NETASQ REAL-TIME MONITOR V.9.0 USER MANUAL
Contents
1. [Figure 51: Services. Screenshot of the Services view, listing each service (SSH server, Active Update, interface monitoring, ASQ supervision service, hardware monitoring service, communication server, logs, BGP dynamic routing server, ClamAV antivirus, DHCP client, DHCP relay, dynamic routing console, LDAP server, dialup connections server (PPP/PPTP/PPPoE), dynamic routing network services module, OSPF dynamic routing server, RIP dynamic routing, router advertisement daemon) with its Enabled/Disabled status and its uptime.]
Proxies are displayed in 4 distinct entries: HTTP Proxy, SMTP Proxy, POP3 Proxy and FTP Proxy.
Information regarding the antivirus can also be seen in this window: activity, version, last update and expiry of its license.
The following data will be displayed when you click on the Services menu:
Status: Indicates whether services are active or inactive.
2. [Figure 31: Help. Screenshot of the vulnerability help panel, transcribed below.]
Overflow and DoS Vulnerabilities
Risk level: Critical
Description: Two vulnerabilities have been identified in Sun Java Development Kit (JDK), which could be exploited by remote attackers to take complete control of an affected system or cause a denial of service. The first issue is caused by an integer overflow error in the image parser when processing ICC profiles embedded within JPEG images, which could be exploited by attackers to execute arbitrary code. The second vulnerability is caused by an error in the BMP image parser when processing malformed files on Unix/Linux systems, which could be exploited by attackers to cause a denial of service.
Advisory release date: 2007-05-16
Target type: Client
Possible exploitation: Remote
Vulnerable products: Sun Java JDK 1.5.x, Sun Java JRE 1.3.x, Sun Java JRE 1.4.x, Sun Java JRE 1.5.x (5.x), Sun Java JRE 1.6.x (6.x), Sun Java SDK 1.3.x, Sun Java SDK 1.4.x
Solution: Upgrade to JDK and JRE 6 Update 1 or later, JDK and JRE 5.0 Update 11 or later, and SDK and JRE 1.3.1_20 or later (http://java.sun.com/javase/downloads/index_jdk5.js)
CVE: CVE-2007-2788, CVE-2007-2789, CVE-2007-3004, CVE-2007-3005
References: http://scary.beasts.org/security/CESA-2006-004.html, http://sunsolve.sun.com/search/document.do?assetkey=1-26-10293
SEISMO detection: Yes, since ASQ v3.5.0
4.2.3 Application tab
3. [Screenshot: VPN log entries. Each row reads "<time> Information 2 Firewall_bridge gw Phase established <incoming SPI> <outgoing SPI> 0x184f3e3a3f12 initiator 10.0.0.128 10.2.x.0/24"; two level-0 rows ("Isakmp daemo", "Reloading Isak d") are cut off in the capture. See Figure 56: VPN.]
4. Example: fri 9 march 15:46:04 2007
Priority (pri): Determines the alarm level. The possible values are: 0 emergency, 1 alert, 2 critical, 3 error, 4 warning, 5 notice, 6 information, 7 debug.
Source: IP address or name of the object corresponding to the source host of the packet that set off the alarm.
Source port (srcport, srcportname): Source port number of the service, or the name of the object corresponding to the service port of the source host (only if TCP/UDP).
Destination (dst, dstname): IP address or name of the object corresponding to the destination host of the packet that set off the event.
Destination port (dstport, dstportname): Destination port number of the service, or name of the object corresponding to the service port of the destination host, if it exists and is requested for this connection.
User: Identifier of the authenticated user (FTP), e-mail address of the sender (SMTP), identifier of the user if authentication has been enabled (WEB).
Message (msg): Detailed description of the alarm. All commands sent by the client are found here. Sensitive information such as passwords is removed.
Sent: Number of KB sent during the connection.
Spam level: 0 = message not spam; 1, 2 and 3 = spam; x = error during the treatment of the message and the nature of the message could not be determined (if antispam has been enabled).
Virus: Indicates whether there is a virus in the e-mail.
5. [Figure 36: Hosts / Vulnerabilities. Screenshot of the Vulnerabilities tab of the host view, with columns Severity, Application name, Name, Family, Type, Detail, Detected, Exploit, Solution.]
The information provided in the vulnerability view is as follows:
Severity: 4 levels: Low, Moderate, High, Critical.
Name: Indicates the name of the vulnerability.
Type: Software type: Client (the software does not provide any service) or Server (the software application provides a service).
Target: One of 2 targets: Client or Server.
WARNING: This refers to the discovery date and not the date on which the vulnerability appeared on the network.
4.3.3 Applications view
[Figure 37: Hosts / Applications. Screenshot of the Applications tab, with columns Name, Version, Vulnerability, Family, Type, Port, Internet Protocol; example row: DNS Server, 0, DNS Server, Server, 53, udp.]
This tab describes the applications detected for a selected host. It is possible to view applications in detail later. The Appl
6. connected users, services, Active Update status, bandwidth statistics, connection statistics, vulnerabilities, number of hosts, authenticated users, number of major and minor alarms, quarantine, the number of VPN tunnels, filter rules and configured IPSec tunnels.
Remove this firewall from the connection list: Enables disconnecting and deleting the entry that corresponds to this connection.
Add a firewall from the address book to the connection list and connect: (description lost in extraction)
Add this firewall to the address book: Opens a window that will allow saving the selected firewall in the address book.
Edit the address book: Opens the address book window to enable editing.
Add a new firewall to the connection list and connect: Displays the direct connection window to enable connecting to a firewall.
Copy: Copies the selected log line(s).
2.1.5.2.3 Events
Right-clicking against a line containing an event will bring you to the contextual menu that will allow you to:
Filter by these criteria: This option allows restricting the list of results to the selected field. For example, if the data is filtered by the priority Major, the administrator will get all the lines co
7. [Screenshot: Logs > System view. Rows of the form "<time> proxy Sighup received refresh config", "<time> proxy URLFiltering profile 01 unable to load rule 8 bypass it", "<time> dns cache cycle N times each day based on last 60 minutes activity, M times each day based on activity since first check (H hours)" and "12 40 03 sysevent Active Update update successful Kaspersky".]
8. knows. VULNERABILITY MANAGER then combines and weights these data. The vulnerability found can then be treated using databases that have been indexed dynamically. Once all this information has been collected, it will be used in Monitor so that flaws on the network can be corrected, prohibited software can be detected, or the real risk relating to the attack can be identified in real time. The profile is therefore complete. One or several solutions can thus be considered.
Example: A company has a public website that it updates twice a month via FTP. At a specific date and time, a vulnerability that affects FTP servers is raised and Monitor immediately takes it into account, enabling the network administrator to detect it at practically the same time. This vulnerability is represented by a line that indicates the number of affected hosts and whether a solution is available. By deploying this line, details of the hosts concerned will appear, as well as the service that has been affected by the vulnerability. Help in the form of links may be suggested to correct the detected flaw. Once the network administrator becomes aware of the vulnerability, he can correct it at any moment, quarantine the affected host(s) and generate a report.
VULNERABILITY MANAGER can also perform weekly, monthly or yearly analyses using the application NETASQ EVENT REPORTER (Autoreport). See the N
9. Connections and Events relating to the selected host.
A help view that allows working around the selected vulnerability if a solution exists.
4.3.1 Host view
This view allows you to see all the hosts that the firewall detects. Each line represents a host. The information seen in the Hosts view is as follows:
Name: Name of the source host if declared in objects, or the host's IP address otherwise.
(several rows lost in extraction; the last of them ends with "MANAGER event")
Interface: Interface on which the host is connected.
Bytes out: Number of bytes that have passed through the Firewall to the source host since startup.
4.3.2 Vulnerabilities view
This tab describes the vulnerabilities detected for a selected host. Each vulnerability can then be viewed in detail.
[Screenshot: Hosts view with columns Name, Address, Users, Operating system, Vulnerabilities, Applications, Information, Open ports, Vulnerability Manager, Interface, Bytes in, Bytes out; example row for host 10.2.0.114.]
10. When this window is validated, a Console menu will be added under the Overview menu directory.
Minimize in systray: If this option is selected, the application will be minimized in the systray instead of being shut down when it is closed.
2.4 DEFAULT MONITORING SETTINGS
This menu enables configuring when all information contained in Monitor will be refreshed. There are 6 parameters that regulate the frequency of data retrieval. You can define how long the different logs (in number of lines) and datagrams (in minutes) will be displayed. The default parameters for monitoring can be accessed from the menu File > Default monitoring settings.
2.4.1 Updates
[Screenshot: Default monitoring settings window, tabs Monitor / Memory / Miscellaneous. Fields: Event refreshment frequency 30 seconds; Graph refreshment frequency 30 seconds; Activity data update frequency 3 minutes; System data update frequency (minutes); Log refreshment frequency 1 minute; Configuration data update frequency (minutes).]
Event refreshment frequency: Specifies, in seconds, when the list of detected events will be refreshed. The refreshment frequency is set to 30 seconds by default and may be a minimum of [value illegible] second and a maximum of 3600 seconds.
Graph refreshment frequency: Specifies, in seconds, when graphs (Statistics, Int
11. that set off the event.
Destination port (dstport): Destination port number of the service, or name of the object corresponding to the service port of the destination host, if it exists and is requested for this connection.
Destination interface (dstif, dstifname): Network card of the destination interface.
User: Identifier of the authenticated user (FTP), e-mail address of the sender (SMTP), identifier of the user if authentication has been enabled (WEB).
Action: Action associated with the filter rule and applied on the packet. Examples: Block, Pass.
ICMP code (icmpcode): ICMP code in the alarm logs.
(row lost in extraction) ... Sensitive information such as passwords is removed.
Alarm type (classification): Code number indicating the alarm category.
Packet (pktlen): Length of the captured network packet.
(row lost in extraction) ... configured in NETASQ UNIFIED MANAGER, in the menu Logs > Advanced, option "Write log duplicates every".
Date/time: Date and time the line was recorded in the log file, at the firewall's local time. Example: fri 9 march 15:46:04 2007
Priority (pri): Determines the alarm level. The possible values are: 0 emergency, 1 alert, 2 critical, 3 error, 4 warning, 5 notice, 6 information, 7 debug.
Rule number: Rules are numbered in order. This n
12. [Screenshot: Vulnerability Manager > Applications view for firewall 10.2.0.1, with columns Firewall, Name, Family, Type, Instances. Example rows: Adobe Update Manager (Web Client, Client, 3); Apache (Web Server, Server, 2); Apache Debian, Apache Ubuntu, Apache Coyote, CUPS, lighttpd (Web Server, Server, 1 each); cURL, Google Update, JRE (System Tool, Client); Evolution, Microsoft Outlook (Mail Client, Client, 1); Firefox (Web Client, Client, 44); Google Chrome (Web Client, Client, 19); Microsoft Internet Explorer (Web Client, Client, 21); Konqueror, Google Toolbar (Web Client, Client, 3); Google Document, Google Spreadsheet (Cloud App, Client); iTunes, Microsoft Windows Media Player (Media Players, Client); Microsoft MSN Messenger (Instant Messengers, Client, 1); FreeBSD (Operating System, 36); Linux, Microsoft Windows Seven (Operating System, 23), Microsoft Windows Vista (Operating System).]
13. [Screenshot: VPN log entries (continued). Each row reads "<time> Information 2 Firewall_bridge gw Phase established <incoming SPI> <outgoing SPI> 0x184f3e3a3f12 initiator 10.0.0.128 10.2.x.0/24" for the /24 networks 10.2.5.0 to 10.2.47.0. See Figure 56: VPN.]
14. [Figure 55: VPN policy. Screenshot of the VPN policy view: each row shows the local endpoint Firewall_bridge, the remote gateway gw.labo.netasq.com, the policy type "unique" and a policy identifier (16387 to 16451).]
The VPN section allows viewing the configuration of the different VPN tunnel policies defined in the active VPN slot. These VPN policies do not necessarily have to be used in order to be displayed: the VPN slot only needs to be activated.
The following information is displayed in this window:
Direction: Indicates the direction of the traffic, represented by icons.
Destination / Traffic endpoint: Indicates the destination network.
REMARK: This level is defined when creating the VPN tunnel, according to the encrypti
15. 2.14 by entering only 14 in the search field.
2 GETTING FAMILIAR WITH NETASQ REAL-TIME MONITOR
2.1 PRESENTATION OF THE INTERFACE
2.1.1 Main window
From this window you can open several windows, each connected to different firewalls.
[Figure 6: Overview. Screenshot of the main window: a banner summarising the vulnerabilities detected on the monitored networks, the firewall list with columns State, Name, Address, Login, Model, Firmware, Active Update, SEISMO, Antivirus, Backup version, Last alarm, and the connection log pane (hostname lookup, socket started, connection established, authenticated).]
Once Monitor is connected, it will open a welcome window (Overview menu) which will display various types of information on the firewall's activity. It consists of five parts:
A menu bar
A horizontal bar containing icons relating to connection and a search zone
A vertical bar containing a menu directory allowing NETASQ REAL-TIME MONITOR options to be viewed and configured
A result display zone
A status bar
16. [Figure 26: Dashboard. Screenshot of the Dashboard for firewall 10.2.0.1: Top 5 interfaces for incoming throughput, Top 5 hosts for incoming throughput, Top 5 interfaces for outgoing throughput, Top 5 hosts for outgoing throughput (each with per-entry MB/s and KB/s figures and a cumulated/used total); counters for Host, Fragmented, Connections, ICMP, Data tracking, Dynamic, NAT rule, URL filter rule; a Vulnerabilities summary (Critical 47, High 14, Moderate 13, Low 20); and memory use split between User, Kernel and Interruption.]
3.2.2 Selecting a product
When you click on the Dashboard menu, a product selector window may open if several firewalls have been registered.
[Figure 27: Search. Screenshot of the product selector listing the registered firewalls (for example fw_seb at 10.2.0.1, "Firewall labo").]
If the list of firewalls is long, look for the desired firewall using the Search field. Select the firewall and click on OK. The Da
17. An overview of information on vulnerabilities found on your network (corresponds to the Part 4, Chapter 2 VULNERABILITY MANAGER menu)
A search and icon bar
A list of your firewalls
A view of connection logs
[Screenshot: NETASQ REAL-TIME MONITOR 9.0 main window. Network overview banner stating how many vulnerabilities were detected on the monitored networks and how many of them are critical and remote; firewall list with columns Auto connect, Read only, State, Name, Address, User, Model, Firmware, Active Update, Vulnerability Manager, Antivirus, Backup version, Last alarm, Global filter (example row: fwlaboro, 10.2.0.1, admin, U450-A, 9.0.2 beta 44, Major 19 / Minor 94); menu directory (Overview, Dashboard, Events, Vulnerability Manager, Hosts, Interfaces, Quality of Service, Users, Quarantine, VPN tunnels, Active Update, Services, Hardware, Filter policy, VPN policy, Logs, VPN, System); connection logs pane:
11 33 51 Automatic connection failed no firewall named 10.2.20.226 was found in the address book
11 33 54 fwlaboro 10.2.0.1 Performing hostname lookup
11 33 54 fwlaboro 10.2.0.1 Start of connection
11 33 54 fwlaboro 10.2.0.1 A connection has been successfully establish]
18. [Figure 49: VPN tunnels. Screenshot of the VPN tunnels view: each row shows the local endpoint Firewall_bridge (10.2.0.1), the bytes exchanged (from 0 to 1.15 MB), the remote gateway gw, the state "mature", the remaining lifetime (from a few seconds to 27m 55sec) and the algorithms hmac-sha1 / aes-cbc.]
Here you will see statistical information on the tunnel's operation. The data displayed in this window are as follows:
Bytes: Indicates incoming and outgoing throughput.
(rows lost in extraction) ... lifetime as well as the va
19. [Figure 56: VPN. Screenshot of the VPN log view; rows read "<time> Information 2 Firewall_bridge gw Phase established <incoming SPI> <outgoing SPI> 0x184f3e3a3f12 initiator 10.0.0.128 10.2.x.0/24".]
The following data is displayed when you click on the VPN menu:
Date: Date and time the entry was generated.
Source: Connection source address (tunnel initiator).
(row lost in extraction) ... specified as the identity type.
In SPI: SPI number of the negotiated incoming SA, in hexadecimal.
(row lost in extraction) ... incoming/outgoing.
Role: Indicates the user's endpoint.
[Screenshot: NETASQ REAL-TIME MONITOR 9, Logs view with Refresh and Search controls and columns Date, Service, Message. Rows:
15 52 55 dns cache cycle 13 times each day based on last 60 minutes activity 7 times each day based on activity since first check 27 hours
15 40 03 sysevent Active Update update successful Kaspersky
15 40 02 proxy Sighup received refresh config
14 52 52 dns cache cycle 11 times each day based on last 60 minutes activity 6 times each day based on activity since first check 26 hours
14 18 54 proxy Sighup received refresh config
14 18 11 proxy Sighup received refresh config]
20. [Screenshot: Vulnerability Manager view for firewall 10.2.0.1. Upper pane, vulnerabilities rated Critical: MySQL yaSSL Certificate Handling Remote Buffer Overflow Vulnerability; Sun Java JDK and JRE Code Execution and Security Bypass Vulnerabilities; Sun Java Deployment Toolkit Remote Argument Injection Vulnerability; OpenOffice.org Code Execution and Security Bypass Vulnerabilities; Apple Safari Code Execution and Information Disclosure Vulnerabilities; OpenOffice.org Impress File Processing Buffer Overflow Vulnerabilities; Apple Safari File Processing Insecure Library Loading Vulnerability. Lower pane, Hosts (63), with columns Assigned, Name, Application, Type, Detail, Operating system, Port; example rows dated 09/01/2012 12:38:00 for hosts 10.2.5.1, 10.2.27.1, 10.2.38.1, 10.2.39.1, 10.2.43.1 and 10.2.44.1 running JRE 1.6.0_07 (Client) on FreeBSD or Unix. A help pane offers a link to the NETASQ security knowledge base (www.netasq.com/securitykb) with an "Open in browser" button and the entry "Sun Java Development Kit ICC and BMP Parsing Buffer".]
21. activation.
5 HARDWARE
5.1 High availability
This window displays information concerning the initialization of high availability.
DEFINITION OF HIGH AVAILABILITY: High availability is an option that allows two firewalls, identified through a MasterHA and a BackupHA license, to exchange information on their statuses via a dedicated link, in order to ensure service continuity in the event one of the firewalls breaks down. Firewalls in high availability have the same configuration; only their serial numbers, their licenses (Master or Backup) and, most of all, their status (active or passive) differ.
[Screenshot: High availability window for firewall 10.2.0.1, last sync lun 9 janv 12:52:00 2012, showing the two members side by side. Serial numbers U450XA4F1010300 and U450XA511016030; Model U450-A; Version 9.0.2 beta 53; Quality 100; Mode Active / Passive; License Master / Slave; Active partition Main; Backup partition ver 9.0.2 beta 22 NO_OPTIM; Backup partition date lun 2 janv 12:08:22 2012 / lun 2 janv 11:32:45 2012; Priority 0; Uptime 0; State Running / Ready; Main link 172.16.100.1 OK.]
22. [Figure 29: Events. Screenshot of the Events view: each row shows the time, the log type (Alarm, Connection, Web), the action (block, pass), the priority (Notice, Minor), the filter policy (Config01), the source host and port, the destination object (for example dns.google.com, www.facebook, an akamai.net host or the firewall loopback object) and the service (domain_udp 53, http 80, https 443).]
When the Events menu in the menu directory is selected, the data displayed by default are:
Date/time: Date and time the line was recorded in the log file, at the firewall's local time.
Logs: Indicates the type of logs; the possible types of logs are Alarm, Plugin, Connection
23. 3.2.6 Hardware
DEFINITION OF HIGH AVAILABILITY: A specific architecture in which a backup firewall takes over when the main firewall breaks down while in use. This switch is totally transparent to the user.
If high availability has been activated, an additional section will provide you with the information regarding high availability: status of the firewalls, licenses, synchronization.
Click on the descriptive phrase in the Hardware zone in order to display the Hardware menu and to obtain information on high availability. If the backup firewall is not available, information on the active firewall can be viewed.
[Figure 28: Hardware. Screenshot of the Hardware window for firewall 172.30.1.128, stating "High Availability available but not activated", with links to the VPN tunnels, Dashboard, Interfaces and Hardware informations views.]
3.2.7 Active network policies
This view indicates whether slots are active. If so, the label of the activated rule is indicated. The rules mentioned here are:
Global filter rule: Name of the activated global filter policy.
(rows lost in extraction)
REMARK: <None> means that no policy has been activated fo
24. as passwords is removed.
Website category (cat site)
Antivirus scan message
Sent: amount of data sent
Received (rcvd): amount of data received
Duration: duration of the connection
MAIL
Message (msg): detailed description of the alarm. All commands sent by the client are found here. Sensitive information such as passwords is removed.
Antivirus scan message
SPAM level (spamlevel): Spam level: 0 = message not spam; 1, 2 and 3 = spam; x = error during the treatment of the message and the nature of the message could not be determined (if antispam has been enabled)
Sent: amount of data sent
Received (rcvd): amount of data received
Duration: duration of the connection
FTP
Message (msg): detailed description of the alarm. All commands sent by the client are found here. Sensitive information such as passwords is removed.
Antivirus scan message
Sent: amount of data sent
Received (rcvd): amount of data received
Duration: duration of the connection
Filter
Message (slotlevel): indicates whether the log had been started by an implicit (0), global (1) or local (2) rule
Rule (ruleid): identifier of the rule that set off the log
documentation.netasq.com
...command ifinfo. This will give you the network adapter configuration and the present operating mode.

3. What is the meaning of the message "You lost the MODIFY privilege"?
Only one user can be connected to the Firewall with the MODIFY privilege. This message means that a user has already opened a session with this privilege. In order to force this session to close, you need only connect adding an exclamation mark before the user's name: !admin.
WARNING: If an administrator session is open on another machine with the MODIFY right, it will be closed.

4. What is the meaning of the message "The operation has exceeded the allotted time"?
As a security measure, any connection between the Firewall and the graphic interface is disconnected after a given time, whether finished or not. In particular, this prevents an indefinite wait for a connection if the Firewall cannot be reached via the network.

5. How do I know if there has been an attempted intrusion?
Each attempted intrusion triggers a major or minor alarm, depending on its gravity and configuration. You are informed of these alarms in four ways:
Firstly, the LEDs on the front panel of the firewall light up red or flicker yellow to alert you.
Then, the alarms are logged in a specific file, which you can consult from the graphical interface (NETASQ REAL TIME MONITOR or NETASQ EVENT REPORTER).
You can receive an alarm report at regular
...destination website consulted, the displayed list will only present the elements containing this destination website.

2.1.5.2.9 VPN Tunnels
Right-clicking on a line containing a VPN tunnel will bring you to the contextual menu, which will allow you to:
Filter this column by this criterion: this option allows restricting the list of results to the selected field. For example, if the data is filtered by the priority "Major", the administrator will get all the lines containing "Major".
Filter only this column by this criteria: this option allows you to restrict the list to the results pointed to by the cursor. Example: if your cursor points to the destination website consulted, the displayed list will only present the elements containing this destination website.
View logs of outgoing SPIs: this option displays the SPIs of the negotiated outgoing SA.
View logs of incoming SPIs: this option displays the SPIs of the negotiated incoming SA.
View the outgoing policy: hypertext link enabling the display of the outgoing policy, visible in the VPN Policy menu.
View the incoming policy: hypertext link enabling the display of the incoming policy, visible in the VPN Policy menu.
Reset this tunnel: the selected tunnel will be deleted, but the configuration on the firewalls will still be active. The SAs matching the sele
...file that contains explanations, links to the publisher's site or to bug fixes, and the possibility of quarantining the affected host.

(Screenshot: Vulnerability Manager window for firewall 10.2.0.1 showing 104 vulnerabilities, 53 applications and 12 events; columns Firewall, Severity, Name, Affected hosts. The visible rows are Critical Sun Java entries, such as "Sun Java Development Kit ICC and BMP Parsing Buffer Overflow and DoS Vulnerabilities", "Sun Java JRE Web Start JNLP File Processing Remote Buffer Overflow Vulnerability" and "Sun Java JDK and JRE XSLT Stylesheets Processing Code Execution Vulnerability". Menu directory: Dashboard, Hosts, Interfaces, Quality of Service, Users, Quarantine - ASQ.)
(End of the System log screenshot, Figure 57:)
09:52:49 dns  cache cycle 15 times each day based on last 60 minutes activity, 5 times each day based on activity since first check (21 hours)
09:39:57 sysevent  Active Update: update successful (Kaspersky)
09:39:56 proxy  Sighup received, refresh config
09:39:56 proxy  URLFiltering profile 01: unable to load rule 8, bypass it
09:33:36 HA  HA link 172.16.100.5 is back online
09:33:14 HA  HA link 172.16.100.5 is down (unexpected)
09:32:35 sld  Too many open connection from 10.2.6.42 (max 528) on sld daemon service
09:20:02 dhcp  DHCPACK on 10.60.4.4 to 00:50:56:b0:4f:9c (W7-PC) via eth10
Figure 57: System

The following data is displayed when you click on the System menu:

APPENDICES
Appendix A: FAQ
1. What is the meaning of the message "Impossible to locate the machine on x.x.x.x"?
2. How can I check the IP address(es) really assigned to the Firewall?
3. What is the meaning of the message "You lost the MODIFY privilege"?
4. What is the meaning of the message "The operation has exceeded the allotted time"?
5. How do I know if there has been an attempted intrusion?
6. Is it possible to allow protocols other than IP?

1. What is the meaning of the message "Impossible to locate the machine on X.X.X.X"?
This message means that the host on which you are connected cannot reach the Firewall by the IP address you have specified in the conn
...in preparing this document, it may contain some errors. Please do not hesitate to contact NETASQ if you notice any. NETASQ will not be held responsible for any error in this document or for any resulting consequence.

Acceptance of terms
By opening the product wrapping or by installing the administration software, you will be agreeing to be bound by all the terms and restrictions of this License Agreement.

License
NETASQ hereby grants, and you accept, a non-exclusive, non-transferable license only to use the object code of the Product. You may not copy the software and any documentation associated with the Product, in whole or in part. You acknowledge that the source code of the Product and the concepts and ideas incorporated by this Product are valuable intellectual property of NETASQ. You agree not to copy the Product, nor attempt to decipher, reverse translate, de-compile, disassemble or create derivative works based on the Product or any part thereof, or develop any other product containing any of the concepts and ideas contained in the Product. You will be held liable for damages, with interests therein, in favor of NETASQ in any contravention of this agreement.

Limited warranty and limitation of liability
a) Hardware
NETASQ warrants its Hardware products ("Hardware") to be free of defects in materials and workmanship for a period of one year, in effect at the time the Purchaser order is accepted. Thi
...list of antispam servers and the URLs used for dynamic URL filtering.
This window displays the status of Active Update on the firewall for each type of update available: Antispam, Antivirus, Contextual signatures, Dynamic URL.

(Screenshot, Figure 50: Active Update window for firewall 10.2.0.1, with the buttons Refresh and Launch Active Update. Status line: "Updates were successful. The last Active Update was launched on 09:39:57". Columns State, Name, Last update, License expiry; all six rows are in state Updated: Antispam DNS blacklists (RBL) database (09:39:43), ASQ contextual signature database (09:39:43), Antispam heuristic engine database (09:39:57), NETASQ Vulnerability Manager database (09:39:57), Kaspersky antivirus database (09:39:57), NETASQ URL filter database (09:39:43); license expiry 31/12/2037 for all.)
Figure 50: Active Update

Active Update is used for automatically keeping URL databases up to date by downloading them from servers such as updateX.netasq.com.
The Monitor screen indicates the result of the l
(Continuation of the Vulnerabilities tab screenshot for firewall 10.2.0.1; columns Firewall, Severity, Name, Affected hosts, Family, Target, Exploit, Solution, Detected, ID:)
10.2.0.1 | Critical | ...org Impress File Processing Buffer Overflow Vulnerabilities | 2 | Office | client | Remote | Yes | 04/08/2010 | 122556
10.2.0.1 | Critical | Oracle Sun Java SE and Java for Business Multiple Vulnerabilities | 13 | System Tool | client | Remote | Yes | 14/10/2010 | 123211
10.2.0.1 | Critical | Google Chrome Memory Corruption and Security Bypass Vulnerabilities | 2 | Web Client | client | Remote | Yes | 20/10/2010 | 123282
10.2.0.1 | Critical | Google Chrome Memory Corruption and Use-after-free Vulnerabilities | 2 | Web Client | client | Remote | Yes | 04/11/2010 | 123441
10.2.0.1 | Critical | Google Chrome Use-after-free and Security Bypass Vulnerabilities | 2 | Web Client | client | Remote | Yes | 03/12/2010 | 123667
10.2.0.1 | Critical | Apple QuickTime Code Execution and Information Disclosure | 1 | Media Players | client | Remote | Yes | 08/12/2010 | 123695
10.2.0.1 | Critical | Google Chrome Multiple Memory Corruption and Denial of Service | 2 | Web Client | client | Remote | Yes | 14/12/2010 | 123765
10.2.0.1 | Critical | Google Chrome and Chrome OS Multiple Memory Corruption Vulnerabilities | 2 | Web Client | client | Remote | Yes | 13/01/2011 | 123990
10.2.0.1 | Critical | Oracle Open Office and StarOffice/StarSuite Code Execution Vulnerabilities | 2 | Office | client | Remote | Yes | 19/01/2011 | 124046
10.2.0.1 | Critical | OpenOffice.org Buffer Overflow and Directory Traversal Vulnerabilities | 2 | Office | client | Remote | Yes | 27/01/2011 | 124126
10.2.0.1 | Critical | Google Chrome Mul
...past 15 minutes. The maximum value is 100, even if the number of alarms exceeds this value.
Vulnerabilities: indicates the number of vulnerabilities.
Filter: indicates the name of the active filter slot.

3.1.4 Connection logs
This window indicates logs of connections between NETASQ REAL TIME MONITOR and the firewall.

Connection logs
11:33:51 Automatic connection failed: no firewall named 10.2.20.226 was found in the address book
11:33:54 fwlaboro (10.2.0.1) Performing hostname lookup
11:33:54 fwlaboro (10.2.0.1) Start of connection
11:33:54 fwlaboro (10.2.0.1) A connection has been successfully established
11:33:54 fwlaboro (10.2.0.1) Authenticating
11:33:55 fwlaboro (10.2.0.1) Authenticated. You have not obtained the required access rights
Figure 25: Connection logs

TIP: You can erase logs by right-clicking on the Connection logs view.

3.2 DASHBOARD
3.2.1 Introduction
The Dashboard menu allows displaying on a single screen all the useful information concerning real-time monitoring. It basically picks out useful information from some of the menus in the NETASQ REAL TIME MONITOR's menu directory and adds other additional information.
The data displayed in this window are:
System information (Memory, CPU)
Hardware
...the event was raised.
Source interface: network card.
Source: IP address or name of the object corresponding to the source host of the packet that set off the alarm.
Source port: number of the service or the name of the object corresponding to the service port of the source host (only if TCP/UDP).
Destination: IP address or name of the object corresponding to the destination host of the packet that set off the event.
Destination port: number of the service or name of the object corresponding to the service port of the destination host, if it exists and is requested for this connection.
Destination name (dstname).
Destination interface (dstif, dstifname): network card of the destination interface.
User: identifier of the authenticated user (FTP); e-mail address of the sender (SMTP); identifier of the user if authentication has been enabled (WEB).
Action: action associated with the filter rule and applied on the packet. Examples: Block, Pass.

Format of log files
Log files are text files. A log corresponds to a line ending with the characters CR (Carriage Return, or 0D in hexadecimal) and LF (Line Feed, or 0A in hexadecimal). The lines are in WELF format.

Blocked packets and allowed packets
In each log line, it is important to locate the Action token, as it enables identifying packets which have been allowed by the filter policy or because they had not been blocked by the ASQ analyses w
...the help zone associated with an event. Typically, help comes in the form of a descriptive file that contains explanations, links to the publisher's site or to bug fixes, and the possibility of quarantining the affected host.

(Screenshot, Figure 34: help sheet "DNS Server is running". Risk level: Null. Description: "Make sure this service is really needed and that the server is up to date with security patches." Target type: Client. Possible exploitation: Local. SEISMO detection: Yes, since ASQ v3.5.0. The fields Vulnerable products, Advisory release date, Solution, CVE and References are empty.)
Figure 34: Help

REMARK: Refer to the user guide NETASQ UNIFIED MANAGER to configure VULNERABILITY MANAGER.

4.3 HOSTS
From the menu directory, click on Hosts. This window lists the connected hosts (these hosts had been created earlier as objects in NETASQ UNIFIED MANAGER).

(Screenshot: Hosts window for firewall 10.2.0.1 with the buttons Refresh and Show help; columns Name, Address, Users, Operating system, Vulnerabilities, Applications, Information, Open ports, Vulnerability, Interface, Bytes in, Bytes out, Throughput in, Throughput out; rows for hosts 10.2.0.6, 10.2.0.13, 10.2.0.14, 10.2.0.16 and 10.2.0.95 (Linux OS).)
...will display the following information:
Filter this column by this criterion: this option allows restricting the list of results to the selected field. For example, if the data is filtered by the priority "Major", the administrator will get all the lines containing "Major". Using this option will replace all the current filters on the columns.
Filter only this column by this criteria: this option allows you to restrict the list to the results pointed to by the cursor. Example: if your cursor points to the destination website consulted, the displayed list will only present the elements containing this destination website.
View the packet that raised the alarm: this will open the tool that will allow you to view malicious packets.
Copy to the clipboard: copies the selected line to the clipboard. Data can be copied in two different ways: (1) a single line is selected: in this case, this line as well as the lines of details will be copied; (2) several lines are selected: in this case, only these lines will be copied to the clipboard.

Contextual menu in the help zone
Right-clicking on a help zone will bring you to the contextual menu, which will allow you to:
Copy: allows copying the help text in order to retrieve it later.
Copy the link: allows copying the hypertext link.
Select all: allows selecting all the help text.

2.1.5.2.5 Interfaces
Right clicking again
(End of the Connection logs pane in the Overview screenshot, Figure 1:)
...0.2.20.226 was found in the address book
10:38:37 fwlaboro (10.2.0.1) Performing hostname lookup
10:38:37 fwlaboro (10.2.0.1) Start of connection
10:38:37 fwlaboro (10.2.0.1) A connection has been successfully established
10:38:37 fwlaboro (10.2.0.1) Authenticating
10:38:39 fwlaboro (10.2.0.1) Authenticated. You have not obtained the required access rights
Figure 1: Overview

1.2.2 Connection
NETASQ REAL TIME MONITOR is opened differently depending on the option chosen in the tab Startup behavior in Application settings (cf. Part 2, Chapter 3, Startup behavior). The possible options are:
Direct connection
Connect to automatic connection data sources
None

1.2.2.1 Direct connection to a NETASQ multifunction Firewall
Direct connection allows you to enter connection information for a specific firewall. To make a direct connection, go to the menu File > Direct connection. Or, if Monitor has been configured to connect directly at startup, the following window will appear.
(Screenshot: Direct connection dialog with the fields Address, Login and Password and a "Read only" option.)
Figure 2: Direct connection
NOTE: For more information regarding connection, please refer to Part 2, Chapter 3, Startup behavior.
Indicate the firewall's IP address in the Address field.
Enter the administrator login in the User field.
Enter the administrator password in the Password field.
REMARK: Sele
(Continuation of the Hosts window screenshot: rows for hosts 10.2.0.114, 10.2.0.132 (Linux OS), 10.2.0.253 (FreeBSD), 10.2.1.1, 10.2.1.10, 10.2.1.100 (Microsoft), 10.2.1.251 (Microsoft), 10.2.2.1 (Linux OS), 10.2.4.10 (Linux OS), 10.2.4.11 (Microsoft), 10.2.4.50 (FreeBSD), 10.2.4.254 (Unix), 10.2.5.1 (FreeBSD), 10.2.5.254, 10.2.6.1 (Linux OS), 10.2.6.13 (Microsoft) and 10.2.6.42 (Microsoft), each with its Vulnerabilities, Applications, Information and Open ports counts, last-seen time and byte counters. The lower pane has the tabs Vulnerabilities, Applications, Information, Connections and Events, with the columns Severity, Application name, Name, Family, Type, Detail, Detected, Exploit, Solution, Port, Internet Protocol.)
Figure 35: Hosts

The window comprises 3 views:
1. A view that lists the hosts
2. A view that lists the Vulnerabilities, Applications, Information
Number of log lines to be displayed: configures the number of log lines you wish to display in the Traffic menu.
Graph period: indicates how long graphs will be displayed (statistics from the Interfaces menu).
Maximum number of events displayed: configures the number of event lines that you wish to display in the Events menu. By default, the value is set to 20,000 events, and may be a minimum of 1 event and a maximum of 2,000,000 events. The number of alarm lines indicated influences the memory used: the memory used for 150,000 event lines indicated for a firewall is about 220 MB; the memory used for 300,000 event lines indicated for a firewall is about 430 MB.

2.4.3 Miscellaneous
(Screenshot: Monitor > Miscellaneous settings; Connection timeout: 900 seconds.)
Connection timeout: when the firewall does not respond, the connection will be shut down at the end of the period determined in this field.

3 INFORMATION ON FIREWALLS
3.1 OVERVIEW
3.1.1 Introduction
From the menu directory, the Overview menu allows you to display several types of information regarding your firewalls. Once the connection with the firewall is established, this information will be available. The Overview menu consists of five zones:
The menu directory
(End of the High availability screenshot, Figure 52, one column per firewall: Main link ...172.16.100.2 OK; Backup link 172.16.100.5 OK / Backup link 172.16.100.6 OK; Supervisor Yes / Supervisor No; ASQ 4 / ASQ 4.2; Sync connection to the other member; Switchover 7 / Switchover 7.)
Figure 52: Hardware

Version 9 of NETASQ multifunction firewalls allows you to benefit from new-generation high availability support, with the display of the date of the last synchronization of the appliances. You will also note an evolution in RAID support.
Figure 53: Raid

6 POLICIES
6.1 FILTER POLICY
The Filter Policy menu, accessible from the menu directory in Monitor, recaps the active filter policy by grouping together implicit rules, global filter rules and local filter rules.

(Screenshot: Filter policy window for firewall 10.2.0.1 with the groups Implicit rules (138), Global filter rules (69), Local filter rules (54) and Local NAT rules (27); the visible NAT rules read:)
1 skip 12 from any to 10.0.0.0-10.0.255.255
1 nat from 10.60.0.5 on out to 10.0.0.0-10.0.255.255 -> from 10.2.0.1 port 20000-59999
1 nat from 10.60.0.5 on dmz11 to 10.0.0.0-10.0.255.255 -> from 10.2.0.1 port 20000-59999
1 INTRODUCTION
1.1 BASIC PRINCIPLES
1.1.1 Who should read this user guide
This manual is intended for network administrators or for users with the minimum knowledge of IP. In order to configure your NETASQ Firewall in the most efficient manner, you must be familiar with these protocols and their specific features:
ICMP (Internet Control Message Protocol)
IP (Internet Protocol)
TCP (Transmission Control Protocol)
UDP (User Datagram Protocol)
Knowledge of the general operation of the major TCP/IP services is also preferable: HTTP, FTP, Mail systems (SMTP, POP3, IMAP), Telnet, DNS, DHCP, SNMP, NTP.
If you do not possess this knowledge, don't worry: any general book on TCP/IP can provide you with the required elements. The better your knowledge of TCP/IP, the more efficient your filter rules will be and the greater your IP security.

1.1.2 Typographical conventions
1.1.2.1 Abbreviations
For the sake of clarity, the usual abbreviations have been kept. For example: VPN (Virtual Private Network). Other acronyms will be defined in the Glossary.
1.1.2.2 Display
Names of windows, menus, sub-menus, buttons and options in the application will be represented in the following fonts: Menu Vulnerability Manager.
1.1.2.3 Indications
Indications in this manual provide important information and are intended to attra
Active network policies
Alarms
Vulnerabilities
VPN tunnels
Active Update
Logs
Services
Interfaces
Top 5 interfaces for incoming throughput
Top 5 interfaces for outgoing throughput
Top 5 hosts for incoming throughput
Top 5 hosts for outgoing throughput

(Screenshot of the Dashboard, with the banner "One or several problems require your attention":)
System information: Firewall name <Unnamed>; Firmware on active partition 9.0.2 beta 44 NO_OPTIM; Active partition: Main; Firmware on passive partition 9.0.2 beta 22 NO_OPTIM; Model U450-A; Serial number U450XA4F1010300; Date/time 09/01/2012 11:53:20 GMT+01:00; Uptime 4d 21h 4m 23sec.
Hardware: HA is operational (last sync ven 6 janv 14:35:00 2012).
Active network policies: Global filter rule "Politique globale"; Filter rule "jour"; VPN rule "Tunnels Labo SVN".
Alarms: Major alarms in the past 15 minutes: 16; Minor alarms in the past 15 minutes: 100.
VPN tunnels: Number of VPN tunnels: 20.
Active Update: All updates were successful. The last Active Update was launched on 11:20:49.
Logs: Authentication logs use 99% of the available space allowed; Connections logs use 100%; Plugins logs use 99%; Web logs use 100%.
Services: Services are OK.
Interfaces: Network interfaces are OK.
Top
...NETASQ EVENT REPORTER user guide.
When you click on the VULNERABILITY MANAGER menu in the menu directory, the scan window will consist of the following:
A Vulnerabilities tab
An Applications tab
An Events tab

4.2.2 Vulnerabilities tab
(Screenshot: NETASQ REAL TIME MONITOR 9.0, Vulnerabilities tab for firewall 10.2.0.1: 97 vulnerabilities, 53 applications, 12 events. Columns Firewall, Severity, Name, Affected hosts, Family, Target, Exploit, Solution, Detected, ID; first rows:)
10.2.0.1 | Critical | Sun Java Development Kit ICC and BMP Parsing Buffer Overflow and DoS Vulnerabilities | 11 | Misc | server, client | Remote | Yes | 16/05/2007 | 110845
10.2.0.1 | Critical | Sun Java JRE Web Start JNLP File Processing Remote Buffer Overflow Vulnerability | 11 | Misc | server, client | Remote | Yes | 10/07/2007 | 111496
10.2.0.1 | Critical | Sun Java JDK and JRE XSLT Stylesheets Processing Code Execution Vulnerability | 11 | Misc | server, client | Remote | Yes | 11/07/2007 | 111511
10.2.0.1 | Critical | Sun Java Command Execution and Information Disclosure Vulnerabilities | 11 | Misc | server, client | Remote | Yes | 04/10/2007 | 112372
10.2.0.1 | Critical | Sun Java Runtime Environment Virtual Machine Code Execution Issue | 11 | Misc | server, client | Remote | Yes | 23/10/2007 | 112579
10.2.0.1 | Critical | Sun Jav
2.3.4 Address book
(Screenshot, Figure 18: Settings > Address book. File: the address book file AddrBook.gap under the Netasq\AS 9.0 folder of the user's AppData\Roaming directory; Browse and Reset buttons.)
Figure 18: Settings - Address book

The NETASQ UNIFIED MANAGER, NETASQ REAL TIME MONITOR and NETASQ EVENT REPORTER applications use the same address book, and therefore the same address book file. To retrieve a .gap file (NETASQ project file), simply click on Browse.

2.3.5 Miscellaneous
(Screenshot, Figure 19: Settings > Miscellaneous. Language: English; Online help URL under www.netasq.com/securitykb; options Start screen, Console, and "Minimize in systray instead of closing application".)
Figure 19: Settings - Miscellaneous

Language: you can select a language for the interface's menus. The automatic selection will choose the language installed on the PC's Windows OS. After a language selection, the Firewall Monitor must be restarted in order to apply the change.
Splash screen: if you select this option, the first window that appears on startup will contain the name, logo, version and loading status of the software. If it is not selected, the start screen will no longer be displayed.
Console: if the option Enable is selected, you will be able to access firewalls in console mode (CLI commands)
Interfaces
The Interfaces menu presents different statistics concerning:
Bandwidth
Connections
Throughput
Statistics are displayed in the form of graphs. The vertical and horizontal axes are graduated. The horizontal axis represents time, and the vertical axis is either:
Bandwidth (percentage)
The number of connections, or
Throughput, expressed in bytes, kilobytes or megabytes.

4.4.1.1 Interface types
Vlan
Ethernet
PPTP
Dialup
REMARK: The interfaces are grayed out or do not appear at all when they are inactive.
The window consists of 3 views:
1. A view of the interfaces, in tables or legend
2. A details zone
3. A zone for viewing graphs

4.4.2 Legend view or tabular view of interfaces
(Screenshot, Figure 42: interface table with the columns Name, Type, Address, Netmask, Throughput in, Throughput out, Connections, Media, Bandwidth, Stats; rows out, in and dmz, all of type ethernet, address 172.30.1.128, netmask 255.255.255.0.)
Figure 42: Interfaces - Legend

This view allows you to view all the interfaces that the firewall has detected. Each line represents an interface.
The information provided in the legend view is as follows:
Address, Network, Name and color attributed to
NETASQ REAL TIME MONITOR V 9.0 USER MANUAL
Date / Version / Author / Reference: naengde_nrmonitor v9 0

Copyright NETASQ 2010. All rights reserved.
Any reproduction, adaptation or translation of this current document without prior written permission is prohibited, except where expressly allowed by copyright laws.
NETASQ applies a method of continual development and, as such, reserves the right to modify and improve any product described in the document without prior notice.
Under no circumstances shall NETASQ be held liable for any loss of data or revenue, or any special damage or incident resulting from, or indirectly caused by, the use of the product and its associated documentation.
The contents of this document relate to the developments in NETASQ's technology at the time of its writing. With the exception of the mandatory applicable laws, no guarantee shall be made in any form whatsoever, expressly or implied, including but not limited to implied warranties as to the merchantability or fitness for a particular purpose, as to the accuracy, reliability or the contents of the document.
NETASQ reserves the right to revise this document, to remove sections or to remove this whole document at any moment without prior notice.
To ensure the availability of products, which may vary according to your geographical locations, contact your nearest NETASQ distribu
...ASQ Bypass zone

Contextual menu from right-clicking on the Quarantine zone
Right-clicking on a line containing a quarantined host will bring you to the contextual menu, which will allow you to:
Filter this column by this criterion: this option allows restricting the list of results to the selected field. For example, if the data is filtered by the priority "Major", the administrator will get all the lines containing "Major". Using this option will replace all the current filters on the columns.
Filter only this column by this criteria: this option allows you to restrict the list to the results pointed to by the cursor. Example: if your cursor points to the destination website consulted, the displayed list will only present the elements containing this destination website.

Contextual menu from right-clicking on the ASQ Bypass zone
Right-clicking on a line containing a quarantined host will bring you to the contextual menu, which will allow you to:
Filter this column by this criterion: this option allows restricting the list of results to the selected field. For example, if the data is filtered by the priority "Major", the administrator will get all the lines containing "Major".
Filter only this column by this criteria: this option allows you to restrict the list to the results pointed to by the cursor. Example: if your cursor points to the
Some of the possible values are clean and infected.
Identifier (id): identifier of the entity that caused the entry to be written. This field always takes on the value "firewall".
Date/Time (time): date and time the line was recorded in the log file, at the firewall's local time. Example: fri 9 march 15:46:04 2007.
Firewall (fw): serial number or name of the firewall, if known, that caused the event.
Timezone (tz): firewall's timezone at the time the log was written.
Start date (starttime): local date at the start of an event.
Priority (pri): determines the alarm level. The possible values are: 0 emergency, 1 alert, 2 critical, 3 error, 4 warning, 5 notice, 6 information.
Protocol (proto): protocol of the packet that set off the alarm.
Source (src, srcname): IP address or name of the object corresponding to the source host of the packet that set off the alarm.
Source port (srcport, srcportname): source port number of the service or the name of the object corresponding to the service port of the source host (only if TCP/UDP).
Destination (dst, dstname): IP address or name of the object corresponding to the destination host of the packet that set off the event.
Destination port (dstport, dstportname): destination port number of the service or name of the object corresponding to the service port of the destination host, if it exists and is request
Web, SMTP, FTP, POP3, Filter
Action (action): action associated with the filter rule and applied on the packet. Examples: Block, Pass.
Priority (pri): determines the alarm level. The possible values are: 0 emergency, 1 alert, 2 critical, 3 error, 4 warning, 5 notice, 6 information.
Config: number of the filtering policy involved in the rise of the event.
(field name illegible): ... working session of a user on the network.
User: identifier for the authenticated user (FTP); e-mail address of the sender (SMTP); identifier for the user if authentication has been enabled (WEB).
Source: IP address or name of the object corresponding to the source host of the packet that set off the alarm.
Src prt num: source port number involved, displayed in digital form.
(description illegible) ... set off the alarm.
Dst port: destination port number of the service or name of the object corresponding to the service port of the destination host, if it exists and is requested for this connection.
Details: description of the event relating to the log. This column groups some of the information gathered from the other columns. E.g., if an alarm log is concerned, information such as whether it was a sensitive alarm and the number of the filter rule (rule ID), already given in the columns Sensitive alarm, Rule and Rule ID, will
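The log format described in the "Format of log files" section (CR LF terminated WELF lines, with the Action token telling blocked from allowed packets) and the field list above can be exercised with a small parser. The following is an added example and not code from the NETASQ manual or product: it assumes a key=value layout in which values containing spaces are double-quoted, uses the field names the manual lists (id, time, fw, tz, pri, proto, src, srcport, dst, dstport, dstportname, action) together with the documented pri levels 0 to 6, and runs over constructed sample lines. The exact quoting and token order of real NETASQ log lines is an assumption.

```python
import re

# Priority levels as documented for the "pri" field (0 emergency ... 6 information).
PRIORITY_NAMES = {
    0: "emergency", 1: "alert", 2: "critical", 3: "error",
    4: "warning", 5: "notice", 6: "information",
}

# Constructed sample lines (not taken from the manual) in a key=value WELF-style
# layout. Key names follow the manual's field list; quoting, token order, the
# firewall name and the addresses are assumptions made for this example.
SAMPLE_LOG = (
    'id=firewall time="2007-03-09 15:46:04" fw=fwlaboro tz=+0100 pri=2 proto=tcp '
    'src=192.0.2.10 srcport=51234 dst=198.51.100.5 dstport=22 dstportname=ssh action=Block\r\n'
    'id=firewall time="2007-03-09 15:46:05" fw=fwlaboro tz=+0100 pri=6 proto=tcp '
    'src=192.0.2.11 srcport=51235 dst=198.51.100.80 dstport=80 dstportname=http action=Pass\r\n'
    'id=firewall time="2007-03-09 15:46:06" fw=fwlaboro tz=+0100 pri=1 proto=udp '
    'src=192.0.2.12 srcport=5353 dst=198.51.100.53 dstport=53 action=Block\r\n'
    'id=firewall time="2007-03-09 15:46:07" fw=fwlaboro tz=+0100 pri=5 proto=tcp '
    'src=192.0.2.13 srcport=51236 dst=198.51.100.25 dstport=25\r\n'  # no Action token
)

# One token is key=value; the value is either a double-quoted string (which may
# contain spaces and escaped quotes) or a run of non-space characters.
TOKEN_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Turn one WELF-style log line into a dict; quoted values lose their quotes."""
    record = {}
    for key, value in TOKEN_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        record[key] = value
    return record


def parse_log(text):
    """Split on the CR LF terminator documented for the log files and parse each line."""
    records = []
    for raw in text.split("\r\n"):
        raw = raw.strip()
        if raw:
            records.append(parse_line(raw))
    return records


def priority_name(record):
    """Map the numeric pri field to its documented level name ("unknown" if absent/odd)."""
    try:
        return PRIORITY_NAMES.get(int(record.get("pri", "")), "unknown")
    except ValueError:
        return "unknown"


def split_by_action(records):
    """Group lines by the Action token: Block -> blocked, Pass -> allowed, else unknown."""
    groups = {"blocked": [], "allowed": [], "unknown": []}
    for rec in records:
        action = rec.get("action", "").lower()
        if action == "block":
            groups["blocked"].append(rec)
        elif action == "pass":
            groups["allowed"].append(rec)
        else:
            groups["unknown"].append(rec)
    return groups


def summarize(records):
    """Count lines per (action group, priority name), the overview an operator wants first."""
    counts = {}
    for group, recs in split_by_action(records).items():
        for rec in recs:
            key = (group, priority_name(rec))
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (group, level), n in sorted(summarize(recs).items()):
        print(f"{group:8} {level:12} {n}")
```

Lines without an Action token land in the "unknown" group rather than being silently counted as allowed; when reviewing exported logs, that group is worth a look, since the manual's own guidance is that the Action token is what separates blocked from allowed traffic.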
Figure (VULNERABILITY MANAGER, vulnerability list for firewall 10.2.0.1). Columns: Severity | Name | Family | Target | Exploit | Detect | Release date | ID. Rows shown:
Critical | ...Runtime Environment Remote Code Execution Vulnerabilities | 11 Misc | server, client | Remote | Yes | 06/02/2008 | 113796
Critical | Sun Java Multiple Code Execution and Security Bypass Vulnerabilities | 11 Misc | server, client | Remote | Yes | 05/03/2008 | 114137
Critical | Sun Java JDK and JRE Code Execution and Security Bypass Issues | 11 Misc | server, client | Remote | Yes | 10/07/2008 | 115421
Critical | Sun Java JDK/JRE Code Execution and Security Bypass Vulnerabilities | 11 Misc | server, client | Remote | Yes | 26/03/2009 | 117740
Critical | Sun Java Multiple Code Execution and Security Bypass Vulnerabilities | 12 Misc | client | Remote | Yes | 05/08/2009 | 119045
Critical | Sun Java Multiple Code Execution and Security Bypass Vulnerabilities | 12 Misc | client | Remote | Yes | 04/11/2009 | 120021
Critical | MySQL yaSSL Certificate Handling Remote Buffer Overflow Vulnerability | 1 Database | server | Remote | Yes | 28/01/2010 | 120786
Critical | Sun Java JDK and JRE Code Execution and Security Bypass Vulnerabilities | 12 Misc | client | Remote | Yes | 31/03/2010 | 121297
Critical | Sun Java Deployment Toolkit Remote Argument Injection Vulnerability | 13 System Tool | client | Remote | Yes | 12/04/2010 | 121403
Critical | OpenOffice.org Code Execution and Security Bypass Vulnerabilities | 2 Office | client | Remote | Yes | 07/06/2010 | 121899
Critical | OpenOffice
Connect automatically: If this option is selected, the connection will be established automatically to the data sources (firewalls) in the address book.

2.3.2 External tools

Settings tabs: Behavior at startup | External tools | Report | Address book | Miscellaneous

Packet analyzer: You can add the $packet_files parameter (absolute path of the packet file) to the packet analyzer tool of your choice. This parameter will be automatically added as the last parameter if you do not explicitly use it. Fields: Path, Parameters.

Figure 14: Settings, External tools

Packet analyzer: When an alarm is triggered on a NETASQ Firewall, the packet responsible for setting off the alarm can be viewed. To do this you need a packet viewing tool such as Ethereal or Packetyzer. Specify the selected tool in the Packet analyzer field; Monitor will use it to display malicious packets.
Path: Indicates the location of the directory containing the application that analyzes packets.

2.3.3 Report

Settings tabs: Behavior at startup | External tools | Report | Address book | Miscellaneous
Destination folder: ...\Documents\Netasq\...\9.0\Monitor\Reports (Reset button)
Number of events: 500

Figure 15: Settings, Report
Via the shortcut: Applications > Launch the NETASQ REAL-TIME MONITOR, in the menu bar of the other applications in the Administration Suite.
Via the menu: Start > Programs > NETASQ Administration Suite 9.0 > NETASQ REAL-TIME MONITOR.

If this is your very first time connecting to your product, a message will prompt you to confirm the serial number found on the underside of the firewall. The Overview window will open upon connection.

Figure (Overview window). Network overview: "53 vulnerabilities were detected on the monitored networks", "21 of the vulnerabilities are critical", "47 of the vulnerabilities are remote". Firewall list columns: Auto connect, Read only, State, Name, Address, User, Model, Firmware, Active Update, Vulnerability Manager, Antivirus, Backup version, Last alarm, Vulnerabilities, Global filter. Rows shown: 10.2.20.226 (user admin, Connected) and 10.2.0.1 / fwlaboro (model U450-A, firmware 9.0.2 beta 22, Active Update Enabled, Vulnerability Manager Enabled, Antivirus Disabled, backup version 9.0.2 dev 122, vulnerabilities: Major 55, Minor 53). Connection logs: "10:38:34 Automatic connection failed: no firewall named 1..."
...last update (successful or failed) and the date of the last update.

The following data will be displayed when you click on the Active Update menu:
Status: Indicates the status of the Active Update. 2 options are possible: "The last update failed" or "Updated".
Name: Indicates the update data categories.

5.4 SERVICES

This window sets out the services active and inactive on the Firewall, and for how long they have been active or inactive.

Figure (Services window, firewall 10.2.0.1, 31 items). Columns: Status, Name, Uptime, Version, Last update. Rows shown:
Enabled | NTP client | 22h 49m 1sec
Enabled | VPN server | 22h 57m 35sec
Enabled | DHCP server | 22h 57m 40sec
Enabled | SNMP Agent | 23h 10m
Enabled | ASQ monitoring | 23h 10m 2sec
Enabled | High availability | 23h 10m 4sec
Enabled | Web portal | 23h 10m 11sec
Enabled | Event server | 23h 10m 15sec
Enabled | HTTP proxy server | 23h 10m 36sec
Enabled | SMTP proxy server | 23h 10m 36sec
Enabled | POP3 proxy server | 23h 10m 36sec
Enabled | FTP proxy server | 23h 10m 36sec
Enabled | SSL proxy server | 23h 10m 36sec
Enabled | DNS Cache Proxy | 23h 10m 39sec
...the information displayed in this column shows the size of the IPv4 packets (value beginning with 45). Packet sizes vary according to the firewall model:
S: 64 bytes (U30 to U70)
M: 128 bytes (U120 to U450)
L: 1500 bytes (U1100 to U1500 and NG1000-A)
XL: 1500 bytes (U6000, NG5000-A)

WARNING: To view a packet, a software program needs to be installed on your workstation.

4.4 INTERFACES

4.4.1 Introduction

DEFINITION: A zone, whether real or virtual, that separates two elements. The interface thus refers to what each element needs to know about the other in order to operate correctly.

Figure 41 (Interfaces window). Columns: Name, Type, Address, Netmask, Throughput in, Throughput out, Connections, Media, Bandwidth, Stats. Rows shown: out (ethernet, 172.30.1.128 / 255.255.255.0, 15.60 Kb/s in, 7.64 Kb/s out, 10 connections), in (ethernet, 172.30.1.128 / 255.255.255.0, 0 connections), dmz1 (ethernet, 172.30.1.128 / 255.255.255.0, 0 connections). The detail pane gives per-protocol counters (TCP, UDP, ICMP: Packets, Accepted, Blocked, Fragmented; e.g. TCP packets 2384, accepted 2386, bytes in 1.44 MB, bytes out 1.24 MB, connections 1), and bandwidth graphs of throughput in/out against time elapsed, with Hosts and Interfaces views for 172.30.1.128.
...be copied. 2. Several lines are selected: in this case only these lines will be copied to the clipboard.

Contextual menu in the help zone
Right-clicking in a help zone opens the contextual menu, which allows you to:
Copy: copy the help text in order to retrieve it later.
Copy the link: copy the hypertext link.
Select all: select all the help text.

2.1.5.2.4 Hosts
Many contextual menus can be opened in this window:
- when right-clicking on a host
- when right-clicking on the Vulnerabilities tab
- when right-clicking on the Applications tab
- when right-clicking on the Information tab
- when right-clicking on the Connections tab
- when right-clicking on the Events tab
- when right-clicking on the help zone

Contextual menu relating to a host
Filter by these criteria: This option restricts the list of results to the selected field. For example, if the data is filtered by the priority "Major", the administrator will get all the lines containing "Major".
NOTE: Using this option will replace all the current filters on the columns.
Filter only this column by this criteria: This option restricts the list of results pointed to by the cursor. Example: if your cursor pointed to the destination website consult
...be grouped in this column. Please refer to appendix G.
Firewall (fw): Serial number or name of the firewall (if known) that caused the event.
Start time (starttime): Local date at the start of the event.
Timezone (tz): Firewall's timezone.
Connection group (groupid): Session identifier (link between commands and data transfer).
Source interface (srcif, srcifname): Name of the firewall interface on which the event was raised (source interface network card).
Source address (src): IP address of the source host of the packet that set off the event.
Source port (srcport, srcportname): Source port number of the service, or the name of the object corresponding to the service port of the source host (only if TCP/UDP).
Destination interface (dstif, dstifname): Network card of the destination interface.
Destination address (dst): IP address of the destination host of the packet that set off the event.
Sensitive alarm (sensitive): Indicates whether an alarm is sensitive. This alarm is raised whenever the intrusion prevention system detects a sensitive packet for which it has been configured in intrusion detection mode. If the alarm is sensitive, an icon in the form of an exclamation mark followed by "Yes" will appear. Otherwise "No" will be indicated. When the alarm is blocked, the icon will be grayed out (it is disabled).
NOTE: Only protocol alarms can be described as sensitive. For alarms that are not in this class, t
Select the option "Read only" to connect to the firewall in read-only mode. Click on the Connect button. The main window will appear.

1.2.2.2 Opening the address book
Go to the menu File > Address book to open the address book. Or, if Monitor has been configured to open the address book at startup, the Address book window will appear.
NOTE: For more information regarding the address book, please refer to Part 1, Chapter 2, Address book.

1.2.2.3 Connecting automatically to the data source
If this option has been selected in Startup behavior (Application settings), Monitor will directly open the Overview main window and the application will automatically connect to the existing firewalls (for more information regarding connection, please refer to Part 2, Chapter 3, Startup behavior).

1.2.2.4 None
If this option has been selected in Startup behavior (Application settings), Monitor will directly open the Overview main window, but the application will not be connected to any firewall. Only the Overview menu will be enabled; the other menus in the directory will be grayed out (for more information regarding connection, please refer to Part 2, Chapter 3, Startup behavior).

1.2.3 Address book
The address book can be accessed from the menu File > Address book.
REMARK: The address book can also be opened automatically upon the startup of the application if you have selected the option in Application setti
...attract your attention. Among these you will find:
NOTE / REMARKS: These messages provide a more detailed explanation on a particular point.
WARNING: These messages warn you about the risks involved in performing a certain manipulation or about how not to use your firewall.
TIP: This message gives you ingenious ideas on using the options on your product.
DEFINITION: Describes technical terms relating to NETASQ or networking. These terms will also be covered in the glossary.

1.1.2.4 Messages
Messages that appear in the application are indicated in double quotes. Example: "Delete this entry".

1.1.2.5 Examples
Example: This allows you to have an example of a procedure explained earlier.

1.1.2.6 Command lines
Command lines: Indicates a command line, for example an entry in the DOS command window.

1.1.2.7 Reminders
Reminders are indicated as follows: Reminder.

1.1.2.8 Access to features
Access paths to features are indicated as follows: Access the menu File > Application settings.

1.1.3 Vocabulary used in this manual
Dialup: Interface on which the modem is connected.
[remaining entries illegible]

1.1.4 Getting help
To obtain help regarding your product and the different applications in it:
Website: www.netasq.com. Your secure access area allows you to access a wide range of documentation and other information (user man
...the selected tunnel will be cleared; new SAs will have to be renegotiated so that the tunnel can be used again.
Reset all tunnels: all tunnels will be deleted.

2.1.5.2.10 Active Update
Right-clicking on a line in the Active Update section opens the contextual menu, which allows you to:
Copy to the clipboard: Copies the selected line to the clipboard. Data can be copied in two different ways: 1. A single line is selected: in this case this line as well as the lines of details will be copied. 2. Several lines are selected: in this case only these lines will be copied to the clipboard.

2.1.5.2.11 Services
Right-clicking on a line containing a service opens the contextual menu, which allows you to:
Filter this column by this criterion: This option restricts the list of results to the selected field. For example, if the data is filtered by the priority "Major", the administrator will get all the lines containing "Major".
NOTE: Using this option will replace all the current filters on the columns.
Filter only this column by this criteria: This option restricts the list of results pointed to by the cursor. Example: if your cursor pointed to the destination website consulted, the displayed list will only present the elements containing this destination website.
Copy to the clipboard: Copies the selected line to the clipboard. Data can be copied in two different ways: 1. A single line is selected: in this case this line as well as the lin
...involved in raising the alarm. Example: 24.
Source (src, srcname): IP address or name of the object corresponding to the source host of the packet that set off the alarm.
Source port (srcport, srcportname): Source port number of the service, or the name of the object corresponding to the service port of the source host (only if TCP/UDP).
Destination (dst, dstname): IP address or name of the object corresponding to the destination host of the packet that set off the event.
Destination port (dstport, dstportname): Destination port number of the service, or name of the object corresponding to the service port of the destination host (if it exists and is requested for this connection).
User: Identifier of the authenticated user (FTP), e-mail address of the sender (SMTP), identifier of the user if authentication has been enabled (WEB).
Message (msg): Detailed description of the alarm. All commands sent by the client are found here; sensitive information such as passwords is removed.
Sent: Number of KB sent during the connection.
Operation (op): Identified command of the protocol. FTP: PUT, MPUT, GET, DELETE; HTTP: GET, PUT, POST; EDONKEY: SENDPART; POP3: RETR, LIST; FTP: DELETE, LIST.

Identifier (id): Identifier of the entity that caused the entry to be written. This field always takes on the value "firewall".
Date/Time (time): Date and time the line was recorded in the log file, at the firewall's local time.
2.2.2 Windows 39
2.2.3 Applications 39
2.2.4 Help 40
2.3 APPLICATION SETTINGS 40
2.3.1 Behavior at startup 40
2.3.2 External tools 41
2.3.3 Report 42
2.3.4 Address book 44
2.3.5 Miscellaneous 45
2.4 ... SETTINGS (title illegible)
2.4.8 Miscellaneous 48
3 INFORMATION ON FIREWALLS 49
3.1 OVERVIEW 49
3.1.1 Introduction 49
3.1.2 Overview of information on vulnerabilities 50
3.1.3 List of firewalls 50
3.1.4 Connection logs 51
3.2 DASHBOARD 51
3.2.1 Introduction 51
3.2.2 Selecting a product 53
3.2.3 System information 53
3.2.4 Memory 54
3.2.5 CPU 54
3.2.6 Hardware 54
3.2.7 Active network policies 55
3.2.8 Alarms 55
3.2.9 VPN Tunnels 56
3.2.10 Active Update 56
3.2.11 Logs 56
3.2.12 Services 56
3.2.13 Interfaces 56
3.2.14 Top 5 interfaces for incoming throughput 56
3.2.15 Top 5 interfaces for outgoing throughput 56
3.2.16 Top 5 hosts for incoming throughput 56
4.7.1 Quarantine view 87
4.7.2 ASQ Bypass view 87
5 NETWORK ACTIVITY 88
5.1 VPN TUNNELS 88
5.2 ACTIVE UPDATE 89
5.3 (title illegible) 90
5.4 SERVICES 91
5.5 HARDWARE 92
5.5.1 High availability 92
6 POLICIES 93
6.1 FILTER POLICY 93
6.2 VPN POLICY 94
7 LOGS
7.1 STATUS OF USE 96
7.2 LOG TYPES
7.2.1 VPN 96
7.2.2 System
APPENDICES 98
Appendix A FAQ 98
Appendix B NETASQ log files 100
Appendix C Session and user privileges 110
Appendix D SA states 111
Appendix E Sort criteria 112
Appendix F The Details column in the Events menu 116
Source interface (srcif, srcifname): Network card of the source interface.
Source interface name (srcifname): Name of the source interface (only if known).
IP (ipproto): Internet protocol (tcp or udp).
Destination interface (dstif, dstifname): Network card of the destination interface.
Source (src, srcname): IP address or name of the object corresponding to the source host of the packet that set off the alarm.
Source port (srcport, srcportname): Source port number of the service, or the name of the object corresponding to the service port of the source host (only if TCP/UDP).
Destination (dst, dstname): IP address or name of the object corresponding to the destination host of the packet that set off the event.
Destination port (dstport, dstportname): Destination port number of the service, or name of the object corresponding to the service port of the destination host (if it exists and is requested for this connection).

Identifier (id): Identifier of the entity that caused the entry to be written. This field always takes on the value "firewall".
Date/Time (time): Date and time the line was recorded in the log file, at the firewall's local time. Example: fri 9 march 15:46:04 2007.
Priority (pri): Determines the alarm level. The possible values are: 0 emergency, 1 alert, 2 critical, 3 error, 4 warning, 5 notice, 6 information, 7 debug.
Rule number: Rules are numbered in order. This number allows uniquely identifying the rule within the filter slot that was involve
...e.g. 404, which indicates an error.
Parameter (arg): Action obtained. Example (as printed): gi bin uploadjs cgi

Connection
Used for connections made to and from the Firewall; its source is NETASQ's IPS engine (ASQ).
Example: The Firewall's ASQ kernel logs the connection from the host 192.168.0.2, port 1672, to the host 192.168.1.2, port 1840. The information saved in this log file is as follows:
Identifier (id): Identifier of the entity that caused the entry to be written. This field always takes on the value "firewall".
Date/Time (time): Date and time the line was recorded in the log file, at the firewall's local time. Example: fri 9 march 15:46:04 2007.
Priority (pri): Determines the alarm level. The possible values are: 0 emergency, 1 alert, 2 critical, 3 error, 4 warning, 5 notice, 6 information, 7 debug.
Rule number: Rules are numbered in order. This number allows uniquely identifying the rule within the filter slot that was involved in raising the alarm. Example: 24.
User: Identifier of the authenticated user (FTP), e-mail address of the sender (SMTP), identifier of the user if authentication has been enabled (WEB).
Source interface: Name of the firewall interface on which the event was raised (source interfac
...the columns.
Filter only this column by this criteria: This option restricts the list of results pointed to by the cursor. Example: if your cursor pointed to the destination website consulted, the displayed list will only present the elements containing this destination website.
View the host: The Hosts menu directory will open to display additional information on the detected host. During pre-filtering, the host concerned will be selected. The data will be filtered according to the hostname (if available) or by its address.

In the Information tab, 3 contextual menus can be opened:
- when right-clicking on a line containing information
- when right-clicking on a line detailing a host
- when right-clicking on the help zone

Contextual menu for a line containing information
Filter by these criteria: This option restricts the list of results to the selected field. For example, if the data is filtered by the priority "Major", the administrator will get all the lines containing "Major".
NOTE: Using this option will replace all the current filters on the columns.
Filter only this column by this criteria: This option restricts the list of results pointed to by the cursor. Example: if your cursor pointed to the destination website consulted, the displayed list will only present the elements containing this destination websi
Figure 33 (VULNERABILITY MANAGER, Information tab, firewall 10.2.0.1). Columns: Name | Family | Affected host(s) | ID. Rows shown:
DNS Server is running | DNS Server | 1 | 50266
HTTP Server is running | Web Server | 34 | 50257
Instant Messenger activity detected | Instant Messengers | 1 | 50280
Linux OS detected | Operating System | 7 | 50293
Media Player activity detected | Media Players | 7 | 50278
Microsoft MSN Messenger is inst... | Misc | 1 | 50032
Microsoft Windows OS detected | Operating System | 31 | 50273
MySQL Server is running | Database | 3 | 50262
Host list columns: Assigned, Name, Application, Type, Detail, Operating system, Port, Internet protocol. Row shown: 09/01/2012 12:3... | qualif.netasq.com | DNS Server | Server | FreeBSD | 53 | udp.
Help zone: http://www.netasq.com/securitykb/us/d20372f2322ad0ea.html. Description: "Make sure this service is really needed and that the server is up to date with security patches." Vulnerable Products: ...

The Information tab informs you of your network's activity. You can therefore see the programs that are at risk of generating attacks. The window is divided into 3 sections: List of programs, List of hosts, Help zone.

4.2.4.1 Informat
...connection window. This may be for one of several reasons. Check:
- That the IP address which you have specified in the connection window is that of the Firewall (that of the internal interface in advanced mode).
- That your host has indeed a different IP address from the Firewall but is on the same sub-network.
- That the connections are properly in place (use a crossover cable only if you are connecting the Firewall directly to a host or a router). Type "arp -a" in a DOS window under Windows to see if the PC recognizes the NETASQ Firewall's physical (Ethernet) address. If it doesn't, check your cables and the physical connections to your hub.
- That you have not changed the Firewall's operating mode (transparent or advanced).
- That the Firewall recognizes the IP address (see "How can I check the IP address(es) really assigned to the Firewall?").
- That the access provider for the graphical interface has not been deactivated on the Firewall.

2. How can I check the IP address(es) really assigned to the Firewall?
If you wish to check the IP address(es) or the operating mode (transparent or advanced), you need only connect to the Firewall in console mode. To do so, you can either open an SSH session on the Firewall (if SSH is active and authorized), connect directly to the firewall via the serial port, or connect a screen and a keyboard to the firewall. Once connected in console mode with the admin login, type the
Connection logs shown: "11:33:54 fwlaboro 10.2.0.1 Authenticati..."; "11:33:55 fwlaboro 10.2.0.1 Authenticated: You have not obtained the required access rights".
Figure 23: Overview

3.1.2 Overview of information on vulnerabilities
This view indicates the number of vulnerabilities found, the number of critical vulnerabilities and the number of vulnerabilities that are remotely accessible on your networks. These indications are links that give access to these vulnerabilities (VULNERABILITY MANAGER menu).
Network overview: 94 vulnerabilities were detected on the monitored networks; 47 of the vulnerabilities are critical; 87 of the vulnerabilities are remote.
Figure 24: Network overview

3.1.3 List of firewalls
This view provides the following information on your product(s):
Auto connect: Selecting this option activates automatic reconnection of NETASQ REAL-TIME MONITOR in the event of a disconnection.
Read only: Select this option to activate read-only mode.
[entries illegible]
Address: Firewall's IP address.
[entries illegible]
Active Update: Indicates the update status of the Active Update module. Options: OK or failure.
[entry illegible]
VULNERABILITY MANAGER: Indicates the number of vulnerabilities.
[entries illegible]
...consulted, the displayed list will only present the elements containing this destination website.
Remove host from ASQ: Deletes the host's ASQ information. This may be useful especially if a host has been hacked. The Monitor "modify" privilege is necessary. A message will appear asking you to confirm this action.
[item name illegible]: ... The corresponding "modify" privilege is necessary. A message will appear asking you to confirm this action. When you perform this reset, the host will be deleted from the VULNERABILITY MANAGER database as well as from the data counters (detected vulnerabilities, software).
Send to quarantine: The quarantined host will be dynamically blocked for a duration to be specified. This duration can be 1 minute, 5 minutes, 30 minutes or 3 hours. The Monitor "modify" privilege is necessary. You will not be asked to confirm this action.
Manually set the Operating System: dialog showing Current Operating System (Not detected), Detected Operating System (Not detected), a Restore button, and New Operating System name chosen from a list (Not detected, Cisco IOS, FreeBSD, IBM AIX, Linux, MacOS, MacOS X, Microsoft Windows 2000 SP1, SP2, SP3, SP4, Microsoft Windows 2000 no SP, ...).
Figure 8: Manually set the OS
Current operating sys
...requested for this connection.
User: Identifier of the authenticated user (FTP), e-mail address of the sender (SMTP), identifier of the user if authentication has been enabled (WEB).
Action (action): Action associated with the filter rule and applied to the packet. Examples: Block, Pass.
Message (msg): Detailed description of the alarm. All commands sent by the client are found here; sensitive information such as passwords is removed.
Sent: Number of KB sent during the connection.
Received (rcvd): Number of KB received during the connection.
Duration: Connection time in seconds.
Connection group (groupid): Session identifier (link between commands and data transfer).
Operation (op): Identified command of the protocol. FTP: PUT, MPUT, GET, DELETE; HTTP: GET, PUT, POST; EDONKEY: SENDPART; POP3: RETR, LIST; FTP: DELETE, LIST.
Virus (virus): Indicates whether there is a virus in the e-mail. Some of the possible values are "clean" and "infected".

Identifier (id): Identifier of the entity that caused the entry to be written. This field always takes on the value "firewall".
Date/Time (time): Date and time the line was recorded in the log file, at the firewall's local time. Example: fri 9 march 15:46:04 2007.
Priority (pri): Determines the alarm level. The possible values are: 0 emergency, 1 alert, 2 critical, 3 error, 4 warning, 5 notice, 6 information
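The field tables in Appendix B (alarm, filter, connection and proxy logs) are what you work from when you pull NETASQ logs into a script instead of reading them in the Monitor. The example below is added here and is not code from the manual or from NETASQ: it assumes each log line is a run of key=value pairs separated by spaces, with double-quoted values where they contain spaces (the manual lists the field identifiers but does not show the line format), and the sample lines are constructed. It parses the fields named in the appendix (id, time, fw, tz, pri, proto, src, srcport, dst, dstport, action, sensitive, user, op, msg), maps pri to the level names above, drops entries whose id is not "firewall" (the appendix says that field always carries that value), and picks out the two things a practitioner checks first: which sources are generating warning-or-worse alarms, and which sensitive alarms the IPS detected but passed.

```python
"""Parse NETASQ firewall log lines and pull out the alarms worth looking at.

Added example, not code from the manual or from NETASQ. Assumptions: a log
line is a run of key=value pairs separated by spaces, with values in double
quotes when they contain spaces (backslash-escaped quotes inside). The field
identifiers (id, time, fw, tz, pri, proto, src, srcport, dst, dstport, action,
sensitive, user, op, msg) are the ones listed in the manual's Appendix B; the
sample lines below are constructed, not real captures.
"""
import re
from collections import Counter

# Priority values from the manual (pri): lower number = more severe.
PRIORITY_NAMES = {0: "emergency", 1: "alert", 2: "critical", 3: "error",
                  4: "warning", 5: "notice", 6: "information", 7: "debug"}

# key=value where value is "..." (with \" escapes inside) or a bare token.
_PAIR_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_log_line(line):
    """Return the line's fields as a dict; quoted values are unescaped."""
    fields = {}
    for key, raw in _PAIR_RE.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields


def priority_name(fields):
    """Map the numeric pri field to the manual's level name."""
    try:
        return PRIORITY_NAMES.get(int(fields.get("pri", "")), "unknown")
    except ValueError:
        return "unknown"


def triage(lines, max_pri=4):
    """Count alarms of severity <= max_pri per source host, and collect the
    sensitive alarms the IPS saw but let through (sensitive=1, action=pass).
    Lines whose id is not 'firewall' are ignored: the manual says every entry
    written by the firewall carries id=firewall, so anything else is noise."""
    by_src = Counter()
    passed_sensitive = []
    for line in lines:
        f = parse_log_line(line)
        if f.get("id") != "firewall":
            continue
        try:
            pri = int(f["pri"])
        except (KeyError, ValueError):
            continue  # no usable priority: cannot rank it, skip
        if pri <= max_pri:
            by_src[f.get("src", "?")] += 1
        if f.get("sensitive") == "1" and f.get("action", "").lower() == "pass":
            passed_sensitive.append(f)
    return by_src, passed_sensitive


# Constructed sample lines in the assumed format (not real captures).
SAMPLE_LINES = [
    'id=firewall time="2007-03-09 15:46:04" fw="fwlaboro" tz=+0100 pri=2 '
    'proto=tcp src=192.168.0.2 srcport=1672 dst=192.168.1.2 dstport=1840 '
    'action=block sensitive=0 msg="Possible port scan"',
    'id=firewall time="2007-03-09 15:46:10" fw="fwlaboro" tz=+0100 pri=4 '
    'proto=http src=192.168.0.2 srcport=2001 dst=10.2.0.1 dstport=80 '
    'action=pass sensitive=1 msg="Suspicious URL: \\"/cgi-bin/test\\""',
    'id=firewall time="2007-03-09 15:47:00" fw="fwlaboro" tz=+0100 pri=6 '
    'proto=ftp src=192.168.0.5 user=alice op=PUT action=pass',
    'id=proxy time="2007-03-09 15:47:30" pri=1 src=10.0.0.9',  # wrong entity, skipped
]

if __name__ == "__main__":
    counts, passed = triage(SAMPLE_LINES)
    for src, n in counts.most_common():
        print("%s: %d alarm(s) at warning or above" % (src, n))
    for f in passed:
        print("sensitive alarm passed: %s -> %s:%s %s"
              % (f["src"], f["dst"], f["dstport"], f["msg"]))
```

Note that the msg field is only safe to print because the manual states that passwords are stripped from it before logging; the parser still unescapes quoted values rather than splitting on spaces, since a command echoed in msg can contain both spaces and quotes.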
...interfaces, QoS and VPN SAs will be refreshed. The refresh frequency is set to 30 seconds by default and may be a minimum of 10 seconds.
Activity data refresh frequency: Specifies in minutes when activity data (hosts, authenticated users and Vulnerability Manager) will be refreshed. The refresh frequency is set to 3 minutes by default and may be a minimum of 1 minute.
System data refresh frequency: Specifies in minutes when system data (session data, high availability, RAID, cryptography card, quarantine, services and Active Update) will be refreshed. The refresh frequency is set to 3 minutes by default and may be a minimum of 1 minute.
Log refresh frequency: Specifies in minutes when log data (log space, filters, VPN, system, traffic and filter logs) will be refreshed. The refresh frequency is set to 5 minutes by default and may be a minimum of 1 minute.
Configuration data update frequency: Specifies in minutes when configuration data (anti-spam, anti-virus, proxies, SPD and system properties) will be refreshed. The refresh frequency is set to 5 minutes by default and may be a minimum of 1 minute.

REMARK: The Default button allows you to reset the parameters to their default values.

2.4.2 Memory
Monitor: Number of log lines to be downloaded (lines); Graph period
...the lines of details will be copied. 2. Several lines are selected: in this case only these lines will be copied to the clipboard.

2.1.5.2.12 Hardware
This is the menu dedicated to high availability. Please refer to sections 3.2.6 and 5.5.

2.1.5.2.13 Filter policy
This menu allows you to view different types of rules: Implicit rules, Global filtering rules, Local filtering rules, NAT rules for local... For more information, please refer to section 6.1.

2.1.5.2.14 VPN Policy
Right-clicking on a line containing a VPN policy opens the contextual menu, which allows you to:
Filter this column by this criterion: This option restricts the list of results to the selected field. For example, if the data is filtered by the priority "Major", the administrator will get all the lines containing "Major".
View corresponding tunnels: this will open the VPN Tunnels menu with a filter.

2.1.5.2.15 Logs: VPN
Right-clicking on a line containing a VPN policy opens the contextual menu, which allows you to:
Filter this column by this criterion: This option restricts the list of results to the selected field. For example, if the data is filtered by the priority "Major", the administrator will get all the lines containing "Major".
NOTE: Using this option will replace all the current filters on the columns.
Vulnerability Manager: Severity, Exploit, Name, Solution, Affected hosts, Release, Family, ID
Machines (Hosts): Name, Open ports, Address, Last vulnerability manager event, Users, Interface, Operating system, Incoming bytes, Vulnerabilities, Outgoing bytes, Applications, Incoming throughput, Infos, Outgoing throughput
Interfaces: Name, Connections, Type, Media, Address, Mask, Bandwidth, Incoming throughput, Stats, Outgoing throughput
Quality of service: QID, Rejected incoming packets, Incoming throughput, Rejected outgoing packets, Outgoing throughput, Incoming bytes, Incoming packets, Outgoing bytes, Outgoing packets
Users: Firewall, Name, Group, Address, Expiry
Quarantine / ASQ Bypass: Addresses, Type, Expiration
VPN Tunnels: Source, Source address, Bytes, Destination, Destination address, Status, Lifetime
Active Update: Status, Name, Last update, License expiry
Services: Status, Name, Uptime, Version, Last update, License expiry
VPN Policy: Source, Source address, Source router, Src Gateway addr, Direction, Protocol, Destination router, Authentication, Encryption, Spi Out, Spi In, Reqid Out, Reqid In, Dest Gateway addr, Destination, Destination address, Level, Ma
Figure (VPN logs). Columns: Time, Level, Firewall, Gateway, Message, SPI out, SPI in, Cookie, Role, Source, Destination. Every row shown is an "Information" level "Phase established" entry from Firewall_bridge (gateway gw), role initiator, cookie 0x184f3e3a3f12, source 10.0.0.128, with the destination networks 10.2.10.0/24, 10.2.45.0/24, 10.2.32.0/24, 10.2.4.0/24, 10.2.31.0/24, 10.2.19.0/24, 10.2.17.0/24, 10.2.28.0/24, 10.2.6.0/24, 10.2.2.0/24 and 10.2.38.0/24 established between 15:16:55 and 15:43:11, each with its own pair of SPI values (e.g. 0x026ab14d / 0x02f59f11 for 10.2.45.0/24).
73. (end of contents) 3.2.17 Top 5 hosts for outgoing throughput ... 56

FOREWORD

Copyright
Copyright NETASQ 2011. All rights reserved. Under copyright law, any form of reproduction whatsoever of this user manual without NETASQ's prior written approval is prohibited. NETASQ rejects all liability arising from the use of the information contained in these works.

Liability
This manual has undergone several revisions to ensure that the information in it is as accurate as possible. The descriptions and procedures herein are correct where NETASQ firewalls are concerned. NETASQ rejects all liability directly or indirectly caused by errors or omissions in the manual, as well as for inconsistencies between the product and the manual.

Notice
WEEE Directive
All NETASQ products that are subject to the WEEE directive will be marked with the mandated crossed-out wheeled bin symbol (as shown above) for items shipped on or after August 13, 2005. This symbol means that the product meets the requirements laid down by the WEEE directive with regards to the destruction and reuse of waste electrical and electronic equipment. For further details, please refer to NETASQ's website at this address: http://www.netasq.com/recycling.html

License Agreement
Introduction
The information contained in this document may be changed at any time without prior notification. Despite the care taken
75. (continued) the time would be roughly equal to startime plus one hour.

Groupid: the FTP plugin indicates a number that is found for all FTP child connections.
Dstif, srcif, dstifname and srcifname refer to the firewall's source and destination interfaces, with their names.
User, in several logs, corresponds to the names of persons authenticated via authd.
Icmptype and icmpcode correspond respectively to the ICMP type and code in alarm logs.

SYSTEM log
Proxies also write events particular to their operation in this log.
Service corresponds to the name of the writing service.
Msg explains the action of the service that generated this log.

Appendix C: Session and user privileges

Name: Description. Assigned privileges.

Logs (R): Logs consultation. base, log_read
Filter (R): Filtering policy consultation. base, filter_read
VPN (R): VPN configuration consultation. base, vpn_read
Logs (W): Privilege to modify logs configuration. modify, base, log
Filter (W): Privilege to modify filtering policy configuration. modify, base, filter
VPN (W): Privilege to modify VPN configuration. modify, base, vpn
Monitoring: Privilege to modify configuration from NETASQ Realtime Monitor. modify, base, mon_write
Content filtering: Privilege for URL filtering, Mail, SSL and antivirus. modify, base, contentfilter
PKI: Privilege to modify PKI. modify, base, pki
Objects: Privilege to modify Object database. modify, base, object
Users: Privilege to modify Users. modify, base, user
Network: modify, base, network
Routing: Privilege to modify routing (default route, static routes and trusted networks). modify, base, route
Maintenance: Privilege to perform maintenance operations (backups, restorations, updates, Firewall shutdown and reboot, antivirus update, modification of antivirus update frequency, High Availability modification and RAID-related actions in NETASQ Realtime Monitor). modify, base, maintenance
Intrusion prevention: Privilege to modify Intrusion prevention (IPS) configuration. modify, base, asq
Vulnerability management: Privilege to consult or modify vulnerabilities. modify, base, pvm
Objects (global): Privilege to access global objects. modify, base, globalobject
Filter (global): Privilege to access the global filtering policy. modify, base, globalfilter

The base privilege is assigned to all users systematically. This privilege allows reading the whole configuration except filtering, VPN, logs and content filtering. The modify privilege is assigned to users who have writing privileges. The user who has logged on as admin will obtain the admin privilege. This is the only privilege that allows giving other users administration privileges or removing them.

Appendi
76. (continued) the changes. Check the option "Display passwords" to check the passwords used for each Firewall saved in the address book (passwords are displayed in plaintext).

1.2.3.1 Adding an address
Click on the Add button to add an address to the address book. Other information to supply:
Name: The name of the firewall.

1.2.3.2 Modifying an address
The procedure for modifying an address in the address book is as follows:
1. Select the firewall to be modified.
2. Click on the Modify button. The following window will appear (Figure 3: Modifying an address; fields Name, Address, Login, Password, Confirm, Description).
3. Make the necessary changes.
4. Click on OK to confirm changes.

1.2.3.3 Deleting an address
The procedure for deleting a firewall from the address book is as follows:
1. Select the firewall to delete.
2. Click on the Delete button. The following message will appear: "Confirm deletion of these items".
3. Click on Yes or No to confirm deletion or cancel.

1.2.3.4 Importing an address book
The procedure for importing an existing address book is as follows:
1. Click on the Import button. The following window will appear (screenshot of the file selection dialog).
77. (continued) the column will be empty.

Copy (repeat): Indicates the number of an event's occurrences within a defined period. This period is configured in NETASQ UNIFIED MANAGER, in the menu Logs > Advanced, option "Write log duplicates every".
Context (class): Text indicating the category to which the alarm belongs (system, protocol, filter, etc.).
Caller (VoIP): Indicates the caller.
Operation (op): Identified command of the protocol (FTP: PUT, MPUT, GET, DELETE; HTTP: GET, PUT, POST; EDONKEY: SENDPART; POP3: RETR, LIST; IMAP: DELETE, LIST).
Result: Result of the operation in the protocol (example: 404, which indicates an error).
Spam level (spamlevel): (...) x: error during the treatment of the message, and the nature of the message could not be determined, if antispam has been enabled.
Virus (virus): Indicates whether there is a virus, if the antivirus has been enabled.
(...) Sensitive information such as passwords is removed.
Packet: Indicates the IP packet for which the alarm was raised. Right-clicking on this packet allows it to be viewed through a packet analyzer. The information displayed in this column shows the size of the IPv4 packets (value begi
78. (continued) the product, including lost profit or savings, whether actual, indirect, incidental or consequential, irrespective of whether NETASQ has been advised of the possibility of such damages. NETASQ's maximum liability for damages shall be limited to the license fees received by NETASQ under this license for the particular product(s) which caused the damages. Any possible legal action relating to the alleged defectiveness of the software will come under the jurisdiction of NETASQ's headquarters, French law being the binding authority.

WARNING
1. Certain NETASQ products enable gathering and analyzing logs. This log information allows the activity of internal users to be tracked and may provide nominative information. The legislation in force in the destination country may impose the application of certain measures (namely administrative declarations, for example) when individuals are subject to such monitoring. Ensure that these possible measures have been applied before any use of the product.
2. NETASQ products may provide cryptographic mechanisms which are restricted or forbidden by the legislation in force in the destination country. Despite the control made by NETASQ before exportation, ensure that the legislation in force allows you to use these cryptographic mechanisms before using NETASQ products.
3. NETASQ disclaims all liability for any use of the product deemed illegal in the destination country.
79. (continued) when the Action has been set to Pass, and packets which have been blocked (which are either uneventfully deleted by the Firewall, or deleted after a reinitialization has been sent to the packet's source host); this information is not available to Firewall administrators when the Action has been set to Block.

Logs regarding the change of time on firewalls
When the Firewall's time is reset, a special line will be written in all log files, according to the example below:

id=firewall time=2003-12-29 16:35:32 fw=U700XXA0Z0899020 tz=+0100 startime=2003-12-29 16:30:10 datechange=1 duration=322

The datechange=1 token means that the time was reset, and duration refers to the lag in seconds.

Exceptions on tokens
Certain log files do not exactly follow the WELF format. These exceptions will be listed in the following section.

Exceptions that are common to all logs
Rule is replaced with ruleid.
The time token refers to the time (the firewall's local time) at which the line in the log file was saved.
Tz indicates the time difference from the firewall's time at the moment the log was written. Therefore it is possible to find out the time of the log in international time and to analyze attacks launched simultaneously on equipment in different countries.
Startime states the time at which a connection started. If the connection lasts for an hour, t
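The log-time behaviour described above (key=value tokens, the tz offset, the special datechange=1 line and the rule/ruleid exception), as an added example that is not part of the NETASQ manual: a small Python parser that normalises each firewall's local time to UTC so that events from firewalls in different countries can be put on one timeline, and that flags clock-reset lines. The firewall names FW-EXAMPLE-2 and FW-EXAMPLE-3, their log lines and the helper names (parse_line, normalise, sorted_by_utc) are constructed for this example; the first sample line is the manual's own example with the key=value punctuation restored.

```python
"""
Added example (not from the NETASQ manual): parse NETASQ WELF-style
log lines (token=value pairs), convert the firewall-local 'time' and
'startime' tokens to UTC using 'tz', and flag the datechange=1 line
that records a clock reset. FW-EXAMPLE-2 / FW-EXAMPLE-3 and their
lines are constructed; the first line is the manual's example.
"""
import re
from datetime import datetime, timedelta, timezone

# token=value, where the value is double-quoted, an unquoted
# "YYYY-MM-DD HH:MM:SS" timestamp (as in the manual's example),
# or a single non-blank word
_TOKEN_RE = re.compile(
    r'(\w+)=(?:"([^"]*)"|(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})|(\S+))'
)

SAMPLE_LINES = [
    # manual's example of a time-reset line (punctuation restored)
    "id=firewall time=2003-12-29 16:35:32 fw=U700XXA0Z0899020 tz=+0100 "
    "startime=2003-12-29 16:30:10 datechange=1 duration=322",
    # constructed: alarm from a firewall in another time zone, using the
    # 'rule' token that the manual says is replaced by 'ruleid'
    'id=alarm time="2003-12-29 10:40:00" fw=FW-EXAMPLE-2 tz=-0500 rule=12 src=192.0.2.10',
    # constructed: an earlier alarm that sorts first once normalised to UTC
    'id=alarm time="2003-12-29 16:20:00" fw=FW-EXAMPLE-3 tz=+0100 ruleid=7 src=198.51.100.7',
]


def parse_line(line):
    """Split one log line into a dict of token -> value."""
    rec = {}
    for m in _TOKEN_RE.finditer(line):
        key = m.group(1)
        # exactly one of the three value alternatives matched
        rec[key] = next(g for g in m.groups()[1:] if g is not None)
    # the manual's common exception: 'rule' is replaced with 'ruleid'
    if "rule" in rec and "ruleid" not in rec:
        rec["ruleid"] = rec.pop("rule")
    return rec


def parse_tz(tz):
    """'+0100' or '-0530' -> tzinfo for the firewall's local offset."""
    sign = -1 if tz.startswith("-") else 1
    digits = tz.lstrip("+-").zfill(4)
    return timezone(sign * timedelta(hours=int(digits[:2]), minutes=int(digits[2:])))


def to_utc(local_ts, tz):
    """Firewall-local 'YYYY-MM-DD HH:MM:SS' plus tz -> aware UTC datetime."""
    local = datetime.strptime(local_ts, "%Y-%m-%d %H:%M:%S")
    return local.replace(tzinfo=parse_tz(tz)).astimezone(timezone.utc)


def normalise(line):
    """Parse a line and add time_utc / startime_utc / clock_reset fields."""
    rec = parse_line(line)
    rec["time_utc"] = to_utc(rec["time"], rec["tz"]).isoformat()
    if "startime" in rec:
        rec["startime_utc"] = to_utc(rec["startime"], rec["tz"]).isoformat()
    rec["clock_reset"] = rec.get("datechange") == "1"
    return rec


def clock_lag_seconds(rec):
    """Lag recorded by a datechange=1 line; 0 for ordinary lines."""
    return int(rec["duration"]) if rec["clock_reset"] else 0


def sorted_by_utc(lines):
    """Order events from several firewalls by UTC time as (fw, time_utc)."""
    recs = [normalise(ln) for ln in lines]
    return [(r["fw"], r["time_utc"]) for r in sorted(recs, key=lambda r: r["time_utc"])]


if __name__ == "__main__":
    for fw, t in sorted_by_utc(SAMPLE_LINES):
        print(fw, t)
```

Lines carrying clock_reset=True should be treated as a boundary when correlating events: timestamps written before the reset on that firewall are off by the duration value, so a gap or overlap of that many seconds in the firewall's own timeline is expected rather than suspicious.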
80. (continued) this line as well as the lines of details will be copied. 2. Several lines are selected: in this case only these lines will be copied to the clipboard.

Contextual menu in the Connections tab
Right-clicking against a line containing a connection will bring you to the contextual menu that will display the following information:
Filter this column by this criterion: This option allows restricting the list of results to the selected field. For example, if the data is filtered by the priority Major, the administrator will get all the lines containing Major.
NOTE: Using this option will replace all the current filters on the columns.
Filter only this column by this criteria: This option allows you to restrict the list of the results pointed to by the cursor. Example: if your cursor pointed to the destination website consulted, the displayed list will only present the elements containing this destination website.
View host: This option allows you to view only information of the selected host.
Data can be copied in two different ways: 1. A single line is selected: in this case this line as well as the lines of details will be copied. 2. Several lines are selected: in this case only these lines will be copied to the clipboard.

Contextual menu in the Events tab
Right-clicking against a line containing an alarm will bring you to the contextual menu that
81. (continued) throughput. To modify the interface on which throughput is viewed, click on this interface in the legend at the top right section of the graph. The interface currently being viewed will be highlighted in blue.

4.5 QUALITY OF SERVICE (QoS)
REMARKS
1. Quality of Service, which has a high level of abstraction, refers to the ability to provide a network service according to parameters defined in a Service Level Agreement (SLA). The quality of the service is therefore gauged by its availability, latency, rate fluctuations, throughput and rate of lost packets.
2. Where network resources are concerned, Quality of Service refers to a network element's ability to provide traffic prioritization services and bandwidth and latency time control.

(Figure 46: Quality of service. Table columns: QID, Throughput in, Throughput out, Packets in, Packets out, Drops in, Drops out, Bytes in, Bytes out, with a DEFAULT row; graph of throughput in and throughput out (number of bits) against time elapsed; navigation entries Hosts, Interfaces and Quality of Service for 172.30.1.128)

This window consists of 2 views: a table view and a graph view. This view shows the incoming and outgoing throughput associated with the different QIDs defined in the firewall's QoS policy.

The following data is displayed when yo
82. (continued) the Applications view displays the following data:
Version: Name and version of the application.
(...) software application provides a service.
Port: Port used by the application, if it uses one.

4.3.4 Information view
This tab describes the information relating to a given host.
(Figure 38: Hosts, Events. Tabs: Vulnerabilities, Applications (1), Informations (1), Connections, Events; columns Name, Family, Type, Detail, Detected, Port, Internet Protocol, ID; sample row: DNS Server, DNS Server, Server, 12:40:01, 53, udp, 50266)
REMARK: The number of events is displayed in the tab's label.
The information provided in the events view is as follows:
Name: Name of the detected OS.
(...) application provides a service.
Detail: Description of information.

4.3.5 Connections view
(Figure 39: Hosts, Connections. Tabs: Vulnerabilities, Applications (1), Informations (1), Connections, Events; columns Time, Protocol, Source, Source port, Destination, Destination port, Sent, Received, Duration, Operation, Argument)
This view allows you to see the connections that the firewall detect
83. (continued) services and their status (Enabled/Disabled). Click on the link; the Services menu will appear.

3.2.13 Interfaces
This zone indicates whether there are problems with the interfaces. To view information on bandwidth, connections and throughput, click on the link. The Interfaces menu will appear.

3.2.14 Top 5 interfaces for incoming throughput
This zone displays the list of the 5 interfaces that have registered the most incoming throughput. Click on any one of the interfaces to display the Throughput tab (graph) in the Interfaces menu.

3.2.15 Top 5 interfaces for outgoing throughput
This zone displays the list of the 5 interfaces that have registered the most incoming throughput. Click on any one of the interfaces to display the Throughput tab (graph) in the Interfaces menu.

3.2.16 Top 5 hosts for incoming throughput
This zone displays the list of the 5 hosts that have registered the most incoming throughput. Click on any one of the interfaces to display the Throughput tab (graph) in the Interfaces menu.

3.2.17 Top 5 hosts for outgoing throughput
This zone displays the list of the 5 hosts that have registered the most outgoing throughput. Click on any one of the interfaces to display the Throughput tab (graph) in the Interfaces menu.

4 REAL TIME INFORMATION
4.1 EVENTS
The alarms generated by the Firewall will appear in this window.
(screenshot: NETASQ REAL TIME MONITOR window, menu bar beginning File, Windo
84. (continued) will get all the lines containing Major.
NOTE: Using this option will replace all the current filters on the columns.
This option allows you to restrict the list of the results pointed to by the cursor. Example: if your cursor pointed to the destination website consulted, the displayed list will only present the elements containing this destination website.
Copies the selected line to the clipboard. All the elements as well as the root element will be added to the clipboard.

Contextual menu in the Events tab
Right-clicking against a line containing data will bring you to the contextual menu that will display the following information:
Filter this column by this criterion: This option allows restricting the list of results to the selected field. For example, if the data is filtered by the priority Major, the administrator will get all the lines containing Major. NOTE: Using this option will replace all the current filters on the columns.
Filter only this column by this criteria: This option allows you to restrict the list of the results pointed to by the cursor. Example: if your cursor pointed to the destination website consulted, the displayed list will only present the elements containing this destination website.
List the hosts that present the same information.
Copy to the clipboard: Copies the selected line to the clipboard. Data can be copied in two different ways: 1. A single line is selected: in this case t
85. (continued) in the administration sessions view is as follows:
Firewall: Serial number or name (if known) of the firewall.
(...) privileges changes in each session (modify and mon_write privileges).
User privileges: Indicates privileges that have been given to the connected user. These privileges include adding, modifying, deleting or reading in different applications.
Session identifier: Number identifying the session.

4.7 QUARANTINE / ASQ BYPASS
DEFINITIONS
1. Dynamic quarantine: the quarantine is done manually and for a set duration.
2. Static quarantine: the quarantine is automatic and permanent. Static quarantining is configured in the application NETASQ UNIFIED MANAGER.

(Figure 48: Quarantine; the screenshot is not legible in the scan)

This window comprises 2 views: a Quarantine view and an ASQ Bypass view.

4.7.1 Quarantine view
This window shows the hosts that have been dynamically quarantined. Hosts in static quarantine are not reflected in this list.
The information provided in the Quarantine view is as follo
86. (continued) information; 7: debug.
Source (src, srcname): IP address or name of the object corresponding to the source host of the packet that set off the alarm.
Source port (srcport, srcportname): Source port number of the service, or the name of the object corresponding to the service port of the source host (only if TCP/UDP).
Destination (dst, dstname): IP address or name of the object corresponding to the destination host of the packet that set off the event.
Destination port (dstport, dstportname): Destination port number of the service, or name of the object corresponding to the service port of the destination host, if it exists and is requested for this connection.
User: Identifier of the authenticated user (FTP); e-mail address of the sender (SMTP); identifier of the user if authentication has been enabled (WEB).
Message (msg): Detailed description of the alarm. All commands sent by the client are found here. Sensitive information such as passwords is removed.
Sent: Number of KB sent during the connection.
Operation (op): Identified command of the protocol (FTP: PUT, MPUT, GET, DELETE; HTTP: GET, PUT, POST; EDONKEY: SENDPART; POP3: RETR, LIST; IMAP: DELETE, LIST).
Spam level (spamlevel): Spam level: 0: message not spam; 1, 2 and 3: spam; x: error during the treatment of the message, and the nature of the message could not be determined, if antispam has been enabled.
Virus: Indicates whether
87. (continued) intervals (see "Receiving alarms via the NETASQ UNIFIED MANAGER application"), which can be configured so that whenever an alarm is raised, an e-mail is sent. When several alarms are raised in a short period, they will be sent in a collective e-mail.
2. Finally, NETASQ REAL TIME MONITOR displays on the screen the alarms received in real time.

6. It is possible to allow protocols other than IP
The NETASQ Firewall can only analyze IP-based protocols. All protocols that the Firewall does not analyze are regarded as suspicious and are blocked. However, in transparent mode, Novell's IPX, IPv6, PPPoE, AppleTalk and NetBIOS protocols may be allowed through even though they are not analyzed.

Appendix B: NETASQ log files
The treatment of traffic passing through Firewalls requires the generation of logs containing descriptions of all events that arose. Depending on the type of event encountered, these logs will be recorded in specific NETASQ log files. There are 17 types of log files available on NETASQ firewalls: Alarm, Auth, Connection, Count, Filter, Monitor, Natstat, Plugin, Filterstat, Pop3, Pvm, Server, Smtp, System, Vpn, Web, Xvpn. The names used for these log files are rather self-explanatory. There are 7 in the Monitor section of events.
Alarm: Is used for alarms generated by ASQ in Firewalls (filter rules) and System even
88. (continued) Information view
This view allows you to see all the events that the firewall detects. Each line represents an event.
REMARK: The number of events is displayed in the tab's label.
The Information view displays the following data:
Firewall: Serial number or name (if known) of the firewall.
(...) Example: SSH
REMARK: The number of hosts indicated in the column "Affected hosts" is not always the same as the number of elements indicated in the Hosts zone in this window. In fact, the same service may use several ports. For example, the service thhtpd_server_2 25b can listen on 2 different ports, thus increasing the number of elements.

4.2.4.2 Hosts view
This view allows you to see all the events for a given host. Each line represents a host.
The information seen in the Hosts view is as follows:
Assigned: Date and time of the event's occurrence.
(...) application provides a service.
Operating system: (...)
Detail: Details about the operating system.

4.2.4.3 Help zone
The help zone allows you to get more details relating to the attack. Thus the administrator can correct the vulnerability. Click on the Show help button to show or hide
89. (continued) Applications view
This view allows you to see the applications that the firewall detects. Each line represents an application.
REMARK: The number of applications is displayed in the tab's label.
The Applications tab displays the following data:
Firewall: Serial number or name (if known) of the firewall.
Family: The software application's family (e.g. web client).
(...) application provides a service.
Operating system: (...)
Instance: Number of software applications detected in the monitored networks. For a server, the same service may be suggested on several ports. E.g. an Apache http server which provides its services on port 80 and port 8080 (web proxy) would appear twice.

4.2.3.2 Hosts view
This view allows you to see all the applications for a given host. Each line represents a host.
The information seen in the Hosts view is as follows:
Name: Host name.
(...) application provides a service.
Operating system: Host's operating system.

4.2.4 Events tab
(screenshot: NETASQ REAL TIME MONITOR window with menus File, Windows, Applications; Overview, Refresh, Filter policy, VPN policy; status line "DNS Server is running"; Dashboard showing 104 vulnerabilities, 53 applications, 12 events, 2 S
90. (screenshot residue: VPN log entries, each reading Information, Firewall_bridge_gw, "Phase established", with in/out SPI values, the initiator 10.0.0.128 and remote networks 10.2.x.0/24, timestamped between 13:18 and 14:07)
91. (continued) Alarm, Virus, Connection, Web, Mail, FTP and Filter lines.

2.1.8.1 Search
In this zone, you will be able to conduct searches through elements in the list. Elements are filtered at the same time as search criteria are being entered.

2.2 INTRODUCTION TO MENUS

2.2.1 File
The File menu concerns connections to the firewall and the application's general options.
Address book: Configures the firewalls' address books.
Direct connection: Opens a new Firewall connection window. Enter the IP address of the Firewall and the user password.
Application settings: Determines the behavior that Monitor should adopt at startup; enables getting a packet analyzer, defining a destination folder for reports and the language used in the graphical interface.
Default monitoring settings: Configures memory, connection timeout and the frequency with which different parameters will be refreshed.
Quit: Disconnects monitors and shuts down the application.

2.2.2 Windows
The Windows menu enables managing the display windows of the different connected firewalls.
Maximize: Opens the selected window.
(...) current window.
Overview: IP address of connected firewall(s).
Firewall: The drop-do
92. (continued) value expressed in hours, minutes and seconds.
The tunnel is made up of two sub-tunnels, one for each direction of the datagram transmission.
REMARK: The algorithms and limits have been configured in the NETASQ UNIFIED MANAGER; refer to the Manager user and configuration guide (help) for further details.
TIP: You will find other information on the parameters in this window in the RFC. Further information may be found in RFC 2401 (IPSEC), http://www.ietf.org/rfc/rfc2401.txt, or on sites such as http://www.guill.net/reseaux/ipsec.html
This status is color-coded. The line containing VPN information will use the color corresponding to the tunnel's status:
(...)
Dead: the SA has expired and cannot be used; the tunnel has not been set up and is therefore no longer active.
Orphan: a problem has arisen; in general this status means that the tunnel has been set up in only one direction.

5.2 ACTIVE UPDATE
DEFINITION: ACTIVE UPDATE
Enables updating the antivirus database, ASQ contextual signatures, the
93. (continued) value in the column label. For more information on the sort criteria, please refer to Appendix F: Sort criteria.
Clear column filter: Removes the filter that was previously set on the column.
(...)
Adjust column width to fit contents: Columns will be resized according to the contents.
When the menu "Filter by this column" is selected, the following screen will appear:
(Figure 7: Filter by this column. Dialog showing "Filter by Auto connect column", "Hide blank fields", "Filter by selected values", the operator "equals", and Remove and Clear buttons)
The screen relates to the column that had been selected previously, e.g. "Filter by the Details column".
The "Hide blank fields" option allows displaying only fields that contain data.
"Filter by selected values": a value can be entered manually or selected from the suggested list.
To create a filter, you only need to select one or several values from the suggested list and add them in order for them to appear in the section to the right of the table. You may use the following operators:
Equals: the values found have to be equal to those selected.
Contains: looks for a word in a phrase.
Begins with: looks for a phrase beginning with a string.
Ends with: looks for a phrase ending with a string.
Joker (Wildcard): see the table below.
Regular expression: cf. http://qt.nokia.com/doc/4.5/q
94. (continued)
Filter only this column by this criteria: This option allows you to restrict the list of the results pointed to by the cursor. Example: if your cursor pointed to the destination website consulted, the displayed list will only present the elements containing this destination website.

System
Right-clicking against a line in the System section will bring you to the contextual menu that will allow you to:
Filter this column by this criterion: This option allows restricting the list of results to the selected field. For example, if the data is filtered by the priority Major, the administrator will get all the lines containing Major.
NOTE: Using this option will replace all the current filters on the columns.
Filter only this column by this criteria: This option allows you to restrict the list of the results pointed to by the cursor. Example: if your cursor pointed to the destination website consulted, the displayed list will only present the elements containing this destination website.
Copy to the clipboard: Copies the selected line to the clipboard.

2.1.6 Status bar
(Figure 9: Status bar, showing the entries Alarms 172.30.1.128 and VPN tunnels 172.30.1.128)
The status bar contains menus from the menu directory that may have been opened during a session. Being able to do so is particularly useful when you are monitoring several firewalls at a time. You will be able
95. (continued)
Rule (ruleid): Number of the filter rule involved in the raised alarm.
(...)
Source interface (srcif, srcifname): (...) corresponding to the service port of the source machine, if it exists.
Source (src): IP address or name of the object corresponding to the source host of the packet that set off the event.
Source address (src): IP address of the source host of the packet that set off the event.
Source port (srcport): Port number of the source (only if TCP/UDP).
(...) that set off the event.
Destination address (dst): IP address of the destination host, or name of the object corresponding to the destination address if it exists, of the packet that set off the event.
Destination port (dstport, dstportname): Port requested for this connection.
Details: Describes the event relating to the log. This description groups together information from other columns in a single column. Example: if it is an alarm log, information such as whether the alarm is sensitive, the filter rule number and the rule identifier will be indicated in this column, or will otherwise be new columns in order to enable filtering. Please refer to Appendix G.
Sensitive alarm (sensitive): Indicates whether an alarm is sensiti
96. (screenshot residue from the Filter policy window: NAT rules of the form "1 nat from 10.60.0.5 on <interface> to 10.0.0.0-10.0.255.255 -> from 10.2.0.1 port 20000-59999" for the interfaces sys, asq, ihm, hard, build, archi, bench and qa; ICMP and TCP NAT rules 2 to 5 for 10.10.0.0-10.10.255.255 on regress and 10.60.0.0-10.60.255.255 on virtual; rule 6 "nat from 192.168.4.0-192.168.7.255 to 10.60.0.0-10.60.255.255 -> from 10.2.46.1 arp port 20000-59999"; and "7 skip 10 from any to HA_Cluster_NAT"; navigation entries Quarantine / ASQ Bypass, VPN tunnels, Active Update, Filter policy)
97. 7 nat from any on out to <HA_Cluster_NAT 2> -> from 172.16.100.1 to <HA_Cluster 2> arp
7 nat from any on dmzll to <HA_Cluster_NAT 2> -> from 172.16.100.1 to <HA_Cluster 2> arp
7 nat from any on sys to <HA_Cluster_NAT 2> -> from 172.16.100.1 to <HA_Cluster 2> arp
7 nat from any on asq to <HA_Cluster_NAT 2> -> from 172.16.100.1 to <HA_Cluster 2> arp
7 nat from any on ihm to <HA_Cluster_NAT 2> -> from 172.16.100.1 to <HA_Cluster 2> arp
7 nat from any on hard to <HA_Cluster_NAT 2> -> from 172.16.100.1 to <HA_Cluster 2> arp
7 nat from any on build to <HA_Cluster_NAT 2> -> from 172.16.100.1 to <HA_Cluster 2> arp
7 nat from any on archi to <HA_Cluster_NAT 2> -> from 172.16.100.1 to <HA_Cluster 2> arp
7 nat from any on bench to <HA_Cluster_NAT 2> -> from 172.16.100.1 to <HA_Cluster 2> arp
7 nat from any on qa to <HA_Cluster_NAT 2> -> from 172.16.100.1 to <HA_Cluster 2> arp
Figure 54: Filter policy
Each row displayed is set out as follows: <identifier for the rule type> <identifier for the rule in the slot> <filter rule>
Where:
<identifier for the rule type> can be 0 for implicit rules, 1 for global filters and 2 for local filters;
<identifier for the rule in the slot>: this identifier is always 0 for implicit rule
98. nd at the top of the graph.
Maximum bandwidth represents the theoretical maximum throughput supported by the interface.
Example: For a 100 Mbits/s line used in full duplex this maximum is 200 Mbits/s, and for a 10 Mbits/s line used in half duplex it is 10 Mbits/s.
4.4.5 Connections tab
The connection graph displays in real time the number of connections on each of the Firewall's interfaces during the defined period.
Figure 44: Interfaces - Connections (graph with tabs Bandwidth, Connections, Throughput; horizontal axis: Time elapsed)
Each interface is represented by a different color, of which the legend may be found at the top of the graph.
4.4.6 Throughput tab
The throughput graph represents the real throughput on each of the Firewall's interfaces. The throughput scale automatically adapts to the maximum throughput recorded during the period.
Figure 45: Interfaces - Throughput (graph with tabs Bandwidth, Connections, Throughput; series Throughput in and Throughput out; horizontal axis: Time elapsed)
For each interface, the throughput graph indicates the ingoing and outgoing throug
99. ne you will be able to access firewalls in console mode (CLI commands). When this window is validated, a Console menu will be added under the Overview menu directory.
Dashboard: This window gives you a summary of the main information relating to your product's activity.
Events: This window lists events that the firewall has raised.
Vulnerability Manager: This window allows you to view alarms being raised and to get help in the event of vulnerability.
...
The sub-menu VPN provides information on VPN logs. The sub-menu System provides system information.
2.1.5 Result display zone
Data and options from the selected menus in the horizontal bar appear in this zone. These windows will be explained in further detail in the corresponding sections.
2.1.5.1 Contextual menu on columns
Right-clicking on a column header will display the following options:
... events with a minor protocol. When a filter has been applied to a column, the icon will appear in b
100. ngs
Behaviour at start up: See Part 2, Chapter 3, Behaviour at start up.
It is possible to store connection data on your different Firewalls. This information is stored on the same client workstation on which the interface has been installed. It may be encrypted if you check the option "Address book is encrypted"; in this case you will be asked to enter an encryption key. The information that is stored for each firewall includes the IP address, login name, connection password and the serial number of the Firewall to which you wish to connect. This password belongs to an authorized user.
By specifying a serial number you will protect yourself from man-in-the-middle attacks. If you attempt a connection on a firewall that does not meet the serial number criterion indicated in the address book, the monitor will inform you that you are attempting to connect to an unknown firewall. You will also be asked if you wish to add this serial number to the list of authorized firewalls. Verify the information displayed in the monitor before accepting such a request.
Once this information has been entered, you may save it using the Save button. To open a session on one of the Firewalls from the address book, click on its name then on the OK button, or simply double-click on the name of the Firewall.
WARNING: If you modify the "Address book is encrypted" option, the address book has to be saved once more to apply t
101. nning with 45
Packet sizes vary according to the firewall model:
S: 64 bytes (U30 to U70)
M: 128 bytes (U120 to U450)
L: 1500 bytes (U1100 to U1500 and NG1000-A)
XL: 1500 bytes (U6000, NG5000-A)
WARNING: To view a packet, a software program needs to be installed on your workstation.
NOTE: The logs will now be displayed for models without hard drive.
4.2 VULNERABILITY MANAGER
4.2.1 Introduction
NETASQ VULNERABILITY MANAGER is a module that allows network administrators to gather information in real time and to analyze it in order to spot possible vulnerabilities that may compromise the security of their networks. Among other things, it also allows raising alarms generated by ASQ and thus maintaining an optimal security policy.
NETASQ VULNERABILITY MANAGER collects and archives in particular information relating to the operating system, to the various active services, as well as to the different applications that have been installed. As a result, descriptive profiles can be made of network elements.
The following are NETASQ VULNERABILITY MANAGER's aims:
To configure your company network's security policy
To analyze the status of the risk
To optimize the level of security
To report security events
The procedure is as follows: NETASQ's intrusion prevention engine ASQ extracts data in real time using network protocols that it
102. ntaining Major.
NOTE: Using this option will replace all the current filters on the columns.
Indicates the name of the source host. If this option is selected, the Hosts menu will open.
Allows quarantining the source host for a fixed period of 1 minute, 5 minutes, 30 minutes or 3 hours.
Vulnerability Manager
In the Vulnerability tab, 3 contextual menus can be opened:
When right-clicking against a line detailing a vulnerability
When right-clicking against a line detailing a host
When right-clicking against the help zone
Contextual menu relating to a vulnerability
Right-clicking against a line containing a vulnerability will bring you to the contextual menu that will allow you to:
Filter this column by this criterion: This option allows restricting the list of results to the selected field. For example, if the data is filtered by the priority Major, the administrator will get all the lines containing Major.
NOTE: Using this option will replace all the current filters on the columns.
Filter only this column by this criteria: This option allows you to restrict the list of the results pointed to by the cursor. Example: If your cursor pointed to the destination website consulted, the displayed list will only present the elements containing this destination website.
Contextual menu relating to a host
Right-clicking against a line containing a host will bring yo
103. Figure 4: Importing the address book (Windows file dialog; file type: Address book file (*.dat))
Select the file to import.
REMARK: The file to import should be in .dat format.
Click on Open.
1.2.3.5 Exporting an address book
The procedure for exporting an existing address book is as follows:
Click on Export. The following window will appear.
Figure 5: Exporting the address book (Windows file dialog; file type: Address book file (*.dat))
Select the file to export.
REMARK: The file to export should be in .dat format.
Click on Save.
1.2.3.6 Search
The search covers all information found in the columns. Information can be filtered on a column and the search can then be refined.
Examples:
Filter on the Address column containing 129; a list of results will appear. Next, launch a global search by refining according to address.
Filter on the Address column beginning with 10.2, then search from the displayed addresses the hosts with addresses beginning with 10
104. olumns.
Filter only this column by this criteria: This option allows you to restrict the list of the results pointed to by the cursor. Example: If your cursor pointed to the destination website consulted, the displayed list will only present the elements containing this destination website.
Remove user from ASQ: Enables deleting the user's ASQ information. This may be useful especially if a user has been affected by an attack. The Monitor modify privilege is necessary. A message will appear asking you to confirm this action.
Copy to the clipboard: Copies the selected line to the clipboard. Data can be copied in two different ways: 1. A single line is selected; in this case this line as well as the lines of details will be copied. 2. Several lines are selected; in this case only these lines will be copied to the clipboard.
Contextual menu from right-clicking against the administration sessions zone
Copy to the clipboard: Copies the selected line to the clipboard. Data can be copied in two different ways: 1. A single line is selected; in this case this line as well as the lines of details will be copied. 2. Several lines are selected; in this case only these lines will be copied to the clipboard.
2.1.5.2.8 Quarantine - ASQ Bypass
2 contextual menus can be opened in this window:
When right-clicking against the Quarantine zone
When right-clicking against an AS
105. on and authentication algorithm.
7 LOGS
7.1 STATUS OF USE
A graph represents the current size of the log file in real time (Alarms, Authentication, Connections, Filters, FTP, Monitor, Plugins, POP3, VULNERABILITY MANAGER, Administration, SMTP, System, IPSec VPN, Web, SSL VPN) in relation to the size allocated on the Firewall for each log type.
DEFINITION OF LOGS: Chronological record of a computer's activity which makes up a journal of events that took place in programs and systems over a given period.
7.2 LOG TYPES
7.2.1 VPN
Figure: VPN logs window (NETASQ REAL-TIME MONITOR; columns: Date, Error level, Phase, Source, Destination, Message, Peer identity, In SPI, Out SPI, Cookie in/out, Role, Remote network, Local network; the sample rows show phase 2 tunnels between Firewall_bridge and gw with the message "Phase established", their SPI and cookie values, and the role initiator)
106. pplication tab, 2 contextual menus can be opened:
When right-clicking against a line detailing an application
When right-clicking against a line detailing a host
Contextual menu for a line containing an application
Right-clicking against a line containing an application will bring you to the contextual menu that will allow you to:
Filter this column by this criterion: This option allows restricting the list of results to the selected field. For example, if the data is filtered by the priority Major, the administrator will get all the lines containing Major.
NOTE: Using this option will replace all the current filters on the columns.
Filter only this column by this criteria: This option allows you to restrict the list of the results pointed to by the cursor. Example: If your cursor pointed to the destination website consulted, the displayed list will only present the elements containing this destination website.
Copy to the clipboard: Copies the selected line to the clipboard. Data can be copied in two different ways: 1. A single line is selected; in this case this line as well as the lines of details will be copied. 2. Several lines are selected; in this case only these lines will be copied to the clipboard.
Filter this column by this criterion: This option allows restricting the list of results to the selected field. For example, if the data is filtered by the priority Major, the administrator will get all the lines containing Major. Caution: this is a new filter system.
NOTE: Using this option will replace all the current filters on th
107. r the rule that contains this indication.
3.2.8 Alarms
This view indicates the number of major and minor alarms during the past 15 minutes that the product has been connected. The maximum value indicated is 100, even if the number of alarms exceeds this value. To view the alarms, click on either link of your choice; the Events menu will appear and will set out the list of alarms according to the selected criticality.
3.2.9 VPN Tunnels
This view indicates the number of configured VPN tunnels. To view a list of configured VPN tunnels, click on the link; the VPN Tunnels menu will appear.
3.2.10 Active Update
This view indicates the status of updates that have been performed (success or failure) as well as the last time the Active Update module had been launched (date and time). To view a list of updates and their status, click on the link; the Active Update menu will appear.
3.2.11 Logs
This window indicates whether there are problems with the logs. To view a graph that represents the current size of the log file in real time (Alarms, Authentication, Connections, Filters, Monitor, Plugins, POP3, VULNERABILITY MANAGER, Administration, SMTP, System, IPSec VPN, Web, SSL VPN) in relation to the space allocated to each log type on the firewall, click on the link. The Logs menu will appear.
3.2.12 Services
This zone indicates whether there are problems with the services. To view a list of serv
108. regexp.html
E.g. if c is entered, the system will search for all occurrences of c.
... the search will be conducted for A or B or C or D. If [A-D] is entered, the search will be for ABCD; if [A-Z] is entered, the search will be for all capital letters.
Events can therefore be filtered according to one or several values. For example: displaying events using the protocol HTTP or HTTPS. It is also possible to negate a criterion by selecting the option No. For example: displaying all entries except if the protocol is HTTP.
Columns can be resized according to their contents (option "Adjust columns to fit contents"). Furthermore, the administrator can sort the table by clicking on the column by which he wishes to sort.
2.1.5.2 Contextual menu on lines
Right-clicking against a line will display a contextual menu that allows various operations. The options offered vary according to the table.
2.1.5.2.1 Overview
3 contextual menus can be opened in this window:
When right-clicking against a firewall
When right-clicking against an empty zone in the list of firewalls
When right-clicking in the Connection logs view
Contextual menu relating to a firewall
... report the following information at any given moment: system information, memory
109. rt
Destination folder: Enables selecting the destination folder for the report. The Reset button allows you to reset the directory for storing reports.
Number of events: Allows defining the number of events desired when generating the report. By default the value is set to 500 lines.
REMARK: The report can be generated by right-clicking on a line in the Overview menu and by selecting the option "Generate a web report".
The report contains the following information:
Figure 16: Synthesis report (screenshot of the generated web report for NETASQ Firewall 10.2.15.251)
It displays information regarding the firewall for which you intended to generate a report. By clicking on a link in the list, the information will be displayed in table or graph form. In the example below, information on memory is displayed.
Figure 17: Memory information (table "Memory - Top n", column Value: Host 8, Fragment 0, ICMP 0, Connections 1, Data tracking 0, Dynamic 10)
110. s
<filter rule>: filter rule created by
6.2 VPN POLICY
Definition: VPN (Virtual Private Network): The interconnection of networks in a secure and transparent manner for participating applications and protocols, generally used to link private networks to each other through the internet.
Figure: VPN policy window (Firewall 10.2.0.1; columns: Source router, Direction, Protocol, Destination router, Destination, Level; the sample rows list policies from Firewall_bridge to gw.labo.netasq.com with level "unique" and a numeric identifier)
111. s. Each line represents a connection.
The Connections view displays the following data:
Time: Indicates the date and time of the object's connection.
...
Sent: Number of KB sent during the connection.
...
4.3.6 Events view
Figure 40: Hosts - Events (columns: Date, Log date (UTC), Action, Priority, Rule, User, Protocol, Source, Source address, Destination interface, Destination address)
This view allows you to view all the events that the firewall has detected. Each line represents an alarm.
The information provided in the Events view is as follows:
Date/time: Date and time the line was recorded in the log file, at the firewall's local time.
...
Priority (pri): Determines the alarm level. The possible values are: 0 emergency, 1 alert, 2 critical, 3 error, 4 warning, 5 notice, 6 information
112. s period begins with effect from the date on which the product is activated.
b) Software: NETASQ Software products ("Software") are warranted for a period of 90 days, unless otherwise stated at purchase, from the date of the product's activation, to be free from defects and to operate substantially according to the manual as it exists at the date of delivery, under the operating system versions supported by NETASQ. NETASQ does not warrant its software products for use with operating systems not specifically identified.
c) Default: NETASQ's entire liability and your exclusive remedy shall be, at NETASQ's option, either a return of the price paid for this License or Product, resulting in termination of the agreement, or repair or replacement of the Product or media that does not meet this limited warranty.
d) Warranty: Except for the limited warranties set forth in the preceding paragraph, this product is provided "as is" without warranty of any kind, either expressed or implied. NETASQ does not warrant that the product will meet your requirements or that its operation will be uninterrupted or error-free. NETASQ disclaims any implied warranties of merchantability or fitness for a particular purpose or non-infringement.
e) Recommendations: In no event will NETASQ be liable to you or any third party for any damages arising out of this agreement or the use of t
113. shboard of the desired firewall will appear.
3.2.3 System information
Firewall name: Name given to the product when it was registered in the address book.
... partition
Active Partition: Partition on which the firewall was booted.
... partition
Model: Firewall's model number.
3.2.4 Memory
This refers to the use (in percentage) of memory reserved for storing information (buffer). The buffer is linked to the stateful module and corresponds to saving the context.
Host: Host stack
...
Buffer sizes vary according to product type and product version. Cleaning algorithms optimize the operation of the Hosts, Fragmented, ICMP and Connections buffers. Entries in the Fragmented and ICMP buffers are initialized at fixed intervals (each entry has a limited lifetime, TTL). This illustrates part of the Firewall's activity. A high percentage may mean the Firewall is overloaded or that an attack has been launched.
3.2.5 CPU
DEFINITION: Better known as a processor, this is the internal firewall resource that performs the necessary calculations.
114. st a line containing an interface will bring you to the contextual menu that will allow you to:
Filter by these criteria: This option allows restricting the list of results to the selected field. For example, if the data is filtered by the priority Major, the administrator will get all the lines containing Major.
Filter only this column by this criteria: This option allows you to restrict the list of the results pointed to by the cursor. Example: If your cursor pointed to the destination website consulted, the displayed list will only present the elements containing this destination website.
Display hosts associated with this interface: This option allows displaying the list of hosts that have the same interface.
2.1.5.2.6 Quality of Service
Please refer to chapter QUALITY OF SERVICE (QoS).
2.1.5.2.7 Users
2 contextual menus can be opened in this window:
When right-clicking against the users zone
When right-clicking against an administration sessions zone
Contextual menu from right-clicking against the users zone
Filter this column by this criterion: This option allows restricting the list of results to the selected field. For example, if the data is filtered by the priority Major, the administrator will get all the lines containing Major.
NOTE: Using this option will replace all the current filters on the c
115. te
Copy to the clipboard: Copies the selected line to the clipboard. Data can be copied in two different ways: 1. A single line is selected; in this case this line as well as the lines of details will be copied. 2. Several lines are selected; in this case only these lines will be copied to the clipboard.
Contextual menu for a line containing an event
Filter by these criteria: This option allows restricting the list of results to the selected field. For example, if the data is filtered by the priority Major, the administrator will get all the lines containing Major.
NOTE: Using this option will replace all the current filters on the columns.
Filter only this column by this criteria: This option allows you to restrict the list of the results pointed to by the cursor. Example: If your cursor pointed to the destination website consulted, the displayed list will only present the elements containing this destination website.
View the host: The Hosts menu directory will open to display additional information on the detected host. During pre-filtering, the host concerned will be selected. The data will be filtered according to the hostname if available, or by its address.
Copy to the clipboard: Copies the selected line to the clipboard. Data can be copied in two different ways: 1. A single line is selected; in this case this line as well as the lines of details will
116. tem
Operating System
Figure 32: VULNERABILITY MANAGER - Application (applications view with columns Name, Application, Type, Operating system; hosts view with columns Name, Application, Type, Operating system, Port, Internet Protocol; the sample rows list hosts in 10.2.x.x running Adobe Update Client)
The Applications tab provides information on the applications detected within the enterprise. Two types of application may be detected:
Products: these are client applications installed on the host (e.g. Firefox 1.5).
Services: these are server applications that are attached to a port (e.g. OpenSSH 3.5).
Using information detected by the ASQ engine, NETASQ VULNERABILITY MANAGER generates information about the detected applications. The addition of this feature allows grouping applications by family, so by pairing such information with the vulnerability database, NETASQ VULNERABILITY MANAGER also suggests probable security loopholes linked to these applications.
This tab offers features that include filtering, optional column display, resizing to fit contents and copying of data to the clipboard. It displays information on the detected applications through the columns that can be seen in the window above.
The window comprises 2 views:
1. A view that lists the applications
2. A detailed view that lists the hosts
4.2.3.1 Applicat
117. tem: The OS that NETASQ VULNERABILITY MANAGER uses for detecting vulnerabilities on a host. The OS of a host may sometimes not be detected.
Detected operating system: OS that NETASQ VULNERABILITY MANAGER detects after performing a traffic scan on a host. The Restore button allows removing the OS indicated by the user and reverting to the OS detected by NETASQ VULNERABILITY MANAGER.
... MANAGER, it is possible to impose it by selecting it from the suggested list. In this case, 2 situations may arise:
You are unable to specify the correct version (examples: Android, Blackberry, etc.). In this case the Version field will remain grayed out. Click on OK in order to force the OS to accept this value.
You are able to specify the version (example: Linux). In this case the Version field will be modifiable and you will be able to enter a version number (example: 2.6). Next, click on Validate. If VULNERABILITY MANAGER detects the version, a name will appear (example: Linux 2.6.14). To finish, click on OK in order to confirm your selection.
Imposing the host's OS when it has not been detected will allow, in particular, viewing the vulnerabilities of services and products according to the system.
Copy to the clipboard: Copies the selected line to the clipboard. Data can be copied in two different ways: 1. A single line is selected; in this case this line as well as the lines of details will be copied. 2. Se
118. the interface. The colors allow you to distinguish the interface in the different graphs. By default its value is 0. The throughput of a network interface can be configured via NETASQ UNIFIED MANAGER.
REMARK: Inactive interfaces are grayed out.
You will notice the colors of the visible interfaces at the top of the window. These colors are defined in the network parameters of the NETASQ UNIFIED MANAGER for each interface (refer to the NETASQ UNIFIED MANAGER user manual).
4.4.3 Details view
Each chart provides statistical information on throughput for each interface:
Name
IP address, subnet mask (American format, see Appendix for explanations), connection type (10 or 100 Mbits, half duplex or full duplex)
Instantaneous (left) and maximum (right) throughput
Number of packets and volume in bytes for TCP, UDP and ICMP
Number of TCP connections
Total number of packets accepted, blocked and fragmented by the Firewall
4.4.4 Bandwidth tab
The bandwidth graph displays the percentage of use of the available bandwidth on each interface in real time.
Figure 43: Interfaces - Bandwidth (graph with tabs Bandwidth, Connections, Throughput; horizontal axis: Time elapsed)
Each interface is represented by a different color, of which the legend may be fou
119. there is a virus in the e-mail. Some of the possible values are "clean" and "infected".
Filter: Is used for filter-generated logs; an entry is recorded each time a filter rule set to Log applies to the traffic passing through the Firewall, and its source is NETASQ's IPS engine, ASQ. Example: The Firewall's ASQ kernel logs the event of filter rule 3, which has been set to Log, being used for the treatment of a packet passing through the Firewall.
The information saved in this log file is as follows:
... the value "firewall"
Date and time: Date and time the line was recorded in the log file, at the firewall's local time. Example: fri 9 march 15:46:04 2007.
Priority (pri): Determines the alarm level. The possible values are: 0 emergency, 1 alert, 2 critical, 3 error, 4 warning, 5 notice, 6 information, 7 debug.
Rule number: Rules are numbered in order. This number allows uniquely identifying the rule, within the filter slot, that was involved in raising the alarm. Example: 24.
Source interface (srcif, srcifname)
Source port (srcport, srcportname)
Destination (dst, dstname)
Destination port (dstport, dstportname)
Identifier of the authenticated user (FTP); e-mail address of the sender (SMTP); identifier of the user if authentication has been enabled (WEB)
Name of the firewall interface on which
120. tiple Memory Corruption and Information Disclosure
Figure 30: VULNERABILITY MANAGER (vulnerabilities view, with a sample row of type Web Client, exploitation Remote, dated 04/02/2011; hosts view with columns Assigned, Name, Application, Type, Detail, Operating system, Port, Internet Protocol, whose sample rows list 10.2.x.x hosts running JRE 1.6.0_07 or 1.6.0_03 clients on FreeBSD and Unix, assigned on 09/01/2012 12:38:00; status line: Within the last 15 minutes: Vulnerabilities 2, Information 6, New hosts 2)
The window has 3 views:
A view of the list of vulnerabilities
A view of the list of hosts affected by this vulnerability
A view allowing the resolution of the selected vulnerability, if a solution exists
4.2.2.1 Vulnerability(ies) view
This view allows you to view all the vulnerabilities that the firewall has detected. Each line represents a vulnerability.
REMARK: The number of vulnerabilities is displayed in the tab's label.
The information provided in the
to get back the same information window for each firewall and thus make simultaneous comparisons.

2.1.7 Button bar
Figure 10: Button bar (buttons: Refresh, Show help, Firewall, Duplicate)
This bar appears in most menus in Monitor.

2.1.7.1 Refresh
This button allows you to reinitialize the list displayed: Alarms, VULNERABILITY MANAGER, Hosts, Interfaces, Quality of Service, Users, Quarantine, VPN Tunnels, Active Update, Services, Hardware, Filter Policy, VPN, Logs.

2.1.7.2 Show/Hide help
This button allows you to show or hide a help screen. Subsequently, you only need to click on the selected line to get help when necessary.

2.1.7.3 Firewall
This drop-down menu allows you to filter the list of alarms on a selected firewall.

2.1.7.4 Duplicate
The window can be duplicated using the button found in it. This comes in handy especially when you wish to change the target firewall (or <all>) and view

2.1.8 Search engine
The search zone is presented in 2 different formats:
1st format: the bar shown below can be seen on all screens except for the Events screen.
Figure 11: Search zone
2nd format: the bar below appears in the Events menu.
Figure 12: Search zone (Events)
The Filters button contains the filters defined by the application and allows obtaining only the
tor
Products concerned: U30, U70, U120, U250, U450, U1100, U1500 and U6000, NG1000-A, NG5000-A, VS5, VS10, V50, V100, V200, V500, VU

FOREWORD
1 INTRODUCTION
1.1 BASIC PRINCIPLES
1.1.1 Who should read this user guide
1.1.2 Typographical conventions
1.1.3 Vocabulary used in this manual
1.1.4 Getting help
1.1.5 Introduction to NETASQ REALTIME MONITOR
1.2 CONNECTION
1.2.1 Access
1.2.2 Connection
1.2.3 Address book
2 GETTING FAMILIAR WITH NETASQ REAL TIME MONITOR
2.1 PRESENTATION OF THE INTERFACE
2.1.1 Main window
2.1.2 Description of icon
2.1.3 Menus
2.1.4 Menu directory
2.1.5 Result display zone
2.1.6 Status bar
2.1.7 Button bar
2.1.8 Search engine
4 REAL TIME INFORMATION
4.1 EVENTS
4.2 VULNERABILITY MANAGER
4.2.1 Introduction
4.2.2 Vulnerabilities tab
4.2.3 Application tab
4.2.4 Events tab
4.3 HOSTS
4.3.1 Host view
4.3.2 Vulnerabilities view
4.3.3 Applications view
4.3.4 Information view
4.3.5 Connections view
4.3.6 Events view
4.4 INTERFACES
4.4.2 Legend view or tabular view of interfaces
4.4.3 Details view
4.4.4 Bandwidth tab
4.4.5 Connections tab
4.4.6 Throughput tab
4.5 QUALITY OF SERVICE (QoS)
4.6 USERS
4.6.1 Introduction
4.7 QUARANTINE (ASQ BYPASS)
Win
ts which have a minor or major attribute are logged in this file; its source is NETASQ's IPS engine (ASQ).
Example: The Firewall's ASQ logs an attempted FTP bounce on a server protected by the Firewall; this traffic is blocked by default and raises a minor alarm.

The information saved in this log file is as follows:
Identifier (id): Identifier number of the alarm on the firewall.
Date and time: Example: fri 9 march 15:46:04 2007
Firewall (fw): Serial number or name of the firewall (if known) that caused the event.
Priority (pri): 0 emergency, 1 alert, 2 critical, 3 error, 4 warning, 5 notice, 6 information
Rule (slotlevel): Level of the filter rule: Local or Global.
Rule number: This number allows uniquely identifying the rule within the filter slot that was involved in raising the alarm. Example: 24
Source interface (srcif, srcifname): Name of the firewall interface (network card) on which the event was raised (source interface).
Source: IP address or name of the object corresponding to the source host of the packet that set off the alarm.
Source port (srcport, srcportname): Source port number of the service or the name of the object corresponding to the service port of the source host (only if TCP/UDP).
Destination (dst, dstname): IP address or name of the object corresponding to the destination host of the packet
u click on the Quality of Service menu.
QID: Name of the policy defined for accepting or rejecting packets.

4.6.1 Introduction
The User menu enables viewing, in the capacity of an administrator, the users who are currently connected on the Firewall.

Figure 47: Users (screenshot). The Users view has the columns Name, Group, Address and Timeout; the Administrative user sessions view has the columns User, Address and Session rights, with a sample session for user admin from 172.30.1.1 listing its session rights.

This window comprises 2 views:
A users view
An administration session view

4.6.1.1 Users view
The information provided in the users view is as follows:
Firewall: Serial number or name (if known) of the firewall.

4.6.1.2 Administration sessions view
This window enables finding out the session privileges of the user connected to the firewall. The information provided
u to the contextual menu that will allow you to:

Filter this column by this criterion: This option allows restricting the list of results to the selected field. For example, if the data is filtered by the priority Major, the administrator will get all the lines containing Major.
NOTE: Using this option will replace all the current filters on the columns.

Filter only this column by this criteria: This option allows you to restrict the list of the results pointed to by the cursor. Example: If your cursor pointed at the destination website consulted, the displayed list will only present the elements containing this destination website.

View the host: The Hosts menu directory will open to display additional information on the detected host. During pre-filtering, the host concerned will be selected. The data will be filtered according to the hostname, if available, or by its address.

Copy to the clipboard: Copies the selected line to the clipboard. Data can be copied in two different ways:
1. A single line is selected: in this case this line, as well as the lines of details, will be copied.
2. Several lines are selected: in this case only these lines will be copied to the clipboard.

Contextual menu in the help zone
Right-clicking against a help zone will bring you to the contextual menu that will allow you to:
Copy: Allows copying the help text in order to retrieve it later.
In the
REMARK: The other windows in the menu directory may contain the following buttons: Refresh, Show/Hide help, Firewall, Duplicate.

2.1.2 Description of icon
Connects via the address book
Connects to the selected firewall
Displays the dashboard of the selected firewall
List of connected hosts (IP address, interface to which the user is connected, amount of data transferred, number of connections, throughput used)
List of authenticated users (user name, IP, remaining time on authentication period)
List of alarms raised (major and minor)
List of active VPN tunnels
List of active services
Status of the Active Update module
Statistics
Vulnerability Manager

2.1.3 Menus
The main window contains the following menus: File, Windows, Applications and Help.
File: Allows you to connect to Firewalls and to access the application's general options.
NETASQ UNIFIED MANAGER and NETASQ EVENT REPORTER

2.1.4 Menu directory
Overview: This window lists the firewalls. Monitor opens in this window once the connection has been established.
The Console sub-menu: When the option Enable is selected in the menu Application parameters > Miscellaneous, in the console zo
uals NETASQ UNIFIED MANAGER, NETASQ REAL TIME and NETASQ EVENT REPORTER.

1.1.5 Introduction to NETASQ REALTIME MONITOR
NETASQ REAL TIME MONITOR allows you to visualize your Firewall's activity in real time and provides the information below:
Use of the Firewall's internal resources (memory, CPU, etc.)
List of raised alarms when vulnerabilities are detected
List of connected hosts and users
Real time alarms
Number of connections, bandwidth use, throughput
Information on the status of interfaces and VPN tunnels
Last logs generated
Use of disk space allocated to logs

With this tool you can connect to several Firewalls and supervise all of them.

NETASQ REAL TIME MONITOR provides a simple display of connections transiting via the Firewall, along with any alarms it has generated. Monitor can be shut down by clicking on the cross in the top right corner, but this does not stop it from operating. Clicking on the Monitor icon in the taskbar restores it.

By default, Monitor can only be run on a machine connected to the internal network and must be running permanently in order to avoid missing any alarms. You can use it remotely through the internet, but you would have to explicitly authorize the service Firewall srv in the filter rules.

1.2 CONNECTION
1.2.1 Access
There are 2 ways to launch the NETASQ REAL TIME MONITOR
umber allows uniquely identifying the rule within the filter slot that was involved in raising the alarm. Example: 24
Source interface (srcif)
Source interface name (srcifname): Name of the source interface (only if known).
IP (ipproto): Internet protocol (tcp or udp).
Source: IP address or name of the object corresponding to the source host of the packet that set off the alarm.
Source port (srcport, srcportname): Source port number of the service or the name of the object corresponding to the service port of the source host (only if TCP/UDP).
Destination (dst, dstname): IP address or name of the object corresponding to the destination host of the packet that set off the event.
Destination port (dstport, dstportname): Destination port number of the service or name of the object corresponding to the service port of the destination host, if it exists and is requested for this connection.
Destination interface (dstif, dstifname)
User (user): Identifier of the authenticated user (FTP), e-mail address of the sender (SMTP), identifier of the user if authentication has been enabled (WEB).
Sent: Number of KB sent during the connection.
Connection group (groupid)
Operation (op): Identified command of the protocol. FTP: PUT, MPUT, GET, DELETE; HTTP: GET, PUT, POST; EDONKEY: SENDPART; POP3: RETR, LIST; FTP: DELETE, LIST
Result: Result of the operation in the protocol (exampl
ve: This alarm is raised whenever the intrusion prevention system detects a sensitive packet for which it has been configured in intrusion detection mode. If the alarm is sensitive, an icon in the form of an exclamation mark followed by Yes will appear. Otherwise, No will be indicated. When the alarm is blocked, the icon will be grayed out (it is disabled).
NOTE: Only protocol alarms can be described as sensitive. For alarms that are not in this class, the column will be empty.

Copy (repeat): Indicates the number of an event's occurrences within a defined period. This period is configured in NETASQ UNIFIED MANAGER in the menu Logs > Advanced, option Write log duplicates every.
Id (alarmid): Indicates the number of the alarm.
filter, etc.
Alarm type (classification): Code number indicating the alarm category.
and the nature of the message could not be determined.
Virus (virus): Indicates whether there is a virus.
Packet: Indicates the IP packet for which the alarm was raised. Right-clicking on this packet allows it to be viewed through a packet analyzer. The inform
veral lines are selected: in this case only these lines will be copied to the clipboard.

Contextual menu in the Vulnerabilities tab
Filter this column by this criterion: This option allows restricting the list of results to the selected field. For example, if the data is filtered by the priority Major, the administrator will get all the lines containing Major.
NOTE: Using this option will replace all the current filters on the columns.
Filter only this column by this criteria: This option allows you to restrict the list of the results pointed to by the cursor. Example: If your cursor pointed at the destination website consulted, the displayed list will only present the elements containing this destination website.
Copy to the clipboard: Copies the selected line to the clipboard. Data can be copied in two different ways:
1. A single line is selected: in this case this line, as well as the lines of details, will be copied.
2. Several lines are selected: in this case only these lines will be copied to the clipboard.

Contextual menu in the Applications tab
Filter this column by this criterion / Filter only this column by this criteria: This option allows restricting the list of results to the selected field. For example, if the data is filtered by the priority Major, the administrator w
vulnerability view is as follows:
Firewall: Serial number or name (if known) of the firewall at the source of the vulnerability.
levels: Low, Moderate, High, Critical
Name: Indicates the name of the vulnerability.
hosts
Family: Family to which the vulnerability belongs. See Appendix D, Sessions and user privileges.
WARNING: This refers to the date on which the vulnerability was discovered and not the date on which it appeared on the network.

4.2.2.2 Hosts view
This view allows you to view all the vulnerabilities for a given host. Each line represents a host.
The information provided in the Hosts view is as follows:
Affected: Date on which the host was affected.

4.2.2.3 Help zone
The help zone allows you to get more details relating to the attack, so that the administrator can correct the vulnerability. Click on the Show help button to show or hide the help zone associated with a vulnerability. Typically, help comes in the form of a descriptive
wn menu indicates the last screens visited and identifies the current screen with a

2.2.3 Applications
The Applications menu enables connecting to other applications in the NETASQ Administration Suite. Using the two shortcuts provided has the added advantage of not having to reauthenticate on both applications.
Launch NETASQ UNIFIED MANAGER
Launch NETASQ EVENT REPORTER: Enables opening the NETASQ EVENT REPORTER module from the Administration Suite.

2.2.4 Help
Help: Opens a page that accesses your secure access area to allow you to obtain documentation.
About: Provides information on the monitor in use (version number, credits).

2.3 APPLICATION SETTINGS
Certain parameters can be configured in the NETASQ REAL TIME MONITOR application. Select the menu File > Application settings; the parameters window will appear.

2.3.1 Behavior at startup
This tab offers the different options that enable configuring the application's behavior at startup.
Figure 13: Behavior at startup (Settings window with the tabs Behavior at startup, Address book and Miscellaneous; options Direct connection and Connect automatically to data sources: None)
Direct connection: If this option is selected, the direct connection window will open when Monitor starts up. It will enable you to enter the IP address of the desired firew
ws:
Addresses: IP address of the host(s) affected by the quarantine.

4.7.2 ASQ Bypass view
The information provided in the ASQ Bypass view is as follows:

5 NETWORK ACTIVITY
5.1 VPN TUNNELS
The following window appears when you click on the VPN Tunnels menu.
Screenshot: VPN Tunnels window, with the columns Source, Source address, Bytes, Destination, Status, Lifetime, Authentication and Encryption. The sample rows show tunnels from Firewall_bridge (10.2.0.1) with a status of mature or dying, a remaining lifetime, hmac-sha1 authentication and aes-cbc encryption.
Screenshot: Events window, with the columns Date, Action, Priority, Config, Policy, User, Source, Src port num, Destination, Dst port and Dst port num. The sample rows show Connection, Protocol, Web and SSL log lines of priority Notice, for example 14:54:41, Connection, Notice, Config01, 10.2.37.1, 57753, Firewall_loopba, domain_udp, 53.
x lifetime
Negotiated SAs

VPN: Date, Identity of remote peer, Error level, Spi Out, Phase, Spi In, Source, Cookie (incoming/outgoing), Source address, Role, Destination, Remote network, Destination address, Local network, Message
System: Date, Service, Message

Appendix F: The Details column in the Events menu
The Details column seen in the Events menu groups information relating to the type of log. The detail may be related to alarm, connection, VoIP, web, mail, FTP or even filter logs. The Details column groups in a single column information visible in other columns.

Alarm:
Sensitive alarm (sensitive)
Copy (repeat): number of copies of the event groups in the event line
Slotlevel: indicates whether the log had been started by an implicit (0), global (1) or local (2) rule
Rule (Ruleid): identifier of the rule that set off the log

Connection:
Sent: amount of data sent
Received (rcvd): amount of data received
Duration: duration of the connection

VoIP:
Caller, Callee (caller, callee)
Sent: amount of data sent
Received (rcvd): amount of data received
Duration: duration of the connection

WEB:
Message (msg): detailed description of the alarm. All commands sent by the client are found here. Sensitive information such
Appendix D: SA states
Undetermined
longer active.
Orphan: A problem has arisen; in general, this status means that the tunnel has been set up in only one direction.

Appendix E: Sort criteria
For each menu in NETASQ REAL TIME MONITOR, a Column field will enable sorting. The sorting criteria vary according to the menu.

Overview: Auto connection, Backup version, Read only, Latest alarms, Status, Vulnerabilities, Name, Global filter, Address, Filter, User, VPN, Model, URL, Firmware, NAT, Active Update, Uptime, VULNERABILITY MANAGER, Session, Antivirus, Comments

Event: Firewall, Sensitive alarm, Date, Copy, UTC Date, ID, Start date, Context, UTC Start date, Alarm type, Timezone, Caller, Logs, Callee, Action, Duration, Priority, Data sent, Rule, Data received, User, Operation, Protocol, Result, Connection group, Parameter, Source interface, Category, Source, Spam level, Source address, Virus, Source port, Destination interface, Media, Destination, Message, Destination address, ICMP Code, Destination port, ICMP Type, Details

Vulnerability manager: Data source, Targ