".
1.1.2.5 Examples: Example: This allows you to have an example of a procedure explained earlier.
1.1.2.6 Command lines: Command lines: Indicates a command line, for example an entry in the DOS command window.
1.1.2.7 Reminders: Reminders are indicated as follows: Reminder.
1.1.2.8 Access to features: Access paths to features are indicated as follows: Access the menu File > Firewall.
1.1.3 VOCABULARY USED IN THE MANUAL
24. in this case, this line as well as the lines of details will be copied.
- Several lines are selected: in this case, only these lines will be copied to the clipboard.
Contextual menu in the Connections tab: Right-clicking against a line containing a connection will bring you to the contextual menu.
Filter this column by this criterion: This option allows restricting the list of results to the selected field. For example, if the data is filtered by the priority Major, the administrator will get all the lines containing Major.
NOTE: Using this option will replace all the current filters on the columns.
Filter only this column by this criterion: This option allows you to restrict the list of the results pointed to by the cursor. Example: if your cursor pointed to the destination website consulted, the displayed list will only present the elements containing this destination website.
View host: This option allows you to view only information of the selected host.
Copy to the clipboard: Copies the selected line to the clipboard. Data can be copied in two different ways:
- A single line is selected: in this case, this line as well as the lines of details will be copied.
- Several lines are selected: in this case, only these lines will be copied to the clipboard.
Contextual menu in the Events tab: Right-clicking against a line containing an alarm will bring you to the con
information has been entered, you may save it using the Save button. To open a session on one of the firewalls from the address book, click on its name then on the OK button, or simply double-click on the name of the firewall.

WARNING: If you modify the "Address book is encrypted" option, the address book has to be saved once more to apply the changes.

Check the option "Display passwords" to check the passwords used for each firewall saved in the address book. The passwords are then displayed in plaintext, so use this option only on a screen that cannot be observed, and keep the address book encrypted.

2.1.3.1 Adding an address
Click on the Add button to add an address to the address book. Other information to supply:
Name: The name of the firewall.

2.1.3.2 Modifying an address
The procedure for modifying an address in the address book is as follows:
1. Select the firewall to be modified.
2. Click on the Modify button. The following window will appear (Figure 3: Modifying an address, with the Password and Confirm fields).
3. Make the necessary changes.
4. Click on OK to confirm the changes.

2.1.3.3 Deleting an address
The procedure for deleting a firewall from the address book is as follows:
1. Select the firewall to delete.
2. Click on the Delete button. The following message will appear: "Confirm deletion of these
new generation display with the date of the last synchronization. You will also notice changes to RAID support.

5.4.2 Power supplies
If your firewall model supports redundant power supply modules (high-end models SN3000 and SN6000), the power supply status will be displayed.

5.4.3 S.M.A.R.T. devices
The result of the monitoring tests that have been conducted will be displayed for each S.M.A.R.T. peripheral detected. Example:
S.M.A.R.T. devices
Disk ad1: monitoring tests PASSED
Disk ad2: monitoring tests PASSED
Disk ad0: monitoring tests PASSED

5.4.4 RAID
The following is the information relating to the status of RAID volumes and the disks that they comprise:
Disk: Name of the disk that makes up the RAID volume. Example: "Mirrored array (Raid1)" for a RAID volume.
Disk address: Physical location of the disk contributing to a RAID volume. Example: "Upper slot".
Disk status: Status of the RAID volume or of a disk that it comprises. Example: "Degraded", "Optimal".

5.4.5 Log Storage Disks
The information relating to the storage medium is:
Type: Indicates the type of storage medium.

In the event of a problem with a disk, a message will be displayed in the dashboard.
Source (src): IP address or name of the object corresponding to the source host of the packet that set off the event.
Source address (src): IP address of the source host of the packet that set off the event.
Source MAC address: MAC address of the object at the source of the connection.
Source port (srcport): Port number of the source (only if TCP/UDP).
Destination interface (dstif): Network card of the destination interface.
Destination (dst, dstname): IP address or name of the object corresponding to the destination host of the packet that set off the event.
Destination address (dst): IP address of the destination host (or name of the object corresponding to the IP address, if it exists) of the packet that set off the event.
Destination port (dstport, dstportname): Port requested for this connection.
Details: Describes the event relating to the log. This description groups together information from other columns in a single column. Example: if it is an alarm log, information such as whether the alarm is sensitive, the filter rule number and the rule identifier will be indicated in this column, or will otherwise be shown in new columns in order to enable filtering.

For the description of additional data available by column title, please refer to chapter 4.1 EVENTS.
the right of the table. You may use the following operators:
- Equals: the values found have to be equal to those selected.
- Contains: looks for a word in a phrase.
- Begins with: looks for a phrase beginning with a string.
- Ends with: looks for a phrase ending with a string.
- Joker (wildcard): see the table below.
- Regular expression: cf. http://qt-project.org/doc/qt-4.8/qregexp.html

Wildcard syntax (Qt's wildcard mode, as documented at the link above):
- c: a character represents itself. E.g. if "c" is entered, the system will search for all occurrences of "c".
- ?: matches any single character.
- *: matches any sequence of zero or more characters.
- [...]: matches one character from a set. If "[ABCD]" is entered, the search will be conducted for A or B or C or D. If "[A-D]" is entered, the search will be for the range A to D (A, B, C or D); if "[A-Z]" is entered, the search will be for all capital letters.

Events can therefore be filtered according to one or several values, for example displaying events using the protocol HTTP or HTTPS. It is also possible to negate a criterion by selecting the option "No", for example displaying all entries except those whose protocol is HTTP.
- Columns can be resized according to their contents (option "Adjust columns to fit contents"). Furthermore, the administrator can sort the table by clicking on the column by which he wishes to sort.

2.2.1.5.2 Contextual menu on lines
Right-clicking on a line will display a contextual menu that allows various
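The following is an added example, not code from the manual or from Stormshield, showing how the six column operators and the "No" negation described above behave when applied to event rows. The rows are constructed here using column names the manual defines for the Events view (pri, proto, src, dst, dstport); the wildcard translation follows the Qt wildcard syntax the manual links to, and matching is assumed to be case-sensitive and to OR several criteria together.

```python
import re

# Constructed sample rows in the shape of the Events view; not real firewall output.
SAMPLE_EVENTS = [
    {"pri": 5, "proto": "http",    "src": "10.2.14.7",   "dst": "www.example.com",    "dstport": "80"},
    {"pri": 1, "proto": "https",   "src": "10.2.14.9",   "dst": "update.example.net", "dstport": "443"},
    {"pri": 2, "proto": "ssh",     "src": "192.168.0.5", "dst": "10.2.14.7",          "dstport": "22"},
    {"pri": 4, "proto": "dns_udp", "src": "10.2.14.7",   "dst": "dns1.google.com",    "dstport": "53"},
]


def wildcard_to_regex(pattern):
    """Translate the wildcard (joker) syntax into an anchored regular expression:
    '?' is one character, '*' any run of characters, '[...]' a set or range,
    and every other character stands for itself."""
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "*":
            out.append(".*")
        elif c == "?":
            out.append(".")
        elif c == "[":
            j = pattern.find("]", i + 1)
            if j == -1:                      # unterminated set: treat '[' literally
                out.append(re.escape(c))
            else:
                body = pattern[i + 1:j].replace("\\", "\\\\")
                out.append("[" + body + "]")
                i = j
        else:
            out.append(re.escape(c))
        i += 1
    return "^" + "".join(out) + "$"


# One predicate per operator offered by the column filter.
OPERATORS = {
    "equals":      lambda value, crit: value == crit,
    "contains":    lambda value, crit: crit in value,
    "begins with": lambda value, crit: value.startswith(crit),
    "ends with":   lambda value, crit: value.endswith(crit),
    "wildcard":    lambda value, crit: re.match(wildcard_to_regex(crit), value) is not None,
    "regex":       lambda value, crit: re.search(crit, value) is not None,
}


def filter_rows(rows, column, operator, criteria, negate=False):
    """Keep the rows whose `column` satisfies `operator` for at least one of
    `criteria` (several values are ORed, as when filtering on HTTP or HTTPS).
    `negate=True` is the "No" option: keep the rows that do NOT match."""
    test = OPERATORS[operator]
    kept = []
    for row in rows:
        value = str(row[column])
        matched = any(test(value, str(c)) for c in criteria)
        if matched != negate:
            kept.append(row)
    return kept


if __name__ == "__main__":
    for row in filter_rows(SAMPLE_EVENTS, "proto", "equals", ["http", "https"]):
        print("http/https:", row["src"], "->", row["dst"])
    for row in filter_rows(SAMPLE_EVENTS, "proto", "equals", ["http"], negate=True):
        print("not http:  ", row["proto"])
    # priority levels are numeric (0 emergency .. 6 information), so a
    # "serious events only" filter is an equality on the low values
    for row in filter_rows(SAMPLE_EVENTS, "pri", "equals", ["0", "1", "2"]):
        print("pri<=2:    ", row["pri"], row["proto"])
```

Numeric columns such as the priority are compared as text here, which is what a column filter on the displayed value does; a "priority at most warning" filter therefore has to list the wanted values explicitly rather than use a comparison.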
user from ASQ: Enables deleting the user's ASQ information. This may be useful especially if a user has been affected by an attack. The "Monitor modify" privilege is necessary.
Copy to the clipboard: Copies the selected line(s) to the clipboard. Data can be copied in two different ways:
- A single line is selected: in this case this line as well as the lines of details will be copied.
- Several lines are selected: in this case only these lines will be copied to the clipboard.

2.2.1.5.2.8 Quarantine / ASQ Bypass
Two contextual menus can be opened in this window:
- When right-clicking on the Quarantine zone
- When right-clicking on an ASQ Bypass zone

Contextual menu from right-clicking on the Quarantine zone
Right-clicking on a line containing a quarantined host will bring you to the contextual menu that will allow you to:
Filter this column by this criterion: This option allows restricting the list of results to the selected field. For example, when filtering by a particular firewall address, the administrator will obtain only a
Destination: Name of the object for which a connection has been established.
Destination address: IP address of the destination host.
Average throughput: Volume of data exchanged divided by the length of the session.
Destination port: Indicates the number of the destination port used for the connection.
Received data: Number of bytes received during the connection.
A further column describes the stage of the connection, for example its initiation, establishment or closure.

4.3.1.6 Events view
[Figure 40: Hosts > Events. Tabs: Vulnerabilities, Applications, Information, Connections, Events. Columns: Date, Logs, Action, Priority, Config, Source, Destination, Dst port, Details. The sample rows are "Connection" logs with action "pass" and priority "Notice", to dns1.google.com and dns2.google.com on dns_udp, each with a few hundred bytes sent.]
[Figure continued: further VPN log rows, each at "Information" level, phase 2, source gw, message "Phase established", with distinct In SPI / Out SPI values per row, the same cookie 0x5ef2e7aac69b1b2b and role "initiator".]
[Figure 53: Filter policy, continued: connection rows showing the time, protocol (UDP/TCP), source MAC address, source port, source interface "in", average throughput, destination port (53, 445, 443), destination interface "out" and sent/received data.]

Each row displayed is set out as follows:
<identifier for the rule type> <identifier for the rule in the slot> <filter rule>
where:
- <identifier for the rule type> takes one fixed value for implicit rules, 1 for global filters and 2 for local filters;
- <identifier for the rule in the slot> always has the same fixed value for implicit rules;
- <filter rule> is the filter rule created by Stormshield Network.

6.1.1.1 Connections view
The Connections view sets out, for each rule, all the connections allowed by the implicit, local and global filter policies.

6.2 VPN POLICY
DEFINITION: VPN (Virtual Private Network). The interconnection of networks in a secure and transparent manner for the participating applications and protocols, generally used to link private networks to each other through the Internet.

[Figure: VPN policy view. Columns: Source, Source router, Direction, Protocol, Destination router, Destination, Max lifetime. The sample rows list Network_loopback_v6 / any_v6 and Network_loopback_v4 / any_v4 entries.]
2 SN REALTIME MONITOR
Stormshield Network REAL TIME MONITOR allows you to visualize your firewall's activity in real time and provides the information below:
- Use of the firewall's internal resources (memory, CPU, etc.)
- List of raised alarms when vulnerabilities are detected
- List of connected hosts and users
- Real-time alarms
- Number of connections, bandwidth use, throughput
- Information on the status of interfaces and VPN tunnels
- Last logs generated
- Use of the disk space allocated to logs

With this tool you can connect to several firewalls and supervise all of them. Stormshield Network REAL TIME MONITOR provides a simple display of the connections transiting via the firewall, along with any alarms it has generated.

Monitor can be shut down by clicking on the cross in the top right corner, but this does not stop it from operating. Clicking on the Monitor icon in the taskbar restores it.

By default, Monitor can only be run on a machine connected to the internal network, and must be running permanently in order to avoid missing any alarms. You can use it remotely through the Internet, but you would have to explicitly authorize the service Firewall_srv in the filter rules. Such a rule exposes the firewall's administration service, so restrict it to the source addresses of the administration hosts rather than opening it to any source.

2.1 CONNECTION
2.1.1 Access
There are two ways to launch the Stormshield Network REAL TIME MONITOR application:
- Via the shortcut Applications > Launch the REAL TIME MONITOR in the menu bar of the other applications in the Administration Suite
- Via the m
[Figure 51: Services, continued. Each row shows the status (Enabled/Disabled), the service name and its uptime (2d 1h 52m 7sec for most services). Services listed: VPN tunnels, BIRD dynamic routing, IPv6 BIRD dynamic routing, Active Update, ClamAV antivirus (last update 14/05/2014 14:15, license expiry 31/12/2037), DHCPv6 client, DHCPv6 server, DHCP relay, DHCPv6 relay, DNS cache proxy, LDAP server, Logs (enabled), dial-up connections server (PPP/PPTP/PPPoE), VPN server, router advertisement daemon, SNMP agent, HTTP proxy cache, HTTP proxy server, SMTP proxy server, POP3 proxy server, FTP proxy server, SSL proxy server.]

Proxies are displayed in four distinct entries:
- HTTP Proxy
- SMTP Proxy
- POP3 Proxy
- FTP Proxy

Information regarding the antivirus can also be seen in this window: activity, version, last update, expiry of its license.

The following data will be displayed when you click on the Services menu:
Status: Indicates whether services are active or inactive.
Name: Indicates the names of the services.
Uptime: Ind
[Figure 40: Hosts > Events, continued: further "Connection / Notice" rows to dns2.google.com on dns_udp.]

Events
This view allows you to view all the events that the firewall has detected. Each line represents an alarm. The information provided in the Events view is as follows:
Date/time: Date and time the line was recorded in the log file, at the firewall's local time.
Action: Action taken on the packet. Examples: Block, Pass.
Priority (pri): Determines the alarm level. The possible values are:
0 emergency
1 alert
2 critical
3 error
4 warning
5 notice
6 information
Rule (ruleid): Number of the filter rule involved in the raised alarm.
Config: Name of the application inspection profile that reported the event.
Policy: Name of the SMTP, URL or SSL filter policy that raised the alarm.
User: Identifier of the user requesting authentication.
Protocol (proto): Protocol of the packet that set off the alarm.
Connection group (groupid): Identifier that allows tracking child connections.
Source interface (srcif, srcifname): Network card of the source interface, or the name of the object corresponding to it if it exists.
[Figure 1: Overview, continued: connection log lines such as "15:38:39 admin: ... has been successfully established", "Authenticating", "Authenticated", "15:38:47 admin: ... hostname lookup", "Start of connection".]

2.1.2 Connection
Stormshield Network REAL TIME MONITOR is opened differently depending on the option chosen in the tab "Startup behavior" in Application settings (cf. Part 2, chapter Startup behavior). The possible options are:
- Direct connection
- Connect to automatic connection data sources
- None

2.1.2.1 Direct connection to a Stormshield Network multifunction firewall
Direct connection allows you to enter the connection information for a specific firewall. To make a direct connection, go to the menu File > Direct connection. Or, if Monitor has been configured to connect directly at startup, the following window will appear (Figure 2: Direct connection).

NOTE: For more information regarding connection, please refer to Part 2, chapter Startup behavior.

1. Indicate the firewall's IP address in the Address field.
2. Enter the administrator login in the User field.
2.2.1.5.2.14 VPN Policy
Right-clicking on a line containing a VPN policy will bring you to the contextual menu that will allow you to:
Filter this column by this criterion: This option allows restricting the list of results to the selected field.

2.2.1.5.2.15 Logs > VPN
Right-clicking on a line containing a VPN log entry will bring you to the contextual menu:
Filter this column by this criterion: This option allows restricting the list of results to the selected field. For example, if the data is filtered by the priority "Major", the administrator will get all the lines containing "Major". NOTE: Using this option will replace all the current filters on the columns.
Filter only this column by this criterion: This option allows you to restrict the list of results to the value pointed to by the cursor. Example: if your cursor pointed to the destination website consulted, the displayed list will only present the elements containing this destination website.

Contextual menu in the System section
Right-clicking on a line in the System section will bring you to the contextual menu that will allow you to:
Filter this column by this criterion: This option allows restricting the list of results to the selected field. For example, if the data is filtered by the status "Enabled", the administrator will get all the lines containing "Enabled". NOTE: Using this option will replace all the current filters on the columns.
Filter only this column by this criterion: This option
4.3.2 DHCP leases tab
This tab displays all hosts that have a lease in progress or whose lease has ended, and specifies the state of this lease. The information provided in the DHCP leases tab is as follows:
Name: Name of the host that has a lease in progress or whose lease has ended, if declared in the objects, or the host's IP address otherwise.
Status: The status of the lease can be:
- Active: the address has been assigned to a host and the assignment is still in progress.
- Free: the lease has expired and the address can be reused for another lease.
From: Starting date and time of the lease assignment.
Until: Ending date and time of the lease assignment. This can be a date and time in the
MAC address: Physical network identifier of the host with an ongoing or lapsed lease.

REMARK: The leases assigned by reservation (static IP address reserved exclusively for a MAC address) are not displayed in this screen.

REMARK: When a new host logs on to a network, it will send a first request (DHCPDISCOVER) to the whole network to find out where the DHCP servers are. Upon reception, the DHCP server will pre-reserve an IP address and send it to the host (DHCPOFFER). It is possible h
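As an added example (not code from the manual or from Stormshield), the block below derives the Active/Free status the tab shows from the From and Until columns, and adds the check a practitioner usually wants on top of that list: a single MAC address holding several active leases at once. The lease rows and the reference time are constructed for the example; the "pending" label for a lease whose start time has not yet been reached is an assumption, since the manual only lists Active and Free.

```python
from datetime import datetime

# Constructed rows in the shape of the DHCP leases tab (Name, From, Until,
# MAC address); values are made up, not taken from a firewall.
SAMPLE_LEASES = [
    {"name": "pc-accounting", "from": "2014-05-15 08:00", "until": "2014-05-15 20:00", "mac": "18:03:73:c7:2b:d6"},
    {"name": "10.2.14.77",    "from": "2014-05-14 09:30", "until": "2014-05-14 21:30", "mac": "d4:be:d9:97:ec:3b"},
    {"name": "printer-2",     "from": "2014-05-15 07:45", "until": "2014-05-15 19:45", "mac": "00:1b:21:aa:bb:cc"},
    {"name": "10.2.14.78",    "from": "2014-05-15 09:10", "until": "2014-05-15 21:10", "mac": "18:03:73:c7:2b:d6"},
    {"name": "10.2.14.80",    "from": "2014-05-15 13:00", "until": "2014-05-16 01:00", "mac": "00:50:56:ab:cd:ef"},
]

# Reference "now" for the example, chosen so that the rows above land in
# each state (assumption for the demonstration).
EXAMPLE_NOW = datetime(2014, 5, 15, 12, 0)
FMT = "%Y-%m-%d %H:%M"


def lease_status(lease, now):
    """Active while now lies within [From, Until]; Free once Until has passed
    (the two states the tab displays). A lease whose From is still in the
    future gets the assumed label 'pending'."""
    start = datetime.strptime(lease["from"], FMT)
    end = datetime.strptime(lease["until"], FMT)
    if now < start:
        return "pending"
    return "Active" if now <= end else "Free"


def lease_table(leases, now):
    """Return the rows with a computed 'status' column, as the tab shows them."""
    return [dict(lease, status=lease_status(lease, now)) for lease in leases]


def macs_with_multiple_active_leases(leases, now):
    """One MAC address holding several active leases at the same time usually
    means a spoofed or flapping client, or a pool being drained. Returns
    {mac: [names]} for the offending addresses only."""
    active = {}
    for lease in leases:
        if lease_status(lease, now) == "Active":
            active.setdefault(lease["mac"], []).append(lease["name"])
    return {mac: names for mac, names in active.items() if len(names) > 1}


if __name__ == "__main__":
    for row in lease_table(SAMPLE_LEASES, EXAMPLE_NOW):
        print(f'{row["name"]:15} {row["status"]:8} {row["from"]} -> {row["until"]}  {row["mac"]}')
    print("MACs with several active leases:", macs_with_multiple_active_leases(SAMPLE_LEASES, EXAMPLE_NOW))
```

Reserved leases are not shown in the tab, so this check only covers dynamic assignments; a MAC that appears both with a reservation and a dynamic lease will not be caught from this view alone.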
[Figure 5: Exporting the address book: a standard Windows "Save as" dialog, with file type "Address book file (*.dat)".]

1. Select the file to export. REMARK: The file to export should be in .dat format.
2. Click on Save.

2.1.3.6 Search
The search covers all the information found in the columns. Information can be filtered on a column and the search can then be refined. Examples:
- Filter on the Address column containing "129": a list of results will appear; next, launch a global search by refining according to the address.
- Filter on the Address column beginning with "10.2", then search, from the displayed addresses, the hosts with addresses beginning with "10.2.14" by entering only "14" in the search field.

2.2 GETTING FAMILIAR WITH REAL TIME MONITOR
2.2.1 PRESENTATION OF THE INTERFACE
2.2.1.1 Main window
From this window you can open several windows, each connected to a different firewall.

[Figure 6: Overview. Status lines give the percentage of vulnerabilities that are critical and that are remote; the firewall list has the columns Auto connect, Read only, State, Name, Address, User
VULNERABILITY MANAGER, Administration, SMTP, System, IPSec VPN, Web, SSL VPN) in relation to the size allocated on the firewall for each log type.

DEFINITION OF LOGS: Chronological record of a computer's activity, which makes up a journal of the events that took place in programs and systems over a given period.

7.2 LOG TYPES
7.2.1 VPN
[Figure: Logs > VPN. Columns: Date, Error level, Phase, Source, Destination, Message, Peer identity, In SPI, Out SPI, Cookie in/out, Role, Remote network, Local network. The sample rows are "Information" level, phase 2, source gw, message "Phase established", with distinct In SPI / Out SPI values per row, the same cookie 0x5ef2e7aac69b1b2b and role "initiator".]
[Figure 42: Interfaces > Legend]

This view allows you to view all the interfaces that the firewall has detected. Each line represents an interface. The information provided in the Legend view is as follows:
- Name and color attributed to the interface: the colors allow you to distinguish the interface in the different graphs.
- Throughput of the interface: by default its value is 0. The throughput of a network interface can be configured via UNIFIED MANAGER.

REMARK: Inactive interfaces are grayed out.

You will notice the colors of the visible interfaces at the top of the window. These colors are defined in the network parameters of Stormshield Network UNIFIED MANAGER for each interface (refer to the Stormshield Network UNIFIED MANAGER user manual).

4.4.3 Details view
Each chart provides statistical information on the throughput of each interface:
- Name, IP address, subnet mask (American format, see the Appendix for explanations), connection type (10 or 100 Mbit/s, half duplex or full duplex)
- Instantaneous (left) and maximum (right) throughput
- Number of packets and volume in bytes for TCP, UDP and ICMP
- Number of TCP connections
- Total number of packets accepted, blocked and fragmented by the firewall

4.4.4 Bandwidth tab
The bandwidth graph displays the percentage of use of the a
6 POLICIES
6.1 FILTER POLICY
The Filter Policy menu, accessible from the menu directory in Monitor, recaps the active filter policy by grouping together the implicit rules, the global filter rules and the local filter rules.

[Figure 53: Filter policy. The Rules pane lists Implicit rules (98), Local filter rules (1, shown as "pass inspection firewall from any to any"), Implicit NAT rules (22) and Local NAT rules (233). The Connections pane (253 items) has the columns Time, Protocol, Source, Source MAC address, Source port, Source interface, Destination, Destination MAC address, Average throughput, Destination port, Destination interface, Sent data, Received data, Duration; the sample rows are TCP connections from the "in" interface to the "out" interface on ports 443, 993 and 1300, plus UDP to port 53.]
5.4.3 S.M.A.R.T. devices ... 85
5.4.4 RAID ... 86
5.4.5 Log Storage Disks ... 86
6 POLICIES ... 87
6.1 FILTER POLICY ... 87
6.2 VPN POLICY ... 87
7 LOGS
7.1 STATUS OF USE ... 89
7.2 LOG TYPES ... 89
7.2.1 VPN ... 89
7.2.2 System ... 90

1 INTRODUCTION
1.1 BASIC PRINCIPLES
1.1.1 WHO SHOULD READ THIS
This manual is intended for network administrators, or at the least for users with IP knowledge. In order to configure your Stormshield Network UTM firewall in the most efficient manner, you must be familiar with IP operation, its protocols and their specific features:
- ICMP (Internet Control Message Protocol)
- IP (Internet Protocol)
- TCP (Transmission Control Protocol)
- UDP (User Datagram Protocol)

Knowledge of the general operation of the major TCP/IP services is also desirable: HTTP, FTP, Mail (SMTP, POP3, IMAP), Telnet, DNS, DHCP, SNMP, NTP. If you do not possess this knowledge, don't worry: any general book on TCP/IP can provide you with the required elements. The better your knowledge of TCP/IP, the more efficient your filter rules and the greater your IP security.

1.1.2 TYPOGRAPHICAL CONVENTIONS
1.1.2.1 Abbreviations
For the sake of clarity, the usual abbreviations have been kept. For example: VPN (Virtual Private Network).

1.1.2.2 Display
Names of windows, menus, sub-menus, buttons and options in the application will be represented
- When right-clicking on the Connections tab
- When right-clicking on the Events tab
- When right-clicking on the help zone

Contextual menu relating to a host
Filter this column by this criterion: This option allows restricting the list of results to the selected field. For example, if the data is filtered by the priority "Major", the administrator will get all the lines containing "Major". NOTE: Using this option will replace all the current filters on the columns.
Filter only this column by this criterion: This option allows you to restrict the list of results to the value pointed to by the cursor. Example: if your cursor pointed to the destination website consulted, the displayed list will only present the elements containing this destination website.
Remove host from ASQ: Enables deleting the host's ASQ information. This may be useful especially if a host has been hacked. The "Monitor modify" privilege is necessary. A message will appear asking you to confirm this action.
Reset Vulnerability Manager information: Resets the VULNERABILITY MANAGER data for the selected host. The "Monitor modify" privilege is necessary. A message will appear asking you to confirm this action. When you perform this reset, the host will be deleted from the VULNERABILITY MANAGER database as well as from its data (counters, detected vulnerabilities, software).
Send to quarantine: The quarantined host will be dynamically blocked for a duration to be specified. This duration can either be 1 minute, 5 mi
[Figure 6: Overview, continued. Firewall list columns: Firmware, Active Update, Vulnerability Manager, Antivirus, Backup version, Last alarm, Vulnerabilities. Two firewalls are shown as "Connected" with user admin, Active Update and Vulnerability Manager enabled, antivirus disabled, and alarm counts Major 1 / Minor 1 and Major 0 / Minor 0. The connection log reads "15:38:20 Automatic connection failed: no firewall named was found in the address book" (three times), then "Performing hostname lookup" and "Start of connection".]

Once Monitor is connected, it will open a welcome window (Overview menu), which will display various types of information on the firewall's activity. It consists of five parts:
- A menu bar
- A horizontal bar containing icons relating to the connection, and a search zone
- A vertical bar containing a menu directory allowing the Stormshield Network REAL TIME MONITOR options to be viewed and configured
- A result display zone
- A status bar

REMARK: The other windows in the menu directory may contain the following buttons:
- Refresh
- Show/Hide help
- Firewall
- Duplicate

2.2.1.3 Description of icons
Generates a web report for the selected firewall:
- Summary of system resources (memory, CPU, etc.)
- List of co
[Figure 56: System, continued. Sample rows: a "_main" entry reporting "Communication error while reading user updates"; "12:27 SSOAgent: Agent sso_agent_backup is active"; "12:21" and "12:06 sysevent: The configuration has been modified"; "11:15 sysevent: Active Update: update successful (Vaderetro)" and "(Patterns)"; "11:15 HA" lines reporting successful synchronization of au_Vaderetro and au_Patterns to all cluster members; "10:37 sysevent: The configuration has been modified"; "10:37" and "10:33 HA" lines reporting successful synchronization of userprefs and config to all; "09:55 SSOAgent: Agent sso_agent_backup successfully connected" and "Connected to the agent".]

The following data is displayed when you click on the System menu:
Date: Date and time the entry was generated.
Service: Name of the service.
Message: Indicates the action applied.

APPENDICES
Appendix A: FAQ
1. What is
available. By expanding this line, details of the hosts concerned will appear, as well as the service that has been affected by the vulnerability. Help in the form of links may be suggested to correct the detected flaw. Once the network administrator becomes aware of the vulnerability, he can correct it at any moment, quarantine the affected host(s) and generate a report.

VULNERABILITY MANAGER can also perform weekly, monthly or yearly analyses using the application Stormshield Network EVENT REPORTER (Autoreport). See the Stormshield Network EVENT REPORTER user guide.

When you click on the VULNERABILITY MANAGER menu in the menu directory, the scan window will consist of the following:
- A Vulnerabilities tab
- An Applications tab
- An Events tab

4.2.2 Vulnerabilities tab
[Figure: Vulnerability Manager > Vulnerabilities tab. The dashboard reports 1 vulnerability, 3 applications and 4 events. Vulnerability columns: Severity, Affected hosts, Family, Target, Exploit, Detected, VID; the sample row is an OpenSSH-related vulnerability affecting 1 host, family "SSH server/client", target Local, detected 08/11/2013. The details pane has the columns Assigned, Name, Application, Type, Operating system, Port, Internet.]
allows you to restrict the list of results to the value pointed to by the cursor. Example: if your cursor pointed to the destination website consulted, the displayed list will only present the elements containing this destination website.
Copy to the clipboard: Copies the selected line(s) to the clipboard. Data can be copied in two different ways:
- A single line is selected: in this case this line as well as the lines of details will be copied.
- Several lines are selected: in this case only these lines will be copied to the clipboard.

Contextual menu for a line containing an event
Right-clicking on a line containing an event will bring you to the contextual menu that will allow you to:
Filter this column by this criterion: This option allows restricting the list of results to the selected field. For example, if the data is filtered by the priority "Major", the administrator will get all the lines containing "Major". NOTE: Using this option will replace all the current filters on the columns.
Filter only this column by this criterion: This option allows you to restrict the list of results to the value pointed to by the cursor. Example: if your cursor pointed to the destination website
50. an check the IP address(es) really assigned to the Firewall
• That the access provider for the graphical interface has not been deactivated on the Firewall.

2. How can I check the IP address(es) really assigned to the Firewall?
If you wish to check the IP address(es) or the operating mode (transparent or advanced), you need only connect to the Firewall in console mode. To do so, you can either conduct an SSH session on the Firewall (if SSH is active and authorized), or connect directly to the firewall by the serial port or by connecting a screen and a keyboard to the firewall. Once connected in console mode with the admin login, type the command ifinfo. This will give you the network adapter configuration and the present operating mode.

3. What is the meaning of the message "You lost the MODIFY privilege"?
Only one user can be connected to the Firewall with the MODIFY privilege. This message means that a user has already opened a session with this privilege. In order to force this session to close, you need only connect adding an exclamation mark before the user's name (admin).
WARNING: If an administrator session is open on another machine with the MODIFY right, it will be closed.

4. What is the meaning of the message "The operation has exceeded the allotted time"?
As a security measure, any connection between the Firewall
51. and the graphic interface is disconnected after a given time, whether finished or not. In particular, this prevents an indefinite wait for a connection if the Firewall cannot be reached via the network.

5. How do I know if there has been an attempted intrusion?
Each attempted intrusion triggers a major or minor alarm, depending on its gravity and configuration. You are informed of these alarms in four ways:
• Firstly, the LEDs on the front panel of the firewall light up red or flicker yellow to alert you.
• Then, the alarms are logged in a specific file which you can consult from the graphical interface (Stormshield Network REAL TIME MONITOR or Stormshield Network EVENT REPORTER).
• You can receive an alarm report at regular intervals (see Receiving alarms) via the Stormshield Network UNIFIED MANAGER application, which can be configured so that whenever an alarm is raised, an e-mail is sent. When several alarms are raised in a short period, they will be sent in a collective e-mail.
• Finally, Stormshield Network REAL TIME MONITOR displays on the screen the alarms received in real time.

6. Is it possible to allow protocols other than IP?
The Stormshield Network Firewall can only analyze IP-based protocols. All protocols that the Firewall does not analyze are regarded as suspicious and are blocked. However, in transparent mode, Novell's IPX, IPv6, PPPoE, AppleTalk and NetBIOS protocols may be allowed through even though they are not analyzed.
52. arms during the past 15 minutes that the product has been connected. The maximum value indicated is 100, even if the number of alarms exceeds this value. To view the alarms, click on either link of your choice: the Events menu will appear and will set out the list of alarms according to the selected criticality.

3.2.10 Vulnerabilities
This view indicates the number of vulnerabilities for a specific level. The 4 levels of vulnerability are: Critical, High, Moderate, Low. To view a list of vulnerabilities, click on one of the levels and the menu Vulnerability management will appear. Cf. chapter Vulnerability Manager.

3.2.11 VPN Tunnels
This view indicates the number of configured VPN tunnels. To view a list of configured VPN tunnels, click on the link: the VPN Tunnels menu will appear.

3.2.12 Active Update
This view indicates the status of updates that have been performed (success or failure), as well as the last time the Active Update module had been launched (date and time). To view a list of updates and their status, click on the link: the Active Update menu will appear.

3.2.13 Logs
This window indicates whether there are problems with the logs. To view a graph that represents the current size of the log file in real time (Alarms, Authentication, Connections, Filters, Monitor, Plugins, POP3, VULNERABILITY MANAGER, Administration, SMTP, System, IPSec VPN, Web, SSL VPN) in relation to the space allocated to each log type on
53. aused by errors or omissions in the manual, as well as for inconsistencies between the product and the manual.

Notice
WEEE Directive
All NETASQ products that are subject to the WEEE directive will be marked with the mandated crossed-out wheeled bin symbol (as shown above) for items shipped on or after August 13, 2005. This symbol means that the product meets the requirements laid down by the WEEE directive with regards to the destruction and reuse of waste electrical and electronic equipment. For further details, please refer to the website at this address: http://www.netasq.com/recycling.html

CONTENTS
1.1 BASIC PRINCIPLES
1.1.1 WHO SHOULD READ THIS
1.1.2 TYPOGRAPHICAL CONVENTIONS
1.1.3 VOCABULARY USED IN THE MANUAL
1.1.4 GETTING HELP
1.1.5 TECHNICAL ASSISTANCE CENTRE
1.2 SOFTWARE INSTALLATION
1.2.1 PRE-REQUISITES
1.2.2 INSTALLING VIA YOUR PRIVATE AREA
2 SN REALTIME MONITOR
2.1 CONNECTION
2.1.1 Access
2.1.2 Connection
2.1.3 Address book
2.2 GETTING FAMILIAR WITH REAL TIME MONITOR 19
2.2.1 PRESENTATION OF THE INTERFACE
2.2.2 INTRODUCTION TO MENUS
2.2.3 APPLICATION SETTINGS
2.2.4 DEFAULT MONITORING SETTINGS
3 INFORMATION ON FIREWALLS
3.1 OVERVIEW
3.1.1 Introduction
3.1.2 Overview of information on vulnerabilities
3.1.3 List of firewalls
3.1.4 Connection logs
3.2 DASHBOARD
3.2.1 Introduction
3.2.2 Selecting a produ
54. bring you to the contextual menu that will allow you to:

Filter this column by this criterion: This option allows restricting the list of results to the selected field. For example, if the data is filtered by the priority Major, the administrator will get all the lines containing Major.
NOTE: Using this option will replace all the current filters on the columns.

Filter only this column by this criterion: This option allows you to restrict the list of results to those pointed to by the cursor. Example: If your cursor pointed to the status Enabled, the displayed list will only present the elements containing this status.

Copy to the clipboard: Copies the selected line to the clipboard. Data can be copied in two different ways:
• A single line is selected: in this case this line, as well as the lines of details, will be copied.
• Several lines are selected: in this case only these lines will be copied to the clipboard.

2.2.1.5.2.12 Hardware
This is the menu dedicated to high availability. Please refer to sections 3.2.7 and 5.4.

2.2.1.5.2.13 Filter policy
This menu allows you to view different types of rules:
• Implicit rules
• Global filtering rules
• Local filtering rules
• NAT rules for local
For more information, please refer to section 6.1.
55. ct
3.2.3 System information
3.2.4 Memory
3.2.5 CPU
3.2.6 Temperature
3.2.7 Hardware
3.2.8 Active network policies
3.2.9 Alarms
3.2.10 Vulnerabilities
3.2.11 VPN Tunnels
3.2.12 Active Update
3.2.13 Logs
3.2.14 Services
3.2.15 Proxy Cache
3.2.16 Interfaces
3.2.17 Top 5 interfaces for incoming throughput
3.2.18 Top 5 interfaces for outgoing throughput
3.2.19 Top 5 hosts for incoming throughput
3.2.20 Top 5 hosts for outgoing throughput
4.1 EVENTS 55
4.2 SN Vulnerability Manager (NVM) 58
4.2.1 Introduction 58
4.2.2 Vulnerabilities tab 59
4.2.3 Application tab 61
4.2.4 Events tab 63
4.3 HOSTS 65
4.3.1 Hosts tab 65
4.3.2 DHCP leases tab
4.4 INTERFACES 71
4.4.1 Introduction 71
4.4.2 Legend view or tabular view of interfaces 73
4.4.3 Details view
4.4.4 Bandwidth tab 74
4.4.5 Connections tab 74
4.4.6 Incoming connections tab
4.4.7 Outgoing connections tab 75
4.4.8 Throughput tab 75
4.5 QUALITY OF SERVICE (QoS) 76
4.5.1 Diagram view
4.5.2 Connections view
4.6 USERS
4.6.1 Introduction
4.7 QUARANTINE - ASQ BYPASS 78
4.7.1 Quarantine view
4.7.2 ASQ Bypass view 79
5.1 VPN TUNNELS 80
5.1.1 IPSec VPN Tunnels tab 80
5.1.2 SSL VPN Tunnels tab 82
5.2 ACTIVE UPDATE 83
5.3 SERVICES 84
5.4 HARDWARE 85
5.4.1 High availability 85
5.4.2 Power supplies 85
5.4.3 S M A
56. d outgoing SA.
View logs of incoming SPIs: This option will allow displaying the SPIs of the negotiated incoming SA.
View the incoming policy: Hypertext link enabling the display of the incoming policy, visible in the […]
Reset this tunnel: The selected tunnel will be deleted, but the configuration on the firewalls will still be active. The SAs matching the selected tunnel will be cleared; new SAs will have to be renegotiated so that the tunnel can be used.

2.2.1.5.2.10 Active Update
Right-clicking against a line in the Active Update section will bring you to the contextual menu that will allow you to:
Copy to the clipboard: Copies the selected line to the clipboard. Data can be copied in two different ways:
• A single line is selected: in this case this line, as well as the lines of details, will be copied.
• Several lines are selected: in this case only these lines will be copied to the clipboard.

2.2.1.5.2.11 Services
Right-clicking against a line containing a service will
57. • A view that lists the applications
• A detailed view that lists the hosts

4.2.3.1 Applications view
This view allows you to see the applications that the firewall detects. Each line represents an application.
REMARK: The number of applications is displayed in the tab's label.
The Applications tab displays the following data:
Firewall: Serial number (or name, if known) of the firewall.
Name: Name of the software application. The version is not specified, except for the Operating System.
Family: The software application's family (e.g. web client).
Type: Software type. Client: the software does not provide any service. Server: the software application provides a service.
Operating system: […]
Instance: Number of software applications detected in the monitored networks. For a server, the same service may be suggested on several ports. E.g. an Apache http server which provides its services on port 80 and port 8080 (web proxy) would appear

4.2.3.2 Hosts view
This view allows you to see all the applications for a given host. Each line represents a host. The information seen in the Hosts view is as follows:
Name: Host name.
Type: […] a software application provides a service.
Operating system: […]
58. e consulted, the displayed list will only present the elements containing this destination website.

View the host: The Hosts menu directory will open to display additional information on the detected host. During pre-filtering, the host concerned will be selected. The data will be filtered according to the hostname, if available, or by its IP address.

Add the host to the Object base: This option allows:
• Creating an object corresponding to the selected source IP address directly in the firewall's object base in Stormshield Network Real Time Monitor.
• Adding this object to an existing group on the firewall.
For further information regarding this option, please refer to the Technical Note Stormshield Network Collaborative Security.

Copy to the clipboard: Copies the selected line to the clipboard. Data can be copied in two different ways:
• A single line is selected: in this case this line, as well as the lines of details, will be copied.
• Several lines are selected: in this case only these lines will be copied to the clipboard.

2.2.1.5.2.4 Hosts
Many contextual menus can be opened in this window:
• When right-clicking against a host
• When right-clicking against the Vulnerabilities tab
• When right-clicking against the Applications tab
• When right-clicking against the Information tab
59. e criteria cursor. Example: If your cursor pointed to the destination website consulted, the displayed list will only present the elements containing this destination website.

Add the host to the Object base: This option allows:
• Creating an object corresponding to the selected source IP address directly in the firewall's object base in Stormshield Network Real Time Monitor.
• Adding this object to an existing group on the firewall.
For further information regarding this option, please refer to the Technical Note Stormshield Network Collaborative Security.

View the host: The Hosts menu directory will open to display additional information on the detected host. During pre-filtering, the host concerned will be selected. The data will be filtered according to the hostname, if available, or by its IP address.

Copy to the clipboard: Copies the selected line to the clipboard. Data can be copied in two different ways:
• A single line is selected: in this case this line, as well as the lines of details, will be copied.
• Several lines are selected: in this case only these lines will be copied to the clipboard.

In the Application tab, 2 contextual menus can be opened:
• When right-clicking against a line detailing an application
• When right-clicking against a line detailing a host

Contextual menu for a line containing an application
Right-clicking against a line containing
60. e interfaces to display the Throughput tab graph in the Interfaces menu.

3.2.19 Top 5 hosts for incoming throughput
This zone displays the list of the 5 hosts that have registered the most incoming throughput. Click on any one of the interfaces to display the Throughput tab graph in the Interfaces menu.

3.2.20 Top 5 hosts for outgoing throughput
This zone displays the list of the 5 hosts that have registered the most outgoing throughput. Click on any one of the interfaces to display the Throughput tab graph in the Interfaces menu.

4 REAL TIME INFORMATION

4.1 EVENTS
The alarms generated by the Firewall will appear in this window.

(Screenshot: Events window, showing a list of Connection events with their times and the Search field)
61. ected user; these privileges include adding, modifying, deleting or reading in different applications.
Session: Number identifying the session (identifier).

4.7 QUARANTINE - ASQ BYPASS

DEFINITIONS
1. Dynamic quarantine: the quarantine is done manually and for a set duration.
2. Static quarantine: the quarantine is automatic and permanent. Static quarantining is configured in the application Stormshield Network UNIFIED MANAGER.

(Screenshot: Quarantine window, with the columns Addresses and Type)
Figure 48: Quarantine

This window comprises 2 views:
• A Quarantine view
• An ASQ Bypass view

4.7.1 Quarantine view
This window shows the hosts that have been dynamically quarantined. Hosts in static quarantine are not reflected in this list. The information provided in the Quarantine view is as follows:
Addresses: IP address of the host(s) affected by the quarantine.
Type: 2 options are possible: Host to host and Host to all.
Expiry: Time at which the quarantine will expire.

4.7.2 ASQ Bypass v
62. […] failure(s).
Antivirus: Indicates the status of the antivirus. Options: OK, Disabled […]
Last alarms: Indicates the number of major and minor alarms for the latest alarms over the past 15 minutes. The maximum value is 100, even if the number of alarms exceeds this value.
Vulnerabilities: Indicates the number of vulnerabilities.
Global filter: Indicates whether a global filter rule has been activated; if so, Global policy will be indicated.

3.1.4 Connection logs
This window indicates logs of connections between REAL TIME MONITOR and the firewall.

(Screenshot: Connection logs pane, showing three "Automatic connection failed: no firewall named ... was found in the address book" entries, followed by "A connection has been successfully established", "Authenticating", "Authenticated", "Performing hostname lookup" and the start of the connection)
63. (Screenshot: VPN log window, listing "Phase established" Information entries with their SPIs, gateway identities and the initiator role)
Figure 55: VPN

The following data is displayed when you click on the VPN menu:
Date: Date and time the entry was generated.
[…]
Peer identity: Identity of the peer indicated in pre-shared key configuration, where IP address has not been specified as the identity type.
In SPI: SPI number of the negotiated incoming SA in he
64. ed for this connection.
Details: Description of the event relating to the log. This column groups some of the information gathered from the other columns. Example: If an alarm log is concerned, information such as whether it was a sensitive alarm, the number of the filter rule (rule ID), already given in the columns Sensitive alarm, Rule and Rule ID, will be grouped in this column.
[…]: This column displays the icon that specifies the type of detection according to the […]
UTC start date (startime, tz): UTC date at the start of an event (a connection).
Timezone (tz): Firewall's timezone.
Rule (ruleid): Number of the filter rule involved in the raised alarm.
Protocol (proto): Protocol of the packet that set off the alarm.
Connection group (groupid): Identifier that would allow tracking child connections.
Source interface (srcif, srcifname): Name of the firewall interface (network card) on which the event was raised.
Source port (srcport, srcportname): Source port number of the service, or the name of the object corresponding to the service port of the source host (only if TCP/UDP).
Destination interface (dstif, dstifname): Network card of the destination interface.
Destination address: IP address of the destination host of the packet that set off the event.
[…]
Authentication: Authentication method used.
Sensitive alarm: Indicates whether an alarm is sensitive. This alarm is rais
65. ed whenever the intrusion prevention system detects a sensitive packet and for which it has been configured in intrusion detection mode. If the alarm is sensitive, an icon in the form of an exclamation mark followed by "Yes" will appear. Otherwise, "No" will be indicated. When the alarm is blocked, the icon will be grayed out (it is disabled).
NOTE: Only protocol alarms can be described as sensitive. For alarms that are not in this class, the column will be empty.

Copy repeat: Indicates the number of an event's occurrences within a defined period. This period is configured in Stormshield Network UNIFIED MANAGER, in the menu Logs > Advanced, option "Write log duplicates every".
Context (class): Text indicating the category to which the alarm belongs (system, protocol, filter, etc.).
Classification: Type of detection according to the categories Applications, Malware and Protections.
[…]: Number of KB received during the connection.
[…]
• FTP: PUT, MPUT, GET, DELETE
• HTTP: GET, PUT, POST
• EDONKEY: SENDPART
• POP3: RETR, LIST
• FTP: DELETE, LIST
Result: Result of the operation in the protocol (example: 404, which indicates an error).
66. ehavior at startup

(Screenshot: Settings, Behavior at startup tab, with the options Direct connection and Connect automatically to data sources)
Figure 13: Behavior at startup

Direct connection: If this option is selected, the direct connection window will open when Monitor starts up. It will enable you to enter the IP address of the desired firewall and the user password.
Connect automatically to data sources: If this option is selected, the connection will be established automatically on different firewalls in the address book.

2.2.3.2 External tools

(Screenshot: Settings, External tools tab. Packet analyzer: "You can add the packet_file parameter (absolute packet file) to the packet analyzer tool of your choice. This parameter will be automatically added as the last parameter if you do not explicitly use it." Fields: Path, Parameters)
Figure 14: Settings - External tools

Packet analyzer: When an alarm is triggered on a Stormshield Network Firewall, the packet responsible for setting off the alarm can be viewed. In order to do this, you need a packet viewing tool like Ethereal or Packetyzer. Specify the selected tool in the field.
Path: Indicates the location of the directory containing the application.
67. (Screenshot: Vulnerability Manager Applications tab, with the columns Assigned, Name, Application, Detail, Operating system and Port, and a help panel for "Microsoft Windows OS detected": Vulnerable Products; Description: This host runs a Microsoft Windows operating system; Risk level: Null; Advisory release date; Solution; Target type: Client; CVE; References; Possible Exploitation: Local; SEISMO Detection: Yes, since ASQ v3.5.0)
Figure 34: Help

REMARK: Refer to the user guide Stormshield Network UNIFIED MANAGER to configure VULNERABILITY MANAGER.

4.3 HOSTS
From the menu directory, click on Hosts. This window lists the connected hosts.

4.3.1 Hosts tab

(Screenshot: Hosts tab, with the columns Vulnerabilities, Applications, Information, Open ports, Interface, Bytes in, Bytes out, Throughput in, Throughput out and Operating system)
68. enu Start > Programs > Stormshield Administration Suite 1.0 > Stormshield Network REAL TIME MONITOR.

If this is your very first time connecting to your product, a message will prompt you to confirm the serial number found on the underside of the firewall. The Overview window will open upon connection.

(Screenshot: Overview window. Network overview: 1 vulnerability was detected on the monitored networks; 0 of the vulnerabilities are critical; 0 of the vulnerabilities are remote. Firewall list with the columns Auto connect, Read only, State, Name, Address, User, Model, Firmware, Active Update and Vulnerability Manager, followed by the Connection logs pane)
69. enu on columns
Right-clicking on a column header will display the following options:
Filter by this column: Isolates a set of events according to the criteria provided. For example, filtering by events with a minor protocol. When a filter has been applied to a column, the icon Y will appear in blue in the column label.
Clear column filter: Removes the filter that was previously set on the column.
Clear all filters except this: Removes the filters set on all the columns except for the filter on the selected column.
Hide column: Hides the selected column.
Adjust column width to fit contents: Columns will be resized according to the contents.

When the menu Filter by this column is selected, the following screen will appear:

(Screenshot: Filter by User column, with the options Hide blank fields and Filter by selected values)
Figure 7: Filter by this column

The screen relates to the column that had been selected previously (e.g. Filter by the Details column).
• Hide blank fields: this option allows displaying only fields that contain data.
• Filter by selected values: a value can be entered manually or selected from the suggested list. To create a filter, you only need to select one or several values from the suggested list and add them in order for them to appear in the section to
70. erface on which the host is connected.
[…]
Bytes out: Number of bytes that have passed through the Firewall to the source host since […]
Throughput in: Actual throughput of traffic to this host passing through the Firewall.
[…]

4.3.1.2 Vulnerabilities view
This tab describes the vulnerabilities detected for a selected host. Each vulnerability can then be viewed in detail.

(Screenshot: Hosts window, Vulnerabilities view, with the tabs Vulnerabilities (1), Applications (2), Information (2), Connections and Events (18), and the columns Application name, Name, Family, Detected, Exploit, Solution, Internet Protocol and ID, showing one OpenSSH AES / SSH entry detected on 14/05/2014 14:14, Local, Yes, 22/tcp)
Figure 36: Hosts - Vulnerabilities

The information provided in the vulnerability view is as follows:
Firewall: IP address of your Stormshield Network Firewall where the vulnerability comes from.
[…] according to 4 levels: Low, Moderate, High, Critical.
Name: Indicates the name of the vulnerability.
Family: Family to which the vulnerability belongs.
Type: […] application provides a service.
Target: One o
71. ewalls, licenses, synchronization. Click on the descriptive phrase in the Hardware zone in order to display the Hardware menu and to obtain information on high availability and the status of the firewall's components: S.M.A.R.T. peripherals, RAID volumes (where possible), disks and power supply units. If the backup firewall is not available, information on the active firewall can be viewed.

(Screenshot: Hardware window, High availability section, with the fields Last sync, Model, Version, Quality, Mode, License, Active partition, Backup partition, Backup link, Supervisor, ASQ Sync and Switchover)
Figure 28: Hardware

3.2.8 Active network policies
This view indicates whether slots are active. If so, the label of the activated rule is indicated. The rules mentioned here are:
Global filter rule: Name of the activated global filter policy.
[…]
NAT rule: Name of the activated translation policy.
URL filter rule: Name of the activated URL filter rule.
REMARK: <None> means that no policy has been activated for the rule that contains this indication.

3.2.9 Alarms
This view indicates the number of major and minor al
72. f 2 targets: Client or Server.
[…]
WARNING: This refers to the discovery date and not the date on which the vulnerability appeared on the network.

4.3.1.3 Applications view

(Screenshot: Hosts window, Applications view, with the columns Version, Vulnerability and Family, showing OpenSSH 6.2 and OpenSSH Client 6.2.0, family SSH)
Figure 37: Hosts - Applications

This tab describes the applications detected for a selected host. It is possible to view applications in detail later. The Applications view displays the following data:
Version: Name and version of the application.
[…]
Family: The software application's family.
Type: […] software application provides a service.
Port: Port used by the application (if it uses one).
[…]: Unique identifier of the vulnerability family.

4.3.1.4 Information view
This tab describes the information relating to a given host.

(Screenshot: Hosts window, Information view, showing OpenSSH 6.2 and "Unix OS detected", with the columns Operating System, Detail, Detected (14/05/2014 14:14), Internet Protocol and ID (22/tcp))
73. firewall for which you intended to generate a report. By clicking on a link in the list, the information will be displayed in table or graph form. In the example below, information on memory is displayed.

(Screenshot: Memory information, with the sections Fragmented, ICMP, Connections, Data tracking and Dynamic)
Figure 17: Memory information

2.2.3.4 Address book

(Screenshot: Settings, Address book tab, showing the file AddrBook.gap and a Reset button)
Figure 18: Settings - Address book

The Stormshield Network UNIFIED MANAGER, Stormshield Network REAL TIME MONITOR and Stormshield Network EVENT REPORTER applications use the same address book and therefore the same address book file. To retrieve a .gap file (Stormshield Network project file), simply click on Browse.

2.2.3.5 Miscellaneous

(Screenshot: Settings, Miscellaneous tab: Language: English; Online help URL; Start screen: Enabled; Console: Enabled; Minimize in systray instead of closing application: Enabled)

Language: You can select a language for the interface's menus. The automatic selection will choose the language installed on the PC's Windows OS. After a language selection […]
Splash screen: If you select this option, the first window that appears on startup will contain the name, logo, version and load
[...]g information buffer. The buffer is linked to the stateful module and corresponds to saving the context. Buffer sizes vary according to product type and product version. Cleaning algorithms optimize the operation of the Hosts, Fragmented, ICMP and Connections buffers. Entries in the Fragmented and ICMP buffers are initialized at fixed intervals: each entry has a limited lifetime (TTL). This illustrates part of the Firewall's activity. A high percentage may mean that the Firewall is overloaded or that an attack has been launched.

3.2.5 CPU

DEFINITION: Better known as a processor, this is the internal firewall resource that performs the necessary calculations.

[Figure: CPU graph.]

3.2.6 Temperature

This graph displays the temperature of the appliance in degrees Celsius (°C). This temperature is not available on virtual machines. For multi-core processors, the value displayed is the average of all the CPUs.

3.2.7 Hardware

DEFINITION OF HIGH AVAILABILITY: A specific architecture in which a backup firewall takes over when the main firewall breaks down while in use. This switch is totally transparent to the user.

If high availability has been activated, an additional section will provide you with information regarding the high availability status of fir[...]
[...] raised and to get help in the event of [...]
Hosts: List of hosts on your network.
Interfaces: This window allows you to get statistics on bandwidth, connections and throughput.
Quality of service: This window allows you to analyze your bandwidth, connections and throughput [...]
Users: This window allows you to get information on users and session privileges on [...]
Quarantine ASQ: This window displays the list of dynamically quarantined hosts [...]
VPN Tunnels: This window displays information on the operation of VPN tunnels and on the [...]
Active Update: This window sets out the status of Active Update on the firewall for each type of [...]
Services: This window shows the active and inactive services on the firewall and how long they have been active or inactive.
Hardware: This window shows information on the initialization of high availability and RAID.
Filter policy: This window displays the active filter policy by grouping the implicit and local rules.
VPN policy: This window allows viewing the configuration of the different VPN tunnel policies.
The sub-menu VPN provides information on VPN logs.

2.2.1.5 Result display zone

Data and options from the selected menus in the horizontal bar appear in this zone. These windows will be explained in further detail in the corresponding sections.

2.2.1.5.1 Contextual m[...]
[...] the address book window to allow the selection of a registered firewall to add to the connection list.
Add this firewall to the address book: Opens a window that will allow saving the selected firewall in the address book.
Edit the address book: Opens the address book window to enable editing.

Icon / Action / Description:
Add a new firewall to the connection list and connect to it: Displays the direct connection window to enable connecting to a firewall.
Add a firewall from the address book: Opens the address book window to allow the selection of a registered firewall to add to the connection list.
Edit the address book: Opens the address book window to enable editing.
Copy: Copies the selected log line(s).
Copy link location: Copies the location of the link.
Select all: Selects all the log lines.
Clear logs: Deletes all log lines.

2.2.1.5.2.2 Events

Right-clicking against a line containing an event will bring you to the contextual menu that will allow you to:

Filter by these criteria: This option allows restricting the list of results to the selected field. For example, if the data is filtered by the priority Major, the administrator will get all the lines containing Major.
Note: Using this option will replace all the current filters on the columns.
View source host [...]
[...]icates the number of days the service has been running and the time of activation.

5.4 HARDWARE

5.4.1 High availability

This window displays information concerning the initialization of high availability.

DEFINITION OF HIGH AVAILABILITY: High availability is an option that allows two firewalls, identified through a MasterHA and a BackupHA license, to exchange information on their statuses via a dedicated link in order to ensure service continuity in the event one of the firewalls breaks down. Firewalls in high availability have the same configuration; only their serial numbers, their licenses (Master or Backup) and, most of all, their status (active or passive) differ.

[Figure 52: Hardware > High availability. Fields shown for each member: State (Active / Passive), Master, Active partition (Main), Backup partition version and date, Last sync, Priority, Uptime, Main link, Backup link, Sync connection, Switchover.]

Note: Version 1.0 of Stormshield Network multifunction firewalls allows you to benefit from high availability support and a[...]
[...]iew. The information provided in the ASQ Bypass view is as follows:

Addresses: IP address of the host(s) affected by the ASQ Bypass.
Type: 2 options are possible: Host to host and Host to all.
Expiry: Time at which the ASQ Bypass will expire.

5 NETWORK ACTIVITY

5.1 VPN TUNNELS

The VPN Tunnels module presents IPSec VPN and SSL VPN tunnels under two separate tabs.

5.1.1 IPSec VPN Tunnels tab

The following window appears when you click on the VPN Tunnels menu:

[Figure: VPN tunnels > IPSec VPN tunnels tab. Columns: Source, Source address, Bytes, Destination, Destination address, Status, Lifetime, Authentication, Encryption, Outgoing SPI, Incoming SPI, Outgoing ReqID, Incoming ReqID. The sample rows show tunnels to the gateway 10.2.0.2 in the mature and dying states, with lifetimes such as 29m 8sec, hmac-sha1 authentication, aes-cbc encryption, hexadecimal SPIs and numeric ReqIDs.]
[...]ing status of the software. If it is not selected, the start[...]
Console: If the option Enable is selected, you will be able to access firewalls in console mode (CLI commands). When this window is validated, a Console menu will be added under the Overview menu directory.
Minimize in systray instead of closing application: If this option is selected, the application will be minimized in the systray instead of being shut down.

2.2.4 DEFAULT MONITORING SETTINGS

This menu enables configuring when all the information contained in Monitor will be refreshed. There are 6 parameters that regulate the frequency of data retrieval. You can also define how many lines of the different logs, and how many minutes of datagrams, will be displayed. The default parameters for monitoring can be accessed from the menu File > Default monitoring settings.

2.2.4.1 Updates

[Default monitoring settings > Updates. Fields: Event refreshment frequency, Graph refreshment frequency, Activity data update frequency, System data update frequency, Log refreshment frequency, Configuration data update frequency.]

Event refreshment frequency: Specifies, in seconds, when the list of detected events will be refreshed. The refreshment frequency is set to 30 seconds by default and may be a minimum of 1 second and a maximum of 3600 seconds.
Graph refreshment frequency: Specifies, in seconds, when graph[...]
[...] items.

Click on Yes or No to confirm the deletion or cancel.

2.1.3.4 Importing an address book

The procedure for importing an existing address book is as follows:

1. Click on the Import button. The following window will appear:

[Figure 4: Importing the address book. Windows file dialog opened in Computer > Local Disk (C:) > Administration Suite; file type filter Address book file (*.dat).]

2. Select the file to import.
REMARK: The file to import should be in .dat format.
3. Click on Open.

2.1.3.5 Exporting an address book

The procedure for exporting an existing address book is as follows:

1. Click on Export. The following window will appear:

[Figure: Address book export. Windows file dialog opened in Computer > Local Disk (C:) > Administration Suite.]
[...]lected field criterion.
Filter only this column by this criterion: This option allows restricting the list of results to the criterion under your cursor. Example: if your cursor pointed at a username, the displayed list will only present the elements containing this username.
View host: This option allows displaying, in the Hosts module of Real Time Monitor, all the characteristics of the host corresponding to the IP address (vulnerabilities, applications, connections, etc.).
Remove this tunnel: This option allows instantaneously shutting down the selected SSL VPN tunnel.

IPSec VPN Tunnels tab

Right-clicking against a line containing a VPN tunnel will bring you to the contextual menu that will allow you to:

Filter this column by this criterion: This option allows restricting the list of results to the selected field. For example, if the data is filtered by the priority Major, the administrator will get all the lines containing Major.
Filter only this column by this criterion: This option allows you to restrict the list of results to the element pointed to by the cursor. Example: if your cursor pointed at the destination website consulted, the displayed list will only present the elements containing this destination website.
View logs of outgoing SPIs: This option will allow displaying the SPIs of the negotiate[...]
[...]ll the relevant lines.
Note: Using this option will replace all the current filters on the columns.
Filter only this column by this criterion: This option allows you to restrict the list of results to the element pointed to by the cursor. Example: if your cursor pointed at the destination website consulted, the displayed list will only present the elements containing this destination website.

Contextual menu from right-clicking against the ASQ Bypass zone

Right-clicking against a line containing a quarantined host will bring you to the contextual menu that will allow you to:

Filter this column by this criterion: This option allows restricting the list of results to the selected field. For example, when filtering by a particular firewall address, the administrator will obtain only the relevant lines.
Note: Using this option will replace all the current filters on the columns.
Filter only this column by this criterion: This option allows you to restrict the list of results to the element pointed to by the cursor. Example: if your cursor pointed at a source address, the displayed list will only present the elements containing this source address.

2.2.1.5.2.9 VPN Tunnels

This module now presents tunnels set up via IPSec VPN and SSL VPN under two separate tabs.

SSL VPN Tunnels tab

By right-clicking on a row of SSL VPN tunnels, you will access a contextual menu that allows you to:

Filter this column by this criterion: This option allows restricting the list of results to the se[...]
Intrusion prevention (IPS): Privilege to consult or modify the intrusion prevention (ASQ) configuration. Privileges: modify base asq
Vulnerability Manager: Privilege to consult or modify vulnerabilities. Privileges: modify base pvm
Objects (global): Privilege to access global objects. Privileges: modify base globalobject
Filter (global): Privilege to access the global filtering policy. Privileges: modify base globalfilter

The base privilege is assigned to all users systematically. This privilege allows reading the whole configuration except filtering, VPN, logs and content filtering. The modify privilege is assigned to users who have writing privileges. The user who has logged on as admin will obtain the admin privilege. This is the only privilege that allows giving other users administration privileges or removing them.

Appendix C: SA states

Larval: The SA is in the process of being negotiated or has not been completely negotiated.
Mature: The SA has been established and is available; the VPN tunnel has been correctly set up.
Dying: The SA will soon expire. A new SA is in the process of being negotiated.
Dead: The SA has expired and cannot be used. The tunnel has not been set up and is therefore [...]
Orphan: A problem has arisen; in general this status means that the tunnel has been set up in only one direction.

Documentation: documentation.stormshield.eu
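The IPSec VPN tunnels tab (section 5.1.1) lists one row per SA with its Status and Lifetime, and Appendix C gives the meaning of each state. Reading them together is how an operator decides whether a "dying" row is a routine rekey or a tunnel about to drop. The script below is an added example, not code from the Stormshield guide or product: it parses rows copied from the tab (the sample rows, peer names, SPIs and ReqIDs are constructed here and only mimic the tab's columns) and judges each non-mature SA against the other SAs of the same peer, using the Appendix C vocabulary.

```python
"""Triage of IPsec SA states from the IPSec VPN tunnels tab (section 5.1.1)
using the state vocabulary of Appendix C.

Added example, not code from the Stormshield guide or product. The rows
below are constructed and only mimic the tab's columns; peer names, SPIs
and ReqIDs are made up. Columns are separated by two or more spaces, so a
lifetime such as "1h 2m 4sec" stays a single field.
"""
import re
from collections import defaultdict

# Constructed sample rows, laid out like the IPSec VPN tunnels tab:
# Source, Destination, Destination address, Status, Lifetime,
# Authentication, Encryption, Outgoing SPI, Incoming SPI,
# Outgoing ReqID, Incoming ReqID
SAMPLE_TABLE = """\
site_a  gw  10.2.0.2  mature  29m 8sec    hmac-sha1  aes-cbc  0x11111111  0x22222222  100  101
site_b  gw  10.2.0.2  mature  7m 51sec    hmac-sha1  aes-cbc  0x33333333  0x44444444  102  103
site_b  gw  10.2.0.2  dying   55m 53sec   hmac-sha1  aes-cbc  0x55555555  0x66666666  102  103
site_c  gw  10.2.0.2  dying   1h 2m 4sec  hmac-sha1  aes-cbc  0x77777777  0x88888888  104  105
site_d  gw  10.2.0.2  orphan  3m 12sec    hmac-sha1  aes-cbc  0x99999999  0xaaaaaaaa  106  107
site_e  gw  10.2.0.2  larval  0m 4sec     -          -        0x00000000  0x00000000  108  109
"""

COLUMNS = ("source", "destination", "dest_addr", "status", "lifetime",
           "auth", "enc", "out_spi", "in_spi", "out_reqid", "in_reqid")

LIFETIME_RE = re.compile(r"(?:(\d+)h)?\s*(?:(\d+)m)?\s*(?:(\d+)sec)?")


def parse_lifetime(text):
    """Convert a Lifetime cell such as '29m 8sec' or '1h 2m 4sec' to seconds."""
    m = LIFETIME_RE.fullmatch(text.strip())
    if not m or not any(m.groups()):
        raise ValueError(f"unrecognised lifetime: {text!r}")
    hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return hours * 3600 + minutes * 60 + seconds


def parse_tunnel_table(text):
    """Parse copied tab rows (two-or-more-space separated) into dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = re.split(r"\s{2,}", line.strip())
        if len(fields) != len(COLUMNS):
            raise ValueError(f"expected {len(COLUMNS)} columns, got {len(fields)}: {line!r}")
        row = dict(zip(COLUMNS, fields))
        row["status"] = row["status"].lower()
        row["lifetime_s"] = parse_lifetime(row["lifetime"])
        rows.append(row)
    return rows


def triage(rows):
    """Return one finding per SA that is not mature, judged per peer.

    A dying SA is normal while a mature replacement exists for the same
    (source, destination address) pair; without one the tunnel is about to
    drop. Larval and dead SAs matter only when no mature SA carries the
    peer. Orphan always needs a look: Appendix C says the tunnel is up in
    one direction only.
    """
    by_peer = defaultdict(list)
    for row in rows:
        by_peer[(row["source"], row["dest_addr"])].append(row)

    findings = []
    for (source, dest_addr), group in sorted(by_peer.items()):
        has_mature = any(r["status"] == "mature" for r in group)
        for r in group:
            st = r["status"]
            if st == "mature":
                continue
            if st == "dying":
                level, msg = (("info", "rekey in progress, a mature replacement SA exists")
                              if has_mature else
                              ("warning", "SA expiring and no mature replacement negotiated"))
            elif st == "larval":
                level, msg = (("info", "additional SA still being negotiated")
                              if has_mature else
                              ("warning", "tunnel not yet established, only a larval SA exists"))
            elif st == "dead":
                level, msg = (("info", "expired SA, traffic carried by a mature SA")
                              if has_mature else
                              ("error", "SA expired and no usable SA for this peer"))
            elif st == "orphan":
                level, msg = "error", "tunnel set up in one direction only"
            else:
                level, msg = "warning", f"unknown SA state {st!r}"
            findings.append({"source": source, "dest_addr": dest_addr, "status": st,
                             "lifetime_s": r["lifetime_s"], "out_spi": r["out_spi"],
                             "level": level, "message": msg})
    return findings


if __name__ == "__main__":
    for f in triage(parse_tunnel_table(SAMPLE_TABLE)):
        print(f"{f['level']:<7} {f['source']} -> {f['dest_addr']} "
              f"[{f['status']}, {f['lifetime_s']}s, SPI {f['out_spi']}]: {f['message']}")
```

Grouping by (Source, Destination address) rather than by ReqID is a deliberate choice: the tab shows the same ReqID pair on both the mature and the dying row during a rekey, but a replacement SA negotiated after a failure may carry a new ReqID, and the question an operator needs answered is simply whether the peer still has a usable SA.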
[...]n provides you with the elements for installing the software suite that would allow you to administer your product. For further information on the appliances and how to install them, please refer to the product installation guide, Presentation and installation of Stormshield Network products (Ref. naengde_product_installation.pdf).

You will need the graphical interface installation file. This file can be found on the website https://mystormshield.eu. The installation file is in English and French. You will also need your firewall's internal IP address as well as its serial number.

1.2.1 PRE-REQUISITES

The basic library corresponds to all the modules necessary for the other programs; 15.3 MB of hard disk space is necessary. The minimum installation groups together:

- Stormshield Network Unified Manager: graphical interface for the administration of Stormshield Network Firewalls.
- Stormshield Network Real Time Monitor: real-time viewer of your Stormshield Network Firewall (2.58 MB).
- Stormshield Network Event Reporter: log consultation and management on your firewall (140 MB).

The in[...]
[...]n you wish to change the target firewall (or <all>) and view [...]

2.2.1.8 Search engine

The search zone is presented in 2 different formats:

1st format: the bar shown below can be seen on all screens except for the Events screen.
[Figure 11: Search zone (Search field, Items 7/7).]

2nd format: the bar below appears in the Events menu.
[Figure 12: Search zone, Events (Search field, Filters button, Items 186/186).]

The Filters button contains the filters defined by the application and allows obtaining only the lines below:
- Alarm
- Virus
- Connection
- Web
- Mail
- FTP
- Filter
- SSL
- SSL VPN
- Authentication
- Applications alarm
- Protections alarm
- Malwares alarm

2.2.1.8.1 Search

In this zone you will be able to conduct searches through the elements in the list. Elements are filtered as the search criteria are being entered.

2.2.2 INTRODUCTION TO MENUS

2.2.2.1 File

The File menu concerns connections to the firewall and the application's general options.

Opens a new Firewall connection window. Enter the IP address of the Firewall and the user password.
Application settings: Determines the behavior that Monitor should adopt at startup, enables getting a packet analyzer, defining a destination folder for reports [...]
Filter this column by this criterion: This option allows restricting the list of results to the selected field. For example, if the data is filtered by the priority Major, the administrator will get all the lines containing Major.
Note: Using this option will replace all the current filters on the columns.
Filter only this column by this criterion: This option allows you to restrict the list of results to the element pointed to by the cursor. Example: if your cursor pointed at the destination website consulted, the displayed list will only present the elements containing this destination website.
Copy to the clipboard: Copies the selected line to the clipboard. Data can be copied in two different ways:
- A single line is selected: in this case this line as well as its lines of details will be copied.
- Several lines are selected: in this case only these lines will be copied to the clipboard.

Filter this column by this criterion: This option allows restricting the list of results to the selected field. For example, if the data is filtered by the priority Major, the administrator will get all the lines containing Major.
Note: Using this option will replace all the current filters on the columns.
Filter only this column by this criterion: This option allows you to restrict the list of results to the element pointed to by the curso[...]
[...]nd latency time control.

[Figure 46: Quality of service. Columns: QID, Traffic, Reverse traffic, Packets, Reverse packets, Rejected packets, Rejected reverse packets, Bytes, Reverse bytes; sample rows for the BYPASS queue. Graph: Outgoing throughput, Incoming throughput.]

This window consists of 2 views:
- A table view
- A graph view

The following data is displayed when you click on the Quality of service menu:

QID: Name of the policy defined for accepting or rejecting packets.
Traffic: Indicates in real time the incoming throughput that the QID manages.
Reverse traffic: Indicates in real time the outgoing throughput that the QID manages.
Packets: Number of incoming packets in real time over a defined period.
Reverse packets: Number of outgoing packets in real time over a defined period.
Rejected packets: Number of rejected incoming packets on the network.
Rejected reverse packets: Number of rejected outgoing packets.
Bytes: Value in Kbits or Mbits.
Reverse bytes: Value in Kbits or Mbits.
[...]nformation relating to the operating system, to the various active services as well as to the different applications that have been installed. As a result, descriptive profiles can be made of network elements.

The following are Stormshield Network VULNERABILITY MANAGER's aims:
- To configure your company network's security policy
- To analyze the status of the risk
- To optimize the level of security
- To report security events

The procedure is as follows:

1. Stormshield Network's intrusion prevention engine (ASQ) extracts data in real time using the network protocols that it knows.
2. VULNERABILITY MANAGER then combines and weights these data. The vulnerabilities found can then be treated using databases that have been indexed dynamically. Once all this information has been collected, it will be used in Monitor so that flaws on the network can be corrected, prohibited software can be detected, or the real risk relating to an attack can be identified in real time. The profile is therefore complete.
3. One or several solutions can thus be considered.

Example: A company has a public website that it updates twice a month via FTP. At a specific date and time, a vulnerability that affects FTP servers is raised and Monitor immediately takes it into account, enabling the network administrator to detect it at practically the same time. This vulnerability is represented by a line that indicates the number of affected hosts and whether a solution is av[...]
[...]nnected hosts (IP address, interface to which the user is connected, amount of data transferred, number of connections, throughput used)
- List of authenticated users (user name, IP, remaining time on the authentication period)
- List of alarms raised (major and minor)
- List of active VPN tunnels
- List of active services
- Status of the Active Update module
- Statistics

Menus

The main window contains the following menus: File, Windows, Applications and Help.

Applications: Enables you to execute the two other applications making up the Stormshield Network Administration Suite, Stormshield Network UNIFIED MANAGER and Stormshield Network EVENT REPORTER.
Help: Allows you to access the relevant Help file and to know which version the monitor runs on.

Overview: This window lists the firewalls. Monitor opens in this window once the connection has been established.
The Console sub-menu: When the option Enable is selected in the menu Application parameters > Miscellaneous, in the console zone, you will be able to access firewalls in console mode (CLI commands). When this window [...]
Dashboard: This window gives you a summary of the main information relating to your product.
Events: This window lists the events that the firewall has raised.
Vulnerability Manager: This window allows you to view alarms bein[...]
[...]nnel has been set up in only one direction.

5.1.2 SSL VPN Tunnels tab

By clicking on the SSL VPN tunnels tab in the VPN Tunnels menu, the following screen will appear:

[Figure: VPN tunnels > SSL VPN tunnels tab. Columns: User, VPN IP address, Source IP address, Received, Sent, Duration, Port. Sample row: source address 192.168.123.6, 11.28 Mb received, 1.55 Mb sent, duration 28m 40sec.]

It displays statistics on the operation of the SSL VPN tunnels that have been set up. The data displayed in this window are:

User: Name of the user that initiated the tunnel.
VPN IP address: IP address assigned by the OpenVPN server to the client for communications through the SSL VPN tunnel.
Source IP address: IP address of the client workstation outside the SSL VPN tunnel (local network address).
Received: Amount of data the client has received through the SSL VPN tunnel (unit: bits).
Sent: Amount of data the client has sent through the SSL VPN tunnel (unit: bits).
Duration: Duration of the SSL VPN tunnel, in minutes and seconds.
Port: Source port used by the client to set up the SSL VPN tunnel.
[...]nutes, 30 minutes or 3 hours. The Monitor modify privilege is necessary. You will not be asked to confirm this action.
Manually set the Operating System: This option allows specifying a host's operating system when Stormshield Network VULNERABILITY MANAGER is unable to detect it automatically. The window will then offer several fields:
Current operating system: The OS that Stormshield Network VULNERABILITY MANAGER uses for detecting vulnerabilities on a host. The OS of a host may sometimes not be detected.
Detected operating system: The OS that Stormshield Network VULNERABILITY MANAGER detects after performing a traffic scan on a host.
The Restore button allows removing the OS indicated by the user and reverting to the OS detected by VULNERABILITY MANAGER.

[...] MANAGER, it is possible to impose it by selecting it from the suggested list. In this case, 2 situations may arise:

1. You are unable to specify the correct version (examples: Android, Blackberry, etc.). In this case, the Version field will remain grayed out. Click on OK in order to force the OS to accept this value.
2. You are able to specify the version (example: Linux). In this case, the Version field will be modifiable and you will be able to enter a version number (example: 2.6). Next, click on Validate.

If VULNERABILITY MANAGER detects the version[...]
Introduction

From the menu directory, the Overview menu allows you to display several types of information regarding your firewalls. Once the connection with the firewall is established, this information will be available.

The Overview menu consists of five zones:
- The menu directory
- An overview of information on vulnerabilities found on your network (corresponds to the Part 4, Chapter 2 VULNERABILITY MANAGER menu)
- A search and icon bar
- A list of your firewalls
- A view of connection logs

[Figure: Overview. Network overview summary (number of vulnerabilities detected on the monitored networks, share that are critical, share that are remote). Firewall list columns: Auto connect, Read only, State, Name, IP Address, Model, Firmware, Active Update, Vulnerability Manager, Antivirus, Backup version, Last alarm, Vulnerabilities, Global. Connection logs, e.g. 15:38:20 Automatic connection failed: no firewall named ...]
[Figure 25: Connection logs. Sample lines: A connection has been successfully established; Authenticating; Authenticated; 15:46:07 admin: Monitor modification access rights (mon_write) obtained.]

TIP: You can erase logs by right-clicking on the Connection logs view.

3.2 DASHBOARD

3.2.1 Introduction

The Dashboard menu allows displaying on a single screen all the useful information concerning real time monitoring. It basically picks out useful information from some of the menus in the Stormshield Network REAL TIME MONITOR menu directory and adds other additional information.

The data displayed in this window are:
- System information
- Memory
- CPU
- Hardware
- Active network policies
- Alarms
- Vulnerabilities
- VPN tunnels
- Active Update
- Logs
- Services
- HTTP Cache
- Interfaces
- Top 5 interfaces for incoming throughput
- Top 5 interfaces for outgoing throughput
- Top 5 hosts for incoming throughput
- Top 5 hosts for outgoing throughput

[Figure: Dashboard. Banner: "One or several problems require your attention". System information: Firewall name <Unnamed>, Protected hosts 3, Firmware on active partition, Active partition Main. Memory: Fragmented 0 ...]
[...] option allows you to restrict the list of results to the element pointed to by the cursor. Example: if your cursor pointed at the destination website consulted, the displayed list will only present the elements containing this destination website.
View the host: The Hosts menu directory will open to display additional information on the detected host. During pre-filtering, the host concerned will be selected. The data will be filtered according to the hostname if available, or by its [...]
Add the host to the Object base: This option allows:
- Creating an object corresponding to the selected source IP address directly in the firewall's object base, from Stormshield Network Real Time Monitor.
- Adding this object to an existing group on the firewall.
For further information regarding this option, please refer to the Technical Note Stormshield Network Collaborative S[...]

In the Information tab, 3 contextual menus can be opened:
- When right-clicking against a line containing information
- When right-clicking against a line detailing a host
- When right-clicking against the help zone

Contextual menu for a line containing information

Filter by these criteria: This option allows restricting the list of results to the selected field. For example, if the data is filtered by the priority Major, the administrator will get all the lines containing Major.
Note: Using this option will replace all the current filters on the columns.
Filter only this column by this criterion: This option[...]
[...]or.

2.2.4.2 Memory

[Default monitoring settings > Memory. Fields: Number of log lines to be downloaded, Graph period, Maximum number of events displayed, Maximum number of connections to display.]

Graph period: Indicates how long graphs will be displayed (statistics from the Interfaces menu).
Maximum number of events displayed: Configures the number of event lines that you wish to display in the Events menu. By default the value is set to 20,000 events and may be a minimum of 1 event and a maximum of 2,000,000 events. The number of event lines indicated influences the memory used: the memory used for 150,000 event lines indicated for a firewall is about 220 MB, and for 300,000 event lines about 430 MB.
Maximum number of connections displayed: Configures the maximum number of connections that you wish to display in the Hosts, Interfaces, Filter policy and Quality of Service modules. If the value is zero, the function will be disabled. By default the value is set to 20,000.

2.2.4.3 Miscellaneous

Connection timeout: When the firewall does not respond, the connection will be shut down at the end of the period determined in this field.

3 INFORMATION ON FIREWALLS

3.1 OVERVIEW

3.1.1 Dashboard
[...]oughput: Number of bits.

[Figure 41: Interfaces.]

The Interfaces menu presents different statistics concerning:
- Bandwidth
- Connections
- Throughput

Statistics are displayed in the form of graphs. The vertical and horizontal axes are graduated. The horizontal axis represents time and the vertical axis is either:
- Bandwidth (percentage),
- The number of connections, or
- Throughput, expressed in bytes, kilobytes or megabytes.

4.4.1.1 Interface types
- Vlan
- Ethernet
- PPTP
- Dialup

REMARK: The interfaces are grayed out or do not appear at all when they are inactive.

The window consists of 3 views:
- A view of the interfaces, in tables or as a legend
- A details zone
- A zone for viewing graphs

4.4.2 Legend view or tabular view of interfaces

[Figure: Interfaces, legend/tabular view. One line per interface (ethernet), with columns IPv4 Address/mask, IPv6 Address/mask, Media, Bandwidth (e.g. 1Gb), Throughput in, Throughput out (e.g. 48.14 Kb/s, 25.21 Kb/s) and Connections.]
[...]owever that this host already uses the address range of another DHCP server. During this pre-reservation period (2 minutes), the IP address will no longer be available but will appear in the list as free. If many pre-reservations are made within a short period, the server may run out of available addresses while the screen continues to display free addresses.

4.4 INTERFACES

4.4.1 Introduction

DEFINITION: A zone, whether real or virtual, that separates two elements. The interface thus refers to what one element needs to know about the other in order to operate correctly.

[Figure: Interfaces (Items 14/14). Table columns: IPv4 Address/mask, IPv6 Address/mask, Throughput in, Throughput out, Connections, Media, Bandwidth. Details zone for the selected interface (dmz10): Packets 4218, Bytes in 31.12 KB, Bytes out 376.66 KB, Connections 0. Graphs: Bandwidth, Connections (incoming/outgoing), Throughput (incoming/outgoing).]
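The pre-reservation caveat above is easy to misread from the screen: an address the DHCP view shows as free may be unusable for the next 2 minutes, and a burst of offers can empty the pool while the list still looks full. The model below is an added example, not code from the Stormshield guide or product; the pool, the clients and the 120-second TTL are constructed here to reproduce the behaviour the text describes, and nothing else about the firewall's DHCP implementation is assumed. It separates what the monitor would display from what the server can actually hand out.

```python
"""Model of the DHCP pre-reservation behaviour described above: for 2 minutes
a pre-reserved address is unavailable to other clients yet still displayed
as free, so a burst of pre-reservations can exhaust the pool while the
screen still shows free addresses.

Added example, not code from the Stormshield guide or product. The pool,
the clients and the TTL are constructed here to illustrate the documented
behaviour; nothing about the firewall's real DHCP implementation is assumed
beyond what the text states.
"""

PRERESERVATION_TTL = 120  # seconds, "2 minutes" in the guide


class LeasePool:
    def __init__(self, addresses, ttl=PRERESERVATION_TTL):
        self.addresses = list(addresses)
        self.ttl = ttl
        self.leased = {}        # address -> client
        self.prereserved = {}   # address -> expiry time (seconds)

    def _expire(self, now):
        for addr, expiry in list(self.prereserved.items()):
            if expiry <= now:
                del self.prereserved[addr]

    def displayed_free(self, now):
        """Addresses the monitor lists as free: everything not leased.
        Pre-reserved addresses are still shown here, as the guide says."""
        self._expire(now)
        return [a for a in self.addresses if a not in self.leased]

    def available(self, now):
        """Addresses the server can actually offer: not leased and not
        under a live pre-reservation."""
        self._expire(now)
        return [a for a in self.addresses
                if a not in self.leased and a not in self.prereserved]

    def pre_reserve(self, now):
        """Offer an address to a client: pre-reserve it for ttl seconds."""
        free = self.available(now)
        if not free:
            return None
        addr = free[0]
        self.prereserved[addr] = now + self.ttl
        return addr

    def confirm(self, addr, client, now):
        """Client accepted the offer: turn the pre-reservation into a lease."""
        self._expire(now)
        if addr in self.leased or addr not in self.prereserved:
            return False
        del self.prereserved[addr]
        self.leased[addr] = client
        return True


def burst_scenario(pool_size=4, burst=6, now=0):
    """Issue `burst` offers at once and report what the screen shows versus
    what the server can still hand out, then again once the TTL has passed."""
    pool = LeasePool(f"192.0.2.{i}" for i in range(10, 10 + pool_size))
    offers = [pool.pre_reserve(now) for _ in range(burst)]
    granted = [a for a in offers if a is not None]
    refused = offers.count(None)
    during = (len(pool.displayed_free(now)), len(pool.available(now)))
    later = now + PRERESERVATION_TTL
    after = (len(pool.displayed_free(later)), len(pool.available(later)))
    return {"granted": granted, "refused": refused,
            "displayed_free_vs_available_during": during,
            "displayed_free_vs_available_after_ttl": after}


if __name__ == "__main__":
    print(burst_scenario())
```

With a 4-address pool and 6 offers, `displayed_free` stays at 4 while `available` is 0 and the last two offers are refused; only after the TTL do the two figures agree again. When you suspect exhaustion, compare the free count on screen with the server's own behaviour rather than trusting the list alone.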
98. pdateX.stormshield.eu. The Monitor screen indicates the result of the last update (successful or failed) and the date of the last update. The following data will be displayed when you click on the Active Update menu:
Status: Indicates the status of the Active Update. 2 options are possible: The last update failed; Updated.
Name: Indicates the update data categories.
5.3 SERVICES
This window sets out the services (active and inactive) on the Firewall and for how long they have been active or inactive.
[Screenshot: Services window with the columns Status, Name, Uptime, CPU, Version, Last update and License expiry; the listed services (Web portal, NTP client, DHCP server, DHCP client, VPN SSL server, ASQ monitoring, High availability, Event server, SSH server, Interface monitoring, ASQ supervision service, Hardware monitoring service, Communication server) show the status Enabled and an uptime such as 2d 1h 50m 49sec.]
99. pplications, events.
[Screenshot: Vulnerability Manager, Events tab: a table with the columns Firewall, Name, Family, Affected host(s) and ID, a Hosts list (Assigned, Name; e.g. 14/05/2014 14:14) and the help zone for the event "Microsoft Windows OS detected", Description: "This host runs a Microsoft Windows operating system", Vulnerable Products.]
Figure 33: VULNERABILITY MANAGER, Events.
The Information tab informs you of your network's activity. You can therefore see the programs that are at risk of generating attacks. The window is divided into 3 sections: List of programs; List of hosts; Help zone.
4.2.4.1 Information view
This view allows you to see all the events that the firewall detects. Each line represents an event.
REMARK: The number of events is displayed in the tab's label.
The Information view displays the following data:
Family: Host family. Example: SSH.
Affected hosts: Number of hosts affected. These hosts are identified in the Hosts view of this tab.
REMARK: The number of hosts indicated in the column Affected hosts is not always the same as the number of elements indicated in the Hosts zone in this window. In fact, the same service may use several ports. For example, the service thh
100. r by this criterion: Example: If your cursor pointed to the destination website consulted, the displayed list will only present the elements containing this destination website.
Copy to the clipboard: Copies the selected line to the clipboard. All the elements, as well as the root element, will be added to the clipboard.
Contextual menu in the Informations tab
Right-clicking against a line containing data will bring you to the contextual menu, which will display the following information:
Filter this column by this criterion: This option allows restricting the list of results to the selected field. For example, if the data is filtered by the priority Major, the administrator will get all the lines containing Major. Note: Using this option will replace all the current filters on the columns.
Filter only this column by this criterion: This option allows you to restrict the list of the results pointed to by the cursor. Example: If your cursor pointed to the destination website consulted, the displayed list will only present the elements containing this destination website.
List the hosts that present the same information: Allows filtering on hosts that have similar events.
Copy to the clipboard: Copies the selected line to the clipboard. Data can be copied in two different ways: A single line is selected
101. right-clicking against a line detailing a host; When right-clicking against the help zone.
Contextual menu relating to a vulnerability
Right-clicking against a line containing a vulnerability will bring you to the contextual menu, which will allow you to:
Filter this column by this criterion: This option allows restricting the list of results to the selected field. For example, if the data is filtered by the priority Major, the administrator will get all the lines containing Major. Note: Using this option will replace all the current filters on the columns.
Filter only this column by this criterion: This option allows you to restrict the list of the results pointed to by the cursor. Example: If your cursor pointed to the destination website consulted, the displayed list will only present the elements containing this destination website.
Contextual menu relating to a host
Right-clicking against a line containing a host will bring you to the contextual menu, which will allow you to:
Filter this column by this criterion: This option allows restricting the list of results to the selected field. For example, if the data is filtered by the priority Major, the administrator will get all the lines containing Major. Note: Using this option will replace all the current filters on the columns.
Filter only this column by this criterion: This option allows you to restrict the list of the results pointed to by the
102. roughput.
[Screenshot: Dashboard throughput panels, including Top 5 hosts for incoming throughput and Top 5 hosts for outgoing throughput.]
Figure 26: Dashboard.
3.2.2 Selecting a product
When you click on the Dashboard menu, a product selector window may open if several firewalls have been registered (Figure 27: Search). If the list of firewalls is long, look for the desired firewall using the Search field. Select the firewall. Click on OK. The Dashboard of the desired firewall will appear.
3.2.3 System information
Firewall name: Name given to the product when it was registered in the address book.
Active Partition: Partition on which the firewall was booted.
Model: Firewall's model number.
3.2.4 Memory
This refers to the use, in percentage, of memory reserved for storin
103. s, Statistics, Interfaces, QoS and VPN SA) will be refreshed. The refreshment frequency is set to 30 seconds by default and may be a minimum of 10 seconds.
Activity data refreshment frequency: Specifies, in minutes, when activity data (hosts, authenticated users and Vulnerability Manager) will be refreshed. The refreshment frequency is set to 3 minutes by default and may be a minimum of 1 minute.
System data refreshment frequency: Specifies, in minutes, when system data (session data, high availability, RAID, cryptography card, quarantine, services and Active Update) will be refreshed. The refreshment frequency is set to 3 minutes by default and
Log refreshment frequency: Specifies, in minutes, when log data (Log space, filters, VPN, system, traffic and filter logs) will be refreshed. The refreshment frequency is set to 5 minutes by default and may be a minimum of 1 minute.
Configuration data update frequency: Specifies, in minutes, when configuration data (Anti-spam, anti-virus, proxies, SPD and system properties) will be refreshed. The refreshment frequency is set to 5 minutes by default and may be a minimum of 1 minute.
REMARK: The Default button allows you to reset the parameters to their default values.
Number of log lines to be downloaded.
2.2.4.2 Memory monit
104. [Screenshot residue: IPSec VPN tunnels table, one line per security association: gateway 10.2.0.2, status (mature or dying), remaining lifetime, hmac-sha1 authentication, aes-cbc encryption, incoming and outgoing SPI values in hexadecimal, identifiers and traffic volume in KB.]
105. s operations. The options offered vary according to the table.
2.2.1.5.2.1 Overview
3 contextual menus can be opened in this window: When right-clicking against a firewall; When right-clicking against an empty zone in the list of firewalls; When right-clicking in the Connection logs view.
Contextual menu relating to a firewall
Show dashboard: Opens the Dashboard menu of the selected firewall.
Generate an instant web report: Clicking on this button will generate a report in HTML. This report will contain the following information at any given moment: system information, memory, connected users, services, Active Update status, bandwidth statistics, connection statistics, vulnerabilities, number of hosts, authenticated users, number of major and minor alarms, quarantine, the number of VPN tunnels, filter rules and configured IPSec.
Allows logging on to the web administration interface of the selected firewall. This feature will run the web administration interface for firewall firmware in version 9 or higher, otherwise Unified
Disconnect: Allows disconnecting from the selected firewall.
Remove this firewall from the connection list: Enables disconnecting and deleting the entry that corresponds to this firewall.
Add a new firewall to the connection list and connect: Displays the direct connection window to enable connecting to a firewall.
Add a firewall from the: Opens t
106. spamlevel: treatment of the message, and the nature of the message could not be determined, if antispam has been enabled.
Virus (virus): Indicates whether there is a virus, if the antivirus has been enabled.
Sensitive information such as passwords is removed.
Packet: Indicates the IP packet for which the alarm was raised. Right-clicking on this packet allows it to be viewed through a packet analyzer. The information displayed in this column shows the size of the IPv4 packets (value beginning with 45). The size of captured packets is 1536 bytes.
WARNING: To view a packet, a software program needs to be installed on your workstation.
The logs will now be displayed for models without hard drive.
4.2 SN Vulnerability Manager (NVM)
4.2.1 Introduction
Stormshield Network VULNERABILITY MANAGER is a module that allows network administrators to gather information in real time and to analyze it in order to spot possible vulnerabilities that may compromise the security of their networks. Among other things, it also allows raising alarms generated by ASQ and thus maintaining an optimal security policy. Stormshield Network VULNERABILITY MANAGER collects and archives, in particular, i
107. stallation comprises all the graphic configuration tools of the Stormshield Network Suite, which serve as the interface between the user and the appliance. These tools have to be installed on an administration workstation.
The Stormshield Network Firewall is fully configured via a software program developed by NETASQ: Stormshield Network UNIFIED MANAGER. Using this program, you will be able to configure your firewall from a Windows workstation.
You will need the following elements in order to install this software: a CPU with a minimum of 2 GHz; a minimum of 2 GB of RAM (Windows 7) for the client software, 2 GB for the server software; about 300 MB of hard disk space, as this is what the software will occupy after its installation (if possible, reserve several gigabytes of space for the database, depending on the activity of the connected firewall(s)); an Ethernet 100 or 1000 Mbps network card.
Software applications are supported on the following operating systems: Microsoft Windows 7 and 8; Microsoft Windows Server 2008 and 2012.
1.2.2 INSTALLING VIA YOUR PRIVATE AREA
Download the necessary files from the website and execute the EXE program corresponding to the administration suite. The installation information will appear in the same language as the version of Windows that has been installed.
1.2.2.1 Verification procedure
108. ted the option in Application settings, Behavior at start-up. See Part 2, Chapter Startup behavior.
It is possible to store connection data on your different Firewalls. This information is stored on the same client workstation on which the interface has been installed. It may be encrypted if you check the option Address book is encrypted; in this case, you will be asked to enter an encryption key.
The information that is stored for each firewall includes the IP address, login name, connection password and the serial number of the Firewall to which you wish to connect. This password belongs to an authorized user.
By specifying a serial number, you will protect yourself from man-in-the-middle attacks. If you attempt a connection on a firewall that does not meet the serial number criterion indicated in the address book, the monitor will inform you that you are attempting to connect to an unknown firewall. You will also be asked if you wish to add this serial number to the list of authorized firewalls. Verify the information displayed in the monitor before accepting such a request. Once this
109. textual menu, which will display the following information:
Filter this column by this criterion: This option allows restricting the list of results to the selected field. For example, if the data is filtered by the priority Major, the administrator will get all the lines containing Major. Note: Using this option will replace all the current filters on the columns.
Filter only this column by this criterion: This option allows you to restrict the list of the results pointed to by the cursor. Example: If your cursor pointed to the destination website consulted, the displayed list will only present the elements containing this destination website.
View the packet that raised the alarm: This will open the tool that will allow you to view malicious packets.
Copy to the clipboard: Copies the selected line to the clipboard. Data can be copied in two different ways: A single line is selected: in this case, this line as well as the lines of details will be copied; Several lines are selected: in this case, only these lines will be copied to the clipboard.
2.2.1.5.2.5 Interfaces
Right-clicking against a line containing an interface will bring you to the contextual menu:
Filter by these criteria: This option allows restricting the list of results to the selected field. For example, if the data is filtered by the priority Major, the administrator will get all the lines containing Major.
Filter only this col
110. that allows analyzing packets.
Parameters: The parameter packet file can be added to the packet analyzer.
2.2.3.3 Report
[Screenshot: Settings dialog, Report tab (tabs Behavior at startup, External tools, Report, Address book, Miscellaneous); Destination folder: Monitor Reports, with a Reset button; Number of events: 500.]
Figure 15: Settings, Report.
Destination folder: Enables selecting the destination folder for the report.
Number of events: Allows defining the number of events desired when generating the report. By default, the value is set to 500 lines.
REMARK: The report can be generated by right-clicking on a line in the Overview menu and by selecting the option Generate a web report.
The report contains the following information:
[Screenshot: synthesis report listing Firewall, services, Active Update status, Statistics (bandwidth), Statistics (connections), Vulnerability Manager (0 vulnerabilities, 0 applications, 0 events, 1 host, 0 authenticated users), Alarms (MAJOR 26, minor 40), Quarantine (0), ASQ Bypass (0), VPN Tunnels, Serial number, Firewall date and time (ven mai 16 15:52:42 2014), Active partition, Firewall Uptime (1d 6h 39m 45sec).]
Figure 16: Synthesis report. It displays information regarding the
111. the firewall, click on the link. The Logs menu will appear.
3.2.14 Services
This zone indicates whether there are problems with the services. To view a list of services and their status (Enabled/Disabled), click on the link; the Services menu will appear.
3.2.15 Proxy Cache
These 3 pie charts represent the use of the HTTP cache when it has been enabled in the filter rules. The first graph compares the number of cached requests and the number of requests that were not saved in memory. The second graph compares the amount of cached data and the amount of data not saved in memory. The third graph represents the distribution of cached data on the hard disk, data cached in RAM and data not saved in memory.
3.2.16 Interfaces
This zone indicates whether there are problems with the interfaces. To view information on bandwidth, connections and throughput, click on the link. The Interfaces menu will appear.
3.2.17 Top 5 interfaces for incoming throughput
This zone displays the list of the 5 interfaces that have registered the most incoming throughput. Click on any one of the interfaces to display the Throughput tab graph in the Interfaces menu.
3.2.18 Top 5 interfaces for outgoing throughput
This zone displays the list of the 5 interfaces that have registered the most outgoing throughput. Click on any one of th
112. the meaning of the message "Impossible to locate the machine on x.x.x.x"? 2. How can I check the IP address(es) really assigned to the Firewall? 3. What is the meaning of the message "You lost the MODIFY privilege"? 4. What is the meaning of the message "The operation has exceeded the allotted time"? 5. How do I know if there has been an attempted intrusion? 6. Is it possible to allow protocols other than IP?
1. What is the meaning of the message "Impossible to locate the machine on X.X.X.X"?
This message means that the host on which you are connected cannot reach the Firewall by the IP address you have specified in the connection window. This may be for one of several reasons. Check:
That the IP address which you have specified in the connection window is that of the Firewall (that of the internal interface in advanced mode).
That your host has indeed a different IP address from the Firewall, but is on the same sub-network.
That the connections are properly in place (use a crossover cable only if you are connecting the Firewall directly to a host or a router). Type arp -a in a DOS window under Windows to see if the PC recognizes the Stormshield Network Firewall's physical (Ethernet) address. If it doesn't, check your cables and the physical connections to your hub.
That you have not changed the Firewall's operating mode (transparent or advanced).
That the Firewall recognizes the IP address (see "How c
113. [Screenshot: Hosts list with the columns Assigned, Name, Application, Type, Detail, Operating system, Port and Internet Protocol (e.g. 14/05/2014 14:14, OpenSSH 6.2, Server, FreeBSD, 22, tcp), an Open in browser option, and the help zone:]
OpenSSH AES-GCM Ciphers Privilege Escalation Vulnerability. Risk level: Low. Description: A vulnerability has been reported in OpenSSH which can be exploited by malicious local users to gain escalated privileges. The vulnerability is caused due to an error when an AES-GCM cipher is selected during key exchange and can be exploited to dereference uninitialised callback pointers and subsequently e.g. execute arbitrary code with escalated privileges. Successful exploitation requires OpenSSH to be built against an OpenSSL library that supports AES-GCM ciphers. 2013-11-08. The vulnerability is reported in versions 6.2 and 6.3. Target type. Vulnerable Products: Vulnerable Software OpenSSH 6.x, Client. Solution: Update to version 6.4. Possible Exploitation: Local. CVE: CVE-2013-4548. References: http://www.openssh.com/txt/gcmrekey.adv.
Figure 31: Help.
4.2.3 Application tab
[Screenshot: Applications view (Refresh button; 1 vulnerability, 3 applications) with the columns Firewall, Family, Type and Instance: FreeBSD, Operating System, Operating System, 1; OpenSSH, SSH, Server, 1; OpenSSH Client, SSH, Client, 2; and a Hosts list with the columns Name, Application, Type, Operating system, Port and Internet Protocol.]
114. tpd server 2.25b can listen to 2 different ports, thus increasing the number of elements.
4.2.4.2 Hosts view
This view allows you to see all the events for a given host. Each line represents a host. The information seen in the Hosts view is as follows:
Assigned: Date and time of the event's occurrence.
Name: Name, as well as the version if available.
Type: Whether the software application provides a service.
Operating system.
Detail: Details about the operating system.
4.2.4.3 Help zone
The help zone allows you to get more details relating to the attack. Thus, the administrator can correct the vulnerability. Click on the Show help button to show or hide the help zone associated with an event. Typically, help comes in the form of a descriptive file that contains explanations, links to the publisher's site or to bug fixes.
[Screenshot: Applications window (1 vulnerability, 3 applications, 4 events; Items 4/4) with the columns Firewall, Name, Family, Affected host(s) and ID: "Linux OS detect", Operating System, 1; "Microsoft Wind", Operating System, 8; "SSH Server is ru", SSH, 1; "Unix OS detected", Operating System, 2; and a Hosts search zone.]
115. [Screenshot: VPN policy table listing source and destination traffic endpoints (e.g. Network_loopback_v6, any_v4, Network_loopback_v4, Network_dmz4_v4, Private_Net_Hub, Private_Net_Spoke_A), tunnel endpoints (Pub_FW_Spoke_B, Pub_FW_Hub), the level "unique" and identifiers 16385 to 16388.]
Figure 54: VPN policy.
The VPN section allows viewing the configuration of the different VPN tunnel policies defined in the active VPN slot. These VPN policies do not necessarily have to be used in order to be displayed; the VPN slot only needs to be activated. The following information is displayed in this window:
Source (Traffic endpoint): Indicates the source network.
Destination (Traffic endpoint): Indicates the destination network.
REMARK: This level is defined when creating the VPN tunnel, according to the encryption and authentication algorithm.
LOGS
7.4 STATUS OF USE
A graph represents the current size of the log file in real time.
[Graph legend: Alarms, Authentication, Connections, Filters, ftp, Monitor, Plugins, POP3, VULN
116. umn by this criterion: This option allows you to restrict the list of the results pointed to by the cursor. Example: If your cursor pointed to the destination website consulted, the displayed list will only present the elements containing this destination website.
Display hosts associated with this interface: This option allows displaying the list of hosts that have the same interface.
2.2.1.5.2.6 Quality of Service
Please refer to chapter QUALITY OF SERVICE (QoS).
2.2.1.5.2.7 Users
2 contextual menus can be opened in this window: When right-clicking against the users zone; When right-clicking against an administration sessions zone.
Contextual menu from right-clicking against the users zone
Filter this column by this criterion: This option allows restricting the list of results to the selected field. For example, if the data is filtered by the priority Major, the administrator will get all the lines containing Major. Note: Using this option will replace all the current filters on the columns.
Filter only this column by this criterion: This option allows you to restrict the list of the results pointed to by the cursor. Example: If your cursor pointed to the destination website consulted, the displayed list will only present the elements containing this destination website.
Remove
117. [Screenshot residue: last lines of the IPSec VPN tunnels table (gateway 10.2.0.2, status mature, remaining lifetime, hmac-sha1 authentication, aes-cbc encryption, SPI values).]
Figure 49: IPSec VPN tunnels.
Here you will see statistical information on the tunnel's operation. The data displayed in this window are as follows:
Destination: Destination IP address.
this lifetime, as well as the value expressed in hours, minutes and seconds.
Authentication: The authentication algorithm.
The tunnel is made up of two sub-tunnels, one for each direction of the datagram transmission.
REMARK: The algorithms and limits have been configured in the Stormshield Network UNIFIED MANAGER; refer to the Manager user and configuration guide (help) for further details.
TIP: You will find other information on the parameters in this window in the RFC. Further information may be found in RFC 2401 (IPSEC), http://www.ietf.org/rfc/rfc2401.txt, or on sites such as http://www.guill.net/reseaux/Ipsec.html.
This status is color-coded. The line containing VPN information will use the color corresponding to the tunnel's status:
Dead: the SA has expired and cannot be used; the tunnel has not been set up and is therefore no longer active.
Orphan: a problem has arisen; in general, this status means that the tu
118. vailable bandwidth on each interface in real time.
[Graph: Bandwidth usage; horizontal axis Time.]
Figure 43: Interfaces, Bandwidth.
Each interface is represented by a different color, the legend of which may be found at the top of the graph. Maximum bandwidth represents the theoretical maximum throughput supported by the interface. Example: For a 100 Mbits/s line used in full duplex, this maximum is 200 Mbits/s, and for a 10 Mbits/s line used in half duplex, it is 10 Mbits/s.
4.4.5 Connections tab
The connection graph displays, in real time, the number of connections on each of the Firewall's interfaces during the defined period.
[Graph: Connections, with the Incoming connections, Outgoing connections and Throughput tabs for the dmz10 interface.]
Figure 44: Interfaces, Connections.
Each interface is represented by a different color, the legend of which may be found at the top of the graph.
4.4.6 Incoming connections tab
The screen displays the incoming connections in progress relating to the selected interface. To find out what data are offered, please refer to the chapter of the Hosts module, section Connections view for the hosts tab.
4.4.7 Outgoing connections tab
The screen displays the outgoing connections in progress relating to the selected interface. To find out what data are offered, please refer to the
119. xadecimal.
Out SPI: SPI number of the negotiated outgoing SA.
Cookie: Temporary identity markers for the initiator and recipient of the negotiation (incoming: I, outgoing: O).
Role: Indicates the user's endpoint.
[Screenshot: system log (columns Date, Service, Message), e.g. 15:57 sysevent "La configuration a été modifiée"; 15:57 HA "Successfully synchronized userprefs from to all"; 12:31 SSOAgent "Agent sso_agent_backup successfully connected on"; 12:31 SSOAgent "Agent sso_agent_backup Connected to the agent"; 12:29 SSOAgent "Agent sso_agent_main is active"; 12:29 SSOAgent "Agent sso_agent_backup timed out during configuration ack"; 12:27 SSOAgent "Agent sso_agent".]
120. you to restrict the list of the results pointed to by the cursor.
Copy to the clipboard: Copies the selected line to the clipboard.
2.2.1.6 Status bar
[Screenshot: status bar showing Overview and Vulnerability Manager data (all Events).]
Figure 9: Status bar.
The status bar contains menus from the menu directory that may have been opened during a session. Being able to do so is particularly useful when you are monitoring several firewalls at a time: you will be able to get back the same information window for each firewall and thus make simultaneous comparisons.
2.2.1.7 Button bar
[Screenshot: button bar with Refresh, Show help, Firewall and Duplicate.]
Figure 10: Button bar.
This bar appears in most menus in Monitor.
2.2.1.7.1 Refresh
This button allows you to reinitialize the list displayed (Alarms, VULNERABILITY MANAGER, Hosts, Interfaces, Quality of Service, Users, Quarantine, VPN Tunnels, Active Update, Services, Hardware, Filter Policy, VPN, Logs).
2.2.1.7.2 Show/Hide help
This button allows you to show or hide a help screen. Subsequently, you only need to click on the selected line to get help when necessary.
2.2.1.7.3 Firewall
This drop-down menu allows you to filter the list of alarms on a selected firewall.
2.2.1.7.4 Duplicate
The window can be duplicated using the button found in it. This comes in handy especially whe
