BaseWall VPN 6000 user manual version 33 (2005-11-11)
Title: BaseWall VPN 6000 user manual
Revision: 33 (05-11-11)
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form, or by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior written consent of the publisher.
Microsoft® and Windows® are trademarks of Microsoft Corporation in the United States and other countries. Apple® and Mac OS® are trademarks of Apple Computer, Inc., registered in the U.S.
Table of Contents
1 Installation
1.1 Requirements
1.2 Getting to know your BaseWall VPN 6000
1.2.1 Front
1.2.2 Back
5.1 Manage the Intrusion Prevention System
5.2 Adding a host or network to the blacklist
5.3 Removing from blacklist or whitelist
6 Wizard: VPN IPSec tunnels
6.1 VPN IPSec tunnels
15 Logs
15.1 External logging
16 Statistics
17 Virusscanner status
1 Installation
1.1 Requirements
To ensure a smooth installation of your BaseWall VPN 6000, make sure you have all the necessary equipment and information ready.
➔ Use a UTP RJ45 cross cable to connect the firewall's FLEX1 port (7) to a network connector on your PC or notebook. It is also possible to create a two-computer LAN with the use of a UTP hub or switch.
➔ Switch on the PC or notebook. The FLEX1 connection LED above the FLEX1 port (8) should come on. If this LED does not come on, please refer to section 1.13 (Errors and recovery).
1.
➔ In the “Control panel”, double click the “Network and Dial-up Connections” icon. The window “Network and Dial-up Connections” should open.
➔ In the “Network and Dial-up Connections” window, double click the “Local Area Connection” icon. The “Local Area Connection Status” window should open.
➔ In the “Local Area Connection Status” window, click the “Properties” button. The “Local Area Connection Properties” window should open.
➔ In this window, select “Internet Protocol (TCP/IP)” (the blue line in the example below).
➔ Click the “Properties” button.
The window “Internet Protocol (TCP/IP) Properties” should open.
➔ Make sure settings in this window are as specified in the example above (check “Obtain an IP address automatically” and “Obtain DNS server address automatically”).
➔ Click the “OK” button to confirm your changes.
➔ To verify your settings, open a “Command Prompt” (from the “Start” menu, through “Programs”, in the “Accessories” sub menu).
➔ If the “IP Address” line does not list an address starting with 192.168.99, please try typing:
    ipconfig /renew
This should force the PC or Notebook to request a new network address. If you still fail to get an “IP Address” in the correct range, please refer to section 1.13 (Errors and recovery).
Enabling DHCP using Windows® XP
➔ Using the Windows® “Start” menu (and Settings sub menu), open the “Control Panel”.
➔ In the “Network Connections” window, double click the “Local Area Connection” icon. The “Local Area Connection Properties” window should open.
➔ In the “Local Area Connection Properties” window, select “Internet Protocol (TCP/IP)” (the blue line in the above example).
➔ Then press “Properties”.
The “Internet Protocol (TCP/IP) Properties” window should open.
➔ In the “Internet Protocol (TCP/IP) Properties” window, make sure settings are as in the above example (“Obtain an IP address automatically” and “Obtain DNS server address automatically” are selected).
➔ Press the “OK” button to confirm your new settings.
➔ To verify your settings, open a “Command Prompt” (from the “Start” menu, through “All Programs”, in the “Accessories” sub menu).
This should force the PC or Notebook to request a new network address. If you still fail to get an “IP Address” in the correct range, please refer to section 1.13 (Errors and recovery).
Enabling DHCP using Mac OS® X
➔ From the Apple® menu, choose “System Preferences”, then “Network”. The Network window should open.
➔ In the “Network” window, make sure the “Show” box is set to show “Active Network Ports”.
➔ Drag “Built-in Ethernet” to the top of the list.
➔ Now select the “TCP/IP” tab.
➔ Switch the “Configure” box to “Using DHCP”.
➔ Verify that the “IP address”, “Subnet Mask” and “Router” settings are as shown (192.168.99.101, 255.255.255.0 and 192.168.99.99 respectively).
➔ Click “Apply Now” to confirm your changes.
1.4.2 Log in on the firewall management interface
➔ Open a web browser on the PC or Notebook you have just configured.
➔ Enter the address “https://192.168.99.99:12000” into the address bar.
1.5 Basic screen layout
Once you have logged in to the firewall's management interface, you should see the following welcome screen. The firewall has two modes of operation. One shows the current status of the firewall and one is for configuration. A red area in the upper left-hand corner of the screen indicates we are looking at the “Current Status” (1) of the firewall.
The configuration window has a different layout. The left bar now contains a list of wizards and there are now different tabs: “CONFIG”, “NETVIEW”, “MAIL” and “PROXY”. The current window shows the factory configuration of the firewall, with the current network 192.168.99.0, where the firewall occupies the IP address 192.168.99.99. There are 2 Internet connections defined, but with initial values.
settings. However, for a first install, we do not consider this a problem.
➔ Click “next”.
1.6.1 Setting up your LAN connection
The first step after starting the wizard is to set up your LAN (Local Area Network) connection. This is the connection between the firewall and your local network. As a firewall, the BaseWall VPN 6000 should serve as a buffer between your Internet connections (WAN or Wide Area Network connections) and your local network (or LAN).
already have a local network, then this network address should have a predefined value (if uncertain, contact your network administrator). In this case, please note that BaseWall VPN 6000 displays the net mask as a number of bits, not in the 255.255.255.0 format. If you do not have a local network, then you need to pick an address for your local network first. There are a number of possible network addresses set aside for use in a local network.
1.6.2 Setting up your default Internet connection
The next step in the wizard is to set up your WAN (Wide Area Network) connections. These are your connections to the Internet. The BaseWall VPN 6000 allows for two WAN connections, one default connection and one fall back. The default connection we name WAN1 (and we will eventually connect the modem or router to the WAN1 network port).
standard gateway address by your Internet service provider (ISP), please choose “Static/NAT” instead. Be sure to have the connection details provided by your ISP at hand, because you will need these in the next screen. Some Internet providers may have you authenticate before connecting to the Internet, preferring to use PPTP or PPPoE. If you have such a connection, choose “PPTP/PPPoE”.
Setting up WAN1 using a PPTP or PPPoE connection
PPTP and PPPoE Internet connections are not identical, but since both require user authentication, the options to enter are much the same.
➔ Enter the type of Internet connection (PPTP or PPPoE) after the text “Please choose the type of connection”. (In the example screen below, we use PPTP. Please remember that this procedure also applies to PPPoE connections.)
1.6.4 Confirming and applying results
After we have set up our LAN and our default and fall back Internet connections, the “First Install” wizard is done.
➔ In the final confirmation screen, click “done” to close the wizard.
The top left-hand corner of the screen of our firewall's management interface should now show the text “Unapplied changes”. Changes made in the “First install” wizard are only made permanent once you click this text.
management interface after applying changes, we will need the firewall's new IP address.
➔ Make sure you have the firewall's new IP address (in the local network) written down.
➔ Click “Apply changes”.
If you used the “First install” wizard to alter the firewall's IP address on the local network, then we will lose our connection to the firewall after applying changes. The next paragraph deals with re-establishing the connection.
1.6.
1.7 Backup sets
The new settings you've just applied have been stored in the firewall as current configuration, but also as a “backup set”. A “backup set” is a snapshot of the BaseWall VPN 6000's configuration in a single file. These backup sets can be uploaded to the firewall, or downloaded from the firewall. Thus it is possible to send or receive an entire firewall configuration in a single file.
Whenever you contact support personnel about a problem with your configuration, they may ask you to send a backup set containing your current firewall settings.
1.8 Advanced configuration
The wizards on the firewall are able to handle most of the configuration of the firewall. But when the configuration from the wizards is not enough, the advanced configuration can provide access to the underlying rules of the firewall.
1.10 Setting the firewall's time and date
The configuration of your BaseWall VPN 6000 is not fully complete until you have set the correct time and date. It is customary for computers connected to the Internet to use the network time protocol (NTP) to regularly update their date and time.
➔ Click on the red text “Current Status” on the left hand side of the screen to enter the “Current Status” context.
1.11 (Optionally) disable the firewall's DHCP server
By default, the BaseWall VPN 6000 is set to use a DHCP server to automatically configure network addresses of computers in your local network. This could, potentially, cause problems if you have another DHCP server running in your network. Any local network may only contain one DHCP server at a time.
➔ Power down the firewall (using the power switch on the back of the device).
➔ Power down your notebook or laptop.
➔ Detach the network cables from the PC or notebook and the firewall.
➔ Using one of the bundled RJ45 UTP cables, connect the WAN1 interface to the router or modem used for your primary (default) Internet connection.
1.13 Errors and recovery
Symptom: I did not hear three beeps.
Check/Solution: Check power cable and ensure wall socket has power. Power off the device. Wait 30 seconds. Switch the device on again. If the device fails to beep again the hardware may be at fault. Contact your sales representative for support.
Symptom: The FLEX1 connection LED doesn't light up when I connect my notebook/PC.
Check/Solution: Check the cable connection.
2 Wizard: Internet connections
The wizard “Internet connections” is intended to help you manage your Internet connection settings. With it you can add a new Internet connection or modify an existing one. You can open the wizard “Internet connections” from the firewall's management interface, by entering the “Configuration” context and clicking the text “Internet connections” right below the “Setup subsystems” heading on the left-hand side of the page.
Different types of Internet connections will require different values to be entered in the next screen of the dialog. As a consequence, the next screen in the dialog will look slightly different, based on the choice you make here. If you have an Internet connection by means of an ISDN router or a cable or DSL modem, you will generally be able to choose “DHCP-Client”. Choosing “DHCP-Client” is the easiest possible configuration.
➔ Select your new connection's “Type of failover check”.
The best way to check if a certain Internet connection is available is to try to connect to a machine that is always on. Otherwise our firewall would assume the Internet connection to be unavailable whenever the host we tried to connect to was switched off. The machine we try to connect to should also be located on the other side of our Internet connection.
(In the example screen below, we use PPTP. Please remember that this procedure also applies to PPPoE connections.)
➔ Enter the user name and password provided by your ISP in the corresponding fields.
If you do not know the correct type of connection, user name and/or password, please contact your ISP for these details. Some ISPs also require you to request a specific IP address of gateway.
3 Wizard: Local Area Networks (LAN)
The basic configuration we have reached in the prior chapters of this manual allows for one local network (or LAN). While this may be sufficient in many situations, there are a number of possible reasons for segregating local networks (or subnets). Some departments may have different information needs or working hours from others. Wireless networks may need a tighter security policy than wired networks do.
You will also be asked to select the network port the Directly Connected LAN will be connected to (FLEX2 in the example) and a device address the firewall will be identified with on this particular LAN. Please note that, since this is a different LAN from the one we created before, it will need its own, unique network address. The firewall will need its own unique address on every network it is directly connected to.
LAN. To add a “Segmented LAN behind gateway”, in the “Manage LAN segments” window (reached by clicking the “Local Area Networks (LAN)” text under the “Setup Subsystems” heading to the left of the screen in the “Configuration” context), click “Add new”. The “Create new LAN-segment” window appears. For the type of LAN, choose “Segmented LAN behind gateway” and click “Next”. You are asked to provide a label, a network address, a netmask and a gateway for the segmented LAN.
To delete a LAN, click the “Remove” button left of the LAN's label in the “Manage LAN-segments” screen.
3.
4 Wizard: Port forwarders (PNAT)
Most Internet connections will only allow one Internet address (IP address) to be assigned to your firewall. This means that no machine on the internal network (LAN) can be reached directly from the Internet. While this provides some measure of safety to the machines on the internal network, it also effectively prevents these machines from functioning as a server for machines on the Internet.
4.1 Managing Port forwarding (PNAT)
To set up port forwarding to a specific machine on your internal network:
➔ Click on the “Port forwarders (PNAT)” text under “Setup subsystems” on the left-hand side of the screen in the “Configuration” context. The “Manage port forwardings” screen should appear.
4.2 Adding a port forwarding
To add a port to be forwarded:
➔ Click the “Add new” button in the “Manage Port Forwardings” screen.
4.3 Editing a port forwarding
To edit an existing port forwarding:
➔ Open the “Manage port forwardings” screen (as demonstrated in paragraph 4.1 Managing Port forwarding (PNAT)).
➔ Click the “Edit” button next to the line corresponding to the port forwarding you wish to edit.
➔ Modify the forwarding settings as if you created a new forwarding (as described in paragraph 4.2 Adding a port forwarding).
5 Wizard: IDS/IPS management
The IDS (Intrusion Detection System) and IPS (Intrusion Prevention System) are two components of vital importance to the security of your BaseWall VPN 6000. Both are enabled by default. The IDS constantly monitors network traffic to and from your firewall, looking for suspicious network traffic that could be indicative of an (impending) attack.
5.2 Adding a host or network to the blacklist
Adding a host or a network to the blacklist effectively prevents any access from the host or network to your firewall and internal network. Adding a host or network to the whitelist instead prevents that host or network from ever being denied access by the IPS (though of course other access restrictions may still apply).
5.3 Removing from blacklist or whitelist
To remove a host or network from the blacklist or whitelist:
➔ Open the “Manage the Intrusion Prevention System” screen as described in paragraph 5.1 Manage the Intrusion Prevention System.
➔ Click the “Remove” button next to the blacklist or whitelist entry you wish to remove.
6 Wizard: VPN IPSec tunnels
6.1 VPN IPSec tunnels
VPN (Virtual Private Network) IPSec (Internet Protocol Security) tunnels are used to connect two or more LANs through the Internet in a secure manner. Usually, whenever a company needs to make a common computing or information resource available at multiple locations, a VPN IPSec tunnel is the best solution. A VPN IPSec tunnel is an encrypted Internet connection between two routers on separate networks.
➔ Choose the type of VPN IPSec tunnel you wish to configure. In this example we will connect to a “Remote network”.
➔ Choose the “authentication method” we will use for the VPN IPSec tunnel. (May be either “Pre-shared key (PSK)” or “Certificate” if you have a valid certificate.) In our example we will use a Pre-shared key.
➔ Click the “Next” button. The “Create IPSec-tunnel” screen will change.
6.4 Adding a VPN IPSec tunnel to a single dynamic host
To add a VPN IPSec tunnel to a remote network:
➔ From the “List IPSec-tunnels” screen, click the “Add new” button. The “List IPSec-tunnels” screen should change to the “Create IPSec-tunnel” view.
➔ Choose the type of VPN IPSec tunnel you wish to configure. In this example we will connect to a “Single dynamic host (roadwarrior)”.
➔ Choose the “authentication method” we will use for the VPN IPSec tunnel.
➔ Click the “Edit” button next to the line corresponding to the VPN IPSec tunnel you wish to edit.
➔ Depending on the type of tunnel and authentication, modify the VPN IPSec tunnel settings as if you created a new VPN IPSec tunnel (as described in paragraphs 6.3 Adding a VPN IPSec tunnel to a remote network and 6.4 Adding a VPN IPSec tunnel to a single dynamic host).
After editing the VPN IPSec tunnel, the screen will once again change to “List IPSec-tunnels” (see above).
6.
7 Wizard: Certificate management
7.1 Adding Signed Certificate
Add a certificate for the authentication of the firewall in tunnels. Other parties can inspect and check this certificate to be sure that no other machine pretends to be this firewall.
7.2 Adding Certificate Authority
This is an extra Certificate Authority that can sign certificates. There is a standard set of public authorities like VeriSign already in the firewall.
8 Wizard: VPN PPTP/L2TP users
8.1 VPN PPTP/L2TP
Both PPTP and L2TP allow connection to a corporate network by employees. Microsoft Point-to-Point Tunneling Protocol (PPTP) is a revised and more secure implementation of the original PPTP implementation. Layer 2 Tunneling Protocol (L2TP) is an implementation of L2F developed by Cisco in combination with the user authentication available in PPTP.
left-hand side of the screen in the “Configuration” context. The “Setup general VPN parameters” screen should appear. The client PCs get an extra IP address for this connection. These addresses should not overlap with any IP range of the firewall's internal networks or of any networks connected to by IPSec tunnels. It is better to choose a base number in the local network ranges like '192.168.100.1' or '10.100.0.
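The overlap rule for the VPN client addresses, together with the earlier note that the firewall shows net masks as a number of bits, can be checked before the wizard is run. The following is an added example, not part of the original manual or of BaseWall software; apart from the factory LAN 192.168.99.0, the network labels and addresses are constructed sample values, and the pool is assumed to be a run of consecutive addresses starting at the base number.

```python
import ipaddress

# RFC 1918 ranges: the "local network ranges" the manual recommends.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed address plan. Only 192.168.99.0 (the factory LAN) comes from
# the manual; the other entries are sample values for illustration.
NETWORKS = {
    "lan": ("192.168.99.0", "255.255.255.0"),
    "lan-flex2": ("192.168.50.0", "255.255.255.0"),
    "branch-tunnel": ("10.100.0.0", "255.255.0.0"),
}


def to_prefix_bits(dotted_mask):
    """Convert 255.255.255.0 style masks to the bit count the firewall shows.

    Raises ValueError for masks whose 1-bits are not contiguous.
    """
    mask = int(ipaddress.IPv4Address(dotted_mask))
    bits = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous netmask: {dotted_mask}")
    return bits


def pool_blocks(base, clients):
    """Return the CIDR blocks covering base .. base + clients - 1.

    Assumption: the VPN pool is a run of consecutive addresses.
    """
    first = ipaddress.IPv4Address(base)
    last = first + (clients - 1)
    return list(ipaddress.summarize_address_range(first, last))


def pool_is_private(base, clients):
    """True when the whole pool lies inside one of the RFC 1918 ranges."""
    return all(any(block.subnet_of(net) for net in RFC1918)
               for block in pool_blocks(base, clients))


def find_conflicts(base, clients, networks=NETWORKS):
    """List every known network that shares addresses with the VPN pool."""
    blocks = pool_blocks(base, clients)
    conflicts = []
    for label, (address, mask) in networks.items():
        net = ipaddress.ip_network(f"{address}/{to_prefix_bits(mask)}")
        if any(net.overlaps(block) for block in blocks):
            conflicts.append(f"{label} {net}")
    return conflicts


if __name__ == "__main__":
    for base in ("192.168.100.1", "192.168.99.200", "10.100.0.250"):
        print(base, "private:", pool_is_private(base, 20),
              "conflicts:", find_conflicts(base, 20) or "none")
```
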
8.4 Rights of PPTP/L2TP users
The picture in the “Netview” tab is altered to show the new situation. There is now a group of VPN_clients visible. With a right click of the mouse it is possible to show any individual member of this group. There are 5 more policies added to the policy list.
➢ “VPN_lan”: rights of the VPN users on the network.
➢ “lan_VPN”: what the LAN network(s) see of the VPN users.
➢ “VPN_out”: rights of the VPN users to the Internet.
9 Wizard: DMZ setup
9.1 DMZ
A DMZ network layout stands for a virtual Demilitarized Zone. It is used to connect servers to the Internet with a public IP-address and keep them separated from the internal network. When a server gets compromised, the internal network is still safe behind the firewall. Ideally the servers in the DMZ get no rights to reach the LAN, but there are limited rights of the LAN towards the DMZ servers.
9.3 Managing DMZ-servers
➔ Click the “Servers” link to access or add servers to a DMZ segment.
➔ Click the “Add new” button in the “Manage DMZ-servers” screen.
➔ Enter a name as label for the server.
➔ Enter the public IP-address for the server.
➔ Choose the protocols that the server needs to provide for both the Internet and the internal network(s).
➔ Click the “Next” button.
9.4 Netview picture of DMZ servers
DMZ servers are directly visible from the Internet. There are 3 new policies created for a DMZ server:
➢ wan-DMZ_server: contains the possible services towards the Internet.
➢ DMZ_server-wan: connections from the DMZ servers on the Internet, initially not restricted.
➢ lan-DMZ_server: contains possible services towards the internal networks.
10 Wizard: Shaping/VoIP
10.1 Shaping
The VPN 6000 can divide the Internet traffic into separate parts. For Voice over IP it is necessary to separate the different computers that use VoIP from the rest of the traffic. It is then possible to reserve some traffic for these computers so that other traffic (for example, a big download) cannot block the small but steady stream of voice packets.
10.4 The Netview
The computers with VoIP bandwidth reserved for them get their own group inside the “Netview”. Normally the computers are invisible, but they can be made visible by clicking on the group and selecting “Show subparts”.
11 E-mail
Normally the firewall is configured to accept all email sent to one or more mail domains. This domain is the name behind the '@' of an email address. Every mail is accepted, checked and sent on towards an internal mail server. Email sent from outside the firewall for unknown domains is automatically dropped and an error notice is sent back to the origin of the email.
11.1 First mail domain
Click on the “Mail” tab when in the configuration part of the interface.
The following sources of system mail are handled by the firewall:
● Postmaster: Basic mail-subsystem notifications. Notifications like overflowing mail boxes or long delivery delays.
● Virus-warning: Notification of blocked mail due to virus content.
● Spam-warning: Notification of blocked mail due to spam content.
● Virus-quarantine: (Optional) This account will receive a copy of the blocked mail, still containing the virus.
11.4 White and blacklists
Enter an email address or an email domain name into the “Whitelist” field to guarantee the delivery of all email from this source. The spam filter is bypassed for these accounts. The field “Blacklist” can be used to block all mail from a source. This is an effective way to block a mail bomb of spam or virus email or a mail loop from a specific address.
When mailboxes are first created but have not received any mail yet, the firewall will show a message “No valid/Maildir found!”. The mailbox is automatically created after the first email for the box is received.
12 HTTP Proxy
The proxy settings are found in the “Proxy” tab in the “Configuration” part of the firewall. The proxy can be used to lower the amount of traffic used by browsing the web. Normally the “lan-out” policy should first be modified to prevent the use of 'http' (port 80) and 'https' (port 443). The browser's proxy configuration should point to the proxy port and the internal address of the firewall. It is possible to define the proxy port that is used.
13 Netview
The Netview is the central screen of the BaseWall VPN 6000. It shows all the networks and computers that the firewall knows something about. From this screen it is possible to view and change the rights of all these parts on other parts of this virtual “world”.
13.1 Policies
After selecting a policy, some parts of the network will change color.
➢ Red: This is the source of the policy.
➢ Green: This is the destination of the policy.
blank every port is allowed. Allowing ports in specific policies adds to the rights in more general policies. So when a tunnel is created across the Internet, the network behind this tunnel gains the normal rights of the Internet but normally will have more rights. Ports are deleted the same way as protocols. When a port is preceded with a “!” sign this port is restricted. With only restricted ports the rest of the ports are still free to use.
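The port-list rules above have a consequence that is easy to miss when reviewing policies: a list that is blank, or that holds only “!” entries, leaves every other port open. The following is an added example that models those rules, not BaseWall code; the space or comma separated input format, the policy names, the handling of lists that mix plain and “!” ports, and the way rights from several policies are combined are assumptions.

```python
def parse_port_list(spec):
    """Split a port list into (allowed, restricted) sets of port numbers.

    Assumption: ports are separated by spaces or commas; a leading "!"
    marks a restricted port, as described in the manual.
    """
    allowed, restricted = set(), set()
    for token in spec.replace(",", " ").split():
        number = int(token.lstrip("!"))
        if not 1 <= number <= 65535:
            raise ValueError(f"port out of range: {token}")
        (restricted if token.startswith("!") else allowed).add(number)
    return allowed, restricted


def permits(spec, port):
    """Decide whether one policy's port list lets a port through."""
    allowed, restricted = parse_port_list(spec)
    if port in restricted:
        return False          # "!" ports are restricted
    if not allowed:
        return True           # blank, or only "!" entries: the rest is free
    return port in allowed    # assumption: a plain list permits only itself


def effective_permit(specs, port):
    """Rights of specific policies add to those of general ones.

    Assumption: a port passes when any matching policy permits it.
    """
    return any(permits(spec, port) for spec in specs)


def audit(policies):
    """Report policies whose port list leaves unlisted ports open."""
    findings = {}
    for name, spec in policies.items():
        allowed, restricted = parse_port_list(spec)
        if not allowed:
            findings[name] = ("all ports" if not restricted
                              else f"all ports except {sorted(restricted)}")
    return findings


# Constructed sample policies for illustration only.
SAMPLE_POLICIES = {
    "general": "",
    "no-web-no-smtp": "!80 !25",
    "web-only": "80 8080",
}

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_POLICIES).items():
        print(f"{name}: open for {finding}")
```
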
13.7 Road warrior(s) authentication
When clicking with the mouse on the Internet cloud, the “Roadwarrior's Auth.” option can be selected. Roadwarriors are PCs that use IPSec tunnels to connect to the firewall. But it is unknown what IP-address they will use, and they can switch to different IP-addresses and reconnect. The first option can be used to select a certificate to use for the connections to Roadwarriors.
14 IPSec configuration
14.1 Identification options
After running the IPSec wizard and applying the configuration, the firewall will start the IPSec tunnels when there is traffic towards the remote network or when the remote network tries to connect the tunnel. The tunnels are configured with sane defaults, so in a lot of cases the normal configuration will just work.
➔ Dead peer detection: when the tunnel is not connecting directly, the dead peer detection closes the tunnel and tries to connect again. This can give less connectivity when the other side doesn't react right.
➔ NAT Traversal: when the tunnel is behind a NAT connection, the software detects this and tries to compensate for it. With 'force' it will always assume that it is behind a NAT. This firewall uses the RFC 3947 definition.
15 Logs
Select the logs tab to inspect the different logs of the system. Click on “reload” to get fresh data on the screen; sometimes the logs will grow rather quickly. Push the “down” button to move to the next screen of “older” log messages. Enter a search term and push the “search” button to find a specific word or phrase in the logs. There are several different log files on the system:
➢ System: Packet blocks, general errors, startup messages of programs.
POP-server – show only the sending from internal defined pop boxes.
➢ Intrusion Detection: Show the network security messages.
➢ IPSec key manager: Show the security key exchange of the defined IPSec tunnels.
➢ Proxyaccess: Internet questions from internal PCs to the proxy.
➢ Proxycache: General squid messages.
➢ Proxystore: State information of the proxy cache.
The logging system suppresses some less relevant messages and sometimes shows more readable messages.
16 Statistics
This page shows an analysis of the logs on this machine. This contains totals and rules out the normal messages. The “all” time shows the logs for roughly a month.
17 Virusscanner status
This is a tab that shows the status of the anti-virus software running on the firewall. It is very important that the latest virus data is loaded, and every hour the firewall should update to the latest definitions. When the version of the anti-virus software loaded on the firewall gets too old for the latest database, or when the license keys of some virus scanners expire, the email will not be checked anymore.
18 Low level device management
18.1 Possible devices
To enter device management, activate advanced options in the “Config” tab. Then click on the “Devices” tab. The different wizards are normally used to add devices to this list. Here is a description of the devices in use.
18.3 Bandwidth limits on devices
There is a list of bandwidth settings for each device.
Upstream-bandwidth: Provide the upstream bandwidth. This should be 95% of the total available bandwidth so the firewall can fairly handle all questions without the possible choking of the bandwidth by the Internet Service Provider.
Downstream-bandwidth: Provide 95% of the available downstream bandwidth.
18.
19 Low level route management
To enter device management, activate advanced options in the “Config” tab. Then click on the “Routes” tab. These are the routes towards the different networks or hosts known by the firewall. All the routes are shown in the “Netview” as elements. Routes do not allow traffic by themselves; for this, policies should be added in the “Netview”. Most routes are created by various wizards.
For both directions you'll have to specify an upper limit and a lower limit. The upper limit prevents traffic to and from this route from receiving a higher bandwidth than specified. The lower limit guarantees a minimum available bandwidth for this traffic. It's impossible to guarantee more bandwidth than 100% on all your routes.
19.
20 Low level policy management
20.1 Policies
Policies are the core of the network subsystem. Most advanced features are based on policies, combined with various special options. Therefore this paragraph will describe the design of the policy system. In the following paragraph the options will be discussed. The firewall is designed to block all traffic. It is the function of a policy to allow traffic.
possibilities.
20.3 Modify a policy
To modify a policy's routes, you can use the following procedure:
➔ Select the policy in the policy selection pulldown menu.
➔ Use the context menu of the relevant routes to select and/or deselect routes.
➔ Use the “update” button to apply these changes to the policy.
20.4 Removing a policy
It's possible to remove a policy by selecting the policy in the policy selection pulldown menu and then pushing the “delete” button.
20.7 Specials
To add more options to a policy you'll have to push the “Add specials” button. This will provide a pulldown menu with the various options that are available.
20.8 DNAT
To set up a Destination Network Address Transformation, select the DNAT option. Normally a DNAT policy will need to have the firewall (the old destination) and the new target address (the new destination) selected as destination routes.
21 Mail handling policies
To be able to see and change mail handling policies, activate advanced options in the “Config” tab. Then click on the “Mail” tab.
21.1 Set the policy for virus emails
Behind the “Virus-quarantine” line is the virus policy pulldown menu. It can be set to the following values:
➢ Bounce: The mail will be blocked and the original sender will receive a non-delivery notification.