M Series Appliances
User Guide
Release 2.3
Internet Security Systems, Inc.
6303 Barfield Road
Atlanta, Georgia 30328-4233
United States
(404) 236-2600
http://www.iss.net
© Internet Security Systems, Inc. 2003-2005. All rights reserved worldwide. Customers may make reasonable numbers of copies
of this publication for internal use only. This publication may not otherwise be copied or reproduced, in whole or in part, by
any other person or entity without the express prior written consent of Internet Security Systems, Inc.

Patent pending.

Internet Security Systems, System Scanner, Wireless Scanner, SiteProtector, Proventia®, Proventia Web Filter, Proventia Mail
Filter, Proventia Filter Reporter, ADDME, AlertCon, ActiveAlert, FireCell, FlexCheck, Secure Steps, SecurePartner, SecureU,
and X-Press Update are trademarks and service marks, and the Internet Security Systems logo, X-Force, SAFEsuite, Internet
Scanner, Database Scanner, Online Scanner, and RealSecure registered trademarks, of Internet Security Systems, Inc. Network
ICE, the Network ICE logo, and ICEpac are trademarks, BlackICE a licensed trademark, and ICEcap a registered trademark, of
Network ICE Corporation, a wholly owned subsidiary of Internet Security Systems, Inc. SilentRunner is a registered trademark
of Raytheon Company. Acrobat and Adobe are registered trademarks of Adobe Systems Incorporated. Certicom is a trademark
and Security Builder is a registered trademark of Certicom Corp. Check Point, FireWall-1, OPSEC, Provider-1, and VPN-1 are
registered trademarks of Check Point Software Technologies Ltd. or its affiliates. Cisco and Cisco IOS are registered trademarks
of Cisco Systems, Inc. HP-UX and OpenView are registered trademarks of Hewlett-Packard Company. IBM and AIX are
registered trademarks of IBM Corporation. InstallShield is a registered trademark and service mark of InstallShield Software
Corporation in the United States and/or other countries. Intel and Pentium are registered trademarks of Intel. Lucent is a
trademark of Lucent Technologies, Inc. ActiveX, Microsoft, Windows, and Windows NT are either registered trademarks or
trademarks of Microsoft Corporation. Net8, Oracle, Oracle8, SQL*Loader, and SQL*Plus are trademarks or registered
trademarks of Oracle Corporation. Seagate Crystal Reports, Seagate Info, Seagate, Seagate Software, and the Seagate logo are
trademarks or registered trademarks of Seagate Software Holdings, Inc. and/or Seagate Technology, Inc. Secure Shell and SSH
are trademarks or registered trademarks of SSH Communications Security. iplanet, Sun, Sun Microsystems, the Sun Logo,
Netra, SHIELD, Solaris, SPARC, and UltraSPARC are trademarks or registered trademarks of Sun Microsystems, Inc. in the
United States and other countries. All SPARC trademarks are used under license and are trademarks or registered trademarks
of SPARC International, Inc. in the United States and other countries. Adaptive Server, SQL, SQL Server, and Sybase are
trademarks of Sybase, Inc., its affiliates and licensers. Tivoli is a registered trademark of Tivoli Systems Inc. UNIX is a registered
trademark in the United States and other countries, licensed exclusively through X/Open Company, Ltd. All other trademarks
are the property of their respective owners and are used here in an editorial context without intent of infringement.
Specifications are subject to change without notice.

Disclaimer: The information contained in this document may change without notice, and may have been altered or changed if
you have received it from a source other than ISS or the X-Force. Use of this information constitutes acceptance for use in an
“AS IS” condition, without warranties of any kind, and any use of this information is at the user’s own risk. ISS and the X-Force
disclaim all warranties, either expressed or implied, including the warranties of merchantability and fitness for a particular
purpose. In no event shall ISS or the X-Force be liable for any damages whatsoever, including direct, indirect, incidental,
consequential or special damages, arising from the use or dissemination hereof, even if ISS or the X-Force has been advised of
the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental
damages, so the foregoing limitation may not apply.

Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by Internet Security Systems,
Inc. The views and opinions of authors expressed herein do not necessarily state or reflect those of Internet Security Systems,
Inc., and shall not be used for advertising or product endorsement purposes.

Links and addresses to Internet resources are inspected thoroughly prior to release, but the ever-changing nature of the Internet
prevents Internet Security Systems from guaranteeing the content or existence of the resource. When possible, the reference
contains alternate sites or keywords that could be used to acquire the information by other methods. If you find a broken or
inappropriate link, please send an email with the topic name, link, and its behavior to support@iss.net.

April 18, 2005


Contents
Preface
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix
How to Use Proventia M Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x
Conventions Used in this Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
Getting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv

Part I: Getting Started


Chapter 1: Introduction
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
About the Proventia Integrated Security Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Proventia Integrated Security Appliance Functional Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Proventia Integrated Security Appliance Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Chapter 2: Getting Started


Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Before You Begin. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Starting Proventia Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
The Home Page and Navigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Installing the License File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Configuration Tasks Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

Chapter 3: Updating the Appliance


Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
About Updating the Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Update Status Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Automatic Update Settings Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Configuring Automatic Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Manually Downloading and Installing Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Manually Updating the Web Filter and Antispam Database. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Configuring Update Notification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Updating an Appliance with High Availability Enabled . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Using the SiteProtector X-Press Update Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

Part II: Configuring the Appliance


Chapter 4: High Availability
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
About High Availability. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
High Availability Deployment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
High Availability Access and NAT Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
High Availability Task Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
High Availability Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Viewing High Availability Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Updating the Appliances in High Availability Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
SiteProtector Management of High Availability Appliances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Troubleshooting your High Availability Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70

Proventia M Series Appliances User Guide Release 2.3 iii

Chapter 5: Appliance Settings


Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Adjusting the Network Configuration Settings in Proventia Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Configuring PPPoE Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Changing the Time and Date in Proventia Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Changing the Time Zone in Proventia Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
The System Tools Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

Chapter 6: System Settings


Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
About System Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Reviewing the Status of System Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Changing Appliance Passwords in Proventia Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Notification Responses for Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Delivery Notification for System Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Setting Response Delivery Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Configuring SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Configuring the SMTP Proxy Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Configuring the HTTP Proxy Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102

Chapter 7: Firewall Settings


Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
About Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Firewall/VPN Protection Status Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Process Overview for Configuring the Firewall. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Configuring Firewall Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109

Chapter 8: Access Policies


Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
About Access Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Access Policy Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Configuring Access Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
About Proxy Redirection Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Configuring Proxy Redirection Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122

Chapter 9: NAT Policies


Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
NAT Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
About NAT Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Configuring Source NAT Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Configuring Destination NAT Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Setting NAT Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Port Forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141

Chapter 10: VPN Settings


Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
About Virtual Private Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Process Overview for Configuring VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Configuring a VPN Users List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Configuring an L2TP/IPSEC VPN Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
Configuring the L2TP IP Address Pool. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Overview of VPN Wizards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Using the SoftRemote VPN Client to M Series Wizard. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
Using the M Series to M Series Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Using the Windows 2000 and XP to M Series Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Configuring the RADIUS Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161

Chapter 11: Network Objects


Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
About Network Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Configuring Address Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
Configuring Address Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Configuring Dynamic Address Lists. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Configuring Dynamic Address Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Configuring Port Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Configuring Port Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179

Chapter 12: Working with IKE Policies


Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
IKE Automatic Key Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
IKE Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
The Diffie-Hellman Exchange . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Configuring IKE Network and Security Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Configuring IKE Remote IDs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Configuring IKE Policy XAuth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191

Chapter 13: Working with IPSEC


Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
IPSEC and IPSEC Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
IPSEC Encapsulation Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
IPSEC VPN Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
Using L2TP and IPSEC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Security Associations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
Key Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Configuring IPSEC Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200

Chapter 14: Security Gateways


Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
About Security Gateways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
Configuring an IPSEC Remote Client Security Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Configuring a Manual Key IPSEC Security Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
Configuring an Auto Key IPSEC Security Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
Configuring an L2TP/IPSEC Remote Client Security Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218

Chapter 15: Managing Certificates


Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
About Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
About the Certificate Management Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
Installing a Trusted Certificate Authority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
Removing a Trusted Certificate Authority Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
Requesting a Self Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
Installing a Self Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
Removing a Self Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
Installing a Certificate Revocation List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
Removing a Certificate Revocation List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233

Chapter 16: Antivirus Settings


Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
About Antivirus Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
Enabling and Configuring the Antivirus Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
Quarantine File Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243

Chapter 17: Intrusion Prevention


Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245

About Intrusion Prevention Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
Reviewing the Status of Prevention Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Enabling Intrusion Protection Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Configuring Alert Logging for Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
Configuring Event Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
Quarantine Rules Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
Viewing the Intrusion Prevention Issue List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258

Chapter 18: Antispam Settings


Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
Introduction to Antispam. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
Setting Antispam Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
Antispam Logging and Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
Antispam Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
Using the Email Sender Whitelist and Email Sender Blacklist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269

Chapter 19: Using Web Filters


Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
Introduction to Web Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
Setting Web Filter Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
Selecting Web Filter Categories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
Using Blacklist and Whitelist Web Filter Overrides . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
Editing or Removing Blacklist and Whitelist Web Filter Overrides. . . . . . . . . . . . . . . . . . . . . . . . . . . 283
Web Filter Logging and Events. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
Enabling Web Filter Event Notification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
Web Filter Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
Web Filter Categories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291

Chapter 20: The Web Filter and Antispam Database


Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
How ISS Classifies Web Content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
About the Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
Web Filter and Antispam Database Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
Updating the Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305

Part III: Managing the Appliance


Chapter 21: Managing Network Settings
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
Overview of Network Configuration Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
Configuring the External Interface in Proventia Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
Configuring External Interface DNS Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
Enabling the Internal Interfaces in Proventia Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
Enabling or Disabling SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
About DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
Configuring the DHCP Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
DNS Settings for the DHCP Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
Configuring Static Address Assignments for a DHCP Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
Configuring WINS Servers for DHCP Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334
Viewing DHCP Leases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
Changing Time Settings in Proventia Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336

Chapter 22: SiteProtector Management


Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337

Using SiteProtector Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
Considerations for Appliance Updates and Events with SiteProtector . . . . . . . . . . . . . . . . . . . . . . . . 341
Configuring SiteProtector Management Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
SiteProtector Management of High Availability Appliances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346

Chapter 23: Managing Events and Log Files


Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
Accessing the Alert Event Log Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
Getting More Information About Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352
Refreshing and Searching the Event Log File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
Saving the Current Log File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
Clearing the Alert Event Log File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
Managing Saved Log Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359

Chapter 24: System Backup and Recovery


Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
System Backup and Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
Creating and Managing Snapshot Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
Creating or Restoring a System Backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 366
Using System Backups and Snapshots with High Availability Enabled . . . . . . . . . . . . . . . . . . . . . . . . 367
Proventia M10 and M30 Appliance Reinstallation Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
Reinstalling the M10 and M30 Appliances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
M50 Appliance Reinstallation Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375
Reinstalling the M50 Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376

Appendix A: Configuring Advanced Parameters


Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
Configuring Event Notification Advanced Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379
Configuring Intrusion Prevention Advanced Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
Configuring Firewall or VPN Advanced Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
Configuring Antivirus Advanced Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385
Configuring Automatic Update Advanced Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
Configuring Services Advanced Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389
Configuring Web Filter and Antispam Database Advanced Parameters . . . . . . . . . . . . . . . . . . . . . . 391
Configuring Advanced Parameters for High Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
Advanced Parameters for Event Notification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395
Advanced Parameters for the Intrusion Prevention Component . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
Block Rule Keywords for the Intrusion Prevention Component . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404
Protection Response Keywords for the Intrusion Prevention Component . . . . . . . . . . . . . . . . . . . . . 406
Advanced Parameters for the Firewall and VPN Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408
Advanced Parameters for the Antivirus Component . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
Advanced Parameters for Automatic Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417
Advanced Parameters for Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 418
Advanced Parameters for the Web Filter and Antispam Database . . . . . . . . . . . . . . . . . . . . . . . . . 419
Advanced Parameters for High Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420

Appendix B: Appliance Events


Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421
Firewall Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422
System Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 428
Antivirus Events. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429
Intrusion Prevention Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 430
Web Filter Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431
Antispam Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 432
Update Events. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433
High Availability Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434

Proventia M Series Appliances User Guide Release 2.3 vii


Contents

Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 435

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451

Preface

Overview
Introduction This user guide contains information and procedures for configuring and managing your
Proventia M Series appliance firewall, VPN, multiple protection modules and a high
availability node.

Scope The Proventia M Series Appliances User Guide Release 2.3 helps you to use and manage your
M Series Integrated Security appliance to meet your specific security needs. This guide
contains information on system settings such as access policies, network objects, security
gateways and virtual private network settings. It provides instructions on adjusting the
available protection modules to suit your needs. It also covers enabling high
availability, system event and alert management, backup and recovery, and general
troubleshooting.

Note: Installation procedures are found in the Proventia Mx Appliance Quick Start Guide
associated with your specific appliance model.

Audience This guide is intended for users of the Proventia M Series Integrated Security Appliances.
A fundamental knowledge of network security policies and IP network configuration is
helpful.

What’s new in this update
This firmware update Version 2.3 includes improvements and bug fixes. The model
number for your appliance, and the firmware update version that you last installed,
appear in the System Status area of the Proventia Manager Home page.

For the most current information about product issues and updates, see the Proventia M
Series Appliances Readme on the ISS Download Center at http://www.iss.net/
download/.



How to Use Proventia M Documentation
Introduction Documentation for the Proventia M Series Integrated Security Appliance is available on
the ISS Web site at http://www.iss.net/support/documentation/.

Latest information For the latest appliance documentation, refer to the Help found in Proventia Manager,
and in the Readme files associated with each firmware release.

What’s in this guide This guide explains how to configure the Proventia M appliance using the Proventia
Manager software and the Proventia Setup utility (command line interface).

Information is organized into three main sections as shown in Table 1:

Part I–Getting Started
• information about the appliance models and features
• procedures on how to use Proventia Manager to access and manage the appliance
• information to help you verify your initial appliance configuration settings
• procedures for updating your appliance

Part II–Configuring the Appliance
• procedures for verifying and adjusting your appliance settings
• procedures for enabling high availability
• procedures for configuring proxy servers
• procedures for setting response delivery for system events
• procedures for configuring firewall access policies
• information about using network objects
• information about security gateways
• procedures for configuring the appliance protection modules: Antivirus, Intrusion Prevention, Web Filtering, and Antispam
• instructions for Virtual Private Network (VPN) configuration wizards
• managing certificates

Part III–Managing the Appliance
• information on managing and maintaining your appliance
• information on SiteProtector management of your appliance
• information on managing events and log files
• information on system backup and recovery

Appendixes
• advanced configuration parameters for advanced configuration tasks
• information about system events and event messages

Table 1: Guide organization


Related publications For more information about using the appliance, see the following:

Document: Proventia M10 Appliance Quick Start Guide
Contents: Requirements and instructions for installation and initial configuration of the M10 appliance

Document: Proventia M30 Appliance Quick Start Guide
Contents: Requirements and instructions for installation and initial configuration of the M30 (3-port) and M30 (6-port) appliances

Document: Proventia M50 Appliance Quick Start Guide
Contents: Requirements and instructions for installation and initial configuration of the M50 appliance

Document: ISS Proventia Integrated Security Appliances Help
Contents: Online help located in Proventia Manager

Document: Proventia Integrated Security Appliance Data Sheet
Contents: General information about appliance features (http://documents.iss.net/literature/proventia/ProventiaMSeries_Datasheet.pdf)

Document: Proventia Integrated Security Appliance Frequently Asked Questions
Contents: Frequently asked questions about the appliance and its functions (http://documents.iss.net/literature/proventia/ProventiaMSeries_FAQ.pdf)

Document: ReadMe file
Contents: The most current information about product issues and updates, and how to contact Technical Support (http://www.iss.net/download/)

Table 2: Reference documentation

VPN configuration For information on how to configure a virtual private network (VPN) tunnel from a
Proventia M appliance to another system, see the following:

● Configuring VPN from Proventia Integrated Security Appliance to Cisco PIX 515E (http://documents.iss.net/literature/proventia/vpn_ex_cisco.pdf)
● Configuring VPN from Proventia Integrated Security Appliance to Check Point Systems (http://documents.iss.net/literature/proventia/vpn_ex_ckpt.pdf)
● Configuring VPN from Proventia Integrated Security Appliance to Proventia Integrated Security Appliance (http://documents.iss.net/literature/proventia/vpn_ex_mseries.pdf)
● Configuring VPN from Proventia Integrated Security Appliance to NetScreen Systems (http://documents.iss.net/literature/proventia/vpn_ex_netscreen.pdf)
● Configuring VPN from Proventia Integrated Security Appliance to SoftRemote Systems (http://documents.iss.net/literature/proventia/vpn_ex_softremote.pdf)
● Configuring VPN from Proventia Integrated Security Appliance to Symantec Systems (http://documents.iss.net/literature/proventia/vpn_ex_symantec.pdf)
● Configuring VPN from Proventia Integrated Security Appliance to Windows XP Systems (http://documents.iss.net/literature/proventia/vpn_ex_winxp.pdf)
● Configuring L2TP/IPSEC VPN Connections from Proventia M Series Appliance to Windows XP Systems (http://documents.iss.net/literature/proventia/vpn_ex_winxp_L2TP.pdf)

Reference: See “Overview of VPN Wizards” on page 153.



Documentation feedback
Your feedback is important to Internet Security Systems. If you have any comments about
or suggestions for improving the technical documentation for ISS products, send an email
to document@iss.net. For questions about what documentation is available or to obtain
copies, refer to the ISS Web site at http://www.iss.net/support/documentation/ or
send an email to support@iss.net.


Conventions Used in this Guide


Introduction This topic explains the typographic conventions used in this guide to make information in
procedures and commands easier to recognize.

In procedures The typographic conventions used in procedures are shown in the following table:

Convention: Bold
What it indicates: An element on the graphical user interface.
Examples: Type the computer’s address in the IP Address box. Select the Print check box. Click OK.

Convention: SMALL CAPS
What it indicates: A key on the keyboard.
Examples: Press ENTER. Press the PLUS SIGN (+).

Convention: Constant width
What it indicates: A file name, folder name, path name, or other information that you must type exactly as shown.
Examples: Save the User.txt file in the Addresses folder. Type IUSR__SMA in the Username box.

Convention: Constant width italic
What it indicates: A file name, folder name, path name, or other information that you must supply.
Examples: Type Version number in the Identification information box.

Convention: → (arrow)
What it indicates: A sequence of commands from the taskbar or menu bar.
Examples: From the taskbar, select Start → Run. On the File menu, select Utilities → Compare Documents.

Table 3: Typographic conventions for procedures

Command conventions
The typographic conventions used for command lines are shown in the following table:

Convention: Constant width bold
What it indicates: Information to type in exactly as shown.
Example: md ISS

Convention: Italic
What it indicates: Information that varies according to your circumstances.
Example: md your_folder_name

Convention: [ ]
What it indicates: Optional information.
Example: dir [drive:][path][filename] [/P][/W][/D]

Convention: |
What it indicates: Two mutually exclusive choices.
Example: verify [ON|OFF]

Convention: { }
What it indicates: A set of choices from which you must choose one.
Example: % chmod {u g o a}=[r][w][x] file

Table 4: Typographic conventions for commands



Getting Technical Support
Introduction ISS provides technical support through its Web site and by email or telephone.

The ISS Web site The Internet Security Systems (ISS) Resource Center Web site (http://www.iss.net/
support/) provides direct access to frequently asked questions (FAQs), white papers,
online user documentation, current versions listings, detailed product literature, and the
Technical Support Knowledgebase (http://www.iss.net/support/knowledgebase/).

Support levels ISS offers three levels of support:

● Standard
● Select
● Premium

Each level provides you with 24-7 telephone and electronic support. Select and Premium
services provide more features and benefits than the Standard service. Contact Client
Services at clientservices@iss.net if you do not know the level of support your
organization has selected.

Hours of support The following table provides hours for Technical Support at the Americas and other
locations:

Location: Americas
Hours: 24 hours a day

Location: All other locations
Hours: Monday through Friday, 9:00 A.M. to 6:00 P.M. local time, excluding ISS published holidays
Note: If your local support office is located outside the Americas, you may call or send an email to the Americas office for help during off-hours.

Table 5: Hours for technical support

Contact information The following table provides electronic support information and telephone numbers for
technical support requests:

Regional office: North America
Electronic support: Connect to the MYISS section of our Web site: www.iss.net
Telephone number:
  Standard: (1) (888) 447-4861 (toll free), (1) (404) 236-2700
  Select and Premium: Refer to your Welcome Kit or call your Primary Designated Contact for this information.

Regional office: Latin America
Electronic support: support@iss.net
Telephone number: (1) (888) 447-4861 (toll free), (1) (404) 236-2700

Regional office: Europe, Middle East, and Africa
Electronic support: support@iss.net
Telephone number: (44) (1753) 845105

Regional office: Asia-Pacific, Australia, and the Philippines
Electronic support: support@iss.net
Telephone number: (1) (888) 447-4861 (toll free), (1) (404) 236-2700

Regional office: Japan
Electronic support: support@isskk.co.jp
Telephone number: Domestic: (81) (3) 5740-4065

Table 6: Contact information for technical support

Part I

Getting Started
Chapter 1

Introduction

Overview
Introduction This chapter describes the Proventia Integrated Security Appliance features and models.
The Proventia M Series appliance comes pre-configured with factory default settings that
can protect your system with a minimum of additional configuration. Use Proventia
Manager to perform updates, make adjustments and augment configuration settings.

This chapter contains the following topics:

Topic Page

About the Proventia Integrated Security Appliance 2

Proventia Integrated Security Appliance Functional Overview 3

Proventia Integrated Security Appliance Models 6


About the Proventia Integrated Security Appliance


The Proventia Integrated Security Appliance
The Proventia M Integrated Security Appliance has the ability to perform multiple
gateway and network-level protection functions. You can choose to enable and configure
some or all of the available protection functions. These functions include the following:

● stateful packet inspection firewall protection
● gateway antivirus protection
● intrusion detection and prevention
● virtual private network (VPN) capability and protection
● gateway antispam
● Web filters
● high availability failover protection

Deployment scenario diagram
Figure 1 shows a typical M series appliance deployment scenario.

Figure 1: Proventia Integrated Security Appliance deployment example


Proventia Integrated Security Appliance Functional Overview


Introduction This topic explains the available Proventia Integrated Security Appliance modules and
their functions.

Firewall module The Stateful Firewall module includes the following:

● traditional allow/deny rules by address/port
● named lists of objects
● DHCP server
● NAT, PAT
● DHCP client
● PPPoE (for DSL/cable connections)
● ICSA (certification pending)

Virtual Private Networking module
The Proventia Integrated Security Appliance accepts VPN connections from the following:

● Remote office and partners (site-to-site)
● Home offices and mobile users (clients)

Antivirus module
Use the antivirus module to stop all file-based viruses sent through the gateway before
they reach your network. With the Antivirus module, your Proventia appliance offers the
following:

● high speed analysis of files in real time from the following:
  ■ SMTP (email)
  ■ HTTP (downloads and Web mail)
  ■ POP3 (personal email)
  ■ FTP (file download)
● 100% wildlist coverage
  Note: The WildList Organization International (http://www.wildlist.org) is a
  great source of information about which viruses are spreading in the wild.
● easy, single-point-of-administration
  ■ all traffic through the gateway is filtered, even if desktop protection is disabled or
  out of date

The antivirus module also scans compressed file formats. After you enable and configure
the module, ensure that updates are performed automatically and regularly so that the
appliance always has the latest antivirus signature list.

Intrusion Prevention module
Proventia M offers proven intrusion prevention technology:

● high-speed deep traffic analysis
● multiple methods of detection
● automatic updates from the X-Force, the world leader in security research and
vulnerability detection

In addition, the Proventia Integrated Security Appliance has automatic protection
capabilities, including X-Force tagging of events (such as block or alert) and tuning.

Desktop protection Although the M Series antivirus module can protect users whose desktop virus software
may be out of date, ISS recommends that you use a desktop protection solution to protect
your users from viruses that can be spread internally.

Web Filter module Use the Web Filter module to control which Web sites are available to users on your
network. When you enable Web Filters, the Proventia Integrated Security Appliance
blocks or allows access to Web sites based on filters that you create. You can create Web
Filters using the preexisting categories in the Web Filter and Antispam Database, and you
can add specific URLs or IP addresses to block or allow.

ISS uses fully automated Web crawlers that continuously download and analyze Web
content. The Web crawlers classify this content into 58 categories, and store the
information in the Web Filter and Antispam Database. The Web crawlers add several
million Web pages to the database per day.

Antispam module Use the Antispam module to prevent SPAM on your network. The Proventia Integrated
Security Appliance analyzes the text and attachments in every email. By referencing the
information in the Web Filter and Antispam Database, the appliance does the following:

● analyzes text, URLs, and attachments in all email traffic passing through your
network
● allows harmless email to pass instantly, but responds to inappropriate email by doing
one of the following:
■ labeling the email as SPAM in the subject header
■ deleting the email

Use the email sender whitelist and blacklist to identify known sources of SPAM and avoid
false positives.

High availability failover protection
Use high availability configuration to support active-passive failover. Two appliances
connect using a dedicated interface link and virtual IPs. Through this link the secondary
appliance receives a heartbeat from the primary appliance. If a heartbeat is not received for a
predetermined period of time, the primary device is considered to have failed. When this occurs,
the secondary device takes over all of the virtual IPs for all interfaces and becomes the
primary device. For more information, see Chapter 4, "High Availability".
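The heartbeat-timeout rule described above, as an added illustration that is not Proventia code: a small Python model in which the secondary records each heartbeat received over the HA link, a periodic timer compares the silence against the configured timeout, and when the timeout is exceeded the secondary claims every virtual IP on every interface and becomes primary. The appliance names, interface names, addresses, one-second heartbeat interval and three-second timeout are constructed sample values, not settings from this guide.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Appliance:
    name: str
    role: str                                            # "primary", "secondary" or "failed"
    vips: Dict[str, str] = field(default_factory=dict)   # interface name -> virtual IP it answers for


@dataclass
class FailoverMonitor:
    """Runs on the secondary: watches heartbeats arriving over the dedicated HA link."""
    primary: Appliance
    secondary: Appliance
    timeout_s: float                                     # the "predetermined period" from the text
    last_heartbeat: Optional[float] = None
    failed_over_at: Optional[float] = None
    log: List[str] = field(default_factory=list)

    def on_heartbeat(self, t: float) -> None:
        """A heartbeat from the primary was received at time t (seconds)."""
        if self.failed_over_at is None:
            self.last_heartbeat = t

    def on_timer(self, t: float) -> bool:
        """Periodic check; returns True only on the call that triggers the failover."""
        if self.failed_over_at is not None or self.last_heartbeat is None:
            return False
        silence = t - self.last_heartbeat
        if silence <= self.timeout_s:
            return False
        # Primary is considered failed: the secondary takes over every VIP on every
        # interface and becomes the primary device.
        self.secondary.vips = dict(self.primary.vips)
        self.primary.vips = {}
        self.primary.role = "failed"
        self.secondary.role = "primary"
        self.failed_over_at = t
        self.log.append(
            f"t={t:.1f}s: no heartbeat for {silence:.1f}s > {self.timeout_s}s; "
            f"{self.secondary.name} took over {sorted(self.secondary.vips)}"
        )
        return True


def run_scenario(heartbeats: List[float], timer_ticks: List[float],
                 timeout_s: float, vips: Dict[str, str]) -> FailoverMonitor:
    """Replay timestamped heartbeats and timer ticks in time order (heartbeats first on ties)."""
    # Hypothetical appliance names; constructed for this example.
    mon = FailoverMonitor(Appliance("M50-A", "primary", dict(vips)),
                          Appliance("M50-B", "secondary"), timeout_s)
    events: List[Tuple[float, int]] = [(t, 0) for t in heartbeats] + [(t, 1) for t in timer_ticks]
    for t, kind in sorted(events):
        if kind == 0:
            mon.on_heartbeat(t)
        else:
            mon.on_timer(t)
    return mon


# Constructed sample: VIPs on two interfaces (RFC 5737 documentation addresses).
SAMPLE_VIPS = {"eth0": "192.0.2.1", "eth1": "198.51.100.1"}

if __name__ == "__main__":
    # Heartbeat once per second, primary goes silent after t=3 s, timer every 0.5 s, timeout 3 s.
    m = run_scenario([0, 1, 2, 3], [i / 2 for i in range(21)], 3.0, SAMPLE_VIPS)
    print("\n".join(m.log) or "no failover")
```

Running the file replays a heartbeat stream that stops at t = 3 s and records the failover at t = 6.5 s, the first timer tick at which the silence exceeds the three-second timeout. A monitor like this cannot tell a failed primary from a failed heartbeat link, so as a design matter the timeout should comfortably exceed the normal heartbeat interval and any expected jitter on that link.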

Proventia Setup utility
The Proventia Setup utility is your command line interface for the appliance network
settings. Use this tool to configure your initial network connection settings, and
passwords. You must use the Proventia Setup utility to set the initial network settings
before you can log on to the Proventia Manager. You can also use the utility for appliance
settings when a Web browser is not available.

Note: Refer to the Proventia M Appliance Quick Start Guide for your appliance model for
specific Proventia Setup procedures. You can change your appliance settings and
passwords later in Proventia Manager on the Access Control page. Refer to Chapter 6,
"System Settings".


Using Proventia Manager
Use Proventia Manager to do the following:

● configure system settings
● enable antivirus protection
● set access policies
● utilize network objects and security gateways
● configure VPN settings and policies using wizards
● manage certificates
● set notification parameters
● manage events and log files
● enable advanced parameters for VPN and firewall settings
● enable antispam protection
● enable Web Filters
● enable high availability


Proventia Integrated Security Appliance Models


Introduction The Proventia Integrated Security Appliance line includes four appliance models:

● M10 (4-port)
● M30 (3-port)
● M30 (6-port)
● M50 (8-port)

Important: Previous models of the M10 and M50 can upgrade to the 2.1 and 2.2 release.
However, be aware that port assignments and interface changes occur with the 2.1 release.
The former DMZ interface is eth2, and is user-defined.

Model differences All models offer the same protection functionality, and can be managed centrally by
SiteProtector or locally by the Web-based Proventia Manager. Key differences in
hardware specifications are outlined in the following table.

Form factor
• Proventia M10: 1U
• Proventia M30 (3-port): 1U / Desktop
• Proventia M30 (6-port): 1U / Desktop
• Proventia M50: 2U

Interface ports
• Proventia M10: Four (4) 10/100 Mbps
• Proventia M30 (3-port): Three (3) 10/100 Mbps
• Proventia M30 (6-port): Six (6) 10/100 Mbps
• Proventia M50: Eight (8) 10/100/1000 Mbps

Serial ports (console-only)
• All models: 1

Redundant power supply
• Proventia M10: No
• Proventia M30 (3-port): No
• Proventia M30 (6-port): No
• Proventia M50: Yes

High availability
• All models: Yes

Operating system
• All models: Proprietary

Table 7: Appliance Specifications

Chapter 2

Getting Started

Overview
Introduction This chapter describes how to use Proventia Manager to manage your Proventia
Integrated Security Appliance.

Prerequisite Initial appliance installation and network configuration steps are found in the following
documentation:

● Proventia M10 Appliance Quick Start Guide
● Proventia M30 Appliance Quick Start Guide
● Proventia M50 Appliance Quick Start Guide

In this chapter This chapter contains the following topics:

Topic Page

Before You Begin 8

Starting Proventia Manager 9

The Home Page and Navigation 10

Installing the License File 16

Configuration Tasks Overview 18


Before You Begin


Introduction Before you can access Proventia Manager, you must complete the initial configuration
and setup tasks as described in the Proventia M Quick Start Guide for your appliance.

Initial Requirements Procedures for the following required tasks are provided in the Proventia Appliance Quick
Start Guide for your specific appliance model. The Proventia M Series Appliances Quick Start
Guides are available in your appliance packaging or on the ISS Web site at http://
www.iss.net/support/documentation/.

Use the following checklist to verify completion of initial configuration and setup tasks:

Requirement

[ ] Properly install the hardware and connect the cables
[ ] Create a connection using a VT100 compatible terminal emulation program, with the recommended settings.
[ ] Complete all initial setup configurations using the Proventia Setup Utility
[ ] Configure the internal interface(s)
[ ] Configure the external interface(s)
[ ] Configure the time and date
[ ] Configure the command line and Web passwords
[ ] Apply the settings

Table 8: Requirements for accessing Proventia Manager

Logging into the appliance using the Proventia Setup utility
You should perform your first-time installation network settings using the Proventia
Setup utility (command line interface). After you complete the network configurations,
use Proventia Manager to manage the appliance. Instructions are located in the Proventia
Mx Appliance Quick Start Guide for your appliance model.

See “Adjusting the Network Configuration Settings in Proventia Setup” on page 72.


Starting Proventia Manager


Introduction Before you configure your appliance, you must log on to the Proventia Manager interface.
Proventia Manager is the local, Web-based management interface for
Proventia M. This topic explains what steps are required before you can access Proventia
Manager.

Prerequisites After you perform network configurations, you must do the following before you can
access the Proventia Manager:

Prerequisite

[ ] Verify that you received a valid license from your ISS Operations or Partner personnel.
[ ] Download the license, and then save it locally to upload to the appliance. ISS recommends that you upload the license so that you can download the latest updates automatically. See “Installing the License File” on page 16.
[ ] Verify that you have Internet Explorer Version 6 or later installed.
[ ] Connect a computer or laptop to the internal network.
[ ] Verify that your Client TCP/IP settings are properly configured for your network.

Table 9: Prerequisites for accessing Proventia Manager

Reference: For more information about accessing and using the Proventia Manager, see
the Help.

Starting the interface
To start the Proventia Manager interface:

1. Start Internet Explorer 6.0 or later.
2. Type https:// followed by the hostname or IP address of the appliance’s internal
   interface you configured during initial setup. Refer to your Proventia Integrated
   Security Appliances Quick Start Guide for detailed instructions.
   Important: You must use a secure connection to access Proventia Manager. Be sure
   you use https:// in the address bar.
3. Log in using the user name admin and the Proventia Manager password that you
   configured for the appliance during initial setup.
4. If a message informs you that you do not have Java2 Runtime Environment (JRE)
   Version 1.4.2 installed, install it now, and then return to this procedure.
   The Welcome screen appears for your appliance model.
5. Do one of the following:
   ■ Select Yes to access the Getting Started procedures.
   ■ Select No to skip the Getting Started procedures.
   Note: ISS recommends that you use the Getting Started procedures to help you
   customize the appliance settings. You can also access these procedures from the Help.
6. Click Launch Proventia Manager.


The Home Page and Navigation


Introduction The Home page provides a snapshot of the current status of the appliance. This page
includes the following navigation, information, and reporting options:

● navigation pane
● device name
● protection status
● system status
● system reports
● important system messages
● alerts for each module

New navigation features
Proventia Manager includes the following navigation features:

● the navigation pane
● ability to open any page in a new window

Viewing the navigation pane
If you log on to Proventia Manager and the navigation pane is not visible, click the
following link at the top of the page:

Click here to reload this page with navigation.

Navigation pane nodes
The navigation pane contains primary nodes for each module, and subnodes for each
page within that module. To expand or collapse a node, do either of the following:

● click the + sign
● click the module name (this also opens the Status page for that module)

The following table describes the module nodes and subnodes in the navigation pane that
allow you to quickly access pages in Proventia Manager:

Firewall/VPN
• Firewall Alerts
• Settings
• Dynamic Addresses
• Network Objects
• VPN Wizards
• Certificate Management

Intrusion Prevention
• Intrusion Prevention Alerts
• Settings
• Quarantined Intrusions
• Issues List

Antivirus
• Antivirus Alerts
• Settings
• Quarantine

Web Filter
• Web Filter Alerts
• Settings
• Categories

Antispam
• Antispam Alerts
• Settings

System
• System Alerts
• Access
• Notification
• Networking
• High Availability
• Routing
• Services
• Tools
• Time
• Management
• Filter DB
• Licensing

Backup and Recovery
• Backup and Recovery page

Updates
• Automatic Settings
• Tools
• Available Downloads
• Available Installs

Support
• Support

Table 10: Navigation pane nodes and subnodes

Viewing the protection status page
The Protection Status page describes the current status of the following components:

● Firewall/VPN
● Intrusion Prevention
● Antivirus
● Web Filter
● Antispam
● High availability

Each component name links to that component’s status page. The status page includes
statistics that may help you identify a problem in the event of an unexpected component
status.

Note: To view the status for each module from anywhere in the appliance interface, click
the module name in the navigation pane.


Protection status icons
You can determine the current status of a component by glancing at the status icon. The
status icons are as follows:

Active icon: Indicates that the component is active.

Stopped icon: Indicates that the component is stopped.

Unknown icon: Indicates that the component is in an unknown state. This status may require immediate attention.

Table 11: Protection status icons

Home page system status
The system status group box describes the current status of the system. The following
table describes the data available in the system status area:

Model Number: The model number of the appliance, followed by the number of ports. Model possibilities are:
• M10
• M30 (3-port)
• M30 (6-port)
• M50

Serial Number: The serial number of your appliance

Network Interfaces: The number of interfaces on your appliance
Note: The number of interfaces varies by appliance model and the number of interfaces you have configured. Refer to the Proventia M Series Appliance Quick Start Guide for your appliance model for more information about available interfaces.

Base Version Number: The base version of the appliance software
Note: The base version is the software version shipped with the appliance, or the software version of the most recent system backup.

Uptime: The length of time that the appliance has been online. The time is given in the following format:
x days, x hours, x minutes

Last Restart: The time the appliance was last restarted. The time is given in the following format:
yyyy-mm-dd hh:mm:ss
Example: 2004-05-04 16:24:37


Last Firmware Update: The time the appliance firmware was last updated. The time is given in the following format:
yyyy-mm-dd hh:mm:ss - version: x.x
Example: 2004-05-04 16:25:56 - version: 1.7

Last Antivirus Update: The time the antivirus module was last updated. The time is given in the following format:
yyyy-mm-dd hh:mm:ss - version: x.xxx
Example: 2004-05-04 14:52:09 - version: 1.139

Last Intrusion Prevention Update: The time the appliance firmware was last updated. The time is given in the following format:
yyyy-mm-dd hh:mm:ss - version: x.x
Example: 2004-01-25 12:34:36 - version: 1.7

Last System Backup: The time the last system backup was created. The time is given in the following format:
yyyy-mm-dd hh:mm:ss
Example: 2004-05-04 15:49:01

Backup Description: The type of backup on the appliance. The backup possibilities are:
• No System Backup
• Full System Backup

Filter Database: The type of Web Filter and Antispam Database that the appliance uses. The possible types are:
• Installed
• Not Installed

Installed Database Version: The version of the Web Filter and Antispam Database that is installed on the appliance. The version is given in the following format:
x.xxxx

High Availability Mode: The status of the HA feature. Options are as follows:
• Enabled
• Disabled

High Availability Active Status: The status of the primary appliance. Options are as follows:
• Running
• Stopped
• Not configured
• Not installed
• Unknown

Proventia M Series Appliances User Guide Release 2.3 13


Chapter 2: Getting Started

Statistic Description

High Availability Secondary If the High Availability feature is enabled, then this statistic
Status appears on the primary appliance only. This is the status of the
secondary appliance. Options are as follows:
• Unknown
• Running
• Stopped
• Failure

Table 12: System status data (Continued)

System reports: The system reports area provides links to the following items:

● Alerts
● Virus Quarantine
● Quarantined Intrusions

These pages provide information about the firewall/VPN, antivirus activity, and
intrusion prevention.

Accessing the Alert Event Log Page: You can access the Alert Event Log page in
two ways:

● click the button
● click the Alerts node for each module

Important system messages: If there are important system messages for your
appliance, an Important System Messages area appears. The following table
describes the messages that may appear in the Important System Messages area:

Message                                                        Available Links

You have not acquired and uploaded your System License. Updates
can not be discovered or downloaded until this is complete.
• Install License

There are updates available to download.
• View Details
• Download

There are updates available to install.
• View Details

There is a database update available for the Web Filter and
Antispam Database.
• Update Database

Your System License has expired.
• Renew License

Your Maintenance Agreement has expired.
• Renew Maintenance Agreement

Table 13: Important system messages


Navigation procedures: Use the following procedures to navigate in the
Proventia Manager:

To...                                  Do this...

Minimize or maximize the navigation pane: Click the icon in the upper right
corner of any page.

Open any page in a new window: Right-click the page in the navigation pane, and
then select Open in a new window from the menu.

View the alerts for a module: Click at the top of any page for that module.
Example: If you are on the Firewall/VPN Settings page and want to view firewall
alerts, click at the top of the page to display the Alert Event Log page. The
log displays alerts for the Firewall/VPN module only.
You can always filter results and view other alerts on the Alert Event Log
page. For more information, see “Refreshing and Searching the Event Log File”
on page 353.

Table 14: Navigation procedures

Accessing the Proventia Manager Help: To access the Proventia Manager help:

● On the Proventia Manager home page, select Help.
The Home Page topic appears.
● Click any icon for additional information or key considerations about a topic.
● Click the text beside the icons for detailed procedures within a topic.
● Click the text beside the icons for detailed procedures outside of a topic,
but related to the process.
● Click any highlighted text for information or term definitions.
● Refer to the See Also links at the bottom of every page for related topics.
● The Page Descriptions topic lists all page topics in the Help.
● Refer to the Glossary for a complete list of terms and their definitions.


Installing the License File


Introduction: This topic explains how to install the license file for Proventia
Manager. This is necessary to make your appliance run at full capability.
Installation involves saving the license file information to the appropriate
location so that the Proventia Manager software can locate and acknowledge it.

Each license file is unique to your product license and may require that you
provide IP address range information specific to your network. ISS is bound by
its confidentiality policy not to share your network information with any other
organization, except as required by law.

About the Licensing page: The Licensing page displays important information
about the current status of your license file, including expiration dates.
Additionally, this page allows you to access the License Information page,
which includes information about how to acquire a current license.

Prerequisites: To install a license file, you must first do the following:

● generate the license file
● install the license file

You must install licenses to activate the modules:

1. Intrusion Prevention
2. Antivirus
3. Antispam
4. Web Filter

Note: To purchase a license file for your Proventia M Series appliance, contact your ISS
sales representative.

Generating a license key file: To generate a license file, you must have the
following:

● Registered End User contact information.
Important: For security reasons, ISS operations personnel will discuss license
issues only with a Registered End User. If there are multiple authorized users
at your organization that must be eligible to receive support, they must
register at: https://www.iss.net/issEn/MYISS/login_help.jhtml
● Maintenance billing contact information.
Note: ISS issues a license file once for the duration of the license, and makes
changes only on an exception basis and at a charge per license file. If you are
uncertain about what information is required, contact ISS Customer Support
(North America only) at 1-888-447-4861. If you are uncertain about what IP
address ranges define your network, contact your network administrator.

Registering the license key files: Before you install your license files, you
must go to the ISS License Registration Center (https://www1.iss.net/cgi-bin/lrc)
to do the following:

● register the license files
● download the license files to a temporary directory on your computer

Note: For status or renewal information about your license files, contact ISS
at https://keys@iss.net.

Installing a license file: Use the following procedure to install the license
files you purchased for your appliance:
Important: For the M30 and M50 appliance models, you must install the Intrusion
Prevention Module (IPM) license file before you install other license files.

To install a license file:

1. In the navigation pane, click + to expand the System node.
2. Select Licensing.
3. Click Browse, and then locate the license file that you downloaded.
4. Click OK.
5. Click Upload.
The appliance installs the license file to the appropriate directory.


Configuration Tasks Overview


Introduction: The Proventia M appliance is delivered with default settings that
protect your system with a minimum of additional configuration. This topic
identifies the required configuration tasks, and recommends additional tasks to
support your security needs and maintain the appliance.

Note: Do not use spaces in the hostname or any foreign language characters in
any entry fields.

Configuration tasks: This topic describes the following tasks:

● required tasks
● recommended tasks
● routine maintenance tasks

Required tasks: You must perform the following tasks before your appliance is
fully functional:

Task 1: Configure the appliance.
Reference: Proventia M Series Quick Start Guides

Task 2: Log on to Proventia Manager.
Reference: Proventia M Series Quick Start Guides

Task 3: Install the license file.
References:
• See “Installing a license file” on page 17.
• Help topic, “Installing the License Key File”

Task 4: Update the firmware.
References:
• See “About Updating the Appliance” on page 22.
• Help topic, “Updating the Firmware”

Task 5: Configure notification responses for events.
References:
• See “Notification Responses for Events” on page 91.
• Help topic, “Notification Responses for Events”

Task 6: Configure the firewall.
References:
• See Chapter 7, “Firewall Settings” on page 103.
• Help topic, “Configuring the Firewall”

Task 7: Update the antivirus definitions and the intrusion prevention
signatures.
References:
• See “About Updating the Appliance” on page 22.
• Help topic, “Updating the Appliance”

Table 15: Required tasks


Recommended tasks: ISS recommends that you perform the following tasks to fully
utilize the features available with your Proventia M appliance:

Task 1: Configure Web Filters.
References:
• Help topic, “Enabling the Web Filter module”
• See “Setting Web Filter Options” on page 276.

Task 2: Configure Antispam settings.
References:
• Help topic, “Configuring the Antispam Settings”
• See “Setting Antispam Options” on page 265.

Task 3: Configure the antivirus software.
References:
• Help topic, “Configuring the Antivirus Software”
• See “Enabling and Configuring the Antivirus Software” on page 239.

Task 4: Update the Web Filter and Antispam Database.
References:
• Help topic, “Updating the Database”
• See “Manually Updating the Web Filter and Antispam Database” on page 33.

Task 5: Configure the SMTP proxy.
Note: ISS recommends this task if you want to use the Antivirus feature and
protect SMTP traffic.
References:
• Help topic, “Configuring the SMTP Proxy Server”
• See “Configuring the SMTP Proxy Server” on page 99.

Task 6: Configure a DHCP relay agent.
References:
• Help topic, “Configuring the DHCP Relay Agent”
• See “Enabling or Disabling SSH” on page 320.

Task 7: Configure a Virtual Private Network (VPN) using Wizards.
References:
• Help topic, “Process Overview for Configuring VPN”
• See “Overview of VPN Wizards” on page 153.

Table 16: Recommended tasks


Routine maintenance tasks: ISS recommends that you perform the following tasks
to properly maintain your appliance:

Task 1: View your current component statuses and available updates on the home
page.
References:
• Help topic, “Homepage”
• See “The Home Page and Navigation” on page 10.

Task 2: Create a system snapshot, and download it to your local computer.
References:
• Help topic, “Backup and Recovery”
• See “Creating and Managing Snapshot Files” on page 364.

Task 3: Create a system backup.
References:
• Help topic, “Backup and Recovery”
• See “System Backup and Recovery” on page 362.

Table 17: Routine maintenance tasks

Chapter 3

Updating the Appliance

Overview
Introduction: This chapter describes how to update your appliance in Proventia
Manager. You can choose to install firmware updates, security updates, and
database updates automatically, or you can configure the appliance to
automatically download updates, and then manually install some or all of the
available updates.

You can also use the SiteProtector X-Press Update Server as an alternative
update server. For more information, see “Using the SiteProtector X-Press
Update Server” on page 38.

In this chapter: This chapter contains the following topics:

Topic                                                        Page
About Updating the Appliance                                   22
Update Status Page                                             24
Automatic Update Settings Page                                 26
Configuring Automatic Updates                                  27
Manually Downloading and Installing Updates                    31
Manually Updating the Web Filter and Antispam Database         33
Configuring Update Notification                                34
Updating an Appliance with High Availability Enabled           36
Using the SiteProtector X-Press Update Server                  38


About Updating the Appliance


Introduction: You should always make sure your appliance is running the latest
firmware, security content, and database updates. Your appliance retrieves
updates from the ISS Download Center, accessible over the Internet.

You can update the appliance in two ways:

● configure automatic updates for all or some of the update types
● find, download, and install updates manually

Important: See “Updating an Appliance with High Availability Enabled” on page
36 for specific information on updating appliances in a high availability
configuration.

Types of updates: You can install the following updates:

● firmware updates
● security content updates
● database updates

You can find updates from the Updates to Download page, and you can schedule
automatic update downloads and installations from the Automatic Update Settings page.

Note: Some firmware updates require that you reboot your appliance. For more
information about product issues and updates, see the Proventia M Series Readme on the
ISS download center at http://www.iss.net/download/.

How the appliance finds updates: When you click the button on the Update Status
page, the appliance checks for the following:

● updates that are already downloaded to the appliance and ready to be installed
● updates that are available for download from the ISS download center

If the appliance finds updates to download or install, an alert message
displays a link to the appropriate page (the Download Updates or Install
Updates page).

Update process and recommendations: ISS recommends that you do the following
when you schedule updates:

● Create a system backup prior to installing any firmware updates.
Note: To ensure that you have a system backup before each automatic firmware
update installation, you can enable the Perform Full System Backup Before
Installation option on the Automatic Update Settings page. If you enable
automatic system backup before firmware installation, then the appliance
reboots and creates the system backup before it installs the firmware update.
Your appliance stores only one system backup, so if you select this option then
the appliance overwrites the previous system backup.
● Schedule automatic database updates to keep your appliance up to date.
● Schedule automatic update checks at least one hour before installing firmware
updates or performing a system backup, to allow time for the updates to
download.
Note: See “Configuring Automatic Updates” on page 27 for more information about
coordinating database and firmware updates.
● Schedule firmware updates outside business hours, as the appliance may go
offline for several minutes during the installation process.

Automatic update process: You can configure the appliance to automatically
download and install updates. The following table describes the appliance
update process:

Stage 1: At 3:00 AM, the appliance checks the ISS download center for updates.

Stage 2: The appliance downloads database, security, and firmware updates.

Stage 3: The appliance installs database and security updates immediately.

Stage 4: At 5:05 AM, the appliance does the following:
• reboots, and then creates a system backup
• installs the firmware update, and then reboots if necessary

Table 18: Update process

If you manage your appliance with SiteProtector: If you manage your appliance
with SiteProtector, you can install an update while the appliance is registered
with the SiteProtector agent manager.

Note: See “Using the SiteProtector X-Press Update Server” on page 38.


Update Status Page


Introduction: The Update Status page allows you to:

● view the status of downloads and installations
● view the history of firmware update installations
● roll back antivirus or intrusion prevention updates
● manually find updates available for download

You can perform the following tasks on the Update Management page:

● finding updates
● rolling back updates

Finding updates: When you click the button on the Update Status page, the
appliance checks for the following:

● updates that are available for download from the ISS download center
● updates that are already downloaded to the appliance

If the appliance finds updates to download or install, an alert message
displays a link to the appropriate page (the Download Updates or Install
Updates page).

Note: This is the first of three tasks to manually update the appliance. To
continue, complete this procedure and go to “Task 2: Downloading updates” on
page 31.

To find available updates:

1. In the navigation pane, click Updates.
2. If your appliance model requires it, the Export Administration Regulation
window appears.
If needed, review the Export Agreement, select Yes, and then click Submit.
The Update Status page appears.
3. In the Updates area, click the button.
To view available downloads or updates, do one of the following:
■ If the appliance displays an available download alert message, click View
Available Downloads to go to the Available Downloads page.
■ If the appliance displays an available install alert message, click View
Available Installs to go to the Available Installs page.
■ Select the Available Downloads or Available Installs node(s) on the
navigation pane.

Rolling back updates: A roll back removes the last intrusion prevention or
antivirus update that was installed on the appliance. You cannot roll back
firmware updates.

Note: ISS recommends that you perform a full system backup before installing a
firmware update. If you enable automatic firmware updates, you can enable the Perform
Full System Backup Before Installation option.


Update packages and rollbacks: After an update is installed, the appliance
deletes the update package. Therefore, the downloaded package is no longer on
your appliance. If you roll back the update, then the update will be found as
available for download and installation the next time you find updates or at
the next scheduled automatic update.

Cumulative updates and rollbacks: Updates are cumulative. Refer to the
following example for a description of the appliance behavior during a rollback
of cumulative updates.

Example: If you install version 1.1, do not install version 1.2, and then
install version 1.3, version 1.2 is installed with version 1.3. However, the
appliance does not roll back to version 1.2. A rollback to the last update
takes the appliance back to version 1.1.

To roll back an update:

1. In the navigation pane, select Updates.
The Update Status page displays the status of Intrusion Prevention, Antivirus,
and Firmware updates.
■ To roll back an antivirus update, click the corresponding Rollback Last
Update link, and then click OK.
■ To roll back an intrusion prevention update, click the corresponding Rollback
Last Update link, and then click OK.
■ The page automatically refreshes. If not, you can press F5 to refresh the
page and check the progress of the rollback.

Update Alerts Page: The Update Alerts page provides information on any alerts
associated with updates. For information about managing alerts, see “Managing
Events and Log Files” on page 347.


Automatic Update Settings Page


Introduction: Use the Automatic Update Settings page to configure how the
appliance locates, downloads, and installs updates. For detailed procedures see
“Configuring Automatic Updates” on page 27.

Note: If the icon appears next to a field on this page, it indicates one of the
following:

● data is required in the field
● the data in the field is invalid

If the icon appears next to a policy or a tab on this page, then the policy or
tab contains invalid settings or empty fields that require data.

Updates with HA enabled: If you are using a high availability configuration,
see “Updating the Appliances in High Availability Mode” on page 68.

Important: Do not enable automatic firmware updates when using high
availability.

Tabs on the Automatic Update Settings page: The following table describes the
tabs on the Automatic Update Settings page:

Use this tab...            To do this...

Update Settings: Configure automatic downloads and installations for the
following types of updates:
• antivirus and intrusion prevention
• database
• firmware

Alternate Update Server: Configure the appliance to use the SiteProtector
X-Press Update Server as an alternative update download server.

Event Notification: Configure how the appliance notifies you of update events.

Advanced Parameters: Configure advanced tuning parameters for updates.

Table 19: Tabs on the Automatic Update Settings page

Troubleshooting Updates: If you experience unusual behavior after you apply a
firmware update, try the following:

1. Close your Web browser.
2. Clear your Java cache.
3. Restart your Web browser and log on to Proventia Manager.
Note: For more information about how to clear your Java cache, refer to your
PC’s operating system documentation.


Configuring Automatic Updates


Introduction: You can configure your Proventia appliance to automatically
download and install updates based on your settings.

You can define the following settings to configure automatic updates for your
appliance:

● when the appliance automatically checks for updates
● when to download and install security updates
● when to download database updates
● when to download firmware updates
● how and when to install firmware updates
Important: Do not enable automatic firmware updates if using high availability.
● which firmware update version(s) to install
● the HTTP proxy (if required for your network Internet connection)

Automatic Update Options: You can set up the following automatic options:

Automatically Check for Updates: These options automatically check for new
updates that are available for download and installation.

Automatically Download Security, Database and Firmware Updates: These options
automatically download intrusion prevention, antivirus, and firmware updates
based on your settings.

Automatically Install Firmware Updates: This option automatically installs
firmware updates based on your settings. You can also enable the option to
automatically perform a full system backup before the appliance installs
firmware updates.

Automatically Update Web Filter and Antispam Database: This option downloads
and applies updates to the Web Filter and Antispam Database.

Table 20: Automatic update options

Prerequisite: You must install the Intrusion Prevention license first before
you can configure automatic updates. See “Installing the License File” on page
16.

Automatic update task overview: Configuring automatic updates is a six-task
process. You can set the following on the Automatic Update Settings page:

Task 1, Automatically check for Updates: Configure this option to
automatically check for any available updates.

Task 2, Security updates: Configure this option to automatically download
available security updates.

Task 3, Web Filter and Antispam database updates: Configure this option to
automatically update the Web Filter and Antispam database.

Task 4, Firmware updates: Configure this option to automatically download
firmware updates.

Task 5, Install options: Configure this option to automatically back up your
system and install updates.

Table 21: Automatic update task overview

Task 1: Specify when to check for updates
To specify when the appliance checks for updates:

1. In the navigation pane, click + to expand the Updates node.
2. Select Automatic Settings.
If your appliance model requires it, the Export Administration Regulation
window appears.
3. If needed, review the Export Agreement, select Yes, and then click Submit.
The Automatic Update Settings page appears.
4. Select the Update Settings tab.
5. Does your network use an HTTP proxy to get to the Internet?
■ If yes, click Configure HTTP Proxy. See “Configuring the HTTP Proxy Server”
on page 102.
■ If no, go to Step 6.
6. Do one of the following:
■ To check for updates daily or weekly, select Check for updates daily or
weekly, select the day to check for updates from the Day of Week list, and then
select a time from the Time of Day list.
Note: Make sure that the time of day that your appliance checks for updates is
at least one hour before the appliance performs automatic installations. This
ensures that the appliance has sufficient time to download the firmware updates
before the automatic installation occurs.
■ To check for updates more often than daily, select Check for updates at given
intervals, and then use the slider bar to select a value or type a value in the
Interval (minutes) field. The minimum interval is 60 minutes and the maximum
interval is 1440 minutes.

Task 2: Configure automatic security updates
To specify whether the appliance automatically downloads and installs security
updates:

1. To automatically download security updates, select the Automatically
Download check box.
2. To automatically install security updates, select the Automatically Install
check box.

Task 3: Configure automatic database updates
To automatically download updates to the Web Filter and Antispam Database:

■ Select the Automatically Update Web Filter and Antispam Database check box.
The database will receive updates from the ISS database server automatically.


Task 4: Configure automatic firmware updates
To configure firmware updates, select options from the following table:

If you want to automatically download firmware updates:
• Select the Automatically Download check box.
Note: The appliance will automatically download firmware updates each time it
checks for updates. You can specify how often the appliance checks for updates
in the Automatically Check for Updates area.

If you want to perform a full system backup before the appliance installs the
firmware update:
• Select Perform Full System Backup Before Installation.
Important: This option is enabled by default. ISS recommends that you perform a
full system backup before installing a firmware update. Your appliance stores
only one system backup, so if you select this option, then the appliance
overwrites the previous system backup.

If you want to download firmware updates but not install them:
• Select Do Not Install.
Note: This option allows you to install updates manually. See “Manually
Downloading and Installing Updates” on page 31.

If you want to automatically install firmware updates:
• Select Automatically Install Updates.
Important: If you select this option, the appliance may go offline for several
minutes during the installation process. Do not select this option if running
in high availability mode.

Table 22: Configure firmware updates

Task 5: Specify when to install firmware updates
To specify when to install firmware updates, select one of the options
described in the following table:

If you want to install updates at a specific date and time, select Delayed, and
then do this:
• Select what day you want the installation to occur from the Day of Week
list.
• Select what time you want the installation to occur from the Time of Day
list.
Note: You must configure the automatic installation to occur at least 1 minute
after automatic update downloads end.

If you want to install new updates as soon as they are automatically
downloaded, select Immediate. No further settings apply.
Note: ISS does not recommend this option because the installation process takes
the system offline for several minutes.

If you want to install one instance of updates at a specific date and time,
select Schedule One-Time Install, and then do this:
• Type the date you want the installation to occur in the Date field.
Note: The date must be in the following format:
yyyy-mm-dd
• Type the time you want the installation to occur in the Time field.
Note: The time must be in the following military time format:
hh:mm

Table 23: Specify when to install firmware updates

Task 6: Specify firmware update versions to install
To specify which firmware update versions to install:

1. In the Which version to Install area, select one of the following:
■ To install all versions up to the most recent version, select All Available
Updates.
■ To install all versions up to a specific version number, select Up To
Specific Version, and then type the version in the Version field.
2. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.
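
The scheduling rules spread across Tasks 1 through 5 (the 60 to 1440 minute check interval, the one-hour lead time between the update check and a Delayed firmware install, the backup recommendation, and the high availability restriction) can be checked together before you save the settings. The following Python is an added example and not ISS code; the AutoUpdateSettings fields are assumed names that mirror the options on the Update Settings tab, and times use the hh:mm military format the page describes.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Limits stated in this section of the guide.
INTERVAL_MIN_MINUTES = 60      # minimum "Check for updates at given intervals"
INTERVAL_MAX_MINUTES = 1440    # maximum interval
LEAD_TIME_MINUTES = 60         # check at least one hour before automatic installs


@dataclass
class AutoUpdateSettings:
    """Assumed model of the Update Settings tab (field names are illustrative)."""
    check_mode: str                        # "daily_weekly" or "interval"
    check_time: Optional[str] = None       # Time of Day ("hh:mm") for daily/weekly checks
    check_interval: Optional[int] = None   # Interval (minutes) for interval checks
    download_firmware: bool = False        # Automatically Download (firmware)
    install_mode: str = "do_not_install"   # "do_not_install", "delayed",
                                           # "immediate" or "one_time"
    install_time: Optional[str] = None     # Time of Day ("hh:mm") for a Delayed install
    backup_before_install: bool = True     # Perform Full System Backup Before Installation
    ha_enabled: bool = False               # appliance runs in high availability mode


def minutes_since_midnight(hhmm: str) -> int:
    """Parse military time 'hh:mm' (the Time field format) into minutes."""
    hours, mins = (int(part) for part in hhmm.split(":"))
    if not (0 <= hours < 24 and 0 <= mins < 60):
        raise ValueError(f"bad time {hhmm!r}")
    return hours * 60 + mins


def validate(s: AutoUpdateSettings) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings): errors are settings the guide says not to use
    or that cannot work; warnings are settings ISS recommends against."""
    errors: List[str] = []
    warnings: List[str] = []

    # Task 1: how often the appliance checks for updates.
    if s.check_mode == "interval":
        if s.check_interval is None or not (
            INTERVAL_MIN_MINUTES <= s.check_interval <= INTERVAL_MAX_MINUTES
        ):
            errors.append("check interval must be between "
                          f"{INTERVAL_MIN_MINUTES} and {INTERVAL_MAX_MINUTES} minutes")
    elif s.check_mode == "daily_weekly":
        if s.check_time is None:
            errors.append("daily/weekly checks need a Time of Day")
    else:
        errors.append(f"unknown check mode {s.check_mode!r}")

    if s.install_mode == "do_not_install":
        return errors, warnings
    if s.install_mode not in ("delayed", "immediate", "one_time"):
        errors.append(f"unknown install mode {s.install_mode!r}")
        return errors, warnings

    # Tasks 4 and 5: automatic firmware installation.
    if not s.download_firmware:
        errors.append("automatic installation needs Automatically Download enabled")
    if s.ha_enabled:
        errors.append("do not enable automatic firmware updates in high availability mode")
    if not s.backup_before_install:
        warnings.append("ISS recommends a full system backup before each firmware update")
    if s.install_mode == "immediate":
        warnings.append("Immediate installs take the appliance offline as soon as "
                        "updates download; ISS does not recommend this option")
    elif s.install_mode == "delayed":
        if s.install_time is None:
            errors.append("Delayed install needs a Day of Week and Time of Day")
        elif s.check_mode == "daily_weekly" and s.check_time is not None:
            # Minutes from the update check to the install, wrapping past midnight.
            gap = (minutes_since_midnight(s.install_time)
                   - minutes_since_midnight(s.check_time)) % 1440
            if gap < LEAD_TIME_MINUTES:
                errors.append(f"install is only {gap} minutes after the update check; "
                              f"allow at least {LEAD_TIME_MINUTES} for downloads")
    return errors, warnings


def documented_schedule() -> AutoUpdateSettings:
    """The process Table 18 describes: check at 3:00 AM, back up and install at 5:05 AM."""
    return AutoUpdateSettings(check_mode="daily_weekly", check_time="03:00",
                              download_firmware=True, install_mode="delayed",
                              install_time="05:05", backup_before_install=True)


if __name__ == "__main__":
    for label, settings in [("documented", documented_schedule()),
                            ("too tight", AutoUpdateSettings("daily_weekly", "04:30",
                                                             download_firmware=True,
                                                             install_mode="delayed",
                                                             install_time="05:05"))]:
        print(label, validate(settings))
```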


Manually Downloading and Installing Updates


Introduction: If you do not have automatic updates configured for the
appliance, or if you want to install an update off schedule, you can find and
manually install updates. This topic describes how to download and install
updates manually. When updates are available, a message appears on the Update
Management page.

Manual updates task overview: You must complete the following tasks to manually
update the appliance:

Task 1: Find available updates.
Task 2: Download updates.
Task 3: Install updates.

Table 24: Manual updates task overview

Task 1: Finding available updates
The appliance first checks for updates locally, then connects to the ISS
download center for updates that have not been downloaded.

When you click the button on the Update Status page, the appliance checks for
the following:

● updates that are already downloaded to the appliance
● updates that are available for download from the ISS download center

Note: If the appliance finds updates to download or install, an alert message
displays a link to the appropriate page.

To find available updates:

1. In the navigation pane, click Updates.
If your appliance model requires it, the Export Administration Regulation
window appears.
2. If needed, review the Export Agreement, select Yes, and then click Submit.
The Update Status page appears.
3. In the Updates area, click the button.
4. Do one of the following to view the available updates:
■ Click the View Available Downloads link in the alert message.
■ From the navigation pane, click Updates → Available Downloads.

Task 2: Downloading updates
To download available updates, use one of the following ways:

● download updates from the “Updates to Install” message prompt
● download updates directly from the Updates to Download page


To download updates from the Updates to Install message prompt, do the following:

1. If updates are available to download, the following message appears on the Updates
to Install page:
“There are updates available. Click here to see details.”
2. Click the link in the message.
The Updates to Download page appears.
3. Click Download Updates.
The Downloading Alert page displays while the appliance downloads the updates.
After the download is complete, the available updates message is cleared from the
Updates to Install page.

To download updates directly from the Updates to Download page:

1. In the navigation pane, click + to expand the Updates node.
2. Select Available Downloads.
If your appliance model requires it, the Export Administration Regulation
window appears.
3. If needed, review the Export Agreement, select Yes, and then click Submit.
The Available Downloads page appears, and available updates to download are
displayed in the Updates to Download table.
4. Click Download Updates.

Installing updates manually: To install updates manually:

1. In the navigation pane, click + to expand the Updates node.
2. Select Available Installs.
3. If your appliance model requires it, the Export Administration Regulation window
appears.
4. If needed, review the Export Agreement, select Yes, and then click Submit.
The Available Installs page appears, and available updates to install are displayed in
the Updates to Install table.
5. Select the updates you want to install, and then click Install Updates.
Note: Some firmware updates require that you reboot your appliance. For more
information about product issues and updates, see the Proventia M Series Readme
located on the ISS download center page at http://www.iss.net/download/. You
can view the status of the installation in the Update History table on the Update
Status page.


Manually Updating the Web Filter and Antispam Database


Introduction

ISS recommends that you update your local Web Filter and Antispam database
automatically at least once daily to keep it up to date. However, you can choose to
manually update the database.

Note: To schedule automatic database updates, see “Task 3: Configure automatic
database updates” on page 28.

Updating or overwriting the database

If you have a database locally installed on your appliance, ISS recommends that you
update the database rather than overwrite it. Although Web Filter and Antispam
functionality is unaffected while you overwrite the database, the download could take
several hours. To update an existing local database, use the Web Filter and Antispam
Database page.

When to update

You can keep your database fresh by downloading updates frequently. If you enable
automatic updates for the appliance, then the updates are automatically downloaded and
installed. ISS updates the database six times daily, and recommends that you schedule
automatic database updates that occur no less than once daily.

Note: Database update files can be large. ISS recommends that you schedule automatic
database updates during non-peak or off hours.

Manually updating the database

To manually update the database:

1. In the navigation pane, click + to expand the System node.
2. Select FilterDB.
The Web Filter and Antispam Database page appears.
3. Do one of the following:

■ Click to download the latest database and overwrite your current database.
■ Click the link Click here to update an existing database.
■ Click to refresh the status of obtaining the current local database.


Configuring Update Notification


Introduction

You can specify how the appliance notifies you of the following:

● available updates
● available installations
● update errors

Prerequisites

Consider the following prerequisites before you use the update notification feature:

● You must first configure Simple Network Management Protocol (SNMP). See
“Configuring SNMP” on page 97.
● Be sure that the email notification options you select are compatible with your SMTP
configuration. To check email notification settings, expand the Services node, select
Notification, and then select the Delivery Setup tab.

Configuring notification for available updates

To configure notification for available updates:

1. In the navigation pane, click + to expand the Updates node.
2. Select Automatic Settings.
3. If your appliance model requires it, the Export Administration Regulation window
appears.
4. If needed, review the Export Agreement, select Yes, and then click Submit.
The Automatic Settings page appears.
5. Select the Notification tab.
6. To enable alert logging for available updates, select the Enable Alert Logging for
Available Updates check box.
7. Select how the appliance notifies you about available updates:
■ To receive email notifications, select Email Enabled, and then select the email
account name from the Email Name drop-down list.
■ To configure another email account, click Configure Email.
Important: If you use email notification, leave the default setting for the
attack.log_one_attack_every advanced parameter. The default setting is 100.
Example: If 100 of the same type of event occur, only 1 log event record will be
written. Therefore, you will receive only one email notification, rather than 100.
■ To receive SNMP traps on UDP port 162, select SNMP Trap Enabled.
■ To configure SNMP Get or SNMP Traps, click Configure SNMP.
■ To send alerts to the SiteProtector desktop controller, select SiteProtector Enabled.
8. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.
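The attack.log_one_attack_every behaviour described in step 7 can be hard to picture from the one-line example alone. The following is an added illustration (not ISS code) that models it: one log record, and so one email notification, is written per N events of the same type, with N defaulting to 100. The event names in the sample stream are constructed.

```python
"""Log coalescing for repeated events, as an added example (not ISS code).

Models the behaviour the guide describes for attack.log_one_attack_every:
with the default of 100, one log record (and so one email notification) is
written per 100 events of the same type.  Event names are constructed.
"""
from collections import defaultdict


class CoalescingLogger:
    """Write one record per `every` events of the same type.

    The first event of each type is always recorded; the following
    `every - 1` events of that type are counted but not written.
    """

    def __init__(self, every=100):
        if every < 1:
            raise ValueError("every must be >= 1")
        self.every = every
        self.counts = defaultdict(int)   # events seen, per type
        self.records = []                # records actually written

    def log(self, event_type, detail=""):
        """Return True when a record (and a notification) was written."""
        seen_before = self.counts[event_type]
        self.counts[event_type] += 1
        if seen_before % self.every != 0:
            return False                 # suppressed; only counted
        self.records.append({
            "type": event_type,
            "detail": detail,
            "suppressed_since_last": 0 if seen_before == 0 else self.every - 1,
        })
        return True


def simulate(events, every=100):
    """Feed a constructed event stream through the coalescer."""
    logger = CoalescingLogger(every)
    for event_type in events:
        logger.log(event_type)
    return {
        "events_seen": dict(logger.counts),
        "records_written": len(logger.records),   # == emails that would be sent
    }


if __name__ == "__main__":
    # Constructed stream: 100 identical events, then 3 of another type
    print(simulate(["update_available"] * 100 + ["update_error"] * 3))
    # Lowering the parameter to 1 makes every event a record, i.e. 103 emails
    print(simulate(["update_available"] * 100 + ["update_error"] * 3, every=1))
```

The second call shows why the guide says to leave the default alone when email notification is enabled: with the parameter set to 1, a burst of 100 identical events becomes 100 emails instead of one.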


Configuring notification for available installations

To configure notification for available installations:

1. In the navigation pane, click + to expand the Updates node.
2. Select Automatic Settings.
3. If your appliance model requires it, the Export Administration Regulation window
appears.
4. If needed, review the Export Agreement, select Yes, and then click Submit.
The Automatic Settings page appears.
5. Select the Notification tab.
6. To enable alert logging for available installs, select the Alert Logging for Update
Installation check box.
7. Select how the appliance notifies you about available installs. Refer to Step 7 in
“Configuring notification for available updates” on page 34.
8. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Configuring notification for update errors

To configure notification for update errors:

1. In the navigation pane, click + to expand the Updates node.
2. Select Automatic Settings.
If your appliance model requires it, the Export Administration Regulation window
appears.
3. If needed, review the Export Agreement, select Yes, and then click Submit.
The Automatic Settings page appears.
4. Select the Notification tab.
5. To enable alert logging for update errors, select the Alert Logging for Update Errors
check box.
6. Select how the appliance notifies you about update errors. Refer to Step 7 in
“Configuring notification for available updates” on page 34.
7. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.


Updating an Appliance with High Availability Enabled


Introduction

This topic describes how to update an appliance if high availability is enabled.

Note: You can use the SiteProtector X-Press Update Server as an alternative update
server. For more information, see “Using the SiteProtector X-Press Update Server” on
page 38.

Update requirements

The following update requirements apply to all appliances with the HA feature enabled:
● You can enable automatic update downloads, but you must install firmware updates
manually.
Important: Do not enable the automatic firmware update installation option.
● You must apply the same firmware version to both the primary and the secondary
appliances. The HA feature will not function properly if the primary and secondary
appliances run different versions of firmware.
Important: ISS recommends that you install firmware updates on the secondary
appliance first, and then force a failover before installing firmware updates on the
other appliance in the cluster.
● In a standard high availability environment (using a single external IP), a firmware
update installation to the primary appliance forces a failover to the secondary
appliance. The primary appliance becomes the secondary appliance in the cluster. To
force a failover and return an appliance to primary status, connect to the unique IP
address of the current primary appliance, go to the System Tools page, and then click
Force Failover.
Caution: Applying firmware updates to an HA appliance requires a failover. ISS
recommends that you install firmware updates during off hours.
● If your appliances are registered with SiteProtector, you should unregister each
appliance after enabling the HA feature. You must perform firmware updates
individually in Proventia Manager for each appliance.

Recommendations

Consider the following recommendations before you apply updates to an appliance with
the HA feature enabled:

● To maintain up-to-date security and database content, enable automatic scheduled
security and database updates.
Important: Do not enable automatic firmware updates.
● Open two browser windows so that you can more easily access both appliances
during the update process.

Tasks to update the firmware for an HA deployment

To update the firmware for an HA deployment, perform the following tasks:

Task 1: Use the Unit A (primary appliance) unique internal IP address to connect to the Unit
A Proventia Manager interface.
Note: Do not use the virtual IP address.

Task 2: Do one of the following:
• If you enabled automatic update downloads, check the Updates to Install page
on Unit A to verify that updates are available for installation.
• If you did not enable automatic update downloads, manually download update(s)
to Unit A.

Task 3: In the Unit A Proventia Manager, expand the System node, select Tools, and
then click .
Note: This forces a failover, so that Unit B becomes the primary appliance. After the
failover completes, the Secondary Appliance banner appears on Unit A.

Task 4: To verify that the failover was successful, use the Unit B unique internal IP address
to connect to the Unit B Proventia Manager interface. Go to the Home Page of Unit
B and make sure that the High Availability Operating As is Primary.

Task 5: Use the Unit A unique internal IP address to connect to the Unit A Proventia
Manager interface.
Note: Do not use the virtual IP address.

Task 6: Manually perform a system backup on Unit A.

Task 7: Manually install firmware updates on Unit A.

Task 8: View the Installation History table on the Update Status page to verify that the
installation was successful.

Task 9: Use the Unit B unique internal IP address to connect to the Unit B Proventia
Manager interface.
Note: Do not use the virtual IP address.

Task 10: Do one of the following:
• If you enabled automatic update downloads, check the Updates to Install page
on Unit B to verify that updates are available for installation.
• If you did not enable automatic update downloads, manually download firmware
update(s) to Unit B.

Task 11: In the Unit B Proventia Manager, expand the System node, select Tools, and
then click .
Note: This forces a failover, so that Unit A becomes the primary appliance. After the
failover completes, the Secondary Appliance banner appears on Unit B.

Task 12: To verify that the failover was successful, use the Unit A unique internal IP address
to connect to the Unit A Proventia Manager interface. Go to the Home Page of Unit
A and make sure that the High Availability Operating As is Primary.

Task 13: Use the Unit B unique internal IP address to connect to the Unit B Proventia
Manager interface.
Note: Do not use the virtual IP address.

Task 14: Manually perform a system backup on Unit B.

Task 15: Manually install firmware updates on Unit B.

Task 16: View the Installation History table on the Update Status page to verify that the
installation was successful.

Table 25: Tasks to update the firmware for an HA deployment


Using the SiteProtector X-Press Update Server


Introduction

By default, the appliance receives updates from the ISS Download Center. If you use
SiteProtector to manage your appliance, you can configure the appliance to use the
SiteProtector X-Press Update Server as an alternate update server. Configure the
appliance to use the SiteProtector X-Press Update Server on the Automatic Update
Settings page.

Why use the SiteProtector alternative update server?

If you use SiteProtector to manage your appliance, you may want to use the SiteProtector
X-Press Update Server as an alternate update server for the following reasons:

● If you have a large deployment of appliances, you can save bandwidth on your
Internet connection. Your appliances can request updates from one SiteProtector
update server, rather than each appliance using bandwidth to download the same
updates from the default ISS Download Center.
● If you want to download updates in a more secure environment and don't want every
appliance to have access to the Internet for update downloads, the appliances can
request updates from the SiteProtector update server. In this scenario, only the
SiteProtector update server requires an Internet connection.

Fields on the Update Server tab

The following table describes the fields on the Update Server tab:

Use Alternate Update Server: Enables the appliance to request and receive updates from the
SiteProtector X-Press Update Server.

Host or IP: The DNS name or IP address of the SiteProtector update server
that provides update downloads to the appliance.

Port: The port that the appliance uses to communicate with the
SiteProtector update server. The SiteProtector X-Press Update
Server listens for update requests on this port.
Note: By default, the appliance uses port 443 to communicate
with the ISS download center at www.iss.net. The SiteProtector
server uses port 3994 by default. For more information about
configuring ports on the SiteProtector server, see your
SiteProtector documentation.

Trust Level: The authentication level for communications with the SiteProtector
update server. Authentication level options for the SiteProtector
update server are as follows:
• trust-all: The appliance trusts the SiteProtector update server,
and does not use SSL certificates for authentication. This is
the easiest way to set up the connection to the SiteProtector
update server.
• explicit-trust: The appliance uses the local certificate to
authenticate the connection to the SiteProtector update server.
This is a more secure connection, but you must first copy the
update server's certificate to the correct location on the
appliance. See “Configuring explicit-trust authentication” on
page 40.

Table 26: Fields on the Update server tab


Using the SiteProtector alternate update server

To use the SiteProtector X-Press Update Server for downloading updates:

1. In the navigation pane, click + to expand the Updates node.
2. Select Automatic Settings.
If your appliance model requires it, the Export Administration Regulation window
appears.
3. If needed, review the Export Agreement, select Yes, and then click Submit.
The Automatic Update Settings window appears.
4. Select the Alternate Update Server tab.
5. Select the Use Alternate Update Server check box.
6. In the Host or IP field, type the DNS name or IP address of the SiteProtector update
server that provides update downloads to the appliance.
7. In the Port field, type the port that the appliance uses to communicate with the
SiteProtector update server.
Note: The SiteProtector X-Press Update Server uses port 3994 by default.
8. Select one of the following from the Trust Level list:
■ trust-all
■ explicit-trust
9. If you selected explicit-trust authentication, type the fully-qualified path of the
update server's certificate in the CA Certificate field.
Note: Type the fully qualified directory path to the certificate file that you copied to the
appliance.
Example: /etc/server-rsa.crt
Important: To use explicit-trust authentication, you must copy this certificate file to
the appliance as described in “Configuring explicit-trust authentication” on page 40.
10. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

About trust levels

The appliance can do either of the following to establish an SSL connection to the
SiteProtector X-Press Update Server:

● trust the connection (a trust-all authentication)
● use a certificate to authenticate the connection (an explicit-trust authentication)

When the appliance connects to the default ISS update server, the appliance uses explicit-
trust authentication. This means that the public certificate of the ISS update server's
Certificate Authority must be on the appliance to verify the site and establish the SSL
connection.

If you want to easily set up the connection to the SiteProtector X-Press Update Server,
select the trust-all authentication option. If you want to use the more secure explicit-trust
connection to the SiteProtector X-Press Update Server, you must copy the update server's
certificate file to the correct location on the appliance. See “Configuring explicit-trust
authentication” on page 40.


Configuring explicit-trust authentication

To configure the appliance to use explicit-trust authentication with the SiteProtector X-Press
Update Server:

1. Locate the following certificate file on the SiteProtector X-Press Update Server:
server-rsa.crt
Note: The default location of this file on the SiteProtector update server is:
Program Files\ISS\RealSecure SiteProtector\X-Press Update
Server\webserver\Apache2\conf\ssl.crt
2. Use a migration utility such as Windows Secure Copy to copy the server-rsa.crt
certificate file, and then paste it in the following directory on the appliance:
/etc
Note: For information about using your migration utility, see your utility product
documentation.
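The difference between the two trust levels described under “About trust levels” and the certificate copy step above is easier to see in code. The following added example (not ISS code, and not how the appliance itself is implemented) maps the two Trust Level options onto Python ssl settings: trust-all validates nothing, while explicit-trust validates the update server's chain against only the certificate copied to the appliance (the guide's example path /etc/server-rsa.crt is used as the default) and fails closed if that file is missing. The port default 3994 and the certificate path come from the page; the probe function's host is whatever you pass in.

```python
"""Trust levels for the update-server connection, as an added example.

Not ISS code.  It maps the two Trust Level options (trust-all and
explicit-trust) onto Python ssl settings so the difference is concrete:
trust-all validates nothing, explicit-trust validates the server chain against
the CA certificate copied to the appliance (the guide's example path is
/etc/server-rsa.crt) and fails closed when that file is missing.
"""
import socket
import ssl

DEFAULT_XPU_PORT = 3994                  # SiteProtector X-Press Update Server default
DEFAULT_CA_PATH = "/etc/server-rsa.crt"  # where the guide says to copy the certificate


def update_server_context(trust_level, ca_cert_path=DEFAULT_CA_PATH):
    """Build an SSLContext matching the selected Trust Level.

    trust-all      -> no chain or hostname verification (the weak setting)
    explicit-trust -> chain verified against ca_cert_path only, hostname checked
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if trust_level == "trust-all":
        # Order matters: check_hostname must be off before verify_mode can be CERT_NONE.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    elif trust_level == "explicit-trust":
        ctx.check_hostname = True
        ctx.verify_mode = ssl.CERT_REQUIRED
        # No system CA store is loaded: only the copied certificate is trusted.
        # Raises FileNotFoundError (an OSError) if the file was never copied,
        # so a misconfigured client cannot silently fall back to trusting anything.
        ctx.load_verify_locations(cafile=ca_cert_path)
    else:
        raise ValueError(f"unknown trust level: {trust_level!r}")
    return ctx


def describe(ctx):
    """What the context will actually check when it connects."""
    return {
        "verifies_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "verifies_hostname": bool(ctx.check_hostname),
    }


def probe_update_server(host, trust_level, port=DEFAULT_XPU_PORT,
                        ca_cert_path=DEFAULT_CA_PATH, timeout=10):
    """Open a TLS session the way a client with this trust level would and
    report the negotiated protocol version.  With explicit-trust, a server
    whose certificate was not issued by the copied CA fails here with
    ssl.SSLCertVerificationError instead of being talked to."""
    ctx = update_server_context(trust_level, ca_cert_path)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()
```

Note the design choice in the explicit-trust branch: the context deliberately does not call load_default_certs(), so the only issuer accepted is the one whose certificate was copied to the appliance. That is what makes explicit-trust the "more secure connection" the table describes; a trust-all context accepts any certificate, including one presented by a host impersonating the update server.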

Part II: Configuring the Appliance

Chapter 4: High Availability

Overview
Introduction

This chapter explains how to configure and enable two Proventia M appliances for use in
a high availability (HA) environment. Detailed information about physical connectivity
and installation requirements is located in the Proventia M Integrated Security Appliance
Addendum document which is in your appliance packaging, and posted on the ISS Web
site at http://www.iss.net/support/documentation/.

In this chapter

This chapter contains the following topics:

About High Availability (page 44)
High Availability Deployment (page 47)
High Availability Task Overview (page 52)
High Availability Access and NAT Policies (page 49)
High Availability Configuration (page 56)
Viewing High Availability Status (page 67)
Updating the Appliances in High Availability Mode (page 68)
SiteProtector Management of High Availability Appliances (page 69)
Troubleshooting your High Availability Configuration (page 70)


About High Availability


Introduction

The Proventia M Integrated Security Appliance offers active-passive high availability
(HA) by using virtual IPs shared between a primary appliance and a secondary appliance
linked together as a “cluster”.

The secondary appliance waits in passive mode ready to operate as the primary
appliance, if the designated primary appliance fails. The two appliances connect using a
dedicated interface link between the primary and secondary. If no heartbeat is received
from the primary appliance for a predetermined period of time, the device is considered
to have failed. When this occurs the secondary device takes over all of the virtual IPs for
all interfaces and becomes the primary device.
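The heartbeat-and-takeover behaviour just described, as an added example (not ISS code, and not the appliance's own implementation). A secondary node records when the last heartbeat from the primary arrived; once no heartbeat has been seen for a dead interval it adopts every virtual IP on every interface and becomes primary. The interface names, virtual IPs, dead interval and timeline are all constructed for the demonstration.

```python
"""Heartbeat-driven active-passive failover, as an added example (not ISS code).

The secondary appliance tracks the time of the last heartbeat from the
primary; once no heartbeat has arrived for the dead interval it takes over
every virtual IP on every interface and becomes the primary.  Interfaces,
IPs, timings and the timeline are constructed.
"""

# Constructed cluster layout: interface -> virtual IP shared by the pair
CLUSTER_VIPS = {"eth0": "172.16.100.1", "eth1": "10.10.100.1"}


class HANode:
    def __init__(self, name, role, dead_interval):
        self.name = name
        self.role = role                  # "primary" or "secondary"
        self.dead_interval = dead_interval
        self.last_heartbeat = None        # time of the most recent peer heartbeat
        self.owned_vips = {}              # virtual IPs this node currently answers for
        self.events = []

    def heartbeat_received(self, now):
        self.last_heartbeat = now

    def check(self, now):
        """Failure detector. Returns True if this node just took over as primary."""
        if self.role != "secondary":
            return False
        # Never take over before the first heartbeat: that would risk two
        # primaries (split brain) while the peer is still booting.
        if self.last_heartbeat is None:
            return False
        silent_for = now - self.last_heartbeat
        if silent_for < self.dead_interval:
            return False
        # Peer is considered failed: adopt all virtual IPs on all interfaces.
        # This is a "warm" failover: the peer's existing TCP sessions are not
        # carried over, as the guide notes for FTP, VPN and HTTP connections.
        self.role = "primary"
        self.owned_vips = dict(CLUSTER_VIPS)
        self.events.append((now, f"no heartbeat for {silent_for}s; took over "
                                 f"{sorted(CLUSTER_VIPS.values())}"))
        return True


def simulate(heartbeat_times, end_time, dead_interval=3):
    """Drive a secondary node through a constructed timeline.

    heartbeat_times: seconds at which a primary heartbeat arrives.
    Returns (takeover_time_or_None, final_role, owned_vips).
    """
    node = HANode("unit-b", "secondary", dead_interval)
    heartbeats = set(heartbeat_times)
    takeover_at = None
    for t in range(end_time + 1):
        if t in heartbeats:
            node.heartbeat_received(t)
        if node.check(t) and takeover_at is None:
            takeover_at = t
    return takeover_at, node.role, node.owned_vips


if __name__ == "__main__":
    # Primary heartbeats at t=0..3, then goes silent; takeover expected at t=6
    print(simulate([0, 1, 2, 3], end_time=10))
    # Healthy primary: heartbeats every second, no takeover
    print(simulate(range(0, 11), end_time=10))
```

Two points a practitioner would want to check on a real deployment follow from this model: the dead interval sets the window during which the cluster answers for nothing, and a node that has never heard a heartbeat must not promote itself, otherwise both units can end up announcing the same virtual IPs.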

VPN policy considerations and other restrictions

Consider the following if you enable the High Availability (HA) feature on your
appliance:
● When you enable or disable the high availability feature, the appliance uses the
virtual IP addresses to route traffic. If you have created firewall policies or rules that
use a static IP address, then you must revise those policies or rules.
● In the case of access policies, IPSEC policies, NAT policies, or proxy redirection rules,
change any IP address information that references a static interface address to one of
the virtual IP addresses, or disable the policy, as appropriate. You must remove and
then re-add conflicting security gateways.
Caution: If Source or Destination NAT Rules reference a static IP address (physical
interface), you must change the IP address for the rule to match the virtual IP address
of that interface. The Hide NAT Source Rule is enabled by default. This Many-to-One
configuration translates all non-routable IP addresses to the IP address of the eth1
interface. If you use the high availability feature, you must edit the Hide NAT Source
Rule. On the Translated Address tab, change the IP address entry to the virtual IP
address for the HA cluster.
● If you run the Proventia Setup Utility when the HA feature is enabled, you cannot
modify network settings.
● After you enable HA, you cannot change network settings for either appliance in the
cluster. This restriction also applies to HA clusters that you may manage with
SiteProtector.
Note: If you use SiteProtector to manage your HA cluster, SiteProtector views the HA
cluster as a single entity or sensor. If your secondary appliance is already registered
with a SiteProtector Agent Manager, the appliance becomes redundant and will
appear as "offline" in the SiteProtector console after you enable the HA feature. ISS
recommends that you unregister the secondary appliance before you enable the HA
feature. For more information, see “SiteProtector Management of High Availability
Appliances” on page 69.
● If the primary appliance fails, it loses all existing connections. This is known as
“warm” failover. The primary appliance loses FTP, VPN and other TCP persistent
connections, and you must reconnect them on the secondary appliance. For HTTP
connections, refresh your browser or press F5 to regain the ability to create an Internet
connection.
● When you enable or disable the HA feature, the appliance uses the virtual IP address
to route traffic. The virtual IP address replaces the Local ID data (such as the local IP
address) for each appliance.


● When you set up a security gateway with an IP address as the Local ID, you must use
the first virtual IP address for the interface as the Local ID value. Do not use any of
the following:
■ an alias
■ an IP address using a proxy ARP
■ the second or later virtual IP address
● If you have created NAT rules, IPSEC policies, security gateways, or other policies
that use this Local ID data, then those policies or rules are invalidated.
Caution: If you reboot the appliance before you edit these policies, your VPN connections
will not function.

Prerequisites

To use the high availability feature you must do the following:

Acquire Licenses: Licenses are not synchronized between M appliances. Each
appliance must have its own unique license.

Edit existing policies and configurations: You must edit existing policies as follows:
• You must configure all firewall access policies, VPN
configurations and external DNS entries to use the virtual IP
addresses.
• If you have created firewall policies or rules that use a static IP
address, then you must revise those policies or rules.
CAUTION: When you enable or disable the high availability
feature, the appliance uses the virtual IP addresses to route
traffic. In the case of access policies, IPSEC policies, NAT
policies, or proxy redirection rules, change any IP address
information that references a static interface address to one of
the virtual IP addresses, or disable the policy, as appropriate.
You must remove and then re-add conflicting security
gateways. If Source or Destination NAT Rules reference a static
IP address (physical interface), you must change the IP address
for the rule to match the virtual IP address of that interface.
• The Hide NAT Source Rule is enabled by default. This Many-to-One
configuration translates all non-routable IP addresses to the
IP address of the eth1 interface. If you use the high availability
feature, you must edit the Hide NAT Source Rule. On the
Translated Address tab, change the IP address entry to the
virtual IP address for the HA cluster.
• When you set up a security gateway with an IP address as the
Local ID, you must use the first virtual IP address for the
interface as the Local ID value. Do not use any of the following:
- an alias
- an IP address using a proxy ARP
- the second or later virtual IP address

Add required access policies and Source NAT Rule: You must add three new firewall
access policies and a Source NAT Rule before you begin HA configuration. See “High
Availability Access and NAT Policies” on page 49.

Select Dedicated HA Interface: IMPORTANT: Each appliance must dedicate the same HA interface.
Match any of the available interfaces eth2 through eth7; the number
of available interfaces varies depending on your appliance model. Do
not use INT0 (eth0) or EXT1 (eth1) for your high availability interface.
This simplifies use of HA functionality, and provides good throughput
when the appliances share state information.
• Use the same appliance model for both the primary and
secondary device.
Example: M30 to M30
• The HA interface must be on a dedicated private network to
prevent attacks from entering the network via the HA interfaces.
• Do not route user network traffic across the dedicated HA
interfaces.

Table 27: HA prerequisites


High Availability Deployment


Introduction

This topic describes a typical high availability deployment scenario for the Proventia M
Series appliances. It includes the following:

● a logical diagram for HA deployment
● a physical network diagram for HA deployment

Logical HA deployment diagram

The example below shows a logical network diagram of a standard high availability
cluster deployment. In this example, there is only one external IP address: 10.10.100.1. The
appliances use non-routable IP addresses for their external interface:

Figure 2: Logical HA diagram for standard deployment


Physical HA deployment network diagram

A physical network diagram of a typical HA deployment scenario is shown in Figure 3:

Figure 3: HA physical network diagram


High Availability Access and NAT Policies


Introduction

Before you enable the high availability feature, you must create three firewall access
policies and one Source Network Address Translation (NAT) policy to allow the HA
appliances to communicate and receive updates.

Caution: When you enable or disable the HA feature, the appliance uses the virtual IP
addresses to route traffic. If you have created firewall policies, NAT policies, or rules that
use a static IP address, then you must revise those policies or rules. In the case of access
policies, IPSEC policies, NAT policies and proxy redirection rules, change any IP address
information that references a static interface address to one of the virtual IP addresses, or
disable the policy, as appropriate. You must remove and then re-add conflicting Security
Gateways. If you reboot the appliance before you edit these policies, your VPN
connections will not function.

Important: The Hide NAT Source Rule is enabled by default. This Many-to-One
configuration translates all non-routable IP addresses to the IP address of the eth1
interface. If you use the high availability feature, you must edit the Hide NAT Source
Rule. On the Translated Address tab, change the IP address entry to the virtual IP address
for the HA cluster.

HA Requirements

Consider the following requirements for the high availability access policies and Source
NAT Rule:

● Before you create the HA policies, you must create the following Address Name
network objects:
■ an Address Name network object for the IP address ranges of all enabled interfaces,
including the HA interface and virtual IP addresses
■ an Address Name network object for the static IP address range of the HA interface
only
Example
In this example, you have configured your network as shown in the Logical Network
Diagram shown in Figure 2 on page 47.
Create an Address Name network object called ClusterIPAddresses for the IP address
ranges of all enabled interfaces in the HA cluster, including the HA interface and
virtual IP addresses:
10.10.100.1
192.168.200.1-192.168.200.2
172.16.100.2-172.16.100.3
192.168.100.1-192.168.100.2
172.10.100.1
Create an Address Name network object called HANetIPAddresses for the static IP
address range of the HA interface only, as follows:
192.168.100.1-192.168.100.2
● The access policies and Source NAT Rule must work on both appliances in the cluster.
● You must add the access policies and Source NAT Rule before you enable the HA
feature.


High availability access policy descriptions

The required access policies are described in the following table:

Policy 1: This policy allows TCP communication through the HA interface (eth2) to the
destination port, so that the appliances can communicate policy and state
information. For the Source Address, you must use an Address Name network
object for the static IP address range of the HA interface only (the
HANetIPAddresses Address Name object in the example found in “HA
Requirements” on page 49).
Example:
Name: Allow policy synchronization over HA network
Action: Allow
Protocol: TCP
Source Address: HANetIPAddresses (Address Name network object)
Source Port: Any
Destination Address: Self
Destination Port: 2998

Policy 2: This policy allows UDP heartbeat packets from M appliances on all interfaces. For the
Source Address, you must use an Address Name network object for the static IP
address ranges of all enabled interfaces, including the HA interface (the
ClusterIPAddresses Address Name object in the example found in “HA
Requirements” on page 49).
Example:
Name: Allow UDP heartbeat on all enabled interfaces
Action: Allow
Protocol: UDP
Source Address: ClusterIPAddresses (Address Name network object)
Source Port: Any
Destination Address: Self
Destination Port: 694

Policy 3: This policy allows the secondary appliance to receive updates. For the Source
Address, you must use an Address Name network object for the static IP address
range of the HA interface only (the HANetIPAddresses Address Name object in the
example shown in “HA Requirements” on page 49).
Example:
Name: Allow secondary appliance updates over HA network
Action: Allow
Protocol: TCP
Source Address: HANetIPAddresses (Address Name network object)
Source Port: Any
Destination Address: Any
Destination Port: Any
Note: When you configure the secondary appliance, you are not required to add this
access policy, because the first two access policies allow HA functionality. The
secondary appliance can receive the third access policy to allow updates from the
primary appliance after you enable HA.

Table 28: Required access policies for HA


NAT Source Rule description

The NAT Source Rule specifies the source NAT address for the secondary appliance so
that it can receive updates.

Note: For the Source Address, you must use an Address Name network object for the
static IP address range of the HA interface only. See “Configuring Address Names” on
page 171.

Example:

Protocol: Any
Source Address: HANetIPAddresses (Address Name network object)
Source Port: None
Destination Address: Any
Destination Port: Any
Translated Address: Single IP Address - use the external virtual IP address

Table 29: Source NAT rule example

Note: See the example in the Logical HA diagram for standard deployment shown in
Figure 2 on page 47, where the external virtual IP address is 10.10.100.1.

Note: For the secondary appliance, you are not required to add this Source NAT Rule,
because the first two access policies allow HA functionality. The secondary appliance can
receive the Source NAT Rule from the primary appliance after you enable HA.
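The Address Name objects from “HA Requirements”, the three access policies in Table 28 and the Source NAT Rule in Table 29 can be checked against sample traffic before HA is enabled. The following added example (not ISS code, and not the appliance's own policy engine) reproduces those objects and rules exactly as the guide lists them and evaluates constructed packets against them; the Self addresses, the update server address 203.0.113.10 and the packets themselves are constructed for the demonstration.

```python
"""Evaluating the HA access policies and Source NAT Rule against sample traffic.

Added example, not ISS code.  The Address Name objects, policy names, ports and
the external virtual IP come from the guide's example; SELF_ADDRESSES, the
update-server address and the packets are constructed for the demonstration.
"""
from ipaddress import ip_address

# Constructed: the static interface addresses the evaluating appliance treats as "Self"
SELF_ADDRESSES = {"192.168.100.1", "192.168.200.1", "172.16.100.2"}
EXTERNAL_VIP = "10.10.100.1"     # external virtual IP from Figure 2 / Table 29


def parse_address_name(entries):
    """Turn Address Name entries ('a.b.c.d' or 'a.b.c.d-e.f.g.h') into integer ranges."""
    ranges = []
    for entry in entries:
        lo, _, hi = entry.partition("-")
        lo_i = int(ip_address(lo.strip()))
        hi_i = int(ip_address(hi.strip())) if hi else lo_i
        if hi_i < lo_i:
            raise ValueError(f"reversed range: {entry}")
        ranges.append((lo_i, hi_i))
    return ranges


def in_address_name(ranges, addr):
    a = int(ip_address(addr))
    return any(lo <= a <= hi for lo, hi in ranges)


# Address Name objects exactly as listed under "HA Requirements"
CLUSTER_IPS = parse_address_name([
    "10.10.100.1",
    "192.168.200.1-192.168.200.2",
    "172.16.100.2-172.16.100.3",
    "192.168.100.1-192.168.100.2",
    "172.10.100.1",
])
HANET_IPS = parse_address_name(["192.168.100.1-192.168.100.2"])

# The three required access policies (Table 28); dport None means "Any"
ACCESS_POLICIES = [
    {"name": "Allow policy synchronization over HA network", "proto": "tcp",
     "src": HANET_IPS, "dst": "self", "dport": 2998},
    {"name": "Allow UDP heartbeat on all enabled interfaces", "proto": "udp",
     "src": CLUSTER_IPS, "dst": "self", "dport": 694},
    {"name": "Allow secondary appliance updates over HA network", "proto": "tcp",
     "src": HANET_IPS, "dst": "any", "dport": None},
]


def matches(policy, pkt):
    if policy["proto"] != pkt["proto"]:
        return False
    if not in_address_name(policy["src"], pkt["src"]):
        return False
    if policy["dst"] == "self" and pkt["dst"] not in SELF_ADDRESSES:
        return False
    if policy["dport"] is not None and policy["dport"] != pkt["dport"]:
        return False
    return True


def evaluate(pkt):
    """Name of the first matching allow policy, or None for the default deny."""
    for policy in ACCESS_POLICIES:
        if matches(policy, pkt):
            return policy["name"]
    return None


def source_nat(pkt):
    """Source NAT Rule (Table 29): traffic from the HA network that leaves the
    appliance is translated to the external virtual IP."""
    if pkt["dst"] not in SELF_ADDRESSES and in_address_name(HANET_IPS, pkt["src"]):
        return dict(pkt, src=EXTERNAL_VIP)
    return pkt


if __name__ == "__main__":
    # Constructed packets: heartbeat, policy sync, sync from the wrong interface,
    # secondary fetching updates, and a heartbeat from outside the cluster
    samples = [
        {"proto": "udp", "src": "192.168.200.2", "dst": "192.168.200.1", "dport": 694},
        {"proto": "tcp", "src": "192.168.100.2", "dst": "192.168.100.1", "dport": 2998},
        {"proto": "tcp", "src": "192.168.200.2", "dst": "192.168.200.1", "dport": 2998},
        {"proto": "tcp", "src": "192.168.100.2", "dst": "203.0.113.10", "dport": 443},
        {"proto": "udp", "src": "10.0.0.5", "dst": "192.168.200.1", "dport": 694},
    ]
    for pkt in samples:
        print(pkt["proto"], pkt["src"], "->", pkt["dst"], pkt["dport"], "=>", evaluate(pkt))
```

The third sample packet is the one worth noticing: policy synchronization on TCP 2998 is only allowed from the HANetIPAddresses range, so the same request arriving from another cluster interface is dropped. That is the intended effect of restricting the sync policy to the dedicated HA interface, and the reason the guide requires the HA interface to sit on its own private network.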

Upgrading existing devices to use HA

You can upgrade existing Proventia appliances for use in a high availability cluster by
assigning new unique IP addresses to all static IP interfaces on both the designated
primary and secondary M appliances. Use the existing static IP addresses as the HA
virtual IP addresses. Some additional configuration may be required.

Note: If you are using SiteProtector, you should unregister the secondary appliance after
you enable HA.

Important: For more information about updating appliances, see “Updating the
Appliances in High Availability Mode” on page 68.

Force Failover page
This page appears when you have enabled the High Availability feature and force the primary high availability appliance to fail over to the secondary appliance.

Proventia M Series Appliances User Guide Release 2.3



High Availability Task Overview


Introduction
This topic provides an overview of the tasks you must perform to use the high availability feature. Use the Proventia Setup Utility to configure appliance network settings on each appliance. Use Proventia Manager to create required policies, network objects and NAT policies on each appliance before you configure and enable the high availability feature on the primary appliance.

Editing firewall and VPN policies when you enable or disable HA
When you enable or disable the HA feature, the appliance uses the virtual IP addresses to route traffic. The virtual IP address replaces the Local ID data (such as the local IP address) for each appliance.
● If you have created NAT rules, IPSEC policies, security gateways, or other policies that use this Local ID data, then those policies or rules are invalidated.
● If you have created firewall policies or rules that use a static IP address, then those policies or rules must be revised. In the case of access policies, IPSEC policies, NAT policies and proxy redirection rules, change any IP address information that references a static interface address to one of the virtual IP addresses, or disable the policy, as appropriate. Remove and re-add conflicting Security Gateways.
● You must edit the default Hide eth1 NAT Source Rule. On the Translated Address tab, change the IP address entry to the virtual IP address for the HA cluster. See “Setting NAT Configurations” on page 136.
Tip: Open two browser windows so that you can easily access both appliances during
the initial configuration process.

Task Overview: Configuring the primary HA appliance
To configure the primary appliance, perform the following tasks:

Task Description

1 On the primary appliance, perform initial network connection settings using Proventia Setup Utility.
IMPORTANT: Configure only your internal (INT0) and external (EXT1) interfaces. When you configure the external interface, use the external virtual IP address of the alternate node in the static IP address Gateway field.

2 Access Proventia Manager.

3 Assign all unique IP addresses to the appliance.
Note: ISS recommends that you use the HA interface of the alternate node as the gateway. You can also add and configure any additional external interfaces or internal interfaces, such as a DMZ interface.

4 Create the Address Name network objects, as described in “High Availability Access and NAT Policies” on page 49, and “Configuring Address Names” on page 171.

5 Add required HA access policies:
• Allow policy synchronization over HA network
• Allow UDP heartbeat on all enabled interfaces
• Allow updates


6 Add the required Source NAT Rule to provide source NAT address for the secondary
appliance. See “NAT Source Rule description” on page 51.

7 If you have created firewall policies or rules that use a static IP address, then you
must revise those policies or rules to use the HA virtual IP addresses.
In the case of access policies, IPSEC policies, NAT policies, or proxy redirection
rules, change any IP address information that references a static interface address to
one of the virtual IP addresses, or disable the policy, as appropriate. You must remove
and then re-add conflicting security gateways.
Note: If Source or Destination NAT Rules reference a static IP address (physical
interface), you must change the IP address for the rule to match the virtual IP address
of that interface.

Table 30: HA primary appliance configuration tasks

Task Overview: Configuring the secondary HA appliance
To configure the secondary appliance, perform the following tasks:

Task Description
1 On the secondary appliance, perform initial network connection settings using the
Proventia Setup Utility.
IMPORTANT: Configure only your internal (INT0) and external (EXT1) interfaces.

2 Connect network connections for the secondary appliance to your internal and
external network interfaces.
Connect both appliances using a crossover cable to each HA interface (eth2 or
greater). This is your heartbeat communication connection. You must use the same
port on the same appliance model.

3 Access the Proventia Manager.

4 Assign all unique IP addresses to the appliance.
You can also add and configure any additional external interfaces or internal interfaces, such as a DMZ interface.

5 Create the Address Name network objects, as described in “High Availability Access
and NAT Policies” on page 49.

6 Add the first two required HA access policies:
• Allow policy synchronization over the HA network
• Allow UDP heartbeat on all enabled interfaces
For the secondary appliance, you are not required to add the access policy to allow updates or the Source NAT Rule, because the first two access policies allow HA functionality. The secondary appliance can receive the third access policy to allow updates and the Source NAT Rule from the primary appliance after you enable HA.

7 Add the required Source NAT Rule to provide source NAT address for the secondary
appliance.


8 If you have created firewall policies or rules that use a static IP address, then you must
revise those policies or rules to use the HA virtual IP addresses.
• In the case of access policies, IPSEC policies, NAT policies, or proxy redirection
rules, change any IP address information that references a static interface address
to one of the virtual IP addresses, or disable the policy, as appropriate. You must
remove and then re-add conflicting security gateways.
• If Source or Destination NAT Rules reference a static IP address (physical
interface), you must change the IP address for the rule to match the virtual IP
address of that interface. The Hide NAT Source Rule is enabled by default. This
Many-to-One configuration translates all non-routable IP addresses to the IP
address of the eth1 interface. If you use the high availability feature, you must edit
the Hide NAT Source Rule. On the Translated Address tab, change the IP address
entry to the virtual IP address for the HA cluster.

9 Log out of the secondary appliance.

Table 31: Tasks for configuring the secondary appliance

Task Overview: Enabling HA
To enable HA, perform the following tasks:

Task Description

1 Use the primary appliance unique internal IP address to connect to the Proventia
Manager interface.
Important: Do not use the virtual IP address. Enable and configure HA only on the
primary appliance.

2 Expand the System node, select High Availability, select the Base Configuration tab, and then select the HA Enabled check box.

3 Complete the required settings on the Base Configuration tab, provide the virtual IP addresses, and provide the static IP addresses of the secondary appliance on the Alternate Node Interface tab.

4 Configure Monitor IP Addresses, and click Save Changes.

5 Go to the System Status area on the Home Page and make sure that the High
Availability Active Status is Running.

6 If your secondary appliance is already registered with SiteProtector Agent Manager, unregister the secondary appliance from the SiteProtector Agent Manager.

7 Configure SiteProtector management (optional).

Table 32: Enabling HA

Task Overview: Disabling HA
To disable HA, complete the following tasks:

Task Description

1 Use one of the following to connect to the Proventia Manager interface on the primary appliance:
• the static IP address of the primary appliance
• the virtual IP address of the cluster

2 Expand System node, select High Availability, select the Base Configuration tab.


3 Clear the HA Enabled check box, and then click Save Changes.

4 Go to the System Status area on the Home Page and make sure that the High
Availability Active Status is Stopped.

Table 33: Task Overview: Disabling HA


High Availability Configuration


Introduction
This topic provides information about each tab on the HA configuration page and the procedures you must perform to configure your high availability node. You must use the Proventia Setup Utility and Proventia Manager to perform the initial configuration steps and create firewall access policies on each appliance as described in “High Availability Task Overview” on page 52. After you complete the initial configuration steps, you configure high availability on the designated primary appliance only.

You can find additional information about physical connectivity and installation in the
Proventia M Integrated Security Appliance Addendum document shipped with your
appliance packaging, and posted on the ISS Web site at http://www.iss.net/support/
documentation/.

The HA configuration page
You cannot save changes on the High Availability Configuration Page until you have completed all settings, as follows:
■ the Base Configuration
■ Virtual IP Addresses
■ Monitor IP Addresses (optional)
■ Alternate Node IP Addresses

If you need to add new entries after configuration, HA must be disabled, then re-enabled
after making the changes. See “Task Overview: Disabling HA” on page 54.

Base configuration
The base configuration must be specified for your high availability feature to function properly. The following table describes the required fields:

Option Definition

Enabled Check to enable high availability.
IMPORTANT: The default setting is unchecked. Complete the configuration procedures, required access policies, and required NAT Source Rule for HA on both appliances before you select the Enabled check box.

HA Interface Name The interface for HA state communication.
Note: The default is eth2.

Dead Timeout The dead timeout or failure timeout is the amount of time that the
secondary appliance waits for a heartbeat message or ICMP reply
message from the primary appliance. The default value is 30000
milliseconds (30 seconds). A smaller dead timeout value causes a faster
failover to the secondary appliance.
Note: To help determine the timeout value, ISS recommends you monitor
the system logs for warning messages from the heartbeat module, to see
if heartbeats arrive late. The heartbeat message indicates how late the
message is. Double this time and use that value as a new failure timeout.
Continue to monitor the system logs for more heartbeat warning
messages. You should not see more than one or two heartbeat warning
messages per day.


Shared Secret The secret text string shared between the primary and secondary
appliances.
Note: The text string must contain no spaces, and must be between 16
and 64 characters.

Virtual Gateway The IP address of the default external gateway for the HA cluster.
Example: 10.10.100.1

Table 34: Base configuration tab fields

Enabling the base configuration on the primary appliance
To enable the base configuration on the primary appliance:
1. In the navigation pane, click + to expand the System node.
2. Select High Availability.
3. Select the Base Configuration tab.
4. Select Enabled.
5. Select the HA interface.
Note: ISS recommends you use the eth2 interface. You must use the same interface on
the primary and secondary appliances. Do not use the INT0 (eth0) or EXT1 (eth1)
interfaces.
6. Enter the Dead Timeout in milliseconds. (Default is 30 seconds, 30000 ms)
Caution: Decreasing the default value reduces the time between when a problem occurs and when the HA module triggers a failover. Entering too small a value in the Dead Timeout field can cause unnecessary failover during periods of high network use. The default value has been tested and found to work on all appliances in most situations. Adjust the default setting in small increments.
7. Type a text string in the Shared Secret field.
Note: This string is shared between appliances. This field is required.
8. Type the IP address of the default external gateway for the HA cluster in the Virtual
Gateway field.
Important: After you enable the Base Configuration, you must configure the virtual
IP addresses. Do not click Save Changes until you complete all tabs.
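The Dead Timeout tuning rule in Table 34 (find the late-heartbeat warnings in the system log, double the worst lateness, and watch that no more than one or two warnings a day remain) is easy to apply from a saved log rather than by eye. The following Python script, added here as an example and not code from the guide or from the appliance, does exactly that over a constructed log excerpt. The guide does not show the exact wording of the heartbeat module's warning, so the line format below is an assumption; change LATE_RE to match what your appliance actually logs.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample syslog excerpt. The guide says only that the heartbeat
# module logs a warning stating how late a heartbeat arrived; the wording
# below is an assumption made for this example, not the appliance's format.
SAMPLE_LOG = """\
2005-03-01 09:12:44 heartbeat: WARN: late heartbeat from node2 (late by 1820 ms)
2005-03-01 14:03:10 heartbeat: WARN: late heartbeat from node2 (late by 2410 ms)
2005-03-02 02:55:01 heartbeat: INFO: link status ok on eth2
2005-03-02 11:20:37 heartbeat: WARN: late heartbeat from node2 (late by 12050 ms)
2005-03-03 08:00:00 heartbeat: WARN: late heartbeat from node2 (late by 900 ms)
2005-03-03 08:00:05 heartbeat: WARN: late heartbeat from node2 (late by 1100 ms)
2005-03-03 08:00:09 heartbeat: WARN: late heartbeat from node2 (late by 1300 ms)
"""

# Assumed warning format (see the note above).
LATE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) heartbeat: WARN: "
    r"late heartbeat from \S+ \(late by (?P<late_ms>\d+) ms\)$"
)

DEFAULT_DEAD_TIMEOUT_MS = 30000   # the guide's default (30 seconds)
MAX_WARNINGS_PER_DAY = 2          # "not more than one or two per day"


def parse_late_heartbeats(log_text):
    """Return a list of (date, late_ms) pairs, one per late-heartbeat warning.
    Lines that are not late-heartbeat warnings are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LATE_RE.match(line)
        if m:
            day = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S").date()
            events.append((day, int(m["late_ms"])))
    return events


def analyze_heartbeat_log(log_text):
    """Apply the guide's tuning rule: take the worst lateness seen, double it,
    and offer that as the new Dead Timeout. Also report days that exceeded the
    warning budget, which means the timeout is still too tight for that link."""
    events = parse_late_heartbeats(log_text)
    if not events:
        return {"recommended_ms": None, "max_late_ms": 0, "noisy_days": []}
    max_late = max(late for _, late in events)
    per_day = Counter(day for day, _ in events)
    noisy = sorted(day.isoformat() for day, n in per_day.items()
                   if n > MAX_WARNINGS_PER_DAY)
    return {"recommended_ms": 2 * max_late, "max_late_ms": max_late,
            "noisy_days": noisy}


if __name__ == "__main__":
    report = analyze_heartbeat_log(SAMPLE_LOG)
    print(f"worst lateness: {report['max_late_ms']} ms")
    print(f"suggested Dead Timeout: {report['recommended_ms']} ms "
          f"(current default {DEFAULT_DEAD_TIMEOUT_MS} ms)")
    print("days over the warning budget:", report["noisy_days"] or "none")
```

For the sample data the suggestion (24100 ms) is below the 30000 ms default, which is the situation the Caution above covers: move toward such a value in small steps, and the day with three warnings in ten seconds is the signal that this link was congested, not that the timeout should be cut further.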

Virtual IP address
Virtual IP addresses are configured on both HA appliances, but are enabled only on the primary appliance so that only the primary appliance is routing network traffic. All external clients use these addresses to communicate with the primary appliance.

Each of the appliances within the HA cluster must have a static IP address on all enabled
interfaces. DHCP and PPPoE are not supported on the external interface when in High
Availability mode. Each enabled interface must also have at least one virtual IP address
specified in the High Availability settings. The Virtual IP addresses must not exist on any
other interface on the appliances or on the network.


Example:
A common configuration contains two appliances with the following assigned IP addresses:
● one static internal interface address
● one static external interface address
● one static high availability interface address
● one virtual internal address
● one virtual external address
Note: This address is also your Virtual Gateway IP address

The primary appliance owns the virtual IP addresses until a failover occurs. When a
failover occurs, the secondary appliance takes ownership of the virtual IP addresses, and
becomes primary.

Note: Refer to the Network Configuration page on each appliance to view your currently
configured static IP interfaces.

Important: Do not specify a virtual IP address for the dedicated HA interface (eth2).
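The constraints this section and the Base Configuration table place on the HA settings (a 16 to 64 character shared secret with no spaces, an HA interface other than eth0/eth1, static addresses that are unique across both appliances, a virtual IP on every enabled interface but never on the dedicated HA interface and never equal to a static address, an Alternate Node entry for every active interface, and a Virtual Gateway equal to the external VIP) have to hold across two appliances at once, and Proventia Manager only refuses to save when a tab is incomplete. The following Python script, added here as an example and not code from the guide or from the appliance, checks a configuration written down as a dictionary before you type it into the tabs. The external VIP 10.10.100.1 is the one the guide's standard deployment uses; every other address, the interface names and the secret are assumptions made for this example.

```python
import ipaddress

# Constructed example configuration for a standard two-node deployment. The
# external VIP 10.10.100.1 matches the guide's Figure 2; all other values are
# assumptions for this example.
EXAMPLE_CONFIG = {
    "ha_interface": "eth2",
    "shared_secret": "k7Qp2xVw9Lm4Rt8ZaBcDeFgH",   # 24 chars, no spaces
    "virtual_gateway": "10.10.100.1",
    "dead_timeout_ms": 30000,
    # static addresses of this (primary) appliance, by interface
    "local_static": {"eth0": "192.168.1.2", "eth1": "10.10.100.2", "eth2": "172.16.0.1"},
    # Alternate Node Interfaces tab: static addresses of the secondary appliance
    "alternate_node": {"eth0": "192.168.1.3", "eth1": "10.10.100.3", "eth2": "172.16.0.2"},
    # Virtual IP Addresses tab: (interface, address, enabled)
    "virtual_ips": [("eth0", "192.168.1.1", True), ("eth1", "10.10.100.1", True)],
}

# The same cluster with three mistakes the checker should catch.
BROKEN_CONFIG = {
    **EXAMPLE_CONFIG,
    "shared_secret": "too short",
    "alternate_node": {"eth0": "192.168.1.3", "eth1": "10.10.100.3"},  # eth2 missing
    "virtual_ips": EXAMPLE_CONFIG["virtual_ips"] + [("eth2", "172.16.0.9", True)],
}


def validate_ha_config(cfg):
    """Return a list of problems; an empty list means the configuration meets
    the constraints the guide states for the HA configuration page."""
    problems = []
    ha_if = cfg["ha_interface"]
    local, alt = cfg["local_static"], cfg["alternate_node"]

    if ha_if in ("eth0", "eth1"):
        problems.append(f"HA interface must not be INT0 (eth0) or EXT1 (eth1): {ha_if}")

    secret = cfg["shared_secret"]
    if not (16 <= len(secret) <= 64) or " " in secret:
        problems.append("shared secret must be 16-64 characters with no spaces")

    if cfg["dead_timeout_ms"] <= 0:
        problems.append("dead timeout must be a positive number of milliseconds")

    # Every static address must parse; collect them for the collision checks.
    all_static = []
    for addr in list(local.values()) + list(alt.values()):
        try:
            all_static.append(str(ipaddress.ip_address(addr)))
        except ValueError:
            problems.append(f"invalid static address {addr!r}")

    # Static addresses must be unique across both appliances.
    for addr in sorted({a for a in all_static if all_static.count(a) > 1}):
        problems.append(f"static address {addr} is assigned more than once")

    # The Alternate Node tab needs every active interface, HA interface included.
    for iface in local:
        if iface not in alt:
            problems.append(f"no Alternate Node entry for interface {iface}")

    # Virtual IPs: never on the dedicated HA interface, never equal to a static
    # address, and one enabled VIP on every other enabled interface.
    vip_ifaces = set()
    for iface, addr, enabled in cfg["virtual_ips"]:
        if iface == ha_if:
            problems.append(f"virtual IP {addr} must not be on HA interface {ha_if}")
        if addr in all_static:
            problems.append(f"virtual IP {addr} collides with a static address")
        if enabled:
            vip_ifaces.add(iface)
    for iface in local:
        if iface != ha_if and iface not in vip_ifaces:
            problems.append(f"enabled interface {iface} has no enabled virtual IP")

    # The Virtual Gateway on the Base Configuration tab is the external VIP.
    ext_vips = {addr for iface, addr, en in cfg["virtual_ips"] if iface == "eth1" and en}
    if cfg["virtual_gateway"] not in ext_vips:
        problems.append("virtual gateway must be the external (eth1) virtual IP")
    return problems


if __name__ == "__main__":
    for name, cfg in (("example", EXAMPLE_CONFIG), ("broken", BROKEN_CONFIG)):
        found = validate_ha_config(cfg)
        print(f"{name}: {'OK' if not found else ''}")
        for p in found:
            print("  -", p)
```

Run it against the dictionary for the primary appliance; the secondary appliance's entries are the same data with the local and alternate-node roles swapped, so the same check covers both.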

When to use Virtual IP addresses
Perform HA management only using the virtual IP addresses, except when you must connect to each appliance individually to do the following:
● install firmware updates
● perform a system backup
● restore from a system backup
● follow instructions from ISS Technical Support personnel

You can connect to individual appliances by using the unique IP address of the appliance,
or with a serial connection. You must perform all other HA cluster management tasks
using the virtual IP addresses.

Virtual IP field descriptions
Virtual IP field entries are described in Table 35 as follows:

Field Description

Enabled Virtual IP address is enabled. The default is checked.

Interface Name Network interface name. The default is none.

IP Address Virtual IP address (VIP). The default is none. The external VIP is also used as your Virtual Gateway IP address on the Base Configuration page.

Table 35: Virtual IP field descriptions

Adding the Virtual IP addresses
To add the virtual IP addresses:
1. In the navigation pane, click + to expand the System node.
2. Select High Availability.

3. Select the Base Configuration tab.
4. Select the Virtual IP Addresses tab.
5. Click Add.
6. Accept the default setting, Enabled.
7. Select the Interface Name from the drop-down list.
8. Enter the IP address.
9. Select OK.
10. Repeat Step 5 through Step 9 for each interface.
Important: After you configure the Virtual IP addresses, you must configure the
alternate IP addresses. Do not click Save Changes until you complete all tabs.

Editing a Virtual IP Address List entry
To edit an entry in the Virtual IP Address List:
1. In the navigation pane, click + to expand the System node.
2. Select High Availability.
3. Select the Base Configuration tab.
4. Select the Virtual IP Addresses tab.
5. Click Edit.
The Edit Virtual IP Address window appears.
6. Make your changes in the Name box.
7. Click OK.
8. Repeat Steps 5 through 7 for each entry you want to edit.
9. Click Save Changes.

Copying and pasting Virtual IP Address List entries
You can copy and paste a Virtual IP Address List entry before editing it. This is useful if you want to add an entry that is similar to an entry already in the list.

To copy and paste a Virtual IP Address List entry:
1. In the navigation pane, click + to expand the System node.
2. Select High Availability.
3. Select the Base Configuration tab.
4. Select the Virtual IP Addresses tab.
5. Select a Virtual IP Address List entry.
6. Click the Copy icon.
7. Click the Paste icon.
The appliance copies the item to the end of the list.
8. Make your changes to the entry.
9. Click Save Changes.


Removing a Virtual IP Address List entry
To delete an entry in the Virtual IP Address List:
1. In the navigation pane, click + to expand the System node.
2. Select High Availability.
3. Select the Base Configuration tab.
4. Select the Virtual IP Addresses tab.
5. Select a Virtual IP Address List entry.
6. Click Remove.
The appliance removes the entry from the list.
7. Click Save Changes.

Alternate Node Interface tab
The Alternate Node Interface tab is where you enter IP information about the other appliance in the HA cluster. You must enter IP information for all active interfaces on the alternate node, including the HA interface. See “Adding the alternate node interfaces” on page 60.

Alternate Node interface entries are described in Table 36 as follows:

Field Description

Interface Name Network interface name (default: none)

IP Address IP Address (default: none)

Table 36: Alternate node interface field descriptions

Adding the alternate node interfaces
To configure the alternate node interfaces:
1. In the navigation pane, click + to expand the System node.
2. Select High Availability.
3. Select the Base Configuration tab.
4. Select the Alternate Node Interfaces tab.
5. Click Add.
6. Enter the Interface Name of the secondary appliance internal interface.
7. Enter the IP address.
8. Select OK.
9. Repeat Step 5 through Step 8 for additional interfaces.
Important: After you configure the alternate IP addresses, you can configure the
monitor IP addresses. Do not click Save Changes until you complete all tabs.

Editing an Alternate Node interface address list entry
To edit an entry in the Alternate Node interface address list:
1. In the navigation pane, click + to expand the System node.
2. Select High Availability.
3. Select the Base Configuration tab.
4. Select the Alternate Node Interfaces tab.


5. Click Edit.
The Edit Alternate Node Interfaces window appears.
6. Make your changes in the Name box.
7. Click OK.
8. Repeat Steps 5 through 7 for each entry you want to edit.
9. Click Save Changes.

Copying and pasting Alternate Node Interfaces Address List entries
You can copy and paste an Alternate Node Interfaces Address List entry before editing it. This is useful if you want to add an entry that is similar to an entry already in the list.

To copy and paste an Alternate Node Interfaces Address List entry:
1. In the navigation pane, click + to expand the System node.
2. Select High Availability.
3. Select the Base Configuration tab.
4. Select the Alternate Node Interfaces tab.
5. Select an Alternate Node Interfaces Address List entry.
6. Click the Copy icon.
7. Click the Paste icon.
The appliance copies the item to the end of the list.
8. Make your changes to the entry.
9. Click Save Changes.

Removing an Alternate Node Interfaces Address List entry
To delete an entry in the Alternate Node Interfaces Address List:
1. In the navigation pane, click + to expand the System node.
2. Select High Availability.
3. Select the Base Configuration tab.
4. Select the Alternate Node Interfaces tab.
5. Select an Alternate Node Interfaces Address List entry.
6. Click Remove.
The appliance removes the entry from the list.
7. Click Save Changes.

Monitor IP Addresses tab (optional)
Monitor IP addresses are an optional feature that you can use to periodically determine if the network is healthy. You specify the IP address of another network device, outside of the HA cluster, to which each appliance sends ICMP echo request packets and waits for replies. If the monitored device does not reply within the dead timeout period, then the connection to it is considered down. The primary HA appliance polls the secondary appliance to determine which appliance has the highest number of reachable network devices. If the primary appliance does not have the highest count, then a failover occurs.


Important: To add or remove Monitor IP Addresses after enabling HA, you must disable HA before you make any changes. ISS recommends that you carefully select devices that are highly available, reliable, and maintain average traffic. See “Monitor IP physical deployment example diagram” on page 63.

If you use Monitor IP addresses, set the dead timeout value to accommodate peak traffic: a monitored device that answers only after the dead timeout has elapsed counts as unreachable, and an unnecessary failover can result.

Monitoring internal and external connections
You can use Monitor IP Addresses to monitor both external and internal connections. To monitor the external connections, choose a device on the EXT1 (eth1) side of the Proventia cluster, such as your router or other IP addressable device. To monitor an internal connection, choose a device on the connected network, such as a file server or domain controller, that is reliable and maintains average network traffic.

Use careful planning and consideration when you choose an IP address to monitor. You
may experience problems when using web servers, email servers, or other devices which
are frequently subjected to high traffic loads. Hardware devices such as routers and
managed switches make excellent candidates, since they are less likely to become
unresponsive during times of heavy network usage.

Important: To add or remove Monitor IP Addresses after enabling HA, you must disable
HA before you make any changes. It is important to choose devices which are known to
be reliable before enabling HA to avoid unnecessary downtime.
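The failover rule described above (each appliance counts the enabled Monitor IPs that answered within the dead timeout, the primary compares its count with the secondary's, and fails over only when it does not have the highest count) is what turns a busy monitored host into a failover. The following Python model, added here as an example and not code from the guide or from the appliance, applies that rule to constructed poll results so you can see which situations trigger a failover and why the dead timeout matters when the monitored device is slow. The monitor addresses and round-trip times are assumptions; the appliance's real ICMP polling is not shown in the guide, and ties are treated as "primary still has the highest count", which is what the guide's wording implies.

```python
DEAD_TIMEOUT_MS = 30000   # the guide's default Dead Timeout (30 seconds)

# Constructed Monitor IP Addresses tab: an external router, an internal domain
# controller, and a disabled entry that must be ignored. All assumptions.
MONITOR_IPS = [
    {"ip": "10.10.100.254", "enabled": True},
    {"ip": "192.168.1.10", "enabled": True},
    {"ip": "192.168.1.20", "enabled": False},
]

# Constructed poll results for one round, per appliance:
# ip -> ICMP echo round-trip time in ms, or None when no reply arrived.
ROUND_HEALTHY = {
    "primary":   {"10.10.100.254": 2, "192.168.1.10": 1, "192.168.1.20": 1},
    "secondary": {"10.10.100.254": 2, "192.168.1.10": 1, "192.168.1.20": 1},
}
ROUND_PRIMARY_INTERNAL_DOWN = {   # primary lost its internal link
    "primary":   {"10.10.100.254": 2, "192.168.1.10": None, "192.168.1.20": 1},
    "secondary": {"10.10.100.254": 2, "192.168.1.10": 1, "192.168.1.20": 1},
}
ROUND_SLOW_REPLY = {              # busy host answers, but after the dead timeout
    "primary":   {"10.10.100.254": 2, "192.168.1.10": 31000},
    "secondary": {"10.10.100.254": 2, "192.168.1.10": 1},
}


def reachable_count(replies, monitor_ips=MONITOR_IPS, dead_timeout_ms=DEAD_TIMEOUT_MS):
    """Number of enabled Monitor IPs that replied within the dead timeout.
    Disabled entries, missing replies and late replies all count as unreachable."""
    count = 0
    for entry in monitor_ips:
        if not entry["enabled"]:
            continue
        rtt = replies.get(entry["ip"])
        if rtt is not None and rtt <= dead_timeout_ms:
            count += 1
    return count


def should_fail_over(poll, monitor_ips=MONITOR_IPS, dead_timeout_ms=DEAD_TIMEOUT_MS):
    """The guide's rule: the primary polls the secondary for its count and
    fails over only if it does not have the highest count. A tie keeps the
    current primary."""
    primary = reachable_count(poll["primary"], monitor_ips, dead_timeout_ms)
    secondary = reachable_count(poll["secondary"], monitor_ips, dead_timeout_ms)
    return secondary > primary


if __name__ == "__main__":
    for name, poll in (("healthy", ROUND_HEALTHY),
                       ("primary internal down", ROUND_PRIMARY_INTERNAL_DOWN),
                       ("slow reply, 30 s timeout", ROUND_SLOW_REPLY)):
        print(f"{name}: failover={should_fail_over(poll)}")
    # The same slow round with a timeout sized for peak traffic does not fail over.
    print("slow reply, 40 s timeout:",
          f"failover={should_fail_over(ROUND_SLOW_REPLY, dead_timeout_ms=40000)}")
```

The third round is the case the two Important notes warn about: the host is up, but because it answered after the dead timeout the primary counts one reachable device against the secondary's two and hands over the cluster. Choosing a router or managed switch as the monitored device, or sizing the dead timeout for peak traffic, avoids that failover.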


Monitor IP physical deployment example diagram
The following physical network diagram shows a typical HA deployment scenario that includes a Monitor IP device:

Figure 4: Monitor IP physical deployment example


Monitor IP logical network diagram
The example below shows a logical network diagram of a standard high availability cluster using monitor IPs.

Figure 5: Monitor IP logical network diagram

Monitor IP field descriptions
Monitor IP entries are described in Table 37 as follows:

Field Description

Enabled Monitor IP Address usage is enabled. The default is checked.

IP Address IP address to send ICMP requests to. The default is none.

Table 37: Monitor IP field descriptions

Adding a Monitor IP address
Important: To add or remove Monitor IP Addresses after enabling HA, you must disable HA before you make any changes. It is important to choose devices which are known to be reliable before enabling HA to avoid unnecessary downtime.

To add a monitor IP address (optional):

1. In the navigation pane, click + to expand the System node.
2. Select High Availability.
3. Select the Base Configuration tab.
4. Select the Monitor IP Addresses tab.
5. Click Add.
Accept the default setting of Enabled.
6. Type the IP address of the device you want to use to monitor the network activity in
the IP Address field.
7. Click OK.
8. Repeat Step 5 through Step 7 for each Monitor IP address.
9. Click Save Changes.

Editing a Monitor IP Address List entry
Important: To add or remove Monitor IP Addresses after enabling HA, you must disable HA before you make any changes. It is important to choose devices which are known to be reliable before enabling HA to avoid unnecessary downtime.

To edit an entry in the Monitor IP Address List:
1. In the navigation pane, click + to expand the System node.
2. Select High Availability.
3. Select the Base Configuration tab.
4. Select the Monitor IP Addresses tab.
5. Click Edit.
The Edit Monitor IP Address window appears.
6. Make your changes in the Name box.
7. Click OK.
8. Repeat Steps 5 through 7 for each entry you want to edit.
9. Click Save Changes.

Copying and pasting Monitor IP Address List entries
You can copy and paste a Monitor IP Address List entry before editing it. This is useful if you want to add an entry that is similar to an entry already in the list.

To copy and paste a Monitor IP Address List entry:
1. In the navigation pane, click + to expand the System node.
2. Select High Availability.
3. Select the Base Configuration tab.
4. Select the Monitor IP Addresses tab.
5. Select a Monitor IP Address List entry.
6. Click the Copy icon.
7. Click the Paste icon.
The appliance copies the item to the end of the list.
8. Make your changes to the entry.
9. Click Save Changes.

Removing a Monitor IP Address List entry
To delete an entry in the Monitor IP Address List:
1. In the navigation pane, click + to expand the System node.
2. Select High Availability.
3. Select the Base Configuration tab.
4. Select the Monitor IP Addresses tab.
5. Select a Monitor IP Address List entry.
6. Click Remove.
The appliance removes the entry from the list.
7. Click Save Changes.


Viewing High Availability Status


Introduction
The appliance displays high availability status on the Proventia Manager Home page in the System Status box. A message appears in the “Important System Messages” area on the Proventia Manager home page if an HA appliance is in a failure state and not responding to requests.

Status information
The status information options are described in Table 38 as follows:

HA State Description

High Availability Mode The status of the HA feature. Options are as follows:
• Enabled
• Disabled

High Availability Node Name The node name of the appliance, in the format hostname.ipaddress

High Availability Operating As The HA role of the appliance. Options are as follows:
• Unknown
• Primary
• Secondary

High Availability Active Status The status of the primary appliance. Options are as
follows:
• Running
• Stopped
• Not configured
• Not installed
• Unknown

High Availability Secondary Status If the High Availability feature is enabled, then this
statistic appears on the primary appliance only. This is
the status of the secondary appliance. Options are as
follows:
• Unknown
• Running
• Stopped
• Failure

Table 38: HA state


Updating the Appliances in High Availability Mode


Introduction
You can use the SiteProtector X-Press Update Server as an alternative update server. See “Using the SiteProtector X-Press Update Server” on page 38.

For more information on updating HA appliances, also see “Updating an Appliance with High Availability Enabled” on page 36.

HA Update requirements
The following update requirements apply to all appliances with the HA feature enabled:
● You can enable automatic update downloads and automatic security update installation, but you must apply firmware updates manually in the Proventia Manager for each appliance.
Important: Do not enable the automatic firmware update installation option.
● You must apply the same firmware version to both the primary and the secondary appliances. The HA feature will not function properly if the primary and secondary appliances run different versions of firmware.
● In a standard IP high availability environment, as shown in Figure 2 on page 47, a firmware update installation to the primary appliance forces a failover to the secondary appliance. The primary appliance becomes the secondary appliance in the cluster. To force a failover and return an appliance to primary status, connect to the unique IP address of the current primary appliance, go to the System Tools page, and force a failover from there.
Caution: Applying firmware updates to an HA appliance requires a failover. ISS recommends that you install firmware updates during off hours.
● If your secondary appliance is already registered with a SiteProtector Agent Manager, you must unregister the secondary appliance from SiteProtector after you enable HA. After you enable HA, the appliance becomes redundant and will appear as "offline" in the SiteProtector console.

Recommendations
Consider the following recommendations before you apply updates to an appliance with the HA feature enabled:
● To maintain up-to-date security and database content, enable automatic scheduled security and database updates.
Important: Do not enable automatic firmware updates.
● Open two browser windows so that you can more easily access both appliances during the update process.


SiteProtector Management of High Availability Appliances


Introduction
You can manage the HA appliance cluster through the SiteProtector Agent Manager using the virtual IP addresses. SiteProtector views the HA cluster as a single entity or sensor. Consider the following:
● Configuration of the HA cluster in the SiteProtector interface uses the same CPE and policy components as the Proventia Manager interface.
● SiteProtector receives events from the HA cluster with the HA virtual IP address as the source.
● Do not change the HA cluster network settings from SiteProtector. If you do make such a change in SiteProtector, undo it in SiteProtector to avoid error messages.
● SiteProtector sees the HA cluster as a single appliance, identified by the virtual IP address. SiteProtector is not aware of a failover from one appliance to the other.
● Enable SiteProtector management for the HA appliance cluster after you apply all network settings and HA settings on the appliances.
● If your secondary appliance is already registered with a SiteProtector Agent Manager, you must unregister the secondary appliance from SiteProtector after you enable HA. After you enable HA, the appliance becomes redundant and will appear as "offline" in the SiteProtector console. For more information, see “Using SiteProtector Management” on page 338.

Note: For more information about managing your appliance in the SiteProtector
interface, see your SiteProtector documentation.


Troubleshooting your High Availability Configuration


Introduction
Use the information in this topic to troubleshoot your HA configuration.

Replacing a failed HA appliance
The following table describes when you may need to replace an appliance in an HA cluster:

If you experience this problem...          Then you must do this...

The appliance hard drive or other hardware component is damaged or fails.
    • replace and configure a new appliance
    • connect the cables
    • use the button on the System Tools page to reinitialize HA settings
    See “Getting Technical Support” on page xiv.

The appliance software is operating incorrectly.
    • disconnect the appliance cables
    • use a Proventia M Appliance Recovery CD to reinstall the appliance software
    • reconfigure the appliance
    • connect the cables
    • use the button on the System Tools page to reinitialize HA settings
    See “Getting Technical Support” on page xiv.

Table 39: Replacing a failed appliance

Reinitializing an HA appliance
When the appliance software is operating correctly but you experience problems with the HA configuration, you may need to reinitialize the HA settings on the appliance.

To reinitialize HA appliance settings:

1. Disconnect the crossover cable between the appliances.
2. Reconnect the cable.
3. Use the button on the System Tools page to reinitialize HA settings.

Chapter 5

Appliance Settings

Overview

Introduction
Use the information in this chapter to adjust the appliance settings from the Proventia Setup utility command line tool, and perform common system administration tasks.

Note: ISS recommends that you use Proventia Manager to make most of your changes.
However, if you do not have Web browser access, use the Proventia Setup utility
command line tool procedures found in this chapter.

For instructions about how to adjust most of these settings in Proventia Manager, refer to
Chapter 21, "Managing Network Settings".

In this chapter
This chapter contains the following topics:

Topic                                                              Page
Adjusting the Network Configuration Settings in Proventia Setup    72
Configuring PPPoE Authentication                                   77
Changing the Time and Date in Proventia Setup                      79
Changing the Time Zone in Proventia Setup                          80
The System Tools Page                                              81


Adjusting the Network Configuration Settings in Proventia Setup
Introduction
This topic provides the procedures for configuring network settings in the Proventia Setup utility (command line tool). These procedures are also in the Proventia M Appliance Quick Start Guide for your appliance model. ISS recommends that after initial configuration, you perform appliance network changes in Proventia Manager. Refer to “Managing Network Settings” on page 309.

You may need to adjust the network configuration settings for the following reasons:

● your company’s network policy has changed
● your company has relocated
● you have changed your Internet Service Provider
● you have changed addresses

Changing network configuration settings
Table 40 describes the options available for adjusting network configuration settings.

To do this...                                    Use this procedure...

configure or change the Gateway Protection Hostname
    “Configuring the hostname” on page 72
configure an IP address and DNS name for the primary, secondary, or tertiary nameservers used by the computer
    “Configuring the nameservers” on page 75
configure an IP address for the internal interfaces
    “Configuring an internal interface” on page 73
configure an IP address for the external interface
    “Configuring external interfaces” on page 73
configure appliances for high availability
    See “High Availability Configuration” on page 56.
deactivate all network interface cards so that the interface is disabled when the appliance is rebooted
    “Deactivating all interfaces” on page 76
activate network interface cards
    “Activating all interfaces on startup” on page 76
restart all interfaces
    “Restarting interfaces” on page 76

Table 40: Network configuration options

Configuring the hostname
To configure the hostname:
1. From the Proventia Setup utility Main menu, select Network Configuration.
2. Select Run Tool, and then press ENTER.
The Network Configuration menu appears.
3. Select Configure Computer Hostname.
4. Select Run Command, and then press ENTER.

5. Type the Gateway Protection Hostname, using the format gateway1.example.com.
Note: Do not use spaces or foreign language characters.
6. Select OK, and then press ENTER.
The Network Configuration menu appears.
Note: This process takes a minute to activate. The Proventia Setup utility does not
respond to commands while it is applying the new host name.
7. If you want to configure another hostname, repeat steps as above, select Run
Command, and then press ENTER.
8. To return to the Main menu, select Back to Main Menu, and then press ENTER.

Configuring an internal interface
To configure an internal interface:
1. From the Proventia Setup utility Main menu, select Network Configuration.
2. Select Run Tool, and then press ENTER.
3. Select Configure Individual Network Interfaces.
4. Select Run Command, and then press ENTER.
5. Select Internal.
6. Select OK, and then press ENTER.
The Configure Internal Interface screen appears.
7. Accept the default Activate Interface on boot.
8. Press TAB to go to the IP address.
9. Type the IP address of the internal interface, and then press ENTER.
10. Type the Netmask (network mask) value, and then press ENTER.
11. Select OK, and then press ENTER.
The Network Configuration menu appears.
12. If you want to configure another internal interface, repeat steps as above, select Run
Command, and then press ENTER.
13. To return to the Main menu, select Back to Main Menu, and then press ENTER.

Configuring external interfaces
To configure the external interface:
1. From the Proventia Setup utility Main menu, select Network Configuration.
2. Select Run Tool, and then press ENTER.
3. Select Configure Individual Network Interfaces.
4. Select Run Command, and then press ENTER.
5. Select External.


6. On the Configure External Interface screen, select one of the External Interface IP Types as described in the following table:

IP Type Option    Action

Static IP         To use static IP:
                  1. Press the SPACE BAR to select Static IP.
                  2. Select OK.
                  3. Go to Step 7.

DHCP              To use DHCP (Dynamic Host Configuration Protocol):
                  1. Press TAB, and then press the SPACE BAR to select DHCP.
                  2. Accept the default setting, Activate Interface on boot.
                  3. Press TAB and then the SPACE BAR to select one of the following:
                     ■ Select Dynamic nameserver assignment, and then go to “Changing the time zone” on page 80 to complete the external interface configuration.
                     ■ Select User assigned nameservers, and then go to “Configuring the nameservers” on page 75 to complete the external interface configuration.

PPPoE             To use PPPoE (Point-to-Point Protocol over Ethernet):
                  1. Press TAB, and then press the SPACE BAR to select PPPoE.
                  2. Accept the default setting, Activate Interface on boot.
                  3. Select OK.
                     The PPPoE Configuration and Setup screen appears.
                  4. Go to “Configuring PPPoE Authentication” on page 77 to complete the external interface configuration.
                  Note: You will need information from your Internet Service Provider to complete the PPPoE configuration steps.

Disabled          To disable the external interface:
                  1. Press TAB, and then press the SPACE BAR to select Disabled.
                  2. Select OK, and then press ENTER.
                  3. Select Back to Main Menu, and then press ENTER.

7. Accept the default setting, Activate Interface on boot.
8. Type the IP address of the External Interface, and then press ENTER.
9. Type the Netmask (subnet mask) value, and then press ENTER.
10. Type the Default gateway IP address.
11. Select OK, and then press ENTER.
12. To return to the Main menu, select Back to Main Menu, and then press ENTER.


Configuring the nameservers
To configure a primary, secondary, or tertiary nameserver:
1. From the Proventia Setup utility Main menu, select Network Configuration.
2. Select Run Tool, and then press ENTER.
3. Select Configure Available Nameserver(s).
4. Select Run Command, and then press ENTER.
5. Type the IP addresses for at least one nameserver, using decimal notation. To move
from field to field, press TAB.
Note: You must enter at least one valid IP address.
6. Select OK, and then press ENTER.
The Configure DNS Search Path(s) screen appears.
7. Type the DNS search path list name (required).
8. Select OK, and then press ENTER.
9. If you want to configure another nameserver, repeat steps as above, select Run
Command, and then press ENTER.
10. To return to the Main menu, select Back to Main Menu, and then press ENTER.

Changing the root and Proventia Manager passwords
To change the root and Proventia Manager passwords:

1. From the Proventia Setup utility Main menu, select Configure Users and Passwords.
2. Select Run Tool, and then press ENTER.
3. Select one of the following:
■ Change root password
■ Change Proventia Manager password
■ Change user admin password
■ Enable or disable use of bootloader password
4. Select Run Tool, and then press ENTER.
5. Do one of the following:
■ If you want to change the root, Proventia Manager or user admin password, go to Step 6.
■ To enable or disable the bootloader password, see “Enabling the bootloader password” on page 75.
6. Type a root, Proventia Manager or user admin password.
7. Type the password again to confirm it, and then press ENTER.

Enabling the bootloader password
To enable the bootloader password:

1. On the Enable Bootloader Password screen, select Enable.
Note: The bootloader password protects the appliance from unauthorized changes
during the boot process. When you enable the bootloader password, you must then
enter the root password to use a boot option other than the default.
2. Press ENTER.


Deactivating all interfaces
To deactivate network interface cards on startup:
1. From the Proventia Setup Utility Main menu, select Network Configuration.
2. Select Run Tool, and then press ENTER.
3. Select Deactivate All Interfaces on Bootup.
4. Select Run Command, and then press ENTER.
The Network Configuration menu appears.
Note: Selecting this command does not dynamically stop the interfaces. You must
restart the appliance to disable the interfaces.
5. To return to the Main menu, select Back to Main Menu, and then press ENTER.

Activating all interfaces on startup
To activate all network interface cards on startup:

1. From the Proventia Setup utility Main menu, select Network Configuration.
2. Select Run Tool, and then press ENTER.
3. Select Activate All Interfaces on Bootup.
4. Select Run Command, and then press ENTER.
Note: Selecting this command does not dynamically start the interfaces. You must
restart the appliance to activate new interfaces.
5. To return to the Main menu, select Back to Main Menu, and then press ENTER.

Restarting interfaces
To restart interfaces and apply settings:
1. From the Proventia Setup utility Main menu, select Network Configuration.
2. Select Run Tool, and then press ENTER.
3. Select Restart All Interfaces.
4. Select Run Command, and then press ENTER.
The appliance restarts and applies your configuration settings.
5. To return to the Main menu, select Back to Main Menu, and then press ENTER.


Configuring PPPoE Authentication


Introduction
This topic explains how to configure the appliance to use Point-to-Point Protocol over Ethernet (PPPoE) authentication. Some Internet Service Providers (ISPs) use this technology to connect users on an Ethernet connection to the Internet through a common broadband medium, such as a single DSL line, wireless device, or cable modem. If you are unsure whether to use PPPoE authentication, consult your ISP.

Note: For information about reconnecting the PPPoE connection on the external interface,
see the “The System Tools Page” on page 81.

Configuring PPPoE authentication
To configure PPPoE authentication:
1. In the Proventia Setup utility, select PPPoE as your external interface IP type. See
“Configuring external interfaces” on page 73.
2. On the PPPoE Configuration and Setup screen, select Continue, and then press ENTER.
3. Type the login name provided by your Internet Service Provider.
4. Select OK, and then press ENTER.
5. Type the password.
6. Type the password again to confirm it, and then press ENTER.
7. Type the Service name.
Note: You should leave this field blank if the service name is not required by your ISP.
8. Select OK, and then press ENTER.
The Configure PPPoE Options screen appears.

Configuring PPPoE options
To configure PPPoE options:
1. On the Configure PPPoE Options screen, accept the default setting, Interface Active
at Boot Time.
2. To dynamically assign a Domain Name Server (DNS) for the interface, press the SPACE BAR to select Use Server Assigned DNS, and then select Continue.
3. Accept the enabled setting (default) for ClampMSS to decrease the maximum segment size so that the appliance does not send too much data at one time. See “What is ClampMSS?” on page 78.
4. Press the SPACE BAR to select a Link Activation type, as follows:
■ On Demand, which disconnects the DSL an hour after the last access
■ Continuous, which keeps the DSL connected
Note: ISS recommends you select Continuous.
5. Select Continue, and then press ENTER.
The Configure Nameservers screen appears.
6. Perform the procedure “Changing the root and Proventia Manager passwords” on
page 75.
7. Select Continue, and then press ENTER.


What is ClampMSS?
The ClampMSS option causes PPPoE to “clamp” or control the TCP maximum segment size. ClampMSS resolves ICMP-related connectivity problems with TCP traffic for Internet access, FTP, and email. The default value for the appliance ClampMSS option is 1260. ClampMSS is enabled by default. The ClampMSS option addresses the following:

● if you use a DSL connection and experience sporadic timeouts
● a Web browser connects, then hangs with no data received
● attempts to download either files or email larger than 1K hang indefinitely
● SSH hangs after the initial handshake authentication

Why use ClampMSS?
Tunneled connections, such as PPPoE, typically lower the maximum transmission unit (MTU) because a packet must be fragmented in order to fit the narrower pipe of the tunneled connection. Because of PPPoE overhead, the maximum segment size is smaller than for normal Ethernet encapsulation. Many hosts use an algorithm called “path MTU discovery”, or PMTU. This algorithm relies heavily on reporting dropped packets using an ICMP message. If any firewall along the path blocks ICMP traffic, then large packets are repeatedly sent, repeatedly dropped, and the ICMP messages that report these drops are dropped as well. This adversely affects both the firewall and the computers behind the firewall.

If you want non-TCP traffic to work properly from behind the firewall with PPPoE
enabled (for example, if users on your network run a VPN client), you may have to
decrease the MTU on the client itself.

Note: For more information about adjusting the MTU on Windows computers, see the
following helpful link: http://www.dslreports.com/drtcp.
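The clamp described above, as an added example that is not the appliance's code: it rewrites the MSS option of a constructed IPv4 TCP SYN down to the 1260 default quoted in the text and recomputes the TCP checksum, while passing non-SYN segments and MSS values already at or below the clamp through untouched. The addresses and the 1460 starting MSS are constructed sample values.

```python
"""Clamp the TCP MSS option in a SYN segment, the way a PPPoE gateway's
ClampMSS setting does.

Added example, not the appliance's code. The clamp value 1260 is the
appliance default quoted in the text; the packets are constructed here."""
import struct
from typing import Optional

CLAMP_MSS = 1260   # appliance default (from the text)
TCP_PROTO = 6
SYN_FLAG = 0x02


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum over 16-bit words (odd trailing byte zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src: bytes, dst: bytes, tcp: bytes) -> int:
    """TCP checksum covers the IPv4 pseudo-header (src, dst, zero, proto, length) too."""
    pseudo = src + dst + struct.pack("!BBH", 0, TCP_PROTO, len(tcp))
    return ones_complement_sum(pseudo + tcp)


def build_syn(src: str, dst: str, sport: int, dport: int, mss: int,
              flags: int = SYN_FLAG) -> bytes:
    """Construct an IPv4/TCP segment whose only option is MSS (kind 2, length 4)."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    options = struct.pack("!BBH", 2, 4, mss)
    data_offset = (20 + len(options)) // 4          # TCP header length in 32-bit words
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0,
                      data_offset << 4, flags, 65535, 0, 0) + options
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src_b, dst_b, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000,
                     64, TCP_PROTO, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:]
    return ip + tcp


def _mss_offset(tcp: bytes) -> Optional[int]:
    """Walk the TCP option list; return the offset of the MSS value, or None."""
    data_offset = (tcp[12] >> 4) * 4
    i = 20
    while i < data_offset:
        kind = tcp[i]
        if kind == 0:                       # End of option list
            return None
        if kind == 1:                       # NOP padding
            i += 1
            continue
        if i + 1 >= data_offset:
            return None
        length = tcp[i + 1]
        if length < 2 or i + length > data_offset:
            return None                     # malformed list: leave the segment alone
        if kind == 2 and length == 4:
            return i + 2
        i += length
    return None


def mss_of(packet: bytes) -> Optional[int]:
    """Return the advertised MSS of an IPv4/TCP packet, or None if absent."""
    ihl = (packet[0] & 0x0F) * 4
    off = _mss_offset(packet[ihl:])
    return None if off is None else struct.unpack_from("!H", packet, ihl + off)[0]


def clamp_mss(packet: bytes, clamp: int = CLAMP_MSS) -> bytes:
    """Lower the MSS option of a TCP SYN (or SYN-ACK) to `clamp` and fix the TCP
    checksum. Non-TCP, non-SYN, option-less and already-small segments pass
    through unchanged, which is what a transparent clamp must do."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != TCP_PROTO:
        return packet
    tcp = bytearray(packet[ihl:])
    if not tcp[13] & SYN_FLAG:              # MSS is only carried on SYN
        return packet
    off = _mss_offset(bytes(tcp))
    if off is None or struct.unpack_from("!H", tcp, off)[0] <= clamp:
        return packet
    struct.pack_into("!H", tcp, off, clamp)
    tcp[16:18] = b"\x00\x00"                # zero the checksum field before recomputing
    struct.pack_into("!H", tcp, 16, tcp_checksum(packet[12:16], packet[16:20], bytes(tcp)))
    return packet[:ihl] + bytes(tcp)


def tcp_checksum_ok(packet: bytes) -> bool:
    """A correct TCP checksum sums (with the field included) to zero."""
    ihl = (packet[0] & 0x0F) * 4
    return tcp_checksum(packet[12:16], packet[16:20], packet[ihl:]) == 0


if __name__ == "__main__":
    # Constructed LAN host SYN advertising the plain-Ethernet MSS of 1460.
    syn = build_syn("192.168.1.10", "203.0.113.5", 40000, 80, 1460)
    clamped = clamp_mss(syn)
    print("before:", mss_of(syn), "after:", mss_of(clamped),
          "checksum ok:", tcp_checksum_ok(clamped))
```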


Changing the Time and Date in Proventia Setup


Introduction
Use the Proventia Setup utility command line access to adjust the time and date settings.

Time Set Issues - GMT
GMT + 0 is the official central point for timekeeping. The computer clock and time zone must be set for GMT. Otherwise, the syslog may not have correct date/time entries, which may cause problems when you troubleshoot errors.

Changing the time and date
To change the time and date:
1. From the Proventia Setup utility Main menu, select Set Time and Date.
2. Select Run Tool, and then press ENTER.
3. Select Configure System Time and Date.
4. Select Run Command, and then press ENTER.
5. Edit the month, day, year, hour, and minutes, or accept the default time if it is correct.
6. Select OK, and then press ENTER.
7. To return to the Main menu, select Back to Main Menu, and then press ENTER.


Changing the Time Zone in Proventia Setup


Introduction
Use the Proventia Setup utility command line access to adjust the time zone settings.

Changing the time zone
To change the time zone:
1. From the Proventia Setup utility Main menu, select Set Date and Time.
2. Select Run Tool, and then press ENTER.
3. Select Configure Time Zones.
4. Select Run Command, and then press ENTER.
5. Select the region in which the appliance is located.
Note: The default is America/New_York. Time zones are listed by major city.
6. Select OK, and then press ENTER.
7. Select Back to Main Menu, and then press ENTER.


The System Tools Page


Introduction
The new System Tools page offers several common system administration tools. Use the System Tools page to do the following:

● reboot or shut down the appliance
● reset all existing firewall connections, and reload all Firewall/VPN policies
● use the traceroute utility to provide a list of all the routers along the path to a computer or destination
● ping a computer on your network to determine whether it is reachable
● reconnect the PPPoE on the external interface
● release and renew a DHCP lease for the external interface
● force a failover to a secondary appliance in a High Availability cluster

Important: The features on this page are available only in Proventia Manager; you cannot
perform these tasks from the SiteProtector interface.

Traceroute protocols
You can use two types of protocols for the traceroute utility:

Traceroute protocol    Description

UDP                    The UNIX “traceroute” command. When you select a UDP traceroute protocol, the appliance sends a UDP packet to a random port on the target host. The Time to Live (TTL) field and the destination port field are incremented for each “ICMP Port Unreachable” message that is returned, or until 30 hops are reached.

ICMP                   The Windows “tracert” command. When you select an ICMP traceroute protocol, the TTL field and the destination port field are incremented for each “ICMP Echo Request” message that is returned, or until 30 hops are reached.

Table 41: Traceroute protocols

Rebooting the appliance
To reboot the appliance:
1. In the navigation pane, click + to expand the System node.
2. Select Tools.
The System Tools page appears.

3. In the System area, click the button.
The Reboot in Progress page appears, and then the appliance reboots.

Shutting down the appliance
To shut down the appliance:
1. In the navigation pane, click + to expand the System node.
2. Select Tools.
The System Tools page appears.


3. In the System area, click the button.
The Shutdown in Progress page appears, and then the appliance shuts down.

Important: After the appliance shuts down, you must press the power button to restart
the appliance.

Resetting all existing firewall connections
To reset existing firewall connections and reload all Firewall/VPN policies:

1. In the navigation pane, click + to expand the System node.
2. Select Tools.

3. In the Firewall/VPN area, click the button next to Reload Firewall/VPN Policies.
The appliance resets all firewall connections.

Pinging a computer
To ping a computer:

1. In the navigation pane, click + to expand the System node.
2. Select Tools.
3. In the Diagnostics area, in the Ping field, type the IP address of the computer you
want to test.
4. Click Submit.
The ping results appear in the Diagnostics area.

Using the traceroute utility
To use the traceroute utility:
1. In the navigation pane, click + to expand the System node.
2. Select Tools.
3. In the Diagnostics area, type the IP address you want to trace in the Traceroute field.
4. Select a protocol in the Protocol area. Options are:
● UDP (User Datagram Protocol)
● ICMP (Internet Control Message Protocol)
5. Click Submit.
The traceroute results appear in the Diagnostics area.

Reconnecting an external PPPoE interface
To reconnect the PPPoE connection on the external interface:

1. In the navigation pane, click + to expand the System node.
2. Select Tools.

3. In the Network Connection area, click the button next to Reconnect PPPoE Connection.
Note: You can view network connections on the Network Configuration page.


Releasing and renewing a DHCP lease
To release and renew the DHCP lease for the external interface:

1. In the navigation pane, click + to expand the System node.
2. Select Tools.

3. In the Network Connection area, click the button next to Renew DHCP lease.
The appliance renews the DHCP lease for the external interface.
Note: You can view the DHCP Lease History on the Service Configuration page. For
more information about DHCP leases, see “Configuring the DHCP Server” on
page 326.

Forcing a failover for an appliance with High Availability enabled
To force a failover for an appliance with High Availability enabled:

1. In the navigation pane, click + to expand the System node.
2. Select Tools.
The System Tools page appears.
3. In the Network Connection area, click the button.
After the failover completes, the Secondary Appliance banner appears on the appliance. The other appliance in the cluster becomes the primary appliance.
Note: You can verify the failover by going to the Home Page of the other appliance to
make sure that the High Availability Operating As is Primary. For more
information, see “About High Availability” on page 44.

Force Failover page
This page appears when you have enabled the High Availability feature and force the primary high availability appliance to fail over to the secondary appliance.

Reinitializing a replaced or reconnected High Availability appliance
You may need to replace or reinitialize an appliance in an HA cluster. Use the button to reinitialize a secondary appliance after you replace it. For more information about replacing a failed appliance, see “Troubleshooting your High Availability Configuration” on page 70.

To reinitialize an appliance in an HA cluster:

1. In the navigation pane, click + to expand the System node.
2. Select Tools.
The System Tools page appears.
3. In the Network Connection area, click the button.
The appliance is reinitialized with the HA cluster as the secondary appliance, and accepts current HA settings from the primary appliance.

Chapter 6

System Settings

Overview

Introduction
This chapter describes how to view and manage system settings, backup and recovery settings, and set alert and response notifications. Additional system configuration information is located in Chapter 21, "Managing Network Settings".

In this chapter
This chapter contains the following topics:

Topic                                               Page
About System Settings                               86
Reviewing the Status of System Settings             87
Changing Appliance Passwords in Proventia Manager   89
Notification Responses for Events                   91
Delivery Notification for System Events             92
Setting Response Delivery Options                   94
Configuring SNMP                                    97
Configuring the SMTP Proxy Server                   99
Configuring the HTTP Proxy Server                   102


About System Settings


Introduction
This topic summarizes basic system settings. Most of these settings were configured when you installed the Proventia appliance. However, you may occasionally need to perform maintenance tasks to keep the appliance properly configured. See also Chapter 21, "Managing Network Settings".

Available options
Table 42 describes the options available for managing your system settings:

If you want to…                                  Then see…

Review the status of system settings
    “Reviewing the Status of System Settings” on page 87
Change passwords for root, Admin, and Proventia Manager user accounts
    “Changing Appliance Passwords in Proventia Manager” on page 89
Set up email notification and SNMP responses
    “Setting Response Delivery Options” on page 94
Enable email and SNMP so that you can receive responses
    “Notification Responses for Events” on page 91
Tune response settings
    “Configuring Advanced Parameters” on page 377
Configure an IP address for an external interface
    “Configuring the External Interface in Proventia Manager” on page 311
Configure the HTTP proxy
    “Configuring the HTTP Proxy Server” on page 102
Configure IP addresses for internal interfaces
    “Enabling the Internal Interfaces in Proventia Manager” on page 317
Configure an interface
    “Enabling the Internal Interfaces in Proventia Manager” on page 317
Add routing to an interface
    “Routing” on page 318
Change network services
    “Enabling or Disabling SSH” on page 320
Change settings for the DHCP server
    “Configuring the DHCP Server” on page 326
Configure default or static IP addresses for DNS settings
    “DNS Settings for the DHCP Server” on page 329
Configure static IP addresses for a DHCP server
    “Configuring Static Address Assignments for a DHCP Server” on page 332
Review active DHCP leases
    “Viewing DHCP Leases” on page 335
Change the time or date
    “Changing Time Settings in Proventia Manager” on page 336

Table 42: System settings options


Reviewing the Status of System Settings


Introduction
This topic describes the System Status page. The System Status page displays the following data:

● memory usage
● CPU usage
● external and internal interfaces

To view the System Status page, click System in the navigation pane.

Memory usage
The following table describes memory usage statistics:

Statistic        Description
Total memory     Amount of memory installed on the appliance
Used memory      Amount of memory currently used by running processes
Free memory      Amount of unused memory on the appliance

Table 43: Memory usage

CPU usage
The following table describes CPU usage statistics:

Statistic    Description
User         Percentage of CPU resources used by user-level processes
System       Percentage of system resources used by the kernel
Idle         Percentage of CPU resources currently not used

Table 44: CPU usage statistics

Internal interface statistics
The following table describes internal interface statistics:

Statistic         Description
IP Address        The IP address of the interface
Netmask           The netmask of the interface
Link Speed        The link speed of the interface, in Mbps
Link Duplex       The link duplex status of the interface. Options are:
                  • Half
                  • Full
Bytes In          Number of bytes received by the interface
Bytes Out         Number of bytes sent by the interface
Packets In        Number of packets received by the interface
Packets Out       Number of packets sent by the interface
Send Errors       Number of errors that have occurred while sending from the interface
Receive Errors    Number of errors that have occurred while receiving on the interface

Table 45: Internal interface statistics

External interface statistics
The following table describes external interface statistics:

Statistic         Description
Connection Type   The connection type of the interface. Options are:
                  • Static
                  • DHCP
                  • PPPoE (use for broadband connections, such as DSL and cable)
                  If the connection type is DHCP, then the appliance displays the date the DHCP lease will expire.
IP Address        The IP address of the interface
Netmask           The netmask of the interface
DNS Server        The IP address of a configured DNS server. The appliance displays this statistic for each configured DNS server.
Link Speed        The link speed of the interface, in Mbps
Link Duplex       The link duplex status of the interface. Options are:
                  • Half
                  • Full
Bytes In          Number of bytes received by the interface
Bytes Out         Number of bytes sent by the interface
Packets In        Number of packets received by the interface
Packets Out       Number of packets sent by the interface
Send Errors       Number of errors that have occurred while sending from the interface
Receive Errors    Number of errors that have occurred while receiving on the interface

Table 46: External interface statistics

Recommendation for monitoring statistic types
ISS recommends that you monitor the statistics and note whether Send Errors, Receive Errors, or CPU usage have consistently high levels.

Refreshing the statistics
To refresh the statistics on the page:

● Select an option from the Refresh Data list.


Changing Appliance Passwords in Proventia Manager


Introduction
You can change the following passwords in your Proventia Manager interface:

● root password for the command line
● Web administrative password for the Proventia Manager
● administrative (admin) password for the Proventia appliance

You can also enable or disable the bootloader (root) password that protects the appliance
boot process.

Caution: Record and protect your passwords. If you lose a password, you must reinstall
the appliance and reconfigure your network settings.

Changing the root password
To change the root password:
1. In the navigation pane, click + to expand the System node.
2. Select Access.
3. In the root section, type the Current Password.
4. Click Set Password located next to the New Password.
5. Type your new password, and then type it again to confirm.
6. Click OK.
7. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Changing the appliance administrative password
To change the appliance administrative password:

1. In the navigation pane, click + to expand the System node.
2. Select Access.
3. In the Admin section, type the Current Password.
4. Click Set Password located next to the New Password.
5. Type the new password, and then type it again to confirm.
6. Click OK.
7. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Changing the Proventia Manager User password
To change the Proventia Manager User (Web administration) password:

1. In the navigation pane, click + to expand the System node.
2. Select Access.
3. In the Proventia Manager User section, type the Current Password.
4. Click Set Password, located next to the New Password.


5. Type the new password, and then type it again to confirm.
6. Click OK.
7. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Enabling or disabling the bootloader password
The bootloader password protects the appliance from unauthorized users during the boot process. The option to boot the SNMP kernel is the default boot option. When you enable the bootloader password, you must enter the root password to use a kernel boot option other than the default.

Tip: The bootloader password is the root password.

To enable the bootloader password:

1. In the navigation pane, click + to expand the System node.
2. Select Access.
3. In the Boot Loader section, select the Enable bootloader password box.
4. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.


Notification Responses for Events


Introduction
You can configure how the appliance sends notification responses for events. The following types of responses are available:

Response Type                     Description

Email responses                   Sends alerts to an individual address or to a group. You can define multiple email notifications for these responses and configure the data sent.

SNMP responses                    Sends SNMP traps to a consolidated SNMP server.

Alert delivery to SiteProtector   Sends alerts to the SiteProtector Agent Manager.

Table 47: Notification responses for events

Prerequisite
Before you configure delivery notification, you must first set up email and SNMP
responses for events.

Reference: For more information, see “Setting Response Delivery Options” on page 94.

Types of events
When you configure delivery notification, the system sends an alert message for system
events to the log file. Alert messages notify you of security-related events. There are three
types of alerts for system events:

● error events
● warning events
● information events

Delivery Notification for System Events


Introduction This topic describes how to configure delivery notification for system events. It includes
procedures for the following tasks:

● enabling alert logging and message notification options, including email and Simple
Network Management Protocol (SNMP) traps
● disabling alert logging
● disabling message notification
Tip: If you enable email notification for System Informative Events, the appliance
notifies you via email when updates are available for download or install. See “About
Updating the Appliance” on page 22.

Important: You can send alerts to the SiteProtector Agent Manager if you register your
appliance with SiteProtector. Use caution when you enable alerts to SiteProtector. For
more information, see “Considerations for Appliance Updates and Events with
SiteProtector” on page 341.

Enabling alert logging and message notification
To enable alert logging and message notification options:

1. In the navigation pane, click + to expand the System node.
2. Select Notification.
3. Select the Event Notification tab.
4. Select Alert Logging for System Error Events.
5. Select how you want to be notified of errors. Specify message notification as follows:
■ To receive email notifications, select Email Enabled, and then select the email
account name from the Email Name list.
■ To receive SNMP traps on UDP port 162, select SNMP Trap Enabled.
■ To send alerts to the SiteProtector Agent Manager, select SiteProtector Enabled.
6. Select Alert Logging for System Warning Events.
7. Select how you want to be notified of warnings.
8. Select Alert Logging for System Informative Events.
9. Select how you want to be notified of information events.
10. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Disabling alert logging
To disable alert logging:

1. In the navigation pane, click + to expand the System node.
2. Select Notification.
3. Select the Event Notification tab.
4. Clear the check box(es) for the alert messages you want to disable.
5. Do one of the following:

■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Disabling message notification
To disable message notification:

1. In the navigation pane, click + to expand the System node.
2. Select Notification.
3. Select the Event Notification tab.
4. Clear the check box(es) for the alert messages you want to disable.
5. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Setting Response Delivery Options


Introduction This topic describes how to set notification responses for events. It includes procedures
for the following tasks:

● configuring email responses
● configuring the Simple Network Management Protocol (SNMP) response

Important: After you configure the email and SNMP responses, you must enable email
and SNMP notification options.

Note: You can configure your M Series appliance to deliver alerts to SiteProtector. For
more information, see “Using SiteProtector Management” on page 338.

Configuring an email response
You can configure the appliance to notify you when events occur. You can configure the
appliance to send an email notification to an individual address, or to a group. To send
email notification to a group, create an email distribution list on your corporate server.

Note: After you configure the email response, you must enable the email notification
option. For more information, see “Delivery Notification for System Events” on page 92.

Note: If you want to receive event message information in the email, type the <Message>
tag in the Subject Format or Body Format fields.

Adding an email response
To add an email response:

1. In the navigation pane, click + to expand the System node.
2. Select Notification.
3. Select the Delivery Setup tab.
4. In the Email Configuration section, click Add.
5. Type a meaningful name in the Name field.
6. Type the mail server (as a fully qualified domain name or IP address) in the SMTP
Host field.
Note: The SMTP Host must be accessible to the appliance to send email notifications.
7. Type an individual recipient or email group in the To field.
8. Click the Subject arrow to see a list of subject formats, and then select a subject.
9. Click the Body Format arrow to see a list of message body formats, select a format and
then click OK.
Tip: You can customize the Subject and Body by typing your own text and
embedding values from lists. If you leave the Body field blank, the email response
includes all available values.
10. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Editing an email response
To edit an email response:

1. In the navigation pane, click + to expand the System node.
2. Select Notification.
3. Select the Delivery Setup tab.
4. In the Email Configuration section, click Edit.
5. If needed, edit the name in the Name field.
6. If needed, change the mail server in the SMTP Host field.
7. If needed, change the recipient in the To field.
8. Click the Subject arrow to see a list of subject formats, and then select a subject.
9. Click the Body Format arrow to see a list of message body formats, select a format,
and then click OK.
10. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Copying an email response
To add another entry with the same values, you can copy an email response, and then
change the email address.

To copy an email response:

1. In the navigation pane, click + to expand the System node.
2. Select Notification.
3. Select the Delivery Setup tab.
4. In the Email Configuration section, select the response to copy.
5. Click the Copy icon.
6. Click the Paste icon.
The email response is copied to the response list.
7. If needed, edit the email response.
8. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Removing an email response
To remove an email response:

1. In the navigation pane, click + to expand the System node.
2. Select Notification.
3. Select the Delivery Setup tab.
4. In the Email Configuration section, select the response to remove, and then click
Remove.
The email response is removed from the response list.
5. Do one of the following:

■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Configuring SNMP
Introduction This topic describes how to configure the Simple Network Management Protocol (SNMP)
notification responses for events.

You can configure two SNMP functions:

● SNMP Get
● SNMP Traps

Important: After you configure the SNMP function, you must enable the SNMP
notification option. See “Notification Responses for Events” on page 91.

Displaying the ISS-assigned Event Name in SNMP trap messages
To display the ISS-assigned Event Name in SNMP trap messages, you can import or
compile the ISS MIB file (iss.mib) into an SNMP management application such as
Hewlett-Packard OpenView. The ISS MIB file defines the format of ISS SNMP traps, and
is used by your management application to provide translations of the numeric Object
Identifiers (OIDs) contained in the trap messages. You can download the iss.mib file from
the ISS download center at http://www.iss.net/download/.

For more information about using your SNMP management application, refer to your
SNMP management application software documentation.

Configuring the SNMP Get response
To configure SNMP Get:

1. In the navigation pane, click + to expand the System node.
2. Select Services.
3. Select the SNMP tab.
4. Select SNMP Get Enabled.
5. Type a name in the System Name field.
6. Type a location in the System Location field.
7. Type relevant information in the Contact Information field.
8. Type the appropriate community name in the Get Community field.
9. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Configuring the SNMP Trap response
To configure SNMP Trap:

1. In the navigation pane, click + to expand the System node.
2. Select Services.
3. Select the SNMP tab.
4. Select SNMP Traps Enabled.
5. Type the IP address in the Trap Receiver field.
Note: This IP address is the server address where the SNMP Manager is running. The
SNMP host must be accessible to the appliance for it to send SNMP trap notifications.

6. Type the appropriate community name (public or private) in the Trap Community
field.
7. Select a trap version from the Trap Version list.
8. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Configuring the SMTP Proxy Server


Introduction Configure Simple Mail Transfer Protocol (SMTP) for transparent proxy to scan files for
viruses and to prevent the use of your email server in sending SPAM to others. You must
configure the SMTP proxy server to use the Antivirus and Antispam modules.

You can use relay IPs to control which computers in your network can send email outside
your domain (outside your network), and which domains can send email to users in your
network. Configure SMTP on the Service Configuration page.

For more information about proxies, see “About Firewalls” on page 104.

How transparent proxy works
A transparent proxy is invisible to users on your network. You can configure the proxy
server to use specified ports, and then configure the firewall to allow email traffic on those
port numbers. The proxy server passes data between the email sender and the email
receiver, but remains invisible to the users. The users appear to be talking directly to each
other.

Example: You can set up an email server on the DMZ segment of your network, and then
create an access policy on your appliance that allows the email server to receive email on
port 25. When a sender outside the network sends an email to a user inside the network,
the email goes through the appliance, where the SMTP proxy server intercepts the email.
The SMTP proxy server disassembles and scans the email for viruses.

If the email is not infected, the SMTP proxy server routes the email to the destination
email server. There is no indication to either user that the email was intercepted or
scanned.

If the email is infected, then one of the following occurs:

● If you have selected the Quarantine Infected Files option, the appliance quarantines
the portion of the email that is infected, deletes the remainder of the file, and returns a
reject message to the sender.
● If you have not selected the Quarantine Infected Files option, the appliance deletes
the entire file and returns a reject message to the sender.

How Relay IPs work
The SMTP proxy server configuration includes two components:

● the Relay IP list
● the Local Domain list

The Relay IP list defines the users in your network that can send and receive email. If you
add a range of IP addresses to the list of Relay IPs, then the appliance allows any
computer in the range to send email to another domain. The Local Domain list defines the
domains in your network that can receive email from users in your network. If you add a
domain to the list of Local Domains, then the appliance allows all email from that domain.
If you have more than one domain, you must include all domains in the Local Domain list
for the appliance to allow email to pass between them.

When a user in your domain sends an email to another domain, the antivirus software
compares the source IP address of the email sender to the list of relay IP addresses. The
appliance does one of the following:

● If the source IP address is on the relay IP list, then the appliance relays the email to the
destination domain.
● If the source IP address is not on the list, and the destination domain is not listed in
the local domains, then the appliance notifies the sender that the system is not
authorized to relay the email.
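The relay decision just described, as an added example in Python that is not part of this guide or of the appliance's own code. It models the Relay IP list (masks restricted to /16 to /32, as the Tip in the procedure below notes), the Local Domain list and My Domain, and returns the verdict for one recipient; the reject wording, the mybiz.net local domain and the documentation-range addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Constructed wording; the guide only says the sender is notified that the
# system is not authorized to relay the email.
RELAY_DENIED = "system is not authorized to relay the email"


@dataclass
class SmtpProxyRelayConfig:
    """My Domain, the Relay IP list and the Local Domain list from the SMTP tab."""
    my_domain: str
    relay_ips: List[ipaddress.IPv4Network] = field(default_factory=list)
    local_domains: Set[str] = field(default_factory=set)

    def add_relay_ip(self, cidr: str) -> None:
        # Tip in the guide: valid network masks for a Relay IP entry are /16 to /32.
        net = ipaddress.ip_network(cidr, strict=False)
        if not 16 <= net.prefixlen <= 32:
            raise ValueError(f"relay IP mask must be /16 to /32, got /{net.prefixlen}")
        self.relay_ips.append(net)

    def add_local_domain(self, domain: str) -> None:
        self.local_domains.add(domain.lower().strip("."))

    def is_local_domain(self, domain: str) -> bool:
        d = domain.lower().strip(".")
        return d == self.my_domain.lower() or d in self.local_domains

    def is_relay_source(self, source_ip: str) -> bool:
        addr = ipaddress.ip_address(source_ip)
        return any(addr in net for net in self.relay_ips)

    def decide(self, source_ip: str, recipient: str) -> Tuple[str, str]:
        """Return (verdict, reason) for one envelope recipient.

        verdict is "deliver" (the destination is My Domain or a Local Domain),
        "relay" (the sender's IP is in the Relay IP list, so mail may leave for
        another domain) or "reject" (neither holds, so relaying is refused).
        """
        if "@" not in recipient:
            return "reject", "malformed recipient"
        dest_domain = recipient.rsplit("@", 1)[1]
        if self.is_local_domain(dest_domain):
            return "deliver", f"{dest_domain} is My Domain or a Local Domain"
        if self.is_relay_source(source_ip):
            return "relay", f"{source_ip} is in the Relay IP list"
        return "reject", RELAY_DENIED


def build_example_config() -> SmtpProxyRelayConfig:
    # Constructed sample: mybiz.com is the My Domain example used in the guide;
    # 192.0.2.0/24 is a documentation range standing in for the internal LAN.
    cfg = SmtpProxyRelayConfig(my_domain="mybiz.com")
    cfg.add_relay_ip("192.0.2.0/24")
    cfg.add_local_domain("mybiz.net")
    return cfg


if __name__ == "__main__":
    cfg = build_example_config()
    for src, rcpt in (("192.0.2.10", "bob@example.org"),      # LAN host sending out
                      ("198.51.100.7", "alice@mybiz.net"),    # outside host to a local domain
                      ("198.51.100.7", "carol@example.org")):  # outside host trying to relay
        print(src, rcpt, "->", cfg.decide(src, rcpt))
```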

Enabling SMTP proxy on your network
You must complete the following tasks to configure the SMTP proxy on your network:

Task   Action
1      Add IP address ranges to the Relay IP list to define users that can send email
       outside your domain.
2      Add any additional corporate domains to the Local Domain list to define the
       domains that can receive email.

Table 48: Tasks to enable SMTP proxy

Adding relay IPs and local domains
To add relay IPs and local domains:

1. In the navigation pane, click + to expand the System node.
2. Select Services.
3. Select the SMTP tab.
4. Type the corporate domain name in the My Domain field.
Example: mybiz.com
Note: This is the primary domain for which the email server is responsible. Any email
from a user at this domain is local and will not be relayed to the relay IP addresses.
5. Click Add in the Relay IPs area.
6. Type the IP address and network mask of the Relay IP in the IP Address/Mask fields,
and then click OK.
Tip: The valid range for network address masks in the Relay IP area is /16 to /32.
7. Click Add in the Local Domains area.
8. Type additional corporate domain names in the Domain Name field, and then click OK.
Note: If the sender's IP address is not in the relay IP list, then only the domains
included in the local domains are allowed to receive email.
9. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Editing relay IPs
To edit Relay IPs:

1. In the navigation pane, click + to expand the System node.
2. Select Services.
3. Select the SMTP tab.
4. Select an IP address in the Relay IPs area, and then click Edit.
5. Type the IP address and network mask of the Relay IP in the IP Address/Mask fields,
and then click OK.

6. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Editing local domains
To edit local domains:

1. In the navigation pane, click + to expand the System node.
2. Select Services.
3. Select the SMTP tab.
4. Select a domain in the Local Domains area, and then click Edit.
5. Click Edit in the Local Domains area.
6. Type additional corporate domain names in the Domain Name field, and then click OK.
7. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Configuring the HTTP Proxy Server


Introduction If your network uses an HTTP proxy to get to the Internet, you must configure the proxy
settings on your appliance to use Web Filters and configure updates.

Important: For the appliance to correctly route HTTP proxy traffic, make sure that you
enable the relevant proxy redirection rules when you enable the HTTP proxy option.

Configuring HTTP Proxy
To configure the HTTP proxy:

1. In the navigation pane, click + to expand the System node.
2. Select Services.
3. Select the HTTP Proxy tab.
4. Select the Enable HTTP Proxy box.
5. Type a valid IP address in the Address field.
6. Type the port value in the Port field.
7. Do you want to enable authentication?
■ If yes, select the Enable Authentication box, and go to Step 8.
■ If no, go to Step 10.
8. Type a user identification value in the User ID field.
9. Type a password in the Password field.
10. Click OK.
11. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Chapter 7

Firewall Settings

Overview
Introduction This chapter includes information about the firewall configuration process, the protection
status page and explains how to configure notification of firewall alerts and general
events.

In this chapter
This chapter contains the following topics:

Topic                                            Page
About Firewalls                                  104
Firewall/VPN Protection Status Page              106
Process Overview for Configuring the Firewall    108
Configuring Firewall Messages                    109

About Firewalls
Introduction Firewalls control the traffic coming into and leaving your network. The appliance firewall
examines network packets and determines whether to accept or deny them based on
predefined rules called access policies.

Packet filtering
A traditional firewall consists of a computer or group of computers behind a routing
device. The routing device uses packet filtering to control traffic at the packet level,
allowing or denying packets based on information in the packets' TCP and IP headers.
This packet information includes the following:

● source address
● destination address
● protocol
● source port number
● destination port number

Proxies
A host can control traffic at the application layer, providing access control based on a more
detailed and protocol-dependent examination of the traffic. The process that examines
and forwards packet traffic is called a proxy.

The appliance uses the following proxies:

This proxy...   Is used to...                                          And is configured on this page...
SMTP proxy      Transparently scan files for the Antivirus and         Service Configuration page
                Antispam modules. This proxy blocks viruses and SPAM.
                Important: You must configure the SMTP proxy server
                to use the Antivirus module.
HTTP proxy      Connect your network to the Internet in order to       Service Configuration page
                access the ISS download center and the ISS database
                server. You must configure the HTTP proxy to do any
                of the following:
                • receive appliance updates
                • use Web Filters
                • use Antispam
FTP proxy       Inspect network traffic for viruses                    Firewall/VPN Settings
                                                                       (Proxy Redirection tab)
POP3 proxy      Inspect email traffic for viruses                      Firewall/VPN Settings
                                                                       (Proxy Redirection tab)

Table 49: Appliance proxies

Appliance firewall components
The following table describes the firewall components you can configure on your
appliance:

Component                 Description
Access policies           Define firewall rules that prevent unwanted traffic from coming
                          into and leaving your network
NAT policies              Define how the firewall translates IP addresses for inbound and
                          outbound network traffic when you enable NAT
Event notification        Define how the appliance notifies you of events
Proxy redirection rules   Define the direction and data streams the firewall will redirect
                          to the proxies for analysis
Advanced parameters       Include firewall and VPN advanced parameters

Table 50: Firewall components

Use the Firewall/VPN Settings page to configure your appliance's firewall component.

Note: For more information, see “IKE SA information” on page 106 and “Firewall/VPN
Protection Status Page” on page 106.

For information about access policies in an HA configuration, see “High Availability
Access and NAT Policies” on page 49.

Firewall/VPN Protection Status Page


Introduction The Firewall/VPN Protection Status page displays data for the following statistics types:

● current connections
● IKE SA information
● SA information

Current connections
Current connections statistics are included in the Current Connections area. Current
connection statistics are described in the following table:

Statistic Description

Internal The current connections to the internal interface

External The current connections to the external interface

Self The current connections to the Proventia Manager

External to Self The current connections from an external network (the Internet) to
Proventia Manager

Table 51: Connection statistics

IKE SA information
IKE policy states are included by policy name in the IKE SA Information area. IKE SA
information statistics are described in Table 52:

Statistic Description

Policy Name The name of the policy in use in one or more VPN connections

State The current state of the policy. The possible states are as follows:
• Unused states (indicate that the policy is not in use)
- INIT_IDLE
- RESP_IDLE
• Transient states (indicate that IKE negotiations are occurring)
Note: These states may last for a few seconds only.
- MM_SA_WAIT
- AM_SA_WAIT
- RESP_KE_WAIT
- INIT_KE_WAIT
- RESP_ID_WAIT
- INIT_ID_WAIT
- HASH_WAIT
• Established state (indicates that IKE SA is established)
- SA_MATURE

Table 52: IKE SA information

SA information
Security Associations (SA) statistics are included in the SA Information area. SA
information statistics are described in Table 53:

Statistic Description

IPSEC SA count The total number of SAin and SAout

Table 53: Security Associations (SA) statistics

Reference: For more information, see “Security Associations” on page 198.

Refreshing the statistics
You can refresh the statistics on the System Status page manually or automatically at
certain intervals. The refresh data options are as follows:

● Refresh Now (manually refreshes the page)
● every 10 seconds
● every 20 seconds
● every 30 seconds
● every 1 minute
● every 2 minutes
● Auto Off (disables automatic refreshing)

To refresh the statistics on the Firewall/VPN Status page:

● Select one of the options from the Refresh Data list.

The Firewall/VPN page displays the latest statistics.

Process Overview for Configuring the Firewall


Introduction This topic describes the tasks required to configure the firewall on your appliance.

Note: You must configure the Dynamic Address List before you can use the list in firewall
components.

Configuring the firewall tasks
Configuring the firewall is a four-task process:

Task   Description                        Reference
1      Create access policies             See “About Access Policies” on page 112.
2      Create a Dynamic Address List      See “Configuring Dynamic Address Lists” on page 173.
3      Configure firewall messages        See “Configuring Firewall Messages” on page 109.
4      Create NAT policies (optional)     See “About NAT Policies” on page 129.

Table 54: Tasks for configuring the firewall

Configuring Firewall Messages


Introduction You can configure the following types of firewall messages:

● Alert – Notifies you of security-related events
● General – Notifies you of events related to the following aspects of your
network:
■ firewall status
■ system activity
■ user activity
■ detail of messages written to log files

Note: You can configure your M Series appliance to deliver alerts to SiteProtector. For
more information, see “How the appliance delivers alerts to SiteProtector” on page 341.

Tasks for configuring firewall messages
To configure alert and general firewall messages, you must do the following:

Task   Description
1      Specify which alert events the appliance logs
2      Specify how the appliance notifies you about alert events
3      Configure general event logs and notification

Table 55: Tasks for configuring firewall messages

Task 1: Select which alert events the appliance logs
To select which alert events the appliance logs:

1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Settings.
3. Select the Event Notification tab.
4. Select the Alert Logging for Alert Events tab.
5. Select any of the following events for which the firewall writes alert messages to the
log file:
■ Syn Flooding
■ Ping of Death
■ IP Spoofing
■ Invalid Packets
■ General Attacks

Task 2: Select how the appliance notifies you about alert events
To select how the appliance notifies you about alert events:

1. Select the Alert Event Notification Delivery tab.
2. Select how the appliance notifies you about alert events.
■ To receive email notifications, select Email Enabled, and then select the email
account name from the Email Name drop-down list.

■ To configure another email account, click Configure Email.
If you use email notification, leave the default setting for the
attack.log_one_attack_every advanced parameter. The default setting is 100, which
means that if 100 events of the same type occur, only 1 log event record is
written. Therefore, you receive only one email notification, rather than 100.
■ To receive Simple Network Management Protocol (SNMP) traps on UDP port 162,
select SNMP Trap Enabled.
■ To configure SNMP Get or SNMP Traps, click Configure SNMP.
■ To send alerts to the SiteProtector desktop controller, select SiteProtector Enabled.
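How the attack.log_one_attack_every collapsing described under Task 2 behaves, as an added Python example that is not the appliance's code. The guide states only that 100 events of one type produce one log record; the example assumes the first occurrence is written and then one record per further 100, and tracks each alert type separately.

```python
from collections import defaultdict
from typing import Dict, List


class AttackLogThrottle:
    """Collapses repeated alert events of one type into single log records.

    Assumption (not spelled out in the guide): the first occurrence of an alert
    type is written, then one record per further `every` occurrences of that
    type, so 100 identical events yield exactly one record and one email.
    """

    def __init__(self, every: int = 100) -> None:
        if every < 1:
            raise ValueError("attack.log_one_attack_every must be 1 or more")
        self.every = every
        self.seen: Dict[str, int] = defaultdict(int)   # events counted per alert type
        self.logged_at: Dict[str, int] = {}             # occurrence number of the last record
        self.records: List[str] = []                     # what reaches the log and the email

    def event(self, alert_type: str, detail: str) -> bool:
        """Count one alert event; return True if a log record was written for it."""
        self.seen[alert_type] += 1
        n = self.seen[alert_type]
        if (n - 1) % self.every != 0:
            return False                                 # suppressed: same type, within the window
        suppressed = n - self.logged_at.get(alert_type, 0) - 1
        self.logged_at[alert_type] = n
        self.records.append(
            f"{alert_type}: {detail} (occurrence {n}, {suppressed} suppressed since last record)")
        return True


def simulate(throttle: AttackLogThrottle, alert_type: str, count: int) -> int:
    """Feed `count` identical events; return how many log records they produced."""
    return sum(throttle.event(alert_type, "constructed sample event") for _ in range(count))


if __name__ == "__main__":
    t = AttackLogThrottle()                  # the default of 100
    print(simulate(t, "Syn Flooding", 250), "records for 250 SYN flood events")
    print(simulate(t, "Ping of Death", 1), "record for 1 ping of death event")
    print("\n".join(t.records))
```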

Task 3: Configure general event logs and notification
To select which general events the appliance logs and how the appliance notifies you of
general events:

1. Select the Alert Logging for General Events tab.
2. Select the general messages that the firewall writes to the log file. General messages
are as follows:

Message type              Description
Resource errors           Errors that occur with the firewall, or with traffic going through
                          the firewall, are written to the log file.
Deny rule messages        If you have a deny rule with logging enabled in a firewall policy,
                          and traffic is blocked on that rule, then an event is written to
                          the log file.
Allow Rule Messages       If you have an allow rule with logging enabled in a firewall
                          policy, and traffic is accepted on that rule, then an event is
                          written to the log file.
Rule Not Found Messages   If a packet comes across your network and is dropped because there
                          are no matching firewall policy rules, an event is written to the
                          log file.
Configuration Changes     Any time a firewall rule, list, or any other configurable firewall
                          setting is modified, an event is written to the log file.
                          Note: The event does not indicate which user made the change.
Access Statistics         A log entry describing the current network activity will be made
                          at certain intervals.
VPN Messages              Every time a user accesses your network through one of the IPSEC
                          policies, an event is written to the log file.
DNS and ICMP Messages     For all ICMP messages and all DNS query and reply messages, an
                          event is written to the log file.

3. Select the General Event Notification Delivery tab.
4. Select how the appliance notifies you about general events.
5. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Chapter 8

Access Policies

Overview
Introduction This chapter explains how to configure access policies for firewall settings.

Note: Address Lists and Port lists are Network Objects. You can configure the address
names and address groups, and port names and groups on the Firewall/VPN Network
Objects page. For more information, see “About Network Objects” on page 166.

In this chapter
This chapter contains the following topics:

Topic                                     Page
About Access Policies                     112
Access Policy Page                        113
Configuring Access Policies               116
About Proxy Redirection Rules             121
Configuring Proxy Redirection Rules       122

About Access Policies


Introduction The appliance firewall uses access policies to prevent unwanted traffic from coming into
and leaving your network. Access policies contain the firewall rules that define how your
firewall responds to network traffic. An access policy applies to both inbound and
outbound traffic on your network. You can use access policies together with NAT policies
or port forwarding to customize the way your firewall handles network traffic. See
“About Firewalls” on page 104.

Firewall policies are now combined in an Access Policy
In earlier firmware versions, you configured three different types of policies:

● Self policies to regulate traffic to the appliance
● Internal policies to regulate traffic on your local network
● DMZ policies to regulate traffic on the DMZ segment of your network

You can now use access policies to regulate all network traffic for internal and external
interfaces. An access policy applies to both inbound and outbound traffic.

Order of rules in the policy
The access policies are set up to accept or deny a network packet based on criteria defined
in the policy. The appliance firewall compares network packets against each policy in
descending order until it finds a rule that accepts or denies the packet.

Important: If no policy accepts or denies the packet, then the appliance denies the packet.

Access policies and high availability
When you enable or disable the high availability feature, the appliance uses the virtual IP
addresses to route traffic. If you have created firewall policies or rules that use a static IP
address, then you must revise those policies or rules.

In the case of access policies, IPSEC policies, NAT policies and proxy redirection rules,
change any IP address information that references a static interface address to one of the
virtual IP addresses, or disable the policy, as appropriate. You must remove and then re-
add conflicting Security Gateways. See “High Availability Access and NAT Policies” on
page 49.

Access Policy Page


Introduction Use the Access Policy Page to configure access policies for your firewall.

The Access Policy Table
The Access Policy Table contains the following columns:

Column                Description
Rule Order            A value that represents the placement of an access policy in the
                      Access Policy table. If you move an access policy up or down in the
                      table, the Rule ID value will increase or decrease. This value is
                      useful for troubleshooting firewall alerts and corresponding access
                      policies.
Enabled               Select this checkbox to activate the module.
Action                In an access policy, an action is the response that the firewall
                      takes to a network packet. Actions are as follows:
                      • Accept - the firewall allows the packet to pass
                      • Reject - the firewall discards the packet, and sends a Reset/ICMP
                        packet to notify the source that the packet is discarded
Log Enabled           Select this checkbox on the Add Access Policy page to write an
                      event to the System Log file for each firewall action (Allow, Drop,
                      or Reject) applied to a packet.
Comment               Type a meaningful description of the item in this field.
Protocol              Agreed-upon methods of communications used by computers. A
                      specification that describes the rules and procedures that
                      products should follow to perform activities on a network, such as
                      transmitting data. If they use the same protocols, products from
                      different vendors should be able to communicate on the same
                      network.
Source Address        The IP address of the computer that sends the network packet.
Source Port           The source port that the originating computer assigned to a
                      network packet.
Destination Address   The IP address of the computer that receives the network packet.
Destination Port      The port number that the originating computer asks the receiving
                      computer to open.
Deprecated            A setting or feature that is obsolete or replaced with new
                      functionality.

Table 56: Access policy table column descriptions

These settings appear for each Access Policy entry in the Access Policy table.

Proventia M Series Appliances User Guide Release 2.3 113


Chapter 8: Access Policies

Tabs on the Access Policy page
The following table describes the tabs that appear on the Access Policy page.

Note: You can also access the edit screen by double-clicking the policy entry.

This tab...: Allows you to...

Protocol: specify a protocol name or number for the policy

Source Address: specify a source address for the policy

Source Port: specify a source port for the policy

Destination Address: specify a destination address for the policy

Destination Port: specify a destination port for the policy

Deprecated: view settings in the policy that the appliance could not migrate successfully
from the previous firmware version. You cannot edit the fields on this tab. If the
Deprecated check box is selected, then this tab displays Direction or NAT policy settings
that did not migrate successfully.

Table 57: Access policy page tabs

About the Deprecated tab
The Deprecated tab displays firewall rule settings from firmware version 1.11 that you
may want to migrate manually, to fully use the new functionality in the new firmware.
Firmware version 2.1 contains enhanced functionality for firewall rules (now Access
policies) and NAT Lists (now NAT policies). When you update your appliance to the
current firmware version, the appliance automatically migrates existing firewall settings.

After the appliance migrates firewall settings, some firewall rules contain settings that are
deprecated, or replaced by the new functionality. The deprecated settings continue
functioning, but may conflict with future policies. If an access policy has deprecated
settings, a check mark appears for that policy in the Deprecated column of the Access
Policy table, and the settings are indicated on the Deprecated tab.

Example: When your appliance ran firmware update 1.11, the appliance had a firewall
rule with a Direction setting of Outbound and an associated NAT List. When you update
the appliance to firmware version 1.12, the appliance migrates the firewall rule to an
access policy. The appliance continues to apply the access policy and NAT to outbound
traffic. However, access policies are bidirectional by default, so the Outbound and NAT
settings are now deprecated.

When to manually migrate policy settings
If you want to use new features of this release, such as NAT policies, or if you create new
access policies, deprecated settings may conflict with the new policies. ISS recommends
that you review existing access policies to ensure that your new access policies work
properly, and migrate deprecated settings as necessary.

Removing deprecated settings
Fields on the Deprecated tab are read-only. If you want to remove deprecated settings,
you must do the following:

1. Remove the access policy and create a new policy with equivalent settings
2. Create a new NAT policy with equivalent NAT settings


Deprecated tab settings
The following table describes the settings on the Deprecated tab:

Setting: Description

Deprecated:
• If this check box is selected, then the policy contains deprecated settings.
• If this check box is cleared, then no policy changes are recommended.

Direction: An access policy direction setting is deprecated if this field displays one of
the following settings:
• Inbound
• Outbound
By default, an access policy applies to both inbound and outbound traffic on your
network. This setting is deprecated if the migrated firewall rule previously applied only
to inbound or outbound network traffic.

NAT Enabled:
• If this check box is selected, then the access policy is associated with a NAT policy.
• If this check box is cleared, then no NAT policy changes are recommended.
IMPORTANT: NAT policies are now global, and are not associated with individual access
policies. This setting is deprecated if the migrated firewall rule was associated with a
NAT List.

Name: This field displays the name of the NAT List associated with this access policy.

Table 58: Deprecated settings

Tips about icons
The following table describes icons that may appear on this page:

Icon (image not reproduced): Description

[error icon]: If this icon appears next to a field on this page, it indicates one of the
following:
• data is required in the field
• the data in the field is invalid
If the icon appears next to a policy or a tab on this page, then the policy or tab
contains invalid settings or empty fields that require data.

[move up icon]: If this icon appears at the top of a list, you can select an item in the
list, and click the icon to move the item toward the top of the list.

[move down icon]: If this icon appears at the top of a list, you can select an item in
the list, and click the icon to move the item toward the bottom of the list.

[copy icon]: If this icon appears at the top of a list, you can select an item in the
list, and click the icon to copy the item to the clipboard.

[paste icon]: If this icon appears at the top of a list, you can click the icon to paste
a copied item from the clipboard into a list. After you paste the item, you can edit it.

Table 59: Access policy page icons


Configuring Access Policies


Introduction
Configure access policies on the Access Policy Page. An access policy applies to both
inbound and outbound traffic on your network.

Important: You can add an access policy to the list without enabling it, but the policy is
not active. You must enable the policy before the appliance applies it to traffic on your
network.

Task overview
You must complete the following six tasks to configure an access policy:

Task: Description

1: Define general settings.
2: Select a protocol.
3: Select a source address.
4: Select a source port.
5: Select a destination address.
6: Select a destination port.

Table 60: Access policy task overview

Tips about editing entries in the Access Policy table
You can edit all fields in an Access Policy in the Edit Access Policy window, or you can
edit selected fields directly in the policy table.

To edit all fields in an Access Policy table entry:

● Select the entry, and then click Edit to display the Edit Access Policy window.
● Double-click the entry to display the Edit Access Policy window.

You can do the following directly in the policy table:

● Select or clear the Enabled checkbox
● Select an action from the Action list
● Type text in the Comment field

Important: If you add an access policy, ISS recommends that you review existing policies
for deprecated settings that might conflict with the new policy. See “About the
Deprecated tab” on page 114.

Task 1: Define general settings
To define general settings:

1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Settings.
3. Select the Access Policy tab.
4. Click Add.
Note: If you select a rule before clicking Add, the new rule that you create is added
above the selected rule. If no rule is selected, the new rule is added to the bottom of
the list.
5. To enable the policy, select the Enabled checkbox.
6. Select an action from the Action list.
7. To write events to the System Log file, select the Log Enabled check box.
Note: If you want to receive events about an access rule, you must do both of the
following:
■ Select Log Enabled
■ Enable event notification for the appropriate alert type on the Firewall/VPN
Settings > Event Notification tab.
8. Type a meaningful description in the Comment field.

Task 2: Select a protocol
To select a protocol:

1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Settings.
3. Select the Protocol tab.
4. Select a protocol for the network packet as follows:
■ To apply the policy to a network packet sent on any protocol, select Any.
■ To apply the policy to a network packet sent on a specific protocol by name, select
the protocol from the Protocol Name drop-down list.
■ To apply the policy to a network packet sent on a specific protocol by number, type
the number in the Protocol Number field, or use the slider to select the number.
■ If you specify a port value in the policy, then you must select either the TCP or UDP
protocol.

Task 3: Select a source address
To select a source address:

1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Settings.
3. Select the Source Address tab.
4. Specify the source IP address as follows:
■ To apply the policy to any IP address, select Any.
■ To apply the policy to one IP address, select Single IP Address, and then type the
IP address in the IP Address field. Use the dotted decimal format.
■ To apply the policy to a range of IP addresses, select Address Range, and then type
the first and last IP addresses in the range in the IP Address Range fields.
■ To apply the policy to an IP address on a subnet, select Network Address /
#NetworkBits (CIDR), and then type the IP address and mask. The mask is the
network identifier, and is a number from 1 to 32.
Example: 128.8.27.18 / 16
■ To apply the policy to an Address Name, Address Group, or Dynamic Address
Name, select Specify Network Object, click Add, and then select an item from the
appropriate list.
Note: Click Configure on the Add window to create a new address Network Object.

Task 4: Select a source port
To select a source port:

1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Settings.
3. Select the Source Port tab.
4. Specify the source port as follows:
■ To apply the policy to any port or service, select Any.
■ To apply the policy to one port or service, select Single Port, and then type the port
number in the Port Number field.
■ To apply the policy to a range of ports or services, select Port Range, and then type
the range of port numbers in the Port Range fields.

Task 5: Select a destination address
To select a destination address:

1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Settings.
3. Select the Destination Address tab.
4. Specify the destination IP address as follows:
■ To apply the policy to any IP address, select Any.
■ To apply the policy to one IP address, select Single IP Address, and then type the
IP address in the IP Address field. Use the dotted decimal format.
■ To apply the policy to a range of IP addresses, select Address Range, and then type
the first and last IP addresses in the range in the IP Address Range fields.
■ To apply the policy to an IP address on a subnet, select Network Address /
#NetworkBits (CIDR), and then type the IP address and mask. The mask is the
network identifier, and is a number from 1 to 32.
Example: 128.8.27.18 / 16
■ To apply the policy to an Address Name, Address Group, or Dynamic Address
Name, select Specify Network Object, click Add, and then select an item from the
appropriate list.
Note: Click Configure on the Add window to create a new Address Name, Address
Group, or Dynamic Address Name.

Task 6: Select a destination port
To select a destination port:

1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Settings.
3. Select the Destination Port tab.
4. Specify the destination port as follows:
■ To apply the policy to any port or service, select Any.
■ To apply the policy to one port or service, select Single Port, and then type the port
number in the Port Number field.
■ To apply the policy to a range of ports or services, select Port Range, and then type
the range of port numbers in the Port Range fields.
■ To apply the policy to a Port Name or Port Group, select Specify Network Object,
click Add, and then select a Port Name or Port Group from the appropriate list.
■ Click Configure on the Add window to create a new Port Name or Port Group.
5. Click OK.
6. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.
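The six tasks above define the fields the appliance matches a packet against. The following Python model is added here as an example; it is not the appliance's code and does not describe its internal implementation. It shows how an ordered Access Policy table evaluates a packet: the first enabled policy whose protocol, addresses and ports all match decides the action, so the Rule Order value determines the outcome when policies overlap, and a policy that has been added but not enabled is skipped. The address forms (Any, Single IP Address, Address Range, Network Address / #NetworkBits) and the rule that a port value requires TCP or UDP follow Tasks 2 to 6; the Drop result for traffic that matches no policy and the format of the log line are assumptions of the model.

```python
"""Ordered evaluation of access policies, modelled on the Access Policy table
(Table 56) and the address and port forms of Tasks 2 to 6. Added example
code; it is not the appliance's own implementation."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

TCP, UDP = 6, 17     # IANA protocol numbers, as entered on the Protocol tab


@dataclass
class Packet:
    protocol: int
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class AccessPolicy:
    """One row of the Access Policy table. Rule Order is its position in the list."""
    action: str                              # "Accept" or "Reject"
    enabled: bool = True
    log_enabled: bool = False
    comment: str = ""
    protocol: Optional[int] = None           # None = Any
    src: Optional[str] = None                # None = Any; single IP, "first-last" range, or CIDR
    sport: Optional[Tuple[int, int]] = None  # None = Any; (low, high); a single port is (p, p)
    dst: Optional[str] = None
    dport: Optional[Tuple[int, int]] = None

    def __post_init__(self) -> None:
        # A port value requires the TCP or UDP protocol (Task 2)
        if (self.sport or self.dport) and self.protocol not in (TCP, UDP):
            raise ValueError("port values require protocol TCP (6) or UDP (17)")


def address_matches(spec: Optional[str], addr: str) -> bool:
    """Any, Single IP Address, Address Range, or Network Address / #NetworkBits (CIDR)."""
    if spec is None:
        return True
    ip = ipaddress.ip_address(addr)
    if "-" in spec:                                   # Address Range: first-last
        low, high = (ipaddress.ip_address(p.strip()) for p in spec.split("-"))
        return low <= ip <= high
    if "/" in spec:                                   # CIDR; strict=False accepts "128.8.27.18 / 16"
        return ip in ipaddress.ip_network(spec.replace(" ", ""), strict=False)
    return ip == ipaddress.ip_address(spec)           # Single IP Address


def port_matches(spec: Optional[Tuple[int, int]], port: int) -> bool:
    return spec is None or spec[0] <= port <= spec[1]


def matches(policy: AccessPolicy, pkt: Packet) -> bool:
    return (policy.enabled                            # added but not enabled: not active
            and (policy.protocol is None or policy.protocol == pkt.protocol)
            and address_matches(policy.src, pkt.src)
            and port_matches(policy.sport, pkt.sport)
            and address_matches(policy.dst, pkt.dst)
            and port_matches(policy.dport, pkt.dport))


def evaluate(policies: List[AccessPolicy], pkt: Packet,
             log: List[str]) -> Tuple[str, Optional[int]]:
    """Return (action, rule order) of the first enabled policy that matches.

    The order value is what you correlate with a firewall alert. Traffic that
    matches no policy is reported here as Drop with no rule order; that default
    is an assumption of this model, not a statement from the guide.
    """
    for order, policy in enumerate(policies, start=1):
        if matches(policy, pkt):
            if policy.log_enabled:                    # Log Enabled writes one event per action
                log.append(f"rule {order} {policy.action} proto={pkt.protocol} "
                           f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} {policy.comment}")
            return policy.action, order
    return "Drop", None
```

With a Reject policy for TCP port 22 from 192.0.2.0/24 placed above an Accept policy for all TCP ports from the same range, an SSH packet from that range is rejected by rule 1; move the Accept policy up one position and the same packet is accepted by rule 1 instead. That is the situation the Rule Order column is meant to make visible when you troubleshoot an alert.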

Editing an access policy
To edit an access policy:

1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Settings.
3. Select the Access Policy tab.
4. Select the rule you want to edit.
5. Click Edit.
6. Make your changes.
7. Click OK.
8. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Copying and pasting an access policy
You can copy and paste an access policy before editing it. This is useful if you want to add
a policy that is similar to a policy already in the list. You can also copy and paste multiple
policies.

To copy and paste an access policy:

1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Settings.
3. Select the Access Policy tab.
4. Select the access policy you want to copy.
Note: To select multiple policies, press the CTRL key, and then select each policy. To
select a range of policies, press the SHIFT key, and then select the first and last policies
in the range.

5. Click the Copy icon.
6. Click the Paste icon.
The appliance copies the policy to the end of the list.
7. If necessary, edit the policy, and then click OK.
8. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Removing an access policy
To remove an access policy:

1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Settings.
3. Select the Access Policy tab.
4. Select the policy you want to remove, and then click Remove.
5. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.


About Proxy Redirection Rules


Introduction
Proxy redirection rules control the direction (inbound or outbound) of the network traffic
that the appliance scans for viruses and spam email. Some proxy redirection rules are
included by default. See “Default proxy redirection rules” on page 121. On the Proxy
Redirection Rules tab, you can do the following:

● add new proxy redirection rules
● edit or remove default proxy redirection rules

You can enable or disable protocols when you configure the antivirus software, but you
can use proxy redirection rules to specify the direction of the network traffic that the
appliance inspects on those protocols.

Prerequisites
You must do the following to successfully use proxy redirection rules:

● enable proxy redirection rules for enabled proxy settings
● enable proxy settings for enabled proxy redirection rules

Proxies you can configure
You can use proxy redirection rules to configure the following proxies to inspect network
traffic that is inbound or outbound:

● HTTP
● SMTP
● POP3
● FTP

For more information about proxies, see “Proxies” on page 104.

Default proxy redirection rules
The following table describes the proxy redirection rules enabled by default:

This proxy redirection rule...: Inspects this network traffic...

POP3OUTBOUND: Outbound POP3 traffic
SMTPINBOUND: Inbound SMTP traffic
SMTPOUTBOUND: Outbound SMTP traffic
FTPOUTBOUND: Outbound FTP traffic
FTPINBOUND: Inbound FTP traffic
HTTPOUTBOUND: Outbound HTTP traffic

Table 61: Default proxy redirection rules


Configuring Proxy Redirection Rules


Introduction
This topic contains procedures for configuring proxy redirection rules. For more
information about proxy redirection rules, see “About Proxy Redirection Rules” on
page 121.

Tips about editing entries in the Proxy Redirection Rules table
You can edit all fields in a Proxy Redirection Rule in the Edit Proxy Redirection Rules
window, or you can edit selected fields directly in the rules table.

To edit all fields in a table entry:

1. Select the rule.
2. Click Edit to display the Edit Proxy Redirection Rule window.

You can do the following directly in the policy table:

● Select or clear the Enabled checkbox.
● Select a direction from the Direction list.
● Select a proxy from the Proxy list.

Adding a proxy redirection rule
To add a proxy redirection rule:

1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Settings.
3. Select the Proxy Redirection Rules tab.
4. Click Add.
5. Type a meaningful name for this entry in the Name field.
Note: If you select a rule before clicking Add, the new rule that you create is added
above the selected rule. If no rule is selected, the new rule is added to the bottom of
the list.
6. To enable the rule, select the Enabled checkbox.
7. Choose one of the following directions for the proxy rule:
■ Inbound
■ Outbound
8. Type a meaningful description of the policy in the Comment field.
9. Select one of the following proxy types from the Proxy list:
■ HTTP
■ FTP
■ SMTP
■ POP3
10. Select the Source Address tab, and then select a source address or addresses.
11. Select the Destination Address tab, and then select a destination address or
addresses.
12. Select the Destination Port tab, and then type a port value in the Destination Port
field.

13. Click OK.
14. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Editing proxy redirection settings
You can edit some fields in the Proxy Redirection Rules table directly in the table. See
“Tips about editing entries in the Proxy Redirection Rules table” on page 122.

To edit a proxy redirection rule:

1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Settings.
3. Select the Proxy Redirection Rules tab.
4. Select the rule you want to edit.
5. Click Edit.
Note: You can select or clear the Enabled checkbox directly in the policy table.
6. Make your changes.
7. Click OK.
8. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Copying and pasting a proxy redirection rule
You can copy and paste a proxy redirection rule before editing it. This is useful if you want
to add a rule that is similar to a rule already in the list. You can also copy and paste
multiple rules.

To copy and paste a proxy redirection rule:

1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Settings.
3. Select the Proxy Redirection Rules tab.
4. Select the rule you want to copy.
Note: To select multiple rules, press the CTRL key, and then select each rule. To select a
range of rules, press the SHIFT key, and then select the first and last rules in the range.

5. Click the Copy icon.
6. Click the Paste icon.
The appliance copies the rule to the end of the list.
7. If necessary, edit the rule, and then click OK.
8. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.


Removing a proxy redirection rule
To remove a proxy redirection rule:

1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Settings.
3. Select the Proxy Redirection Rules tab.
4. Select the rule you want to remove.
5. Click Remove.
6. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Chapter 9

NAT Policies

Overview
Introduction
This topic describes Network Address Translation (NAT), and provides procedures for
configuring NAT policies with your appliance.

In this chapter
This chapter contains the following topics:

Topic: Page

NAT Overview: 126
About NAT Policies: 129
Configuring Source NAT Rules: 130
Configuring Destination NAT Rules: 133
Setting NAT Configurations: 136
Port Forwarding: 141

Chapter 9: NAT Policies

NAT Overview
Why use NAT?
Network Address Translation (NAT) policies specify how the firewall translates IP
addresses for inbound and outbound network traffic when you enable NAT. With the
explosion of the Internet and the increasing number of home and business networks, there
are not enough public IP addresses for all the networks that need them.

● Public IP addresses can route traffic over the public network, and are assigned by
your ISP from an allocation pool distributed by Internet Assigned Numbers Authority
(IANA). See “IANA” on page 440.
● Private IP addresses can only route traffic on an internal network.

The device can “translate” public and private IP addresses so that one public IP address
can represent an entire group of computers with private IP addresses.

Note: You can also use routing to add, edit, or remove a static route for networks behind a
firewall. See “Routing” on page 318. See “About NAT Policies” on page 129.

About IP packets
An IP packet contains the information sent from one computer to another. When a
computer inside your network with a non-routable address sends a packet to a computer
outside your network, the IP packet header contains the following information:

● the source address
● the source port
● the destination address
● the destination port

The addresses specify the two computers at each end, and the port numbers ensure that
the connection between the two computers has a unique identifier. The combination of
these four numbers defines a single TCP/IP connection.

When you set up NAT, you specify the address and port values that the appliance uses to
identify which packets to translate and how to translate them.

Routable and non-routable IP addresses
NAT uses routable and non-routable addresses to translate and deliver network packets.
The following table describes routable and non-routable IP addresses:

IP Address Type: Description

Routable:
• also known as public or “registered” addresses
• assigned to your company by your ISP
• are unique
• used to route network traffic over the Internet

Non-routable:
• also known as private or “unregistered” addresses
• are not assigned to your company, but are determined by you
• are not unique
• cannot be used to route traffic over the Internet
• can be used by computers on your network to communicate with each other inside
the network
• may belong to one of the IP address classes commonly used for networking

Table 62: IP address types

NAT allows the appliance to translate your non-routable IP addresses to routable ones, so
that computers inside your network can use the Internet to communicate with outside
computers and servers.

Note: For more information about commonly used non-routable IP addresses (private IP
addresses), see the “Address Allocation for Private Internets” document at
http://www.ietf.org/rfc/rfc1918.txt?number=1918.

What can I do with NAT?
You can use NAT to:

● hide your internal network IP addresses from the external public network (Internet)
● maximize the number of routable (registered) IP addresses on your network
● easily administer IP address changes on your network without physically changing
each IP address

How does NAT work?
The following table describes how the appliance uses NAT when a computer inside your
network attempts to connect with a computer outside your network.

Stage: Description

1: Set up an internal network (or stub domain) with non-routable IP addresses.
These addresses are non-routable because they are not unique.

2: Place a Proventia appliance on your network.

3: Set up NAT, and use the routable IP addresses allocated to you by your ISP as
the local addresses on your appliance. These are the external addresses visible
to the public network.

4: A computer on your network attempts to communicate outside the network, and
the appliance intercepts the packet.

5: The appliance checks the address translation table for the destination address.
Note: In a NAT policy, you can define which destination addresses the appliance
accepts. You can specify single addresses, groups or ranges of addresses, or all
addresses.

6: The appliance does one of the following:
• If the appliance finds an entry for the destination address, then it translates
the original IP address in the packet to a routable IP address, and forwards
the packet to its destination outside the network.
• If the appliance does not find an entry for the destination address, it drops
the packet.

7: When a packet comes back from the destination computer, the appliance checks
the address translation table for the incoming address on the packet to
determine which computer inside the network should receive the packet. The
appliance does one of the following:
• If the appliance finds a match in the table, it translates the incoming address
to the non-routable internal address, and forwards the packet to the
computer inside the network.
• If the appliance does not find a match, it drops the packet.

8: The process repeats as long as the internal computer is communicating outside
the network.

Table 63: Stages of NAT

What about reverse NAT?
Reverse NAT translates routable IP addresses to internal, non-routable IP addresses for
inbound network traffic. You can configure reverse NAT, or inbound NAT, by creating
Destination NAT Rules. See “Configuring Destination NAT Rules” on page 133.

Static and dynamic NAT
The following table describes static and dynamic NAT:

NAT Type: Description

Static: Static NAT maps a non-routable IP address to a routable IP address on a
one-to-one basis. A computer's non-routable IP address will always translate to the
same routable IP address.

Dynamic: Dynamic NAT maps a non-routable IP address to a routable IP address from a
group or range of routable IP addresses. The appliance translates the computer's
non-routable IP address to the first available routable IP address in the assigned
group or range. Dynamic NAT has several variations, and can operate on a many-to-one
or a many-to-many basis.

Table 64: Static and dynamic NAT

Dynamic NAT and DHCP
Dynamic NAT is often used with DHCP. You can select a range of non-routable IP
addresses for your internal network, and use DHCP to distribute them as necessary.
DHCP allows you to accommodate growth on your network by increasing the number of
non-routable IP addresses.

Note: You can configure DHCP on the Service Configuration page. See “About DHCP”
on page 321.


About NAT Policies


Introduction
NAT policies specify how the firewall translates IP addresses for inbound and outbound
network traffic when you enable NAT.

Note: You can also use routing to add, edit, or remove a static route for networks behind a
firewall. See “Routing” on page 318.

About reverse NAT
In previous firmware versions, you could configure reverse NAT to hide non-routable IP
addresses behind routable IP addresses for unsolicited inbound traffic. In this firmware
version, you can use Destination NAT Rules to configure NAT for inbound network
traffic. See “Configuring Destination NAT Rules” on page 133.

Recommendations
Be careful when you configure NAT, because an incorrect NAT configuration could cause
network communication to fail. ISS recommends the following when you use NAT:

● When you create a One-to-One NAT Configuration, the non-routable IP addresses
and NAT addresses must be equivalent in number.
Note: If you have ten hosts on your corporate network, but set up only two translated
IP addresses for NAT, then only two users can access the Internet at the same time.
● Do not use address groups with One-to-One NAT.
● Port translation is not supported for One-to-One NAT Configurations.
● You cannot use a Many-to-Many NAT Configuration with a Destination NAT Rule.
● You cannot use a dynamic interface with a Destination NAT Rule. If you create a
Many-to-One NAT configuration and select a dynamic interface, that NAT entry will
not appear as an option in the NAT Configuration Item list in the Translated Address
area of the Destination NAT Rule window.
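The stages in Table 63, the static and dynamic modes in Table 64 and the One-to-One sizing recommendation above can be seen together in the following Python model, which is added here as an example and is not the appliance's own code. SourceNat keeps the address translation table: an outbound packet from the internal network whose destination the policy accepts gets a translated source (stage 6), a reply is looked up and reversed (stage 7), and anything without a table entry is dropped. In one-to-one mode each host is pinned to one pool address and ports are left alone, so with two pool addresses only two hosts get out, which is the ten hosts / two addresses situation described above. Many-to-one mode distinguishes hosts behind a single routable address by a translated source port; that port allocation is a simplification assumed here, since the guide does not describe how the appliance does it. The check that a reply comes from the peer that was actually contacted is also an addition of this model, not a statement from the guide.

```python
"""Source NAT model: the translation-table stages of Table 63, the static and
dynamic modes of Table 64, and the One-to-One pool-size caveat under
"Recommendations". Added example code; it is not the appliance's own code."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class SourceNat:
    """Translates the non-routable source addresses of outbound packets.

    mode "one-to-one": static NAT; each internal host is pinned to one routable
    address from the pool, so the pool must be as large as the number of hosts.
    mode "many-to-one": dynamic NAT behind one routable address; hosts are told
    apart by a translated source port (an assumption of this model).
    """

    def __init__(self, mode: str, pool: List[str], internal_net: str,
                 destinations: Optional[List[str]] = None) -> None:
        if mode not in ("one-to-one", "many-to-one"):
            raise ValueError("mode must be 'one-to-one' or 'many-to-one'")
        self.mode = mode
        self.pool = list(pool)
        self.internal_net = ipaddress.ip_network(internal_net)
        # Destination addresses the NAT policy accepts (None = Any), see stage 5
        self.destinations = ([ipaddress.ip_network(d) for d in destinations]
                             if destinations else None)
        self.static: Dict[str, str] = {}      # internal addr -> routable addr (one-to-one)
        # translated (addr, port) -> (internal addr, internal port, peer addr, peer port)
        self.table: Dict[Tuple[str, int], Tuple[str, int, str, int]] = {}
        self.next_port = 40000                # constructed starting point for translated ports

    def _destination_allowed(self, dst: str) -> bool:
        if self.destinations is None:
            return True
        ip = ipaddress.ip_address(dst)
        return any(ip in net for net in self.destinations)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Stages 4 to 6: intercept the packet, look up the destination, translate or drop."""
        if ipaddress.ip_address(pkt.src) not in self.internal_net:
            return None                       # not an internal host: nothing to translate
        if not self._destination_allowed(pkt.dst):
            return None                       # stage 6: no entry for the destination, dropped
        if self.mode == "one-to-one":
            if pkt.src not in self.static:
                if len(self.static) >= len(self.pool):
                    return None               # pool exhausted: this host cannot reach the Internet
                self.static[pkt.src] = self.pool[len(self.static)]
            new_src, new_port = self.static[pkt.src], pkt.sport   # no port translation
        else:
            new_src, new_port = self.pool[0], self.next_port
            self.next_port += 1
        self.table[(new_src, new_port)] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return Packet(new_src, new_port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Stage 7: reverse the translation for a reply, or drop the packet."""
        entry = self.table.get((pkt.dst, pkt.dport))
        if entry is None:
            return None                       # no match in the table: dropped
        orig_src, orig_port, peer, peer_port = entry
        if (pkt.src, pkt.sport) != (peer, peer_port):
            return None                       # only the peer that was contacted may reply
        return Packet(pkt.src, pkt.sport, orig_src, orig_port)
```

The destinations list plays the role of the destination addresses a NAT policy accepts: a packet to an address outside that list never gets a table entry and is dropped at stage 6, exactly as an unsolicited inbound packet with no table match is dropped at stage 7.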


Configuring Source NAT Rules


Introduction
This topic describes the procedures for configuring Source NAT Rules. Source NAT rules
translate internal, non-routable IP addresses to unique, routable IP addresses for
outbound network traffic. Source NAT Rules let computers inside your network
communicate with computers on the public network.

Adding a Source NAT Rule
To add a Source NAT Rule:

1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Settings.
3. Select the NAT Policy tab.
4. Select the Source NAT Rules tab.
5. Click Add.
Note: If you select a rule before clicking Add, the new rule that you create is added
above the selected rule. If no rule is selected, the new rule is added to the bottom of
the list.
6. Type a meaningful name for this entry in the Name field.
7. To enable the rule, select the Enabled check box.
8. Type a meaningful description of the policy in the Comment field.
9. Select the Protocol tab, and then select a protocol.
Note: If you specify a port value in the rule, then you must select either TCP or UDP.
10. Select the Source Address tab, and then select a source IP address or addresses.
11. Select the Destination Address tab, and then select a destination IP address or
addresses.
12. Select the Destination Port tab, and then select a destination port.
13. Select the Translated Address tab.
14. Do one of the following:
■ To translate the Local Address to a NAT Configuration, select NAT Configuration
Item, and then select a configuration from the Item Name list.
■ To translate the Local Address to an IP address, select Single IP Address, and then
type the address in the Single IP Address field.
■ To translate the Local Address to the IP address of an appliance interface, select IP
Address of a Specific Interface, and then select an interface from the list.
15. Click OK.
16. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Editing a Source NAT Rule
To edit a Source NAT Rule:

1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Settings.
3. Select the NAT Policy tab.
4. Select the Source NAT Rules tab.
5. Select the rule you want to edit.
6. Click Edit.
Note: You can select or clear the Enabled checkbox directly in the policy table.
7. Make your changes to the rule and then click OK.
8. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Copying and pasting a Source NAT Rule
You can copy and paste a Source NAT rule before editing it. This is useful if you want to
add a rule that is similar to a rule already in the list. You can also copy and paste multiple
rules.

To copy and paste a Source NAT Rule:

1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Settings.
3. Select the NAT Policy tab.
4. Select the Source NAT Rules tab.
5. Select the rule you want to copy.
Note: To select multiple rules, press the CTRL key, and then select each rule. To select a
range of rules, press the SHIFT key, and then select the first and last rules in the range.

6. Click the Copy icon.

7. Click the Paste icon.


The appliance copies the rule to the end of the list.
8. If necessary, edit the rule, and then click OK.
9. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Removing a Source NAT Rule

To remove a Source NAT Rule:
1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Settings.
3. Select the NAT Policy tab.
4. Select the Source NAT Rules tab.
5. Select the rule you want to remove.
6. Click Remove, and then click OK.

Proventia M Series Appliances User Guide Release 2.3 131


Chapter 9: NAT Policies

7. Do one of the following:


■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Configuring Destination NAT Rules


Introduction

This topic describes the procedure for configuring Destination NAT Rules. Destination NAT rules translate routable IP addresses to internal, non-routable IP addresses for inbound network traffic. They can also translate the destination port of a TCP or UDP packet to another port. Destination NAT rules prevent non-routable IP addresses in your network from appearing to users outside the network.

Recommendations

Be careful when you configure NAT, because an incorrect NAT configuration can cause network communication to fail. ISS recommends that you keep the following restrictions in mind when you use NAT:

● You cannot use a Many-to-Many NAT Configuration with a Destination NAT Rule.
● You cannot use a dynamic interface with a Destination NAT Rule. If you create a Many To One NAT Configuration and select a Dynamic Interface, that NAT entry does not appear as an option in the NAT Configuration Item list in the Translated Address area of the Destination NAT Rule window.

Adding a Destination NAT Rule

To add a Destination NAT Rule:

1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Settings.
3. Select the NAT Policy tab.
4. Select the Destination NAT Rules tab.
5. Click Add.
Note: If you select a rule before clicking Add, the new rule that you create is added
above the selected rule. If no rule is selected, the new rule is added to the bottom of
the list.
6. Type a meaningful name for this entry in the Name field.
7. To enable the rule, select the Enabled check box.
8. Type a meaningful description of the policy in the Comment field.
9. Select the Protocol tab, and then select a protocol in the Protocol area.
Note: If you specify a port value in the rule, then you must select either TCP or UDP.
10. Select the Source Address tab, and then select a source IP address or addresses.
11. Select the Destination Address tab, and then select a destination IP address or
addresses.
12. Select the Destination Port tab, and then select a destination port.
13. Select the Translated Address tab.
14. Do one of the following:
■ To translate the Local Address to a NAT Configuration, select a NAT Configuration
item, and then select a configuration from the Item Name list.
■ To translate the Local Address to an IP address, select Single IP Address, and then
type the address in the Single IP Address field.
15. Select the Translated Port tab.
16. Do one of the following:
■ To leave the port number as is, select Same As Incoming Port.

■ To translate the Incoming Port to a different port, select Single Port, and then type
the port value in the Single Port field.
17. Click OK.
18. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Editing a Destination NAT Rule

To edit a Destination NAT Rule:

1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Settings.
3. Select the NAT Policy tab.
4. Select the Destination NAT Rules tab.
5. Select the rule you want to edit.
6. Click Edit.
Note: You can select or clear the Enabled checkbox directly in the policy table.
7. Make your changes to the rule and then click OK.
8. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Copying and pasting a Destination NAT Rule

You can copy and paste a Destination NAT rule before editing it. This is useful if you want to add a rule that is similar to a rule already in the list. You can also copy and paste multiple rules.

To copy and paste a Destination NAT Rule:

1. In the navigation pane, click + to expand the Firewall/VPN node.


2. Select Settings.
3. Select the NAT Policy tab.
4. Select the Destination NAT Rules tab.
5. Select the rule you want to copy.
Note: To select multiple rules, press the CTRL key, and then select each rule. To select a
range of rules, press the SHIFT key, and then select the first and last rules in the range.

6. Click the Copy icon.

7. Click the Paste icon.


The appliance pastes the rule to the end of the list.
8. If necessary, edit the rule, and then click OK.
9. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Removing a Destination NAT Rule

To remove a Destination NAT Rule:

1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Settings.
3. Select the NAT Policy tab.
4. Select the Destination NAT Rules tab.
5. Select the rule you want to remove.
6. Click Remove, and then click OK.
7. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Setting NAT Configurations


Introduction

This topic explains how to configure the NAT policy. Create, edit, or remove NAT configurations on the NAT Policy tab. This topic includes procedures for the following tasks:

● creating a many-to-one NAT configuration


● creating a one-to-one NAT configuration
● creating a many-to-many NAT configuration
● editing a NAT configuration
● removing a NAT configuration

Reference: For more information, see “About Access Policies” on page 112 and “Firewall/
VPN Protection Status Page” on page 106.

Default NAT Configuration

The HideasEth1 NAT configuration is enabled by default. This Many-to-One configuration translates all non-routable IP addresses to the IP address of the eth1 interface.

Caution: If you use the high availability feature, you must edit the HideasEth1 NAT
Source Rule. On the Translated Address tab, change the IP address entry to the virtual IP
address for the HA cluster.

Creating a Many-to-One NAT configuration

To create a NAT Configuration to translate one external IP address for many non-routable original addresses:
1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Settings.
3. Select the NAT Policy tab.
4. Select the NAT Configuration tab.
5. Click Add.
6. Type a meaningful name for this entry in the Name field.
7. Select Many To One NAT.
8. Do you want to translate to a static IP address?
■ If yes, select Static IP Address, and then type the IP address in the NAT IP Address
field.
Note: The static IP address does not have to correspond to a computer in your
network. However, your Internet Service Provider (ISP) must have a route to your
network for that IP address.
■ If no, select Dynamic Interface, and then select the interface name from the list.
9. Click OK.
10. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Creating a One-to-One NAT configuration

To create a NAT Configuration to translate one external IP address for each non-routable original address:
1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Settings.
3. Select the NAT Policy tab.
4. Select the NAT Configuration tab.
5. Click Add.
6. Type a meaningful name for this entry in the Name field.
7. Select One To One / Many To Many NAT.
8. Select the type of One To One from the list.
9. Do one of the following:

If you want to...                 Then do this...

Use IP address ranges:
   1. In the Original Address Range area, select IP Address Range.
   2. Type the first non-routable address in the first IP Address Range field, and then type the second non-routable address in the second IP Address Range field.
   3. In the Translated Address Range area, select IP Address Range.
   4. Type the first translated address in the first IP Address Range field, and then type the second translated address in the second IP Address Range field.

Use Address Name network objects:
   1. In the Original Address Range area, select Address Range List Entry, and then select a non-routable address entry from the list.
   2. In the Translated Address Range area, select Address Range List Entry, and then select a translated address entry from the list.
   Note: The Address Name entries must be for a single address only. A range of addresses does not work for One To One NAT.
   3. Click Configure to add or edit an Address Name network object.

Use Address Group network objects:
   1. In the Original Address Range area, select Address Group, and then select a non-routable address entry from the list.
   2. In the Translated Address Range area, select Address Group, and then select a translated address entry from the list.
   3. Click Configure to add or edit an Address Group network object.

Use Dynamic Address Names:
   1. In the Original Address Range area, select Dynamic Address Name, and then select a non-routable address entry from the list.
   2. In the Translated Address Range area, select Dynamic Address Name, and then select a translated address entry from the list.
   3. Click Configure to add or edit an Address Name network object.

10. Click OK.


11. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Creating a Many-to-Many NAT Configuration

To create a NAT Configuration to translate a range of external IP addresses for a range of non-routable original addresses:
1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Settings.
3. Select the NAT Policy tab.
4. Select the NAT Configuration tab.
5. In the NAT Configuration area, click Add.
6. Type a meaningful name for this entry in the Name field.
7. Select One To One / Many To Many NAT.
8. Select the type Many To Many from the list.
9. Do one of the following:

If you want to...                 Then do this...

Use IP address ranges:
   1. In the Original Address Range area, select IP Address Range.
   2. Type the first non-routable address in the first IP Address Range field, and then type the second non-routable address in the second IP Address Range field.
   3. In the Translated Address Range area, select IP Address Range.
   4. Type the first translated address in the first IP Address Range field, and then type the second translated address in the second IP Address Range field.

Use Address Name network objects:
   1. In the Original Address Range area, select Address Range List Entry, and then select a non-routable address entry from the list.
   2. In the Translated Address Range area, select Address Range List Entry, and then select a translated address entry from the list.
   3. Provide as many translated addresses as there are non-routable addresses. Click Configure to add or edit an Address Name network object.
   Example: If you have ten hosts on your corporate network, but set up only two translated IP addresses for NAT, then only two of those hosts can access the Internet at the same time.

Use Address Group network objects:
   1. In the Original Address Range area, select Address Group, and then select a non-routable address entry from the list.
   2. In the Translated Address Range area, select Address Group, and then select a translated address entry from the list.
   3. Click Configure to add or edit an Address Group network object.

Use Dynamic Address Names:
   1. In the Original Address Range area, select Dynamic Address Name, and then select a non-routable address entry from the list.
   2. In the Translated Address Range area, select Dynamic Address Name, and then select a translated address entry from the list.
   3. Click Configure to add or edit an Address Name network object.

10. Click OK.


11. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.
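The following Python model is added here as an illustration; it is not appliance code and not part of this guide. It shows the difference between the three NAT Configuration types created in the procedures above: a Many-to-One configuration hides every original address behind one translated address and tells flows apart by translated source port, a One-to-One configuration requires the original and translated ranges to be the same size, and a Many-to-Many configuration hands out translated addresses from a pool and cannot serve further hosts once the pool is exhausted (the ten-hosts, two-addresses case from the table). The host addresses, ranges and port numbers are constructed for the example.

```python
"""Model of Many-to-One, One-to-One and Many-to-Many NAT configurations.

Added example, not appliance code. Addresses and ports are constructed.
"""
from ipaddress import IPv4Address
from itertools import count


def addr_range(first, last):
    """Expand an inclusive IPv4 range, like the two IP Address Range fields."""
    lo, hi = int(IPv4Address(first)), int(IPv4Address(last))
    if lo > hi:
        raise ValueError("range start is after range end")
    return [str(IPv4Address(i)) for i in range(lo, hi + 1)]


class ManyToOneNAT:
    """All original addresses hide behind one translated address; flows are
    told apart by a per-flow translated source port (port overloading)."""

    def __init__(self, nat_ip, first_port=1024):
        self.nat_ip = nat_ip
        self._ports = count(first_port)
        self.table = {}          # (orig_ip, orig_port) -> (nat_ip, nat_port)

    def translate(self, orig_ip, orig_port):
        key = (orig_ip, orig_port)
        if key not in self.table:
            self.table[key] = (self.nat_ip, next(self._ports))
        return self.table[key]


class OneToOneNAT:
    """Each original address maps to exactly one translated address, so the
    two ranges must be the same size (the editor's single-address rule)."""

    def __init__(self, original, translated):
        if len(original) != len(translated):
            raise ValueError("One-to-One NAT needs equal-sized ranges")
        self.map = dict(zip(original, translated))

    def translate(self, orig_ip, orig_port):
        return (self.map[orig_ip], orig_port)


class ManyToManyNAT:
    """Original addresses draw a translated address from a pool on first use.
    With an empty pool, further hosts cannot be translated until one of the
    active hosts releases its address."""

    def __init__(self, original, translated):
        self.original = set(original)
        self.free = list(translated)
        self.map = {}

    def translate(self, orig_ip, orig_port):
        if orig_ip not in self.original:
            raise KeyError(f"{orig_ip} is not in the original address range")
        if orig_ip not in self.map:
            if not self.free:
                return None              # pool exhausted: this host must wait
            self.map[orig_ip] = self.free.pop(0)
        return (self.map[orig_ip], orig_port)

    def release(self, orig_ip):
        """Return a host's translated address to the pool when its flows end."""
        ip = self.map.pop(orig_ip, None)
        if ip is not None:
            self.free.append(ip)


def demo():
    hosts = addr_range("10.0.0.1", "10.0.0.10")          # ten internal hosts
    # Many-to-One: everything leaves as 203.0.113.1 with distinct ports.
    m2o = ManyToOneNAT("203.0.113.1")
    many_to_one = [m2o.translate(h, 40000) for h in hosts[:3]]
    # One-to-One: ten internal hosts need ten translated addresses.
    o2o = OneToOneNAT(hosts, addr_range("203.0.113.11", "203.0.113.20"))
    one_to_one = o2o.translate("10.0.0.4", 40000)
    # Many-to-Many with only two translated addresses: the third host gets None.
    m2m = ManyToManyNAT(hosts, addr_range("203.0.113.21", "203.0.113.22"))
    many_to_many = [m2m.translate(h, 40000) for h in hosts[:3]]
    m2m.release("10.0.0.1")                              # first host finishes
    after_release = m2m.translate("10.0.0.3", 40000)     # third host now served
    return many_to_one, one_to_one, many_to_many, after_release


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The None returned by ManyToManyNAT.translate is the model's way of showing the table's warning: a Many-to-Many pool smaller than the number of hosts silently limits how many of them can reach the Internet at once, so size the translated range to match the original range.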

Editing a NAT Configuration

To edit a NAT Configuration entry:
1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Settings.
3. Select the NAT Policy tab.
4. Select the NAT Configuration tab.
5. In the NAT Configuration area, select an entry from the list.
6. Click Edit.
7. Make your changes to the entry.
8. Click OK.
9. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Removing a NAT Configuration

To remove a NAT Configuration entry:
1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Settings.
3. Select the NAT Policy tab.
4. Select the NAT Configuration tab.
5. Select the entry you want to remove.
6. Click Remove.
7. Click OK.
8. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Port Forwarding
Introduction

You can configure your appliance to redirect all packets on a particular protocol or port to a specific IP address. This is known as port forwarding.

How is port forwarding different from NAT?

Port forwarding is similar to NAT, except that the appliance routes network traffic to an alternate port or port range instead of an alternate IP address or address range. Port forwarding works together with NAT, so that the appliance sends and receives network traffic using the firewall's public IP address, but redirects traffic to alternate services (ports) on your network.

Why use port forwarding?

You can use port forwarding to do the following:

● disguise a service (such as Telnet) from potential intruders outside your network, but still make the service available to users in your network
● make a Web server or other device available to remote users, without the added expense of obtaining extra IP addresses from your Internet Service Provider (ISP)

Example 1

Place an email server and a Web server behind an appliance firewall. The email server uses port 25 (SMTP) and the Web server uses port 80 (HTTP). Both servers are reached through the same IP address, the public address of the appliance firewall. You configure the firewall to route traffic on port 80 to the Web server and traffic on port 25 to the email server. Two different internal hosts provide two different services, but both use the appliance firewall IP address.

Example 2

The Telnet service normally listens on port 23. You want users on your network to be able to use Telnet on an internal server, but you don't want outsiders who might exploit the Telnet service to know that the appliance firewall accepts traffic on port 23. You identify an available port, such as 888, as a decoy port. You configure the appliance firewall to route traffic on port 888 to port 23 on the internal server. Users who want to use Telnet must know to use port 888 to access the internal server's Telnet service. Note that the decoy port hides the service only from casual connection attempts on port 23; a port scan still finds a listener on port 888, so combine the decoy port with an access policy that limits the source addresses allowed to reach it.

Requirements

Consider the following requirements when you use port forwarding:

● You must use a static IP address.
● To implement port forwarding, you must know the following information:
   ■ the IP address of the computer you will use as a server on your local network
   ■ the inbound port number, private port number, and protocol that correspond to the type of data that your server handles
   Note: If the server obtains its address from DHCP, you can determine the server IP address by checking the DHCP lease information. Reserve that address on the DHCP server so that the forwarding rule does not stop working when the lease changes.

Recommendations

Consider the following recommendations when you use port forwarding:

● Do not use well-known port numbers (1-1023), to avoid a conflict with a service running on the firewall.
● Check the IANA port number registry before choosing a port number, to avoid selecting a port that is commonly associated with a backdoor or trojan, or a port assigned to an obscure service.

Configuring Port Forwarding

To configure port forwarding:
1. Create a Many-to-One NAT Configuration with the following settings:
■ Select Static IP Address
■ Type the NAT IP Address
Note: This is the non-routable IP address, such as 192.168.100.6, to which the appliance sends the incoming packet after translation. If you are running a service such as HTTP, use the internal IP address of the Web server as the NAT IP address.
2. Create a Destination NAT Rule with the settings described in the following table:

For this setting... Do this...

Protocol Name Select the Protocol for the service you are configuring.
For the HTTP service in our example, the protocol is
TCP.

Source Address Select Any.

Destination Address Select Single IP Address, and then type the routable
external IP address, such as the IP address of your Web
server as listed in DNS.

Destination Port Select Port Name, and then select the service you are
configuring, such as HTTP.

Translated Address Select the Many to One NAT Configuration that you
configured in Step 1.

Translated Port Select Same as Incoming Port.

3. Create an access policy with the settings described in the following table:

For this setting...          Do this...

Action                       Select Allow.

Protocol Name                Select Protocol Name, and then select the service you are configuring. For the HTTP service in our example, the protocol is TCP.

Source Address               Select Any.

Source Port                  Select Any.

Destination Address          Select Single IP Address, and then type the routable external IP address, such as the IP address of your Web server as listed in DNS.

Destination Port             Select Port Name, and then select the service you are configuring, such as HTTP.

4. Repeat Steps 1 through 3 for each service that you want to configure.
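The following Python model is added as an illustration of the three-part setup above (Many-to-One NAT Configuration, Destination NAT Rule, access policy); it is not appliance code and not part of this guide. It runs a few constructed inbound packets through a rule table built from Example 1 (HTTP to a Web server) and Example 2 (decoy port 888 forwarded to Telnet on port 23) and shows which packets reach an internal host. Two things on this page are modelling assumptions rather than documented behaviour: the access policy is matched against the untranslated packet (which is why the table above uses the external address as the policy's Destination Address), and the first matching entry in each list wins. The source-address restriction on the decoy-port policy is an added hardening step, and every address, port and rule name is constructed.

```python
"""Model of port forwarding: Many-to-One configuration + Destination NAT Rule
+ access policy. Added example, not appliance code; values are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional

ANY = "Any"                      # the editor's "Any" choice for a source address


@dataclass(frozen=True)
class Packet:
    proto: str                   # "TCP" or "UDP"
    src: str
    dst: str
    dport: int


@dataclass
class ManyToOneConfig:
    """Step 1: NAT Configuration whose Static IP Address is the internal server."""
    name: str
    nat_ip: str


@dataclass
class DestinationNATRule:
    """Step 2: Destination NAT Rule. translated_port None = Same As Incoming Port."""
    name: str
    enabled: bool
    proto: str
    src: str
    dst: str                     # routable external address, as listed in DNS
    dport: int
    translated: ManyToOneConfig
    translated_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.enabled and self.proto == p.proto
                and self.src in (ANY, p.src)
                and self.dst == p.dst and self.dport == p.dport)

    def apply(self, p: Packet) -> Packet:
        port = p.dport if self.translated_port is None else self.translated_port
        return Packet(p.proto, p.src, self.translated.nat_ip, port)


@dataclass
class AccessPolicy:
    """Step 3: access policy, written against the external address and port."""
    action: str                  # "Allow" or "Deny"
    proto: str
    src: str
    dst: str
    dport: int

    def matches(self, p: Packet) -> bool:
        return (self.proto == p.proto and self.src in (ANY, p.src)
                and self.dst == p.dst and self.dport == p.dport)


def process_inbound(p: Packet, policies: List[AccessPolicy],
                    rules: List[DestinationNATRule]) -> Optional[Packet]:
    """Return the packet as delivered to the internal host, or None if dropped.

    Assumption: the policy is evaluated on the untranslated packet and the
    first matching entry wins in each list; nothing matching means deny.
    """
    for pol in policies:
        if pol.matches(p):
            if pol.action != "Allow":
                return None
            break
    else:
        return None              # no policy allowed it: default deny
    for rule in rules:
        if rule.matches(p):
            return rule.apply(p)
    return p                     # no DNAT rule: stays addressed to the firewall


def demo():
    public = "203.0.113.10"                          # external address in DNS
    web = ManyToOneConfig("web-internal", "192.168.100.6")
    telnet = ManyToOneConfig("telnet-internal", "192.168.100.7")
    rules = [
        # Example 1: HTTP to the Web server, Same As Incoming Port.
        DestinationNATRule("http-forward", True, "TCP", ANY, public, 80, web),
        # Example 2: decoy port 888 on the outside, Telnet (23) on the inside.
        DestinationNATRule("telnet-decoy", True, "TCP", ANY, public, 888, telnet, 23),
    ]
    policies = [
        AccessPolicy("Allow", "TCP", ANY, public, 80),
        # Assumed hardening: only one administrative host may use the decoy port.
        AccessPolicy("Allow", "TCP", "198.51.100.5", public, 888),
    ]
    return (
        process_inbound(Packet("TCP", "198.51.100.77", public, 80), policies, rules),
        process_inbound(Packet("TCP", "198.51.100.5", public, 888), policies, rules),
        process_inbound(Packet("TCP", "198.51.100.77", public, 888), policies, rules),
        process_inbound(Packet("TCP", "198.51.100.77", public, 23), policies, rules),
    )


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The fourth packet (port 23 straight at the public address) is dropped because no policy allows it, which is what the decoy arrangement relies on; the third shows why the source restriction matters, since without it any scanner that finds port 888 would be forwarded to the Telnet service.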

Chapter 10

VPN Settings

Overview
Introduction This chapter provides information on how and when to use Virtual Private Networks
(VPN), the configuration tasks associated with configuring VPN, and procedures for
using the new VPN Wizards to configure your VPN for use with the following:

● SoftRemote VPN Client to M Series Appliance


● M Series to M Series Appliance
● Windows 2000 and XP to M Series Appliance

In this chapter This chapter contains the following topics:

Topic Page

About Virtual Private Networks 144

Process Overview for Configuring VPN 147

Configuring a VPN Users List 148

Configuring an L2TP/IPSEC VPN Connection 150

Configuring the L2TP IP Address Pool 152

Overview of VPN Wizards 153

Using the SoftRemote VPN Client to M Series Wizard 154

Using the M Series to M Series Wizard 156

Using the Windows 2000 and XP to M Series Wizard 159

Configuring the RADIUS Client 161



Chapter 10: VPN Settings

About Virtual Private Networks


Introduction

A Virtual Private Network (VPN) can provide network connectivity over great physical distance. In this respect, a VPN is a form of Wide Area Network (WAN).

The key feature of a VPN is its ability to use public networks, such as the Internet, rather than privately leased lines. VPN technologies implement restricted-access networks that use the same cabling and routers as a public network, and they do so without sacrificing features or basic security.

Using VPN

You can use a VPN to facilitate the following:

● remote access client connections
● LAN-to-LAN connections
● controlled access within an intranet

Note: For information about how to configure a VPN on your appliance, see “Process Overview for Configuring VPN” on page 147.

Note: When you create a VPN connection, remember that both peers must have the same settings to negotiate the VPN tunnel.

VPN Protocols

Several network protocols have become widespread as a result of VPN developments.

The VPN protocol defines the following:

● how the peers encapsulate the data packet
● how the peers authenticate each other
● how the peers exchange or derive encryption keys
● how the peers negotiate the VPN tunnel
● how the peers encrypt the data

Your Proventia M appliance supports a number of VPN protocols to connect one peer to another. The following protocols emphasize authentication and encryption in VPNs:

Protocol     Definition

PPTP         Point-to-Point Tunneling Protocol. A protocol for creating Virtual Private Networks (VPNs) by tunneling PPP sessions across an IP network. Because the Internet is essentially an open network, PPTP is used to protect messages transmitted from one VPN node to another. Its authentication and encryption are weaker than those of IPSEC, so prefer L2TP/IPSEC or IPSEC where the client supports them.

L2TP         Layer 2 Tunneling Protocol. An extension of the Point-to-Point Tunneling Protocol (PPTP) used by Internet service providers to operate a virtual private network over the Internet. L2TP does not include encryption, but is used with IPSEC by default to provide VPN connections from remote users to the corporate LAN. L2TP is included with most recent Microsoft operating systems.

IPSEC        A set of extensions to the IP protocol. It combines a number of technologies into a complete service, including ways to manage cryptographic keys and authenticate VPN peers at various levels.

Table 65: Network protocols for VPN

Appliance VPN components

The following table describes the VPN components you can configure on your appliance:

Component                Description

Security gateways        Defines a group of VPN settings to use when you establish IPSEC VPN connections

VPN advanced settings    Includes the RADIUS client configuration and VPN Users list

Network Objects          Defines shared network objects, including IP Address Groups and Names, Port Groups and Names, Dynamic Addresses and Names

Advanced parameters      Includes firewall and VPN advanced parameters

Table 66: Appliance VPN components

Tunneling Tunneling is the process of wrapping the original packet inside a new secure packet,
routing over a secure connection between two peers, and then unwrapping the packet at
its destination. The tunnel itself is the secure path through which the wrapped, or
encapsulated, packets travel.

When a packet is encapsulated inside a new packet, the new packet is encrypted and has
new addressing and routing information, which enables it to travel through a network.
The new packet travels through the network from one peer to another over a secure
connection inside the tunnel. After the encapsulated packet reaches its destination, the
receiving peer removes the outer packet, decrypts the original packet, and uses the
original packet header to route the packet to its final destination.

To the original source and destination peer, the tunnel is transparent and appears as just
another point-to-point connection in the network path. The peers are unaware of any
routers, switches, proxy servers, or gateway devices between the tunnel's beginning point
and end point.

When you combine tunneling with data encryption and authentication, third parties
listening on the network cannot read the original packet data, the original source, or the
destination.

VPN and IPSEC tunnels

Two types of tunnels use IPSEC to encapsulate network traffic over a VPN:

● IPSEC alone, which provides encapsulation for IP traffic only
● The combination of L2TP over IPSEC, which adds PPP user authentication and multiprotocol support. L2TP tunnels the data across a shared or public network such as the Internet, and IPSEC Encapsulating Security Payload (ESP) encrypts the data. L2TP over IPSEC can be used to tunnel IP or Internetwork Packet Exchange (IPX) traffic.

Security gateways

A VPN connects a remote peer to a gateway on your network. A gateway defines the security, protocol, and other VPN information required to establish the VPN tunnel. For your appliance, these gateways are called security gateways. A gateway can be a router, firewall, proxy server, or a security device such as your appliance. In this case, your appliance is the gateway device that stands between the outside Internet and the private network. Two gateways can also be used inside the private network to protect traffic across untrusted parts of the network (such as a DMZ). You can choose from four appliance security gateways, depending on the type of key management you want to use. For more information, see “About Security Gateways” on page 204.


VPN and high availability considerations

Consider the following restrictions before you enable the high availability feature on your appliance:
● If you run the Proventia Setup Utility when the HA feature is enabled, you cannot
modify network settings.
● After you enable HA, you cannot change network settings for either appliance in the
cluster. This restriction also applies to HA clusters that you may manage with
SiteProtector.
● If the primary appliance fails, it loses all existing connections. This is known as
"warm" failover. The primary appliance loses FTP, VPN and other TCP persistent
connections, and you must reconnect them on the secondary appliance. For HTTP
connections, refresh your browser or press F5 to regain the ability to create an Internet
connection.
● When you set up a security gateway with an IP address as the Local ID, you must use
the first virtual IP address for the interface as the Local ID value. Do not use any of the
following:
■ an alias
■ an IP address using a proxy ARP
■ the second or later virtual IP address
● If you use SiteProtector to manage your appliances and your secondary appliance is
already registered with a SiteProtector Agent Manager, you must unregister the
secondary appliance from SiteProtector after you enable HA.


Process Overview for Configuring VPN


Introduction

This topic describes the process for configuring VPN connections on your M Series appliance. You can configure your appliance as follows:

● using the VPN wizards
● creating the IPSEC and access policies manually

Prerequisite If you plan to use certificates, install your certificates before configuring VPN.

For more information, see “About Certificates” on page 224.

VPN task overview

Configuring a VPN connection is a six-task process as described in Table 67:

Task   Description                                    Reference

1      Configure your certificates, if needed         “About Certificates” on page 224

2      Configure your security gateway                “About Security Gateways” on page 204

3      Configure the Access policies                  “Configuring Access Policies” on page 116

4      Configure the IPSEC policies                   “Configuring IPSEC Policies” on page 200

5      Configure the VPN User List                    “Configuring a VPN Users List” on page 148

6      Configure your RADIUS client, if needed        “Configuring the RADIUS Client” on page 161

Table 67: VPN configuration tasks


Configuring a VPN Users List


Introduction

Configure the VPN users list by creating, editing, or removing entries on the VPN Advanced tab. The VPN users list is used to authenticate users when XAuth is enabled and configured to use generic authentication on the following security gateways:

● IPSEC Remote Client Security Gateway
● Auto Key IPSEC Security Gateway

Creating a VPN users entry

To create a VPN users list entry:
1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Settings.
3. Select the VPN Advanced tab.
4. Select the VPN Users tab.
5. Click Add.
6. Type the VPN user's name in the User Name field.
7. To set the user's password, click Set Password, and type the user's password.
8. Type the user's password in the Confirm Password field, and then click OK.
9. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Editing a VPN users entry

To edit a VPN users entry:
1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Settings.
3. Select the VPN Advanced tab.
4. Select the VPN Users tab.
5. Select the VPN user entry you want to edit.
6. Click Edit.
7. Continue as described in Steps 6 through 9 of the “Creating a VPN users entry” procedure.

Copying and pasting a VPN users entry

You can copy and paste a VPN users entry before editing it. This is useful if you want to add an entry that is similar to an entry already in the list. You can also copy and paste multiple user entries.

To copy and paste a VPN users entry:

1. In the navigation pane, click + to expand the Firewall/VPN node.


2. Select Settings.
3. Select the VPN Advanced tab.
4. Select the VPN Users tab.


5. Select the entry you want to copy.


Note: To select multiple entries, press the CTRL key, and then select each entry. To
select a range of entries, press the SHIFT key, and then select the first and last entries in
the range.

6. Click the Copy icon.

7. Click the Paste icon.


The appliance copies the entry to the end of the list.
8. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Removing a VPN users entry

To remove a VPN Users list entry:
1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Settings.
3. Select the VPN Advanced tab.
4. Select the VPN Users tab.
5. Select the VPN user entry to remove.
6. Click Remove.
7. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.


Configuring an L2TP/IPSEC VPN Connection


Introduction

You can configure an L2TP/IPSEC VPN connection between the appliance and a Windows 2000 or XP VPN client. The combination of L2TP for packet encapsulation and IPSEC for encryption, known as L2TP/IPSEC, is a highly secure technology for creating remote access VPN connections across public networks, such as the Internet.

Requirements

To configure an L2TP/IPSEC connection with a Windows 2000 or XP client, you must do the following:

● have a RADIUS server that authenticates user accounts and can return Framed configuration attributes (for example, Framed-IP-Address) to the appliance
● use either RSA or DSS signed certificates (you cannot use a Pre-Shared Secret)
● use a certificate that does not contain an entry for the User_FQDN PKI parameter (email address)
● install one of the following on the client:
   ■ the Microsoft hotfix at http://support.microsoft.com/?kbid=818043
   ■ Windows XP Service Pack 2
   Important: This Windows hotfix is included with Windows XP Service Pack 2. You must install this hotfix on a Windows 2000 or Windows XP client that connects to the appliance from behind a NAT device.


Tasks to configure an L2TP/IPSEC VPN connection  Complete the following tasks to configure an L2TP/IPSEC VPN connection to a Windows 2000 or XP client as described in Table 68:

Task  Description                                                   Reference
1     Install a certificate on your appliance from the Trusted      See “Installing a Trusted Certificate
      Certificate Authority that the client will obtain             Authority” on page 227.
      certificates from.
2     Request a certificate from a Certificate Authority and        See “Requesting a Self Certificate” on
      install it.                                                   page 229.
3     Configure the L2TP/IPSEC Remote Client Security Gateway.      See “Configuring an L2TP/IPSEC Remote
                                                                    Client Security Gateway” on page 218.
4     Configure the connection to the RADIUS server.                See “Enabling the RADIUS client and
                                                                    server” on page 162.
5     Configure the L2TP IP Address Pool.                           See “Configuring the L2TP IP Address
                                                                    Pool” on page 152.
6     Configure the RADIUS server to perform user validation and    See “Enabling the RADIUS client and
      return an IP address to assign to the remote end of the       server” on page 162.
      PPTP adapter.
      Note: For more information about configuring the RADIUS
      server commands, see your RADIUS software documentation.

Table 68: Tasks to configure an L2TP/IPSEC VPN connection

Reference: See “Configuring an L2TP/IPSEC Remote Client Security Gateway” on page 218,
and see “About Virtual Private Networks” on page 144.


Configuring the L2TP IP Address Pool


Introduction Configure the L2TP IP address pool on the VPN Advanced page. Use these IP addresses
when you create an L2TP/IPSEC VPN connection.

Configuring L2TP global settings  To configure L2TP global settings:

1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Settings.
3. Select the VPN Advanced tab.
4. Select the L2TP IP Pool tab.
5. Click Add.
6. Type the IP address range for the L2TP end points in the IP Range field.
7. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.


Overview of VPN Wizards


Introduction VPN wizards simplify the task of creating VPNs between your M Series appliance and
various VPN clients. The wizard uses the information you provide to automatically create
required firewall rules and other settings.

Note: The wizards contain default settings that are optimized for most networks. ISS
recommends that you accept the default settings.

Types of wizards  The following table describes each VPN wizard:

Wizard Name                          Description
SoftRemote VPN Client to M Series    Creates a VPN connection to the M Series appliance for users who
Wizard                               connect remotely using a SoftRemote VPN client.
M Series to M Series Wizard          Creates a VPN connection to the M Series appliance for another
                                     M Series appliance. This wizard only creates the VPN connection
                                     for its appliance. You must use each appliance's wizard to
                                     establish the VPN connection.
W2K and XP to M Series Wizard        Creates a VPN connection for users who connect remotely using a
                                     Windows 2000 or XP VPN client.

Table 69: Types of VPN wizards

Rules for using VPN wizards  Remember the following rules when you use the VPN wizards:

● You must save your changes before the appliance can create the VPN tunnel.
● Use the wizards to create a VPN connection. After you click Save Changes to
complete the wizard, the wizard creates the necessary access policies and other
settings.
● After the wizard creates the VPN connection, you must go to the corresponding tab on
the Firewall/VPN Settings page to edit or remove individual access policies, Security
Gateways, or Network Objects that the wizard created.
Note: See the topic for each wizard for a summary of access policies and other
settings it creates.
Note: If you use SiteProtector to manage your appliance, the same rules apply; after
you click OK to complete the wizard, the wizard creates the necessary access policies
and other settings. After the wizard creates the VPN connection, you must go to the
corresponding tab in SiteProtector to edit or remove individual access policies,
Security Gateways, or Network Objects that the wizard created.
Example: You use the Firewall/VPN M Series to M Series Wizard to create a VPN
connection. The wizard creates the necessary access policies and other settings. After
you complete the wizard, you want to edit an access policy that the wizard created. You
must go to the Access Policy tab on the Firewall/VPN Settings page to edit the access
policy.


Using the SoftRemote VPN Client to M Series Wizard


Introduction This topic describes how to establish a VPN connection between an M Series appliance
and a SoftRemote IPSEC VPN client using the VPN Wizard.

Note: The wizard contains default settings that are optimized for most networks. ISS
recommends that you accept the default settings.

What this wizard generates  After you complete the wizard and save your changes, the wizard creates Access and
IPSEC policies for the VPN connection. To remove the connection, you must use Proventia
Manager to remove each rule or policy individually. This wizard creates the following:

● one IPSEC policy
● two access policies

Note: After you click Save Changes to complete the wizard, the wizard creates the access
and IPSEC policies for the VPN connection. After the wizard creates the VPN connection,
you must go to the corresponding tab on the Firewall/VPN Settings page to edit or remove
the individual access policies or IPSEC policy that the wizard created.

Note: If you use SiteProtector to manage your appliance, the same rules apply; after you
click OK to complete the wizard, the wizard creates the access and IPSEC policies for the
VPN connection. After the wizard creates the VPN connection, you must go to the
corresponding tab in SiteProtector to edit or remove the individual access policies or
IPSEC policy that the wizard created. For more information, see your SiteProtector
documentation.

Procedures for the SoftRemote VPN wizard  To complete the Firewall/VPN SoftRemote VPN Client to M Series Wizard:

1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Click + to expand the VPN Wizards node.
3. Select SoftRemote VPN Client.
The Firewall/VPN SoftRemote VPN Client to M Series Wizard page appears.
4. Type a description of the policy in the Comment field.
5. In the Local Network Settings area, type the IP address and mask in the Local
Network IP Address/#Network Bits field. The mask is the network identifier, and is a
number from 1 to 32.
Example: 128.8.27.18 / 16
6. In the Remote User Authentication area, select the Authenticate Peer Users checkbox
to authenticate users on the remote peer.
7. In the IPSEC Remote Client Security Gateway Setting, New Security Gateway Name
area, type a meaningful name in the Name field.
8. In the VPN Address Pool area, specify up to three ranges of IP addresses, in dotted
decimal format, in the following fields:
■ Address Range 1 (specify the starting and ending IP addresses)
■ Address Range 2 (specify the starting and ending IP addresses)


■ Address Range 3 (specify the starting and ending IP addresses)
Note: The appliance uses these addresses to assign IP address ranges to SoftRemote
clients when establishing the VPN tunnel. These IP addresses cannot overlap any
existing IP addresses in your network.
9. In the Local ID area, type an IP address to use for authentication in the Local IP
Address field.
10. In the Remote ID area, type a fully qualified domain name in the FQDN (Fully
Qualified Domain Name) field.
Example: ima.user@iss.net
11. In the Authentication Method area, select the authentication mode from the
Authentication Mode list.
12. If you selected Pre-Shared Key as your authentication mode, type a text string in the
Pre-Shared Key field.
Note: Type a minimum of 8 alphanumeric characters in this field. Do not use
symbols. You must share this Pre-Shared Key with the VPN peers before they can
establish a VPN connection. Pre-Shared Key is not supported in Main mode.
13. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.


Using the M Series to M Series Wizard


Introduction This topic describes how to establish a VPN connection between two M Series appliances
using the Firewall/VPN M Series to M Series Wizard.

Note: The wizard contains default settings that are optimized for most networks. ISS
recommends that you accept the default settings.

Tasks for the M to M VPN wizard  You must complete the following tasks to complete the M Series to M Series Wizard:

Task  Description
1     Configure general settings
2     Configure local network settings
3     Configure remote network settings
4     Configure the VPN/Security Gateway settings

Table 70: M to M wizard tasks

What this wizard generates  After you complete the wizard and save your changes, the wizard creates Access and
IPSEC policies for the VPN connection. To remove the connection, you must use Proventia
Manager to remove each rule or policy individually. This wizard creates the following:

● one IPSEC policy
● two access policies

Note: After you click Save Changes to complete the wizard, the wizard creates the access
and IPSEC policies for the VPN connection. After the wizard creates the VPN connection,
you must go to the corresponding tab on the Firewall/VPN Settings page to edit or remove
the individual access policies or IPSEC policy that the wizard created.

Note: If you use SiteProtector to manage your appliance, the same rules apply; after you
click OK to complete the wizard, the wizard creates the access and IPSEC policies for the
VPN connection. After the wizard creates the VPN connection, you must go to the
corresponding tab in SiteProtector to edit or remove the individual access policies or
IPSEC policy that the wizard created. For more information, see your SiteProtector
documentation.

Task 1: Configure general settings  To configure the general settings:

1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Click + to expand the VPN Wizards node.
3. Select M Series to M Series.
4. Select the General tab.
5. Type a meaningful name for the policy in the Name field.
6. Type a description of the policy in the Comment field.
7. Check the Log Enabled checkbox to enable logging.


Task 2: Configure local network settings  To configure local network settings:

1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Click + to expand the VPN Wizards node.
3. Select M Series to M Series.
4. Select the Local Network tab.
To define the local network address, do one of the following:
■ To use one IP address, select Single IP Address, and then type the IP address in the
IP Address field. Use the dotted decimal format.
■ To use an IP address on a subnet, select Network Address / #NetworkBits (CIDR),
and then type the IP address and mask. The mask is the network identifier, and is a
number from 1 to 32.
Example: 128.8.27.18 / 16
■ To use an Address Name, select Address Name, and then select an item from the
list.
■ To use a Dynamic Address Name, select Dynamic Address Name, and then select
an item from the list.

Task 3: Configure remote network settings  To configure remote network settings:

1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Click + to expand the VPN Wizards node.
3. Select M Series to M Series.
4. Select the Remote Network tab.
To define the remote network address, do one of the following:
■ To use one IP address, select Single IP Address, and then type the IP address in the
IP Address field. Use the dotted decimal format.
■ To use an IP address on a subnet, select Network Address / #NetworkBits (CIDR),
and then type the IP address and mask. The mask is the network identifier, and is a
number from 1 to 32.
Example: 128.8.27.18 / 16
■ To use an Address Name, select Address Name, and then select an item from the
list.
■ To use a Dynamic Address Name, select Dynamic Address Name, and then select
an item from the list.

Task 4: Configure VPN Security Gateway settings  To configure Security Gateway settings:

1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Click + to expand the VPN Wizards node.
3. Select M Series to M Series.
4. Select the VPN tab.
5. Do you want to use an existing Security Gateway?
■ If yes, select Use Existing Auto Key IPSEC Security Gateway, and then select an
item from the Existing Security Gateway Name list.


■ If no, then go to Step 6.
6. Select Create New Auto Key IPSEC Security Gateway.
7. In the New Security Gateway Name area, type a meaningful name in the Name field.
8. In the Addresses area, type the local peer IP address in the Local IP Address field.
9. Type the remote peer IP address in the Remote IP Address field.
10. To select the type of data that the remote host sends to the local host for
authentication, select an item from the Remote ID Type list.
Options are shown in the following table:

ID Type        Description                               Example
IP Address     Dotted decimal format                     172.16.106.34
FQDN           Fully Qualified Domain Name               mycomputer.qatest.iss.net
User FQDN      User Fully Qualified Domain Name          ima.user@iss.net
DER ASN1 DN    /C (country)                              /C=US /S=GA /L=Atlanta /O=ISS
               /S (state or province)                    /OU=QA /CN=mycomputer
               /L (locality or city)
               /O (organization or business)
               /OU (organizational unit or department)
               /CN (common name)

11. In the Remote ID field, type the remote certificate information that corresponds to the
Remote ID Type you selected in Step 10.
12. In the Authentication Method area, select the authentication mode from the
Authentication Mode list. The options are as follows:
■ Pre-Shared Key
■ DSS Signed
■ RSA Signed
13. If you selected the Pre-Shared Key authentication mode, type a text string in the
Pre-Shared Key field.
Note: Type a minimum of 8 alphanumeric characters in this field. Do not use
symbols. You must share this Pre-Shared Key with the VPN peers before they can
establish a VPN connection. Pre-Shared Key is not supported in Main mode.
14. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.


Using the Windows 2000 and XP to M Series Wizard


Introduction This topic describes how to establish a VPN connection between an M Series appliance
and a Windows 2000 or XP VPN client using the VPN Wizard.

Note: The wizard contains default settings that are optimized for most networks. ISS
recommends that you accept the default settings.

What this wizard generates  After you complete the wizard and click Save Changes, the wizard creates Access and
IPSEC policies for the VPN connection. To remove the connection, you must use Proventia
Manager to remove each rule or policy individually. This wizard creates the following:

● one IPSEC policy
● two Access policies

Note: After you click Save Changes to complete the wizard, the wizard creates the access
and IPSEC policies for the VPN connection. After the wizard creates the VPN connection,
you must go to the corresponding tab on the Firewall/VPN Settings page to edit or remove
the individual access policies or IPSEC policy that the wizard created.

Note: If you use SiteProtector to manage your appliance, the same rules apply; after you
click OK to complete the wizard, the wizard creates the access and IPSEC policies for the
VPN connection. After the wizard creates the VPN connection, you must go to the
corresponding tab in SiteProtector to edit or remove the individual access policies or
IPSEC policy that the wizard created. For more information, see your SiteProtector
documentation.

Procedures for the Windows 2000 and XP VPN wizard  To complete the Firewall/VPN W2K and XP to M Series Wizard:

1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Click + to expand the VPN Wizards node.
3. Select W2k/XP to M Series.
4. Select the General tab.
5. In the General Settings area, type a meaningful name in the Name field.
Note: You can type up to 32 alphanumeric characters in this field.
6. Type a description of the policy in the Comment field.
Note: You can type up to 256 alphanumeric characters in this field.
7. Type the IP address that the appliance assigns to the local L2TP tunnel endpoint in the
L2TP End Point IP Address field.
Important: The L2TP End Point IP Address is the IP address for the appliance side of
the L2TP VPN tunnel. This IP address is the endpoint of the local VPN connection.
The L2TP endpoint IP address for the appliance must be a fixed, globally unique IP
address, and should not be in the L2TP IP Address Pool or used for any other
interface on the appliance.
Examples:
■ L2TP End Point IP Address: 192.168.2.1
■ L2TP IP Address Pool: 192.168.2.2-192.168.2.254.


8. Select an option from the Local Network ID Type list as shown in the following table:

ID Type        Description                               Example
IP Address     Dotted decimal format                     172.16.106.34
               Important: Use this option for most
               Windows L2TP/IPSEC clients.
FQDN           Fully Qualified Domain Name               companyserver.iss.net
User FQDN      User Fully Qualified Domain Name          ima.user@iss.net
DER ASN1 DN    /C (country)                              /C=US /S=GA /L=Atlanta /O=ISS
               /S (state or province)                    /OU=QA /CN=mycomputer
               /L (locality or city)
               /O (organization or business)
               /OU (organizational unit or department)
               /CN (common name)

9. In the Local Network ID field, type the local certificate information that corresponds
to the Local ID Type you selected from the table in Step 8.
Important: For most Windows L2TP/IPSEC clients, type the external IP address of
the appliance in this field.
10. In the Remote Client Settings area, select an option from the Remote ID Type list.
Important: For Windows L2TP/IPSEC clients that use dynamic IP addresses, select IP
Address from this list.
Note: Local ID Type and Remote ID Type have the same options. See table in Step 8.
11. In the Remote Client ID field, type the remote certificate information that
corresponds to the Remote ID Type you selected in Step 10.
Important: For Windows L2TP/IPSEC clients that use dynamic IP addresses, type
0.0.0.0 in this field. This Remote ID entry allows any IP address as the originating
peer of the IPSEC component of the VPN tunnel.
12. In the Authentication Settings area, select the authentication mode from the
Authentication Mode list.
Note: The authentication mode defines how the local peer identifies itself to the
remote peer. The options are as follows:
■ Pre-Shared Key
■ DSS Signed
■ RSA Signed
13. If you selected the Pre-Shared Key authentication mode, type a text string in the
Pre-Shared Key field.
Note: Type a minimum of 8 alphanumeric characters in this field. Do not use
symbols. You must share this Pre-Shared Key with the VPN peers before they can
establish a VPN connection. Pre-Shared Key is not supported in Main mode.
14. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.
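
The rules in Steps 7, 8, 10, 11 and 13 above (and the identical ID type table in Step 10 of the M Series to M Series Wizard) can be checked before the values go into the wizard. The following Python script is an added example, not code from the appliance or from ISS; its function names, the settings dictionary and the interface addresses in it are constructed for this example.

```python
"""Checks for values the Windows 2000 and XP to M Series Wizard asks for.

Added example, not code from the Proventia appliance or ISS. It encodes rules
the guide states: the L2TP End Point IP Address must not fall inside the L2TP
IP Address Pool or reuse another interface address; Local/Remote ID values
must fit their ID type (IP Address, FQDN, User FQDN, DER ASN1 DN); a
Pre-Shared Key needs 8 or more alphanumeric characters and no symbols.
"""
import ipaddress
import re
DN_COMPONENTS = ("C", "S", "L", "O", "OU", "CN")  # components listed for DER ASN1 DN
LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")  # one DNS label


def parse_dn(value):
    """Parse '/C=US /S=GA /L=Atlanta /O=ISS /OU=QA /CN=mycomputer' into a dict."""
    parts = [p.strip() for p in value.split("/") if p.strip()]
    if not parts:
        raise ValueError("empty DN")
    dn = {}
    for part in parts:
        key, sep, val = part.partition("=")
        key, val = key.strip(), val.strip()
        if not sep or key not in DN_COMPONENTS or not val:
            raise ValueError(f"bad DN component {part!r}")
        dn[key] = val
    return dn


def is_fqdn(value):
    labels = value.split(".")
    return len(labels) >= 2 and all(LABEL.match(label) for label in labels)


def validate_id(id_type, value):
    """True if value is well formed for the chosen Local/Remote ID type."""
    if id_type == "IP Address":
        try:
            ipaddress.IPv4Address(value)  # 0.0.0.0 is valid: any originating peer
            return True
        except ValueError:
            return False
    if id_type == "FQDN":
        return is_fqdn(value)
    if id_type == "User FQDN":
        user, sep, host = value.partition("@")
        return bool(sep and user) and is_fqdn(host)
    if id_type == "DER ASN1 DN":
        try:
            parse_dn(value)
            return True
        except ValueError:
            return False
    raise ValueError(f"unknown ID type {id_type!r}")


def check_l2tp_addresses(end_point, pool_start, pool_end, interface_addresses):
    """Return the problems found with the L2TP end point / IP pool combination."""
    problems = []
    ep = ipaddress.IPv4Address(end_point)
    start, end = ipaddress.IPv4Address(pool_start), ipaddress.IPv4Address(pool_end)
    if start > end:
        problems.append("L2TP IP Address Pool start is after its end")
    if start <= ep <= end:
        problems.append("L2TP End Point IP Address lies inside the L2TP IP Address Pool")
    if end_point in interface_addresses:
        problems.append("L2TP End Point IP Address is already used by another interface")
    return problems


def validate_wizard_settings(s):
    """Check a settings dict for the wizard; an empty list means nothing was found."""
    problems = check_l2tp_addresses(s["l2tp_end_point"], s["pool_start"],
                                    s["pool_end"], s["interface_addresses"])
    for side in ("local", "remote"):
        id_type, id_value = s[f"{side}_id_type"], s[f"{side}_id"]
        if not validate_id(id_type, id_value):
            problems.append(f"{side} ID {id_value!r} is not a valid {id_type}")
    if s["auth_mode"] == "Pre-Shared Key":
        key = s["pre_shared_key"]
        if len(key) < 8 or not key.isalnum():
            problems.append("Pre-Shared Key needs at least 8 alphanumeric characters, no symbols")
    return problems


# Constructed settings following the guide's examples (end point 192.168.2.1, pool 192.168.2.2-192.168.2.254, remote ID 0.0.0.0).
EXAMPLE_SETTINGS = {
    "l2tp_end_point": "192.168.2.1",
    "pool_start": "192.168.2.2",
    "pool_end": "192.168.2.254",
    "interface_addresses": ["203.0.113.10", "192.168.1.1"],  # constructed interfaces
    "local_id_type": "IP Address",
    "local_id": "203.0.113.10",  # external address of the appliance (constructed)
    "remote_id_type": "IP Address",
    "remote_id": "0.0.0.0",
    "auth_mode": "RSA Signed",
    "pre_shared_key": "",
}
```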


Configuring the RADIUS Client


Introduction If you configured an IPSEC Remote Client Security Gateway to use a RADIUS server for
authenticating user name/password pairs, then you must configure the RADIUS client to
allow the appliance to communicate with the RADIUS server. This topic describes how to
enable the Remote Authentication Dial-In User Service (RADIUS) client so that remote
users who require access to the network can authenticate themselves to the appliance. It
includes procedures for the following tasks:

● enabling the RADIUS client and configuring the primary server
● configuring a backup server

References: For more information about Firewall/VPN settings and authentication
policies, see “IKE SA information” on page 106, and “IKE Automatic Key Management”
on page 182.

How RADIUS works During the IKE/Xauth process, user-specific attributes can be retrieved if the user
credentials are validated by the RADIUS server/client. When you configure an IKE policy
to use a RADIUS server for authenticating user name/password pairs, then you must
configure the RADIUS client and server accordingly. Configuring the RADIUS client
allows the appliance to communicate with the RADIUS server.

Important: Your IKE XAuth authentication settings in Proventia Manager must be set to
Generic in order for PAP authentication to function properly.

Important: The RADIUS server must have “RADIUS_accept” enabled to ensure that the
IKE/Xauth messages are accepted and returned. Refer to your RADIUS server
documentation for specific instructions.

Requirements To enable RADIUS-based user authentication, you must do the following:

● Identify and configure the RADIUS server(s) to be used with Proventia M.
● Within the RADIUS server, configure which users will be authenticated.
● Configure the RADIUS Client available in Proventia M.
● Configure the IKE policy that will use Xauth to authenticate remote users via
RADIUS.

Note: The Proventia Integrated Security Appliance supports three methods for Xauth:

■ generic XAuth with local database
■ generic XAuth (PAP) with RADIUS
■ CHAP with RADIUS

Note: Refer to your RADIUS server documentation for specific configuration procedures.
Typical settings can be found in Configuring VPN from Proventia Integrated Security
Appliance to SoftRemote Systems or Configuring VPN from Proventia Integrated Security
Appliance to Proventia Integrated Security Appliance at
http://www.iss.net/support/documentation/proventia/fwvpn/.


Enabling the RADIUS client and server  This procedure describes how to enable the RADIUS client and configure your primary RADIUS server.

1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Settings.
3. Select the VPN Advanced tab.
4. Select the Radius Client Configuration tab.
5. Select Enabled.
6. Type the IP address of the primary RADIUS server in the Primary Server IP Address
field.
7. Type the subnet mask of the primary RADIUS server in the Primary Server Subnet
Mask field.
8. Select the authentication port of the primary RADIUS server from the Primary Server
Auth Port list.
9. Select the user account port of the primary RADIUS server from the Primary Server
Acct Port list.
Note: ISS recommends that you use the default port numbers, but the standard port
number from earlier versions is available in each list, if needed.
10. In the Secret with Primary Server field, specify a shared secret for the appliance to
use as a client when communicating to the RADIUS server.
Definition: A shared secret is proof of identity, which can be a certificate or a
pre-shared secret key.
11. Does your backup RADIUS server require a NAS ID?
■ If yes, type the NAS ID in the Backup Server NAS ID field.
■ If no, type 1 or 0 in the Backup Server NAS ID field.
Definition: Network Access Server (NAS) is a device providing temporary, on-
demand network access to users. This access is point-to-point using Public Switched
Telephone Network (PSTN) or Integrated Services Digital Network (ISDN) lines. A
NAS operates as a client of RADIUS. The client is responsible for passing user
information to designated RADIUS servers.
12. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Configuring a RADIUS backup server  This procedure describes how to configure a RADIUS backup server:

1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Settings.
3. Select the VPN Advanced tab.
4. Select the Radius Client Configuration tab.
5. Select Use Backup Server.
6. Type the IP address of the backup RADIUS server in the Backup Server IP Address
field.
7. Type the subnet mask of the backup RADIUS server in the Backup Server Subnet
Mask field.


8. Select the authentication port of the backup RADIUS server from the Backup Server
Auth Port list.
9. Select the user account port of the backup RADIUS server from the Backup Server
Acct Port list.
Note: ISS recommends that you use the default port numbers. However, the standard
port number from earlier versions is available in each list, if needed.
10. In the Secret with Backup Server field, specify a shared secret for the appliance to use
as a client when communicating to the RADIUS server.
11. Does your backup RADIUS server require a NAS ID?
■ If yes, type the NAS ID in the Backup Server NAS ID field.
■ If no, type 1 or 0 in the Backup Server NAS ID field.
12. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Chapter 11

Network Objects

Overview
Introduction This chapter provides information about and procedures for creating and using network
objects. Network objects allow you to manage data using categories of names, lists, and
groups. Configuration of Dynamic Address Lists is part of the firewall configuration
process. See “Process Overview for Configuring the Firewall” on page 108.

In this chapter This chapter contains the following topics:

Topic                                    Page
About Network Objects                    166
Configuring Address Groups               169
Configuring Address Names                171
Configuring Dynamic Address Lists        173
Configuring Dynamic Address Names        175
Configuring Port Groups                  177
Configuring Port Names                   179


Chapter 11: Network Objects

About Network Objects


Introduction Your appliance uses the same information, such as IP addresses and ports, for several
firewall access policies and VPN components. Previously, you entered this same data over
and over again for different components. Network objects allow you to create object
containers to share this data across multiple components, rather than entering the data
repeatedly. Configure network objects on the Firewall/VPN Network Objects page.

Caution: If you create an access policy that refers to dynamic settings (Dynamic Address
List and Dynamic Address Name), you must configure the Dynamic Address List. If you
do not configure this list, then the appliance cannot apply the access policy that
references the list.

Advantages of using network objects  The advantages of using network objects include the following:

● centralizes data entry to one location, so you can make changes only to the network
object instead of each instance of the data
● allows you to give an easily recognized name to an object
Example: 192.168.5.34 becomes Sales Web Server
192.168.5.35 - 192.168.5.45 becomes Atlanta Web Servers

Types of network objects  There are five types of Network Objects:

■ Address Name
■ Address Group
■ Port Name
■ Port Group
■ Dynamic Address Name
■ Dynamic Address List

Name and Group network object categories  The following table describes the two categories of network objects.

Network Object Category   Description                          Examples
Name                      Contains one or more firewall or     • an Address Name that contains a single IP
                          VPN elements                           address
                                                               • a Port Name that contains multiple port
                                                                 ranges
Group                     Can contain any of the following:    • an Address Group that contains a single
                          • one or more Name objects             Address Name
                          • one or more Group objects          • a Port Group that contains multiple Port
                                                                 Names and a nested Port Group

Table 71: Network object categories

Note: A network object can contain only elements of its type. For example, a Port Group
can contain only Port Names or other Port Groups.


Network object conventions  Remember the following conventions when you use network objects:

● The name of a network object cannot contain blank spaces.
● The name of a network object has a limit of 16 characters.
● Editing the name of a network object after saving it breaks any links to other network
objects or policies. You must go back and re-establish the connections using the new
name.
● You can nest Groups, so that a Group can contain other Groups or Names.

Network Objects and SiteProtector  You can use network objects to quickly manage firewall rules for multiple appliances
registered with SiteProtector. Refer to the SiteProtector documentation.

Dynamic network objects  You can create or change dynamic network object settings for both appliances in a group
in SiteProtector, or in Proventia Manager.

Caution: You must configure the Dynamic Address Lists for each appliance for the
firewall to function properly. Dynamic Addresses and Dynamic Address Names are
primarily used to manage an appliance registered with SiteProtector.

Default Dynamic Address Names  The following table describes the two default Dynamic Address Names:

Dynamic Address Name   Description
CORP                   The CORP dynamic address name is automatically configured with the IP address
                       and subnet mask for your appliance internal interface:
                       • If you have upgraded your appliance firmware, this information is migrated
                         from the earlier firmware version.
                       • If you have purchased a new appliance, you must enter this information
                         during the appliance setup process.
DMZ                    This dynamic name is not configured for a new appliance installation. If you
                       have upgraded your appliance firmware, this information is migrated from the
                       earlier firmware version.

Table 72: Default dynamic address names

Example of using a Dynamic Address List in SiteProtector  The following example describes how you might use Dynamic Address Lists in SiteProtector to manage a group of two appliances on your network.

Important: Remember that if you use access policies that reference a Dynamic Address
List, you must already have configured that list on the appliance (in the Proventia
Manager interface). In our example, you will create all dynamic settings in the
SiteProtector interface.

You have two appliances in the group:

● Appliance1
● Appliance2


The following table describes the stages involved in an example of using Dynamic
Address Lists:

Stage  Description
1      In the SiteProtector interface, you create a Dynamic Address Name called
       APPLIANCE_GROUP1.
       Note: This name is the shared container for the Dynamic Address Lists for both
       appliances.
2      In the SiteProtector interface, you create a Dynamic Address List for Appliance1,
       called Dyn_List1. This list contains the IP address ranges for Appliance1. When you
       create the list, you associate the list with the name object APPLIANCE_GROUP1.
3      In the SiteProtector interface, you create a Dynamic Address List for Appliance2,
       called Dyn_List2. This list contains the IP address ranges for Appliance2. When you
       create the list, you associate the list with the name object APPLIANCE_GROUP1.
4      You decide to change a policy setting for both of the appliances in the group. In the
       SiteProtector interface, you change the Access Policy associated with the Dynamic
       Address Name APPLIANCE_GROUP1.
5      You push the updated access policy from SiteProtector to both appliances, using the
       Dynamic Address Name APPLIANCE_GROUP1.
6      Both appliances receive the update, and respond as follows:
       • Appliance1 applies the changes to its firewall based on values in Dyn_List1.
       • Appliance2 applies the changes to its firewall based on values in Dyn_List2.

Table 73: Stages of using dynamic address lists in SiteProtector
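
The Name and Group categories of Table 71, the network object conventions above, and the APPLIANCE_GROUP1 stages of Table 73 can be modelled together. The following Python script is an added example, not code from the appliance or from SiteProtector; its class and function names and the address and port values in it are constructed for this example.

```python
"""Network objects as this chapter describes them: Name and Group objects,
their naming conventions, and Dynamic Address Names resolved per appliance.

Added example, not code from the Proventia appliance or SiteProtector. Class
and function names are this example's own; the address and port values are
constructed.
"""
from dataclasses import dataclass, field

ADDRESS = "address"   # Address Name / Address Group / Dynamic Address Name
PORT = "port"         # Port Name / Port Group
MAX_NAME_LENGTH = 16  # limit stated under "Network object conventions"


def check_name(name):
    """Enforce the conventions: no blank spaces, at most 16 characters."""
    if " " in name:
        raise ValueError(f"name {name!r} contains a blank space")
    if len(name) > MAX_NAME_LENGTH:
        raise ValueError(f"name {name!r} exceeds {MAX_NAME_LENGTH} characters")
    return name


@dataclass
class Name:
    """A Name object holds one or more elements: IP ranges or port ranges."""
    name: str
    kind: str
    elements: list = field(default_factory=list)

    def __post_init__(self):
        check_name(self.name)

    def resolve(self, _path=()):
        return list(self.elements)


@dataclass
class Group:
    """A Group holds Names or other Groups, all of its own kind (Table 71)."""
    name: str
    kind: str
    members: list = field(default_factory=list)

    def __post_init__(self):
        check_name(self.name)

    def add(self, member):
        # A network object can contain only elements of its type.
        if member.kind != self.kind:
            raise TypeError(f"{self.kind} group {self.name!r} cannot contain "
                            f"{member.kind} object {member.name!r}")
        self.members.append(member)
        return self

    def resolve(self, _path=()):
        """Flatten nested Groups into the elements they contain, in order."""
        if self.name in _path:
            raise ValueError(f"group {self.name!r} contains itself")
        flat = []
        for member in self.members:
            for element in member.resolve(_path + (self.name,)):
                if element not in flat:
                    flat.append(element)
        return flat


class DynamicAddressName:
    """Shared container; each appliance associates its own Dynamic Address List."""
    kind = ADDRESS

    def __init__(self, name):
        self.name = check_name(name)
        self.lists = {}  # appliance -> (list name, IP address ranges)

    def associate(self, appliance, list_name, ranges):
        self.lists[appliance] = (check_name(list_name), list(ranges))
        return self

    def resolve_on(self, appliance):
        """Ranges a policy referencing this name applies to on one appliance.

        An appliance with no list configured cannot apply such a policy
        (the Caution under "About Network Objects")."""
        if appliance not in self.lists:
            raise LookupError(f"{appliance} has no Dynamic Address List for {self.name}")
        return list(self.lists[appliance][1])


def build_port_group_example():
    """A Port Group holding Port Names and a nested Port Group (Table 71)."""
    web = Name("WebPorts", PORT, ["80", "443"])
    mail = Name("MailPorts", PORT, ["25", "587-588"])
    return Group("ServerPorts", PORT).add(web).add(Group("MailGroup", PORT).add(mail))


def build_appliance_group_example():
    """Stages 1 to 3 of the SiteProtector example in Table 73 (constructed ranges)."""
    shared = DynamicAddressName("APPLIANCE_GROUP1")
    shared.associate("Appliance1", "Dyn_List1", ["192.168.5.35-192.168.5.45"])
    shared.associate("Appliance2", "Dyn_List2", ["10.20.0.0/24"])
    return shared
```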


Configuring Address Groups


Introduction Address Groups are network objects that include either of the following:

● one or more Address Names
● one or more Address Groups

Configure Address Groups on the Firewall/VPN Network Objects page.

Adding an Address Group  To add an address group:

1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Network Objects.
3. Select the Address Groups tab.
4. Click Add.
5. Type a descriptive name in the Name field.
6. Type a description of the list in the Comment field.
7. In the Addresses area, click Add.
8. Do one of the following:
■ Select Address Name, and then select an entry from the Name list.
■ Click Address Names to create or select a new Address Name.
■ Select Address Group, and then select an entry from the Group list.
9. Click OK to close the Add Addresses window.
10. Click OK to close the Add Address Groups window.
11. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Editing an Address Group If you edit an Address Group that is associated with other firewall components, those
associations are removed. To restore those associations, you must manually associate
those network objects with a new Address Group.

To edit an Address Group:

1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Network Objects.
3. Select the Address Groups tab.
4. Select the group you want to edit.
5. Click Edit.
6. Make your changes, and then click OK.
7. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Proventia M Series Appliances User Guide Release 2.3 169


Chapter 11: Network Objects

Copying and pasting an Address Group You can copy and paste an Address Group before editing it. This is useful if you want to
add an entry that is similar to an entry already in the list.

To copy and paste an Address Group:

1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Network Objects.
3. Select the Address Groups tab.
4. Select the group you want to copy.
5. Click the Copy icon.
6. Click the Paste icon.
The appliance copies the entry to the end of the list.
7. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Removing an Address Group If you remove an Address Group that is associated with other firewall components, those
associations are removed. To restore those associations, you must manually associate
those network objects with a new Address Group.

To remove an Address Group:

1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Network Objects.
3. Select the Address Groups tab.
4. Select the group you want to remove.
5. Click Remove.
The appliance removes the group.
6. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.


Configuring Address Names


Introduction This topic includes procedures for configuring address names. Configure Address Names
on the Firewall/VPN Network Objects page.

Address names are network objects that include one of the following:

● any IP address
● a single IP address
● a single IP address range
● a single IP address and CIDR mask
● a single address list

Note: An address list can contain more than one IP address range.

Adding an address name To add an address name:

1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Network Objects.
3. Select the Address Names tab.
4. Click Add.
5. Type a descriptive name in the Name field.
6. Type a description of the address name in the Comment field.
7. Click Add.
8. Select one of the following:
■ To add any IP address, select Any.
■ To add one IP address, select Single IP Address, and then type the IP address in
the IP Address field. Use the dotted decimal format.
■ To add a range of IP addresses, select Address Range, and then type the first and
last IP addresses in the range in the IP Address Range fields.
■ To add an IP address on a subnet, select Network Address / #NetworkBits (CIDR),
and then type the IP address and mask. The mask is the number of network-identifier
bits, from 1 to 32.
Example: 128.8.27.18 / 16
■ To add an address list, select IP Address List, and then select an entry from the
Address Range list.
9. Click OK.
10. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Editing an Address Name If you edit an Address Name that is associated with other firewall components, those
associations are removed. To restore those associations, you must manually associate
those network objects with a new Address Name.


To edit an Address Name:

1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Network Objects.
3. Select the Address Names tab.
4. Select the entry you want to edit.
5. Click Edit.
6. Make your changes, and then click OK.
7. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Copying and pasting an Address Name You can copy and paste an Address Name before editing it. This is useful if you want to
add an entry that is similar to an entry already in the list.

To copy and paste an Address Name:

1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Network Objects.
3. Select the Address Names tab.
4. Select the entry you want to copy.
5. Click the Copy icon.
6. Click the Paste icon.
The appliance copies the entry to the end of the list.
7. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Removing an Address Name If you remove an Address Name that is associated with other firewall components, those
associations are removed. To restore those associations, you must manually associate
those network objects with a new Address Name.

To remove an Address Name:

1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Network Objects.
3. Select the Address Names tab.
4. Select the entry you want to remove.
5. Click Remove.
The appliance removes the entry.
6. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.


Configuring Dynamic Address Lists


Introduction Dynamic Address Lists contain the addresses that are associated with a shared Dynamic
Address Name specific to an appliance. You create the Dynamic Address Name object,
and then define the addresses for each appliance in a Dynamic Address List. Dynamic
Address Lists are required for configuring your firewall. See “Process Overview for
Configuring the Firewall” on page 108.

You can share a Dynamic Address Name among appliances, but associate individual
addresses for each appliance in its Dynamic Address Lists. When you use the Dynamic
Address Name to define a policy change in SiteProtector for a group of M appliances,
each appliance implements the change using the values in its individual Dynamic
Address List associated with that name. Configure Dynamic Address Lists on the
Firewall/VPN Dynamic Addresses page.

Adding a dynamic address list To add a Dynamic Address List:

1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Dynamic Addresses.
3. In the Dynamic Address List area, click Add.
4. Select a Dynamic Address Name from the Name list.
5. Click Configure to create a new Dynamic Address Name.
6. Type a description of the list in the Comment field.
7. In the Dynamic Address area, do one of the following:
■ For the list to include one IP address, select Single IP Address, and then type the IP
address in the IP Address field. Use the dotted decimal format.
■ For the list to include a range of IP addresses, select Address Range, and then type
the first and last IP addresses in the range in the IP Address Range fields.
■ For the list to include an IP address on a subnet, select Network Address /
#NetworkBits (CIDR), and then type the IP address and mask. The mask is the
network identifier, and is a number from 1 to 32.
Example: 128.8.27.18 / 16
■ For the list to include a network IP address on a subnet, select Network Address /
Subnet Mask, and then type the IP address and subnet mask.
8. Click OK.
9. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Editing a Dynamic Address List To edit a Dynamic Address List:

1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Dynamic Addresses.
3. In the Dynamic Address List area, select the Dynamic Address Name you want to
edit.
4. Click Edit and make your changes.


5. Click OK.
6. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Copying and pasting a Dynamic Address List You can copy and paste a Dynamic Address List before editing it. This is useful if you
want to add an entry that is similar to an entry already in the list.

To copy and paste a Dynamic Address List:

1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Dynamic Addresses.
3. In the Dynamic Address List area, select the entry you want to copy.
4. Click the Copy icon.
5. Click the Paste icon.
The appliance copies the entry to the end of the list.
6. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Removing a Dynamic Address List If you remove a Dynamic Address List that is associated with other firewall components,
those associations are also removed. To restore those associations, you must manually
associate those network objects with another Dynamic Address List or other network
object.

To remove a Dynamic Address List:

1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Dynamic Addresses.
3. In the Dynamic Address List area, select the entry you want to remove.
4. Click Remove.
The appliance removes the entry from the list.
5. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.


Configuring Dynamic Address Names


Introduction Dynamic Address Names can be shared among many appliances with different Dynamic
Address Lists. Each appliance has one or more Dynamic Address Lists that contain
addresses specific to that appliance. You can associate the Dynamic Address Lists from
many appliances with one Dynamic Address Name network object.

When you use the Dynamic Address Name to define a policy change in SiteProtector for a
group of appliances, each appliance implements the change using the values in its
individual Dynamic Address List associated with that name.

Two Dynamic Address Names are configured by default:

● CORP
● DMZ

Note: The DMZ dynamic name is not configured for a new appliance installation. If you
have upgraded your appliance firmware, this information is migrated from the earlier
firmware version.
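The Address Name, Address Group and Dynamic Address Name objects described in this chapter, modelled as an added example (not code from this guide or from ISS): each appliance resolves a shared Dynamic Address Name through its own Dynamic Address List, so the one policy pushed in Table 73 produces different matches on Appliance1 and Appliance2. The IP ranges and the Mgmt_Host and Trusted objects are constructed for the example; only APPLIANCE_GROUP1, Dyn_List1 and Dyn_List2 come from Table 73.

```python
"""Model of Address Names, Address Groups and Dynamic Address Names (added example)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class AddressName:
    """One Address Name entry: any address, a single IP, a range, or IP / #NetworkBits."""
    name: str
    kind: str       # "any" | "single" | "range" | "cidr"
    spec: str = ""  # "10.1.2.3", "10.1.2.1 - 10.1.2.50", "128.8.27.18 / 16"

    def contains(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        if self.kind == "any":
            return True
        if self.kind == "single":
            return addr == ipaddress.ip_address(self.spec)
        if self.kind == "range":
            first, last = (ipaddress.ip_address(p.strip()) for p in self.spec.split("-"))
            return first <= addr <= last
        if self.kind == "cidr":
            # The guide's example "128.8.27.18 / 16" has host bits set; strict=False
            # masks them off (to 128.8.0.0/16) instead of rejecting the entry.
            return addr in ipaddress.ip_network(self.spec.replace(" ", ""), strict=False)
        raise ValueError(f"unknown Address Name kind: {self.kind}")


@dataclass
class AddressGroup:
    """An Address Group holds Address Names and/or other Address Groups, by name."""
    name: str
    members: List[str] = field(default_factory=list)


@dataclass
class Appliance:
    """One appliance: its static objects plus its own Dynamic Address Lists.
    dynamic_lists maps a shared Dynamic Address Name to the entries that *this*
    appliance associates with it (its Dynamic Address List for that name)."""
    name: str
    objects: Dict[str, object] = field(default_factory=dict)
    dynamic_lists: Dict[str, List[AddressName]] = field(default_factory=dict)

    def matches(self, object_name: str, ip: str, seen: Optional[Set[str]] = None) -> bool:
        """True if ip falls within the named object as resolved on this appliance."""
        seen = seen or set()
        if object_name in seen:  # a group that (indirectly) contains itself
            raise ValueError(f"cyclic Address Group reference at {object_name}")
        seen = seen | {object_name}
        if object_name in self.dynamic_lists:  # Dynamic Address Name -> local list
            return any(entry.contains(ip) for entry in self.dynamic_lists[object_name])
        obj = self.objects.get(object_name)
        if obj is None:
            # No local object or list for this name: fail closed with an error rather
            # than silently matching nothing (or everything).
            raise KeyError(f"{self.name}: nothing resolves {object_name}")
        if isinstance(obj, AddressName):
            return obj.contains(ip)
        if isinstance(obj, AddressGroup):
            return any(self.matches(member, ip, seen) for member in obj.members)
        raise TypeError(f"unsupported network object type {type(obj).__name__}")


@dataclass
class AccessRule:
    """Minimal access policy rule that references a network object by name."""
    source: str
    action: str  # "allow" | "deny"


def evaluate(appliance: Appliance, policy: List[AccessRule], src_ip: str) -> str:
    """First-match evaluation of one shared policy on one appliance; default deny."""
    for rule in policy:
        if appliance.matches(rule.source, src_ip):
            return rule.action
    return "deny"


def build_table73_scenario():
    """Constructed data mirroring Table 73: one shared name, two per-appliance lists.
    The IP ranges and the Mgmt_Host / Trusted objects are invented for the example."""
    shared = "APPLIANCE_GROUP1"
    appliance1 = Appliance("Appliance1", dynamic_lists={
        shared: [AddressName("Dyn_List1", "range", "10.1.0.1 - 10.1.0.50")]})
    appliance2 = Appliance("Appliance2", dynamic_lists={
        shared: [AddressName("Dyn_List2", "cidr", "10.2.0.0 / 24")]})
    for appliance in (appliance1, appliance2):  # static objects present on both
        appliance.objects["Mgmt_Host"] = AddressName("Mgmt_Host", "single", "192.0.2.10")
        appliance.objects["Trusted"] = AddressGroup("Trusted", ["Mgmt_Host", shared])
    # The one access policy pushed from SiteProtector to both appliances (Table 73, step 5).
    policy = [AccessRule("Trusted", "allow")]
    return appliance1, appliance2, policy
```

Running evaluate() for the same source address on both appliances shows the effect of Table 73 step 6: the shared rule is identical, but each appliance matches only the addresses in its own Dynamic Address List.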

Adding a Dynamic Address Name To add a Dynamic Address Name:

1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Network Objects.
3. Select the Dynamic Address Names tab.
4. Click Add.
5. Type a descriptive name in the Name field.
6. Type a description of the list in the Comment field.
7. Click OK.
8. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Editing a Dynamic Address Name If you edit a Dynamic Address Name that is associated with other firewall components,
those associations are removed. To restore those associations, you must manually
associate those network objects with a new Dynamic Address Name.

To edit a Dynamic Address Name:

1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Network Objects.
3. Select the Dynamic Address Names tab.
4. Select the Dynamic Address Name you want to edit.
5. Click Edit.
6. Make your changes.
7. Click OK.
8. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Copying and pasting a Dynamic Address Name You can copy and paste a Dynamic Address Name before editing it. This is useful if you
want to add an entry that is similar to an entry already in the list.

To copy and paste a Dynamic Address Name:

1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Network Objects.
3. Select the Dynamic Address Names tab.
4. Select the Dynamic Address Name you want to copy.
5. Click the Copy icon.
6. Click the Paste icon.
The appliance copies the entry to the end of the list.
7. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Removing a Dynamic Address Name If you remove a Dynamic Address Name that is associated with other firewall
components, those associations are removed. To restore those associations, you must
manually associate those network objects with a new Dynamic Address Name.

To remove a Dynamic Address Name:

1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Network Objects.
3. Select the Dynamic Address Names tab.
4. Select the Dynamic Address Name you want to remove.
5. Click Remove.
The appliance removes the entry.
6. Click OK.
7. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.


Configuring Port Groups


Introduction A port group is a network object that includes any of the following:

● one or more Port Names
● one or more Port Groups

Configure Port Groups on the Firewall/VPN Network Objects page.

Adding a Port Group To add a Port Group:

1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Network Objects.
3. Select the Port Groups tab.
4. Click Add.
5. Type a descriptive name in the Name field.
6. Type a description of the group in the Comment field.
7. In the Ports area, click Add.
8. Do one of the following:
■ Select Port Name, and then select an entry from the Port list.
Tip: Click Port Names to create or select a new Port Name.
■ Select Port Group, and then select an entry from the Group list.
9. Click OK to close the Add Ports window.
10. Click OK to close the Add Port Groups window.
11. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Editing a Port Group If you edit a Port Group that is associated with other firewall components, those
associations are removed. To restore those associations, you must manually associate
those network objects with a new Port Group.

To edit a Port Group:

1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Network Objects.
3. Select the Port Groups tab.
4. Select the group you want to edit.
5. Click Edit.
6. Make your changes, and then click OK.
7. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.


Copying and pasting a Port Group You can copy and paste a Port Group before editing it. This is useful if you want to add an
entry that is similar to an entry already in the list.

To copy and paste a Port Group:

1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Network Objects.
3. Select the Port Groups tab.
4. Select the entry you want to copy.
5. Click the Copy icon.
6. Click the Paste icon.
The appliance copies the entry to the end of the list.
7. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Removing a Port Group If you remove a Port Group that is associated with other firewall components, those
associations are removed. To restore those associations, you must manually associate
those network objects with a new Port Group.

To remove a Port Group:

1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Network Objects.
3. Select the Port Groups tab.
4. Select the entry you want to remove.
5. Click Remove.
The appliance removes the entry.
6. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.


Configuring Port Names


Introduction A port name is a network object that includes either a single port or one or more port ranges.
Configure Port Names on the Firewall/VPN Network Objects page.

Adding a Port Name To add a Port Name:

1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Network Objects.
3. Select the Port Names tab, and then click Add.
4. Type a descriptive name in the Name field.
5. Type a description of the port name in the Comment field.
6. Click Add.
7. Select a protocol from the Protocol list. Options are:
■ TCP
■ UDP
8. In the Port area, do one of the following, and then click OK.
■ Select Single Port, and then type a port value in the Single Port field.
■ Select Port Range, and then select a port range from the Range list.
9. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Editing a Port Name If you edit a Port Name that is associated with other firewall components, those
associations are removed. To restore those associations, you must manually associate
those network objects with a new Port Name.

To edit a Port Name:

1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Network Objects.
3. Select the Port Names tab.
4. Select the entry you want to edit.
5. Click Edit.
6. Make your changes, and then click OK.
7. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Copying and pasting a Port Name You can copy and paste a Port Name before editing it. This is useful if you want to add an
entry that is similar to an entry already in the list.

To copy and paste a Port Name:

1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Network Objects.
3. Select the Port Names tab.
4. Select the entry you want to copy.
5. Click the Copy icon.
6. Click the Paste icon.
The appliance pastes the entry at the end of the list.
7. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Removing a Port Name If you remove a Port Name that is associated with other firewall components, those
associations are removed. To restore those associations, you must manually associate
those network objects with a new Port Name.

To remove a Port Name:

1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Network Objects.
3. Select the Port Names tab.
4. Select the entry you want to remove.
5. Click Remove.
The appliance removes the entry.
6. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Chapter 12

Working with IKE Policies

Overview
Introduction This chapter explains how to use Internet Key Exchange (IKE) policies to create security
associations with Internet Protocol Security (IPSEC). IKE enhances IPSEC by providing
additional features, flexibility, and ease of configuration. IKE automatically negotiates
IPSEC security associations and enables IPSEC secure communications without manual
preconfiguration.

In this chapter This chapter contains the following topics:

Topic Page
IKE Automatic Key Management 182
IKE Modes 185
The Diffie-Hellman Exchange 186
Configuring IKE Network and Security Settings 187
Configuring IKE Remote IDs 189
Configuring IKE Policy XAuth 191


IKE Automatic Key Management


Introduction Internet Key Exchange (IKE) provides a dynamic method for creating Security
Associations (SAs) and exchanging keys for use by IPSEC. IKE, also called dynamic key
exchange, automatic key exchange, or AutoIKE, enables the keys and SAs to be exchanged
in a multi-stage process.

Note: Automatic key management is required to facilitate deployment of multiple VPN
tunnels.

IKE automatic key management can be used in two ways:

● with pre-shared keys
● with certificates

The IKE tunnel negotiation process is divided into two phases:

Phase Description

Phase 1 The peers exchange proposals for how to authenticate and secure the channel.

Phase 2 IPSEC SAs are negotiated to allow encrypted and authenticated exchange of data.

Table 74: IKE tunnel negotiation process

IKE with pre-shared keys When both peers in a session are configured with the same pre-shared key, they can use it
to authenticate themselves to each other. The peers do not actually send the key to each
other, but use it in combination with a Diffie-Hellman group to create a session key as
part of the security negotiation process. The peers use the session key for encryption and
authentication. IKE automatically regenerates the session key during the communication
session.

Note: ISS recommends that you use pre-shared keys with automatic key management.

IKE with certificates This method of key management requires the participation of a trusted third party, the
certificate authority (CA). Each peer in a VPN must first generate a set of keys, called a
public/private key pair. The CA signs the public key for each peer, creating a signed
digital certificate. Each peer contacts the CA to get its own certificate and a certificate from
the CA itself. After you upload the certificates to the appliance and configure the
appropriate IPSEC tunnels and policies, the peers can communicate. During this
communication, IKE manages the exchange of certificates by transmitting signed digital
certificates from one peer to another. The signed digital certificates are validated by the
presence of the CA certificate at each end. When this authentication is complete, the
IPSEC tunnel is established.

Note: Typically, certificates are easier to manage than manual keys or pre-shared keys,
and are best suited for large networks.

Phase 1 Phase 1 begins with an exchange of proposals on how to protect the secure channel. This
exchange uses one of the two Phase 1 IKE modes:

● Aggressive
● Main

When either Phase 1 mode is used, the two peers exchange the following information:

● Encryption Algorithms and Authentication Algorithms
● A Diffie-Hellman Group and nonce (pseudo-random number)
● Proof of identity, derived from a preshared key or from a certificate

The IKE Phase 1 session results in an encrypted channel over which Phase 2 can take
place.

Encryption Algorithm or ESP Algorithm The encryption algorithm is a mathematical algorithm for encrypting and decrypting
binary coded information. Encryption converts data to an unintelligible form called
ciphertext; decrypting the ciphertext converts the data back into its original form, called
plaintext. Encryption methods are described in the following table:

Method Description

DES The Data Encryption Standard (DES) algorithm is designed to
encrypt blocks of data consisting of 64 bits under control of a 64-
bit key. Decrypting is accomplished by using the same key as for
encrypting, but with the schedule of addressing the key bits
altered so that the decrypting process is the reverse of the
encrypting process.
Important: Key length must be three characters.

3DES The secret Triple-Data Encryption Standard (3DES) key shared
between the communicating parties is a simple variant on the
DES-CBC algorithm. The DES function is replaced by three
rounds of that function, an encryption followed by a decryption
followed by an encryption, each with independent keys: k1, k2,
and k3.
Important: Key length must be 24 characters.

AES The Advanced Encryption Standard (AES) is a symmetric block
cipher that can process data blocks of 128 bits.
Important: Key length must be 128, 192, or 256 bits.

Table 75: Encryption methods

Authentication algorithms Supported authentication algorithms are as follows:

Algorithms Description

MD5 Message Digest 5 (MD5) is an algorithm that is used to create
digital signatures. It is intended for use with 32-bit machines. MD5
is a one-way hash function, meaning that it takes a message and
converts it into a fixed string of digits, also called a message
digest.
When using a one-way hash function, one can compare a
calculated message digest against the message digest that is
decrypted with a public key to verify that the message hasn't been
tampered with. This comparison is called a hashcheck.
Key length must be 16 characters.

SHA1 Secure Hash Algorithm (SHA1) produces a condensed
representation of the message called a message digest. The
message digest is used during generation of a signature for the
message. SHA1 is also used to compute a message digest for the
received version of the message during the process of verifying
the signature. Any change to the message in transit will result in a
different message digest, and the signature will fail to verify. SHA1
is used by both the transmitter and intended receiver of a
message in computing and verifying a digital signature.
Key length must be 20 characters.

Table 76: Supported authentication algorithms

Diffie-Hellman Group Diffie-Hellman consists of five groups. This appliance supports three of the five. The
groups are as follows:

● Group 1 - MODP group with a 768-bit modulus (supported)
● Group 2 - MODP group with a 1024-bit modulus (supported)
● Group 3 - EC2N group with 155-bit field size (not supported)
● Group 4 - EC2N group with 185-bit field size (not supported)
● Group 5 - MODP group with 1536-bit modulus (supported)

Note: The higher the group number, the more difficult it is for a third-party to guess the
session key value.

Note: Not all the supported groups listed here are available for every Diffie-Hellman
Group setting in the Proventia Manager.

Phase 2 After the peers establish a secure and authenticated channel, the negotiation process
continues with Phase 2. During this phase, the peers negotiate the SAs for encrypting and
authenticating data within the VPN tunnel. The peers exchange IPSEC proposals to
determine which security parameters to use in the SA. The peers can use up to three
messages to decide on the proposal and to determine the SAs. The peers use the following
items in a proposal:

● Security protocol: AH, or ESP, or both
● If ESP is used, an encryption method (DES, 3DES, or AES)
● If AH is involved, an Authentication algorithm (MD5 or SHA1)
● If Perfect Forward Secrecy is used, a Diffie-Hellman group

The Phase 2 session establishes an IPSEC tunnel that provides secure communications
between the hosts.


IKE Modes
Introduction IKE can use one of two modes:

● Main
● Aggressive

Main mode In main mode, the initiator (client) and responder (server) exchange six messages, as
follows:

1. The initiator sends an IKE proposal to the responder that contains the encryption and
the authentication algorithms for the Phase 1 negotiation.
2. The responder accepts the proposal.
3. The initiator sends a Diffie-Hellman proposal and a nonce value (random number).
4. The responder accepts the Diffie-Hellman proposal, and then sends its own nonce
value.
5. The initiator sends its proof of identity, which is a certificate or a pre-shared secret
key.
6. The responder sends its proof of identity, which is a certificate or a pre-shared secret
key.

Advantage Because the encryption method is established in exchanges 1 and 2, the Diffie-Hellman
exchange, the two nonce values, and the identity proofs are all protected from third-party
interception.

Restriction To use main mode, the IP address of each party must be known. Therefore, static IP
addresses must be used on both the responder and the initiator.

Note: Only one main mode tunnel (respond only) is allowed when using a preshared key.

Aggressive mode With aggressive mode connections, the Initiator and Responder exchange only three
messages, as follows:

1. The initiator sends the IKE proposal for encryption and authentication, starts the
Diffie-Hellman exchange, and then sends its nonce value and proof of identity.
2. The responder accepts the security proposal, and then sends its own nonce value and
proof of identity.
3. The initiator confirms the identity and the exchange.

Note: You do not need to know the IP address of the peer.

Aggressive vs. Main mode Aggressive mode is not as safe as main mode, because the nonce value, Diffie-Hellman
exchange, and identity proofs are all sent before encryption begins.

Dynamic IP address restriction If the initiator has a dynamic IP address, Aggressive mode is the only method that can be
used.


The Diffie-Hellman Exchange


Introduction A Diffie-Hellman (DH) Exchange is used to securely transfer a shared secret across an
unsecured communication channel, such as the Internet. The Diffie-Hellman Exchange
uses a discrete one-way function to produce key material to be used in the exchange.

DH Exchange process The DH Exchange is a two-stage process, as follows:

Stage Description

1 Each peer picks a random number, and then uses that number in the calculation
of the Diffie-Hellman algorithm, also called Group, that the peers agreed to use.
This calculation creates the public key for each peer.

2 The peers exchange the public keys. Each peer then uses the key in another
calculation, based on the DH group, to create the shared secret.

Table 77: DH Exchange process

Note: The public keys are transferred in clear text over the Internet, and the calculation is
well known, but without the secret random number generated by each peer, a third party
cannot guess the shared secret.
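The two-stage exchange of Table 77 carried through as an added example (not the appliance's implementation), using the 1024-bit MODP modulus of Group 2 transcribed from RFC 2409 section 6.2; Groups 1 and 5 are not included. The key-material derivation at the end is a simplified stand-in for IKE's PRF-based derivation, not the exact IKE construction, and the range check on the received public value is the validation a responder should perform before using a peer's value.

```python
"""Diffie-Hellman exchange of Table 77 with the Group 2 (1024-bit MODP) parameters (added example)."""
import hashlib
import secrets

# Oakley Group 2 prime and generator, transcribed from RFC 2409 section 6.2.
GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
GROUP2_G = 2


def valid_public_value(value: int, p: int = GROUP2_P) -> bool:
    """Reject 0, 1 and p-1: those values would force the shared secret into a
    trivial subgroup regardless of this peer's secret exponent."""
    return 2 <= value <= p - 2


class DHPeer:
    """One side of the exchange; p and g are the agreed group (Table 77, stage 1)."""

    def __init__(self, p: int = GROUP2_P, g: int = GROUP2_G):
        self.p, self.g = p, g
        # Stage 1: the secret random number, never transmitted, and the public
        # value g^secret mod p computed from it.
        self.secret = secrets.randbelow(p - 3) + 2  # uniformly in [2, p-2]
        self.public = pow(g, self.secret, p)

    def shared_secret(self, peer_public: int) -> int:
        """Stage 2: combine the peer's public value with our secret."""
        if not valid_public_value(peer_public, self.p):
            raise ValueError("peer public value out of range")
        return pow(peer_public, self.secret, self.p)


def derive_key_material(shared: int, nonce_i: bytes, nonce_r: bytes, length: int = 24) -> bytes:
    """Simplified stand-in for IKE's SKEYID derivation: hash the shared secret
    together with both nonces and take the first `length` bytes."""
    size = (shared.bit_length() + 7) // 8
    return hashlib.sha256(nonce_i + nonce_r + shared.to_bytes(size, "big")).digest()[:length]


def run_exchange(p: int = GROUP2_P, g: int = GROUP2_G):
    """Carry out the exchange between an initiator and a responder and return
    the shared secret each side computed (they must be equal)."""
    initiator, responder = DHPeer(p, g), DHPeer(p, g)
    # Only initiator.public and responder.public cross the network, in clear text.
    k_i = initiator.shared_secret(responder.public)
    k_r = responder.shared_secret(initiator.public)
    return k_i, k_r
```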


Configuring IKE Network and Security Settings


Introduction Configure the Internet Key Exchange (IKE) security settings for a security gateway. Use
the following procedures to configure IKE security settings.

Configuring IKE network settings To configure IKE policy network settings:

1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Settings.
3. Select the Security Gateways tab.
4. Select one of the following tabs:
■ IPSEC Remote Client Security Gateway tab
■ Auto Key IPSEC Security Gateway tab
5. Click Add.
6. Select the IKE configuration tab.
7. In the Direction list, select how the peers will use the VPN tunnel.
8. Select the IKE mode from the Exchange Type list. The options are as follows:
■ Main Mode
■ Aggressive Mode
9. From the Local ID Type list, select the type of data that the local host sends to the
remote host for authentication.
10. In the Local ID Data field, type the local certificate information that corresponds to
the Local ID Type you selected in Step 9.
11. Type the local peer IP address in the Local IP Address field.
12. Type the remote peer IP address in the Remote IP Address field.

Configuring IKE security settings To configure IKE policy security settings:

1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Settings.
3. Select the Security Gateways tab.
4. Select one of the following tabs:
■ IPSEC Remote Client Security Gateway tab
■ Auto Key IPSEC Security Gateway tab
5. Click Add.
6. Select the IKE configuration tab.
7. Select the encryption method from the Encryption Algorithm list.
8. Did you select the encryption method AES?
■ If yes, select the AES key length from the AES Key Length list.
■ If no, go to the next step.
9. Select the authentication method from the Authentication Algorithm list.
10. Select the authentication mode from the Authentication Mode list.

Proventia M Series Appliances User Guide Release 2.3 187


Chapter 12: Working with IKE Policies

11. Did you select the Pre-Shared Key authentication mode?


■ If yes, type a text string in the Pre-Shared Key field.
■ If no, go to the next step.
Note: Type a minimum of 8 alphanumeric characters in this field. Do not use
symbols. You must distribute this Pre-Shared Key to the VPN peers over a trusted channel
before they can establish a VPN connection. Pre-Shared Key is not supported in Main mode.
Because Aggressive mode sends the peer identity and the authentication hash unencrypted,
a short or guessable pre-shared key can be recovered offline from a single captured
exchange; use a long, random key.
12. Type the number of seconds for which the encryption and authentication settings for
phase I of IKE are valid in the Life Time Secs field.
13. Type the number of transmitted kilobytes for which the encryption and
authentication settings for phase I of IKE are valid in the Life Time KBytes field.
14. Select the Diffie-Hellman group from the DH Group list.
Reference: See “Configuring an IPSEC Remote Client Security Gateway” on
page 207.

Configuring IKE Remote IDs


Introduction

You can configure IKE remote IDs for the following security gateways:

● Auto Key IPSEC Security Gateway
● IPSEC Remote Client Security Gateway

What this task accomplishes

Each remote ID represents an end point of a VPN connection. Configuring the remote IDs
for a security gateway allows you to enter up to 10 different endpoints for the VPN
tunnel. This allows up to 10 different users to connect on the same VPN session.

Restriction

Each security gateway is allowed a maximum of 10 remote IDs.

Adding a remote ID

To add a remote ID:

1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Settings.
3. Select the Security Gateways tab.
4. Select the IPSEC Remote Client Security Gateway tab or the Auto Key IPSEC
Security Gateway tab.
5. Locate the Remote ID area, and then click Add.
6. From the Remote ID Type list, select the type of data that the remote peer sends to the
local peer for authentication.
7. In the Remote ID field, type the remote certificate information that corresponds to the
Remote ID Type you selected in Step 6.
8. Click OK.
9. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Editing a remote ID

To edit a remote ID:

1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Settings.
3. Select the Security Gateways tab.
4. Select the IPSEC Remote Client Security Gateway tab or the Auto Key IPSEC
Security Gateway tab.
5. In the Auto Key IPSEC or IPSEC Remote Client gateway, locate the Remote ID area,
and then select the Remote ID you want to edit.
6. Click Edit.
7. Continue as described in Steps 6 through 9 of the “Adding a remote ID” procedure.

Copying and pasting a Remote ID entry

You can copy and paste a Remote ID entry before editing it. This is useful if you want to
add an entry that is similar to an entry already in the list. You can also copy and paste
multiple entries.


To copy and paste a Remote ID entry:

1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Settings.
3. Select the Security Gateways tab.
4. Select the IPSEC Remote Client Security Gateway tab or the Auto Key IPSEC
Security Gateway tab.
5. Locate the Remote ID area, and then select the Remote ID entry you want to copy.
Note: To select multiple entries, press the CTRL key, and then select each entry. To
select a range of entries, press the SHIFT key, and then select the first and last entries in
the range.

6. Click the Copy icon.
7. Click the Paste icon.
The appliance copies the entry to the end of the list.
8. If needed, edit the entry, and then click OK.
9. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Removing a remote ID

To remove a remote ID:

1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Settings.
3. Select the Security Gateways tab.
4. Select the IPSEC Remote Client Security Gateway tab or the Auto Key IPSEC
Security Gateway tab.
5. Locate the Remote ID area, and then select the Remote ID entry you want to remove.
6. Click Remove.
The appliance removes the remote ID entry from the list.

Configuring IKE Policy XAuth


Introduction

You can configure XAuth for the following security gateways:

● Auto Key IPSEC Security Gateway
● IPSEC Remote Client Security Gateway

If you enable XAuth for a security gateway, you must configure the IKE XAuth settings.

What is XAuth?

XAuth, which is short for Extended Authentication, adds a secondary user name and
password authentication to the IKE session. After IKE Phase I is completed, an extra
exchange occurs, in which the remote VPN peer sends a message requesting a user name
and password. The local peer prompts the user for them or finds them in a policy, and then
forwards them to the remote peer. The remote peer validates the user name and password
pair.

Methods of name/password authentication

There are two methods for authenticating the pair:

● Generic - uses a built-in local database. Use generic authentication if you use a
SoftRemote VPN peer, or if you use PAP authentication.
● RADIUS - passes the information to a RADIUS server. You can use RADIUS
authentication if your VPN client supports CHAP authentication.

Note: See “Configuring the RADIUS Client” on page 161.

Configuring IKE XAuth

To configure IKE policy XAuth:

1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Settings.
3. Select the Security Gateways tab.
4. Select the IPSEC Remote Client Security Gateway tab or the Auto Key IPSEC
Security Gateway tab.
5. In the Auto Key IPSEC or IPSEC Remote Client gateway, locate the XAuth area, and
then select Enabled.
6. Will the remote peer provide the user name and password to the local peer for
authentication?
■ If yes, select Edge Device from the Device Type list, and then go to Step 7. The Pass
Phrase field is not currently used.
■ If no, select IP Sec Host from the Device Type list, and then go to Step 11.
7. Type the user name in the User Name field.
8. Click Set Password.
9. Type the user password in the Password field, and again in the Confirm Password
field.
10. Click OK.
11. Select the method of authentication from the Authentication Type list. The options are
as follows:


■ Generic
Important: Use the Generic setting if you are using Safenet Soft Remote as the VPN
peer or PAP (Password Authentication Protocol) authentication.
■ RADIUS
Important: Use the RADIUS setting only if your VPN client supports CHAP
(Challenge Handshake Authentication Protocol) authentication.
12. If you selected RADIUS, you must configure your RADIUS client. See “Configuring
the RADIUS Client” on page 161.
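The two XAuth backends described in this section, as an added example that is not part of the original guide or of the appliance's own code. The Generic method checks the user name and password against a local store; the RADIUS method forwards them, and the code shows what a gateway puts on the wire for PAP (RFC 2865 User-Password hiding) versus CHAP (an RFC 1994 response carried in a CHAP-Password attribute) and how the server side verifies each. All user names, passwords, the RADIUS shared secret, the Request Authenticator and the CHAP challenge are constructed test values.

```python
"""XAuth name/password verification: a local hashed user database (the
page's "Generic" method) and the RADIUS attribute encodings for PAP and
CHAP (the "RADIUS" method). Added example, not appliance code; all
credentials, secrets and authenticators below are constructed."""
import hashlib
import hmac
import secrets

# ---- Generic method: built-in local database, stored as salted PBKDF2 hashes ----
LOCAL_DB = {}   # user name -> (salt, derived key)

def _kdf(password: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

def add_local_user(name: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    LOCAL_DB[name] = (salt, _kdf(password.encode(), salt))

def generic_verify(name: str, password: str) -> bool:
    """PAP-style check: the clear-text password arrives and is compared to the store."""
    rec = LOCAL_DB.get(name)
    if rec is None:
        _kdf(password.encode(), b"\x00" * 16)   # same cost for unknown users (no timing oracle)
        return False
    salt, stored = rec
    return hmac.compare_digest(stored, _kdf(password.encode(), salt))

# ---- RADIUS method, PAP: User-Password attribute (RFC 2865 section 5.2) ----
def radius_pap_hide(password: bytes, shared_secret: bytes, authenticator: bytes) -> bytes:
    """Hide the password by XOR with MD5(secret + previous block), seeded by the
    16-byte Request Authenticator. This is obfuscation keyed on the RADIUS
    shared secret, not encryption: anyone holding the secret recovers it."""
    assert len(authenticator) == 16
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(shared_secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out

def radius_pap_reveal(hidden: bytes, shared_secret: bytes, authenticator: bytes) -> bytes:
    """Server side of the same chain. Assumes the password contains no NUL bytes."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(shared_secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")

# ---- RADIUS method, CHAP: CHAP-Password attribute (RFC 1994, RFC 2865 section 5.3) ----
def chap_password_attr(ident: int, password: bytes, challenge: bytes) -> bytes:
    """Client side: the Ident byte followed by MD5(Ident || password || challenge)."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()

def radius_chap_verify(attr: bytes, challenge: bytes, stored_password: bytes) -> bool:
    """Server side. The password never crosses the wire, but the server must hold
    it in clear (or reversibly encrypted) to recompute the response, so a
    hashed-only database such as LOCAL_DB above cannot back CHAP."""
    if len(attr) != 17:
        return False
    ident, response = attr[0], attr[1:]
    expected = hashlib.md5(bytes([ident]) + stored_password + challenge).digest()
    return hmac.compare_digest(response, expected)
```

PAP protects the password only as well as the RADIUS shared secret and the path between gateway and RADIUS server are protected, so keep that path on a trusted network. CHAP resists passive capture, and a fresh challenge per attempt is what defeats replay; a reused challenge makes a captured response replayable, as the last assertion in the test shows by changing only the challenge.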

Chapter 13

Working with IPSEC

Overview

Introduction

This chapter explains how to use Internet Protocol Security (IPSEC) policies to create
secure VPN connections.

In this chapter

This chapter contains the following topics:

Topic                              Page
IPSEC and IPSEC Policies           194
IPSEC Encapsulation Modes          195
IPSEC VPN Protocols                196
Using L2TP and IPSEC               197
Security Associations              198
Key Management                     199
Configuring IPSEC Policies         200


Chapter 13: Working with IPSEC

IPSEC and IPSEC Policies


Introduction

Internet Protocol Security (IPSEC) is a suite of protocols that enables secure
communication over an unsecured network, such as the Internet. IPSEC is used to create a
VPN session, and uses cryptography to provide secure transmission of the Internet
Protocol (IP) packet over the public network. IPSEC policies define the following:

● IPSEC VPN security protocol
● key exchange method (key management)
● Security Association (SA)

IPSEC provides the following protection to data:

● data integrity
● anti-replay protection
● data privacy
● origination authentication

Data integrity

IPSEC protects data by discarding a packet if the packet was modified in transit by a
third party. This technique is sometimes called data authentication or content integrity.

Anti-replay protection

IPSEC protects packets from being captured and replayed. If a third party intercepts a
packet or a series of packets, and then attempts to replay the packets with the intention of
either compromising the host or performing a denial of service attack, the receiving
host determines from the packet sequence numbers that the packets have already been
received, and discards them.

Data privacy

IPSEC protects data being transferred in IP datagrams by encrypting the IP packet. IPSEC
encryption prevents third parties from listening on the public, unsecured network and
obtaining private information from the packets. A third party that intercepts the IPSEC
packets cannot decrypt the data without the session keys.

Origination authentication

Every IPSEC packet carries an integrity check value computed with a key that only the two
peers hold, so the receiver can verify which peer sent the packet. This feature is called
origination authentication, data origin authentication, or sender authentication. Because
the key is shared by both peers, it does not provide non-repudiation: either peer could
have produced any given packet.

IPSEC initiators and responders

IPSEC is a peer-to-peer standard. The initiator is the VPN peer that begins the
negotiations. The responder is the VPN peer that replies to the negotiations. You can
configure the appliance as the initiator, responder, or both, for peer-to-peer VPN
connections.

When to use IPSEC in tunnel mode

The primary reason for using IPSEC in tunnel mode is interoperability with other routers,
gateways, or end-systems that do not support L2TP/IPSEC or PPTP VPN tunneling. Do
not use IPSEC tunnel mode for remote access VPN connections. Use L2TP/IPSEC or PPTP
for remote access VPN connections.

IPSEC Encapsulation Modes


Supported modes

IPSEC supports the following encapsulation modes:

● tunnel (system default)
● transport

Tunnel mode

Tunnel mode is the most used encapsulation method. In tunnel mode, the entire original IP
datagram is protected. Tunnel mode allows the cryptographic endpoint, such as a gateway
device, to be a different host from the packet's final destination. Tunnel mode is the
default option for the IPSEC encapsulation mode.

An IPSEC packet in tunnel mode has two IP headers. The outer IP header contains the
information for delivering the entire packet to the gateway device. The inner IP header is
encrypted and contains only the original information intended for the targeted host on the
other side of the VPN tunnel.

Transport mode

Transport mode should only be used for host-to-host tunnels. Transport mode protects
only the upper-layer protocols; the original IP header is not encrypted, so the real source
and destination addresses remain visible on the public network. Transport mode can only
be used when the cryptographic endpoint is the same as the communication endpoint.


IPSEC VPN Protocols


Supported protocols

IPSEC uses the following protocols for data encryption and authentication:

● Encapsulating Security Payload (ESP)
● Authentication Header (AH)

Encapsulating Security Payload

ESP is used to ensure data integrity, anti-replay protection, data privacy, and origination
authentication. ESP uses symmetric key encryption. In tunnel mode it encrypts the entire
original IP packet (header and payload); in transport mode it encrypts only the payload
above the IP header. It prepends an ESP header (SPI and sequence number) and appends
an ESP trailer and an integrity check value (ICV).

Note: The ESP header and the ICV are sent in clear text, because the receiver needs the
SPI to find the security association, the sequence number to check for replay, and the ICV
to authenticate the packet before it decrypts the packet.

Note: ESP uses both encryption algorithms and authentication algorithms. ESP with
encryption but without authentication does not protect integrity and should not be used;
select ESP with Auth.

Authentication Header

AH is used to ensure data integrity, origination authentication, and optional anti-replay
protection. AH does not encrypt the IP datagram, so it does not need to use an encryption
algorithm. AH adds a header, which is in clear text, before the protected data, which is the
original packet; its integrity check also covers the fields of the outer IP header that do
not change in transit. AH uses authentication algorithms.

Using L2TP and IPSEC


Introduction

The combination of L2TP and IPSEC, known as L2TP/IPSEC, is a highly secure
technology for making remote access VPN connections across public networks, such as
the Internet. L2TP/IPSEC adds user-level authentication to IPSEC alone, and it uses IPSEC
to provide mutual authentication between the user's computer and the VPN server, and
strong encryption for all of the data exchanged between the client and the server. L2TP
and IPSEC are combined to provide both tunneling and security for IP, IPX, and other
protocol packets across any IP network. Use the L2TP/IPSEC Remote Client Security
Gateway to configure L2TP/IPSEC VPN connections on your appliance.

Note: You can use IPSEC for VPN tunneling without L2TP, but ISS only recommends this
for interoperability, when one of the gateways does not support L2TP or PPTP.

How does L2TP work?

L2TP combines features of PPTP and of Cisco's Layer 2 Forwarding (L2F). L2TP
encapsulates original packets first inside a PPP frame (performing compression when
possible) and then inside a UDP message using port 1701. Because the UDP message is
an ordinary IP payload that L2TP itself does not protect, L2TP relies on IPSEC to secure
the tunnel. IPSEC uses the following protocols:

● the IKE protocol to negotiate security for the L2TP tunnel, using certificate-based or
preshared key authentication
● ESP to encrypt the packet

If the IPSEC main mode and quick mode security associations are successfully established,
L2TP negotiates the tunnel, including compression and user authentication options, and
performs PPP-based user authentication.

What's different when I use L2TP?

The L2TP/IPSEC protocol is different from using IPSEC alone in the following ways:

● the IKE negotiation that protects L2TP authenticates the machines at both ends, with
certificates or a pre-shared key
● L2TP/IPSEC is more secure, because it adds PPP user-level authentication on top of
that machine-level authentication


Security Associations
What security associations define

A Security Association (SA) defines how two hosts communicate with each other using
IPSEC. An SA defines which protocol to use, which encapsulation mode to use, the keys
involved, and how long the keys are valid.

Where maintained

SAs are maintained in an SA database (SADB) for the lifetime of the IPSEC connection,
which can be defined in seconds or in bytes transferred. Each host creates a minimum of
two SAs: SAin and SAout.

Protocols

If the hosts use more than one protocol, such as ESP and AH, then additional pairs of SAs
are created for each protocol. SAs are created either manually and off-line, such as in
manual keying IPSEC, or by a key management protocol, such as IKE.

SAs are deleted when one of the following events occurs:

● the SA lifetime has expired
● keys are compromised
● SA byte transfer limit is reached
● a host requests that the SA be deleted

Key Management
Introduction

There are three basic elements in any encryption system:

● an algorithm that translates information into code
● a cryptographic key that is a secret starting point for the algorithm
● a management system to control the key

Modes supported by IPSEC

IPSEC protects traffic with symmetric session keys that both peers share; public and
private keys are used only during IKE, to authenticate the peers and to agree on those
session keys. IPSEC supports two modes of key exchange:

● manual
● automatic

Manual key management

In manual key management, the key information is input manually by the administrators.
The administrators configure the protocols, supply the key information for each protocol,
and manually input the Security Parameter Index (SPI) values. The key information and
SPI values never expire, so there is no rekeying and no perfect forward secrecy: a key that
is disclosed exposes all traffic ever protected with it.

The shared secret key values must be shared among hosts that may be separated
geographically, so the key information most likely passes over an unsecured medium,
such as email, public mail, or verbally. This type of exchange can be intercepted, allowing
a third party to collect the keys needed to decrypt the traffic on the Internet.

Reference: For configuration procedures, see “Configuring a Manual Key IPSEC Security
Gateway” on page 210.

Security Parameters Index (SPI)

The Security Parameter Index (SPI) is a 32-bit field that uniquely identifies the Security
Association (SA) to which a packet belongs. The SPI is included in clear text with every
packet so that the receiving host can match it (together with the destination address and
the protocol, AH or ESP) to an entry in its SA database (SADB) and retrieve the SA it
needs to check and decrypt the received packet.

SPI values remain the same throughout the IPSEC connection. When the connection is
terminated, the SPI values are reclaimed and may be used again in a new IPSEC
connection.

Automatic key management

Automatic key management uses the Internet Key Exchange (IKE) method, which
authenticates the peers, negotiates the SAs, and replaces the keys when their lifetime in
seconds or kilobytes expires.

Reference: For configuration procedures, see “Configuring an Auto Key IPSEC Security
Gateway” on page 214.
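The inbound processing that the Security Associations, SPI and anti-replay descriptions in this chapter imply, as an added example that is not part of the original guide or of the appliance's own code: the receiver reads the SPI and sequence number from the clear-text ESP header, looks the SA up in its SADB, drops the packet if the SA has exceeded its lifetime in seconds or kilobytes, runs the RFC 4303 sliding-window replay check, verifies the ICV (HMAC-SHA1-96 here) and only then moves the window. The keys, SPI values and packets are constructed; payload encryption is left out because the standard library has no AES, so the payload is treated as opaque ciphertext.

```python
"""Inbound ESP processing against an SA database: SPI lookup, lifetimes,
anti-replay window and ICV check. Added example, not appliance code.
Payload encryption is omitted (no AES in the standard library); the
payload is opaque ciphertext. Keys, SPIs and packets are constructed."""
import hashlib
import hmac
import struct

ESP_HDR = struct.Struct("!II")   # SPI, Sequence Number (both sent in clear)
ICV_LEN = 12                     # HMAC-SHA1-96: 160-bit HMAC truncated to 96 bits

class SecurityAssociation:
    """One direction of an IPSEC connection (SAin or SAout), identified by SPI."""
    def __init__(self, spi, auth_key, life_secs, life_kbytes, window=64):
        self.spi = spi
        self.auth_key = auth_key
        self.life_secs = life_secs
        self.life_bytes = life_kbytes * 1024
        self.bytes_seen = 0
        self.window = window      # RFC 4303 requires at least 32; 64 is a common default
        self.highest = 0          # highest sequence number accepted so far
        self.bitmap = 0           # bit i set: sequence number (highest - i) was accepted

    def expired(self, age_secs):
        return age_secs >= self.life_secs or self.bytes_seen >= self.life_bytes

    def icv(self, authenticated):
        return hmac.new(self.auth_key, authenticated, hashlib.sha1).digest()[:ICV_LEN]

    def replay_ok(self, seq):
        if seq == 0:                      # sequence numbers start at 1
            return False
        if seq > self.highest:
            return True                   # right of the window: new
        diff = self.highest - seq
        return diff < self.window and not (self.bitmap >> diff) & 1

    def replay_update(self, seq):
        """Called only after the ICV verified, so a forged packet cannot move the window."""
        if seq > self.highest:
            shift = seq - self.highest
            if shift < self.window:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            else:
                self.bitmap = 1           # window jumped entirely past the old state
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)

def build_esp(sa, seq, payload):
    """Sender side: ESP header, opaque payload, ICV over header + payload."""
    hdr = ESP_HDR.pack(sa.spi, seq)
    return hdr + payload + sa.icv(hdr + payload)

def process_inbound(sadb, packet, age_secs):
    """Return ('accept', payload) or ('drop:<reason>', None)."""
    if len(packet) < ESP_HDR.size + ICV_LEN:
        return "drop:short", None
    spi, seq = ESP_HDR.unpack_from(packet)
    sa = sadb.get(spi)
    if sa is None:
        return "drop:no-sa", None          # unknown SPI: nothing to check it against
    if sa.expired(age_secs):
        del sadb[spi]                      # lifetime in seconds or KB reached: delete the SA
        return "drop:sa-expired", None
    if not sa.replay_ok(seq):
        return "drop:replay", None         # cheap check before the HMAC
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    if not hmac.compare_digest(icv, sa.icv(body)):
        return "drop:bad-icv", None
    sa.replay_update(seq)
    sa.bytes_seen += len(packet)
    return "accept", body[ESP_HDR.size:]
```

The order of checks is the security-relevant part: an attacker who can inject packets must not be able to advance the window (and so make a peer's legitimate, still-in-flight packets look like replays) without knowing the authentication key, which is why the window is updated only after the ICV verifies.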


Configuring IPSEC Policies


Introduction

This topic describes how to configure IPSEC policies. It includes procedures for the
following tasks:

● adding an IPSEC policy
● editing an IPSEC policy
● removing an IPSEC policy

Configure IPSEC policies on the IPSEC Policy tab.

Reference: See also “IPSEC and IPSEC Policies” on page 194.

Editing firewall and VPN policies when you enable or disable HA

When you enable or disable the HA feature, the appliance uses the virtual IP addresses to
route traffic. The virtual IP address replaces the Local ID data (such as the local IP
address) for each appliance.

If you have created NAT rules, IPSEC policies, security gateways, or other policies that
use this Local ID data, then those policies or rules are invalidated.

When you enable or disable HA, the appliance generates alerts that describe the
invalidated policy. You must edit these policies to include the new IP address
information. Use the alerts on the Alert Event Log page to identify the firewall or VPN
policies that you must edit after you enable or disable the HA feature.

Caution: If you reboot the appliance before you edit these policies, your VPN connections
will not function.

Where configured

Configure IPSEC policies on the IPSEC Policy tab in the Proventia Manager.

Adding an IPSEC policy

To add an IPSEC policy:

1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Settings.
3. Select the IPSEC Policy tab.
4. Click Add.
5. Type a meaningful name for the policy in the Name field.
6. Do one of the following:
■ To enable the policy, select Enabled.
■ To disable the policy, clear the Enabled check box.
Note: The default setting is Enabled if you are adding an IPSEC policy.
7. If needed, type a description of the policy in the Comment field.
8. From the Security Process list, select the security action option for packets on IPSEC
connections that use this policy. The options are as follows:
■ Apply - routes packets through the VPN tunnel
■ Bypass - does not route packets through the VPN tunnel
■ Discard - drops packets


9. Select the IPSEC protocol in the Protocol field. The options are as follows:

Protocol   Description
TCP        Transmission Control Protocol (TCP) applies to connections between two hosts
           that exchange streams of data.
UDP        User Datagram Protocol (UDP) applies to a connection-less protocol that allows
           direct sending and receiving of datagrams over an IP network.
ICMP       Internet Control Message Protocol (ICMP) applies to packets containing error,
           control, and informational messages.
AH         The Authentication Header (AH) provides data integrity, origin authentication,
           and optional replay resistance. Its primary function is to provide
           authentication services. It does not provide any confidentiality.
ESP        Encapsulating Security Payload (ESP) provides several security services,
           including data confidentiality, integrity, origin authentication, and optional
           anti-replay services, as well as limited traffic flow confidentiality.
All        Applies the policy to every protocol. A policy cannot list several specific
           protocols; to cover more than one protocol, select All.

Note: Select the encapsulation mode from the Encapsulation Mode list. The default is
Tunnel. To learn more about encapsulation modes, see “IPSEC Encapsulation Modes”
on page 195.
10. Configure the following information for the policy:
■ source and destination addresses and ports
■ manual key management or automatic key management
11. Click OK.
12. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the Site Protector interface, click OK.

Editing an IPSEC policy

To edit an IPSEC policy:

1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Settings.
3. Select the IPSEC Policy tab.
4. Select the policy to edit, and then click Edit.
5. Continue as described in Steps 5 through 12 of the “Adding an IPSEC policy”
procedure.

Removing an IPSEC policy

To remove an IPSEC policy:

1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Settings.


3. Select the IPSEC Policy tab.
4. Select the policy to remove.
5. Click Remove.
6. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the Site Protector interface, click OK.
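The Security Process choice above (Apply, Bypass, Discard) evaluated against a packet's protocol and address selectors, together with the HA note earlier in this topic that policies bound to the old Local ID become invalid, as an added example that is not part of the original guide or of the appliance's own code. The policy list and packets are constructed; the fail-closed default for traffic that matches no policy is an assumption of this example, because the page does not state the appliance's own behaviour for unmatched traffic.

```python
"""IPSEC policy (SPD) evaluation: first matching enabled policy decides
Apply / Bypass / Discard, plus the HA check for policies whose Local ID is
the address HA replaces. Added example, not appliance code; policies and
packets are constructed. Assumption: unmatched traffic is discarded."""
import ipaddress
from dataclasses import dataclass

@dataclass
class IPsecPolicy:
    name: str
    action: str                   # "apply", "bypass" or "discard"
    protocol: str = "all"         # tcp, udp, icmp, ah, esp or all
    src: str = "0.0.0.0/0"        # source address/mask selector
    dst: str = "0.0.0.0/0"        # destination address/mask selector
    dports: tuple = (0, 65535)    # inclusive destination port range (tcp/udp only)
    local_id: str = ""            # Local ID data (e.g. the local IP) the gateway uses
    enabled: bool = True

def matches(pol: IPsecPolicy, pkt: dict) -> bool:
    """pkt keys: proto, src, dst and, for tcp/udp, dport."""
    if not pol.enabled:
        return False
    if pol.protocol != "all" and pol.protocol != pkt["proto"]:
        return False
    if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(pol.src):
        return False
    if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(pol.dst):
        return False
    if pkt["proto"] in ("tcp", "udp"):
        lo, hi = pol.dports
        if not lo <= pkt.get("dport", -1) <= hi:
            return False
    return True

def evaluate(spd: list, pkt: dict) -> tuple:
    """First enabled matching policy wins, so narrow discard rules must come
    before broad apply/bypass rules. Returns (action, policy name); a packet
    that matches nothing gets ("discard", None), the fail-closed assumption."""
    for pol in spd:
        if matches(pol, pkt):
            return pol.action, pol.name
    return "discard", None

def invalidated_by_ha(spd: list, old_local_ip: str) -> list:
    """Names of policies bound to the Local ID that HA replaces with the virtual
    IP; these are the entries the Alert Event Log tells you to edit."""
    return [p.name for p in spd if p.local_id == old_local_ip]
```

Ordering is the practical point: in the test, DNS to the branch network is captured by the broader tunnel rule before the bypass rule is consulted, which is usually what you want, while the discard rule for SSH to the firewall only works because it sits above the tunnel rule.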

Chapter 14

Security Gateways

Overview

Introduction

This chapter provides information about and procedures for creating and using security
gateways as network objects to configure VPN.

In this chapter

This chapter contains the following topics:

Topic                                                          Page
About Security Gateways                                        204
Configuring an IPSEC Remote Client Security Gateway            207
Configuring a Manual Key IPSEC Security Gateway                210
Configuring an Auto Key IPSEC Security Gateway                 214
Configuring an L2TP/IPSEC Remote Client Security Gateway       218



Chapter 14: Security Gateways

About Security Gateways


Introduction

Use security gateways to define a group of VPN settings. A security gateway is a network
object that you can reuse when configuring VPNs. There are four types of security
gateways on your appliance:

● IPSEC Remote Client
● Auto Key IPSEC
● Manual Key IPSEC
● L2TP/IPSEC Remote Client

Considerations for selecting authentication and encryption methods

Make choices about the security level of the VPN connection based on the type of
information that will be transmitted over the connection. More secure encryption and
authentication algorithm options can require more time and CPU usage to complete.

Consider the following:

● If your information needs to be highly secure, choose more secure methods.
● If your information does not require the highest level of security over the VPN
connection, consider faster options to save time and system resources.

The following examples illustrate this principle:

● A DES encryption algorithm is faster, but less secure, than a 3DES encryption
algorithm. Single DES uses a 56-bit key and should not be used to protect sensitive
data; where both peers support AES, prefer it, since it is both stronger and faster
than 3DES.
● An MD5 authentication algorithm is faster, but less secure, than a SHA1
authentication algorithm.
● A pre-shared key authentication mode is faster, but less secure, than the RSA-signed
or DSS-signed certificate modes, which also avoid distributing a shared secret to
every peer.

Note: You can also use routing to add, edit, or remove a static route for networks behind a
firewall. See “Routing” on page 318.

VPN and high availability considerations

When you enable or disable the HA feature, the appliance uses the virtual IP address to
route traffic. The virtual IP address replaces the Local ID data (such as the local IP
address) for each appliance. If you have created NAT rules, IPSEC policies, security
gateways, or other policies that use this Local ID data, then those policies or rules are
invalidated. When you enable or disable HA, the appliance generates alerts that describe
the invalidated policy. You must edit these policies to include the new IP address
information. Use the alerts on the Alert Event Log page to identify the firewall or VPN
policies that you must edit after you enable or disable the high availability feature.

Important: If you reboot the appliance before you edit these policies, your VPN
connections will not function.


Settings for each gateway type

The following table describes the security settings for each gateway type:

This security gateway...   Contains these areas...   That include these settings...

Auto Key IPSEC             IKE Configuration         • IKE Network Settings
                                                     • IKE Security Settings
                                                     • IKE Remote IDs
                                                     • IKE XAuth
                                                     • IKE OCSP

                           IPSEC Policy              • Encapsulation Mode
                                                     • Perfect Forward Secrecy
                                                     • Security Proposal
                                                     • Advanced Settings

IPSEC Remote Client        IKE Configuration         • IKE Network Settings
                                                     • IKE Security Settings
                                                     • IKE Remote IDs
                                                     • IKE XAuth
                                                     • IKE OCSP

                           IPSEC Policy              • IP ranges for remote peers to use
                                                     • IPSEC template proposal

L2TP/IPSEC Remote Client   L2TP Settings             • Local and remote ID type
                                                     • Local and remote ID data
                                                     • IKE Authentication Method
                                                     • L2TP End Point IP Address
                                                     • Pre-Shared Key

                           IKE Configuration         • Exchange Type (IKE mode)
                                                     • IKE Security Settings

                           IPSEC Policy              • Encapsulation Mode
                                                     • Security Protocol
                                                     • IKE Security Settings

Manual Key IPSEC           Manual key settings       • Encapsulation Mode
                                                     • Peer Security Gateway

                           Local Security Gateway    • Static or Dynamic Local Gateway
                                                       settings

                           AH Configuration          • Authentication Algorithm
                                                     • Inbound and outbound session key
                                                       values
                                                     • SPI values

                           ESP Configuration         • Encryption method (Security
                                                       Protocol - ESP or ESP with Auth)
                                                     • SPI values

                           Advanced                  • Initialization Vector

Table 78: Settings for each gateway type


IKE configuration settings

The following table describes the types of IKE settings to configure for VPN connections:

This IKE setting type...   Defines these VPN components...

Network settings           • the direction of the local peer's communication
                           • the IKE mode (main or aggressive)
                           • the type of data used for authentication
                           • the local peer and remote peer IP addresses

Security settings          • the encryption method
                           • the authentication method
                           • the authentication mode
                           • the lifetime of the encryption and authentication settings
                           • the Diffie-Hellman group associated with the policy

XAuth settings             • secondary user name and password authentication for the IKE
                             session
                           • XAuth uses the following methods for authenticating the pair:
                             —Generic, which uses a built-in local database
                             —RADIUS, which passes the information to a RADIUS server
                           Reference: See “Configuring IKE Policy XAuth” on page 191, and
                           “Configuring the RADIUS Client” on page 161.

Remote IDs                 • up to ten different endpoints for the VPN tunnel
                           • ten endpoints allow up to 10 different users to connect on the
                             same VPN session
                           Reference: See “Configuring IKE Remote IDs” on page 189.

Table 79: IKE configuration settings

Configuring an IPSEC Remote Client Security Gateway


Introduction

This topic describes how to configure an IPSEC Remote Client Security Gateway. This
gateway includes VPN addresses, IKE settings, and IPSEC settings.

Tasks for configuring an IPSEC Remote Client Security Gateway

You must complete the following tasks to configure an IPSEC Remote Client Security
Gateway:

Task   Description
1      Define general settings.
2      Define the IKE configuration.
3      Define the IPSEC policies.

Table 80: Configuration tasks for IPSEC remote client security gateway

Task 1: Define general settings

To define general settings:

1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Settings.
3. Select the Security Gateways tab.
4. Select the IPSEC Remote Client Security Gateway tab.
5. Click Add.
6. Type a meaningful name in the Name field.
Note: You can type up to 32 characters in this field.
7. Type a description of the gateway in the Comment field.
Note: You can type up to 256 characters in this field.

Task 2: Define the IKE Configuration

To define the IKE Configuration:

1. Select the IKE Configuration tab.
2. Select the IKE mode from the Exchange Type list. The options are as follows:
■ Main Mode
■ Aggressive Mode
Reference: See “IKE Modes” on page 185.
3. From the Local ID Type list, select the type of data that the local host sends to the
remote host for authentication.
4. In the Local ID Data field, type the local certificate information that corresponds to
the Local ID Type you selected in Step 3.
5. Type the local peer IP address in the Local IP Address field.
6. Type the remote peer IP address in the Remote IP Address field.
7. Configure the IKE network and security settings.
Reference: See “Configuring IKE Network and Security Settings” on page 187.
8. Configure the Remote IDs. See“Configuring IKE Remote IDs” on page 189.


9. In the XAuth area, configure IKE XAuth.
Reference: See “Configuring IKE Policy XAuth” on page 191.

Task 3: Define the IPSEC Policy

To define the IPSEC Policy:

1. Select the IPSEC Policy tab.
2. Specify up to three ranges of IP addresses in dotted decimal format in the following
fields:
■ First IP Range (specify the starting and ending IP addresses)
■ Second IP Range (specify the starting and ending IP addresses)
■ Third IP Range (specify the starting and ending IP addresses)
Important: The IP address ranges cannot overlap any existing IP addresses in your
network.
3. Do you want to specify one or two Windows Internet Name Service (WINS) servers to
resolve host names?
■ If yes, type the IP addresses for the first and second WINS servers in the Primary
WINS IP and Secondary WINS IP fields.
■ If no, go to Step 4.
4. Do you want to specify one or two Domain Name System (DNS) servers to resolve
host names?
■ If yes, type the IP addresses for the first and second DNS servers in the Primary
DNS IP and Secondary DNS IP fields.
■ If no, go to Step 5.
5. In the Source Address/Mask field, type the IP address and subnet mask on the local
network to which the remote client will have access.
6. Select a Diffie-Hellman group from the PFS Group ID list.
7. Select a security protocol from the Security Protocol list.
8. Select an authentication algorithm from the Authentication Alg list.
9. Select the encryption algorithm from the ESP Alg list.
10. If you selected the encryption method AES, select the AES key length from the AES
Key Length list.
11. Type the number of seconds for which the security proposal is valid in the Life Time
Secs field.
12. Type the number of transmitted kilobytes for which the security proposal is valid in
the Life Time KBytes field.
13. Click OK.
14. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Copying and pasting an IPSEC Remote Client Security Gateway

You can copy and paste a gateway before editing it. This is useful if you want to add a
gateway that is similar to a gateway already in the list. You can also copy and paste
multiple gateways.


To copy and paste a gateway:

1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Settings.
3. Select the Security Gateways tab.
4. Select the IPSEC Remote Client Security Gateway tab.
5. Select the gateway you want to copy.
Note: To select multiple gateways, press the CTRL key, and then select each gateway.
To select a range of gateways, press the SHIFT key, and then select the first and last
gateways in the range.

6. Click the Copy icon.
7. Click the Paste icon.
The appliance copies the gateway to the end of the list.
8. If needed, edit the gateway, and then click OK.
9. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Removing an IPSEC Remote Client Security Gateway

To remove a gateway:

1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Settings.
3. Select the Security Gateways tab.
4. Select the IPSEC Remote Client Security Gateway tab.
5. Select the gateway you want to remove.
6. Click Remove.
7. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Proventia M Series Appliances User Guide Release 2.3 209


Chapter 14: Security Gateways

Configuring a Manual Key IPSEC Security Gateway


Introduction

This topic describes manual key management, and provides the procedure for configuring a Manual Key IPSEC Security Gateway. This gateway allows you to manage encryption keys manually.

Manual key management

In manual key management, the administrator manually inputs the key information. The administrator does the following:

● configures the protocols
● supplies the key information for each protocol
● manually inputs the Security Parameter Index (SPI) values

The key information and SPI values never expire, so they are never rotated: anyone who obtains the keys can decrypt all past and future traffic on the gateway until you change the keys by hand.

The keys must be shared among hosts that may be separated geographically, so the key information most likely passes over an unsecured medium, such as email, postal mail, or a phone call. This type of exchange can be intercepted, allowing a third party to collect the information needed to decrypt the traffic on the Internet. Use manual keys only where the peer cannot use IKE, and choose long random keys rather than memorable strings.

Required and optional tasks for gateway configuration

You must complete the following tasks to create a manual key gateway:

Task Description
1 Define general settings.

2 Define local security gateway settings.

3 Define the AH Configuration (optional).

4 Define the ESP Configuration.

5 Define the Initialization Vector (advanced settings).

Table 81: Required and optional tasks for gateway configuration

Task 1: Define general settings

To define general settings:
1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Settings.
3. Select the Security Gateways tab.
4. Select the Manual Key IPSEC Security Gateways tab.
5. Click Add.
6. Type a meaningful name in the Name field.
Note: You can type up to 32 characters in this field.
7. Type a description of the gateway in the Comment field.
Note: You can type up to 256 characters in this field.
8. Select the encapsulation mode from the Encapsulation Mode list.
Note: See “IPSEC Encapsulation Modes” on page 195.


9. Type the remote gateway IP address in the Peer Security Gateway field.
Note: To use a wildcard IP address, type 0.0.0.0.

Task 2: Define the local security gateway settings

To define the local security gateway settings:

1. Select the Local Security Gateway tab.
2. Are you using a dynamic interface?
■ If yes, select Dynamic Local Gateway, and then type eth1 in the Dynamic Interface
field.
■ If no, select Static Local Gateway, and then type the local gateway IP address in the
Local Security Gateway field.
3. Click OK.
4. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Task 3: Define the AH Configuration (optional)

To define the AH Configuration:
1. Select the AH Configuration tab.
2. Select the Authentication Enabled checkbox.
3. Select the authentication algorithm from the Auth Algorithm list.
4. In the IN Key field, type the string to be used as the inbound session key.
5. In the OUT Key field, type the string to be used as the outbound session key.
6. In the IN SPI field, type the security parameter index for the inbound security association.
7. In the OUT SPI field, type the security parameter index for the outbound security association.
Note: The SPI values for each policy must be unique. The IN key and IN SPI you type here must equal the peer's OUT key and OUT SPI, and your OUT values must equal the peer's IN values; if either pair does not match, the receiving side drops the traffic. Use a key of the length the algorithm expects (for example, 16 bytes for HMAC-MD5 and 20 bytes for HMAC-SHA-1), and do not reuse a key on a second gateway.
8. Click OK.
9. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Task 4: Define the ESP Configuration

To define the ESP Configuration:

1. Select the ESP Configuration tab.
2. Select the Enabled checkbox.
3. Select the encryption method from the Encryption list. The options are as follows:
■ ESP (encryption only)
■ ESP With Auth (encryption plus an integrity check)
Note: Choose ESP With Auth unless you have also enabled AH. ESP without any integrity check lets an attacker alter the ciphertext undetected, and a CBC-mode cipher on its own gives no protection against that tampering.
4. If you selected the encryption method ESP With Auth, select the authentication algorithm from the Auth Algorithm list.
5. In the IN Auth Key field, type the string to be used as the inbound session key.
6. In the OUT Auth Key field, type the string to be used as the outbound session key.


7. Select the encryption algorithm from the ESP Algorithm list.


8. In the IN SPI field, type the security parameter index for the inbound security association.
9. In the OUT SPI field, type the security parameter index for the outbound security association.
Note: The SPI values for each policy must be unique, and, as for AH, the IN values here must equal the peer's OUT values and the OUT values the peer's IN values.
10. In the IN ESP Key field, type the string to be used as the inbound session key.
11. In the OUT ESP Key field, type the string to be used as the outbound session key.
12. Click OK.
13. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.
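The following Python script, added here as an example and not taken from the guide or from ISS, generates the values that Task 3 (AH) and Task 4 (ESP) ask for: random keys of the length each algorithm expects, SPIs outside the reserved range, and the mirror-image set of values the peer administrator must type (the appliance's IN key and IN SPI are the peer's OUT key and OUT SPI, and the reverse). The algorithm names and key sizes are the standard IPSEC ones and are an assumption about the peer, not a list taken from the appliance's menus.

```python
"""Plan a mirrored manual-key IPSEC configuration for two peers.

Added example, not code from the Proventia guide. It assumes only that the
peer's manual keying takes hex keys and numeric SPIs, as the appliance's
IN/OUT Key and IN/OUT SPI fields do. The algorithm names and key sizes are the
standard IPSEC ones (an assumption about the peer, not the appliance's menus).
"""
import secrets

# Key sizes in bytes: HMAC keys per RFC 2403/2404/4868, cipher keys per RFC 2451/3602.
AUTH_KEY_BYTES = {"hmac-md5": 16, "hmac-sha1": 20, "hmac-sha256": 32}
ENC_KEY_BYTES = {"3des-cbc": 24, "aes-cbc-128": 16, "aes-cbc-192": 24, "aes-cbc-256": 32}

SPI_MIN = 256          # SPI values 0-255 are reserved by RFC 4302/4303
SPI_MAX = 2**32 - 1


def random_spi(exclude=()):
    """Return an unreserved 32-bit SPI that is not already used by another policy."""
    while True:
        spi = secrets.randbelow(SPI_MAX - SPI_MIN + 1) + SPI_MIN
        if spi not in exclude:
            return spi


def random_key_hex(nbytes):
    """A fresh random key, hex-encoded, with exactly nbytes bytes of entropy."""
    return secrets.token_hex(nbytes)


def key_length_ok(table, alg, hexkey):
    """True if hexkey is valid hex and decodes to the size alg requires."""
    try:
        return len(bytes.fromhex(hexkey)) == table[alg]
    except (KeyError, ValueError):
        return False


def swap_direction(sa):
    """The peer's view of an SA set: our IN values are its OUT values and vice versa."""
    mirrored = {}
    for field, value in sa.items():
        if field.startswith("in_"):
            mirrored["out_" + field[3:]] = value
        else:
            mirrored["in_" + field[4:]] = value
    return mirrored


def mirrors(local, peer):
    """Check that every local IN value equals the peer's OUT value and the reverse."""
    return swap_direction(local) == peer


def plan_manual_sa(auth_alg, enc_alg=None, used_spis=()):
    """Build the IN/OUT fields for the appliance and the matching fields for the peer.

    auth_alg feeds the AH Auth Algorithm / ESP With Auth key fields; enc_alg, if
    given, feeds the ESP Algorithm key fields. used_spis are SPIs already assigned
    to other policies on the appliance, which must stay unique.
    """
    in_spi = random_spi(used_spis)
    out_spi = random_spi(set(used_spis) | {in_spi})
    local = {
        "in_spi": in_spi,
        "out_spi": out_spi,
        "in_auth_key": random_key_hex(AUTH_KEY_BYTES[auth_alg]),
        "out_auth_key": random_key_hex(AUTH_KEY_BYTES[auth_alg]),
    }
    if enc_alg:
        local["in_esp_key"] = random_key_hex(ENC_KEY_BYTES[enc_alg])
        local["out_esp_key"] = random_key_hex(ENC_KEY_BYTES[enc_alg])
    return {"auth_alg": auth_alg, "enc_alg": enc_alg,
            "local": local, "peer": swap_direction(local)}


if __name__ == "__main__":
    plan = plan_manual_sa("hmac-sha1", "aes-cbc-128", used_spis={0x100})
    for side in ("local", "peer"):
        print(side)
        for field, value in plan[side].items():
            print(f"  {field}: {value}")
```

Run it once per gateway, type the local block into the appliance and hand the peer block to the far-end administrator over a channel you trust, and keep the output out of email and chat: a key reused for a second gateway, or one shorter than the algorithm needs, is exactly the exposure the manual key management section warns about.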

Task 5 (optional): Define the Initialization Vector (advanced settings)

To define the Initialization Vector:

1. Select the Advanced tab.
2. Type the string to be used in the Initialization Vector field.
3. Click OK.
4. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Editing a Manual Key IPSEC Security Gateway

To edit a gateway:

1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Settings.
3. Select the Security Gateways tab.
4. Select the Manual Key IPSEC Security Gateways tab.
5. Select the gateway you want to edit.
6. Click Edit.
7. Make your changes.
8. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Copying and pasting a Manual Key IPSEC Security Gateway

You can copy and paste a gateway before editing it. This is useful if you want to add a gateway that is similar to a gateway already in the list. You can also copy and paste multiple gateways.

To copy and paste a gateway:

1. In the navigation pane, click + to expand the Firewall/VPN node.


2. Select Settings.
3. Select the Security Gateways tab.
4. Select the Manual Key IPSEC Security Gateways tab.


5. Select the gateway you want to copy.


Note: To select multiple gateways, press the CTRL key, and then select each gateway.
To select a range of gateways, press the SHIFT key, and then select the first and last
gateways in the range.

6. Click the Copy icon.

7. Click the Paste icon.


The appliance copies the gateway to the end of the list.
8. Edit the entry, and then click OK.
9. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Removing a Manual Key IPSEC Security Gateway

To remove a gateway:

1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Settings.
3. Select the Security Gateways tab.
4. Select the Manual Key IPSEC Security Gateways tab.
5. Select the gateway you want to remove.
6. Click Remove.
7. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.


Configuring an Auto Key IPSEC Security Gateway


Introduction

This topic describes how to add, edit, remove, or copy and paste an Auto Key IPSEC Security Gateway.

Note: To configure an Auto Key IPSEC Security Gateway, you must configure IKE and
IPSEC settings. Security proposals and advanced settings are optional.

Auto key management

Automatic key management uses the Internet Key Exchange (IKE) method. ISS recommends that you start with Pre-Shared Secrets when you use auto keys. See “IKE Automatic Key Management” on page 182.

Auto Key IPSEC configuration tasks

Complete the following tasks to configure an Auto Key IPSEC Security Gateway:

Task Description

1 Define general settings

2 Define the IKE Configuration

3 Define the IPSEC Policy

Table 82: Auto Key IPSEC configuration tasks

Task 1: Define general settings

To define general settings:
1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Settings.
3. Select the Security Gateways tab.
4. Select the Auto Key IPSEC Security Gateways tab.
5. Click Add.
6. Type a meaningful name in the Name field.
Note: You can type up to 32 characters in this field.
7. Type a description of the gateway in the Comment field.
Note: You can type up to 256 characters in this field.

Task 2: Define the IKE Configuration

To define the IKE Configuration:
1. Select the IKE Configuration tab.
2. Configure the IKE network and security settings.
Reference: See “Configuring IKE Network and Security Settings” on page 187.
3. Configure the Remote IDs.
Reference: See “Configuring IKE Remote IDs” on page 189.
4. In the XAuth area, configure IKE XAuth.
Reference: See “Configuring IKE Policy XAuth” on page 191.


Task 3: Define the IPSEC Policy

To define the IPSEC Policy:
1. Select the IPSEC Policy tab.
2. Select the encapsulation mode from the Encapsulation Mode list.
Note: See “IPSEC Encapsulation Modes” on page 195.
3. Do you want to use Perfect Forward Secrecy?
■ If yes, select the Diffie-Hellman group from the Perfect Forward Secrecy list.
■ If no, select None.
Note: See “The Diffie-Hellman Exchange” on page 186.
4. Do you want to add a security proposal?
■ If yes, go to “Configuring the security proposal” next in this topic.
■ If no, click OK.
5. Do you want to configure advanced settings?
■ If yes, go to “Configuring advanced settings” in this topic.
■ If no, click OK.
6. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Optional: Configure the security proposal

To configure the security proposal:

1. Select the IPSEC Policy tab.
2. In the Security Proposals area, do one of the following:
■ To configure an existing security proposal, select a proposal from the Security
Proposals table, and then click Edit.
■ To create a new proposal, click Add.
3. Select a security protocol from the Security Protocol list.
4. Select an authentication algorithm from the Auth Algorithm list.
5. Select the encryption algorithm from the ESP Algorithm list.
6. If you selected the encryption method AES, then select the AES key length from the
AES Key Length list.
7. If you selected the ESP With Auth and AH security protocol, select an authentication
algorithm from the Auth Algorithm (for ESP With Auth and AH) list.
8. Type the number of seconds for which the security proposal is valid in the Life Time
Secs field.
9. Type the number of transmitted kilobytes for which the security proposal is valid in
the Life Time KBytes field.
Note: A new security association with new keys is created when either the Life Time Secs or Life Time KBytes value expires. If Perfect Forward Secrecy is enabled, the new keys come from a fresh Diffie-Hellman exchange, so an attacker who later recovers the IKE phase 1 secret cannot derive them. If Perfect Forward Secrecy is not enabled, the new keys are derived from the existing phase 1 keying material and the exchanged nonces, so compromise of that material exposes every SA negotiated under it.
10. Click OK.
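The note above on Perfect Forward Secrecy can be made concrete with the IKE quick-mode key derivation from RFC 2409 section 5.5. The Python below is an added example, not code from the guide or the appliance; SKEYID_d (the phase 1 secret) and the quick-mode Diffie-Hellman result are stand-in random byte strings rather than values from a live exchange. It derives a new SA's keying material both ways and shows that an attacker holding SKEYID_d plus the rekey's SPI and nonces (available to anyone who has compromised the phase 1 SA) recomputes the non-PFS keys exactly, but not the PFS keys.

```python
"""Quick-mode keying material with and without PFS, after RFC 2409 section 5.5.

Added example, not code from the Proventia guide. SKEYID_d and the quick-mode
Diffie-Hellman result g(qm)^xy are stand-in random byte strings here, not
values taken from a real IKE exchange; the derivation itself is the RFC's.
"""
import hashlib
import hmac
import secrets

PROTO_AH, PROTO_ESP = 2, 3  # IPSEC DOI protocol identifiers (RFC 2407)


def prf(key, data):
    """The IKE prf: HMAC with the negotiated hash; HMAC-SHA-1 is assumed here."""
    return hmac.new(key, data, hashlib.sha1).digest()


def keymat(skeyid_d, protocol, spi, ni, nr, nbytes, dh_qm=None):
    """KEYMAT = K1 | K2 | ... where
         K1 = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b)
         Kn = prf(SKEYID_d, K(n-1) | [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b)
    and g(qm)^xy is present only when PFS was negotiated (dh_qm is not None)."""
    fixed = (dh_qm or b"") + bytes([protocol]) + spi + ni + nr
    out, block = b"", b""
    while len(out) < nbytes:
        block = prf(skeyid_d, block + fixed)
        out += block
    return out[:nbytes]


def rekey_recoverable(pfs, keylen=36):
    """Model one rekey after a lifetime expires and ask whether an attacker who has
    SKEYID_d (the phase 1 secret) and the rekey's SPI and nonces can reproduce the
    new SA's keys. 36 bytes covers a 16-byte AES-128 key plus a 20-byte HMAC-SHA-1 key.
    Returns True if the attacker's derivation equals the real one."""
    skeyid_d = secrets.token_bytes(20)
    spi, ni, nr = secrets.token_bytes(4), secrets.token_bytes(16), secrets.token_bytes(16)
    dh_qm = secrets.token_bytes(128) if pfs else None  # fresh DH result only with PFS
    real = keymat(skeyid_d, PROTO_ESP, spi, ni, nr, keylen, dh_qm)
    # The attacker has everything except the quick-mode DH secret, so without PFS
    # the inputs are complete; with PFS the best it can do is guess g(qm)^xy.
    attacker_dh = secrets.token_bytes(128) if pfs else None
    guess = keymat(skeyid_d, PROTO_ESP, spi, ni, nr, keylen, attacker_dh)
    return hmac.compare_digest(real, guess)


if __name__ == "__main__":
    print("keys recoverable from phase 1 secret, no PFS:", rekey_recoverable(False))
    print("keys recoverable from phase 1 secret, PFS:   ", rekey_recoverable(True))
```

The lifetime fields bound how much traffic one set of KEYMAT protects; the PFS Group ID decides whether the next set can be reconstructed from the phase 1 secret. Short lifetimes without PFS only multiply SAs that share a single point of compromise.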


Optional: Configure advanced settings

To configure advanced settings:
1. Select the IPSEC Policy tab.
2. In the Advanced Settings area, select Enabled.
3. Do you want to create security associations based on packet values?
■ If yes, select PKT_VAL for the desired security association selectors.
■ If no, go to the next step.
4. Do you want to create security associations based on security policy database values?
■ If yes, select SPD_VAL for the desired security association parameters.
■ If no, click OK.

Copying and pasting an Auto Key IPSEC Security Gateway

You can copy and paste a gateway before editing it. This is useful if you want to add a gateway that is similar to a gateway already in the list. You can also copy and paste multiple gateways.

To copy and paste a gateway:

1. In the navigation pane, click + to expand the Firewall/VPN node.


2. Select Settings.
3. Select the Security Gateways tab.
4. Select the Auto Key IPSEC Security Gateways tab.
5. Select the gateway you want to copy.
Note: To select multiple gateways, press the CTRL key, and then select each gateway.
To select a range of gateways, press the SHIFT key, and then select the first and last
gateways in the range.

6. Click the Copy icon.

7. Click the Paste icon.


The appliance copies the gateway to the end of the list.
8. Edit the entry, and then click OK.
9. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Copying and pasting a security proposal

You can copy and paste a security proposal before editing it. This is useful if you want to add a proposal that is similar to a proposal already in the list. You can also copy and paste multiple proposals.

To copy and paste a security proposal:

1. Select the IPSEC Policy tab.


2. In the Security Proposals area, select the proposal you want to copy.
Note: To select multiple proposals, press the CTRL key, and then select each proposal.
To select a range of proposals, press the SHIFT key, and then select the first and last
proposals in the range.


3. Click the Copy icon.

4. Click the Paste icon.


The appliance copies the proposal to the end of the list.
5. If needed, edit the proposal, and then click OK.
6. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Removing an Auto Key IPSEC Security Gateway

To remove a gateway:

1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Settings.
3. Select the Security Gateways tab.
4. Select the Auto Key IPSEC Security Gateways tab.
5. Select the gateway you want to remove.
6. Click Remove.
7. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.


Configuring an L2TP/IPSEC Remote Client Security Gateway


Introduction

This topic describes how to configure an L2TP/IPSEC Remote Client Security Gateway. This gateway includes IKE and IPSEC information.

Tasks

You must complete the following tasks to configure an L2TP/IPSEC Remote Client Security Gateway:

● Configure general settings.


● Define the IKE Configuration.
● Define the IPSEC Policy.

Note: You can configure only one L2TP/IPSEC Remote Client Security Gateway.

Task 1: Define general settings

To define general settings:
1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Settings.
3. Select the Security Gateways tab.
4. Select the L2TP/IPSEC Remote Client Security Gateway tab.
5. Click Add.
6. Type a meaningful name in the Name field.
Note: You can type up to 32 alphanumeric characters in this field.
7. Type a description of the policy in the Comment field.
Note: You can type up to 256 alphanumeric characters in this field.
8. Type the IP address that the appliance will assign to the local L2TP tunnel endpoint in
the L2TP End Point IP Address field.
Important: The L2TP End Point IP Address is the IP address for the appliance side of
the L2TP VPN tunnel. This IP address is the endpoint of the local VPN connection.
The L2TP endpoint IP address for the appliance must be a fixed, globally unique IP
address, and should not be in the L2TP IP Address Pool or used for any other
interface on the appliance.
Examples:
L2TP End Point IP Address: 192.168.2.1
L2TP IP Address Pool: 192.168.2.2-192.168.2.254.
9. To disable L2TP tunnel authentication, select the Disable L2TP Tunnel Authentication checkbox.
Note: ISS recommends that you keep the default setting of Disabled. This setting controls only L2TP's own tunnel authentication; the IPSEC layer still authenticates the peer through IKE before any L2TP traffic is accepted.
10. Type the host name of the appliance in the L2TP Host Name field.
Note: When you configure the L2TP Host Name for an L2TP/IPSEC Remote Client
Security Gateway, this value is the host name of the appliance. You configured this
host name when you configured the appliance, and you can view this Device Name in
the top right corner of the Home Page in Proventia Manager.
Example: Device Name: myappliance.mycompany.com
11. Go to Task 2: Define the IKE Configuration.


Task 2: Define the IKE Configuration

To define the IKE Configuration:
1. Select the IKE Configuration tab.
2. Select the IKE mode from the Exchange Type list. The options are as follows:
■ Main Mode
■ Aggressive Mode
Note: See “IKE Modes” on page 185.
3. Select an option from the Local ID Type list as shown in the following table:

ID Type Description Example

IP Address Dotted decimal format. Important: Use this option for most Windows L2TP/IPSEC clients. 172.16.106.34

FQDN Fully Qualified Domain Name mycomputer.test.iss.net

User FQDN User Fully Qualified Domain Name ima.user@iss.net

DER ASN1 DN Distinguished Name made up of /C (country), /S (state or province), /L (locality or city), /O (organization or business), /OU (organizational unit or department), and /CN (common name) /C=US /S=GA /L=Atlanta /O=ISS /OU=QA /CN=mycomputer

4. In the Local ID Data field, type the local identity (for certificate authentication, the value as it appears in the local certificate) that corresponds to the Local ID Type you selected in Step 3.
Important: For most Windows L2TP/IPSEC clients, type the external IP address of
the appliance in this field.
5. Select an option from the Remote ID Type list.
Important: For Windows L2TP/IPSEC clients that use dynamic IP addresses, select IP
Address from this list.
Note: Local ID Type and Remote ID Type have the same options. See table in Step 3.
6. In the Remote ID Data field, type the remote certificate information that corresponds
to the Remote ID Type you selected previously.
Important: For Windows L2TP/IPSEC clients that use dynamic IP addresses, type
0.0.0.0 in this field. This Remote ID entry allows any IP address as the originating
peer of the IPSEC component of the VPN tunnel.
7. Select the encryption method from the Encryption Algorithm list.
8. If you selected the encryption method AES, then select the AES key length from the
AES Key Length list.
9. Select the authentication method from the Authentication Algorithm list.
10. Select the authentication mode from the Authentication Mode list.
Note: The authentication mode defines how the local peer will identify itself to the
remote peer. The options are as follows:
■ Pre-Shared Key


■ DSS Signed
■ RSA Signed
11. Did you select the Pre-Shared Key authentication mode?
■ If yes, type a text string in the Pre-Shared Key field.
■ If no, go to the next step.
Note: Type a minimum of 8 alphanumeric characters in this field. Do not use symbols. Choose a long, random value: the pre-shared key is the only secret protecting the IKE exchange, and a short or guessable key can be recovered offline from a captured aggressive-mode exchange. You must share this Pre-Shared Key with the VPN peers before they can establish a VPN connection. Pre-Shared Key is not supported in Main mode. See “IKE Modes” on page 185.
12. Type the number of seconds for which the encryption and authentication settings for
phase I of IKE are valid in the Life Time Secs field.
Tip: For more information about phases in IKE, See “IKE Automatic Key
Management” on page 182.
13. Select the Diffie-Hellman group from the DH Group Descriptor list.
14. Configure IPSEC settings, next in this topic.
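Mismatched ID type and ID data is a common reason an IKE negotiation fails before the IPSEC policy is ever reached. The Python below is an added example, not code from the guide or the appliance, that checks a value against the ID types in the table in Step 3 and recognises the 0.0.0.0 remote-ID wildcard from Step 6. The syntax rules it applies (IPv4 dotted decimal, hostname labels, user@host, and the slash-separated DN components the table lists) are general ones and an assumption about how the appliance parses the field.

```python
"""Check IKE identity values of the kind entered in the Local/Remote ID Type and
ID Data fields.

Added example, not code from the Proventia guide. The type names match the
guide's table; the validation rules are the general ones for each identity
form and are assumed, not taken from the appliance.
"""
import ipaddress
import re

LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
DN_KEYS = ("C", "S", "L", "O", "OU", "CN")  # the components the guide's table lists


def is_ipv4(value):
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False


def is_fqdn(value):
    """Two or more hostname labels, each 1-63 chars, no leading/trailing hyphen."""
    labels = value.rstrip(".").split(".")
    return 0 < len(value) <= 253 and len(labels) >= 2 and all(LABEL.match(l) for l in labels)


def is_user_fqdn(value):
    """user@host where host is itself an FQDN."""
    user, sep, host = value.partition("@")
    return bool(sep) and bool(user) and " " not in user and is_fqdn(host)


def parse_dn(value):
    """Parse '/C=US /S=GA /L=Atlanta /O=ISS /OU=QA /CN=mycomputer' into (key, value) pairs.

    Raises ValueError on an unknown key, a missing '=', or an empty value."""
    pairs = []
    for part in re.split(r"\s*/", value.strip()):
        if not part:
            continue
        key, sep, val = part.partition("=")
        if not sep or key.upper() not in DN_KEYS or not val.strip():
            raise ValueError(f"bad DN component: {part!r}")
        pairs.append((key.upper(), val.strip()))
    if not pairs:
        raise ValueError("empty DN")
    return pairs


def validate_id(id_type, data):
    """True if data is well-formed for the selected ID type."""
    if id_type == "IP Address":
        return is_ipv4(data)
    if id_type == "FQDN":
        return is_fqdn(data)
    if id_type == "User FQDN":
        return is_user_fqdn(data)
    if id_type == "DER ASN1 DN":
        try:
            parse_dn(data)
            return True
        except ValueError:
            return False
    return False


def remote_id_accepts_any_address(id_type, data):
    """The guide's wildcard for Windows clients on dynamic addresses: IP Address, 0.0.0.0."""
    return id_type == "IP Address" and data == "0.0.0.0"


if __name__ == "__main__":
    for id_type, data in [("IP Address", "172.16.106.34"), ("FQDN", "mycomputer.test.iss.net"),
                          ("User FQDN", "ima.user@iss.net"),
                          ("DER ASN1 DN", "/C=US /S=GA /L=Atlanta /O=ISS /OU=QA /CN=mycomputer"),
                          ("IP Address", "mycomputer.test.iss.net")]:
        print(f"{id_type:12} {data!r:60} valid={validate_id(id_type, data)}")
```

Treat a True from remote_id_accepts_any_address as a reminder rather than a pass: with the wildcard, the pre-shared key (or certificate) is all that distinguishes your clients from any other host on the Internet that reaches the appliance's external address.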

Task 3: Define the IPSEC Policy

To define the IPSEC Policy:
1. Select the IPSEC Policy tab.
2. Select the encapsulation mode from the Encapsulation Mode list.
Note: See “IPSEC Encapsulation Modes” on page 195.
3. Select a security protocol from the Security Protocol list.
4. Select an authentication algorithm from the Authentication Algorithm list.
5. Select an encryption algorithm from the Encryption Algorithm list.
6. If you selected the encryption method AES, then select the AES key length from the
AES Key Length list.
7. Type the number of seconds for which the security proposal is valid in the Life Time
Secs field.
8. Type the number of transmitted kilobytes for which the security proposal is valid in
the Life Time KBytes field.
9. Click OK.
10. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Editing an L2TP/IPSEC Security Gateway

To edit a gateway:

1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Settings.
3. Select the Security Gateways tab.
4. Select the L2TP/IPSEC Security Gateways tab.
5. Select the gateway.
6. Click Edit.


7. Make your changes.


8. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Removing an L2TP/IPSEC Security Gateway

To remove a gateway:

1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Settings.
3. Select the Security Gateways tab.
4. Select the L2TP/IPSEC Security Gateways tab.
5. Select the gateway.
6. Click Remove.
7. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Chapter 15

Managing Certificates

Overview
Introduction

This chapter describes how to manage certificates on the appliance.

In this chapter

This chapter contains the following topics:

Topic Page

About Certificates 224

About the Certificate Management Page 226

Installing a Trusted Certificate Authority 227

Removing a Trusted Certificate Authority Certificate 228

Requesting a Self Certificate 229

Installing a Self Certificate 230

Installing a Certificate Revocation List 232

Removing a Certificate Revocation List 233


About Certificates
Introduction

A security certificate, whether it is a personal certificate or a Web site certificate, binds an identity to a public key. Only the owner of the certificate holds the corresponding private key. The private key lets the owner make a digital signature or decrypt information that was encrypted with the corresponding public key. When you send your certificate to other people, you are actually giving them your public key, so they can send you encrypted information that only you can decrypt with your private key, and verify the signatures you make with it.

The certificate, together with the signature a certification authority places on it, is your electronic identity card. This topic describes the certificate terminology and processes.

Before you can start sending encrypted or digitally signed information, you must obtain a certificate and configure the software that will use it (Internet Explorer, in the case of a browser). When you visit a secure Web site (one whose address starts with “https:”), the site automatically sends you its certificate.

Security certificates are issued by independent certification authorities (CAs). There are different classes of security certificates, each one providing a different level of assurance about the holder's identity. You can obtain your personal security certificate from a CA.

DSA certificate requirement

All DSA certificate requests must be signed by a CA that uses DSA to sign certificates. If a DSA certificate is signed by an RSA CA, then the certificate will fail to insert into the certificate repository.

Terminology

The following table describes some certificate abbreviations:

Term Definition

Digital Signature Algorithm (DSA) An asymmetric cryptographic algorithm that produces a digital signature in the form of a pair of large numbers. The signature is computed using rules and parameters such that the identity of the signer and the integrity of the signed data can be verified.

Rivest-Shamir-Adleman (RSA) An algorithm for asymmetric cryptography, invented in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman.

Table 83: Certificate terminology

Process overview

Table 84 describes the tasks required to install and manage certificates on the appliance:

If you want to… Then see…

Install a trusted certificate authority certificate on the appliance “Installing a Trusted Certificate Authority” on page 227

Remove a trusted certificate authority certificate from the appliance “Removing a Trusted Certificate Authority Certificate” on page 228

Request a self certificate from a Certificate Authority “Requesting a Self Certificate” on page 229

Install self certificates “Installing a Self Certificate” on page 230

Remove self certificates “Removing a Self Certificate” on page 231

Install a certificate revocation list “Installing a Certificate Revocation List” on page 232

Remove a certificate revocation list “Removing a Certificate Revocation List” on page 233

Table 84: Certificate tasks


About the Certificate Management Page


Introduction

Use the Certificate Management page to access subpages to:

● install certificates
● request certificates
● remove certificates
● view information about certificates

Certificate Management Page icons

Table 85 describes icons that may appear on the certificate pages:

Icon Description

If this icon appears next to a field on this page, then data is required in the
field or the data in the field is invalid. If the icon appears next to a policy or
a tab on this page, then the policy or tab contains invalid settings or empty
fields that require data.

If this icon appears at the top of a list, you can select an item in the list and
click the icon to move the item toward the top of the list.

If this icon appears at the top of a list, you can select an item in the list and
click the icon to move the item toward the bottom of the list.

If this icon appears at the top of a list, you can select an item in the list and
click the icon to copy the item to the clipboard.

If this icon appears at the top of a list, you can select a position in the list and click the icon to paste the item from the clipboard into the list. Then, you can edit the pasted item.

Table 85: Certificate Management Page icons


Installing a Trusted Certificate Authority


Introduction

To use certificates from your trusted certificate authority, you must install the certificate on the appliance. Installing the certificate on the appliance adds the authority to the trusted certificate authority list.

Install trusted certificate authority certificates using the Trusted Certificate Authority
Certificates page.

Prerequisite

Before you install a trusted certificate authority certificate, you must download the certificate file from your chosen certificate authority. Confirm the certificate's fingerprint with the CA through a channel other than the download itself, because any peer holding a certificate issued by a CA in the trusted list can authenticate to the appliance's VPN.

Installing a trusted certificate authority

To install a trusted certificate authority certificate:

1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Certificate Management.
3. Select Trusted Certificate Authority.
The Trusted Certificate Authority Certificates page appears.
4. Click Browse, and locate the certificate you received from your trusted certificate
authority.
5. Click Open.
6. Click Upload.
The file is added to the list of Trusted Certificates.
7. Click Save Changes.


Removing a Trusted Certificate Authority Certificate


Introduction

Remove a trusted certificate authority certificate using the Trusted Certificate Authority Certificates page.

Removing a trusted certificate authority certificate

To remove a trusted certificate authority certificate:

1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Certificate Management.
3. Select Manage Trusted Certificate Authorities.
4. In the Trusted Certificates list, select the certificate to remove.
5. Click Remove.
The file is removed from the list of Trusted Certificates.
6. Click Save Changes.


Requesting a Self Certificate


Introduction

A self certificate is a public key certificate that you request from your Certificate Authority (CA). This topic describes how to request a self certificate.

Process overview

The following stages describe the process of creating a self certificate:

Stage Description

1 Generate a certificate request on the appliance. The private key is generated at the same time and stays on the appliance.

2 Send the certificate request, which contains only the public key and the subject information, to your CA. Never send the private key.

3 Your CA sends the signed public certificate file to you.

4 You upload the public certificate file to the appliance, which pairs it with the private key by Key ID.

Table 86: Process for creating a self certificate

Prerequisite

Before you create a self certificate, you must have a trusted certificate authority certificate installed.

Reference: For more information, see “Installing a Trusted Certificate Authority” on page 227. For information on supported authentication algorithms, see “Authentication algorithms” on page 183.

Generating a certificate request

To generate a certificate request:
1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Certificate Management.
3. Select Create Self Certificates.
4. Click Generate Certificate Request.
5. Type one or more alphanumeric characters in the Key ID field to help you identify
the certificate request.
6. Type a meaningful description for the request in the Subject field.
7. Type your department name or number in the Department field.
8. Type your company or organization name in the Organization field.
9. Type your City, State, Postal Code, and Country Code in the appropriate fields.
Note: The Country Code is the two-letter ISO 3166 code. For example, US is the country code for the United States of America.
10. Type the email address to which the CA should send the certificate in the E-mail field.
11. Type your company domain name in the Domain Name field.
12. Type the external IP address of the appliance in the IP Address field.
13. Select the key and signature algorithm (RSA or DSA) from the Algorithm list.
Note: A DSA request must be signed by a CA that signs with DSA. See “DSA certificate requirement” on page 224.
14. Select a key length from the Key Length list.
15. Click Submit Request.
The request is added to the Certificate Requests list and is arranged by the Key ID
(Private Key Name).


Installing a Self Certificate


Introduction

You must install (or upload) self certificates on the appliance before they appear in the Self Certificate Certificates page.

Prerequisite

Before you can install a self certificate, you must have downloaded your certificate file from your Certificate Authority.

Reference: For more information, see “Requesting a Self Certificate” on page 229.

Uploading your public certificate

To upload your public certificate:
1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Certificate Management.
3. Select Create Self Certificates.
4. Type the Private Key Name (Key ID) in the Private Key Number field.
5. Click Browse.
6. Locate the certificate, and then click Open.
7. Click Upload.
The certificate is installed on the appliance, and the Self Certificate Certificates page
appears.


Removing a Self Certificate


Introduction

Remove self certificates using the Self Certificates page.

Removing a self certificate

To remove a self certificate:
1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Certificate Management.
3. Select Manage Self Certificates.
4. In the Self Certificates list, select the certificate to remove.
5. Click Remove.
6. Click Save Changes.


Installing a Certificate Revocation List


Introduction

The appliance uses the certificate revocation list to validate certificates.

Note: The appliance does not require a certificate revocation list, so not installing one does not affect the functionality of the appliance. It does mean, however, that a certificate its CA has since revoked is still accepted.

How the appliance uses the certificate revocation list
When the appliance receives a certificate from a remote peer on a VPN tunnel, it verifies
that a known CA issued the certificate. Then, the appliance compares the certificate to the
certificate revocation list that is locally installed. If the certificate list indicates that the
certificate is still valid, then the appliance accepts the connection. If the certificate is
invalid, then the appliance rejects the connection.

If the CA is unknown, the appliance assumes that the certificate is valid and accepts the
connection.
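The decision sequence described above, modelled in Python as an added example; this is not code from the appliance or from ISS, and the class names, field names, the sample CA name and the serial numbers are assumptions constructed for the example. It makes two consequences of the described behaviour checkable: a certificate from a CA that is not installed as trusted is accepted without any revocation check, and with no CRL installed every certificate from a known CA is accepted. The expiry check and the stale-CRL reason go beyond the text and are labelled as additions in the comments.

```python
"""Model of the certificate revocation check the text describes.

Added example; it is NOT the appliance's own code, and the page does not
publish how the appliance implements the check. The class and field names
below are assumptions chosen for the example. The decision order follows
the text: was the certificate issued by a known CA, and is it listed in a
locally installed CRL? A CRL is optional, so an empty CRL list is allowed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Certificate:
    issuer: str          # distinguished name of the issuing CA
    serial: int          # serial number assigned by that CA
    not_after: datetime  # expiry time (timezone-aware)


@dataclass
class RevocationList:
    issuer: str                               # CA that signed this CRL
    revoked_serials: Set[int] = field(default_factory=set)
    next_update: Optional[datetime] = None    # CRL nextUpdate field, if present


def evaluate_peer_certificate(cert: Certificate, known_cas: Set[str],
                              crls: List[RevocationList],
                              now: Optional[datetime] = None) -> Tuple[bool, str]:
    """Return (accept, reason) for a certificate presented by a VPN peer.

    known_cas: issuer names of the CA certificates installed as trusted.
    crls: CRLs installed on the appliance; may be empty.
    """
    now = now or datetime.now(timezone.utc)
    if cert.not_after < now:
        # Expiry is not mentioned in the text; added here as an assumed
        # basic validity check that any X.509 validator performs.
        return False, "certificate expired"
    if cert.issuer not in known_cas:
        # Behaviour stated in the text: an unknown CA is treated as valid.
        # Defensive consequence: every CA whose certificates must be
        # revocation-checked has to be installed as a trusted CA first.
        return True, "issuer unknown; accepted without revocation check"
    for crl in crls:
        if crl.issuer != cert.issuer:
            continue                      # CRL belongs to a different CA
        stale = crl.next_update is not None and crl.next_update < now
        if cert.serial in crl.revoked_serials:
            return False, "serial listed in CRL" + (" (CRL is stale)" if stale else "")
        if stale:
            # A stale CRL cannot prove the certificate was not revoked after
            # its nextUpdate; the reason makes that visible to the operator.
            return True, "not listed, but installed CRL is past nextUpdate"
    return True, "issuer known; not listed in any installed CRL"


def demo_decisions() -> dict:
    """Evaluate constructed sample certificates against one trusted CA and one CRL."""
    now = datetime(2005, 6, 1, tzinfo=timezone.utc)
    later = datetime(2006, 1, 1, tzinfo=timezone.utc)
    ca = "CN=Example Corp Root CA"            # constructed CA name
    known = {ca}
    crl = RevocationList(issuer=ca, revoked_serials={4, 9},
                         next_update=datetime(2005, 7, 1, tzinfo=timezone.utc))
    old_crl = RevocationList(issuer=ca, revoked_serials={9},
                             next_update=datetime(2005, 1, 1, tzinfo=timezone.utc))
    good = Certificate(ca, 7, later)
    revoked = Certificate(ca, 4, later)
    unknown = Certificate("CN=Unlisted CA", 4, later)
    expired = Certificate(ca, 7, datetime(2005, 1, 1, tzinfo=timezone.utc))
    return {
        "good": evaluate_peer_certificate(good, known, [crl], now),
        "revoked": evaluate_peer_certificate(revoked, known, [crl], now),
        "unknown_ca": evaluate_peer_certificate(unknown, known, [crl], now),
        "expired": evaluate_peer_certificate(expired, known, [crl], now),
        "no_crl_installed": evaluate_peer_certificate(revoked, known, [], now),
        "stale_crl": evaluate_peer_certificate(good, known, [old_crl], now),
    }


if __name__ == "__main__":
    for name, (accept, reason) in demo_decisions().items():
        print(f"{name:18s} accept={accept!s:5s} {reason}")
```

The "unknown_ca" and "no_crl_installed" entries are the ones to look at when deciding which CA certificates and CRLs to install: in both cases the connection is accepted, so the revocation check only protects peers whose CA is installed as trusted and whose CRL is kept current.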

Prerequisite Before you can install a certificate revocation list, you must download it from your CA's
Web site.

Installing a certificate revocation list
To install a certificate revocation list:

1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Certificate Management.
3. Select Manage Certificate Revocation List.
4. Click Browse.
5. Locate the certificate revocation list, and then click Open.
6. Click Upload.
The list is added to the Certificate Revocation List.
7. Click Save Changes.

Removing a Certificate Revocation List


Introduction Use the Trusted Certificate Authority Certificates page to remove a certificate revocation
list.

Removing a certificate revocation list
To remove a certificate revocation list:

1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Certificate Management.
3. Select Manage Certificate Revocation List.
4. In the Certificate Revocation List, select the list to remove.
5. Click Remove.
6. Click Save Changes.

Chapter 16

Antivirus Settings

Overview
Introduction This chapter explains how to enable and configure the Proventia Integrated Security
Appliance antivirus module. Antivirus software provides protection against viruses sent
in emails on POP3 and SMTP protocols. It also provides protection against viruses on the
HTTP and FTP protocols. The antivirus software checks all email traffic passing through
your network, protecting you from the mass mailing of viruses. The antivirus software
quarantines infected email and attachments at the gateway, protecting WANs and LANs
from viruses before they enter or leave your network.

Important: The antivirus software does not scan encrypted files. Users may inadvertently
download viruses sent in emails when they check their personal email over secure Web
interfaces.

In this chapter This chapter contains the following topics:

Topic Page

About Antivirus Settings 236

Enabling and Configuring the Antivirus Software 239

Quarantine File Management 243


About Antivirus Settings


Introduction Antivirus provides protection against the threat of email-borne viruses on POP3 and
SMTP protocols. It also provides protection against viruses on the HTTP and FTP
protocols. The antivirus software checks all email traffic passing through your network,
providing protection against mass mailing viruses. The antivirus software quarantines
infected email and attachments at the gateway, protecting WANs and LANs from viruses
before they enter or leave your network.

General exceptions The antivirus software does not scan encrypted or password-protected files.

Available options Table 87 describes the options available for configuring antivirus settings:

If you want to…                                             Then see…

Review the status of antivirus settings                     “About Antivirus Settings” on page 236

Enable or disable antivirus software, set protocols,        “Enabling and Configuring the Antivirus Software”
and configure alert messages                                on page 239

Add and edit relay IP addresses                             “Configuring the SMTP Proxy Server” on page 99

Edit local domains                                          “Configuring the SMTP Proxy Server” on page 99

Table 87: Antivirus settings options

Antivirus status page
The Antivirus Status page displays data for antivirus software status and statistics.
Table 88 defines the data included on the antivirus status page:

Statistic                            Definition

Antivirus Cache Daemon Enabled       Status of the antivirus cache daemon. The antivirus cache daemon is
                                     enabled when the antivirus software is enabled. The antivirus cache
                                     daemon runs in the background and improves file scanning speed.

Antivirus Cache Daemon State         Current state of the antivirus cache daemon. The possible statuses for
                                     all items involving a “State” are:
                                     • active
                                     • stopped
                                     • unknown

Antivirus Quarantine Daemon Enabled  Status of the antivirus quarantine daemon. The antivirus quarantine
                                     daemon runs in the background and periodically deletes files from the
                                     quarantine directory.
                                     The default setting for the antivirus quarantine daemon is enabled. You
                                     can change the default setting with a tuning parameter. See
                                     “Configuring Antivirus Advanced Parameters” on page 385.

Antivirus Quarantine Daemon State    Current state of the antivirus quarantine daemon

HTTP Enabled                         Whether the antivirus software is monitoring for HTTP-transmitted
                                     viruses. See “Configuring Antivirus Advanced Parameters” on page 385.

HTTP State                           Current state of HTTP monitoring

FTP Enabled                          Whether the antivirus software is monitoring for FTP-transmitted viruses

FTP State                            Current state of FTP monitoring

SMTP Enabled                         Whether the antivirus software is monitoring for SMTP-transmitted viruses

SMTP State                           Current state of SMTP monitoring

POP3 Enabled                         Whether the antivirus software is monitoring for POP3-transmitted viruses

POP3 State                           Current state of POP3 monitoring

Table 88: Antivirus status

Antivirus statistics Table 89 defines antivirus statistics:

Statistic Definition

Virus Signatures Number of viruses that the current version of antivirus software detects

Poll Time Date and time that the appliance last polled the ISS Web site for antivirus
signature updates

Signature Date Date and time of the last antivirus signature update

Total Blocked Total number of viruses blocked on all enabled protocols since the antivirus
software was last enabled

FTP Blocked Number of FTP-transmitted viruses blocked since the antivirus software
was last enabled

HTTP Blocked Number of HTTP-transmitted viruses blocked since the antivirus software
was last enabled

SMTP Blocked Number of SMTP-transmitted viruses blocked since the antivirus software
was last enabled

POP3 Blocked Number of POP3-transmitted viruses blocked since the antivirus software
was last enabled

Unknown Blocked Number of unknown types of viruses blocked since the antivirus software
was last enabled

Last Detect Date and time the last virus was detected

Total Checked Total number of files checked for viruses since the antivirus software was
last enabled

Last Check Date and time the last file was checked for viruses

Table 89: Antivirus statistics

Note: If the antivirus software is not enabled, antivirus statistics do not appear on this
page.

Refreshing the statistics
You can refresh the statistics on the Antivirus Status page manually or automatically at
certain intervals. The refresh data options are as follows:

● Refresh Now (manually refreshes the page)
● every 10 seconds
● every 20 seconds
● every 30 seconds
● every 1 minute
● every 2 minutes
● Auto Off (disables automatic refreshing)

To refresh the statistics on the Antivirus Status page:

● Select one of the options from the Refresh Data list.


The Antivirus Status page displays the latest statistics.

Enabling and Configuring the Antivirus Software


Introduction This topic describes how to do the following:

● Enable or disable the antivirus software.
● Select the proxy protocols it protects.
● Configure alert messages.

Proxies The process that examines and forwards packet traffic for a protocol is called a proxy. You
can enable or disable proxy protocols when you configure the antivirus software, but you
can use proxy redirection rules to specify the direction of the network traffic that the
appliance inspects on those protocols. See “About Proxy Redirection Rules” on page 121.

Caution: If these protocols are set up in your network on non-standard ports, then the
protocols are not protected.

The following table describes the proxy protocols that the antivirus software protects when
they are set up on standard ports:

This proxy...   Is used to...                                                   And is configured on this page...

SMTP            Transparently scan files for the Antivirus and Antispam         Service Configuration
                modules. This proxy blocks viruses and spam.
                You must configure the SMTP proxy server to use the
                Antivirus module.

HTTP            Connect your network to the Internet in order to access the    Service Configuration
                ISS download center and the ISS database server. You must
                configure the HTTP proxy to do any of the following:
                • receive appliance updates
                • use Web Filters
                • use Antispam

FTP             Inspect network traffic for viruses                             Firewall/VPN Settings
                                                                                (Proxy Redirection tab)

POP3            Inspect email traffic for viruses                               Firewall/VPN Settings
                                                                                (Proxy Redirection tab)

Table 90: Proxy protocols protected by the antivirus software

Important protocol considerations
Consider the following when you configure the antivirus software:
● When you enable a protocol, you must enable the proxy redirection rules for that
protocol. Some proxy redirection rules are included by default. See “About Proxy
Redirection Rules” on page 121.
● If protocols are set up in your network on non-standard ports, then you must
configure proxy redirection rules to control inbound or outbound traffic for those
ports.


HTTP file extensions to exclude from the HTTP Antivirus List
The antivirus software does not scan image files with specific extensions on the HTTP
protocol. These extensions are listed in the File Extensions Excluded from HTTP Antivirus
list on the Antivirus Protection Settings page. When you exclude a file extension from the
antivirus list, then files of this type are not scanned by the antivirus software. The default
list includes common file types such as images, music files, or other files. You can add,
edit, or remove file extensions from the list.
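A small model of the exclusion check, added here as an example for reviewing your own list; it is not the appliance's code. The page states only that files whose extension is on the list are not scanned, so how the appliance derives the extension from a request is an assumption of this model (path component of the URL, query string ignored, case-insensitive comparison, no extension means scan). The exclusion list and the sample URLs are constructed for the example.

```python
"""Model of the HTTP file-extension exclusion check.

Added example, not the appliance's code: the page says only that files whose
extension is in the "File Extensions Excluded from HTTP Antivirus" list are
not scanned. How the appliance derives the extension is not published, so
this model assumes: the extension comes from the URL path (query string
ignored), matching is case-insensitive, and a path with no extension is
always scanned. The exclusion list below is constructed for the example.
"""
from urllib.parse import urlsplit

# Constructed sample list in the spirit of the default (images, music);
# the real default list is on the Antivirus Protection Settings page.
EXCLUDED_EXTENSIONS = {"jpg", "jpeg", "gif", "png", "mp3"}


def path_extension(url: str) -> str:
    """Return the lower-cased extension of the last path segment, or ''."""
    name = urlsplit(url).path.rsplit("/", 1)[-1]
    if "." not in name or name.endswith("."):
        return ""
    return name.rsplit(".", 1)[-1].lower()


def should_scan(url: str, excluded=EXCLUDED_EXTENSIONS) -> bool:
    """True when the antivirus software would scan this HTTP download."""
    return path_extension(url) not in excluded


def classify(urls, excluded=EXCLUDED_EXTENSIONS) -> dict:
    """Map each URL to 'scan' or 'skip' so a whole list can be reviewed at once."""
    return {u: ("scan" if should_scan(u, excluded) else "skip") for u in urls}


SAMPLE_URLS = [                      # constructed for the example
    "http://www.example.com/images/logo.png",
    "http://www.example.com/photo.JPG?size=large",
    "http://www.example.com/downloads/setup.exe",
    "http://www.example.com/archive.tar.gz",
    "http://www.example.com/download",
    "http://www.example.com/song.mp3.exe",
]

if __name__ == "__main__":
    for url, verdict in classify(SAMPLE_URLS).items():
        print(f"{verdict:4s} {url}")
```

The last two sample URLs are the ones worth checking against a real list: a download with no extension and a name whose final extension is not on the list are both scanned, so only the final extension of a name decides under this model.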

Prerequisites Consider the following prerequisites:

● If you plan to receive Simple Network Management Protocol (SNMP) traps on UDP
port 162, configure the manager and community as described in “Configuring
SNMP” on page 97.
● To protect the SMTP service, you must configure the SMTP proxy. See “Configuring the
SMTP Proxy Server” on page 99.
● To successfully implement proxy settings, you must enable proxy redirection rules for
any protocols you select (HTTP, SMTP, POP3, or FTP).

Enabling the antivirus software
To enable the antivirus software:

1. In the navigation pane, click + to expand the Antivirus node.
2. Select Settings.
3. Select the Basic Configuration tab.
4. Select the Antivirus Module Enabled check box.

Tasks for configuring Antivirus
Configuring the antivirus software is a four-task process:

Task   Description

1      Enable the antivirus software and configure quarantine management.

2      Select the protocols to protect.

3      Configure antivirus event notification.

4      Review the File Extensions Excluded from HTTP Antivirus list.

Table 91: Tasks for configuring Antivirus

Task 1: Enable the antivirus software and configure quarantine management
If a virus is found on any protocol, the infected file is deleted. Deleted files do not appear
on the Antivirus Quarantine page. For more information about quarantined files, see
“Quarantine File Management” on page 243.

To enable the antivirus software and quarantine file management:

1. In the navigation pane, click + to expand the Antivirus node.
2. Select Settings.
The Antivirus Protection Settings page appears.
3. Select the Basic Configuration tab.
4. Select the Antivirus Module Enabled check box.
5. To quarantine infected files, select the Quarantine Infected Files check box on the
General Settings tab.

Task 2: Select the protocols to protect
You can select which protocols to scan for viruses. To successfully implement proxy
settings, you must enable proxy redirection rules for any protocols you select. If you select
the SMTP protocol, you must configure the SMTP proxy server.

To select the protocols to protect:

1. Select the Protocols to Protect tab.
2. Select the check box(es) for the protocols on which you want to scan for viruses.
Note: Protocol options are as follows:
■ HTTP
■ SMTP
■ POP3
■ FTP

Task 3: Configure antivirus event notification
To configure how the appliance notifies you of an antivirus event:

1. Select the Event Notification tab.
2. To receive an alert message when the appliance detects a virus and takes action, select
the Alert Logging for Antivirus Events check box.
3. Select how the appliance notifies you of the event in the Antivirus Event Notification
Delivery area.

Task 4: Review the File Extensions Excluded from HTTP Antivirus list
The File Extensions Excluded from HTTP Antivirus list includes the file extensions that
users typically want to exclude from virus scanning, such as image or music files. You can
add, edit, or remove extensions from this list.

Review the file extensions in this list to ensure that they are appropriate for your network.
To review the File Extensions Excluded from HTTP Antivirus list:

1. In the navigation pane, click + to expand the Antivirus node.
2. Select Settings.
The Antivirus Protection Settings page appears.
3. Select the File Extensions to Exclude from HTTP Antivirus tab.
4. Review the extensions in the File Extensions to Exclude from HTTP Antivirus table.
5. Make any necessary changes to the list.
6. Click OK.
7. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.


Copying and pasting file extensions in the HTTP Antivirus List
You can copy and paste a file extension before editing it. This is useful if you want to add
a file extension that is similar to a file extension already in the list. You can also copy and
paste multiple file extensions.

To copy and paste a file extension:

1. In the navigation pane, click + to expand the Antivirus node.
2. Select Settings.
The Antivirus Protection Settings page appears.
3. Select the File Extensions Excluded from HTTP Antivirus tab.
4. In the File Extension table, select the file extension you want to copy.
Note: To select multiple extensions, press the CTRL key, and then select each
extension. To select a range of extensions, press the SHIFT key, and then select the first
and last extensions in the range.
5. Click the Copy icon.
6. Click the Paste icon.
The appliance copies the extension to the end of the list.
7. If necessary, edit the extension, and then click OK.
8. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Removing a file extension in the HTTP Antivirus List
To remove a file extension from the File Extensions Excluded from HTTP Antivirus list:

1. In the navigation pane, click + to expand the Antivirus node.
2. Select Settings.
The Antivirus Protection Settings page appears.
3. Select the File Extensions Excluded from HTTP Antivirus tab.
4. Select the file extension you want to remove.
5. Click Remove.
The appliance removes the file extension.
6. Click OK.
7. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Quarantine File Management


Introduction Two areas support the quarantine of files and the quarantine rules that intrusion
prevention generates in response to detected intruders. Links to both are provided on the
Proventia Manager Home page in the System Reports area:

● Virus Quarantine (quarantine file management)
● Quarantined Intrusions (quarantine rules management). See “Quarantine Rules
Management” on page 256.

Quarantine file management
The antivirus quarantine file management page lists files that have been quarantined. The
files listed here are suspected of containing, or are known to contain, a virus. Only the
infected portion of the file is quarantined. The remainder of the file is deleted.

Caution: ISS recommends that you use this page for forensic purposes only. If you use this
page for other purposes, such as attempting to recover quarantined files, use extreme
caution.

To remove quarantined files from the system, do one of the following:

● Select the filename from the list, and then click Delete.
● To remove all quarantined files, click Delete All.

Quarantine rules management
The Quarantine Rules Management page is part of the Intrusion Prevention module. The
table displays dynamically generated rules in response to detected intruder events. These
rules prevent worms from spreading and deny access to systems that are infected with
backdoors or trojans. See “Quarantine Rules Management” on page 256.

Chapter 17

Intrusion Prevention

Overview
Introduction This chapter describes how to enable intrusion prevention settings.

In this chapter This chapter contains the following topics:

Topic Page

About Intrusion Prevention Settings 246

Reviewing the Status of Prevention Settings 247

Enabling Intrusion Protection Settings 249

Configuring Alert Logging for Events 250

Configuring Event Filters 252

Quarantine Rules Management 256

Viewing the Intrusion Prevention Issue List 258


About Intrusion Prevention Settings


Introduction This topic summarizes the prevention settings available in the Proventia Manager. These
settings seldom change. However, you may occasionally need to perform maintenance
tasks to keep the appliance properly configured.

What intrusion prevention settings protect
Intrusion prevention settings monitor network traffic and block attacks. You can protect
local applications and servers, or protect client computers on a router or firewall.

Available options Table 92 describes the options available for configuring prevention settings:

If you want to…                                                    Then see…

review the status of prevention settings                           “Reviewing the Status of Prevention Settings” on page 247

enable intrusion prevention settings, including attack detection,  “Enabling Intrusion Protection Settings” on page 249
audit detection, and blocking response

configure the appliance to detect and respond to attacks           “Enabling alert logging” on page 250

configure the appliance to block attacks                           “Enabling alert logging” on page 250

enable message notification for blocked and non-blocked attack     “Enabling alert logging” on page 250
messages

enable SNMP traps                                                  “Enabling alert logging” on page 250

configure the appliance to detect and respond to audits            “Configuring alert logging for general events” on page 251

configure the appliance to record audit messages                   “Configuring alert logging for general events” on page 251

enable audit detection                                             “Enabling Intrusion Protection Settings” on page 249

add filters to events                                              “Adding an event filter” on page 252

edit event filters                                                 “Editing an event filter” on page 253

edit a rule for an event filter                                    “Editing an event filter rule” on page 253

Table 92: Prevention settings options

Reviewing the Status of Prevention Settings


Introduction This topic describes the Intrusion Prevention status page. The Intrusion Prevention Status
page displays data for the following:

● IPM (Intrusion Prevention Module) statistics
● PAM (Protocol Analysis Module) statistics

IPM Statistics types
Table 93 describes the IPM statistic types:

Statistic Definition

IPM Version Indicates the Intrusion Prevention Module (IPM) version number. IPM
is a module that controls intrusion prevention technology.

PAM Version Indicates the Protocol Analysis Module (PAM) version number. PAM is
a protocol anomaly detection module that detects attacks at all layers
of the protocol stack.

Start Time Time that the IPM was started

Time of Last Reload Time of last attack engine update

Time of Last Attack Time of last attack

Attack Checks Total number of attacks detected or blocked

Attacks Detected Total number of attacks detected by the appliance

Attacks Blocked Total number of attacks blocked by the appliance

Quarantine Rules Indicates the number of active Quarantine Rules. This table tracks all
quarantine rules that intrusion prevention creates and uses to block
traffic, based on an issue being detected. You can view and remove
entries from this table on the Quarantine tab.

Dropped Packets Number of packets dropped by IPM

Table 93: IPM statistics types

PAM Statistics types
Table 94 describes the PAM statistic types:

Statistic Definition

IPv4 Bytes Total number of bytes in all IP version 4 packets

IPv4 Packets Total number of IP version 4 packets

IPv4 Fragments Total number of fragmented IP version 4 packets

IPv4 Checksum Errors Total number of IP version 4 packets with checksum errors

ICMP Bytes Total number of bytes in all ICMP packets

ICMP Packets Total number of ICMP packets

ICMP Checksum Errors Total number of ICMP packets with checksum errors

TCP Bytes Total number of bytes in all TCP packets

TCP Packets Total number of TCP packets

TCP Checksum Errors Total number of TCP packets with checksum errors

TCP Connections Total number of TCP connections

Active TCP Connections Number of active TCP connections

UDP Bytes Total number of bytes in all UDP packets

UDP Packets Total number of UDP packets

UDP Checksum Errors Total number of UDP packets with checksum errors

Table 94: PAM statistics types

Refreshing the statistics
You can refresh the Intrusion Prevention status page manually, or automatically at certain
intervals. The refresh data options are:

● Refresh Now (Use this option to manually refresh the page.)
● every 10 seconds
● every 20 seconds
● every 30 seconds
● every 1 minute
● every 2 minutes
● Auto Off (Use this option to disable automatic refresh.)

To refresh the statistics on the Intrusion Prevention status page:

● Select one of the options from the Refresh Data list.


The Intrusion Prevention status page displays the latest statistics.

Enabling Intrusion Protection Settings


Introduction This topic describes how to enable or disable intrusion prevention settings, including
attack detection, audit detection, and the blocking response.

The two types of detection are:

● Attack detection
■ enabled by default
■ detects buffer overflows, remote vulnerabilities, and DoS attacks
■ contains some default blocking
● Audit detection
■ disabled by default
■ contains informational data
■ can be configured to block
■ can be enabled globally or one at a time, e.g. HTTP_Get, POST

Enabling or disabling intrusion prevention settings
To enable or disable intrusion prevention settings:

1. In the navigation pane, click + to expand the Intrusion Prevention node.
2. Select Settings.
3. Select the Protection Settings tab.
4. Select Intrusion Prevention Module Enabled.
5. Specify intrusion prevention settings as follows:
■ To configure the appliance to detect and respond to attacks, select Attack Detection
Enabled.
■ To configure the appliance to detect and respond to audits, select Audit Detection
Enabled.
■ To configure the appliance to enable protection responses as specified by the
X-Force, select X-Force Protection Responses Enabled.
6. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.


Configuring Alert Logging for Events


Introduction This topic describes how to configure delivery notification for attack and audit events. It
includes procedures for the following tasks:

● enabling alert logging options, including email and SNMP traps
● disabling alert logging for blocked and non-blocked events
● configuring alert logging for general events
● configuring message notification for general events

Enabling alert logging
To enable alert logging and message notification options:

1. In the navigation pane, click + to expand the Intrusion Prevention node.
2. Select Settings.
3. Select the Event Notification tab.
4. Select Alert Logging for Blocked Events.
5. Select how to be notified in the Blocked Attacks/Audits Event Notification Delivery
area. Specify message notification as follows:
■ To receive email notifications, select Email Enabled, and then select the email
account name from the Email Name list.
■ To receive Simple Network Management Protocol (SNMP) traps on UDP port 162,
select SNMP Trap Enabled.
■ To configure how the appliance sends notification responses for events, click
Configure Email. For more information, see “Notification Responses for Events”
on page 91.
■ To send alerts to the SiteProtector agent manager, select SiteProtector Enabled.
6. Select Alert Logging for Non-Blocked Attack Events.
7. Select how to be notified in the Non-Blocked Attack Event Notification Delivery area.
8. Select Alert Logging for Non-Blocked Audit Events.
9. Select how to be notified in the Non-Blocked Audit Event Notification Delivery area.
10. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Disabling alert logging
To disable alert logging and message notification options:

1. In the navigation pane, click + to expand the Intrusion Prevention node.
2. Select Settings.
3. Select the Event Notification tab.
4. Clear the check box(es) for the alert types you want to disable.
5. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.


Disabling message notification
To disable message notification:

1. In the navigation pane, click + to expand the Intrusion Prevention node.
2. Select Settings.
3. Select the Event Notification tab.
4. Clear the check box(es) for the alert messages you want to disable.
5. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Configuring alert logging for general events
To configure alert logging for general events:

1. In the navigation pane, click + to expand the Intrusion Prevention node.
2. Select Settings.
3. Select the Event Notification tab.
4. In Alert Logging for General Events, specify logging settings as follows:
■ To receive an alert when a dynamic rule is added, select Dynamic Rule Added.
■ To receive an alert when a dynamic rule is removed, select Dynamic Rule
Removed.
■ To receive an alert when a dynamic rule expires, select Dynamic Rule Expired.
■ To receive an alert when a packet is dropped, select Packet Dropped.
5. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Configuring message notification for general events
To configure message notification for general events:

1. In the navigation pane, click + to expand the Intrusion Prevention node.
2. Select Settings.
3. Select the Event Notification tab.
4. Select how to be notified in the General Event Notification Delivery area. Specify
message notification as follows:
■ To receive email notifications, select Email Enabled, and then select the email
account name from the Email Name list.
■ To receive Simple Network Management Protocol (SNMP) traps on UDP port 162,
select SNMP Trap Enabled.
■ To configure how the appliance sends notification responses for events, click
Configure Email. For more information, see “Notification Responses for Events”
on page 91.
■ To send alerts to the SiteProtector desktop controller, select SiteProtector Enabled.
5. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.


Configuring Event Filters


Introduction This topic describes how to configure event filters and edit event filter rules. It includes
procedures for the following tasks:

● adding and editing event filters
● editing event filter rules
● copying event filters
● removing event filters

Event filters Event filters can control the events that the appliance generates. Use event filters when
you want to ignore events for certain hosts or traffic.

Tips about editing entries in the Event Filter table
You can edit all fields in an event filter in the Edit Event Filter window, or you can edit
selected fields directly in the event filter table.

To edit all fields in an Event Filter table entry, do either of the following:

■ Select the entry, and then click Edit.
■ Double-click the entry.

You can do the following directly in the policy table:

■ select or clear the Enabled check box
■ type text in the Description field

Adding an event filter
To add filters to events:

1. In the navigation pane, click + to expand the Intrusion Prevention node.
2. Select Settings.
3. Select the Event Filters tab.
4. Click Add.
5. Type a meaningful name in the Description field.
Note: The description identifies the filter in events and responses.
6. Select Enabled to enable the event filter.
7. Select an issue from the Issue Id list.
Note: To add rules for this issue, see “Editing an event filter rule” on page 253.
8. Click OK.
The event filter is added to the Event Filter table.
9. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.


Adding an event filter rule to an event filter
To add a rule to an event filter:

1. In the navigation pane, click + to expand the Intrusion Prevention node.
2. Select Settings.
3. Select the Event Filters tab.
4. Select an event filter entry, and then double-click it.
5. Select an issue from the Issue Id list.
6. In the Event Filter area, click Add.
The rule is added to the Event Filter table.
7. To add other rules, repeat Steps 5 and 6.
8. Click OK.
The event filter is added to the list.
9. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Editing an event filter
To edit an event filter:

1. In the navigation pane, click + to expand the Intrusion Prevention node.
2. Select Settings.
3. Select the Event Filters tab.
4. Select an event filter entry, and then double-click it.
5. Make your changes.
Note: For information about editing event filter rules, including IP addresses and
protocols, see “Editing an event filter rule” on page 253.
6. Click OK.
7. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Editing an event filter rule
To edit an event filter rule:

1. In the navigation pane, click + to expand the Intrusion Prevention node.
2. Select Settings.
3. Select the Event Filters tab.
4. In the Event Filters section, select an entry, and then double-click it.
5. Click Not.
6. Double-click the Addresses field.
The IP Clause Editor window appears.
7. In the Intruder or Victim Addresses sections, click Edit or Add.
The IP Address Expression Editor window appears.
8. Select one of the following options, and then type the IP addresses as appropriate:


■ Any Address
■ Single IP Address
■ IP Address Range
■ IP Address/Mask
9. Click OK.
10. Double-click the Datagram field.
The Datagram Clause Editor window appears.
11. Click the Protocol arrow to see a list of protocols, and then select a protocol.
12. In the Intruder Ports or Victim Ports sections, click Edit or Add.
The Port Expression Editor window appears.
13. Select one of the following options, and then type the port number as appropriate:
■ Any Port
■ Single Port
■ Port Range
14. Select or clear Not.
15. Click OK.
The Port Expression Editor window closes.
16. Click OK.
17. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.
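The procedure above builds a rule out of address clauses (Any Address, Single IP Address, IP Address Range, IP Address/Mask), a protocol and port clauses (Any Port, Single Port, Port Range), each with its own Not check box. The following is an added example, not code from the guide or from the appliance, that evaluates rules with that shape against constructed events. The text syntax used for the expressions, the Event record, the hypothetical issue ids and the assumption that a matching filter suppresses the event are all choices made here for illustration.

```python
"""Evaluate event filter rules of the kind the IP Clause Editor and Datagram
Clause Editor build: intruder/victim address expressions (Any Address, Single
IP Address, IP Address Range, IP Address/Mask), a protocol, intruder/victim
port expressions (Any Port, Single Port, Port Range), each clause with a Not
flag.  Added example; the text syntax of the expressions, the Event record
and treating a match as "suppress the event" are assumptions made here.
"""
from dataclasses import dataclass
import ipaddress

ANY = "any"


def parse_addr_expr(expr):
    """Return the inclusive integer bounds an address expression covers."""
    expr = expr.strip().lower()
    if expr == ANY:                                    # Any Address
        return 0, 2**32 - 1
    if "-" in expr:                                    # IP Address Range
        lo, hi = (int(ipaddress.IPv4Address(p.strip())) for p in expr.split("-", 1))
        if lo > hi:
            raise ValueError(f"range start exceeds end: {expr}")
        return lo, hi
    if "/" in expr:                                    # IP Address/Mask (prefix or dotted mask)
        net = ipaddress.IPv4Network(expr, strict=False)
        return int(net.network_address), int(net.broadcast_address)
    addr = int(ipaddress.IPv4Address(expr))            # Single IP Address
    return addr, addr


def parse_port_expr(expr):
    """Return the inclusive bounds a port expression covers."""
    expr = expr.strip().lower()
    if expr == ANY:                                    # Any Port
        return 0, 65535
    lo, hi = (int(p) for p in expr.split("-", 1)) if "-" in expr else (int(expr),) * 2
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port expression: {expr}")
    return lo, hi


@dataclass(frozen=True)
class Clause:
    expr: str
    negate: bool = False                               # the Not check box

    def covers(self, value, bounds):
        hit = bounds[0] <= value <= bounds[1]
        return hit != self.negate                      # Not inverts the result


@dataclass(frozen=True)
class EventFilterRule:
    issue_id: str
    intruder_addr: Clause = Clause(ANY)
    victim_addr: Clause = Clause(ANY)
    protocol: str = ANY                                # "tcp", "udp", "icmp" or "any"
    intruder_port: Clause = Clause(ANY)
    victim_port: Clause = Clause(ANY)


@dataclass(frozen=True)
class Event:
    issue_id: str
    intruder_ip: str
    victim_ip: str
    protocol: str
    intruder_port: int
    victim_port: int


def rule_matches(rule, ev):
    if rule.issue_id != ev.issue_id or rule.protocol not in (ANY, ev.protocol):
        return False
    src = int(ipaddress.IPv4Address(ev.intruder_ip))
    dst = int(ipaddress.IPv4Address(ev.victim_ip))
    return (rule.intruder_addr.covers(src, parse_addr_expr(rule.intruder_addr.expr))
            and rule.victim_addr.covers(dst, parse_addr_expr(rule.victim_addr.expr))
            and rule.intruder_port.covers(ev.intruder_port, parse_port_expr(rule.intruder_port.expr))
            and rule.victim_port.covers(ev.victim_port, parse_port_expr(rule.victim_port.expr)))


def suppressed(rules, events):
    """Indexes of events that at least one rule matches (and would therefore filter)."""
    return [i for i, ev in enumerate(events) if any(rule_matches(r, ev) for r in rules)]


# Constructed sample data (hypothetical issue ids, documentation IP ranges):
# rule 0 ignores one issue when an authorised scanner hits the 10.0.0.0/24 web
# servers on TCP/80; rule 1 ignores a second issue unless the source port is 53.
SAMPLE_RULES = [
    EventFilterRule("EXAMPLE_HTTP_Issue", intruder_addr=Clause("192.0.2.50"),
                    victim_addr=Clause("10.0.0.0/255.255.255.0"),
                    protocol="tcp", victim_port=Clause("80")),
    EventFilterRule("EXAMPLE_DNS_Issue", protocol="udp",
                    intruder_port=Clause("53", negate=True)),
]
SAMPLE_EVENTS = [
    Event("EXAMPLE_HTTP_Issue", "192.0.2.50", "10.0.0.7", "tcp", 40123, 80),   # 0: suppressed
    Event("EXAMPLE_HTTP_Issue", "192.0.2.51", "10.0.0.7", "tcp", 40123, 80),   # 1: other intruder
    Event("EXAMPLE_HTTP_Issue", "192.0.2.50", "10.0.1.7", "tcp", 40123, 80),   # 2: victim outside mask
    Event("EXAMPLE_DNS_Issue", "198.51.100.9", "10.0.0.53", "udp", 53, 53),    # 3: port 53, Not -> kept
    Event("EXAMPLE_DNS_Issue", "198.51.100.9", "10.0.0.53", "udp", 1024, 53),  # 4: suppressed
]

if __name__ == "__main__":
    print("suppressed event indexes:", suppressed(SAMPLE_RULES, SAMPLE_EVENTS))
```

Each clause is evaluated independently and the Not flag inverts only its own clause, which is why event 3 survives while event 4 is filtered; the dotted-mask form is accepted because `IPv4Network` understands both prefix lengths and dotted netmasks.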

Copying and pasting an event filter
You can copy and paste an event filter before editing it. This is useful if you want to add a
filter that is similar to a filter already in the list. You can also copy and paste multiple
filters.

To copy an event filter:

1. In the navigation pane, click + to expand the Intrusion Prevention node.


2. Select Settings.
3. Select the Event Filters tab.
4. Select the event filter you want to copy.
Note: To select multiple filters, press the CTRL key, and then select each filter. To
select a range of filters, press the SHIFT key, and then select the first and last filters in
the range.

5. Click the Copy icon.

6. Click the Paste icon.


The appliance copies the filter to the end of the list.
7. If necessary, edit the filter, and then click OK.
Note: For more information, see “Editing an event filter” on page 253.
8. Do one of the following:


■ In the Proventia Manager interface, click Save Changes.


■ In the SiteProtector interface, click OK.

Removing an event filter
To remove an event filter:

1. In the navigation pane, click + to expand the Intrusion Prevention node.
2. Select Settings.
3. Select the Event Filters tab.
4. Select the event filter to remove, and then click Remove.
5. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.


Quarantine Rules Management


Introduction Quarantine rules are dynamically generated in response to detected intruder events.
These rules prevent worms from spreading and deny access to systems that are infected
with backdoors or trojans. This topic describes how to manage the quarantine rules that
the appliance creates in response to intruder events. It includes procedures for the following tasks:

● viewing a quarantine rule
● removing a quarantine rule
● copying a quarantine rule

About quarantine rules
The appliance creates quarantine rules in response to events, and stores the rules in the
quarantine rules table. Quarantine rules specify the packets to block and the length of
time to block them.

Quarantine rules table
Table 95 lists the fields available in the quarantine rules table.
Note: An asterisk (*) in a field means that the rule does not restrict that field; any value matches.

Field Description

Source IP The source IP address of packets to block

Source Port The source port number of packets (if protocol is 6 or 17) to block

Dest IP The destination IP address of packets to block

Dest Port The destination port number of packets (if protocol is 6 or 17) to block

ICMP Type The ICMP type number of packets (if protocol is 1) to block

ICMP Code The ICMP code number of packets (if protocol is 1) to block

Protocol The IP protocol of the rule (ICMP=1, TCP=6, UDP=17)

Expiration Time The expiration time of the rule

Block Percentage The percentage of packets that will be dropped. Values less than 100%
can be used to lessen the impact of some denial-of-service attacks.

Table 95: Quarantine Rules table fields
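To make the semantics of Table 95 concrete, here is an added example (not appliance code) that matches constructed packets against quarantine rules built from those fields: "*" leaves a field unconstrained, ports are consulted only for protocol 6 or 17, ICMP type and code only for protocol 1, expired rules stop matching, and a block percentage below 100 drops only that share of packets. The packet record and the sampling used for the block percentage are assumptions made here, since the guide does not describe how the appliance samples.

```python
"""Match packets against quarantine rules laid out as in Table 95.

Added example, not the appliance's code.  A rule field of "*" matches any
value; protocol numbers follow the table (ICMP=1, TCP=6, UDP=17).  Expiration
is an epoch timestamp and block_percentage is sampled per packet (assumed).
"""
from dataclasses import dataclass

ICMP, TCP, UDP = 1, 6, 17


@dataclass(frozen=True)
class QuarantineRule:
    protocol: int
    expiration_time: float              # epoch seconds; rule ignored from then on
    src_ip: str = "*"
    src_port: str = "*"
    dst_ip: str = "*"
    dst_port: str = "*"
    icmp_type: str = "*"
    icmp_code: str = "*"
    block_percentage: int = 100


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    protocol: int
    src_port: int = 0
    dst_port: int = 0
    icmp_type: int = 0
    icmp_code: int = 0


def field_matches(rule_value, packet_value):
    """'*' matches anything; otherwise the values must be equal."""
    return rule_value == "*" or str(packet_value) == str(rule_value)


def rule_matches(rule, pkt, now):
    if now >= rule.expiration_time:          # expired rules no longer block
        return False
    if rule.protocol != pkt.protocol:
        return False
    if not (field_matches(rule.src_ip, pkt.src_ip) and field_matches(rule.dst_ip, pkt.dst_ip)):
        return False
    if pkt.protocol in (TCP, UDP):            # ports exist only for protocol 6 or 17
        return field_matches(rule.src_port, pkt.src_port) and field_matches(rule.dst_port, pkt.dst_port)
    if pkt.protocol == ICMP:                  # type/code exist only for protocol 1
        return field_matches(rule.icmp_type, pkt.icmp_type) and field_matches(rule.icmp_code, pkt.icmp_code)
    return True


def decide(rules, pkt, now, seq):
    """Return "drop" or "pass" for one packet.

    seq is the packet's position in its flow.  A block percentage below 100
    drops that share of packets by taking seq modulo 100 (a simplification
    assumed here; the guide does not say how the appliance samples).
    """
    for rule in rules:
        if rule_matches(rule, pkt, now) and seq % 100 < rule.block_percentage:
            return "drop"
    return "pass"


def purge_expired(rules, now):
    """Keep only rules whose expiration time has not yet passed."""
    return [r for r in rules if now < r.expiration_time]


# Constructed sample rules (documentation addresses, hypothetical times):
NOW = 1_700_000_000.0
SAMPLE_RULES = [
    # block all TCP from a host the appliance flagged, for one hour
    QuarantineRule(TCP, NOW + 3600, src_ip="192.0.2.10"),
    # soften a ping flood against one server: drop 30% of echo requests for 10 minutes
    QuarantineRule(ICMP, NOW + 600, dst_ip="10.0.0.5", icmp_type="8", icmp_code="0",
                   block_percentage=30),
]


def sample_decisions():
    """Run a few constructed packets through SAMPLE_RULES; returns the outcomes."""
    tcp = Packet("192.0.2.10", "10.0.0.5", TCP, src_port=40000, dst_port=80)
    udp = Packet("192.0.2.10", "10.0.0.5", UDP, src_port=40000, dst_port=53)
    echo = Packet("198.51.100.7", "10.0.0.5", ICMP, icmp_type=8, icmp_code=0)
    echo_dropped = sum(decide(SAMPLE_RULES, echo, NOW, seq) == "drop" for seq in range(1000))
    return {
        "tcp_now": decide(SAMPLE_RULES, tcp, NOW, 0),
        "udp_now": decide(SAMPLE_RULES, udp, NOW, 0),
        "tcp_after_expiry": decide(SAMPLE_RULES, tcp, NOW + 3600, 0),
        "echo_dropped_of_1000": echo_dropped,
        "rules_left_after_10min": len(purge_expired(SAMPLE_RULES, NOW + 600)),
    }


if __name__ == "__main__":
    print(sample_decisions())
```

The UDP packet from the flagged host passes because the rule's protocol is 6, which is why a rule that should cover both TCP and UDP from a host needs two table entries; the ICMP rule shows how a block percentage under 100 lets some traffic through rather than blackholing the server.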

Viewing quarantine rules
To view quarantine rules:

1. In the navigation pane, click + to expand the Intrusion Prevention node.
2. Select Quarantined Intrusions.
The Quarantine Rules Management page appears.
3. Select the rule from the Rules table, and then click Display.


Removing a rule To remove a quarantine rule:

1. In the navigation pane, click + to expand the Intrusion Prevention node.


2. Select Quarantined Intrusions.
The Quarantine Rules Management page appears.
3. Select the quarantine rule, and then click Remove.
4. Click Save Changes.

Copying a rule To copy a quarantine rule:

1. In the navigation pane, click + to expand the Intrusion Prevention node.


2. Select Quarantined Intrusions.
The Quarantine Rules Management page appears.
3. Select the rule, and then click Copy.
The rule is copied to the list.
4. If needed, edit the rule.
5. Click Save Changes.


Viewing the Intrusion Prevention Issue List


Introduction This topic describes the intrusion prevention issue list. It includes procedures for the
following tasks:

● viewing the list
● displaying a specific issue
● copying an issue

Issue list fields Table 96 lists the fields that are displayed in the list:

Field Description

Name The name of the security check (issue)

Issue ID The issue's unique identifier

Type The issue’s type (attack or audit)

Protocol The issue's application protocol (Examples: http, ftp, smtp, dns)

Priority The issue's risk level (high, medium, or low)

Status The issue’s detection status (enabled or disabled)

Protection Response The issue's protection response specified by the X-Force

Table 96: Issue list fields

Viewing the list To view the intrusion prevention list:

1. In the navigation pane, click + to expand the Intrusion Prevention node.


2. Select Issue List.
3. Review the security risk definitions in the list.

Displaying a specific issue
To display a specific issue:

1. In the navigation pane, click + to expand the Intrusion Prevention node.
2. Select Issue List.
3. Select an issue from the list.
4. Click Display.
5. Review the details about the issue.
6. Click OK.

Copying an issue You can copy an issue to the clipboard and paste it into a text or HTML file.

To copy an issue:

1. In the navigation pane, click + to expand the Intrusion Prevention node.


2. Select Issue List.
3. Select an issue from the list.


4. Click Copy.
5. Paste the information into a file.

Chapter 18

Antispam Settings

Overview
Introduction This chapter provides information about and instructions for setting and managing
Antispam options.

In this chapter This chapter contains the following topics:

Topic Page

Introduction to Antispam 262

Setting Antispam Options 265

Antispam Logging and Events 267

Antispam Statistics 268

Using the Email Sender Whitelist and Email Sender Blacklist 269


Introduction to Antispam
Introduction Antispam software prevents undesired advertisement or offensive emails from entering
your network undetected. The antispam software analyzes text, URLs, and attachments in
all email traffic passing through your network. The appliance allows harmless email to
pass instantly, but responds to inappropriate email by doing one of the following:

● labeling the email as spam by adding [SPAM] or [SPAM+] to the subject line
● deleting the email

What is spam? Spam is email that contains unsolicited advertisements or offensive content. The
appliance uses the following to determine whether email is spam:

● information in the Web Filter and Antispam Database
● email addresses and domains in the Email Whitelist and Email Blacklist

Ham is legitimate email that does not contain advertising or inappropriate content.

How the appliance filters spam
The M Series appliance filters spam email by doing the following:

● analyzing the text and attachments in every email
● referencing the list of known spam sources in the Web Filter and Antispam Database

Prerequisite You can enable the Web Filter or Antispam Modules if your appliance has an active
Internet connection.

Before you enable the Web Filter or Antispam modules, do the following:

● Make sure that the appliance has an active Internet connection. If the database cannot
authenticate, the appliance may incorrectly indicate that the database is not installed.
This can prevent the Web Filter or Antispam Modules from starting.
● Make sure that you have configured HTTP Proxy settings, if required for your
environment.

Reference: For more information, see the Proventia M Series Appliances Readme on the
ISS Download Center at http://www.iss.net/download/.

The Web Filter and Antispam Database
Spam is often linked with senders or domains that ISS has included in the Web Filter and
Antispam Database. ISS uses fully automated Web crawlers that continuously download
and analyze Web content. The Web crawlers classify this content into 58 categories and
store the information in the database. The Web crawlers add several million Web pages to
the database per day.

Reference: For more information, see “About the Database” on page 302.

How ISS identifies spam
The Proventia antispam software uses a variety of analysis techniques to identify spam
without blocking legitimate email. The antispam software uses the following technologies
to scan email traffic passing through your network:

● text recognition
● text classification
● object recognition
● pornography and nudity detection
● keyword detection
● URL detection

Reference: For more information, see “How ISS Classifies Web Content” on page 300 and
“About the Database” on page 302.

How antispam works
The following table describes the Antispam process:

Stage Description

1 Enable the Antispam Module on the appliance and set the options. Choose the
following:
• set tag or delete emails to be identified as spam
• set the threshold of spam content in a spam email that results in tagging or
deleting
• set how the appliance responds to Antispam events

2 To control access to specific email addresses or domains, add these entries to the
Email Sender Whitelist or the Email Sender Blacklist.
The appliance evaluates all incoming email for sender information and spam
content.

3 The appliance references the Web Filter and Antispam Database to identify known
spam sources or URLs linked to inappropriate Web sites.

4 If the appliance identifies an email as spam, the appliance assigns a numerical
value to the email based on the amount of spam content. A higher value
corresponds to a higher amount of spam content.

5 The appliance tags or deletes the spam email, based on the spam sensitivity
settings.
Reference: For more information about Spam Tagging Sensitivity settings, see
“Setting Antispam Options” on page 265.

Table 97: Antispam process description

Tips about icons The following table describes the icons that may appear on the Antispam Settings page:

Icon Description

If this icon appears next to a field on this page, then data is required in the field or the
data in the field is invalid. If the icon appears next to a policy or a tab on this page,
then the policy or tab contains invalid settings or empty fields that require data.

If this icon appears at the top of a list, you can select an item in the list and click the
icon to copy the item to the clipboard.

If this icon appears at the top of a list, you can click the icon to paste an item from the
clipboard to the end of the list. You can then edit the pasted item.

Table 98: Antispam Settings page icons


If you already own an M Series appliance
If you own an M Series appliance with a Base Version of 1.7 or earlier, you can use the
Web Filter and Antispam modules if you do the following:

● Download Firmware Update version 1.8 from the ISS Web site.
● Download the Web Filter and Antispam Database from the ISS Web site.

Reference: You can view the Base Version on the Home page. For more information about
downloading firmware updates, see the Help. For more information about downloading
the database, see “Web Filter and Antispam Database Page” on page 304.


Setting Antispam Options


Introduction This topic describes the following:

● Antispam options
● how to enable the Antispam Module
● how to set spam tagging sensitivity settings

Antispam options The following table describes the Antispam options you can configure:

To...                                                      See...

change the spam tagging sensitivity settings               “Spam tagging sensitivity settings” on page 265

add, edit, or delete entries in the Email Sender           “Using the Email Sender Whitelist and Email Sender
Whitelist or Email Sender Blacklist                        Blacklist” on page 269

enable or disable any of the following:                    “Antispam Logging and Events” on page 267
• event logging
• SNMP traps
• SiteProtector notification

Table 99: Antispam options

Spam tagging sensitivity settings
Spam tagging sensitivity settings determine how the appliance treats spam email, based
on the amount of spam content. When the appliance identifies an email as spam, the
appliance assigns a numerical value to the email based on the amount of spam content. A
higher value corresponds to a higher amount of spam content, and the spam email rates
higher on the delete threshold. A lower value corresponds to less spam content, and the
spam email rates lower on the threshold.

The spam tagging sensitivity settings are as follows:

● Delete Threshold
● Learning Mode
● Delete Mode

Setting spam tagging sensitivity
To set spam tagging sensitivity:

1. In the navigation pane, click + to expand the Antispam node.
2. Select Settings.
3. Select the Protection Settings tab.
4. In the Spam Tagging Sensitivity area, move the Delete Threshold slider to choose the
spam sensitivity level.
5. Choose one of the following options:
■ Learning Mode
■ Delete Mode


6. Do one of the following:


■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

The Delete Threshold
The Delete Threshold slider allows you to set the level of spam content that the appliance
uses as the baseline to tag or delete spam email. This setting determines the way the
appliance responds to a spam email:

● tagging it as [SPAM]
● tagging it as [SPAM+]
● deleting it

If you want to delete all email that might be spam, even if some email might be legitimate,
then you can set the slider to the minimum delete threshold. If you want to delete only the
email with high spam content, you can set the slider to the maximum delete threshold.

Learning Mode In Learning Mode, the appliance tags spam emails according to the Delete Threshold
level you select.

■ If the email contains less spam content than the threshold, the appliance adds a
[SPAM] header to the email subject line.
■ If the email contains more spam content than the threshold, the appliance adds a
[SPAM+] header to the email subject line.
Note: Learning Mode is useful if you want to see which emails the appliance
identifies as [SPAM] and [SPAM+]. You can adjust the Delete Threshold setting to get
the best performance for your network before you begin deleting spam emails.

Delete Mode In Delete Mode, the appliance deletes spam emails according to the delete threshold level
you select.

■ If the email contains less spam content than the threshold, the appliance adds a
[SPAM] header to the email subject line.
■ If the email contains more spam content than the threshold, the appliance deletes
the email.

Enabling the Antispam Module
To enable the Antispam Module:

1. In the navigation pane, click + to expand the Antispam node.
2. Select Settings.
3. Select the Protection Settings tab.
4. Select the Spam Detection Enabled box.
5. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.


Antispam Logging and Events


Introduction If you enable Antispam Event Logging, you can choose the following:

● which Antispam events to log on the Alert Event Log page
● how the appliance responds to Antispam events

Antispam event notification
You can choose how the appliance responds to Antispam events. You can select the
following Antispam notification delivery options:

● SNMP Trap—sends an SNMP trap for each email identified as spam. The trap
contains the sender's email address, the target email address, and the corresponding
category in the Web Filter and Antispam Database.
● SiteProtector Enabled—sends the alert to the SiteProtector desktop controller.
Caution: If you send alerts to SiteProtector for events that occur frequently, the appliance
can generate a large number of alerts to SiteProtector. For more information, see “Using
SiteProtector Management” on page 338.

Prerequisite You must configure the SNMP response before you can use the SNMP Trap option. For
more information, see “Setting Response Delivery Options” on page 94.

Enabling antispam event notification
To enable antispam event notification:

1. In the navigation pane, click + to expand the Antispam node.
2. Select Settings.
3. Select the Event Notification tab.
4. Select the Enable Event Logging box.
5. In the Event Logging Type area, do one of the following:
■ Select Log Only Email Tagged As Spam to log only the emails that the appliance
identifies as spam.
■ Select Log All Email to log all emails that the appliance processes.
Important: If you select Log All Email when SiteProtector event notification is
enabled, the appliance may send a large number of alerts to SiteProtector.
6. To enable the SNMP response, select the SNMP Trap Enabled box.
7. To enable alerts to SiteProtector, select the SiteProtector Enabled box.
8. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.


Antispam Statistics
Introduction Use the Antispam Status Page to view statistics for your antispam configuration.

Antispam statistics For each Antispam statistic, the number of emails is followed by its percentage of the total.

Example If the Allowed statistic is 70 (82.5%), the appliance allowed 70 emails. These 70 emails
account for 82.5% of all emails processed.

Statistics descriptions
The following table describes the Antispam statistics:

Statistic Description

Total emails The total number of emails that the appliance processed

Ham The number of legitimate emails that the appliance processed

Spam The number of spam emails that the appliance processed

Allowed The number of emails that the appliance allowed
Note: This number includes emails that the appliance allowed, but
tagged as spam

Blocked The number of emails that the appliance blocked

Whitelist The number of emails from a sender on the Email Sender Whitelist

Blacklist The number of emails from a sender on the Email Sender Blacklist

Table 100: Antispam statistic descriptions

Refreshing the statistics
You can refresh the Antispam statistics manually or automatically at certain intervals. The
refresh data options are as follows:

● Refresh Now (Use this option to manually refresh the page.)
● every 10 seconds
● every 20 seconds
● every 30 seconds
● every 1 minute
● every 2 minutes
● Auto Off (Use this option to disable automatic refresh.)

To refresh the statistics:

● Select one of the options from the Refresh Data list.


Using the Email Sender Whitelist and Email Sender Blacklist


Introduction Use the Email Sender Whitelist and Email Sender Blacklist to control which domains or
email addresses the appliance identifies as spam. You can add, edit, or delete the Email
Sender Whitelist and Email Sender Blacklist from the Antispam Protection Settings tab.

Email Sender Whitelist
An Email Sender Whitelist contains domains and email addresses that the appliance
never identifies as spam.

Email Sender Blacklist
The Email Sender Blacklist contains domains and email addresses that the appliance
always identifies as sources of spam.

Considerations Consider the following when you add entries to the Email Sender lists:

● If you include an email address or domain on the Email Sender Whitelist, then the
appliance accepts all email from that sender, regardless of content.
● If you include an email address or domain on the Email Sender Blacklist, then the
appliance blocks all email from that sender, regardless of whether the Antispam
Module is in Learning Mode or Delete Mode.
Reference: For more information about Learning Mode and Delete Mode, see
“Learning Mode” on page 266 and “Delete Mode” on page 266.

What you can do with Email Sender lists
You can use Email Sender lists to do the following:

● exempt one or more specific domains or email addresses from deletion or tagging
● delete or tag email as spam from individual domains or email addresses

Tip: You can include email distribution lists in an Email Sender list. The appliance filters
for the entries on the Email Sender list, but does not enforce the Antispam settings for
individuals included in that distribution list.

Using wildcards You can use two wildcard characters in an Email List entry:

● The question mark (?) represents any single character.
● The asterisk (*) represents any string of characters, so one entry can cover groups of email addresses or domains.

You can use wildcards to the left, middle, or right of entries, and you can combine
wildcards.

Wildcard examples These examples identify spam_sender as a source of spam:

spam_sender@*.
*spam_sender@

If an entry is incomplete and includes no wildcards, then the appliance assumes wildcards
at the start and end of the entry. The following example identifies all email from sender
spam_sender as a source of spam, regardless of the domain:

spam_sender


is interpreted by the appliance as:

*spam_sender@*

The following example identifies any email sender from the domain domain_name as a
source of spam:

domain_name

is interpreted by the appliance as:

*@domain_name*

The following examples identify spam@domain_name.net as a source of spam:

spa?@*domain_name.net
*@domain_name.n?t
sp?m@*.net
spam@?omain_name.*
?pam@*
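The wildcard rules above, the whitelist and blacklist considerations, and the Delete Threshold behaviour in Learning Mode and Delete Mode fit together into one decision per message. The following is an added example, not ISS code, that implements that decision over constructed messages: whitelist entries are never spam, blacklist entries are blocked in either mode, and everything else is tagged [SPAM], tagged [SPAM+] or deleted from its spam value and the threshold. Assumptions made here: the spam value scale (0 to 100), the whitelist is checked before the blacklist, a value equal to the threshold counts as "more spam content than the threshold", and an entry with no "@" and no wildcard is tried both as *entry@* and *@entry*, the two readings the guide shows for spam_sender and domain_name.

```python
"""Email Sender list matching and the Delete Threshold decision.

Added example, not the appliance's code.  ? matches one character and * any
run of characters; an incomplete entry (no @ and no wildcard) is expanded to
both *entry@* and *@entry*, as the guide illustrates.  The spam value scale,
whitelist-before-blacklist order and the tie rule at the threshold are assumed.
"""
import re
from dataclasses import dataclass

SPAM, SPAM_PLUS, DELETE, ALLOW = "tag [SPAM]", "tag [SPAM+]", "delete", "allow"


def wildcard_regex(pattern):
    """Translate a list entry into an anchored regex: ? is one char, * any run."""
    out = [".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern]
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE)


def entry_patterns(entry):
    """Expand an incomplete entry with the implicit wildcards the guide describes."""
    entry = entry.strip()
    if "@" in entry or "*" in entry or "?" in entry:
        return [entry]
    return [f"*{entry}@*", f"*@{entry}*"]    # sender-name reading and domain reading


def sender_in_list(sender, entries):
    return any(wildcard_regex(p).match(sender) for e in entries for p in entry_patterns(e))


@dataclass
class AntispamSettings:
    delete_threshold: int           # 0-100 on the assumed scale
    delete_mode: bool               # False means Learning Mode
    whitelist: tuple = ()
    blacklist: tuple = ()


def decide(sender, spam_value, settings):
    """Return the action for one message; spam_value is None for ham."""
    if sender_in_list(sender, settings.whitelist):
        return ALLOW                # accepted regardless of content
    if sender_in_list(sender, settings.blacklist):
        return DELETE               # blocked in Learning Mode and Delete Mode alike
    if spam_value is None:
        return ALLOW                # not identified as spam
    if spam_value < settings.delete_threshold:
        return SPAM                 # below the threshold: [SPAM] tag in both modes
    return DELETE if settings.delete_mode else SPAM_PLUS


# Constructed settings and messages (documentation-style domains, not real senders).
SETTINGS = AntispamSettings(
    delete_threshold=60, delete_mode=False,
    whitelist=("*@partner.example",),
    blacklist=("spam_sender", "domain_name", "sp?m@*.net"),
)
SAMPLE_MAIL = [
    ("newsletter@partner.example", 95),      # whitelisted: allowed despite the high value
    ("spam_sender@anywhere.example", None),  # matched as *spam_sender@*
    ("bob@domain_name.org", None),           # matched as *@domain_name*
    ("spam@other.net", None),                # matched by sp?m@*.net
    ("alice@mail.example", None),            # ham, no list entry
    ("promo@mail.example", 40),              # below threshold: [SPAM]
    ("promo@mail.example", 80),              # at or above threshold, Learning Mode: [SPAM+]
]


def run(settings=SETTINGS, mail=SAMPLE_MAIL):
    """Actions for each constructed message, in order."""
    return [decide(sender, value, settings) for sender, value in mail]


if __name__ == "__main__":
    for (sender, value), action in zip(SAMPLE_MAIL, run()):
        print(f"{sender:32} value={value!s:5} -> {action}")
```

Switching `delete_mode` to True changes only the last message's outcome from a [SPAM+] tag to deletion, which is the difference between the two modes that the Learning Mode note recommends checking before you start deleting mail.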

Adding an Email Sender Whitelist entry
To add an entry to the Email Sender Whitelist:

1. In the navigation pane, click + to expand the Antispam node.
2. Select Settings.
3. Select the Protection Settings tab.
4. Locate the Email Sender Whitelist area.
5. Click Add.
6. In the Name box, type a domain or email address that you want to exempt from spam
filtering.
7. Click OK.
8. Repeat Steps 5 through 7 for each entry you want to add.
9. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Adding an Email Sender Blacklist entry
To add an entry to the Email Sender Blacklist:

1. In the navigation pane, click + to expand the Antispam node.
2. Select Settings.
3. Select the Protection Settings tab.
4. Locate the Email Sender Blacklist area.
5. Click Add.
6. In the Name box, type a domain or email address that you want the appliance to
identify as a source of spam.
7. Click OK.
8. Repeat Steps 5 through 7 for each entry you want to add.


9. Do one of the following:


■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Editing an Email Sender list
To edit an entry in an Email Sender list:

1. In the navigation pane, click + to expand the Antispam node.
2. Select Settings.
3. Select the Protection Settings tab.
4. Locate the email sender list entry you want to edit.
5. Click Edit.
6. Make your changes in the Name box.
7. Click OK.
8. Repeat Steps 4 through 7 for each entry you want to edit.
9. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Copying and pasting Email Sender list entries
You can copy and paste an email sender list entry before editing it. This is useful if you
want to add an entry that is similar to an entry already in the list.

To copy and paste an email sender list entry:

1. In the navigation pane, click + to expand the Antispam node.


2. Select Settings.
3. Select the Protection Settings tab.
4. Locate the email sender list entry you want to copy.

5. Click the Copy icon.

6. Click the Paste icon.


The appliance copies the item to the end of the list.
7. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Removing an Email Sender list entry
To remove an email sender list entry:

1. In the navigation pane, click + to expand the Antispam node.
2. Select Settings.
3. Select the Protection Settings tab.
4. Locate the Email Sender list entry you want to remove.
5. Click Remove.
6. Do one of the following:


■ In the Proventia Manager interface, click Save Changes.


■ In the SiteProtector interface, click OK.

Chapter 19

Using Web Filters

Overview
Introduction This chapter explains how to use the Web Filter Module in the Proventia Integrated
Security Appliance.

What you can do with Web Filters
You can use Web Filters to control which Web sites are available to users on your
network. When you enable the Web Filter Module, the M Series appliance blocks or
allows access to Web sites based on criteria that you select. You can do the following:

● Filter Web sites based on pre-defined categories that you select.
● Specify individual URLs, domains, or IP addresses that the appliance blocks or
allows.
● Track the URLs that users request and access.
● Specify static source IPs that can override the filters, to allow select users to surf the
Internet freely.

In this chapter This chapter contains the following topics:

Topic Page

Introduction to Web Filters 274

Setting Web Filter Options 276

Selecting Web Filter Categories 278

Using Blacklist and Whitelist Web Filter Overrides 280

Editing or Removing Blacklist and Whitelist Web Filter Overrides 283

Web Filter Logging and Events 285

Enabling Web Filter Event Notification 287

Web Filter Statistics 289

Web Filter Categories 291


Introduction to Web Filters


Introduction You can use Web Filters to control the following:

● what Web content is allowed or blocked
● who can override the Web filters to freely surf the Internet
● how the appliance notifies you about URL requests on your network

When a computer in your network attempts to access a Web site, the appliance:

● references the Web Filter and Antispam Database
● enforces Web Filters
● displays statistics about Web Filter data

Prerequisite You must have an active Internet connection before enabling the Web Filter module.

Important: Do not enable the Web Filter or Antispam Modules unless your appliance has
an active Internet connection. If the database cannot authenticate, the appliance may
incorrectly indicate that the database is not installed. This can prevent the Web Filter or
Antispam Modules from starting.

Before you enable the Web Filter or Antispam modules, do the following:

● Make sure that the appliance has an active Internet connection.
● Make sure that you have configured HTTP Proxy settings, if required for your
environment.

Reference: For more information, see the Proventia M Series Appliances 1.8 Readme on
the ISS Download Center at http://www.iss.net/download/.

Ways to apply Web filters
You can apply Web filters in the following ways:

● select Web Filter categories
● add URL, domain, and IP address entries to the blacklist and whitelists

How Web Filters work
The following table describes the Web Filter process:

Stage Description

1 The ISS Web crawlers continuously download Web content.

2 ISS analyzes the content and classifies it into Web Filter categories.

3 ISS stores this information in the Web Filter and Antispam Database.

4 You enable the Web Filter Module on the appliance, and set the options.
You can choose the following:
• Web Filter categories containing the URLs that you want the appliance
to log
• whether the appliance blocks requests for the URLs in those
categories
• how the appliance responds to Web Filter events
• how often the appliance downloads database updates

5 To control access to specific Web sites, domains, and servers, add these
entries to the Blacklist or Whitelist filter overrides.

6 The appliance enforces your Web Filters. If a user attempts to access a
forbidden Web site, the appliance displays a Web page that informs the
user that the site is blocked.

Table 101: Web Filter process overview

If you already own an M Series appliance
If you already own an M Series appliance, you can use Web Filters if you do the following:

● Download Firmware Update version 1.8 or later.
● Download the Web Filter and Antispam Database from the ISS database server.

Reference: For more information about downloading firmware updates, see the Help.

Blocking page The blocking Web page appears when a user requests a blocked URL. This page is stored
on the appliance.

Tips about icons The following table describes the icons that may appear on the Web Filter Settings page:

Icon Description

If this icon appears next to a field on this page, then data is required in the field or the
data in the field is invalid. If the icon appears next to a policy or a tab on this page,
then the policy or tab contains invalid settings or empty fields that require data.

If this icon appears at the top of a list, you can select an item in the list and click the
icon to copy the item to the clipboard.

If this icon appears at the top of a list, you can click the icon to paste an item from the
clipboard to the end of the list. You can then edit the pasted item.

Table 102: Web Filter Settings page icons


Setting Web Filter Options


Introduction This topic describes Web Filter options, what options are set by default, and how to enable
the Web Filter Module.

Web Filter options The following table describes the Web Filter options you can configure:

To... See...

disable URL Blocking “URL Blocking” on page 285.

select or deselect Web Filter categories “Selecting Web Filter Categories” on page 278.

add, edit, or remove entries in the Blacklist “Using Blacklist and Whitelist Web Filter Overrides”
or Whitelist filter overrides on page 280

enable or disable any of the following: “Web Filter Logging and Events” on page 285.
• event logging
• email notification
• SNMP traps
• SiteProtector notification

Table 103: Web Filter options

Default settings
After you enable the Web Filter Module, the appliance enforces the default settings. The
table below describes the default Web Filter settings:

Option Default Setting

URL Blocking: Enabled
Note: This setting blocks all URLs in the selected Web Filter categories. For more
information about URL Blocking, see “URL Blocking” on page 285.

Filter Override - Destination Whitelist (Allow): The following URL is added to the
Destination Whitelist by default: *.iss.net
Reference: For more information about the Destination Whitelist, see “Using Blacklist and
Whitelist Web Filter Overrides” on page 280.

Web Filter Categories: The following Web Filter categories are selected by default.
In the IT category group:
■ URL Translation Sites
■ Anonymous Proxies
In the Nudity category group:
■ Pornography
■ Erotic/Sex
In the Criminal Activities category group:
■ Illegal Activities
■ Computer Crime
■ Hate and Discrimination
■ Hacking
In the Extreme category group:
■ Extreme
In the Drugs category group:
■ Illegal Drugs
Reference: For more information about Web Filter categories, see “Selecting Web Filter
Categories” on page 278.

Table 104: Web Filter default settings

Enabling the Web Filter Module
To enable the Web Filter Module:

1. In the navigation pane, click + to expand the Web Filter node.
2. Select Settings.
3. Select the Protection Settings tab.
4. Select the Web Filter Module Enabled box.
5. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.


Selecting Web Filter Categories


Introduction When you select a Web filter category, the appliance blocks all requests from your
network for any URL, domain, or IP address that ISS includes in that category.

Note: You can also use the Blacklist or Whitelist filter overrides to control access to
specific Web sites, domains, and servers. For more information, see “Using Blacklist and
Whitelist Web Filter Overrides” on page 280.

If you disable URL Blocking, the appliance logs requests for access to any URL, domain,
or IP address in the Web Filter categories you select, but does not block the requests.

Important: You must enable the Web Filter Module before the appliance can enforce your
Web Filter selections. Make sure that you have selected the Web Filter Module Enabled
box on the Web Filter Protection Settings tab.

Web Filter category organization
After ISS analyzes the content of a Web site, that Web site is assigned to one of 58
categories in the Web Filter and Antispam Database. Web Filter categories are organized
into 19 major groups.

Selecting Web Filter categories
You can select the following:

● the entire list of category groups
● any of the 19 major category groups
● individual categories

Web filter categories in the Proventia Manager interface are organized into 19 major
groups in the Web Filter tree. The Web Filter tree appears in the left pane of the Web Filter
Categories page. You can click any node on the Web Filter tree to expand it. When you
select a category group, the category description displays in the right pane.

To select a Web filter category:

1. In the navigation pane, click + to expand the Web Filter node.
2. Select Categories.
3. Select the box on the Web Filter tree for each filter category that you want to block or
log.
Note: If you select a major category group, you include all individual categories in
that group. If you select the Web Filter box at the top of the tree, you select all
category groups.
4. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Deselecting Web Filter categories
To deselect a Web filter category:

1. In the main navigation pane, click + to expand the Web Filter node.
2. Select Categories.
3. Clear the box on the Web Filter tree for the filter category that you want to deselect.
Note: If you deselect a major category group, you deselect all individual categories in
that group. If you clear the Web Filter box at the top of the tree, you deselect all
categories.
4. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.


Using Blacklist and Whitelist Web Filter Overrides


Introduction Use the Blacklist or Whitelist filter overrides to control access to specific Web sites,
domains, and servers.

What you can do with filter overrides
You can use filter overrides to do the following:
● Exempt one or more specific Web sites, domains, or servers from Web Filters.
● Block or allow access to individual Web sites, domains, or servers.
● Allow specific users in your network to surf the Internet freely.

Important: When you add a URL, domain, or IP address to the blacklist or to the source or
destination whitelists, then that entry is an exception to the Web filter category.

Filter override definitions
A filter override is a list of specific exceptions to a Web Filter category. A whitelist or
blacklist overrides any Web Filter categories that you select.

● Destination Whitelist—a list of URLs, domains, or IP addresses that users can always
access from your network, even if the destination belongs to a blocked Web filter
category. This is useful if you want to override a Web filter to allow access to specific
destinations in a blocked category, such as a single news site.
● Destination Blacklist—a list of URLs, domains, or IP addresses that users can never
access from your network. You can use this list to block destinations that aren’t
included in the Web filters you’ve selected.
● Source Whitelist—a list of static IP addresses that can freely access the Internet from
your network. This is useful if specific users in your network need unrestricted
Internet access.
Important: If you include a user on a Source Whitelist, then that user is exempt from
all Web Filters. The user can access any URL, domain, or IP address, even those
included on the Destination Blacklist.

Using wildcards in Source Whitelist entries
In a Source Whitelist filter override entry, you can use the asterisk (*) wildcard character
in the trailing segment of an IP address range. The asterisk must be the final character in
the entry.

Source Whitelist wildcard examples
The following examples include all IP addresses in the subnet:
192.168.120.*
192.168.*
192.*

Using wildcards in Destination Whitelist or Blacklist entries
You can use two wildcard characters in the Destination Whitelist or Blacklist filter
override entries:

● the question mark (?) to represent any single character
● the asterisk (*) to include groups of URLs such as:
■ an entire IP address range
■ all the pages in a Web site


You can use the asterisk wildcard character in the leading or trailing segments of an IP
address range or URL. You cannot use a wildcard character in the middle segment of an
IP address or URL.

Destination Whitelist or Blacklist wildcard examples
If no wildcard is used in an incomplete entry, then the appliance assumes a wildcard at
the start and end of the entry:

iss

is interpreted by the appliance as:

*iss*

Each of these examples includes all the Web pages in the ISS Web site:

*.iss.*
iss
*.iss.n?t
?*.net
.iss.net

These examples include all IP addresses in the subnet:

172.16.106.*
172.16.*
172.*
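The wildcard rules above, together with the order in which the three override lists and the selected categories are applied (a Source Whitelist host is exempt from everything, the destination lists override the categories, and URL Blocking decides between block and log), are modelled below in an added Python example written for this page. It is not the appliance's own code. Assumptions not stated in the guide: entries are compared case-insensitively against the request host and against host plus path; a "segment" is a dot-separated part of the entry; an entry with no wildcard is matched as a substring (the iss to *iss* rule); the Destination Whitelist is consulted before the Destination Blacklist when an address appears in both; all hostnames and addresses in the sample policy are constructed.

```python
import re
from dataclasses import dataclass, field

# Added example: a model of the filter override matching and precedence rules
# described in this topic. It is not the appliance's code. Entry syntax follows
# the guide; the matching target (host, and host plus path), case-insensitivity
# and the whitelist-before-blacklist order are assumptions.

# A Source Whitelist entry is a full static IP address or one to three leading
# octets followed by '*' as the final character (192.168.120.*, 192.168.*, 192.*).
SOURCE_ENTRY = re.compile(r"(\d{1,3}\.){1,3}\*|(\d{1,3}\.){3}\d{1,3}")


def is_valid_source_entry(entry: str) -> bool:
    return SOURCE_ENTRY.fullmatch(entry) is not None


def source_matches(entry: str, ip: str) -> bool:
    """Trailing '*' means prefix match. Because the entry keeps the dot before
    the asterisk, 10.0.5.* does not match 10.0.50.1."""
    if not is_valid_source_entry(entry):
        return False
    if entry.endswith("*"):
        return ip.startswith(entry[:-1])
    return ip == entry


def is_valid_destination_entry(entry: str) -> bool:
    """'*' may appear only in the leading or trailing dot-separated segment
    (*.iss.*, ?*.net, 172.16.*); a '*' in a middle segment (www.*.net) is
    rejected. '?' stands for exactly one character and may appear anywhere."""
    segments = entry.split(".")
    return bool(entry) and all("*" not in s for s in segments[1:-1])


def destination_regex(entry: str) -> re.Pattern:
    """Translate an entry into a regex. An entry without any wildcard is
    treated as '*entry*', i.e. a substring match ('iss' -> '*iss*')."""
    if not is_valid_destination_entry(entry):
        raise ValueError(f"'*' is not allowed in the middle of {entry!r}")
    if "*" not in entry and "?" not in entry:
        entry = f"*{entry}*"
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in entry]
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def destination_matches(entry: str, url: str) -> bool:
    """Compare the entry against the host alone and against host plus path,
    so a host pattern such as *.iss.* covers every page of the site."""
    rest = re.sub(r"^[a-z][a-z0-9+.-]*://", "", url, flags=re.IGNORECASE)
    host, _, path = rest.partition("/")
    rx = destination_regex(entry)
    return bool(rx.match(host) or rx.match(f"{host}/{path}"))


@dataclass
class WebFilterPolicy:
    """Settings from the Web Filter Protection Settings tab. *.iss.net is the
    guide's default Destination Whitelist entry."""
    module_enabled: bool = True
    url_blocking: bool = True
    selected_categories: set = field(default_factory=set)
    source_whitelist: list = field(default_factory=list)
    destination_whitelist: list = field(default_factory=lambda: ["*.iss.net"])
    destination_blacklist: list = field(default_factory=list)


def decide(policy: WebFilterPolicy, src_ip: str, url: str, category: str):
    """Return (action, reason); action is 'allow', 'block' or 'log'."""
    if not policy.module_enabled:
        return ("allow", "Web Filter Module disabled")
    # A Source Whitelist host is exempt from every filter, even the blacklist.
    if any(source_matches(e, src_ip) for e in policy.source_whitelist):
        return ("allow", "Source Whitelist")
    if any(destination_matches(e, url) for e in policy.destination_whitelist):
        return ("allow", "Destination Whitelist")
    if any(destination_matches(e, url) for e in policy.destination_blacklist):
        return ("block", "Destination Blacklist")
    if category in policy.selected_categories:
        # With URL Blocking disabled the request is logged, not blocked.
        return ("block" if policy.url_blocking else "log", f"category: {category}")
    return ("allow", "category not selected")


if __name__ == "__main__":
    # Constructed sample policy: one exempt subnet, one blacklisted domain.
    policy = WebFilterPolicy(selected_categories={"Anonymous Proxies"},
                             source_whitelist=["10.0.5.*"],
                             destination_blacklist=["*.example.test"])
    print(decide(policy, "10.0.6.9", "http://proxy.example.test/", "Anonymous Proxies"))
```

The validation functions are the part worth keeping at hand when reviewing an override list: an entry such as www.*.net is silently useless on the appliance according to the rule above, and a Source Whitelist entry with the asterisk anywhere but the end does not exempt the subnet the author had in mind.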

Adding a Destination Whitelist entry
To add an entry to the Destination Whitelist:

1. In the navigation pane, click + to expand the Web Filter node.
2. Select Settings.
3. Select the Protection Settings tab.
4. Locate the Filter Override - Destination Whitelist - (Allow) area.
5. Click Add.
The Add Filter Override - Destination Whitelist window appears.
6. In the Name box, type the URL, domain, or IP address that you want to allow.
7. Click OK.
8. Repeat Steps 5 through 7 for each entry you want to add.
9. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Adding a Destination Blacklist entry
To add an entry to the destination blacklist:

1. In the navigation pane, click + to expand the Web Filter node.
2. Select Settings.
3. Select the Protection Settings tab.


4. Locate the Filter Override - Destination Blacklist - (Block) area.
5. Click Add.
The Add Filter Override - Destination Blacklist window appears.
6. In the Name box, type the URL, domain, or IP address that you want to block.
7. Click OK.
8. Repeat Steps 4 through 6 for each entry you want to add.
9. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Adding a Source Whitelist entry
To add an entry to the source whitelist:

1. In the navigation pane, click + to expand the Web Filter node.
2. Select Settings.
3. Select the Protection Settings tab.
4. Locate the Filter Override - Source Whitelist - (Allow) area.
5. Click Add.
The Add Filter Override - Source Whitelist window appears.
6. In the Name box, type the static IP address that you want to exclude from all Web
Filters.
7. Click OK.
8. Repeat Steps 5 through 7 for each entry you want to add.
9. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.


Editing or Removing Blacklist and Whitelist Web Filter Overrides


Introduction You can edit, paste, or remove entries from the blacklist or whitelist Web filter overrides.

Editing a filter override entry
To edit an entry in a filter override list:

1. In the navigation pane, click + to expand the Web Filter node.
2. Select Settings.
3. Select the Protection Settings tab.
4. Locate the filter override list entry you want to edit.
5. Click Edit.
The Edit Filter Override window appears.
6. Make your changes in the Name box.
7. Click OK.
8. Repeat Steps 4 through 7 for each entry you want to edit.
9. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Copying and pasting filter override entries
You can copy and paste a filter override entry before editing it. This is useful if you want
to add an entry that is similar to an entry already in the list.

To copy and paste a filter override entry:

1. In the navigation pane, click + to expand the Web Filter node.
2. Select Settings.
3. Select the Protection Settings tab.
4. Locate the filter override list entry you want to copy.
5. Click the Copy icon.
6. Click the Paste icon.
The appliance copies the item to the end of the list.
7. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Removing a filter override entry
To remove a filter override entry:

1. In the navigation pane, click + to expand the Web Filter node.
2. Select Settings.
3. Select the Protection Settings tab.
4. Locate the filter override list entry you want to remove.


5. Click Remove.
The appliance removes the entry from the list.
6. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.


Web Filter Logging and Events


Introduction If you enable Web Filter Event Logging, you can choose the following:

● which Web Filter events to log on the Alert Event Log page
● how the appliance responds to Web Filter events

Reference: For a list of Web Filter events, see “Web Filter Events” on page 431.

Web Filter event notification
You can choose how the appliance responds to Web Filter events. You can select the
following Web Filter notification delivery options:

Option Description

Email Enabled: Sends an email for each blocked URL request. The email contains the
source IP address, the requested URL, and the corresponding Web Filter category.

SNMP Trap: Sends an SNMP trap for each blocked URL request. The trap contains the
source IP address, the requested URL, and the corresponding Web Filter category.

SiteProtector Enabled: Sends the alert to the SiteProtector desktop controller.

Table 105: Web filter notification options

Caution: If you send alerts to SiteProtector for events that occur frequently, the appliance
can generate a large number of alerts to SiteProtector. For more information, see “Using
SiteProtector Management” on page 338.

Displaying Web Filter events on the Alert Event Log page
If Web Filter Event Logging is enabled, you can choose which events the appliance
displays on the Alert Event Log page. You can select one of the following event log types:

Option Description

Log Only Blocked Web Page Requests: Displays an event on the Alert Event Log page for
each blocked URL request

Log All Web Page Requests: Displays an event on the Alert Event Log page for each URL
request

Table 106: Web filter event log options

Caution: If you enable the Log All Web Page Requests option, the event log file could fill
very quickly. ISS recommends that you enable this option for troubleshooting purposes
only. If you have registered your appliance with SiteProtector, enable alert reporting to
SiteProtector, and then enable the Log All Web Page Requests option, then the appliance
could send a large number of alerts to SiteProtector. For more information, see “Using
SiteProtector Management” on page 338.

URL Blocking When URL blocking is enabled, the appliance blocks all requests for URLs that belong to
the Web Filter categories you select. URL Blocking is enabled by default. If you want to
log URL requests, but not block them, then you can disable URL Blocking.


Disabling URL blocking
To disable URL blocking:

1. In the navigation pane, click + to expand the Web Filter node.
2. Select Settings.
3. Select the Protection Settings tab.
4. Clear the URL Blocking Enabled box.
5. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.


Enabling Web Filter Event Notification


Introduction This topic describes how to enable or disable the following Web Filter event notification
settings used by the Proventia Manager:

● email notification
● SNMP trap response
● SiteProtector alert reporting

Prerequisites Consider the following prerequisites when you enable Web Filter event notification:

● You must configure email delivery setup before you can use the email notification
option for Web Filter events.
Reference: For more information, see “Adding an email response” on page 94.
● You must configure the SNMP response before you can use the SNMP Trap option.
Reference: For more information, see “Configuring SNMP” on page 97.
● You must have a SiteProtector console, and register your appliance with a
SiteProtector desktop controller, before you can use the SiteProtector event
notification option.
Reference: For more information, see “Using SiteProtector Management” on
page 338.

Enabling Web Filter event notification
To enable Web Filter event notification:

1. In the navigation pane, click + to expand the Web Filter node.
2. Select Settings.
3. Select the Event Notification tab.
4. Select the Enable Event Logging box.
5. In the Event Logging Type area, do one of the following:
■ Select Log Only Blocked Web Page Requests to log only the requests that the
appliance blocks.
■ Select Log All Web Page Requests to log all requests that the appliance processes.
Important: If you select Log All Web Page Requests when SiteProtector event
notification is enabled, the appliance may send a large number of alerts to
SiteProtector.
6. In the Event Notification Delivery area, do one of the following:
■ If you want to receive email notification for Web Page Requests, select the Email
Enabled box, and then go to Step 7.
■ If you do not want to receive email notification for Web Page Requests, clear the
Email Enabled box, and then go to Step 8.
Note: The Email Enabled box is selected by default.
7. Select an Email Name from the list.
8. To enable the SNMP response, select the SNMP Trap Enabled box.
9. To enable alerts to SiteProtector, select the SiteProtector Enabled box.

10. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.


Web Filter Statistics


Introduction Use the Web Filter Status Page to view the Web filter categories you are using, and to
view how many URLs in each category are allowed or blocked.

Web Filter statistic areas
The statistics are grouped into three areas:
● Overview—contains overall statistics about requests for Web site access
● Filtered Categories—contains statistics for each Web Filter category you select
● White/Black List—contains statistics about the requests for Web sites that you’ve
included in a Whitelist or Blacklist

For each Web filter statistic, the number of URLs is followed by its percentage of the total.

Web Filter statistic example
If the Blacklist URLs statistic is 70(30.5%), the appliance processed 70 requests for URLs
included on the Destination Blacklist. These 70 requests account for 30.5% of all URL
requests.

Overview statistics The following table describes the Overview statistics:

Statistic Description

Total URLs processed: The total number of URLs that the appliance has processed. This
number includes both blocked and allowed requests

Allowed: The number of URL requests that the appliance allowed

Blocked: The number of URL requests that the appliance blocked

Table 107: Overview statistics

Filtered Categories statistics
The Filtered Categories area contains a statistic for each Web Filter category that you
select on the Web Filter → Categories page.

White/Black List statistics
The following table describes the White/Black List statistics:

Statistic Description

Source IP Whitelist requests: The total number of URL requests from each IP address
included on the Source Whitelist

Whitelist URLs: The number of requests for URLs on the Destination Whitelist (Allow) list

Blacklist URLs: The number of requests for URLs on the Destination Blacklist (Block) list

Table 108: White/Black List statistics
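How the Event Logging Type setting described under “Web Filter Logging and Events”, the three fields carried by an email or SNMP trap notification, and the Status page statistics above all derive from the same per-request decisions is shown in the following added Python example. It was written for this page and is not the appliance's code; the ten request records are constructed, and the rule names in the reason field are assumed labels, not values the appliance exposes.

```python
from collections import Counter
from dataclasses import dataclass

# Added example (not the appliance's code): event log selection, notification
# fields and Web Filter Status page statistics computed from a constructed
# sample of processed URL requests.


@dataclass(frozen=True)
class RequestRecord:
    source_ip: str
    url: str
    category: str    # Web Filter category ISS assigned to the URL
    action: str      # "allow" or "block"
    reason: str      # assumed labels: "source whitelist", "destination whitelist",
                     # "destination blacklist", "category" or "not filtered"


# Constructed sample of ten processed URL requests (hostnames are not real).
SAMPLE_REQUESTS = [
    RequestRecord("10.0.5.9", "http://proxy.example.test/", "Anonymous Proxies", "allow", "source whitelist"),
    RequestRecord("10.0.6.1", "http://www.iss.net/", "Information Security Sites", "allow", "destination whitelist"),
    RequestRecord("10.0.6.2", "http://www.iss.net/products/", "Information Security Sites", "allow", "destination whitelist"),
    RequestRecord("10.0.6.3", "http://bad.example.test/", "Private Homepages", "block", "destination blacklist"),
    RequestRecord("10.0.6.4", "http://p1.example/", "Pornography", "block", "category"),
    RequestRecord("10.0.6.5", "http://p2.example/", "Pornography", "block", "category"),
    RequestRecord("10.0.6.6", "http://anon.example/", "Anonymous Proxies", "block", "category"),
    RequestRecord("10.0.6.7", "http://news.example/", "General News / Newspapers / Magazines", "allow", "not filtered"),
    RequestRecord("10.0.6.8", "http://shop.example/", "Online Purchases", "allow", "not filtered"),
    RequestRecord("10.0.6.9", "http://jobs.example/", "Job Search", "allow", "not filtered"),
]


def event_log_entries(records, log_type: str):
    """Alert Event Log entries for the selected Event Logging Type:
    'blocked_only' (Log Only Blocked Web Page Requests) or 'all'
    (Log All Web Page Requests). The difference in volume is the reason the
    guide cautions against 'all' when alerts also go to SiteProtector."""
    if log_type not in ("blocked_only", "all"):
        raise ValueError(f"unknown log type {log_type!r}")
    return [r for r in records if log_type == "all" or r.action == "block"]


def notification_payload(record: RequestRecord) -> dict:
    """The three fields the guide says an email or SNMP trap carries for a
    blocked URL request."""
    return {"source_ip": record.source_ip, "url": record.url,
            "category": record.category}


def fmt(count: int, total: int) -> str:
    """Status page format: the count followed by its share of all requests,
    for example 70(30.5%)."""
    pct = (100.0 * count / total) if total else 0.0
    return f"{count}({pct:.1f}%)"


def web_filter_statistics(records, selected_categories):
    """Overview, Filtered Categories and White/Black List statistics."""
    total = len(records)
    by_reason = Counter(r.reason for r in records)
    by_category = Counter(r.category for r in records if r.reason == "category")
    per_source_ip = Counter(r.source_ip for r in records if r.reason == "source whitelist")
    return {
        "Overview": {
            "Total URLs processed": fmt(total, total),
            "Allowed": fmt(sum(r.action == "allow" for r in records), total),
            "Blocked": fmt(sum(r.action == "block" for r in records), total),
        },
        "Filtered Categories": {c: fmt(by_category[c], total) for c in sorted(selected_categories)},
        "White/Black List": {
            # one figure per Source Whitelist address, as the guide describes
            "Source IP Whitelist requests": {ip: fmt(n, total) for ip, n in per_source_ip.items()},
            "Whitelist URLs": fmt(by_reason["destination whitelist"], total),
            "Blacklist URLs": fmt(by_reason["destination blacklist"], total),
        },
    }


if __name__ == "__main__":
    print(web_filter_statistics(SAMPLE_REQUESTS, {"Pornography", "Anonymous Proxies"}))
    print(len(event_log_entries(SAMPLE_REQUESTS, "blocked_only")), "blocked-only events")
    print(len(event_log_entries(SAMPLE_REQUESTS, "all")), "log-all events")
```

Note that a request to a blocked category from a Source Whitelist address is counted under the Source IP Whitelist figure, not under the category, since the exemption is what decided it.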

Refreshing the statistics
You can refresh the Web Filter statistics manually or automatically at certain intervals.
The refresh data options are as follows:

● Refresh Now (Use this option to manually refresh the page.)
● every 10 seconds
● every 20 seconds
● every 30 seconds
● every 1 minute
● every 2 minutes
● Auto Off (Use this option to disable automatic refresh.)

To refresh the statistics:

● Select one of the options from the Refresh Data list.


Web Filter Categories


Introduction After ISS analyzes the content of a Web site, that Web site is assigned to one of 58
categories in the Web Filter and Antispam Database. The categories are arranged into 17
major categories, so that you can select the major category or choose from individual
categories. You can select these categories on the Web Filter → Categories tab.

Nudity category
The following table describes the individual Web Filter categories found in the Nudity
category.

This category... Contains Web sites that include...

Pornography: The depiction of sexually explicit activities and erotic content unsuitable for
persons under the age of 18

Erotic / Sex: Erotic material or sex toys found on television or obtained from magazines
free of charge

Swimwear / Lingerie: Bikinis, lingerie and nudity (no sexual references)

Table 109: Web filter nudity category descriptions

Ordering category
The following table describes the individual Web Filter categories found in the Ordering
category.

This category... Contains Web sites that include...

Online Purchases: Online shops that provide the opportunity to select from a product
range or order online

Auctions / Small Advertisements: Online or offline auction sites, auction houses, or
advertisements

Table 110: Web filter ordering category descriptions

Society/Education/Religion category
The following table describes the individual Web Filter categories found in the Society/
Education/Religion category.

This category... Contains Web sites that include...

Governmental Organizations: Content for which governmental organizations are
responsible, such as government branches or agencies, police departments, fire
departments, hospitals, the United Nations, or the European Community

Non-Governmental Organizations: Non-governmental organizations such as clubs,
communities, non-profit organizations, and labor unions

Cities / Regions / Countries: Regional information, Web sites of cities, regions, countries,
city maps, and city magazines

Education / Enlightenment: Universities, colleges, schools, kindergartens, adult education,
course offerings, dictionaries, and encyclopedias

Political Parties: Political parties

Religion: Religious content and information about these religions:
• Buddhism
• Christianity
• Hinduism
• Islam
• Judaism
This category also includes religious communities that have emerged out of these
religions.

Sects: Sects, cults, occultism, or Satanism

Table 111: Web filter society/education/religion category descriptions

Criminal Activities category
The following table describes the individual Web Filter categories found in the Criminal
Activities category.

This category... Contains Web sites that include...

Illegal Activities: Illegal activities, including child pornography

Computer Crime: Illegal manipulation of electronic devices, data networks, methods,
password encryption, manuals for virus programming, and credit card misuse

Hate and Discrimination: Extreme right and left-wing groups, sexism, racism, and other
discrimination

Hacking: Software vulnerabilities, license key lists, and illegal license key generators

Table 112: Web filter criminal activities category descriptions

Extreme category
The following table describes the individual Web Filter categories found in the Extreme
category.

This category... Contains Web sites that include...

Extreme: Web sites that are normally assigned to other categories but are particularly
extreme in their content, such as violence

Table 113: Web filter extreme category descriptions

Games/Gambling category
The following table describes the individual Web Filter categories found in the Games/
Gambling category.

This category... Contains Web sites that include...

Gambling: Lottery organizations, casinos and betting agencies

Computer Games: Computer games, computer game producers, cheat sites, and online
gaming zones

Toys: Information about dolls, modeling, scale trains/cars, board games, card games, and
parlor games

Table 114: Web filter games/gambling category descriptions


Entertainment/Culture category
The following table describes the individual Web Filter categories found in the
Entertainment/Culture category.

This category... Contains Web sites that include...

Cinema / Television: Cinema, television, program information, video on demand, and
others

Amusement / Theme Parks: Organizations for recreational activities such as public
swimming pools, zoos, fairs, and amusement parks

Art / Museums: Theaters, museums, exhibitions, and opening days

Music: Radio stations, online radio, MP3, Real Audio, Microsoft Media, homepages of
bands, record labels, and music vendors

Literature / Books: Literature such as novels, poems, specialized books, cooking books,
advisories, and others

Humor / Comics: Jokes, sketches, and other humorous content

Table 115: Web filter entertainment/culture category descriptions

Information/Communications category
The following table describes the individual Web Filter categories found in the
Information/Communications category.

This category... Contains Web sites that include...

General News / Newspapers / Magazines: Newspapers, magazines, and others

Web Mail: Web mail service providers and Web sites that enable internet users to send or
to receive emails via the Internet

Chat: Chat room providers and Web sites that allow users to have a direct exchange of
information with another user

Newsgroups / Bulletin News Boards / Discussion Sites: Web sites that provide posting
boards or other methods that enable users to share information on a variety of topics

SMS / Mobile Phones / Fun Applications: Web sites that enable users to use SMS (Short
Message Service) to send messages over the Internet to a mobile phone. This category also
includes providers and services for mobile phone accessories that are not necessary for
daily use such as games, ring tones and covers

Digital Postcards: Providers and Web sites that allow people to send digital postcards via
the Internet

Search Engines / Web Catalogs / Portals: Search engines, Web catalogs, and Web portals

Table 116: Web filter information/communications category descriptions


IT (Information Technology) category
The following table describes the individual Web Filter categories found in the IT
(Information Technology) category.

This category... Contains Web sites that include...

Software and Hardware Vendors / Distributors: Producers of hardware used for
information, measuring and modular technology, vendors of software, and distributors
that provide hardware and software

Web Hosting: Web hosting, Internet Service Providers, and providers of broadband
services

Information Security Sites: Information security, privacy, and data protection for the
Internet and broadband services such as telecommunications

URL Translation Sites: Web sites that enable the translation of parts or the entire content
of a Web site into another language

Anonymous Proxies: Web sites that allow users to anonymously view other Web sites

Table 117: Web filter IT (Information Technology) category descriptions

Drugs category
The following table describes the individual Web Filter categories found in the Drugs
category.

This category... Contains Web sites that include...

Illegal Drugs: Illegal drugs such as LSD, heroin, cocaine, ecstasy, marijuana,
amphetamines, and hemp. This category also includes the utilities for drug use, such as
water pipes

Alcohol: Alcohol distributors and alcohol as a pleasurable activity such as wine, beer,
liquor, and breweries

Tobacco: Tobacco, tobacco vendors, and smoking, including cigarettes, cigars, and pipes

Self Help / Addiction: Self-help groups, marriage guidance counseling, and help for
addiction problems

Table 118: Web filter drugs category descriptions

Lifestyles category
The following table describes the individual Web Filter categories found in the Lifestyles
category.

This category... Contains Web sites that include...

Dating / Relationships: Web sites that promote interpersonal relationships

Restaurant / Bars: Bars, restaurants, dance clubs, and fast food restaurants

Travel: Monuments, buildings, sights, travel agencies, hotels, resorts, motels, airlines,
railways, car rental agencies, and tourist information

Fashion / Cosmetics / Jewelry: Fashion, cosmetics, jewelry, perfume, modeling, and model
agencies

Sports: Sports, fan clubs, sport results, clubs, teams, and sporting federations

Building / Residence / Furniture: Property markets, furniture markets, prefabricated
houses, and design

Nature / Environment: Pets, market gardens, and environmental protections

Table 119: Web filter lifestyles category descriptions

Private Homepages category
The following table describes the individual Web Filter categories found in the Private
Homepages category.

This category... Contains Web sites that include...

Private Homepages: Private Web sites and homepage servers

Table 120: Web filter private homepage category descriptions

Job Search category
The following table describes the individual Web Filter categories found in the Job Search
category.

This category... Contains Web sites that include...

Job Search: Job offerings, job searches, job agencies, labor exchanges, and temporary work

Table 121: Web filter job search category descriptions

Finance/Investing category
The following table describes the individual Web Filter categories found in the Finance/
Investing category.

This category... Contains Web sites that include...

Brokerage: Web sites that display stock exchange rates, and deal exclusively with main
stocks like finance, brokerage and online trading

Investing: Real estate, insurance, and construction financing

Banking: Resort bank offices, credit unions, and online bank accounts

Table 122: Web filter finance/investing category descriptions

Transportation category
The following table describes the individual Web Filter categories found in the
Transportation category.

This category... Contains Web sites that include...

Transportation: Automobiles, car maintenance, car exhibitions, motorbikes, airplanes,
ships, submarines, bikes, railways, and others

Table 123: Web filter transportation category descriptions


Weapons category
The following table describes the individual Web Filter categories found in the Weapons
category.

This category... Contains Web sites that include...

Weapons: Guns, knives, air guns, fake guns, explosives, ammunition, military guns such
as tanks and bazookas, guns for hunting, and swords
Note: This category does not include household or pocketknives.

Table 124: Web filter weapons category descriptions

Medicine category
The following table describes the individual Web Filter categories found in the Medicine
category.

This category... Contains Web sites that include...

Health / Recreation / Nutrition: Hospitals, doctors, drugstores, psychology, nursing, health
food stores, and medicine

Abortion: Abortion

Table 125: Web filter medicine category descriptions

Spyware category
The following table describes the individual Web Filter categories found in the Spyware
category.

This category... Contains Web sites that include...

Spyware: Any technology that aids in gathering information about a person or
organization without their knowledge. On the Internet, an intruder can place
programming on a user's computer to secretly gather information and relay it to
advertisers or other interested parties. An intruder can place spyware on a computer as a
software virus or as the result of installing a new program. Also called spybot or tracking
software

Table 126: Web filter spyware category descriptions

SPAM category
The following table describes the individual Web Filter categories found in the SPAM
category.

This category... Contains Web sites that include...

SPAM: Email that contains unsolicited advertisements or offensive content

Table 127: Web filter SPAM category descriptions


Reporting incorrectly classified Websites and spam
Incorrectly classified websites and spam can be reported using the following:

To report... Send information to...

Incorrectly classified websites: http://www.iss.net/products_services/webfilter/test_site.php

Ham that is incorrectly classified as spam: nospam@spam.iss.net

Spam that is not detected: spamlearn@spam.iss.net

Table 128: Incorrectly classified website submission

Proventia M Series Appliances User Guide Release 2.3 297


Chapter 19: Using Web Filters

Chapter 20

The Web Filter and Antispam Database

Overview
Introduction The ISS Web Filter and Antispam Database contains the classification information that ISS
gathers about Web sites. ISS uses fully automated Web crawlers to inspect millions of new
and updated Web sites every day. ISS analyzes the information, and then uses advanced
content analysis technology to classify the Web sites into 58 categories. The appliance uses
the information in the database to enforce Web filters and identify spam email.

Your M Series appliance comes with a local database already installed. You can use
automatic update settings to choose how often the appliance downloads updates from the
ISS database server to the database on your appliance.

How do existing M customers get the database? If you own an M Series appliance with a base version of 1.7 or earlier, you can use the Web
Filter and Antispam modules if you do the following:
● Download Firmware Update version 1.8 or later from the ISS Web site.
● Download the Web Filter and Antispam Database from the ISS database server.

Reference: To determine the base version of the firmware that is installed on your
appliance, refer to the Base Version Number statistic in the System Status area on the
Home page. For more information about downloading firmware updates, see the Help.
For more information about downloading the database, see “Web Filter and Antispam
Database Page” on page 304.

In this chapter This chapter contains the following topics:

Topic Page

How ISS Classifies Web Content 300

About the Database 302

Updating the Database 305



Chapter 20: The Web Filter and Antispam Database

How ISS Classifies Web Content


Introduction ISS uses advanced content analysis tools to download and analyze Web content.
Automated Web crawlers inspect millions of new and updated Web sites every day. ISS
analyzes the information, and then classifies the Web sites into 58 categories using the
following:

● keyword searches
● intelligent text classification
● visual pornography detection
● visual object recognition
● visual optical character recognition
● overall classification

Keyword searches The keyword search determines the appropriate category for a Web site based on the
occurrence of certain words. Keyword searches are useful for classifying a URL.

Intelligent text classification Intelligent text classification evaluates keywords, how frequently a keyword appears, and
combinations of words. This method is a more reliable way of classifying a Web site that
contains a large number of words. A combination of keyword searches and intelligent text
classification can thoroughly analyze the text of a Web site.

Visual pornography detection Visual pornography detection can detect a high concentration of flesh tones in an image. If
an image contains a high concentration of flesh tones in comparison to the size of a face in
the image, then that image is potentially pornographic.

The Web crawler determines whether the image contains a face. If the Web crawler detects
a face in an image, it creates a sample color from the skin and evaluates how much of this
sample flesh color is present in the image. If the image does not contain a face, then the
Web crawler makes statistical assumptions about the amount of flesh in the image.

Visual object recognition Visual object recognition analyzes each image for specific objects, such as signs, symbols,
and trademarks. The Web crawlers can identify objects such as the following:

● inappropriate symbols (such as symbols used by hate groups)
● credit card logos
● sports brands
● car brands
● other well-known objects

Optical character recognition Optical character recognition analyzes text that is embedded in an image. Using this tool
together with keyword searches and text classification, the Web crawler can also classify
text that a site delivers as images rather than as HTML, which a keyword search alone
would miss.

Overall classification Overall classification combines the results of all the tools that the Web crawler uses to
analyze Web content. This reduces the chance that a single tool misclassifies a Web site.


How Web crawlers work ISS Web crawlers classify millions of Web pages every day. The process of crawling the
Internet is based on a “snowball” principle, so that the Web crawler analyzes a Web site
and then follows all the hyperlinks to other sites as well. The following table describes
how a Web crawler downloads information about a Web site.

Stage Description

1 The Web crawler visits a new or updated Web site.

2 The Web crawler downloads all HTML text and images on the Web site, and stores
this content for further analysis.

3 The Web crawler follows all hyperlinks to other sites, until no more unknown
hyperlinks are found.

4 The Web crawler sends the information to ISS for analysis and inclusion in the Web
Filter and Antispam Database.

Table 129: Web crawler stages

Web crawling strategy The Web crawling strategy includes the following:

● visiting newly discovered servers and domains before going deeper on the same
server
● visiting one server multiple times, rather than downloading massive amounts of data
in a single visit
● using some Web crawlers to update and maintain the database while others search for
new content
● frequently visiting Web sites that change often
● updating the Web crawling system with information about new Web sites, domains,
and servers based on public host lists, domain registry information, and other
external sources


About the Database


How the appliance uses the database The appliance uses the information in the Web Filter and Antispam database to enforce
Web Filters and Antispam settings.

Information sources ISS uses powerful parallel computers and multiple database clusters to cache and store
Web site classification information, hyperlink structures, images, Web site text, and other
content. ISS uses several methods to add information to the database, including the
following:

● automated Web crawlers
● managed link lists
● newsgroups
● search engines
● other resources

If you have installed Firmware Update version 1.8 If you have installed Firmware Update version 1.8, you must download the database from
the ISS database server before you can use the Web Filter or Antispam modules. For more
information, see “Web Filter and Antispam Database Page” on page 304.

Prerequisite Before you enable the Web Filter or Antispam modules, do the following:

● Make sure that the appliance has an active Internet connection.
● Make sure that you have configured HTTP Proxy settings, if required for your
environment.

Important: If the appliance cannot authenticate to the ISS database server, it may
incorrectly indicate that the database is not installed. This can prevent the Web Filter or
Antispam modules from starting.

Reference: For more information, see the Proventia M Series Appliances 1.8 Readme on
the ISS Download Center at http://www.iss.net/download/.

Information in the database The following table describes the information contained in the database:

Item Example

Domains inappropriate_site.com

Hosts www.inappropriate_site.com

Directories www.inappropriate_site.com/pics/

HTML pages www.inappropriate_site.com/pics/index.html

Image URLs www.inappropriate_site.com/pics/001.jpg

IP addresses http://194.12.2.3

Table 130: Database information examples
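The following Python example is added to this guide; it is not ISS code, and the order in which the appliance itself consults these entry types is not documented here. It shows one reasonable way to match a requested URL against a database that holds entries at the six granularities of Table 130, most specific first: the exact page or image URL, then the deepest containing directory, then the host and each of its parent domains (or the IP literal). SAMPLE_DB is constructed from the Table 130 forms, and the categories assigned to it are assumptions.

```python
"""Most-specific-match lookup against a Web Filter database.

Added example; the lookup order below is an assumption, not a description of
the appliance's internal algorithm. SAMPLE_DB is constructed from the
granularities in Table 130 and is not real classification data.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample database: key -> category (see Table 130 for the key forms)
SAMPLE_DB = {
    "inappropriate_site.com": "Weapons",                              # domain
    "www.inappropriate_site.com/about.html": "Health / Recreation / Nutrition",
    "www.inappropriate_site.com/pics/": "Pornography",                # directory
    "www.inappropriate_site.com/pics/index.html": "Pornography",      # HTML page
    "www.inappropriate_site.com/pics/001.jpg": "Pornography",         # image URL
    "194.12.2.3": "Spyware",                                          # IP address
}


def candidate_keys(url):
    """Return the database keys to try for `url`, most specific first."""
    if "://" not in url:
        url = "http://" + url          # Table 130 lists most entries without a scheme
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    keys = []
    if path != "/":
        keys.append(host + path)       # exact page or image URL
    dirs = path.split("/")[1:-1]       # intermediate directory components
    for depth in range(len(dirs), 0, -1):
        keys.append(host + "/" + "/".join(dirs[:depth]) + "/")  # deepest directory first
    try:
        ipaddress.ip_address(host)
        keys.append(host)              # IP literal: no parent domains to walk
    except ValueError:
        labels = host.split(".")
        # host itself, then each parent domain; stop before the bare TLD
        for i in range(len(labels) - 1):
            keys.append(".".join(labels[i:]))
    return keys


def classify(url, db=SAMPLE_DB):
    """Return (category, matched_key) for the most specific entry, or None."""
    for key in candidate_keys(url):
        if key in db:
            return db[key], key
    return None


if __name__ == "__main__":
    for u in ("http://www.inappropriate_site.com/pics/002.jpg",
              "http://shop.inappropriate_site.com/", "http://194.12.2.3/x.html"):
        print(u, "->", classify(u))
```

Note that an image under a classified directory inherits the directory's category even when the image URL itself is unknown, and that an unknown sub-host falls back to its registered domain; a request by bare IP address is matched only against IP entries, which is why Table 130 lists IP addresses as a separate item.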


Database categories After ISS analyzes the content of a Web site, that Web site is assigned to one of 58
categories in the Web Filter and Antispam Database. For a complete list of the database
categories, see “Web Filter Categories” on page 291.

Database status descriptions You can view information about the database status on the System → Filter DB
tab. The following table describes the data in the Database Information area:

Statistic Description

Mode The current database status. The mode statuses are:
• Not installed
• Installed

Version The local database version, in the following format:
• x.xxxx

Status The status of the local database. The possible statuses are:
• Installed
• Downloading
• Updating

Download Progress The progress of the local database download. The possible statistics are:
• x% (percentage of completed download)
• Indexing Database

Table 131: Database Information statistic descriptions

WebLearn feature If you enable the WebLearn feature, the appliance automatically reports unknown or
unrecognized URLs to ISS anonymously during database updates. The WebLearn feature
helps increase coverage of the Web crawling process, so that the ISS database is kept as
current as possible. You can enable WebLearn on the System → Filter DB tab.
Note: The reported URLs are ones your users requested, and a URL can carry internal host
names or query-string parameters, so check that sending them off-site is acceptable under
your organization's data-handling policy before you enable the feature.

Database advanced parameters You can use advanced parameters to tune the database. For more information, see
“Configuring Web Filter and Antispam Database Advanced Parameters” on page 391.

Two ways to obtain a new database You can obtain a local Web Filter and Antispam Database in two ways:

● Download the database from the ISS database server. You can download a new
database to your appliance from the System → Filter DB page. See “Manually
Updating the Web Filter and Antispam Database” on page 33.
● Install the database from the Proventia Integrated Security Appliance Web Filter and
Antispam Database Recovery CDs that come with your appliance.
Note: The Web Filter and Antispam Database Recovery CDs are included for appliances
shipped with a base firmware version of 1.8 or later. To determine the base version of
the firmware that is installed on your appliance, refer to the Base Version Number
statistic in the System Status area of the Home page. You can order database recovery
CDs from ISS. Refer to the MYISS portion of our Web site at http://www.iss.net
for more information.

Reference: For instructions about installing the database from the ISS Proventia Integrated
Security Appliance Web Filter and Antispam Database Recovery CD(s), see the instructions for
your M Series appliance model in Chapter 24, "System Backup and Recovery".


Web Filter and Antispam Database Page


Introduction Use the Web Filter and Antispam Database page to:

● view database status
● download or overwrite the database
● use advanced tuning parameters

Note: See “Manually Updating the Web Filter and Antispam Database” on page 33.

Database status descriptions You can view information about the database status on the System → Filter DB tab. The
appliance displays status information based on the following:

● the database mode
● whether a local database is installed

The following table describes the data available in the Database Information area:

Statistic Description

Mode The current database status. The mode statuses are:
• Not installed
• Installed

Version The local database version, in the following format:
x.xxxx

Status The status of the local database. The possible statuses are:
• Installed
• Downloading
• Updating

Download Progress The progress of the local database download. The possible statistics are:
• x% (percentage of completed download)
• Indexing Database

Table 132: Database information

Database page in SiteProtector The Web Filter and Antispam Database page in SiteProtector displays the following tabs:

● Database Settings
● Advanced Parameters

Note: Database status information is not visible in the SiteProtector interface. You must
unregister the appliance from SiteProtector before you can download the local
database to your appliance.


Updating the Database


Introduction This topic describes how and when to download a local Web Filter and Antispam
Database from the ISS database server to your appliance.

Firmware update If you have installed Firmware Update version 1.8 or later, you must download the
database updates from the ISS database server before you can use the Web Filter or
Antispam modules.

Updating vs. overwriting the database If you have a database locally installed on your appliance, and you click Get Local DB on
the System → Filter DB page, then the appliance overwrites the local database with the
new downloaded version.

Important: If you have a database locally installed on your appliance, ISS recommends
that you update the database rather than overwrite it. Although Web Filter and Antispam
functionality is unaffected while you overwrite the database, the download could take
several hours. To update an existing local database, use the Update Management page.

Firmware update reboot and database update considerations If you enable database updates and select the option to automatically install updates daily
or weekly, then the appliance will normally install both firmware and database updates.
However, if the appliance must reboot during the update process, then the appliance does
not process the database update at that time.

Important: The appliance must reboot before creating a system backup, and some
firmware updates require the appliance to reboot after installation.

Consider the following when you schedule firmware and database updates:

● If the appliance installs a firmware update and must reboot, then the appliance will
not update the database until the next scheduled update.
● If you schedule a one-time-only installation for the firmware update, ISS recommends
that you schedule the installation for at least one hour after the appliance
automatically checks for updates. The appliance will install the database update
immediately at the automatic check, and then complete the one-time installation.
● Schedule automatic update checks at least one hour before installing firmware
updates or performing a system backup, to allow time for the updates to download.

Reference: See “About Updating the Appliance” on page 22.

Downloading the database To download the Web Filter and Antispam Database from the ISS database server:

1. In the navigation pane, click + to expand the System node.
2. Select Filter DB.
3. Click Get Local DB.
The appliance begins downloading the database, and displays information about the
download status in the Database Information area. Press F5 to refresh the page and
check the progress of the installation in the Database Information area.
After the installation is complete, the appliance displays the status of the database as
Installed.

Part III

Managing the Appliance
Chapter 21

Managing Network Settings

Overview
Introduction This chapter describes how to configure and manage the network settings for your
appliance using Proventia Manager.

In this chapter This chapter contains the following topics:

Topic Page

Overview of Network Configuration Settings 310

Configuring the External Interface in Proventia Manager 311

Configuring External Interface DNS Settings 313

Enabling the Internal Interfaces in Proventia Manager 317

Routing 318

Enabling or Disabling SSH 320

Configuring the DHCP Server 326

DNS Settings for the DHCP Server 329

Configuring Static Address Assignments for a DHCP Server 332

Configuring WINS Servers for DHCP Server 334

Viewing DHCP Leases 335

Changing Time Settings in Proventia Manager 336



Chapter 21: Managing Network Settings

Overview of Network Configuration Settings


Introduction You can change the following network configuration settings:

● IP addresses for external and internal interfaces
● subnet mask
● DNS settings for external interfaces
● default gateway

Why you may need to change settings You may need to change the network configuration settings for the following reasons:

● Your company’s network policy has changed.
● Your company has relocated.
● You have changed your Internet Service Provider.
● You have changed addresses.
● You want to specify PPPoE or DHCP settings.
● You want to change DNS settings.

Options available for changing settings Table 133 describes the options available for changing network interface settings:

If you want to… Then use this procedure…

enable or disable the external “Selecting the external IP address type” on page 312
interface

change the static IP address for an “Selecting the external IP address type” on page 312
external interface

specify dynamic IP configuration “Selecting the external IP address type” on page 312

configure PPPoE for use with a “Configuring PPPoE Authentication” on page 77
broadband connection

specify DNS settings for an external “Specifying DNS settings” on page 314
interface

add a domain name to the DNS “Adding a DNS search path” on page 314
search path

edit a search path listing for DNS “Editing a DNS search path” on page 314
settings

copy a domain in the DNS search “Copying a DNS search path” on page 315
path

remove a DNS search path listing “Removing a DNS search path” on page 315

enable or disable the internal “Enabling the Internal Interfaces in Proventia Manager” on
interface page 317

change the IP address for an internal “Enabling the Internal Interfaces in Proventia Manager” on
interface page 317

Table 133: Network interface configuration options


Configuring the External Interface in Proventia Manager


Introduction This topic describes how to configure the appliance network interface settings for external
interfaces. This topic includes procedures for the following tasks:

● enabling the external interface
● setting IP addresses
● specifying DNS settings
● adding a DNS search path to associate a domain name and host name
● editing, copying, or removing a DNS search path
● changing the DNS search path order

About using your appliance with a DSL connection To use your appliance as a home gateway using a DSL Internet connection, you may need
to configure the external interface to use Point-to-Point Protocol over Ethernet (PPPoE)
authentication. Some Internet Service Providers (ISPs) use PPPoE technology for
connecting users on an ethernet connection to the Internet through a common broadband
medium, such as a single DSL line, wireless device, or cable modem. If you are unsure
whether to use PPPoE authentication, consult your ISP. For instructions about configuring
PPPoE authentication, see “Configuring PPPoE authentication” on page 77. For
information on resetting your PPPoE connection, see “The System Tools Page” on
page 81.

External interface configuration tasks Configuring the external interface is a three-task process:

Task Description

1 Enable the external interface.

2 Select the external interface IP address type.

3 Configure external interface DNS settings.

Table 134: External interface configuration tasks

Enabling the external interface To enable the external interface:

1. In the navigation pane, click + to expand the System node.
2. Select Networking.
3. Select the External Interface Configuration tab.
4. Select Enabled.
5. Type the appliance’s host name in the Host Name field.
Note: Use the format gateway1.example.com.
6. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.


Selecting the external IP address type To select the external interface IP Address type:

1. In the navigation pane, click + to expand the System node.
2. Select Networking.
3. Select an IP Address type in the IP Address area, as described in the following table:

IP Type Action

DHCP To use DHCP:
1. Select DHCP.
2. If needed, select Mac Address to Clone, and then type 6 hex pairs,
separated by colons.
Tip: Use the format AA:BB:CC:11:22:33.

PPPoE To use PPPoE authentication for DSL or cable service:
1. Select PPPoE.
2. Type the User Name and User Password.
3. Select a PPPoE Link Activation type. Options include the following:
• On Demand, which disconnects the DSL an hour after the last
access
• Continuous (recommended) which keeps the DSL connected
4. Accept Clamp MSS. See “What is ClampMSS?” on page 78.
Note: The default value is 1412.
5. If needed, type the Service Name.
Note: Most Internet Service Providers (ISPs) in the United States do
not require a service name. The Service Name is more commonly
used in Europe. Use the service name only if you know that your ISP
requires a specific name.

Static To use a static IP address:
1. Select Static.
2. Type the IP address of the appliance’s external interface, and then
press ENTER.
3. Type the Subnet Mask (network mask) value.
4. Type the gateway IP address in the Gateway field.
Note: If you want this interface to be the Primary Management
Interface for SiteProtector, then select the Primary Management
Interface check box.

4. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.
5. Proceed to “Configuring External Interface DNS Settings” on page 313.


Configuring External Interface DNS Settings


Introduction Use the procedures in this topic to adjust or augment the external interface DNS settings.
This topic describes how to do the following:

● specify DNS settings
● add a DNS search path to associate a domain name and host name
● edit a DNS search path for the domain name
● copy a DNS search path
● remove a DNS search path
● change the DNS search path order

DNS and domain names Every computer that hosts data on the Internet has a unique IP address. DNS allows you
to associate a name with an IP address. A domain name always has two or more parts
separated by dots, and typically consists of some form of an organization's name and a
suffix of two or more letters. To obtain a domain name, you must request a name from a
domain registrar. If a domain name is available, anyone can register the name through a
domain registrar for a fee, provided the name does not infringe on an existing trademark.

Example: The IP address for the White House is 198.137.240.100. Instead of remembering
the IP address for the White House website, you can type www.whitehouse.gov. In this
case, the domain name is whitehouse.gov.

Domain name suffixes The domain name suffix is a generic top-level domain that describes the type of
organization. In the White House domain name example, the suffix is .gov. The following
table describes some of the most common domain name categories reserved for each
organization type:

This domain name suffix... Is reserved for...

.aero the air-transport industry

.biz businesses

.com businesses, commercial enterprises, or online services like America Online.
Most companies use this extension.

.coop cooperatives

.edu educational institutions and universities

.gov United States government agencies

.info any use (unrestricted)

.int organizations established by international treaties

.mil the United States military

.museum museums

.name individuals

Table 135: Domain name suffixes


This domain name suffix... Is reserved for...

.net networks; usually reserved for organizations such as Internet service
providers

.org non-commercial organizations

.pro professionals, such as attorneys and physicians

Table 135: Domain name suffixes (Continued)

Specifying DNS settings To specify DNS settings:

1. In the navigation pane, click + to expand the System node.
2. Select Networking.
3. Scroll down to the DNS section.
4. Do you want to use dynamic settings?
■ If yes, select Use Dynamic Settings, and then go to Step 6.
■ If no, go to Step 5.
5. Type the Primary DNS Server, Secondary DNS Server, and Tertiary DNS Server.
Tip: To move from one field to the next, press the TAB key.
6. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Adding a DNS search path The DNS search path lists the domain names that the appliance appends to an
unqualified host name when it resolves that name.
Note: Listing your own domains here lets you refer to hosts by short name; the order of
the list determines which domain is tried first.
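The following Python example is added to this guide and is not ISS code; it models the ordinary resolver behaviour of appending each search-path domain in turn, which is the behaviour the procedures in this topic configure. The ndots rule, the sample host names and the sample search path are assumptions. It also validates each search domain, because a mistyped entry silently sends every short-name lookup to whoever owns that domain.

```python
"""Expand an unqualified host name through a DNS search path.

Added example; it models the ordinary resolver behaviour of appending each
search-path domain in turn. The ndots rule, the sample host names and the
sample search path are assumptions, not taken from the appliance manual.
"""
import re

# One DNS label: letters, digits and hyphens, no leading/trailing hyphen, max 63 chars
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def validate_search_domain(domain):
    """Return the normalised domain, or raise ValueError if it is not a valid DNS name."""
    name = domain.strip().rstrip(".").lower()
    if not name or len(name) > 253:
        raise ValueError(f"bad search domain: {domain!r}")
    for label in name.split("."):
        if not LABEL_RE.match(label):
            raise ValueError(f"bad label {label!r} in search domain {domain!r}")
    return name


def expand_search_path(name, search_path, ndots=1):
    """Return the fully qualified names a resolver tries for `name`, in order.

    A name ending in '.' is absolute and is never expanded. A name with at
    least `ndots` dots is tried as-is first; a shorter name is tried through
    the search path first and as-is last. Duplicate entries are dropped.
    """
    if name.endswith("."):
        return [name.lower()]
    name = name.lower()
    domains = [validate_search_domain(d) for d in search_path]
    as_is = name + "."
    expanded = [f"{name}.{d}." for d in domains]
    order = [as_is] + expanded if name.count(".") >= ndots else expanded + [as_is]
    seen, result = set(), []
    for fqdn in order:
        if fqdn not in seen:
            seen.add(fqdn)
            result.append(fqdn)
    return result


if __name__ == "__main__":
    # Constructed search path; corp.example.com is tried before example.com
    for host in ("gateway1", "gateway1.example.com", "gateway1.example.com."):
        print(host, "->", expand_search_path(host, ["corp.example.com", "example.com"]))
```

The first query for a short name goes to the domain at the top of the list, which is why the order procedure below matters: if an entry you do not control precedes your own domain, a short name such as gateway1 is resolved there first.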

To add a search path for DNS settings:

1. In the navigation pane, click + to expand the System node.
2. Select Networking.
3. Scroll down to the DNS section.
4. In the DNS Search Path section, click Add.
5. Type the domain name to add to the search list, and then click OK.
The name appears in the Domain Name list.
6. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Editing a DNS search path To edit a search path for DNS settings:

1. In the navigation pane, click + to expand the System node.
2. Select Networking.

3. Scroll down to the DNS section.
4. In the DNS Search Path section, select a domain name, and then click Edit.
5. Edit the domain name, and then click OK.
The edited name appears in the Domain Name list.
6. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Copying a DNS search path To add another search path with the same values, you can copy an existing search path,
and then change the domain name.

To copy a DNS search path:

1. In the navigation pane, click + to expand the System node.
2. Select Networking.
3. Scroll down to the DNS section.
4. In the DNS Search Path section, select a domain name.

5. Click the Copy icon.
6. Click the Paste icon.
The copied domain name appears in the Domain Name list.
7. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Removing a DNS search path To remove a search path for DNS settings:

1. In the navigation pane, click + to expand the System node.
2. Select Networking.
The Network Configuration page appears.
3. Scroll down to the DNS section.
4. In the DNS Search Path section, select a domain name, and then click Remove.
The domain name is removed from the Domain Name list.
5. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Changing the DNS search path order You can change the order that the appliance uses when it searches DNS paths.
To change the DNS search path order:

1. In the navigation pane, click + to expand the System node.
2. Select Networking.


3. Scroll down to the DNS section.
4. In the DNS Search Path section, select a domain name.
5. Click the Up or Down arrows.
Tip: It is more efficient to place the most frequently used search path at the top of the list.
6. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.


Enabling the Internal Interfaces in Proventia Manager


Introduction This topic describes how to enable the internal interfaces using Proventia Manager. Use
the procedures in this topic to change your current settings, or to add additional interfaces
using the available ethernet ports.

Enabling the internal interface To configure an internal interface:

1. In the navigation pane, click + to expand the System node.
2. Select Networking.
3. Scroll down to the Internal Interfaces section.
4. Select Enabled.
5. Type the appliance’s IP address.
6. Type the Subnet Mask address for the appliance.
7. Do you want to designate the internal interface as the Primary Network Interface for
SiteProtector?
■ If yes, select the Primary Network Interface box, and then go to Step 8.
■ If no, go to Step 8.
Reference: For more information about using the Primary Network Interface, see
“Using SiteProtector Management” on page 338.
8. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.


Routing
Introduction This topic describes how to configure static routes. Use the following procedures if you
need to add, edit, copy, or remove a static route to a network that lies behind another
gateway, such as a firewall:

● adding a route
● editing a route
● copying a route
● removing a route

Route Configuration Page Use the Route Configuration page to configure routing for IP addresses. The following
table describes icons that may appear on this page:

Icon Description

Required/invalid marker If this icon appears next to a field on this page, it indicates one of the following:
• Data is required in the field.
• The data in the field is invalid.
If the icon appears next to a policy or a tab on this page, then the policy or tab
contains invalid settings or empty fields that require data.

Up arrow If this icon appears at the top of a list, you can select an item in the list and
click the icon to move the item toward the top of the list.

Down arrow If this icon appears at the top of a list, you can select an item in the list and
click the icon to move the item toward the bottom of the list.

Copy If this icon appears at the top of a list, you can select an item in the list and
click the icon to copy the item to the clipboard.

Paste If this icon appears at the top of a list, you can click the icon to paste a copied
item from the clipboard into a list. After you paste the item, you can edit it.

Table 136: Route configuration page icons

Add routing To add a route:

1. In the navigation pane, click + to expand the System node.
2. Select Routing.
3. Click Add.
4. Type an IP address in the Destination IP Address box.
5. Type a mask value in the Subnet Mask box.
6. Type an IP address in the Gateway IP Address box.
7. If needed, type a value in the Metric field.
Note: The Metric (or hop count) is the cost of the route, conventionally the number of
routers or segments between the source and destination. When more than one route
matches a destination with the same prefix length, the route with the lower metric is
generally preferred.
8. Click OK.
The route appears in the routing list.


9. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.
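The following Python example is added to this guide and is not ISS code. It takes the four fields of the Add routing procedure (destination, subnet mask, gateway, metric), rejects the entries the page's required/invalid marker would flag, and resolves a destination address the way a router normally does: longest prefix first, lowest metric among equal prefixes. The appliance's own selection rule is not documented here, so that rule, the connected interface networks (RFC 5737 documentation addresses) and the sample routing table are assumptions.

```python
"""Validate static routes and look up the next hop by longest prefix match.

Added example; the appliance's own route selection rules are not documented
here, so the longest-prefix-then-lowest-metric choice and the CONNECTED
interface networks (RFC 5737 documentation addresses) are assumptions.
"""
import ipaddress

# Assumed directly connected networks of the appliance interfaces (constructed)
CONNECTED = [
    ipaddress.ip_network("203.0.113.0/24"),   # external interface
    ipaddress.ip_network("192.168.1.0/24"),   # internal interface
]


def make_route(destination, subnet_mask, gateway, metric=1, connected=CONNECTED):
    """Build a validated route dict from the fields on the Route Configuration page.

    Raises ValueError if the destination has host bits set for the mask, if the
    gateway is not on a directly connected network, or if the metric is negative.
    """
    # strict=True rejects e.g. 10.20.0.1/255.255.0.0, which is a host, not a network
    network = ipaddress.ip_network(f"{destination}/{subnet_mask}", strict=True)
    gw = ipaddress.ip_address(gateway)
    if not any(gw in net for net in connected):
        raise ValueError(f"gateway {gw} is not on a connected network")
    if int(metric) < 0:
        raise ValueError("metric must be zero or positive")
    return {"network": network, "gateway": gw, "metric": int(metric)}


def lookup(routes, destination_ip):
    """Return the gateway (as a string) for destination_ip, or None if no route matches.

    Longest prefix wins; among equal prefixes the lowest metric wins.
    """
    addr = ipaddress.ip_address(destination_ip)
    matches = [r for r in routes if addr in r["network"]]
    if not matches:
        return None
    best = max(matches, key=lambda r: (r["network"].prefixlen, -r["metric"]))
    return str(best["gateway"])


# Constructed routing table
ROUTES = [
    make_route("0.0.0.0", "0.0.0.0", "203.0.113.1", 1),            # default route
    make_route("10.20.0.0", "255.255.0.0", "192.168.1.254", 1),
    make_route("10.20.5.0", "255.255.255.0", "192.168.1.253", 5),
    make_route("10.20.0.0", "255.255.0.0", "192.168.1.252", 10),   # backup, higher metric
]

if __name__ == "__main__":
    for dst in ("10.20.5.7", "10.20.9.1", "8.8.8.8"):
        print(dst, "->", lookup(ROUTES, dst))
```

The /24 route for 10.20.5.0 is chosen for 10.20.5.7 even though its metric (5) is worse than the /16's (1), because prefix length is compared before metric; the metric only breaks the tie between the two /16 entries.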

Editing routing To edit a route:

1. In the navigation pane, click + to expand the System node.
2. Select Routing.
3. Select an IP Address, and then click Edit.
4. Continue as described in Steps 4 through 9 of the Add routing procedure.

Copying routing To copy a route:

1. In the navigation pane, click + to expand the System node.
2. Select Routing.
3. Select the IP address to copy.
4. Click the Copy icon.
5. Click the Paste icon.
The copied IP address appears in the routing list.
6. If needed, change the copied route.
7. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Removing routing To remove routing:

1. In the navigation pane, click + to expand the System node.
2. Select Routing.
3. Select an IP Address, and then click Remove.
The route is removed from the routing list.
4. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.


Enabling or Disabling SSH


Introduction SSH is enabled by default, and accessible on both the internal and external interfaces.

Important: The SSH daemon allows you to perform command line functions from a
remote computer. If you disable SSH, you cannot perform remote command line functions
on the appliance. Because the default also exposes the SSH service on the external,
Internet-facing interface, disable SSH if you do not need remote command line access,
and after changing the setting confirm from a host outside the appliance that port 22
no longer answers.

Enabling or Disabling SSH To enable or disable SSH:

1. In the navigation pane, click + to expand the System node.
2. Select Services.
The Service Configuration page displays.
3. Select the Services tab.
4. Do one of the following:
■ To enable SSH, select the Enabled check box.
■ To disable SSH, clear the Enabled check box.
5. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.


About DHCP
Introduction

DHCP allows a server to lease (assign) temporary or permanent IP addresses to client
computers on your network. DHCP is routable, and does the following:

● supports manual, automatic, and dynamic address assignment
● provides client information, including the subnet mask, gateway address, and DNS
address

A DHCP server is usually a dedicated server that includes a database of available IP
addresses. This server verifies the client's identity, leases an IP address to a client for a
predefined period of time, and reclaims the IP address when the lease expires.

DHCP features include the following:

● the DHCP relay agent
● DHCP leases
● a WINS server

DHCP relay agents

If you have DHCP clients that must go through the appliance to get DHCP leases, you
must add a DHCP relay agent for an appliance interface. The DHCP server and client
communicate by broadcasting DHCP lease messages on the network. The appliance on
your network intercepts these messages, and the DHCP relay agent on the interface must
“relay” the messages between the DHCP server and client so the messages can pass
through the firewall. For example, the firewall forwards DHCP or BOOTP protocol
packets from one network to another.

Note: Configure DHCP relay agents on the Services tab of the Service Configuration
page.

DHCP leases

A DHCP lease determines how long a computer keeps the IP address assigned by the
DHCP server. The DHCP server agent uses a database of IP addresses and computer
names to manage DHCP leases.

The following table describes the stages of the DHCP lease process:

Stage  Description

1      You configure the DHCP server with the available IP address ranges. The DHCP
       servers will lease these IP addresses to clients on your network.

2      You configure the DHCP relay agent on an appliance interface to pass DHCP
       messages through the appliance firewall. The relay agent receives broadcast
       messages on the network, and forwards them between the DHCP server and
       the client.

3      When a client computer in a DHCP environment comes online, it checks to
       determine whether it has a leased IP address.

4      The client does one of the following:
       • If the client finds a leased IP address, then the configuration process is
         complete.
       • If the client doesn't find a leased IP address, it requests a lease from a
         DHCP server.
       • The client computer doesn't know the address of a DHCP server, so it
         broadcasts a DHCPDISCOVER message across the network. This
         message consists of the client's MAC address and its NetBIOS name.

5      When the DHCP server receives the IP lease request, it reserves an IP
       address for the client from the pool of available IP addresses.

6      The DHCP server extends an IP lease offer to the client by broadcasting a
       DHCPOFFER message across the network. This message contains the
       client's MAC address, followed by the IP address that the server is offering,
       the subnet mask, the lease duration, and the IP address of the DHCP server
       making the offer.

7      If you have defined other DHCP servers on your network, they also receive the
       DHCPOFFER message. The other DHCP servers withdraw any offers that they
       might have made to the client, and return the address that they had reserved
       for the client back to the pool of valid addresses. Any number of DHCP
       servers can respond to an IP lease request, but the client can only accept one
       offer per network interface card.

8      When the client receives an IP address lease offer, it broadcasts a
       DHCPREQUEST message containing the IP address of the server that made
       the offer. This message tells all other DHCP servers that the client has
       accepted a lease offer.

9      When the DHCP server receives the DHCPREQUEST message from the
       client, it sends a DHCPACK packet to the client to complete the IP address
       lease process.

Table 137: DHCP leases
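The lease exchange in Table 137, modelled as an added example (not ISS code and not the appliance's implementation): two constructed servers reserve an address on DHCPDISCOVER, the client accepts the first DHCPOFFER, the server not named in the DHCPREQUEST returns its reserved address to the pool, and the chosen server answers with DHCPACK and later reclaims the address when the lease expires. The DhcpServer and Message names and every address are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple


@dataclass
class Message:
    """One broadcast DHCP message; fields a message kind does not carry stay None."""
    kind: str                          # DHCPDISCOVER, DHCPOFFER, DHCPREQUEST or DHCPACK
    client_mac: str
    server_ip: Optional[str] = None    # address of the offering / selected server
    offered_ip: Optional[str] = None
    subnet_mask: Optional[str] = None
    lease_seconds: Optional[int] = None


class DhcpServer:
    """A server with one address range (constructed values). It reserves an address on
    DISCOVER (stage 5) and either commits it on REQUEST (stage 9) or returns it to the
    pool when the client chose another server (stage 7)."""

    def __init__(self, server_ip: str, first: str, last: str,
                 subnet_mask: str, lease_seconds: int) -> None:
        self.server_ip = server_ip
        self.subnet_mask = subnet_mask
        self.lease_seconds = lease_seconds
        lo, hi = int(IPv4Address(first)), int(IPv4Address(last))
        self.pool: List[str] = [str(IPv4Address(i)) for i in range(lo, hi + 1)]
        self.reserved: Dict[str, str] = {}             # client MAC -> reserved address
        self.leases: Dict[str, Tuple[str, int]] = {}   # client MAC -> (address, expiry)

    def on_discover(self, msg: Message) -> Optional[Message]:
        if msg.kind != "DHCPDISCOVER" or not self.pool:
            return None                 # an exhausted server stays silent
        ip = self.pool.pop(0)
        self.reserved[msg.client_mac] = ip
        return Message("DHCPOFFER", msg.client_mac, self.server_ip, ip,
                       self.subnet_mask, self.lease_seconds)

    def on_request(self, msg: Message, now: int) -> Optional[Message]:
        ip = self.reserved.pop(msg.client_mac, None)
        if ip is None:
            return None                 # we never offered this client anything
        if msg.server_ip != self.server_ip:
            self.pool.insert(0, ip)     # client accepted another server: withdraw our offer
            return None
        self.leases[msg.client_mac] = (ip, now + self.lease_seconds)
        return Message("DHCPACK", msg.client_mac, self.server_ip, ip,
                       self.subnet_mask, self.lease_seconds)

    def expire(self, now: int) -> None:
        """Reclaim every address whose lease has ended (renewal is not modelled)."""
        for mac, (ip, expiry) in list(self.leases.items()):
            if expiry <= now:
                del self.leases[mac]
                self.pool.append(ip)


def run_lease_exchange(client_mac: str, servers: List[DhcpServer],
                       now: int = 0) -> Tuple[List[Message], Optional[Message]]:
    """Broadcast DISCOVER to every server, take the first OFFER (one per NIC),
    broadcast a REQUEST naming that server, and return (transcript, ACK or None)."""
    discover = Message("DHCPDISCOVER", client_mac)
    transcript: List[Message] = [discover]
    offers = [o for o in (s.on_discover(discover) for s in servers) if o is not None]
    transcript.extend(offers)
    if not offers:
        return transcript, None         # no server had a free address
    chosen = offers[0]
    request = Message("DHCPREQUEST", client_mac, server_ip=chosen.server_ip,
                      offered_ip=chosen.offered_ip)
    transcript.append(request)
    ack: Optional[Message] = None
    for s in servers:                   # every server sees the broadcast REQUEST
        reply = s.on_request(request, now)
        if reply is not None:
            ack = reply
            transcript.append(reply)
    return transcript, ack
```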

Tasks required to implement DHCP

You can implement DHCP settings on the Service Configuration page. The following table
describes the tasks required to implement DHCP on your appliance:

Task  Description

1     Place a DHCP server on a network segment.

2     Configure the DHCP server settings on the appliance. These settings include:
      • available IP address ranges that the DHCP server can lease to the DHCP
        clients
      • the lease time, in seconds, that the leased IP addresses will be valid
      • your domain name suffix

3     Specify the DNS settings. These settings include the IP address of the DNS
      server.

4     Specify static IP address assignments for any clients on your network that you
      want to assign a permanent IP address. The DHCP server cannot assign this
      permanent address to any other clients.

5     If your network includes Windows clients, specify the IP address of the WINS
      server.

6     Add and configure a DHCP relay agent, if required.

7     Make sure that the “Enable DHCP Requests to SELF” firewall access policy is
      enabled.

Table 138: DHCP implementation tasks

Recommendations

ISS recommends the following when you use DHCP:

● The IP address ranges for each DHCP server must be within the subnet where the
server resides. You cannot use DHCP across different subnets.
● The IP address range for each DHCP server should contain enough IP addresses to
support all DHCP clients who will require an address from that range.
● If you use more than one DHCP server on your network, the scope of included
addresses must be different on the two servers. Allowing different servers to assign
the same addresses may cause problems, because different clients could contact the
servers at the same time, and the servers could issue duplicate IP addresses.
● If you use an alternate DHCP server on the same subnetwork, set the included ranges
on both servers, then specifically exclude the range of the other server on each.
● You can change the lease period to meet your network requirements. In general, the
more volatile the network (that is, the more frequently changes occur), the shorter the
lease should be. A short lease lets computers that are moved to new subnetworks
quickly obtain new IP addresses from the appropriate DHCP server on the new
subnetwork. If the number of IP addresses is large compared to the number of
computers, a longer lease time can be tolerated.
Caution: Be careful when you assign an unlimited lease time to a client. If you set an
unlimited lease time, the DHCP relay agent won't release an IP address, even if the
computer associated with the address is taken offline.
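A configuration check for the recommendations above, added here as an example (not ISS code): it flags a range outside the server's subnet, too few addresses for the expected clients, an unlimited lease, and two servers whose included ranges overlap after each one's exclusions are applied. The dictionary layout, the check_dhcp_config function and all addresses are constructed assumptions.

```python
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Set

# Constructed layout for one server entry (not the appliance's own format):
# {"name": str, "ip": str, "subnet_mask": str,
#  "ranges":  [(first, last), ...],      # included address ranges
#  "exclude": [(first, last), ...],      # optional: the other server's range
#  "lease_seconds": int or None}         # None stands for an unlimited lease


def address_set(first: str, last: str) -> Set[int]:
    """Every address from first to last inclusive, as integers."""
    lo, hi = int(IPv4Address(first)), int(IPv4Address(last))
    if lo > hi:
        raise ValueError(f"range {first}-{last} is reversed")
    return set(range(lo, hi + 1))


def check_dhcp_config(servers: List[dict], expected_clients: Dict[str, int]) -> List[str]:
    """Return one finding per violated recommendation; an empty list means the
    configuration follows all of them."""
    findings: List[str] = []
    pools: Dict[str, Set[int]] = {}
    for s in servers:
        net = IPv4Network(f"{s['ip']}/{s['subnet_mask']}", strict=False)
        addrs: Set[int] = set()
        for first, last in s["ranges"]:
            r = address_set(first, last)
            # 1. Each range must lie within the subnet where the server resides.
            if IPv4Address(min(r)) not in net or IPv4Address(max(r)) not in net:
                findings.append(f"{s['name']}: range {first}-{last} is outside subnet {net}")
            addrs |= r
        # 4. Exclusions remove the alternate server's range from this scope.
        for first, last in s.get("exclude", []):
            addrs -= address_set(first, last)
        # 2. Enough addresses for every client that will ask this server.
        need = expected_clients.get(s["name"], 0)
        if len(addrs) < need:
            findings.append(f"{s['name']}: {len(addrs)} addresses for {need} expected clients")
        # 5. An unlimited lease is never reclaimed, even for a host taken offline.
        if s.get("lease_seconds") is None:
            findings.append(f"{s['name']}: unlimited lease time; addresses are never reclaimed")
        pools[s["name"]] = addrs
    # 3. Two servers must not be able to lease the same address.
    names = list(pools)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            shared = pools[a] & pools[b]
            if shared:
                findings.append(f"{a} and {b} overlap on {len(shared)} addresses "
                                f"starting at {IPv4Address(min(shared))}")
    return findings
```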

Adding a DHCP relay agent

To add a DHCP relay agent:

1. In the navigation pane, click + to expand the System node.
2. Select Services.
3. Select the Services tab.
4. Click Add.
Note: If you have DHCP clients that must go through the appliance to get their
DHCP leases, you must add a DHCP Relay Agent entry.
5. Select the interface on which the DHCP clients are connected.
6. Do one of the following:
■ Type the IP address in the DHCP Server field.
■ Type the IP address in the BOOTP Server field.
7. Click OK.
The interface appears in the DHCP Relay Agent section.
8. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Editing a DHCP relay agent

To edit a DHCP relay agent:

1. In the navigation pane, click + to expand the System node.
2. Select Services.
3. Select the Services tab.
4. Select the interface to edit.
5. Select the interface number from the Interface list.
6. If needed, edit the IP address in the DHCP Server field.
7. If needed, edit the IP address in the BOOTP Server field.
8. Click OK.
The interface is updated in the list in the DHCP Relay Agent section.
9. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Copying a DHCP relay agent

To copy a DHCP relay agent:

1. In the navigation pane, click + to expand the System node.
2. Select Services.
3. Select the Services tab.
4. Select the interface to copy.
5. Click the Copy icon.
6. Click the Paste icon.
The interface is copied to the list in the DHCP Relay Agent section.
7. If needed, change the copied relay agent.
8. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Removing a DHCP relay agent

To remove a DHCP relay agent:

1. In the navigation pane, click + to expand the System node.
2. Select Services.
3. Select the Services tab.
4. Select the interface to remove.
5. Click Remove.
The interface is removed from the list in the DHCP Relay Agent section.
6. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.


Configuring the DHCP Server


Introduction

This topic describes how to configure the DHCP server. It includes procedures for the
following tasks:

● enabling the DHCP server
● adding address ranges (groups of addresses that the DHCP server passes to DHCP
clients)
● editing address ranges
● copying address ranges
● removing address ranges

Note: Configure the DHCP server on the DHCP Server tab of the Service Configuration
page. Note that you configure DHCP relay agents on the Services tab.

Tasks for DHCP server configuration

To configure the DHCP server, you must do the following:

Task  Description

1     Enable the server.

2     Add address ranges.

3     If necessary, configure DHCP relay agents. See “DHCP relay agents” on page 321.

Table 139: Tasks for DHCP server configuration

Enabling the DHCP server

To enable the DHCP server:

1. In the navigation pane, click + to expand the System node.
2. Select Services.
3. Select the DHCP Server tab.
4. Select Enable.
5. Type the internal IP address in the Gateway IP Address field.
6. Type in the lease time in seconds in the DHCP Client Lease Time field.
7. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Adding address ranges

Address ranges are groups of addresses that the DHCP server passes to DHCP clients. To
add address ranges:

1. In the navigation pane, click + to expand the System node.
2. Select Services.
3. Select the DHCP Server tab.
4. In the Address Ranges section, click Add.
5. Type the first and last IP addresses in the Address Range box.


6. Type the netmask address in the Subnet Mask box.
Note: The system applies this mask to each client.
7. Click OK.
The IP address range appears in the Address Ranges list.
8. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Editing address ranges

To edit address ranges:

1. In the navigation pane, click + to expand the System node.
2. Select Services.
3. Select the DHCP Server tab.
4. In the Address Ranges section, select the address range to edit.
5. Click Edit.
6. If needed, edit the Address Range.
7. If needed, edit the Subnet Mask.
8. Click OK.
9. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Copying address ranges

To copy address ranges:

1. In the navigation pane, click + to expand the System node.
2. Select Services.
3. Select the DHCP Server tab.
4. In the Address Ranges section, select the address range to copy.

5. Click the Copy icon.
6. Click the Paste icon.
The address range is copied to the list in the Address Ranges section.
7. If needed, change the copied address range.
8. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Removing address ranges

To remove address ranges:

1. In the navigation pane, click + to expand the System node.
2. Select Services.
3. Select the DHCP Server tab.

4. In the Address Ranges section, select the address range to remove.
5. Click Remove.
The address range is removed from the list in the Address Ranges section.
6. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.


DNS Settings for the DHCP Server


Introduction

This topic describes how to use default DNS settings or configure static DNS settings,
which the system applies to the DHCP clients. It includes procedures for the following
tasks:

● configuring DNS settings in Proventia Manager
● adding a DNS search path for the domain name
● editing a DNS search path for the domain name
● copying a DNS search path for the domain name
● removing a DNS search path
● changing the DNS search path order
● changing the DNS search path order

Changing default DNS settings

To change default DNS settings:

1. In the navigation pane, click + to expand the System node.
2. Select Services.
3. Select the DHCP Server tab.
4. Select Specify Settings.
5. Type the IP addresses for the Primary Nameserver, Secondary Nameserver, and
Tertiary Nameserver, using decimal notation.
6. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Adding a DNS search path for the domain name

To add a DNS search path:

1. In the navigation pane, click + to expand the System node.
2. Select Services.
3. Select the DHCP Server tab.
4. In the DNS Search Path section, select a domain name, and then click Add.
5. Type the domain name to add to the search list, and then click OK.
The name appears in the Domain Name list.
6. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Editing a DNS search path for the domain name

To edit a DNS search path:

1. In the navigation pane, click + to expand the System node.
2. Select Services.
3. Select the DHCP Server tab.
4. In the DNS Search Path section, select a domain name, and then click Edit.

5. Edit the domain name, and then click OK.
The edited name appears in the Domain Name list.
6. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Copying a DNS search path for the domain name

To copy a DNS search path:

1. In the navigation pane, click + to expand the System node.
2. Select Services.
3. Select the DHCP Server tab.
4. In the DNS Search Path section, select a domain name.

5. Click the Copy icon.
6. Click the Paste icon.
The copied domain name appears in the Domain Name list.
7. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Removing a DNS search path for the domain name

To remove a DNS search path:

1. In the navigation pane, click + to expand the System node.
2. Select Services.
3. Select the DHCP Server tab.
4. In the DNS Search Path section, select a domain name.
5. Click Remove.
The domain name is removed from the Domain Name list.
6. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Changing the DNS search path order

You can change the order that the appliance uses when it searches DNS paths. To change
the DNS search path order:

1. In the navigation pane, click + to expand the System node.
2. Select Services.
3. Select the DHCP Server tab.
4. In the DNS Search Path section, select a domain name.
5. Click the Up or Down arrows.
Tip: It is more efficient to place the most frequently used search path at the top of the list.

6. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.


Configuring Static Address Assignments for a DHCP Server


Introduction

This topic describes how to configure static IP addresses for a DHCP server in Proventia
Manager. It includes procedures for the following tasks:

● adding static IP addresses
● editing static IP addresses
● copying static IP addresses
● removing static IP addresses

Adding static IP addresses

To add static IP addresses:

1. In the navigation pane, click + to expand the System node.
2. Select Services.
3. Select the DHCP Server tab.
4. In the Static Address Assignments section, click Add.
5. Type the Host Name.
6. Type the client’s MAC Address.
Tip: Type six two-digit hexadecimal pairs separated by colons, in the format AA:BB:CC:11:22:33.
7. Type the IP Address.
8. Click OK.
The address assignment appears in the list.
9. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Editing static IP addresses

To edit static IP addresses:

1. In the navigation pane, click + to expand the System node.
2. Select Services.
3. Select the DHCP Server tab.
4. In the Static Address Assignments section, select the host name to edit.
5. Click Edit.
6. If needed, edit the Host Name.
7. If needed, edit the MAC Address.
8. If needed, edit the IP Address.
9. Click OK.
The updated address assignment appears in the list.
10. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.


Copying static IP addresses

To copy static IP addresses:

1. In the navigation pane, click + to expand the System node.
2. Select Services.
3. Select the DHCP Server tab.
4. In the Static Address Assignments section, select the host name to copy.

5. Click the Copy icon.
6. Click the Paste icon.
The copied host name appears in the list.
7. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Removing static IP addresses

To remove static IP addresses:

1. In the navigation pane, click + to expand the System node.
2. Select Services.
3. Select the DHCP Server tab.
4. In the Static Address Assignments section, select the host name to remove.
5. Click Remove.
The host name is removed from the list.
6. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.


Configuring WINS Servers for DHCP Server


Introduction

This topic describes how to configure Windows Internet Name Service (WINS) addresses
for a DHCP server in Proventia Manager. Windows clients use WINS addresses to resolve
host names.

Note: ISS recommends using just one WINS server on your network.

Use the following procedures to enter a preferred or alternate WINS server address.

Configuring WINS for DHCP

To configure WINS servers for DHCP:

1. In the navigation pane, click + to expand the System node.
2. Select Services.
3. Select the DHCP Server tab.
4. In the WINS Configuration section, type the Preferred WINS server.
5. Type the Alternate WINS server.
6. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.


Viewing DHCP Leases


Introduction

This topic describes how to view active DHCP leases in Proventia Manager. It includes
procedures for the following tasks:

● displaying DHCP leases
● copying DHCP leases

Displaying active DHCP leases

To display DHCP leases:

1. In the navigation pane, click + to expand the System node.
2. Select Services.
3. Select the DHCP Lease History tab.
4. Select an IP address, and then select Display.
5. Review the IP address for the DHCP server and the length of time that the lease is
active.
6. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Copying active DHCP leases

To copy DHCP leases:

1. In the navigation pane, click + to expand the System node.
2. Select Services.
3. Select the DHCP Lease History tab.

4. Select an IP address, and then click the Copy icon.
The copied information appears in the list.
5. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.


Changing Time Settings in Proventia Manager


Introduction

This topic describes how to change the time and date settings in Proventia Manager. It
includes procedures for the following tasks:

● changing the date and time
● enabling the network time protocol

Changing the date and time

To change the date and time:

1. In the navigation pane, click + to expand the System node.
2. Select Time.
3. Click the Date and Time arrow to see the calendar.
4. Select the correct month and date.
Tip: Use the arrows at the top to change the month and year in the calendar.
5. Select the hour and minutes in the Time boxes.
6. Click the Date and Time arrow to close the calendar.
7. Click the Time Zone arrow and select the correct time zone for your region.
Note: The default is America/New_York.
8. Click Save Changes.

Enabling the network time protocol

The network time protocol synchronizes the configuration time with a network time
server.

To enable the network time protocol:

1. In the navigation pane, click + to expand the System node.
2. Select Time.
3. Do you want to enable the network time protocol?
■ If yes, select Enable NTP, and then go to Step 4.
■ If no, clear Enable NTP, and then go to Step 5.
4. Type the server name in the Server field.
5. Click Save Changes.

Chapter 22

SiteProtector Management

Overview
Introduction

This chapter describes how to manage the M appliance in SiteProtector.

In this chapter

This chapter contains the following topics:

Topic                                                                 Page

Using SiteProtector Management                                         338
Considerations for Appliance Updates and Events with SiteProtector     341
Configuring SiteProtector Management Settings                          343


Using SiteProtector Management


Introduction

SiteProtector is an ISS management console. SiteProtector can manage a variety of
network assets such as appliances, agents, and sensors. If you use a SiteProtector agent
manager with your appliance, you can do the following:

● enable a SiteProtector Agent Manager to manage many important functions of your
appliance
● use a SiteProtector X-Press Update Server as an alternate update server
● manage appliances with the High Availability module enabled

Note: For more information about SiteProtector X-Press Update Server, see “Using the
SiteProtector X-Press Update Server” on page 38. For information about high availability,
see “SiteProtector Management of High Availability Appliances” on page 69.

The Management page

Configure SiteProtector management of your appliance on the System → Management
page of the Proventia Manager. Use the Management page to do the following:

● register your appliance with a SiteProtector agent manager
● manage most appliance functions in SiteProtector
● add multiple agent managers

Reference: For more information about using the SiteProtector agent manager to manage
your appliance, see your SiteProtector documentation.

Functions you can manage with SiteProtector

You can use SiteProtector to administrate appliance management functions.

When you register your appliance with SiteProtector, SiteProtector controls the
following management functions of the appliance:

● Firewall/VPN settings
● Intrusion prevention
● Notification
● Antivirus
● Web Filters
● Antispam
● Services (SSH, DHCP Relay, DHCP Server, SMTP, and HTTP Proxy)

Note: When you register the appliance with SiteProtector, the tabs that control these
functions are no longer visible in Proventia Manager. When you unregister the appliance
from SiteProtector, the management tabs are visible.

You can manage Update Settings in the Proventia Manager interface or in the
SiteProtector interface.

Network objects

Configure address groups and port groups on the Firewall/VPN → Network Objects
page in the Proventia Manager. Address and port groups are network objects so that you
can share these lists among appliances in a SiteProtector group. If you use SiteProtector to
manage multiple appliances, you can share address and port groups and apply them to
groups of appliances.

Note: For more information about using SiteProtector, refer to your SiteProtector
documentation. For more information, see “About Network Objects” on page 166.

When to use Proventia Manager

There are some settings that you must manage directly on the appliance, even when the
appliance is registered with SiteProtector. Use the Proventia Manager for the following
tasks:

● assign management of the device to SiteProtector
● revoke SiteProtector's management of the device and restore management to Proventia
Manager
● apply firmware updates
● view and manage quarantined files
● apply quarantine table changes and DHCP leases

SiteProtector management options

When you register the appliance with a SiteProtector group, you can do the following:

● allow the appliance to inherit sensor group settings
● manage some or all of the settings for a single appliance in the group independently in
SiteProtector, so that the appliance maintains those individual settings regardless of
group settings

Registering the appliance with a SiteProtector group

When you register your appliance in SiteProtector, you assign the appliance to a group in
the Desired SiteProtector Group for Sensor field. You can configure group settings in
SiteProtector, and SiteProtector can apply those settings to some or all appliances in the
group.

Important: In the SiteProtector interface, appliances and other protection agents are called
“sensors”, and you manage the appliance settings on the Sensor tab. An appliance can
only be assigned to a Sensor group that includes other appliances; do not assign an
appliance to a group that contains other types of sensors. For more information about the
SiteProtector interface, see your SiteProtector documentation.

Appliance heartbeats

A heartbeat is an encrypted, periodic HTTP request that the appliance uses to indicate it is
still running and to allow it to receive updates from the agent manager. When you register
the appliance with SiteProtector, you specify the time interval between heartbeats to
SiteProtector.

When you register the appliance with SiteProtector, you can override SiteProtector
settings on the appliance for the first heartbeat. This allows the appliance to maintain its
own local settings until you change the settings in SiteProtector. For more information, see
“Overriding SiteProtector group settings” on page 344.

Primary Management Interface

The Primary Management Interface is the appliance interface (Internal, External, or DMZ)
IP address that SiteProtector:

● uses to identify the appliance
● tries first when communicating with the appliance or launching Proventia Manager


You select the Primary Management Interface during initial appliance setup (in the
Proventia Setup utility). You can change your selection on the System → Network
Configuration page.

Reference: For instructions about how to select the Primary Network Interface, see the
following:

■ “Configuring the External Interface in Proventia Manager” on page 311
■ “Enabling the Internal Interfaces in Proventia Manager” on page 317

Authentication level

SiteProtector uses an SSL certificate for authentication. The appliance uses the certificate
to authenticate its connection to SiteProtector.

Authentication level options are as follows:

Option            Description

trust-all         The appliance does not use the SSL certificate presented by
                  SiteProtector. The appliance trusts all connections on port 3995 (or
                  another designated port), and sends alerts to any system to which it
                  can connect on that port.

first-time-trust  At the first connection, the appliance accepts the SSL certificate and
                  stores it. On all subsequent connections to the same SiteProtector
                  agent manager, SiteProtector must present the same certificate.

explicit-trust    You must copy the SSL certificate used to authenticate SiteProtector
                  to the correct location on the appliance prior to connecting. The
                  certificates should be placed in the /cache/spool/crm/cacerts
                  directory.

Table 140: Authentication level options

Important: If you select explicit-trust, you must perform additional tasks. For more
information, refer to article number 2202 in the Internet Security Systems Knowledgebase:
http://www.iss.net/support/knowledgebase/
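The three authentication levels in Table 140 as a certificate-acceptance policy, added here as an example and not ISS's implementation: it pins a SHA-256 fingerprint of the certificate bytes instead of parsing X.509, an in-memory set stands in for the /cache/spool/crm/cacerts directory, and the certificate bytes and agent manager addresses in the usage are constructed. It also records when a previously trusted agent manager presents a different certificate, which is the event a first-time-trust deployment needs to notice.

```python
import hashlib
from typing import Dict, Iterable, List, Optional

LEVELS = ("trust-all", "first-time-trust", "explicit-trust")


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 hex digest of the certificate bytes; the pinning key used below."""
    return hashlib.sha256(cert_der).hexdigest()


class AgentManagerTrust:
    """Decides whether to accept the certificate an agent manager presents.

    Constructed model of Table 140: trust-all verifies nothing, first-time-trust
    stores the certificate on first contact and requires it afterwards, and
    explicit-trust only accepts certificates copied in before the first connection."""

    def __init__(self, level: str, explicit_certs: Optional[Iterable[str]] = None) -> None:
        if level not in LEVELS:
            raise ValueError(f"unknown authentication level: {level}")
        self.level = level
        self.pinned: Dict[str, str] = {}            # agent manager -> stored fingerprint
        self.explicit = set(explicit_certs or ())   # stands in for the cacerts directory
        self.log: List[str] = []                    # events worth alerting on

    def accept(self, manager: str, cert_der: bytes) -> bool:
        fp = fingerprint(cert_der)
        if self.level == "trust-all":
            # Any peer reachable on the port is trusted; the certificate is ignored.
            return True
        if self.level == "first-time-trust":
            stored = self.pinned.get(manager)
            if stored is None:
                self.pinned[manager] = fp           # first connection: store it
                self.log.append(f"{manager}: certificate pinned on first connection")
                return True
            if stored != fp:
                self.log.append(f"{manager}: certificate differs from the pinned one")
                return False
            return True
        # explicit-trust: the certificate must already be in the store.
        if fp not in self.explicit:
            self.log.append(f"{manager}: certificate not found in explicit trust store")
            return False
        return True


if __name__ == "__main__":
    cert_a = b"constructed certificate A"          # stand-ins for DER-encoded certificates
    cert_b = b"constructed certificate B"
    manager = "192.0.2.10:3995"                    # constructed agent manager address
    policy = AgentManagerTrust("first-time-trust")
    print(policy.accept(manager, cert_a), policy.accept(manager, cert_b), policy.log)
```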


Considerations for Appliance Updates and Events with SiteProtector

Introduction

This topic describes considerations for applying updates and configuring events when
you manage your appliance with SiteProtector.

Important: You can enable SiteProtector notification for events in the Proventia Manager
interface, but you must register your appliance with a SiteProtector agent manager before
the appliance can send events to the SiteProtector console.

SiteProtector and appliance updates

When the appliance is registered with SiteProtector, you must still update your appliance
regularly to maximize performance and to ensure that the appliance is running the most
up-to-date firmware, security content, and database. ISS recommends that you schedule
automatic database updates, security content updates, and firmware update downloads
and installations.

Note: You can download and install firmware updates while the appliance is registered
with SiteProtector, and you can use the SiteProtector X-Press Update Server as an alternate
update server. See “Using the SiteProtector X-Press Update Server” on page 38.

Update options

You can use the Automatic Update Settings page in the Proventia Manager to schedule
the following automatic update and install options:

● Download and install firmware updates.
● Download and install security content updates.
● Download and update the database.

Reference: For more information, see “About Updating the Appliance” on page 22.

How the appliance delivers alerts to SiteProtector

You can specify the events that generate an alert to SiteProtector. When an event occurs,
the appliance pushes an alert to SiteProtector. The event information in the alert can then
be used for reporting purposes. The alerts that are pushed to SiteProtector still appear in
the Alert Event Log page in the Proventia Manager, if those events are configured for alert
logging.

Important alert considerations

When you enable alerts to SiteProtector, consider the number of alerts that the appliance
may generate.

Caution: If you enable alert delivery to SiteProtector for events that occur frequently, the
appliance may send a large number of alerts to SiteProtector. This could negatively
impact SiteProtector performance.

Proventia M Series Appliances User Guide Release 2.3 341


Chapter 22: SiteProtector Management

The following table describes some of the alerts that can be sent to SiteProtector.

Alert type: Alerts typically sent to SiteProtector
Description: Typical alerts sent to SiteProtector are:
• Intrusion Prevention events
• Antivirus events
• System error events
• Blocked URLs
• Email tagged as spam

Alert type: General message events
Description: General message events that can send large numbers of alerts to
SiteProtector are:
• Deny Rule
• Allow Rule
• Rule Not Found

Alert type: Other events
Description: Other events that can send large numbers of alerts to SiteProtector are:
• Log All URL Requests (Web Filter module)
• Log All Email (Antispam module)

Table 141: Alerts sent to SiteProtector


Configuring SiteProtector Management Settings


Introduction This topic describes the following:

● prerequisites and recommendations
● how to set up and enable SiteProtector management on your appliance
● how to override SiteProtector group settings for the first heartbeat

Prerequisites To implement SiteProtector management of your appliance, you must have the following:

● a SiteProtector console that is running SiteProtector version 2.0 Service Pack 4 or
higher
● a group in SiteProtector to which the appliance will be assigned

Note: The group can contain M appliances only.

Reference: For more information about using SiteProtector, see your SiteProtector
documentation.

Recommendations ISS recommends that you do the following before you register your appliance with
SiteProtector:

● Verify the name of the SiteProtector sensor group to which you want to assign the
appliance.
● Verify the IP address and port for each SiteProtector agent manager that you want to
use with the appliance.
● Verify the Primary Management Interface on the Network Configuration page in
Proventia Manager that you want SiteProtector to use first when connecting to the
appliance.
Reference: For more information, see “Primary Management Interface” on page 339.
● Make sure that the appliance has the latest firmware update installed.

SiteProtector management setup tasks
The following table describes the required and recommended tasks for setting up
SiteProtector management on your appliance.

Task 1: Register your appliance with SiteProtector from the Management page in the Proventia
Manager interface.

Task 2: Enable SiteProtector alerts for each module that you want to send alerts to the
SiteProtector console.
Note: Each module has an Event Notification page in the Proventia Manager and in
the SiteProtector interface where you can enable SiteProtector alerts for the module.
For more information about enabling alerts for a module in SiteProtector, see your
SiteProtector documentation.

Table 142: SiteProtector management setup task descriptions


SiteProtector management process
The following table describes the SiteProtector management process.

Stage 1
Description: You create the sensor group in SiteProtector, and establish appliance
settings for the group.
Result: The sensor group exists in SiteProtector, and remains empty until you register an
appliance under that group name.

Stage 2
Description: You register the appliance with the SiteProtector group on the Management
page in the Proventia Manager.
Result: The appliance waits for the first heartbeat interval, and then sends a heartbeat to
SiteProtector.

Stage 3
Description: The appliance appears in the SiteProtector console, and receives updates.
Result: Depending on the override setting, the appliance either
• Inherits group settings
• Maintains individual settings

Table 143: SiteProtector management process

Overriding SiteProtector group settings
When you register the appliance with SiteProtector, you must choose one of the following
options:

● allow the appliance to inherit group settings at the first heartbeat
● override the group settings at the first heartbeat so that the appliance maintains each
individual setting until you change that setting at the group level in SiteProtector

The Local Settings Override SiteProtector Group Settings box on the System
Management page in the Proventia Manager is enabled by default. Use this setting to
determine whether group settings are shared down to the appliance at the first heartbeat
to SiteProtector. If you leave this box selected, then the appliance maintains individual
settings and does not inherit group settings at the first heartbeat. After the first heartbeat,
any policy setting you change in SiteProtector at the group level is shared down to every
appliance in the group at the next heartbeat. You can manage the individual settings for
the appliance at the appliance level in SiteProtector.

Caution: Be careful when you disable the option to override group settings at the first
heartbeat. SiteProtector applies the group settings to the appliance even if the group
settings are not defined. If you disable the override option and apply SiteProtector group
settings to the appliance at the first heartbeat, be sure that you define group settings (such
as firewall rules) at the group level in SiteProtector. If you configure settings in Proventia
Manager, and then register the appliance without the group setting override option
enabled, then the appliance settings will be overridden at the first heartbeat with the
default, undefined group settings.

Reference: For more information about managing appliance settings in SiteProtector,
see your SiteProtector documentation.

Override recommendations
ISS recommends that you use the Local Settings Override SiteProtector Group Settings
option as follows:

● If you have not defined all of your group settings in SiteProtector, leave the Local
Settings Override SiteProtector Group Settings box enabled. This prevents
undefined SiteProtector group settings from overriding existing appliance settings. If
undefined group settings override existing policy settings, you must define the
appliance settings at the group level. The changes will be shared down to the
appliance at the next heartbeat.


● If you have defined all of your group policy settings in SiteProtector, clear the Local
Settings Override SiteProtector Group Settings box so that the appliance
immediately inherits the group settings at the first heartbeat. This allows you to apply
the group settings to the appliance without further changes.

Configuring SiteProtector Management
To configure SiteProtector management of your appliance:

1. In the navigation pane, click + to expand the System node.
2. Select Management.
3. Select Register with SiteProtector.
4. Do you want local appliance settings to override SiteProtector group settings for the
first heartbeat?
■ If yes, select the Local Settings Override SiteProtector Group Settings box.
■ If no, clear the Local Settings Override SiteProtector Group Settings box.
5. Type a valid SiteProtector group name in the Desired SiteProtector Group for
Sensor field.
6. In the Heartbeat Interval (secs): field, type the number of seconds that you want the
appliance to wait between heartbeats to SiteProtector.
Note: This value must be between 60 and 86,400 seconds.
7. In the Agent Manager Configuration area, click Add.
The Add Agent Manager Configuration window appears.
8. Select the Authentication Level.
9. Type a meaningful name that corresponds to the SiteProtector Agent Manager in the
Name field.
10. Type the IP address of the SiteProtector Agent Manager in the Agent Manager
Address field.
11. Type the port number on which alerts are sent to SiteProtector in the Agent Manager
Port field.
Note: The default port number is 3995. If you change the default port number, you
must also configure the port number locally on the SiteProtector Agent Manager.
12. Is a proxy server installed in the network between the appliance and SiteProtector?
■ If yes, select the Use Proxy Settings box, and then go to Step 13.
■ If no, clear the Use Proxy Settings box, and then go to Step 16.
13. Type the IP address of the proxy server in the Proxy Server Address field.
14. Type the port number of the proxy server in the Proxy Server Port field.
15. Click OK.
16. Repeat Steps 6 through 15 for each appliance you want to add.
17. Click Save Changes.


SiteProtector Management of High Availability Appliances


Introduction You can manage the HA cluster through the SiteProtector Agent Manager using the
virtual IP address of the cluster.

Viewing the HA cluster
SiteProtector sees the cluster as a single appliance. Configuration of the HA cluster uses
the same CPE and policy components as Proventia Manager. In addition, SiteProtector
receives events from the HA cluster with the virtual IP address as the source.

Enabling SiteProtector management
Enable SiteProtector management for the HA appliance cluster after you apply all
network settings and HA settings on the appliances.
If your secondary appliance is already registered with a SiteProtector Agent Manager, you
must unregister the secondary appliance from SiteProtector after you enable HA. After
you enable HA, the appliance becomes redundant and will appear as "offline" in the
SiteProtector console.

Chapter 23

Managing Events and Log Files

Overview
Introduction This chapter describes how to view alert event log files.

In this chapter This chapter contains the following topics:

Topic Page

Accessing the Alert Event Log Page 348

Getting More Information About Events 352

Refreshing and Searching the Event Log File 353

Saving the Current Log File 357

Clearing the Alert Event Log File 358

Managing Saved Log Files 359


Chapter 23: Managing Events and Log Files

Accessing the Alert Event Log Page


Introduction You can access the Alert Event Log page in two ways:

● click the Alerts button
● click the Alerts node for each module

Viewing alerts for each module using the Alerts button
To view the alerts for a module using the Alerts button:

● Click the Alerts button at the top of any page for the module.
For example, if you are on the Firewall/VPN Settings page and want to view firewall
alerts, click the Alerts button at the top of the page to display the Alert Event Log
page. The log displays alerts for the Firewall/VPN module only.
Note: You can filter results and view other alerts on the Alert Event Log page. See
“Refreshing and Searching the Event Log File” on page 353.

Viewing alerts for each module using the Alerts node
To view the alerts for a module using the Alerts node:

● In the navigation pane, select the Alerts subnode for the module.
For example, if you want to view firewall alerts, expand the Firewall/VPN node, and
then click Alerts. The Alert Event Log appears, and displays alerts for the Firewall/
VPN module only.
Note: You can filter results and view other alerts on the Alert Event Log page. See
“Refreshing and Searching the Event Log File” on page 353.

Viewing security and system alerts
Use the Alert Event Log page to view security and system related alerts. You also use this
page to access the Log File Management page.

When you select an Alert subnode for a module in the navigation pane, the Alert Event
Log page displays events for that module. The following table describes the alert
subnodes available in the navigation pane:

This Alert subnode... Displays alerts related to...

Firewall Alerts: attempted attacks that occur in your network
Intrusion Prevention Alerts: Quarantine
Antivirus Alerts: viruses detected in files on your network
Web Filter Alerts: the Web Filter and Antispam Database. See also Update Alerts.
Antispam Alerts: the Antispam module
System Alerts: the appliance and its operation
Update Alerts: firmware, security and database updates

Table 144: Available alert subnodes


About the event log file
The alert event log file contains the following types of alerts:

● intrusion prevention alerts are related to attempted attacks that occur in your network
● antivirus alerts are related to viruses detected in files on your network
● system alerts are related to the appliance and its operation

About Rule Order and RuleGUID values
The Rule Order value appears in the following locations in the Proventia Manager:

● the Access Policy page
● the Alert Event Log page

The Rule Order value represents the position of an access policy in the Access Policy
table. If you move an access policy up or down in the table, the Rule Order value will
increase or decrease. This value is useful for troubleshooting firewall alerts and the access
policies that generate those alerts.

The Rule GUID value appears in the Alert Event Detail window.

Risk level icons You can determine the risk level of an event by the icon in the Risk Level column of the
log file. The risk levels are as follows:

Icon Description

Indicates a Low Risk event.

Indicates a Medium Risk event.

Indicates a High Risk event.

Table 145: Risk level icons

Event information icons
Additional information about events is available by clicking the event information icons
in the Event Name column of the log file. The event information icons are as follows:

Icon Description

Links to an X-Force Alert Description of the event.

Links to Antivirus Analysis Data about the event.

Table 146: Event information icons


Navigation icons Use the navigation icons on the Alert Log page and the Alert Event Detail window to
view alerts. The following table describes these icons:

This icon... On this page... Allows you to...

Alert Event Log page View the first page of alerts in the Alert Event Log

Alert Event Log page View the previous page of alerts in the Alert Event
Log

Alert Event Log page View the next page of alerts in the Alert Event Log

Alert Event Log page View the last page of alerts in the Alert Event Log

Alert Event Detail View the previous alert event detail record

Alert Event Detail View the next alert event detail record

Table 147: Alerts page navigation icons

Alert Event Log general field descriptions
The following table describes the fields at the top of the Alert Event Log page:

Alert Event Log column name: Description

Refresh Data Refreshes the information on the Alert Event Log page.

Search by Alert Id# Type an Alert Id# from the Alert Event Detail in this field to
display the alert.

Record # Displays the number of records on the current page and the
total number of records.
Example
Record # 20357 to 20308 of 20407

Generate new log file from Alerts Click this link to save the log files currently in the Alert Event
Log queue.

Clear Current Alerts Click this link to clear the Alert Event Log.

View/Manage Log Files Displays the Log File Management Page.

Table 148: Alert Event log general field descriptions

Alert Event Log table column descriptions
The following table describes the columns in the Alert Event Log table:

Alert Event Log column name: Description

Rec#: Record number of the alert

Risk Level: Displays a risk level icon for the alert. Use this option to filter
events of a desired level.
Example: if you select Medium, the log will only display Medium risk level alerts,
and no low or high level alerts.

Alert Name: Displays the alert name

Source IP: Displays the source IP address for the alert

Source Port: Displays the source port and port name for the alert

Destination IP: Displays the destination IP address of the event

Destination Port: Displays the destination port and port name of the event

Protocol: Displays the protocol and protocol number of the event

Rule Order: Displays the Rule Order number of the access policy corresponding to the
event

Alert Date & Time: Displays the date and time of the alert

Table 149: Alert event log table column descriptions

Alert Event Detail window
The Alert Event Details window displays more detailed information about the event. The
fields that appear in this window correlate with the type of alert.


Getting More Information About Events


Introduction This topic describes how to get more information about events that you see in the Alert
Event Log. It includes procedures for the following tasks:

● Viewing event details
● Getting intrusion prevention information
● Getting antivirus information

Viewing event details
To view event details:

● Click the event name in the Alert Name column.
The Alert Event Details window appears.
Tip: Click the Up or Down arrows to view details of the previous or next alert.

Getting intrusion prevention information
To get more information about intrusion prevention events:

● Click the X-Force Alert icon in the Alert Name column.
The X-Force Alert Description of the event appears.

Getting antivirus information
To get more information about antivirus events:

● Click the Antivirus icon in the Alert Name column.
The Antivirus Analysis Data for the event appears.
Reference: For more information, see “Accessing the Alert Event Log Page” on
page 348.


Refreshing and Searching the Event Log File


Introduction You can refresh the event log file to ensure that you are viewing the latest events. You can
also filter events, search the event log file, and display detailed information about a
specific event in Alert Event Details window.

You can filter the Event Log File in two ways:

● by Alert Event Log field values
● by Alert Type

Messages for each Alert Type
You can filter the alert event log file by the Alert Type. The following table describes the
Alert Type options:

This Alert Type... Contains these messages...

All Firewall • Resource Errors – Errors that occur with the firewall or with traffic
going through the firewall are written to the log file.
• Deny Rule Messages – If you have a deny rule with logging
enabled in a firewall policy and traffic is blocked on that rule, then an
event is written to the log file.
• Allow Rule Messages – If you have an allow rule with logging
enabled in a firewall policy and traffic is accepted on that rule, then
an event is written to the log file.
• Rule Not Found Messages – If a packet comes across your
network and is dropped because there are no matching firewall
policy rules, an event is written to the log file.
• Configuration Changes – Anytime a firewall rule, list, or any other
configurable firewall setting is modified, an event is written to the log
file.
Note: The event does not indicate which user made the change.
• Access Statistics – A log entry will be made at certain intervals
describing the current network activity.
• VPN Messages – Every time a user accesses your network
through one of the IPSEC or manual IPSEC policies, an event is
written to the log file.
• DNS and ICMP Messages – For all ICMP messages and all DNS
query and reply messages, an event is written to the log file.

Firewall Rule • Allow Rule
• Deny Rule

Firewall Alerts • Syn Flood
• Ping of Death
• IP Spoofing
• Invalid Packets
• General Attacks

Firewall General • Resource Error
• VPN Messages

Antivirus • Antivirus event messages

Antispam • Log Only Email Tagged As Spam
• Log All Email

Web Filter • Blocked Web Page Requests
• All Web Page Requests

Intrusion Prevention • Blocked Attacks/Audits
• Non-Blocked Attacks
• Non-Blocked Audit
• General Event (quarantine rule and packet dropped)

System • System Error
• System Warning
• System Informative

Table 150: Messages for each alert type

Searching with wildcards
You can use the asterisk (*) wildcard character to search the following fields in the alert
event log:

● Alert Name
● Source IP Address
● Destination IP Address

Examples The following entry in the Source Address field displays all alerts with a Source IP
Address that begins with 129:

129*

The following entry in the Destination Address field displays all alerts with a Destination
IP Address ending with 129:

*129

The following entry in the Source Address field displays all alerts with a Source IP
Address that contains 129:

*129*

The following entry in the Alert Name field displays all alerts with names that begin with
“Firewall”:

Firewall*

Refreshing the event log file
To refresh the alert event log file:

● On the Alert Event Log page, select an option from the Refresh Data list.
The Alert Event Log page is refreshed to display the latest events.


Filtering by Alert Event Log field values
You can filter the alert event log file by any of the following options in the Filter Options
list. When you select an option from the list, the corresponding search fields appear. The
following table describes the filter options and procedures:

Select this item from the Filter Option list... And then do this...

Risk Level Select an option from the Risk Level list, and then click Go.
Options are:
• High
• Medium
• Low

Alert Name Type an alert name in the Alert Name field, and then click Go.

Alert Type Select an option from the Alert Type list, and then click Go.
Options are:
• All Firewall
• Firewall Rule
• Firewall Alerts
• Firewall General
• Antivirus
• Web Filter
• Antispam
• Intrusion Prevention
• System
See “Messages for each Alert Type” on page 353 for descriptions
of alerts that the appliance displays for each Alert Type.

Date and Time Type a date and time in the Start Date and Time field, type a date
and time in the End Date and Time field, and then click Go.
Consider the following requirements:
You must type the date in mm/dd/yyyy format.
Example: 01/01/2004
You must type the time in hh:mm:ss format.
Example: 14:25:00
You can omit the start date or end date, but you must enter a value
in at least one of the two fields. If you omit the time in the Start
Date and Time field, then the appliance interprets this value as
00:00:00. If you omit the time in the End Date and Time field,
then the appliance interprets this value as 23:59:59.

Source IP Type the source IP address for the alert event in the Source IP
field, and then click Go.

Destination IP Type the destination IP address for the alert event in the
Destination IP field, and then click Go.

Source and Destination IP Type the source IP address for the alert event in the Source IP
field, type the destination IP address for the alert event in the
Destination IP field, and then click Go.

Source Port Number Type the source port number for the alert event in the Source
Port field, and then click Go.


Destination Port Number Type the destination port number for the alert event in the
Destination Port field, and then click Go.

Protocol Number Type the protocol number for the alert event in the Protocol
Number field, and then click Go.

Multiple Values Type or select a value in any or all of the fields, and then click Go.
The appliance displays a field for each of the filter options.
To find a specific event, the value for each field you include in the
search must match the event.

Filter Off Click Go.
The appliance removes the event log filter and returns all events.

Table 151: Filter options and procedures
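The wildcard and filter rules above (the asterisk on Alert Name, Source IP and Destination IP; the Date and Time defaults; Multiple Values requiring every field to match) modelled as an offline Python script, so they can be checked against sample data. This is an added example, not ISS code; the record layout, field names and alerts in it are constructed for illustration.

```python
"""Added example (not part of the ISS user guide): an offline model of the
Alert Event Log filter semantics. It implements the '*' wildcard for Alert
Name, Source IP and Destination IP; Risk Level, Alert Type, port and protocol
selection; the Date and Time filter with the documented defaults (a missing
start time means 00:00:00, a missing end time means 23:59:59, and at least
one of the two dates is required); and 'Multiple Values', where every field
supplied must match. Record layout and alerts are constructed."""
import re
from datetime import datetime

DATE_FMT = "%m/%d/%Y"   # mm/dd/yyyy, as the page requires
TIME_FMT = "%H:%M:%S"   # hh:mm:ss

# Constructed sample alerts shaped like the Alert Event Log columns.
SAMPLE_ALERTS = [
    {"rec": 1, "risk": "High", "alert_name": "Firewall_SynFlood",
     "alert_type": "Firewall Alerts", "src_ip": "129.10.4.7",
     "dst_ip": "10.0.0.5", "src_port": 44321, "dst_port": 80,
     "protocol": 6, "time": "01/01/2004 14:25:00"},
    {"rec": 2, "risk": "Low", "alert_name": "Firewall_AllowRule",
     "alert_type": "Firewall Rule", "src_ip": "10.1.1.129",
     "dst_ip": "192.168.1.129", "src_port": 5000, "dst_port": 443,
     "protocol": 6, "time": "01/02/2004 09:00:00"},
    {"rec": 3, "risk": "Medium", "alert_name": "Antivirus_Detected",
     "alert_type": "Antivirus", "src_ip": "172.16.129.2",
     "dst_ip": "10.0.0.9", "src_port": 25, "dst_port": 25,
     "protocol": 6, "time": "01/02/2004 23:30:00"},
]

WILDCARD_FIELDS = {"alert_name", "src_ip", "dst_ip"}
EXACT_FIELDS = {"risk", "alert_type", "src_port", "dst_port", "protocol"}


def wildcard_to_regex(pattern):
    """Turn a page-style pattern such as '129*', '*129' or 'Firewall*' into an
    anchored regex. Only '*' is special; dots in IP addresses stay literal."""
    pieces = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(pieces) + "$")


def wildcard_match(pattern, value):
    return wildcard_to_regex(pattern).match(value) is not None


def parse_bound(text, is_end):
    """Parse 'mm/dd/yyyy' or 'mm/dd/yyyy hh:mm:ss'. A missing time defaults to
    00:00:00 for the start bound and 23:59:59 for the end bound."""
    if not text:
        return None
    fields = text.split()
    if len(fields) == 1:
        fields.append("23:59:59" if is_end else "00:00:00")
    return datetime.strptime(" ".join(fields), DATE_FMT + " " + TIME_FMT)


def date_bounds(start_text, end_text):
    """Either date may be omitted, but not both."""
    if not start_text and not end_text:
        raise ValueError("enter a value in at least one of the two date fields")
    return parse_bound(start_text, False), parse_bound(end_text, True)


def filter_alerts(alerts, date=None, **fields):
    """Return the record numbers of alerts matching every supplied criterion.
    `date` is an optional (start_text, end_text) pair; the other keyword
    arguments name columns: wildcard fields accept '*', the rest must match
    exactly. An empty set of criteria corresponds to Filter Off."""
    unknown = set(fields) - WILDCARD_FIELDS - EXACT_FIELDS
    if unknown:
        raise ValueError("unknown filter field(s): %s" % sorted(unknown))
    start, end = date_bounds(*date) if date else (None, None)
    matched = []
    for alert in alerts:
        if not all(wildcard_match(want, alert[name]) if name in WILDCARD_FIELDS
                   else alert[name] == want
                   for name, want in fields.items()):
            continue
        if date:
            when = datetime.strptime(alert["time"], DATE_FMT + " " + TIME_FMT)
            if (start and when < start) or (end and when > end):
                continue
        matched.append(alert["rec"])
    return matched


if __name__ == "__main__":
    print(filter_alerts(SAMPLE_ALERTS, src_ip="129*"))            # [1]
    print(filter_alerts(SAMPLE_ALERTS, date=("01/02/2004", "")))  # [2, 3]
```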

Filtering the event log file
To filter the event log file, do the following:

1. Select an option from the Filter Options list.
2. In the field that appears, type or select the criteria for the filter.
3. Click Go.
The alert event log displays the events that match your criteria.

Removing the filter from the event log file
To remove the filter from the event log file:

● Select Filter Off, and then click Go.
The alert event log displays all events.

Searching by Alert ID number
To search the alert event log file:

● On the Alert Event Log page, type the 26-character alert ID number in the Search by
Alert Id# field, and then click Go.
The event record is highlighted on the page.


Saving the Current Log File


Introduction This topic describes how to save the current alert event log file. A saved copy may be
beneficial for forensic purposes.

Note: When alert events are saved, the events remain visible in the Alert Event Log page.

How the log file is saved
The current log file is saved as three comma-separated values (.csv) files. The three files
are used to cross-reference the data displayed in the Alerts. The files are as follows:

● filename_eventdata.csv contains the distinct records that match the alert record
number. This file also lists the event name and the risk level.
● filename_eventinfo.csv contains the data listed in the event specific information
section of the alert.
● filename_eventresp.csv contains the data from the responses executed section of
the alert.
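Reassembling saved alerts from the three files, as an added Python example that is not ISS code. The page states only that the files cross-reference each other by alert record number and what each holds; the column names and sample rows below are constructed assumptions, so check the header row of a real export before relying on them.

```python
"""Added example (not part of the ISS user guide): join the three saved .csv
files on the alert record number so each alert can be reviewed with its
event-specific information and the responses executed. Column names
(rec, event_name, risk_level, name, value, response) and the rows are
constructed assumptions for illustration."""
import csv
import io

# Constructed contents of <filename>_eventdata.csv, _eventinfo.csv and
# _eventresp.csv. Record 20400 in eventinfo has no eventdata row on purpose.
EVENTDATA_CSV = """rec,event_name,risk_level
20357,Firewall_SynFlood,High
20358,Antivirus_Detected,Medium
20359,Firewall_DenyRule,Low
20360,Firewall_PingOfDeath,High
"""
EVENTINFO_CSV = """rec,name,value
20357,source_ip,129.10.4.7
20357,destination_ip,10.0.0.5
20358,file_name,invoice.exe
20358,virus_name,Sample.Virus
20359,source_ip,10.1.1.129
20400,source_ip,10.9.9.9
"""
EVENTRESP_CSV = """rec,response
20357,Blocked
20357,Email notification sent
20358,Quarantined
"""


def read_rows(text):
    """Parse CSV text with a header row into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def assemble_alerts(eventdata, eventinfo, eventresp):
    """Join the three files on the record number.

    Returns (alerts, orphans): `alerts` maps each record number found in
    eventdata to its event name, risk level, a dict of event-specific info
    and a list of responses (empty when none were executed); `orphans` lists
    (file, rec) pairs whose record number has no eventdata entry, which a
    reviewer should notice rather than silently drop."""
    alerts = {}
    for row in read_rows(eventdata):
        alerts[int(row["rec"])] = {
            "event_name": row["event_name"],
            "risk_level": row["risk_level"],
            "info": {},
            "responses": [],
        }
    orphans = []
    for row in read_rows(eventinfo):
        rec = int(row["rec"])
        if rec in alerts:
            alerts[rec]["info"][row["name"]] = row["value"]
        else:
            orphans.append(("eventinfo", rec))
    for row in read_rows(eventresp):
        rec = int(row["rec"])
        if rec in alerts:
            alerts[rec]["responses"].append(row["response"])
        else:
            orphans.append(("eventresp", rec))
    return alerts, orphans


def unanswered_high_risk(alerts):
    """Record numbers of High risk alerts with no response executed: the
    first thing to triage when reviewing a saved log."""
    return sorted(rec for rec, alert in alerts.items()
                  if alert["risk_level"] == "High" and not alert["responses"])


if __name__ == "__main__":
    found, stray = assemble_alerts(EVENTDATA_CSV, EVENTINFO_CSV, EVENTRESP_CSV)
    print(unanswered_high_risk(found))   # [20360]
    print(stray)                         # [('eventinfo', 20400)]
```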

Saving the current alert event log
To save the current alert event log file:

● On the Alert Event Log page, click Generate new log file from Alerts.
The file is saved and the Log File Management page appears.
Reference: For more information, see “Accessing the Alert Event Log Page” on
page 348.


Clearing the Alert Event Log File


Introduction This topic describes how to clear all events from the alert event log. When events are
cleared from the log, they no longer appear in the Alert Event Log page.

Before you begin Before you clear the alert event log file, you may want to save a copy for archiving. A
saved copy may be beneficial for forensic purposes.

Reference: For more information, see “Saving the Current Log File” on page 357.

Clearing the alert event log file
To clear the alert event log file:

1. On the Alert Event Log page, click Clear Current Alerts.
A confirmation message appears.
2. Click OK.
The Alert Event Log file is cleared.
Reference: For more information, see “Accessing the Alert Event Log Page” on
page 348.


Managing Saved Log Files


Introduction This topic describes how to manage the saved alert event log files on your system.
Managing the files involves downloading them to another system, deleting them, or both.
It includes procedures for the following tasks:

● downloading log files
● deleting log files

Viewing and managing saved event log files
Use the Log File Management page to view and manage your saved event log files.

Downloading log files
This procedure describes how to download a saved log file from the appliance to a local
workstation. After the download, the saved log file still exists on the appliance.

To download log files:

1. On the Alert Event Log page, click View/Manage Log Files.
2. Select a file to download, and then click Download.
3. Select Save the file to disk, and then click OK.
4. Type a File Name, and then click Save.

Deleting log files This procedure describes how to remove saved log files from the appliance.

To delete log files:

1. On the Alert Event Log page, click View/Manage Log Files.
2. Do one of the following:
■ Select a file to delete, and then click Delete.
■ Click Delete All.
A confirmation window appears.
3. Click OK.
The file or files are deleted.

Chapter 24

System Backup and Recovery

Overview
Introduction This chapter describes system backup and setting snapshot functions, and provides the
requirements and procedures for reinstalling and reconfiguring the Proventia Integrated
Security Appliance and software from the Recovery CDs.

Restrictions for earlier firmware versions
Snapshot files for firmware versions 1.7 or earlier are not compatible with firmware
version 1.8 or later. ISS recommends that you create a new snapshot file after you update
your appliance.

In this chapter This chapter contains the following topics:

Topic Page

System Backup and Recovery 362

Creating and Managing Snapshot Files 364

Creating or Restoring a System Backup 366

Using System Backups and Snapshots with High Availability Enabled 367

Proventia M10 and M30 Appliance Reinstallation Overview 371

Reinstalling the M10 and M30 Appliances 373

M50 Appliance Reinstallation Requirements 375

Reinstalling the M50 Appliance 376

Chapter 24: System Backup and Recovery

System Backup and Recovery


Introduction This topic describes the backup and recovery process. Click Backup and Recovery in the
navigation pane to display the Backup and Recovery page.

There are two components to backup and recovery of your appliance:

Snapshots: A snapshot is a file that stores your appliance’s configuration
settings. You can use the file to restore the appliance’s settings or
to configure the settings on another appliance.

System backups: A system backup stores the operating system and configuration of
the appliance. When you restore from a system backup, you
restore the appliance to a previous state.

Table 152:

Note: ISS recommends that you create a system backup or download the snapshot files to
a local computer. For managing system snapshots with the High Availability module
enabled, see “Using System Backups and Snapshots with High Availability Enabled” on
page 367.

Note: Recovery CDs can be obtained from the ISS Technical Support Centers. See
“Getting Technical Support” on page xiv.

Backup restrictions The following restrictions apply to creating backups:

● You can have only one system backup. Creating a system backup overwrites the
previous backup.
● Creating a system backup takes the appliance offline and disrupts connectivity for
several minutes.

Important: If you configure the appliance and then click Restore from Backup before you
create a system backup, the appliance is restored from the default system backup that
does not contain your system configuration. You cannot log into the Proventia Manager
interface until you reconfigure the appliance using the Proventia Setup utility.

Reference: For more information about configuring the appliance with the Proventia
Setup utility, see the Proventia M Appliance Quick Start Guide for your appliance model.

Clearing the Java cache
After you restore the system from backup, do the following:
● Close all browser windows.
● Clear the Java cache before you log back into the Proventia Manager.

Important: Failure to close all of the browser windows and clear the Java cache may cause
the Proventia Manager to behave unpredictably after the system restore is completed.

Why you should create a backup
The Backup Description field on the Home page includes the date of the last system
backup. Review the Home page to determine whether a new backup is needed. You
should create a full system backup for the following situations:


● before you apply firmware updates
● when you need to save your configuration

Important: You should create a configuration settings snapshot prior to performing
backups or updates. For more information, see “Creating and Managing Snapshot Files”
on page 364.

Creating a system backup
To create a system backup:

1. In the navigation pane, select the Backup and Recovery node.
2. Select the Full Backup tab.
3. Click Create System Backup.
The system creates a full system backup. The IP address for the appliance is
unavailable during the backup process, and you cannot access the Proventia Manager
in the browser window.

Restoring a system backup
To restore a system backup:

1. In the navigation pane, select the Backup and Recovery node.
2. Select the Full Backup tab.
3. Click Restore from Backup.
A message prompts you to continue the backup.
4. Click OK.
The system restores the backup.
Note: The IP address for the appliance is unavailable during the backup process, and
you cannot access the Proventia Manager in the browser window.
5. Close all Web browser windows.
6. Clear your Java cache.
Reference: For instructions about clearing the Java cache, refer to your operating
system documentation.
Note: If you enabled “Alert Logging for System Informative Events” and specified an
email address, you will receive an email notification once the appliance is back online.
If you have not enabled this notification setting, please wait at least 5 minutes before
you attempt to log back into the Proventia Manager.

Proventia M Series Appliances User Guide Release 2.3 363


Chapter 24: System Backup and Recovery

Creating and Managing Snapshot Files


Introduction
This topic describes how to create a file snapshot that stores your appliance’s
configuration settings. You can use the file to restore appliance settings or to configure
settings on another appliance. It includes procedures for the following tasks:

● Creating a snapshot file that stores your configuration settings.
● Applying a snapshot file.
● Managing snapshot files.

Note: ISS recommends that you create a system backup, or download the snapshot files to
a local computer.

Note: For managing snapshot files with the High Availability module enabled, see
“Using System Backups and Snapshots with High Availability Enabled” on page 367.

About snapshot files
When you create a snapshot file, the system creates a file that stores the appliance’s
configuration settings, policy files, and login accounts. This includes the three accounts
used to access the Proventia Manager.

FactoryDefault.settings is the default snapshot file, which includes the original appliance
settings.

Important: If you configure the appliance and then apply the default snapshot file before
you create a system backup, the appliance applies the default settings. You cannot log into
the Proventia Manager interface until you reconfigure the appliance using the Proventia
Setup utility.

Reference: For more information about configuring the appliance with the Proventia
Setup utility, see the Proventia M Appliance Quick Start Guide for your appliance model.

Restrictions
Snapshot files for firmware versions 1.7 or earlier are not compatible with firmware
version 1.8 or later. ISS recommends that you create a new snapshot file after you update
your appliance with firmware version 1.8.

Reference: See “About Updating the Appliance” on page 22.

Creating a snapshot file
To create a snapshot file:

1. In the navigation pane, select the Backup and Recovery node.
2. Select the Settings Backup tab.
3. Click Add.
4. Type the snapshot name in the Define a name for the snapshot file field.
5. Click Create.
The new snapshot file appears in the Settings Backup table.


Managing a snapshot file
To manage a snapshot file:

1. In the navigation pane, select the Backup and Recovery node.
2. Select the Settings Backup tab.
3. In the Settings Backup table, select the snapshot file you want to manage.
4. Do one of the following:
■ Click Apply to apply the snapshot file. The appliance updates the settings and
prompts you for the password that was in effect when you created the snapshot.
■ Click Delete to delete the selected file.
■ Click Download to open or save the file to your local computer.
■ To delete multiple selected files, press the CTRL key, select each file, and then click
Delete All.

Uploading a snapshot file
You can upload a snapshot file from an external source so that it is available on the
appliance.

To upload a snapshot file:

1. In the navigation pane, select the Backup and Recovery node.
2. Select the Settings Backup tab.
3. Click Add.
4. Do one of the following:
■ Type the snapshot name in the Snapshot file to Upload field.
■ Click Browse to locate the file name and add it from an external source.
5. Click Upload.
The snapshot file appears in the Settings Backup table.


Creating or Restoring a System Backup


Introduction
This topic provides procedures for the following tasks:

● creating a system backup
● restoring a system backup

Click Backup and Recovery in the navigation pane to display the Backup and Recovery
page.

Note: ISS recommends that you create a system backup or download the snapshot files to
a local computer. For managing system snapshots with the High Availability module
enabled, see “Using System Backups and Snapshots with High Availability Enabled” on
page 367.

Creating a system backup
To create a system backup:

1. In the navigation pane, select the Backup and Recovery node.
The Backup and Recovery page appears.
2. Select the Full Backup tab.
3. Click Create System Backup.
The system creates a full system backup. The IP address for the appliance is
unavailable during the backup process, and you cannot access the Proventia Manager
in the browser window.

Restoring a system backup
To restore a system backup:

1. In the navigation pane, select the Backup and Recovery node.
2. Select the Full Backup tab.
3. Click Restore from Backup.
A message prompts you to continue the backup.
4. Click OK.
The system restores the backup. The IP address for the appliance is unavailable
during the backup process, and you cannot access the Proventia Manager in the
browser window.
5. Close all Web browser windows.
6. Clear your Java cache.
Reference: For instructions about clearing the Java cache, refer to your operating
system documentation.
Note: If you enabled “Alert Logging for System Informative Events” and specified an
email address, you will receive an email notification once the appliance is back online.
If you have not enabled this notification setting, please wait at least 5 minutes before
you attempt to log back into the Proventia Manager.


Using System Backups and Snapshots with High Availability Enabled

Introduction
This topic describes how to do the following on an appliance with the high availability
feature enabled:

● create a system backup
● restore from a system backup
● create snapshots
● apply snapshots

System backups and snapshots work similarly in non-HA and HA environments; the
important difference for an HA environment is that you must use the virtual IP address
(owned by the primary appliance) to manage the HA cluster. The primary appliance owns
the virtual IP addresses, so when you apply a snapshot to the primary appliance, you
apply the snapshot to both appliances in the HA cluster.

Note: For more information about system backups and snapshots, see “Creating and
Managing Snapshot Files” on page 364 and “Creating or Restoring a System Backup” on
page 366.

Restrictions
Consider the following restrictions when you use snapshots with your HA appliances:

● You must use the virtual IP address of the HA cluster to apply a snapshot. The
primary appliance owns the virtual IP addresses, so apply the snapshot to the
primary appliance. When you apply the snapshot to the primary appliance, the
primary appliance copies the snapshot to the secondary appliance. If you apply the
snapshot directly to the secondary appliance, the secondary appliance fails.
Example
You have primary appliance A and secondary appliance B on your network. Create a
snapshot from primary appliance A. When you apply the snapshot, apply it to
primary appliance A. Appliance A copies the snapshot over to secondary appliance B.
If you try to apply the snapshot directly to secondary appliance B, appliance B fails
and the snapshot does not apply.
If primary appliance A fails, appliance B becomes primary. You can now apply the
snapshot to appliance B, since it is now the primary appliance.
● You can create a snapshot from either the primary or secondary appliance.
Note: ISS recommends that you create snapshots from the primary appliance.
● A snapshot must match the HA state (enabled or disabled) and existing network
settings of the cluster.
Example
If you try to apply a snapshot that enables HA to an appliance that does not have the
HA feature enabled, the snapshot fails. You cannot edit IP addresses or other network
settings in an HA cluster, so if you try to apply a snapshot containing different
network settings from the existing cluster network settings, the snapshot fails.

Recommendations
ISS recommends that you do the following:


● Create the settings snapshot on both appliances before you enable the HA feature. If
you restore an HA appliance from system backup, you must repeat the HA
configuration process. You can save time by applying the settings snapshot after you
restore the appliance from backup.
● When you create a settings snapshot, create the settings snapshot on the primary
appliance.

When appliances synchronize system snapshots with HA enabled
You can create a snapshot on an appliance as usual. The appliances in an HA cluster will
synchronize snapshots as follows:

● When you apply a snapshot to the primary appliance, the primary appliance
automatically copies the snapshot to the secondary appliance.
● When you enable the HA feature, the secondary appliance applies the snapshot
automatically.
● If you reboot the secondary appliance, the secondary appliance obtains the newest
snapshot from the primary appliance.
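The snapshot restrictions (virtual IP, matching HA state and network settings, the firmware 1.7/1.8 compatibility rule from “Creating and Managing Snapshot Files”) and the synchronization behaviour above, modelled as a pre-apply check. This is an added example in Python, not ISS code; the cluster, the appliance names A and B, the 192.0.2.x addresses and the snapshot fields are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int]  # (major, minor) firmware version, e.g. (2, 3)


@dataclass
class Appliance:
    name: str
    static_ip: str
    applied_snapshot: Optional[str] = None  # snapshot last applied to, or copied to, this unit


@dataclass
class Snapshot:
    name: str
    created_on: str                   # name of the appliance the snapshot was created from
    ha_enabled: bool                  # HA state captured in the snapshot
    network_settings: Dict[str, str]  # network settings captured in the snapshot
    firmware: Version                 # firmware version the snapshot was created on


@dataclass
class HaCluster:
    virtual_ip: str                   # owned by whichever appliance is currently primary
    ha_enabled: bool
    network_settings: Dict[str, str]
    firmware: Version
    primary: Appliance
    secondary: Appliance

    def fail_over(self) -> None:
        """The primary fails: the secondary takes over the virtual IP and becomes primary."""
        self.primary, self.secondary = self.secondary, self.primary


# Snapshots taken on firmware 1.7 or earlier are not compatible with 1.8 or later.
SNAPSHOT_FORMAT_CHANGE: Version = (1, 8)


def apply_problems(cluster: HaCluster, snapshot: Snapshot, connected_to: str) -> List[str]:
    """Return the reasons applying `snapshot` through the address `connected_to`
    would fail, in the order the guide lists them; an empty list means it can be applied."""
    problems: List[str] = []
    if connected_to == cluster.secondary.static_ip:
        problems.append(
            f"applied directly to secondary {cluster.secondary.name}: "
            "the secondary fails and the snapshot does not apply")
    elif connected_to != cluster.virtual_ip:
        problems.append(
            f"connected to {connected_to}; apply through the cluster virtual IP {cluster.virtual_ip}")
    if snapshot.ha_enabled != cluster.ha_enabled:
        problems.append("HA state in the snapshot does not match the HA state of the cluster")
    if snapshot.network_settings != cluster.network_settings:
        problems.append("network settings in the snapshot differ from the cluster network settings")
    if snapshot.firmware < SNAPSHOT_FORMAT_CHANGE <= cluster.firmware:
        problems.append("snapshot from firmware 1.7 or earlier is not compatible with 1.8 or later")
    return problems


def apply_snapshot(cluster: HaCluster, snapshot: Snapshot, connected_to: str):
    """Apply a snapshot as the guide describes: if any check fails nothing is applied;
    otherwise the primary applies it and copies it to the secondary.
    Returns (applied_to, copied_to, problems)."""
    problems = apply_problems(cluster, snapshot, connected_to)
    if problems:
        return None, None, problems
    cluster.primary.applied_snapshot = snapshot.name
    cluster.secondary.applied_snapshot = snapshot.name  # the primary copies it over
    return cluster.primary.name, cluster.secondary.name, []


def reboot_secondary(cluster: HaCluster) -> Optional[str]:
    """On reboot the secondary obtains the newest snapshot from the primary."""
    cluster.secondary.applied_snapshot = cluster.primary.applied_snapshot
    return cluster.secondary.applied_snapshot


def demo_cluster() -> HaCluster:
    """Constructed two-unit cluster: A primary, B secondary, virtual IP 192.0.2.10."""
    return HaCluster(
        virtual_ip="192.0.2.10", ha_enabled=True,
        network_settings={"int": "192.0.2.10/24", "ext": "198.51.100.2/24"},
        firmware=(2, 3),
        primary=Appliance("A", "192.0.2.11"),
        secondary=Appliance("B", "192.0.2.12"))


if __name__ == "__main__":
    cluster = demo_cluster()
    snap = Snapshot("prod", "A", True, dict(cluster.network_settings), (2, 3))
    print(apply_snapshot(cluster, snap, "192.0.2.12"))  # B fails, nothing applied
    print(apply_snapshot(cluster, snap, "192.0.2.10"))  # ('A', 'B', [])
    cluster.fail_over()                                  # A fails, B is now primary
    print(apply_snapshot(cluster, snap, "192.0.2.10"))  # ('B', 'A', [])
```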

Creating a system backup with HA enabled
This table describes the required tasks to create system backups for the primary (Unit A)
and secondary (Unit B) appliances. To create a system backup with HA enabled, perform
the tasks described in the following table:

Task Description

1 Use the Unit B (secondary appliance) unique internal IP address to connect to the
Unit B Proventia Manager interface.
Note: Do not use the virtual IP address.

2 Manually perform a system backup on Unit B.

3 To verify that the backup was successful, go to the Status area on the Home Page
and make sure that the High Availability Active Status is Running.

4 Use the Unit A (primary appliance) unique internal IP address to connect to the Unit
A Proventia Manager interface.
Note: Do not use the virtual IP address.

5 To verify that the HA feature is running properly on Unit A, go to the System Status
area on the Home Page and make sure that the High Availability Active Status is
Running.

6 Expand the System node, select Tools, and then click .
Note: This forces a failover, so that Unit B becomes the primary appliance. After the
failover completes, the Secondary Appliance banner appears on Unit A.

7 Manually perform a system backup on Unit A.

8 Connect to the HA cluster in Proventia Manager using the internal virtual IP
address.

9 To verify that the HA feature is running properly, go to the Status area on the Home
Page and make sure that the High Availability Active Status is Running.

Table 153: Tasks for creating a system backup with HA enabled


Restoring from a system backup with HA enabled
This table describes the required tasks for the primary (Unit A) and secondary (Unit B)
appliances. To restore from a system backup with HA enabled, perform the tasks
described in the following table:

Task Description

1 Use the Unit A (primary appliance) unique internal IP address to connect to the Unit
A Proventia Manager interface.
Note: Do not use the virtual IP address.

2 Expand the System node, select High Availability, and then clear the HA Enabled
box.
Note: This disables the HA feature for both appliances.

3 Restore Unit A (the primary appliance) from a system backup.

4 Restore Unit B (the secondary appliance) from a system backup.

5 Reconfigure HA as described in “High Availability Task Overview” on page 52.

Table 154: Tasks for restoring from a backup with HA enabled

Creating a snapshot file with HA enabled
The procedure for creating a snapshot file on an HA appliance is the same as for a
non-HA appliance, but you must be sure to access the HA appliance via one of the virtual
IP addresses. Do not use either appliance’s static IP addresses when you create a snapshot.

To create a snapshot file on an appliance with HA enabled:

1. Use the virtual IP address of the HA cluster to connect to the Proventia Manager
interface.
Note: Do not use either appliance’s static IP address.
2. In the navigation pane, select the Backup and Recovery node.
3. Select the Settings Backup tab.
4. Click Add.
5. Type the snapshot name in the Define a name for the snapshot file field.
6. Click Create.
The new snapshot file appears in the Settings Backup table.

Applying a snapshot with HA enabled
The procedure for applying a snapshot file on an HA appliance is the same as for a
non-HA appliance, but you must use the virtual IP address of the HA cluster and apply the
snapshot to the primary appliance.

To apply a snapshot file to an HA cluster:

1. Use the virtual IP address of the HA cluster to connect to the Proventia Manager
interface on the primary appliance.
Important: Do not apply the snapshot to the secondary appliance.
2. In the navigation pane, select the Backup and Recovery node.
3. Select the Settings Backup tab.
4. In the Settings Backup table, select the snapshot file you want to apply.


5. Click Apply to apply the snapshot file.
The primary appliance does the following:
■ updates the settings and prompts you for the password that was in effect when you
created the snapshot
■ copies the snapshot to the secondary appliance


Proventia M10 and M30 Appliance Reinstallation Overview


Introduction
Use the Proventia M Integrated Security Appliance Recovery CD Set that comes with your M
appliance to reinstall the appliance software. The recovery CD reinstalls the original,
unconfigured software.

What you need
To reinstall the M10 or M30 appliance, you need:

● a laptop or computer to use as your PXE boot server
Note: The BIOS settings on your PXE server computer must allow it to restart from a
CD. For information on your BIOS settings, refer to the documentation for your
computer.
● an ethernet crossover CAT5 cable
● the provided null modem cable
● a Proventia M Integrated Security Appliance Recovery CD Set

Using the PXE server
The Proventia M10 and M30 appliances use the Pre-boot eXecution Environment (PXE)
technology to enable your computer to restart the M10 appliance from the network.

Note: The Web Filter and Antispam Database can be re-installed from the CDs, or from
Proventia Manager on the System → FilterDB page by clicking Get Local DB. However, the
database is a large file. It is recommended that you initially re-install it locally using the
CDs, and then retrieve the updates via Proventia Manager. See “Manually Updating the
Web Filter and Antispam Database” on page 33.

Before you reinstall
Before you reinstall the appliance, you must verify:

● the IP address, subnet mask, and default gateway of the appliance’s management
interface
● the hostname, domain name, and DNS name server for the appliance
● that the appliance is running. If your appliance is not operating, contact ISS Customer
Support at support@iss.net.

Using the appliance recovery CD
To reinstall and reconfigure the software, you must:

● reinstall the appliance
● log in and change the password
● configure the network and host and internal and external interfaces
● configure the time and date
● configure command line, administrative (admin), and Proventia Manager passwords
● restart the appliance and apply the settings

Caution: The Recovery CDs restore the appliance to its original configuration and
remove any customized settings. The appliance also reverts to the default login name
and password.


PXE boot server hardware requirements
The computer or laptop you use as the PXE boot server must have the following:

● Pentium II or compatible CPU
● 64 MB RAM
● IDE CD-ROM drive
● COM1 serial port
● one of the following network cards:
■ 3Com 3c905C
■ Intel PRO/100
■ Intel PRO/1000
■ 3Com 3c575
■ Netgear FA511
■ Intel PRO/100 S Mobile Adapter
■ 3Com 3c574
■ Netgear FA411

Important: ISS supports only the network cards specified in the PXE boot server
hardware requirements.


Reinstalling the M10 and M30 Appliances


Introduction
This topic contains instructions for reinstalling the appliance software from the Proventia M
Integrated Security Appliance Recovery CD Set.

Setting up the PXE boot server
To set up a computer or laptop as the PXE server:

1. Turn off the appliance.
2. Plug one end of the provided null modem cable to the serial port of the appliance, and
the other end of the null modem cable to the COM1 serial port on the computer or
laptop that you are using as the PXE boot server.
3. Plug one end of the ethernet crossover cable into the Int interface on the appliance,
and the other end of the crossover CAT5 cable into the network interface of the PXE
boot server.

PXE setup diagram
The PXE setup is shown in Figure 6. The laptop serving as the PXE server connects to the
appliance CONSOLE (serial port) with the null modem cable and to the Internal Interface
with the CAT5 cable; the Recovery CD is inserted first, then the Database CDs.

Figure 6: PXE setup diagram

Reinstalling the appliance
To reinstall the appliance software:

1. Insert the Proventia M Integrated Security Appliance Recovery CD Set into the CD-ROM
drive of the PXE boot server, and then restart the PXE boot server.
The Proventia Mxx Boot Server CD screen appears, and the system displays status
messages.
The PXE boot server displays the following messages:
***You may now boot your Proventia Mxx via the network***
***Starting Terminal Emulator***
***Press Control-G to Exit and Reboot***
Note: The PXE boot server now acts as a terminal emulator for the appliance, and
displays the console output of the appliance.


2. Turn on the appliance.
The PXE boot server displays boot process messages, and then displays the following
prompt:
Press L to boot from LAN, or press any other key to boot normally.
3. Press the L key. The following message appears:
Internet Security Systems
Proventia Mxx Recovery Boot
The PXE boot server displays status messages from the appliance, and then boots the
installer over the network.
Note: If you are running multiple PXE servers on your network, you need to
disconnect them prior to running the Mxx reinstallation. You can verify that you are
accessing the correct PXE server by the message displayed in Step 3.
4. At the prompt, type reinstall, and then press ENTER.
The installer reloads the operating system.
Caution: If you already have the database locally installed, you will overwrite the
database by reinstalling it.

5. The PXE boot server ejects the Proventia M Integrated Security Appliance Recovery CD
Set, and the following message appears.
Please insert Database CD#1
6. Insert Database CD#1 into the CD-ROM drive of the PXE server.
The installer loads the first database CD. The PXE server displays several status
messages during the process.
Note: The database spans two CDs.
7. You will be prompted to insert the second CD:
Please insert Database CD#2
8. Insert Database CD#2. When the installation is complete, the appliance beeps and
restarts.
9. Perform the reconfiguration steps.

Reconfiguring the appliance
To reconfigure the appliance after you reinstall the software and database, follow the
setup instructions in the Proventia M Appliance Quick Start Guide, or perform the
reconfiguration steps as described in “Appliance Settings” on page 71 or in your
Proventia Mx Appliance Quick Start Guide.

Note: You should complete your appliance configuration while connected to the PXE
boot server. When you have completed all reinstallation and reconfiguration steps, press
CTRL+G to shut down the PXE server.

Note: Internet access is required in order to access firmware and database updates.
Disconnect the PXE boot server and reconnect the internal interface to your network for
internet access.


M50 Appliance Reinstallation Requirements


Introduction
You can reinstall the M50 appliance by using the Proventia Integrated Security Appliance
Recovery CD and the Proventia Integrated Security Appliance Web Filter and Antispam
Database CD Set. These CDs reinstall the original, unconfigured software and database.

Reinstallation tasks
To reinstall the software, you must complete the following procedures:

Task Description

1 Reinstall the appliance.
2 Reinstall the database.
3 Log in to the Proventia Setup utility (command line) and change the root, admin and
Proventia Manager passwords.
4 Configure the network and host, including the internal and external interfaces.
5 Configure the time and date.
6 Apply settings and reboot the appliance.

Table 155: Reinstallation tasks

Caution: Rebooting with the recovery CD restores the appliance to its original
configuration and removes any customized settings. The appliance also reverts to the
default login name and password. ISS recommends that you create a Settings Snapshot
from the Proventia Manager before using this CD if you want to restore your customized
settings. For more information about creating a settings snapshot, refer to the Proventia M
Series Appliance User Guide.

Prerequisites
Before you configure the M50 appliance, you must have completed the following
prerequisites:

● Verify the IP address, subnet mask, and default gateway of the appliance’s
management interface.
● Verify the hostname, domain name, and DNS name server for the appliance.
● Verify that the appliance is running. If your appliance is not operational, contact ISS
Customer Support at support@iss.net.

Note: The Proventia M50 appliance automatically senses network interface cards.


Reinstalling the M50 Appliance


Introduction
This topic contains instructions for reinstalling the M50 appliance from the Proventia
Integrated Security Appliance Recovery CD and the Proventia Integrated Security Appliance
Web Filter and Antispam Database CD Set.

The Web Filter and Antispam Database can be re-installed from the CDs or from
Proventia Manager. However, the database is a large file. It is recommended that you
initially reinstall it locally using the CDs, and then retrieve the updates via Proventia
Manager.

Caution: If you already have the database locally installed, you will overwrite the
database by re-installing.

Reinstalling the appliance
To reinstall the appliance:

1. Remove the bezel cover on the front of the appliance.
2. Place the Proventia Integrated Security Appliance Recovery CD in the CD-ROM drive.
3. Connect a computer with a monitor and keyboard to the appliance.
Tip: You can manually turn the power off and on if the appliance is not responding.
4. At the prompt, type reinstall, and then press ENTER.
The installer reloads the operating system and ejects the CD. The following message
appears:
Please insert Database CD#1
5. Insert the CD labelled Database CD #1 into the CD-ROM drive of the M50 appliance.
The appliance displays several status messages.
Note: The database spans two CDs.
Please insert Database CD#2
6. When the prompt appears, insert the CD labelled Database CD #2 into the CD-ROM
drive of the M50 appliance.
When the installation is complete, the appliance beeps and restarts.
7. Perform the reconfiguration steps as described in “Appliance Settings” on page 71 or
in your Proventia Mx Appliance Quick Start Guide.

Appendix A

Configuring Advanced Parameters

Overview

Introduction
This appendix describes the advanced parameters used by the Proventia Integrated
Security Appliance.

What are advanced parameters?
You can configure (or tune) certain parameters for the appliance to better meet your
security needs or to enhance the performance of your hardware. These advanced
parameters are composed of name and value pairs.

Components that can be tuned
The components of the Proventia Integrated Security Appliance that can be tuned are as
follows:

● event notification
● intrusion prevention responses and signatures
● firewall/VPN
● antivirus
● automatic updates
● services
● Web Filter and Antispam Database
● high availability

Name/value pairs
Advanced parameters are composed of name and value pairs. Each name and value pair
has a default value. However, not all advanced parameters appear on the Advanced
Parameters tab for a component. Only the most often-used advanced parameters appear
on the tab.

If you do not want to use the default value, you can add or edit name and value pairs for
any component that can be tuned.

Tuning parameter value types
Tuning parameter value types are as follows:

● boolean
● number
● string

Chapter A: Configuring Advanced Parameters

In this appendix
This appendix contains the following topics:

Topic Page

Configuring Event Notification Advanced Parameters 379
Configuring Intrusion Prevention Advanced Parameters 381
Configuring Firewall or VPN Advanced Parameters 383
Configuring Antivirus Advanced Parameters 385
Configuring Automatic Update Advanced Parameters 387
Configuring Services Advanced Parameters 389
Configuring Advanced Parameters for High Availability 393
Advanced Parameters for Event Notification 395
Advanced Parameters for the Intrusion Prevention Component 397
Block Rule Keywords for the Intrusion Prevention Component 404
Protection Response Keywords for the Intrusion Prevention Component 406
Advanced Parameters for the Firewall and VPN Components 408
Advanced Parameters for the Antivirus Component 411
Advanced Parameters for Automatic Updates 417
Advanced Parameters for Services 418
Advanced Parameters for the Web Filter and Antispam Database 419
Advanced Parameters for High Availability 420


Configuring Event Notification Advanced Parameters


Introduction
There may be instances in which the event notification settings must be tuned. You tune
these settings by adding or editing name and value pairs in the Event Notification Settings
Advanced Parameters tab.

Reference: For information about available parameters, refer to “Advanced Parameters
for Event Notification” on page 395.

Adding an event notification advanced parameter
To add an event notification advanced parameter:

1. In the navigation pane, click + to expand the System node.
2. Select Notification.
3. Select the Advanced Parameters tab.
4. Click Add.
5. Type the parameter name in the Name field.
6. Type a meaningful description in the Description field.
7. Specify the value type and value in the Value area.
8. Click OK.
9. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Editing an event notification advanced parameter
To edit an event notification advanced parameter:

1. In the navigation pane, click + to expand the System node.
2. Select Notification.
3. Select the Advanced Parameters tab.
4. Select an advanced parameter, and then click Edit.
5. Continue as described in Steps 5 through 9 of the “Adding an event notification
advanced parameter” procedure.

Copying and pasting an event notification advanced parameter
You can copy and paste a parameter before editing it. This is useful if you want to add a
parameter that is similar to a parameter already in the list.

To copy and paste an event notification advanced parameter:

1. In the navigation pane, click + to expand the System node.
2. Select Notification.
3. Select the Advanced Parameters tab.
4. Select an advanced parameter, and then click the Copy icon.
5. Click the Paste icon.
The appliance copies the parameter to the end of the list.
6. If necessary, edit the parameter, and then click OK.


7. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Removing an event notification advanced parameter
To remove an event notification advanced parameter:

1. In the navigation pane, click + to expand the System node.
2. Select Notification.
3. Select the Advanced Parameters tab.
4. Select an advanced parameter, and then click Remove.
The parameter is removed.
5. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.


Configuring Intrusion Prevention Advanced Parameters


Introduction
There may be instances in which the intrusion prevention settings must be tuned. You
tune these settings by adding or editing name and value pairs in the Intrusion Prevention
Settings Advanced Parameters tab.

Reference: For information about available parameters, refer to “Advanced Parameters
for the Intrusion Prevention Component” on page 397.

Adding an intrusion prevention advanced parameter
To add an intrusion prevention advanced parameter:

1. In the navigation pane, click + to expand the Intrusion Prevention node.
2. Select Settings.
3. Select the Advanced Parameters tab.
4. Click Add.
5. Type the parameter name in the Name field.
6. Type a meaningful description in the Description field.
7. Specify the value type and value in the Value area.
8. Click OK.
9. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Editing an intrusion prevention advanced parameter
To edit an intrusion prevention advanced parameter:

1. In the navigation pane, click + to expand the Intrusion Prevention node.
2. Select Settings.
3. Select the Advanced Parameters tab.
4. Select an advanced parameter, and then click Edit.
5. Continue as described in Steps 5 through 9 of the “Adding an intrusion prevention
advanced parameter” procedure.

Copying and pasting an intrusion prevention advanced parameter
You can copy and paste a parameter before editing it. This is useful if you want to add a
parameter that is similar to a parameter already in the list.

To copy and paste an intrusion prevention advanced parameter:

1. In the navigation pane, click + to expand the Intrusion Prevention node.
2. Select Settings.
3. Select the Advanced Parameters tab.
4. Select an advanced parameter, and then click the Copy icon.
5. Click the Paste icon.
The appliance copies the parameter to the end of the list.
6. If necessary, edit the parameter, and then click OK.


7. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Removing an intrusion prevention advanced parameter
To remove an intrusion prevention advanced parameter:

1. In the navigation pane, click + to expand the Intrusion Prevention node.
2. Select Settings.
3. Select the Advanced Parameters tab.
4. Select an advanced parameter, and then click Remove.
5. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.


Configuring Firewall or VPN Advanced Parameters


Introduction

There may be instances in which the firewall or VPN settings must be tuned. You tune these settings by adding or editing name and value pairs in the Firewall/VPN Settings Advanced Parameters tab.

Reference: For information about available parameters, refer to “Advanced Parameters for the Firewall and VPN Components” on page 408.

Adding a firewall or VPN advanced parameter

To add a firewall or VPN advanced parameter:

1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Settings.
3. Select the Advanced Parameters tab.
4. Click Add.
5. Type the parameter name in the Name field.
6. Type a meaningful description in the Description field.
7. Specify the value type and value in the Value area.
8. Click OK.
9. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Editing a firewall or VPN advanced parameter

To edit a firewall or VPN advanced parameter:

1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Settings.
3. Select the Advanced Parameters tab.
4. Click Edit.
5. Continue as described in Steps 5 through 9 of the “Adding a firewall or VPN advanced parameter” procedure.

Copying and pasting a firewall or VPN advanced parameter

You can copy and paste a parameter before editing it. This is useful if you want to add a parameter that is similar to a parameter already in the list.

To copy and paste a firewall or VPN advanced parameter:

1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Settings.
3. Select the Advanced Parameters tab.
4. Select an advanced parameter, and then click the Copy icon.
5. Click the Paste icon.
The appliance copies the parameter to the end of the list.
6. If necessary, edit the parameter, and then click OK.


7. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Removing a firewall or VPN advanced parameter

To remove a firewall or VPN advanced parameter:

1. In the navigation pane, click + to expand the Firewall/VPN node.
2. Select Settings.
3. Select the Advanced Parameters tab.
4. Select an advanced parameter, and then click Remove.
5. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.


Configuring Antivirus Advanced Parameters


Introduction

There may be instances in which the antivirus settings must be tuned. You tune these settings by adding or editing name and value pairs in the Antivirus Settings Advanced Parameters tab.

Reference: For information about available parameters, refer to “Advanced Parameters for the Antivirus Component” on page 411.

Adding an antivirus advanced parameter

To add an antivirus advanced parameter:

1. In the navigation pane, click + to expand the Antivirus node.
2. Select Settings.
3. Select the Advanced Parameters tab.
4. Click Add.
5. Type the parameter name in the Name field.
6. Type a meaningful description in the Description field.
7. Specify the value type and value in the Value area.
8. Click OK.
9. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Editing an antivirus advanced parameter

To edit an antivirus advanced parameter:

1. In the navigation pane, click + to expand the Antivirus node.
2. Select Settings.
3. Select the Advanced Parameters tab.
4. Select a parameter to edit, and then click Edit.
5. Continue as described in Steps 5 through 9 of the “Adding an antivirus advanced parameter” procedure.

Copying and pasting an antivirus advanced parameter

You can copy and paste a parameter before editing it. This is useful if you want to add a parameter that is similar to a parameter already in the list.

To copy and paste an antivirus advanced parameter:

1. In the navigation pane, click + to expand the Antivirus node.
2. Select Settings.
3. Select the Advanced Parameters tab.
4. Select an advanced parameter, and then click the Copy icon.
5. Click the Paste icon.
The appliance copies the parameter to the end of the list.
6. If necessary, edit the parameter, and then click OK.


7. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Removing an antivirus advanced parameter

To remove an antivirus advanced parameter:

1. In the navigation pane, click + to expand the Antivirus node.
2. Select Settings.
3. Select the Advanced Parameters tab.
4. Select an advanced parameter, and then click Remove.
5. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.


Configuring Automatic Update Advanced Parameters


Introduction

There may be instances in which the automatic update settings must be tuned. You tune these settings by adding or editing name and value pairs in the Automatic Update Settings Advanced Parameters tab.

Reference: For information about available parameters, refer to “Advanced Parameters for Automatic Updates” on page 417.

Adding an automatic update advanced parameter

To add an automatic update advanced parameter:

1. In the navigation pane, click + to expand the Updates node.
2. Select Automatic Settings.
If your appliance model requires it, the Export Administration Regulation window appears.
3. If needed, review the Export Agreement, select Yes, and then click Submit.
The Automatic Update Settings page appears.
4. Select the Advanced Parameters tab.
5. Click Add.
6. Type the parameter name in the Name field.
7. Type a meaningful description in the Description field.
8. Specify the value type and value in the Value area.
9. Click OK.
10. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Editing an automatic update advanced parameter

To edit an automatic update advanced parameter:

1. In the navigation pane, click + to expand the Updates node.
2. Select Automatic Settings.
If your appliance model requires it, the Export Administration Regulation window appears.
3. If needed, review the Export Agreement, select Yes, and then click Submit.
The Automatic Update Settings page appears.
4. Select the Advanced Parameters tab.
5. Select a parameter to edit, and then click Edit.
6. Continue as described in Steps 6 through 10 of the “Adding an automatic update advanced parameter” procedure.

Copying and pasting an automatic update advanced parameter

You can copy and paste a parameter before editing it. This is useful if you want to add a parameter that is similar to a parameter already in the list.


To copy and paste an automatic update advanced parameter:

1. In the navigation pane, click + to expand the Updates node.
2. Select Automatic Settings.
If your appliance model requires it, the Export Administration Regulation window appears.
3. If needed, review the Export Agreement, select Yes, and then click Submit.
The Automatic Update Settings page appears.
4. Select the Advanced Parameters tab.
5. Select an advanced parameter, and then click the Copy icon.
6. Click the Paste icon.
The appliance copies the parameter to the end of the list.
7. If necessary, edit the parameter, and then click OK.
8. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Removing an automatic update advanced parameter

To remove an automatic update advanced parameter:

1. In the navigation pane, click + to expand the Updates node.
2. Select Automatic Settings.
If your appliance model requires it, the Export Administration Regulation window appears.
3. If needed, review the Export Agreement, select Yes, and then click Submit.
The Automatic Update Settings page appears.
4. Select the Advanced Parameters tab.
5. Select an advanced parameter, and then click Remove.
6. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.


Configuring Services Advanced Parameters

Introduction

There may be instances in which the service settings must be tuned. You tune these settings by adding or editing name and value pairs in the Services Settings Advanced Parameters tab.

Reference: For information about available parameters, refer to “Advanced Parameters for Services” on page 418.

Adding a services advanced parameter

To add a services advanced parameter:

1. In the navigation pane, click + to expand the System node.
2. Select Services.
3. Select the Advanced Parameters tab.
4. Click Add.
5. Type the parameter name in the Name field.
6. Type a meaningful description in the Description field.
7. Specify the value type and value in the Value area.
8. Click OK.
9. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Editing a services advanced parameter

To edit a services advanced parameter:

1. In the navigation pane, click + to expand the System node.
2. Select Services.
3. Select the Advanced Parameters tab.
4. Select an advanced parameter, and then click Edit.
5. Continue as described in Steps 5 through 9 of the “Adding a services advanced parameter” procedure.

Copying and pasting a services advanced parameter

You can copy and paste a parameter before editing it. This is useful if you want to add a parameter that is similar to a parameter already in the list.

To copy and paste a services advanced parameter:

1. In the navigation pane, click + to expand the System node.
2. Select Services.
3. Select the Advanced Parameters tab.
4. Select an advanced parameter, and then click the Copy icon.
The appliance copies the parameter to the clipboard.
5. Click the Paste icon.
The appliance copies the parameter to the end of the list.


6. If necessary, edit the parameter, and then click OK.
7. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Removing a services advanced parameter

To remove a services advanced parameter:

1. In the navigation pane, click + to expand the System node.
2. Select Services.
3. Select the Advanced Parameters tab.
4. Select an advanced parameter, and then click Remove.
The parameter is removed.
5. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.


Configuring Web Filter and Antispam Database Advanced Parameters

Introduction

There may be instances in which the Web Filter and Antispam Database settings need to be tuned. You can tune parameters by adding or editing name/value pairs in the Web Filter and Antispam Database Advanced Parameter tab.

Adding a database advanced parameter

To add a database advanced parameter:

1. In the navigation pane, click + to expand the Web Filter node.
2. Select Settings.
3. Select the Advanced Parameters tab.
4. Click Add.
5. Type the parameter name in the Name field.
6. Type a meaningful description in the Description field.
7. Specify the value type and value in the Value area.
8. Click OK.
9. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Editing a database advanced parameter

To edit a database advanced parameter:

1. In the navigation pane, click + to expand the Web Filter node.
2. Select Settings.
3. Select the Advanced Parameters tab.
4. Select a parameter to edit, and then click Edit.
5. Make your changes.
6. Click OK.
7. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Copying and pasting a database advanced parameter

You can copy and paste a parameter before editing it. This is useful if you want to add an entry that is similar to an entry already in the list.

To copy and paste a database parameter:

1. In the navigation pane, click + to expand the Web Filter node.
2. Select Settings.
3. Select the Advanced Parameters tab.
4. Locate the parameter you want to copy, and then click the Copy icon.


5. Click the Paste icon.
The appliance copies the parameter to the end of the list.
6. If necessary, edit the parameter, and then click OK.
7. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Removing a database advanced parameter

To remove a parameter:

1. In the navigation pane, click + to expand the Web Filter node.
2. Select Settings.
3. Select the Advanced Parameters tab.
4. Locate the parameter you want to remove.
5. Click Remove.
6. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.


Configuring Advanced Parameters for High Availability


Introduction

There may be instances in which the high availability settings must be tuned. You tune these settings by adding or editing name and value pairs in the High Availability Advanced Parameters tab.

Considerations

If you use advanced parameters, disable Proxy ARP on the secondary device. This prevents the secondary device from responding to Proxy ARP addresses.

Reference: For information about available parameters, refer to “Advanced Parameters for High Availability” on page 420.

Adding a high availability advanced parameter

To add a high availability advanced parameter:

1. In the navigation pane, click + to expand the System node.
2. Select High Availability.
3. Select the Advanced Parameters tab.
4. Click Add.
5. Type the parameter name in the Name field.
6. Type a meaningful description in the Description field.
7. Specify the value type and value in the Value area.
8. Click OK.
9. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Editing a high availability advanced parameter

To edit a high availability advanced parameter:

1. In the navigation pane, click + to expand the System node.
2. Select High Availability.
3. Select the Advanced Parameters tab.
4. Select an advanced parameter, and then click Edit.
5. Continue as described in Steps 5 through 9 of the “Adding a high availability advanced parameter” procedure.

Copying and pasting a high availability advanced parameter

You can copy and paste a parameter before editing it. This is useful if you want to add a parameter that is similar to a parameter already in the list.

To copy and paste a high availability advanced parameter:

1. In the navigation pane, click + to expand the System node.
2. Select High Availability.
3. Select the Advanced Parameters tab.
4. Select an advanced parameter, and then click the Copy icon.


5. Click the Paste icon.
The appliance copies the parameter to the end of the list.
6. If necessary, edit the parameter, and then click OK.
7. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.

Removing a high availability advanced parameter

To remove a high availability advanced parameter:

1. In the navigation pane, click + to expand the System node.
2. Select High Availability.
3. Select the Advanced Parameters tab.
4. Select an advanced parameter, and then click Remove.
5. Do one of the following:
■ In the Proventia Manager interface, click Save Changes.
■ In the SiteProtector interface, click OK.


Advanced Parameters for Event Notification


Introduction

This topic describes the advanced parameters for event notification.

Adding, editing, and removing advanced parameters

For procedures for adding, editing, and removing advanced parameters, refer to “Configuring Event Notification Advanced Parameters” on page 379.

Advanced parameter descriptions

Table 156 describes the default advanced parameters for System Settings, and uses the following values:

● <namespace> is one of the following:
■ pam for intrusion prevention
■ provm for system, antivirus, firewall, and VPN
● <algorithm-id> is the algorithm id number associated with the issue

Name: event.enabled.<namespace>.<algorithm-id>
  Field Type/Values: Boolean / enabled, disabled
  Default Value: n/a
  Description: Determines whether the specified event is enabled or disabled.

Name: event.priority.<namespace>.<algorithm-id>
  Field Type/Values: Number
  Default Value: n/a
  Description: Sets the priority of a particular event. Priority levels include the following:
    1 = high
    2 = medium
    3 = low

Name: event.response.<namespace>.<algorithm-id>
  Field Type/Values: String / response keyword
  Default Value: n/a
  Description: Sets the response for the event. Response keywords are as follows:
    • DISPLAY:Default
    • EMAIL:Default or EMAIL:<EmailName>
    Note: <EmailName> is the email response name that is set on the System Notification
    You can set only one response advanced parameter for each event. To set multiple responses for an event, you must use a comma to separate the responses.
    Example: event.response.pam.20000001 DISPLAY:Default,EMAIL:Default

Name: Trace.csf.filename
  Field Type/Values: String
  Default Value: /tmp/CrmTrace.txt
  Description: Identifies the name of the csf trace file.

Name: Trace.csf.level
  Field Type/Values: Number
  Default Value: 0
  Description: Identifies the level of trace information to display in the csf trace file. Trace level settings are as follows:
    • 0 - No trace
    • 1 - Only errors
    • 2 - Only errors and warnings
    • 3 - Only errors, warnings, and anything worth noticing
    • 4 - Only errors, warnings, anything worth noticing, and informational messages
    • 5 - Errors, warnings, anything worth noticing, informational messages, and debug messages
    • 6 - All of levels 1 through 5

Name: Trace.other.filename
  Field Type/Values: String
  Default Value: /tmp/CrmCommTrace.txt
  Description: Identifies the communications trace file.

Name: Trace.other.level
  Field Type/Values: Number
  Default Value: 0
  Description: Identifies the level of trace information to display in the communications trace file. Trace level settings are as follows:
    • 0 - No trace
    • 1 - Only errors
    • 2 - Only errors and warnings
    • 3 - Only errors, warnings, and anything worth noticing
    • 4 - Only errors, warnings, anything worth noticing, and informational messages
    • 5 - Errors, warnings, anything worth noticing, informational messages, and debug messages
    • 6 - All of levels 1 through 5

Name: Eventlog.maxsize
  Field Type/Values: Number
  Default Value: 15000000
  Description: Identifies the maximum size in bytes of the event log.

Name: Eventlog.fullpolicy
  Field Type/Values: String / WRAP, STOP
  Default Value: WRAP
  Description: Indicates the policy that applies when the event log is full.

Table 156: Advanced parameter descriptions for notification responses
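The naming and value rules in Table 156 are easy to get wrong in a free-text Name/Value dialog, and a mistyped priority or a second response parameter for the same event is only noticed when the notification never arrives. The following is an added example, not code from the appliance or from ISS: a small linter that checks a list of name/value pairs against the rules the table states (the event.<field>.<namespace>.<algorithm-id> form, enabled/disabled Booleans, priority 1 to 3, comma-separated response keywords, trace levels 0 to 6, WRAP/STOP). The sample list at the bottom is constructed; that EMAIL:<EmailName> accepts any non-empty name is an assumption.

```python
"""Lint event notification advanced parameters (Table 156) before saving them.

Added example, not code from the Proventia M Series appliance or from ISS.
"""
import re

NAMESPACES = {"pam", "provm"}  # pam = intrusion prevention; provm = system, antivirus, firewall, VPN
EVENT_NAME = re.compile(r"^event\.(enabled|priority|response)\.([A-Za-z]+)\.(\d+)$")
# EMAIL:<EmailName> takes any non-empty name; treating the name as free-form is an assumption.
RESPONSE_KEYWORD = re.compile(r"^(DISPLAY:Default|EMAIL:\S+)$")
TRACE_LEVELS = {str(n) for n in range(7)}


def validate(name, value):
    """Return the problems found in one name/value pair (an empty list means it is acceptable)."""
    problems = []
    m = EVENT_NAME.match(name)
    if m:
        field, namespace, _algorithm_id = m.groups()
        if namespace not in NAMESPACES:
            problems.append(f"{name}: namespace must be pam or provm, not {namespace!r}")
        if field == "enabled" and value not in ("enabled", "disabled"):
            problems.append(f"{name}: Boolean value must be enabled or disabled, not {value!r}")
        elif field == "priority" and value not in ("1", "2", "3"):
            problems.append(f"{name}: priority must be 1 (high), 2 (medium) or 3 (low), not {value!r}")
        elif field == "response":
            # Several responses for one event go into one value, separated by commas.
            for keyword in value.split(","):
                if not RESPONSE_KEYWORD.match(keyword.strip()):
                    problems.append(f"{name}: unrecognised response keyword {keyword.strip()!r}")
        return problems

    if name in ("Trace.csf.level", "Trace.other.level"):
        if value not in TRACE_LEVELS:
            problems.append(f"{name}: trace level must be 0 through 6, not {value!r}")
    elif name in ("Trace.csf.filename", "Trace.other.filename"):
        if not value.startswith("/"):
            problems.append(f"{name}: expected an absolute file name, not {value!r}")
    elif name == "Eventlog.maxsize":
        if not (value.isdigit() and int(value) > 0):
            problems.append(f"{name}: maximum size must be a positive number of bytes, not {value!r}")
    elif name == "Eventlog.fullpolicy":
        if value not in ("WRAP", "STOP"):
            problems.append(f"{name}: full policy must be WRAP or STOP, not {value!r}")
    else:
        problems.append(f"{name}: not a documented event notification parameter")
    return problems


def validate_all(pairs):
    """Validate a list of (name, value) pairs as they appear in the Advanced Parameters list.

    The list form matters: only one event.response parameter is allowed per event,
    so a second entry with the same name is reported even if each entry is valid alone.
    """
    problems = []
    seen_responses = set()
    for name, value in pairs:
        problems.extend(validate(name, value))
        if name.startswith("event.response."):
            if name in seen_responses:
                problems.append(f"{name}: only one response parameter is allowed per event; "
                                "put additional responses in the same value, separated by commas")
            seen_responses.add(name)
    return problems


# Constructed sample list; the first entry is the example given in Table 156.
SAMPLE_PAIRS = [
    ("event.response.pam.20000001", "DISPLAY:Default,EMAIL:Default"),
    ("event.priority.pam.20000001", "1"),
    ("event.enabled.provm.3", "enabled"),
    ("event.priority.pam.20000002", "high"),          # wrong: must be 1, 2 or 3
    ("event.response.pam.20000001", "EMAIL:Oncall"),  # second response parameter for one event
    ("Trace.csf.level", "7"),                          # wrong: 0 through 6
    ("Eventlog.fullpolicy", "WRAP"),
]

if __name__ == "__main__":
    for problem in validate_all(SAMPLE_PAIRS):
        print(problem)
```

Running the block reports three problems for the constructed list: the textual priority, the duplicate response parameter, and the out-of-range trace level. Validation is deliberately per-entry plus one list-level check, because the single-response-per-event rule cannot be seen from one entry on its own.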


Advanced Parameters for the Intrusion Prevention Component


Introduction

This topic describes how to tune the intrusion prevention component of the Proventia Integrated Security Appliance.

Adding, editing, and removing advanced parameters

For procedures for adding, editing, and removing advanced parameters, refer to “Configuring Intrusion Prevention Advanced Parameters” on page 381.

Advanced parameter descriptions

Table 157 describes the advanced parameters for intrusion prevention:

Name: ipm.default.block.duration
  Field Type/Values: number / number of seconds
  Default Value: 3600 seconds (1 hour)
  Description: Specifies the number of seconds to block future traffic, if the duration in the block rule is zero.

Name: ipm.drop.invalid.checksum
  Field Type/Values: boolean / on, off
  Default Value: on
  Description: If set to on, then the intrusion prevention software drops all packets that contain an invalid checksum. If set to off, then the intrusion prevention software does not drop packets that contain an invalid checksum.

Name: ipm.drop.invalid.protocol
  Field Type/Values: boolean / on, off
  Default Value: on
  Description: If set to on, then the intrusion prevention software drops all packets that contain an invalid protocol. If set to off, then the intrusion prevention software does not drop packets that contain an invalid protocol.

Name: ipm.drop.resource.error
  Field Type/Values: boolean / on, off
  Default Value: on
  Description: If set to on, then the intrusion prevention software emits an error message and drops the current packet if insufficient resources are available to inspect the packet for attacks. If set to off, then the intrusion prevention software does not drop the current packet, even if there are insufficient resources.

Name: ipm.drop.rogue.tcp.packets
  Field Type/Values: boolean / on, off
  Default Value: off
  Description: If set to on, then the intrusion prevention software emits an error message and drops the current TCP packet if it is not a SYN packet and not part of an existing connection. All packets that are part of an already established TCP connection are considered rogue packets when PAM is reloaded, because PAM flushes all TCP connection records. If set to off, then the intrusion prevention software does not drop rogue TCP packets.

Name: ipm.dump.all
  Field Type/Values: boolean / on, off
  Default Value: off
  Description: If set to on, then the intrusion prevention software dumps all packets, as they are read from the IP stack, to a TCPDUMP capture file named /var/log/iss-ipm/dump.pid.tcpdump, where pid is the current process id of the intrusion prevention software packet inspection process. If set to off, then the intrusion prevention software does not dump all packets as they are read from the IP stack.

Name: ipm.dump.all.issues
  Field Type/Values: boolean / on, off
  Default Value: off
  Description: If set to on, then the intrusion prevention software dumps all packets that trigger an issue. The single packet capture is stored in the TCPDUMP capture file named /var/log/iss-ipm/issue.issueid.frame.pid.tcpdump, where issueid is the issueid of the current issue, frame is the frame number of the current packet, and pid is the current process id of the intrusion prevention software packet inspection process. If set to off, then the intrusion prevention software does not dump any packets that trigger issues unless specified by the advanced parameter ipm.issue.dump.issueid.

Name: ipm.dump.invalid.checksum
  Field Type/Values: boolean / on, off
  Default Value: on
  Description: If set to on, then the intrusion prevention software dumps all packets that contain an invalid checksum. The single packet capture is stored in the TCPDUMP capture file named /var/log/iss-ipm/invalid-checksum.frame.pid.tcpdump, where frame is the frame number of the current packet, and pid is the current process id of the intrusion prevention software packet inspection process. If set to off, then the intrusion prevention software does not dump packets that contain an invalid checksum.

Name: ipm.dump.invalid.protocol
  Field Type/Values: boolean / on, off
  Default Value: on
  Description: If set to on, then the intrusion prevention software dumps all packets that contain an invalid protocol. The single packet capture is stored in the TCPDUMP capture file named /var/log/iss-ipm/invalid-protocol.frame.pid.tcpdump, where frame is the frame number of the current packet, and pid is the current process id of the intrusion prevention software packet inspection process. If set to off, then the intrusion prevention software does not dump packets that contain an invalid protocol.

Name: ipm.issue.<algorithm-id>
  Field Type/Values: boolean / on, off
  Default Value: off
  Description: If set to on, then the intrusion prevention software configures PAM to detect and report the specified issue. If set to off, then the intrusion prevention software does not configure PAM to detect and report the specified issue.
  Note: <algorithm-id> is the algorithm id number associated with the issue.

Name: ipm.issue.block.rule.<algorithm-id>
  Field Type/Values: string / one or more block rule keywords
  Default Value: n/a
  Description: If one or more block rule keywords are specified, then the intrusion prevention software replaces any block rules recommended by PAM for the specified issue. Multiple block rules can be specified for a single issue. The value of the string is interpreted as a comma-separated list of one or more of the block rule keywords. If no block rule keyword is specified, then the intrusion prevention software ignores all block rules recommended by PAM for the specified issue.
  Reference: See “Block Rule Keywords for the Intrusion Prevention Component” on page 404 for the complete list of keywords and information about how to use them.
  Note: <algorithm-id> is the algorithm id number associated with the issue.

Name: ipm.issue.dump.<algorithm-id>
  Field Type/Values: boolean / on, off
  Default Value: off
  Description: If set to on, then the intrusion prevention software dumps all packets that trigger the specified issue. The single packet capture is stored in the TCPDUMP capture file named /var/log/iss-ipm/issue.issueid.frame.pid.tcpdump, where issueid is the algorithm id number of the current issue, frame is the frame number of the current packet, and pid is the current process id of the intrusion prevention software packet inspection process. This advanced parameter is ignored if ipm.dump.all.issues is enabled. If set to off, then the intrusion prevention software does not dump any packets that trigger issues unless specified by the advanced parameter ipm.dump.all.issues.
  Note: <algorithm-id> is the algorithm id number associated with the issue.

Name: ipm.issue.log.<algorithm-id>
  Field Type/Values: boolean / on, off
  Default Value: on
  Description: If set to on, then the intrusion prevention software writes an event to the system log file when PAM detects the specified issue. If set to off, then the intrusion prevention software does not write an event to the system log file for the specified issue.
  Note: <algorithm-id> is the algorithm id number associated with the issue.

Name: ipm.issue.name.<algorithm-id>
  Field Type/Values: string / new name for the issue
  Default Value: n/a
  Description: If a new name is specified, then the intrusion prevention software overrides the issue name recommended by PAM for the specified issue. If no new name is specified, then the intrusion prevention software emits a warning and ignores the advanced parameter.
  Note: <algorithm-id> is the algorithm id number associated with the issue.

Name: ipm.issue.priority.<algorithm-id>
  Field Type/Values: string / new priority for the issue, one of: low, medium, high
  Default Value: n/a
  Description: If the new priority is set to low, medium, or high, then the intrusion prevention software overrides the priority recommended by PAM for the specified issue. If the new priority is not set to low, medium, or high, then the intrusion prevention software emits a warning and ignores the advanced parameter.
  Note: <algorithm-id> is the algorithm id number associated with the issue.

Name: ipm.issue.protocol.<algorithm-id>
  Field Type/Values: string / new protocol for the issue
  Default Value: n/a
  Description: If a new protocol is specified, then the intrusion prevention software overrides the protocol recommended by PAM for the specified issue. If no new protocol is specified, then the intrusion prevention software emits a warning and ignores the advanced parameter.
  Note: <algorithm-id> is the algorithm id number associated with the issue.

Name: ipm.issue.response.<algorithm-id>
  Field Type/Values: string / new response keywords for the issue
  Default Value: n/a
  Description: If new response keywords are specified, then the intrusion prevention software replaces any responses recommended by PAM for the specified issue. Only one set of responses can be specified for each issue. The value of the string is interpreted as a comma-separated list of one or more of the protection response keywords. If no new response keywords are specified, then the intrusion prevention software ignores all responses recommended by PAM for the specified issue.
  Reference: See “Protection Response Keywords for the Intrusion Prevention Component” on page 406 for the complete list of keywords and information about how to use them.
  Note: <algorithm-id> is the algorithm id number associated with the issue.

Table 157: Advanced parameter descriptions for intrusion prevention
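Several of the ipm.drop.* and ipm.dump.* parameters in Table 157 interact: a packet with a bad checksum is captured and dropped under the defaults, ipm.issue.dump.<algorithm-id> is redundant once ipm.dump.all.issues is on, and ipm.dump.all writes every packet to one file per inspection process. The following added example, not the appliance's own code, walks one packet through those rules and reports whether it is dropped and which capture files under /var/log/iss-ipm/ are written. The parameter names, defaults and file name patterns are taken from the table; the Packet class, the pid and frame numbers and the sample packets are constructed for illustration.

```python
"""Apply the ipm.drop.* and ipm.dump.* rules of Table 157 to one inspected packet.

Added example, not the appliance's own code; Packet and the sample data are constructed.
"""
from dataclasses import dataclass, field

CAPTURE_DIR = "/var/log/iss-ipm"

# Defaults from Table 157; an advanced parameter with the same name overrides them.
DEFAULTS = {
    "ipm.drop.invalid.checksum": "on",
    "ipm.drop.invalid.protocol": "on",
    "ipm.drop.resource.error": "on",
    "ipm.drop.rogue.tcp.packets": "off",
    "ipm.dump.all": "off",
    "ipm.dump.all.issues": "off",
    "ipm.dump.invalid.checksum": "on",
    "ipm.dump.invalid.protocol": "on",
}


@dataclass
class Packet:
    frame: int                          # frame number assigned by the inspection process
    is_tcp: bool = False
    is_syn: bool = False
    in_known_connection: bool = True    # PAM still holds a connection record for this flow
    invalid_checksum: bool = False
    invalid_protocol: bool = False
    resources_exhausted: bool = False   # inspection could not obtain the resources it needed
    issues: list = field(default_factory=list)  # algorithm ids of the issues this packet triggered


def is_on(params, name):
    """Effective state of a boolean parameter: the explicit setting, else the table default."""
    return params.get(name, DEFAULTS.get(name, "off")) == "on"


def inspect(params, pkt, pid):
    """Return (dropped, reasons, capture_files) for one packet under the given parameters."""
    reasons, files = [], []

    if is_on(params, "ipm.dump.all"):  # every packet read from the IP stack, one file per process
        files.append(f"{CAPTURE_DIR}/dump.{pid}.tcpdump")

    if pkt.invalid_checksum:
        if is_on(params, "ipm.dump.invalid.checksum"):
            files.append(f"{CAPTURE_DIR}/invalid-checksum.{pkt.frame}.{pid}.tcpdump")
        if is_on(params, "ipm.drop.invalid.checksum"):
            reasons.append("invalid checksum")

    if pkt.invalid_protocol:
        if is_on(params, "ipm.dump.invalid.protocol"):
            files.append(f"{CAPTURE_DIR}/invalid-protocol.{pkt.frame}.{pid}.tcpdump")
        if is_on(params, "ipm.drop.invalid.protocol"):
            reasons.append("invalid protocol")

    if pkt.resources_exhausted and is_on(params, "ipm.drop.resource.error"):
        reasons.append("insufficient resources to inspect the packet")

    # A TCP packet that is neither a SYN nor part of a known connection is a rogue packet.
    if (pkt.is_tcp and not pkt.is_syn and not pkt.in_known_connection
            and is_on(params, "ipm.drop.rogue.tcp.packets")):
        reasons.append("rogue TCP packet")

    dump_all_issues = is_on(params, "ipm.dump.all.issues")
    for algorithm_id in pkt.issues:
        # ipm.issue.dump.<algorithm-id> only matters while ipm.dump.all.issues is off.
        if dump_all_issues or is_on(params, f"ipm.issue.dump.{algorithm_id}"):
            files.append(f"{CAPTURE_DIR}/issue.{algorithm_id}.{pkt.frame}.{pid}.tcpdump")

    return bool(reasons), reasons, files


if __name__ == "__main__":
    # Constructed packets: a bad checksum under default settings, and a mid-stream
    # TCP segment seen right after a PAM reload with rogue-packet dropping switched on.
    print(inspect({}, Packet(frame=42, invalid_checksum=True), pid=1234))
    print(inspect({"ipm.drop.rogue.tcp.packets": "on"},
                  Packet(frame=43, is_tcp=True, in_known_connection=False), pid=1234))
```

Two points the walkthrough makes visible: with ipm.drop.rogue.tcp.packets on, every established connection is dropped right after a PAM reload, because the table notes that the reload flushes all connection records, so the second sample packet is dropped even though it belongs to a legitimate session; and ipm.dump.all appends every packet to the process-wide dump file, so its output grows with link traffic rather than with detections.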


Block Rule Keywords for the Intrusion Prevention Component


Introduction

PAM includes a Quarantine Rules table that contains entries, called block rules, that specify which packets to block and how long to block them. The intrusion prevention software adds block rules to the Quarantine Rules table when the recommended response contains either the block-future-traffic or block-future-icmp-traffic response keywords.

Creating new block rules

New block rules can be created for both attack or audit issues, and existing block rules can be overridden using the advanced parameter ipm.issue.block.rule.issueid.

Block rule keyword descriptions

A block rule consists of a number of fields that define what packets will be filtered. A packet must match all conditions specified by the fields in order to be filtered.

The intrusion prevention software recognizes the following block rule keywords:

Name: block-by-intruder-addr
  Field Type: Boolean
  Description: If set to enabled, the intrusion prevention software drops all packets whose source or destination IP address (depending on the direction of the rule) matches the intruder address of the original attack or audit packet.

Name: block-by-intruder-port
  Field Type: Boolean
  Description: If set to enabled, the intrusion prevention software drops all packets whose source or destination port (depending on the direction of the rule) matches the intruder port of the original attack or audit packet.
  Note: This field is ignored if the response type is block-future-icmp-traffic.

Name: block-by-victim-addr
  Field Type: Boolean
  Description: If set to enabled, the intrusion prevention software drops all packets whose source or destination IP address (depending on the direction of the rule) matches the victim address of the original attack or audit packet.

Name: block-by-victim-port
  Field Type: Boolean
  Description: If set to enabled, the intrusion prevention software drops all packets whose source or destination port (depending on the direction of the rule) matches the victim port of the original attack or audit packet.
  Note: This field is ignored if the response type is block-future-icmp-traffic.

Name: block-by-icmp-type
  Field Type: Boolean
  Description: If set to enabled, the intrusion prevention software drops all packets whose ICMP type matches the ICMP type of the original attack or audit packet.
  Note: This field is ignored if the response type is block-future-traffic.

Name: block-by-icmp-code
  Field Type: Boolean
  Description: If set to enabled, the intrusion prevention software drops all packets whose ICMP code matches the ICMP code of the original attack or audit packet.
  Note: This field is ignored if the response type is block-future-traffic.

Name: duration: <seconds>
  Field Type: Number
  Description: Specifies the number of seconds to block. If the duration is set to zero, the duration will default to the value specified by the ipm.default.block.duration advanced parameter.

Name: percentage: <ratio>
  Field Type: Number
  Description: Specifies what percentage of packets to block. A value of 100 indicates that all packets should be blocked.

Table 158: Block rule keyword descriptions


Protection Response Keywords for the Intrusion Prevention Component

Introduction

The intrusion prevention software can perform one or more protection responses to automatically block attack and audit issues as they are detected.

Creating new responses

You can use the advanced parameter ipm.issue.response.issueid to create new responses for attack or audit issues, and to override existing responses.

Protection response keyword descriptions

The intrusion prevention software recognizes the following protection response keywords:
Response Keyword | Description
---|---
drop-packet or drop | The intrusion prevention software drops the current packet. The packet is not forwarded on to its destination.
block-connection or block | The intrusion prevention software uses PAM connection tagging to drop all future packets associated with the current TCP connection. In the case of connectionless protocols, such as UDP, the intrusion prevention software drops the current packet.
block-future-traffic or block-traffic | For each block rule recommended by PAM or specified in the configuration file, the intrusion prevention software adds a pair of entries to the Quarantine Rules table to block all future traffic in both directions.
block-future-icmp-traffic or block-icmp-traffic | For each block rule recommended by PAM or specified in the configuration file, the intrusion prevention software adds a single entry to the Quarantine Rules table to block all future ICMP traffic in the specified direction only.
block-intruder | If the current packet is a TCP packet, then the intrusion prevention software adds a pair of entries to the Quarantine Rules table to block all future traffic between the intruder and victim hosts. If the current packet is not TCP, then no action is taken.
block-trojan | If the current packet is a TCP packet, then the intrusion prevention software adds a pair of entries to the Quarantine Rules table to block all future traffic to and from the victim port on the victim host. If the current packet is not TCP, then no action is taken.
block-worm | If the current packet is a TCP packet, then the intrusion prevention software adds a pair of entries to the Quarantine Rules table to block all future traffic between the intruder host and the victim port on any system. If the current packet is not TCP, then no action is taken.
none | Specifies that no protection response should be taken for the current issue. Important: This keyword should not be used in conjunction with any other response keyword.
reset | If the current packet is a TCP packet, then the intrusion prevention software sends a TCP reset packet back to both the intruder and the victim. If the current packet is not TCP, then no action is taken. Notes: This response is ignored if the advanced parameter ipm.allow.reset is disabled. In some instances, PAM may modify the current packet to the victim to neuter the effect of the attack; this response is ignored if the advanced parameter ipm.allow.modify is disabled.
reset-victim | If the current packet is a TCP packet, then the intrusion prevention software sends a TCP reset packet back to the victim. If the current packet is not TCP, then no action is taken. Notes: This response is ignored if the advanced parameter ipm.allow.reset is disabled. In some instances, PAM may modify the current packet to the victim to neuter the effect of the attack; this response is ignored if the advanced parameter ipm.allow.modify is disabled.
reset-intruder | If the current packet is a TCP packet, then the intrusion prevention software sends a TCP reset packet back to the intruder. If the current packet is not TCP, then no action is taken. Note: This response is ignored if the advanced parameter ipm.allow.reset is disabled.

Table 159: Protection response keyword descriptions
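The following Python is an added illustration, not ISS or Proventia code: it models how the block rule keywords of Table 158 combine into one Quarantine Rules entry (every enabled condition must match, port fields ignored for ICMP rules and ICMP fields ignored for traffic rules, duration zero falling back to the default, percentage sampling) and how the block-future-traffic and block-future-icmp-traffic responses of Table 159 populate the table with a pair or a single entry. The Packet layout, the "in"/"out" direction convention, DEFAULT_BLOCK_DURATION standing in for ipm.default.block.duration, and the demo() scenario are assumptions.

```python
"""Added illustration of the Quarantine Rules table, not ISS/Proventia code. The
Packet layout, the in/out direction convention and DEFAULT_BLOCK_DURATION are assumed."""
from dataclasses import dataclass, replace
import random

DEFAULT_BLOCK_DURATION = 3600  # assumed stand-in for ipm.default.block.duration

@dataclass(frozen=True)
class Packet:
    src_addr: str
    dst_addr: str
    proto: str  # "tcp", "udp" or "icmp"
    src_port: int = 0
    dst_port: int = 0
    icmp_type: int = -1
    icmp_code: int = -1

@dataclass(frozen=True)
class BlockRule:
    """One Quarantine Rules entry; flags are Table 158 keywords, intruder/victim values come from the original packet."""
    response: str   # "block-future-traffic" or "block-future-icmp-traffic"
    direction: str  # "in": intruder -> victim, "out": victim -> intruder
    intruder_addr: str
    intruder_port: int
    victim_addr: str
    victim_port: int
    icmp_type: int = -1
    icmp_code: int = -1
    block_by_intruder_addr: bool = False
    block_by_intruder_port: bool = False
    block_by_victim_addr: bool = False
    block_by_victim_port: bool = False
    block_by_icmp_type: bool = False
    block_by_icmp_code: bool = False
    duration: int = 0  # zero falls back to DEFAULT_BLOCK_DURATION
    percentage: int = 100
    created: float = 0.0

    def matches(self, pkt: Packet, now: float) -> bool:
        """A packet is filtered only if it satisfies every enabled condition."""
        icmp_rule = self.response == "block-future-icmp-traffic"
        expired = now >= self.created + (self.duration or DEFAULT_BLOCK_DURATION)
        if expired or (icmp_rule and pkt.proto != "icmp"):
            return False
        # The rule direction decides which packet end is compared with the intruder.
        if self.direction == "in":
            i_addr, i_port, v_addr, v_port = pkt.src_addr, pkt.src_port, pkt.dst_addr, pkt.dst_port
        else:
            i_addr, i_port, v_addr, v_port = pkt.dst_addr, pkt.dst_port, pkt.src_addr, pkt.src_port
        checks = [(self.block_by_intruder_addr, i_addr, self.intruder_addr),
                  (self.block_by_victim_addr, v_addr, self.victim_addr)]
        if icmp_rule:  # port fields are ignored for block-future-icmp-traffic
            checks += [(self.block_by_icmp_type, pkt.icmp_type, self.icmp_type),
                       (self.block_by_icmp_code, pkt.icmp_code, self.icmp_code)]
        else:          # ICMP fields are ignored for block-future-traffic
            checks += [(self.block_by_intruder_port, i_port, self.intruder_port),
                       (self.block_by_victim_port, v_port, self.victim_port)]
        return all(seen == want for enabled, seen, want in checks if enabled)

def add_rules(table: list, rule: BlockRule) -> list:
    """block-future-traffic adds a pair of entries (both directions);
    block-future-icmp-traffic adds a single entry for the given direction."""
    if rule.response == "block-future-traffic":
        table += [replace(rule, direction="in"), replace(rule, direction="out")]
    elif rule.response == "block-future-icmp-traffic":
        table.append(rule)
    else:
        raise ValueError("not a quarantine response: " + rule.response)
    return table

def should_drop(table: list, pkt: Packet, now: float, rng=random.Random(1)) -> bool:
    """Drop when a live rule matches and the percentage sample selects the packet."""
    return any(r.matches(pkt, now) and rng.randrange(100) < r.percentage for r in table)

def demo() -> dict:
    """Constructed scenario: TCP attack 203.0.113.7:40000 -> 192.0.2.10:80 (worm-style rule), then an ICMP echo request from the same intruder."""
    t0 = 1000.0
    worm = BlockRule("block-future-traffic", "in", "203.0.113.7", 40000, "192.0.2.10", 80,
                     block_by_intruder_addr=True, block_by_victim_port=True,
                     duration=600, created=t0)
    ping = BlockRule("block-future-icmp-traffic", "in", "203.0.113.7", 0, "192.0.2.10", 0,
                     icmp_type=8, block_by_intruder_addr=True, block_by_icmp_type=True,
                     created=t0)
    table = add_rules(add_rules([], worm), ping)
    return {
        "entries": len(table),  # 2 for the pair + 1 ICMP entry
        "intruder_to_any_port_80": should_drop(
            table, Packet("203.0.113.7", "192.0.2.99", "tcp", 51000, 80), t0 + 1),
        "reply_from_port_80": should_drop(
            table, Packet("192.0.2.99", "203.0.113.7", "tcp", 80, 51000), t0 + 1),
        "intruder_to_port_443": should_drop(
            table, Packet("203.0.113.7", "192.0.2.10", "tcp", 51001, 443), t0 + 1),
        "after_expiry": should_drop(
            table, Packet("203.0.113.7", "192.0.2.10", "tcp", 51000, 80), t0 + 601),
        "echo_request_in": should_drop(
            table, Packet("203.0.113.7", "192.0.2.10", "icmp", icmp_type=8, icmp_code=0), t0 + 1),
        "echo_reply_out": should_drop(
            table, Packet("192.0.2.10", "203.0.113.7", "icmp", icmp_type=0, icmp_code=0), t0 + 1),
    }
```

The worm-style rule shows why a pair of entries is needed: the reply from port 80 is only caught by the "out" entry, while the single ICMP entry blocks only the intruder-to-victim direction.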


Advanced Parameters for the Firewall and VPN Components


Introduction

This topic describes how to tune the firewall and VPN components of the Proventia Integrated Security Appliance.

Adding, editing, and removing advanced parameters

For procedures for adding, editing, and removing advanced parameters, refer to “Configuring Firewall or VPN Advanced Parameters” on page 383.

Advanced parameter descriptions

Table 160 describes the advanced parameters for the firewall and VPN components:

Name | Field Type/Values | Default Value | Description
---|---|---|---
attack.icmperror_messages | Boolean / True, False | True | Controls whether the firewall detects and reports ICMP error messages.
attack.mimeflood | Boolean / True, False | False | Controls whether the firewall detects and reports MIME flood attacks.
attack.mimeflood_maxhdrlen | Number | 8192 | Specifies the maximum size of a MIME header.
attack.mimeflood_maxhdrs | Number | 16 | Specifies the smallest number of MIME headers that are detected before reporting the attack.
attack.log_one_attack_every | Number | 1 | Protects the event log system from being flooded with duplicate attack entries.
attack.log_one_policy_every | Number | 1 | Protects the event log system from being flooded with duplicate rule entries.
attack.log_one_vpn_every | Number | 1 | Protects the event log system from being flooded with duplicate VPN entries.
attack.synflood | Boolean / True, False | True | Controls whether the firewall detects SYN flood attacks.
connlim.dmz | Number | 101150 | Specifies the maximum number of connections allowed from the DMZ network.
connlim.external | Number | 101150 | Specifies the maximum number of connections allowed from the external network.
connlim.exttoself | Number | 4999 | Specifies the maximum number of connections allowed from either the external or the eth2 (DMZ) network to the appliance.
connlim.internal | Number | 101150 | Specifies the maximum number of connections allowed from the internal network.
connlim.self | Number | 101150 | Specifies the maximum number of connections allowed from the appliance.
ipre.enabled | Boolean / True, False | True | Enables or disables IP reassembly.
ipre.max_frag_count | Number | 44 | Specifies the maximum number of fragments allowed per packet for IP reassembly.
ipre.max_packet_size | Number | 65535 | Specifies the maximum allowed packet size for IP reassembly.
ipre.min_frag_size | Number | 512 | Specifies the smallest allowed fragment size for IP reassembly.
ipre.timeout | Number / 1 - 120 inclusive | 60 | Specifies the time in seconds within which all fragments must be received for IP reassembly.
srvctimeout.ftp | Number | 14400 | Specifies the number of seconds before an FTP connection times out.
srvctimeout.http | Number | 360 | Specifies the number of seconds before an HTTP connection times out.
srvctimeout.https | Number | 360 | Specifies the number of seconds before an HTTPS connection times out.
srvctimeout.icmp | Number | 60 | Specifies the number of seconds before an ICMP connection is timed out.
srvctimeout.tcp | Number | 14400 | Specifies the number of seconds before a TCP connection times out.
srvctimeout.udp | Number | 60 | Specifies the number of seconds before a UDP connection times out.
syslog.firewall_name | String | Firewall | Specifies the text that is attached to each firewall-related entry written to the syslog.
syslog.log_override.disable.<number> | Boolean | None | Stops the firewall from logging events for a specific message ID <number>.
syslog.log_override.count.<number> | Number | Same as system | Overrides the log_rate limit count for a specific message ID <number>.
syslog.log_override.time | Number | Same as system | Overrides the log_ratelimit time for a specific message ID <number>.
syslog.server | String | 127.0.0.1 | Specifies the syslog server to which firewall events are written. Note: If you change this setting, you will not see firewall and VPN alerts on the Alert Event Log page.
stealth.external.enabled | Boolean / True, False | False | Enables stealth drop on all packets matching a reject rule for traffic originating from an external host to an internal host.
stealth.internal.enabled | Boolean / True, False | False | Enables stealth drop on all packets matching a reject rule for traffic originating from an internal host to an external host.
stealth.self.enabled | Boolean / True, False | False | Enables stealth drop on all packets matching a reject rule for traffic originating from an internal or external host to any interface on the appliance.

Table 160: Advanced parameter descriptions for firewall component


Advanced Parameters for the Antivirus Component


Introduction

This topic describes how to tune the Antivirus component of the Proventia Integrated Security Appliance.

Adding, editing, and removing advanced parameters

For procedures for adding, editing, and removing advanced parameters, refer to “Configuring Firewall or VPN Advanced Parameters” on page 383.

Advanced parameter descriptions

Table 161 describes the advanced parameters for the Antivirus component:

Name | Field Type/Values | Default Value | Description
---|---|---|---
avlib.2level_lib | String | libgenav.so | Specifies the name of the AV library loaded by all proxies.
ftp.av_max_subfiles | Number | 2000 | Specifies the maximum number of subfiles to include in a virus scan. If this number is exceeded, the scan is aborted.
ftp.av_max_k_expand | Number | (20*1024) | Specifies the maximum expansion size of a compressed file. If this size is exceeded, the virus scan is aborted.
ftp.av_max_k_classifloops | Number | 500 | Specifies the maximum number, in thousands, of classification loops. If this number is exceeded, the virus scan is aborted.
ftp.av_max_scan_time | Number | 30 | Specifies the number of seconds that the antivirus software will attempt to virus scan a file. If this time is exceeded, the virus scan is aborted.
ftp.max_size | Number | 2048 | Specifies the maximum size in MB of a downloading file to be virus scanned. If this size is exceeded, the download is aborted.
http.av_max_subfiles | Number | 2000 | Specifies the maximum number of subfiles to include in a virus scan. If this number is exceeded, the scan is aborted.
http.av_max_k_expand | Number | (20*1024) | Specifies the maximum expansion size of a compressed file. If this size is exceeded, the virus scan is aborted.
http.av_max_k_classifloops | Number | 500 | Specifies the maximum number, in thousands, of classification loops. If this number is exceeded, the virus scan is aborted.
http.av_max_scan_time | Number | 30 | Specifies the number of seconds that the antivirus software will attempt to virus scan a file. If this time is exceeded, the virus scan is aborted.
http.prefix | String | ht_ | Specifies the prefix of the HTTP files written to the HTTP scan directory.
http_proxy.disk_cache | Boolean | Off | Enables or disables local caching of static Internet content by the HTTP transparent proxy.
http.quarantine_dir | String | /var/av/quarantine/ | Specifies the directory in which quarantine files are saved.
http.quarantine_scan_fails | Number / 0, 1 | 0 | Indicates whether the antivirus software saves a copy of a file when an error is returned on that file. Settings are as follows: 0 - File is not saved. 1 - File is saved to the quarantine directory.
http.scan_dir | String | /var/av/scan | Specifies the directory in which antivirus scanning occurs for HTTP.
http.scan_images | Number / 0, 1 | 0 | Indicates whether files of the following types are excluded from virus scanning: .aif, .aifc, .aiff, .asc, .au, .avi, .bmp, .csv, .eps, .gif, .gho, .ief, .iso, .jpe, .jpeg, .jpg, .kar, .latex, .log, .mid, .midi, .mov, .movie, .mp2, .mp3, .mpa, .mpe, .mpeg, .mpg, .mpga, .nrg, .pbm, .pxc, .pgm, .png, .pnm, .ppm, .ps, .qt, .ra, .ram, .rgb, .rm, .rof, .snd, .tex, .texi, .texinfo, .tif, .tiff, .tsv, .txt, .wav, .wma, .xbm, .xpm, .xwd. Settings are as follows: 0 - Excluded files are not scanned. 1 - Excluded files are scanned.
issavd.internal_if | String | eth0 | Specifies an interface name that local clients route through to reach the appliance. Interface names are as follows: eth0 - defines internal; eth1 - defines external; eth2 - defines DMZ. This parameter helps to determine whether the source of a virus is a local or a remote node.
issavd.cache_entries | Number | 2000 | Specifies the maximum number of entries in the file cache.
issavd.cache_timeout | Number | 3600 | Specifies the maximum number of seconds an entry is in the file cache before it times out.
issavd.dat_dir | String | /etc/av/dat | Specifies the location of the antivirus signature files.
issavd.ip_cache_entries | Number | 5000 | Specifies the maximum number of entries in the local IP client cache.
issavd.ip_cache_timeout | Number | 3600 | Specifies the maximum number of seconds an entry is in the local IP client cache before it times out.
issavd.virus_timeout | Number | 3600 | Specifies the maximum number of seconds an entry is in the virus cache before it is timed out.
MessageWall.<parameter> | String | <parameter> | <parameter> can be any MessageWall parameter in the messagewall.conf file. Note: The string is not case sensitive.
pop3.av_max_subfiles | Number | 2000 | Specifies the maximum number of subfiles to include in a virus scan. If this number is exceeded, the scan is aborted.
pop3.av_max_k_expand | Number | (20*1024) | Specifies the maximum expansion size of a compressed file. If this size is exceeded, the virus scan is aborted.
pop3.av_max_k_classifloops | Number | 500 | Specifies the maximum number, in thousands, of classification loops. If this number is exceeded, the virus scan is aborted.
pop3.av_max_scan_time | Number | 30 | Specifies the number of seconds that the antivirus software will attempt to virus scan a file. If this time is exceeded, the virus scan is aborted.
pop3.maxchilds | Number | 100 | Specifies the maximum number of child processes that can exist at a given time.
pop3.scan_dir | String | /var/av/scan | Specifies the directory in which antivirus scanning occurs for POP3.
pop3.scannertype | String | generic | Specifies the pop3vscan antivirus scanner to use. Note: Pop3vscan can use several types of antivirus scanners. ISS uses a new generic antivirus API.
quarantine.active | Number / 0, 1 | 1 | Indicates whether files containing viruses are written to the quarantine directory. Settings are as follows: 0 - Infected files are permanently deleted. 1 - Infected files are saved in the quarantine directory.
quarantine.dir_size | Number | 10000000000 | Specifies the number of bytes in the antivirus quarantine directory.
quarantine.max_age | Number | 2592000 (30 days) | Specifies the maximum number of seconds that an entry is left in the antivirus quarantine directory before being deleted.
quarantine.quarantine_dir | String | /var/av/quarantine | Specifies the quarantine directory for all infected files.
quarantine.scan_frequency | Number | 900 | Specifies the seconds between successive quarantine directory scans.
smtp.av | Number / 0, 1 | 1 | Indicates whether the antivirus software scans files. Settings are as follows: 0 - Files are not virus scanned. 1 - Files are virus scanned.
smtp.av_max_subfiles | Number | 2000 | Specifies the maximum number of subfiles to include in a virus scan. If this number is exceeded, the scan is aborted.
smtp.av_max_k_expand | Number | (20*1024) | Specifies the maximum expansion size of a compressed file. If this size is exceeded, the virus scan is aborted.
smtp.av_max_k_classifloops | Number | 500 | Specifies the maximum number, in thousands, of classification loops. If this number is exceeded, the virus scan is aborted.
smtp.av_max_scan_time | Number | 30 | Specifies the number of seconds that the antivirus software will attempt to virus scan a file. If this time is exceeded, the virus scan is aborted.
smtp.cfas | Number | 0 | Indicates whether the antivirus software scans files that are inspected by the Web Filter or Antispam modules. Settings are as follows: 0 - Files are not virus scanned. 1 - Files are virus scanned.
smtp.cfas_lib | String | /usr/lib/libcfasmail.so | Specifies the Web Filter and Antispam library.
smtp.prefix | String | sm_ | Specifies the prefix of the temporary files generated by the SMTP proxy and scanned by the antivirus software.
smtp.scan_dir | String | /var/av/scan | Specifies the directory in which antivirus scanning occurs for SMTP.

Table 161: Advanced parameter descriptions for Antivirus component


Advanced Parameters for Automatic Updates


Introduction

This topic describes how to tune automatic updates for the Proventia Integrated Security Appliance.

Adding, editing, and removing advanced parameters

For procedures for adding, editing, and removing advanced parameters, refer to “Configuring Automatic Update Advanced Parameters” on page 387.

Advanced parameter descriptions

Table 162 describes the advanced parameters for automatic updates:

Name | Field Type/Values | Default Value | Description
---|---|---|---
Update.disable.remote.discovery | Boolean / true, false | false | Enables or disables remote discovery of update files from the download site.
Update.disable.wfasdb.update.discovery | Boolean / true, false | false | Enables or disables discovery of Web Filter and Antispam database updates. When disabled, the appliance will not check for database updates even when a database is installed.
Update.preserve.update.files | Boolean / true, false | false | Enables or disables deleting update package files after they have been successfully installed.
Update.update.directory | string | /var/spool/updates | Specifies the fully qualified path to which the update package files are downloaded and manually copied.
Update.update.logs.directory | string | /var/spool/updates/logs | Specifies the fully qualified directory to which the update install and uninstall log files are copied.
Update.enable.comm.debug | Boolean / true, false | false | Enables or disables Curl log messages sent to the CrmTrace.txt file. The CRM’s trace level must be set to 6 (debug) for the logging messages to appear. The Curl log messages are derived from debug messages generated by the Curl library as it communicates with the update server.

Table 162: Advanced parameter descriptions for updates


Advanced Parameters for Services


Introduction

This topic describes how to tune Services for the Proventia Integrated Security Appliance.

Adding, editing, and removing advanced parameters

For procedures for adding, editing, and removing advanced parameters, refer to “Configuring Services Advanced Parameters” on page 389.

Advanced parameter descriptions

Table 162 describes the advanced parameters for Services:

Name | Field Type/Values | Default Value | Description
---|---|---|---
dhcpserver.ddns-update-style | String | None | Determines the ddns-update-style setting for the DHCP server.

Table 163: Advanced parameter descriptions for services


Advanced Parameters for the Web Filter and Antispam Database

Introduction

This topic describes how to tune automatic updates for the Proventia Integrated Security Appliance.

Adding, editing, and removing advanced parameters

For procedures for adding, editing, and removing advanced parameters, refer to “Introduction” on page 389.

Advanced parameter description

The following table describes the advanced parameters for the Web Filter and Antispam Database:

Name | Field Type/Values | Default Value | Description
---|---|---|---
max_bandwidth | number / kilobytes per second | 0 | Limits the bandwidth utilized when downloading the complete database and incremental updates (0 = unlimited).
debug.level | number | 0 | Specifies the number of diagnostic messages. Settings are as follows: 0 - No messages; 1; 2; 3; 4.

Table 164: Advanced parameter descriptions for the Web Filter and Antispam Database


Advanced Parameters for High Availability


Introduction

This topic describes how to tune high availability for the Proventia Integrated Security Appliance.

Adding, editing, and removing advanced parameters

For procedures for adding, editing, and removing advanced parameters, refer to “Configuring Advanced Parameters for High Availability” on page 393.

Advanced parameter description

The following table describes the advanced parameters for high availability:

Name | Field Type/Values | Default Value | Description
---|---|---|---
debug.log | Boolean | unchecked | Enables separate log files for HA. These files are /var/log/ha-log and /var/log/ha-debug.
udp.broadcast | Boolean | unchecked | Enables the heartbeat UDP packets to be broadcast over all internal interfaces.
udp.port | integer / 0-65535 | 694 | Port value to which heartbeat UDP packets are sent.

Table 165: Advanced parameter descriptions for high availability

Appendix B

Appliance Events

Overview
Introduction

This appendix defines the possible values that indicate the disposition of events.

In this appendix

This appendix contains the following topics:

Topic | Page
---|---
Firewall Events | 422
System Events | 428
Antivirus Events | 429
Intrusion Prevention Events | 430
Web Filter Events | 431
Antispam Events | 432
Update Events | 433
High Availability Events | 434


Firewall Events
Definitions

Table 166 identifies possible firewall events and defines the messages associated with each event.

Issue ID Event Name Messages Packet


Disposition

3000012 Firewall_Resource_Error Ceiling for number of connections reached, dropping Dropped


packet
Ceiling for number of connections to the device, dropping
packet
Memory allocation for connection failed, dropping packet
Unable to send syn packet
Send final ACK to target failed
Attempt to release incorrect TCP nat port
Attempt to release incorrect UDP nat port
Attempt to release incorrect ICMP nat port
Traffic Police module Init function failed (module not
present)
Traffic Shaping module Init function failed (module not
present)
Unable to get PortMap for NAT %lx:%ld Proto %u
Unable to free Unknown Protocol NAT port for %lx:%ld
Unable to free TCP NAT port for%lx:%ld
Unable to free UDP NAT port for%lx:%ld
Unable to free ICMP NAT port for%lx:%ld
Unable to free GRE NAT port for%lx:%ld
Unable to free Unknown Protocol NAT port for%lx:%ld
Aol ALG Alloc Entry Failed!
Dns Alloc Entry Failed!
Dropping DNS request as memory allocation failed
Dmy ALG Alloc Entry Failed!
Invalid FTP PASV cmd reply seen, dropping packet
FTP Get port failed
Invalid FTP PASV cmd reply seen, dropping packet
FTP PASV cmd response came without request, dropping
packet
FTP ALG Alloc Entry Failed!
H.323:Registration Failed because InitPerBuffers Failed
H.323: Unable to get Nat port
H.323:Failed to Allocate memory for H323_H245
Connection
H.323:Failed to make H323_H245 Connection
H.323:Failed to Create memory for pH323_RtpRtcp
H.323:Failed to Create memory for pH323_T120
H.323:Failed to make connection for H323T120

Table 166: Firewall event dispositions

422
Firewall Events

Issue ID Event Name Messages Packet


Disposition

3000012 Firewall_Resource_Error H.323:Failed to make connection for H323RtpRtcp Dropped


H.323:Failed to Allocate Memory for H323T120
H323GK ALG Alloc Entry Failed!
Ils ALG Alloc Entry Failed!
IRC:Failed to allocate memory for IRC connection
IRC:No of Messages are more than
MAX_IRC_REQUESTS
IRC:Size of Message is more than MAX_IRCSIZE
IRC:Something wrong%d
IRC:Something gone wrong in Notice Message
IRC:Unable to Allocate memory for IRCData
IRC:Unable to allocate create dynamic association for
IRC
IRC:Unable to create IGWbuf for IRC
Msn ALG Alloc Entry Failed!
N2P ALG Alloc Entry Failed!
N2PE ALG Alloc Entry Failed!
Pptp Alloc Entry Failed!
Rpc Alloc Entry Failed!
RPC Program Number%lu denied
Stored RPC transaction Id doesn't match server
response, dropping packet
RPC Server's response is undecipherable, dropping
packet
RTSP:Failed to allocate memory for RTSP connection
RTSP:Failed to allocate IGWbuf for RTSP connection
RTSP:Failed to NatPort for RTSP connection
RTSP:Failed to Create RTSP Data connection
Sql ALG Alloc Entry Failed!
Tftp ALG Alloc Entry Failed!
ALGSipInit::Could Not allocate Ctrl Info
ALGSipInit::Failed to set app process
ALGSipInit::Failed to set app process
ALGSipProcess::Unsupported SIP message
ALGSipProcess::ALGSipMangleMessage returned error
ALGSipProcess::Failed to allocate new buffer
ALGSipMangleMessage::Failed to create association for
RTP.
ALGSipMangleMessage::Failed to create association for
RTP.
ALGSipProcess::Failed to Allocate CtrlInfo
ALGSipProcess::Failed to create association
Memory allocation for AppRegister failed.
ICMP Type: %u Code: %u Memory allocation failed,
dropping packet

Table 166: Firewall event dispositions (Continued)


Proventia M Series Appliances User Guide Release 2.3
423
Appendix B: Appliance Events

Issue ID Event Name Messages Packet


Disposition

30000012 Firewall_Resource_Error Unable to get PortMap for NAT %lx:%ld Proto %u Dropped
Unable to get PortMap for NAT %lx:%ld Proto %u
Unable to get PortMap for NAT %lx:%ld Proto %u
Unable to allocate memory for NAT portmap (%lx->%lx)
ADAlgRegisterNatPorts:Some ports in the specified
Range already Registered
AlgId %d Protocol %d StartPort %ld EndPort %ld
ADAlgRegisterNatPorts: Unable to get memory
ADAlgRegisterNatPorts:Invalid Range StartPort %ld
EndPort %ld
ADAlgRegisterNatPorts:Trying to register twice. AlgId %d
Protocol %d
Attempt to de-register port map for unavailable NIP %lx-
%lx
Something went wrong in function ADLDelNatPort
Unable to get PortMap for NAT %lx Proto %d

3000009 Firewall_Invalid_Packet Attempt to Access Blocked NEWS Group %s Dropped


Attempt to contact ProxyServer, dropping packet
HTTP request exceed the buffer limit of URL keyword
filtering
Denyed key-word \"%s\" found in the URI
Memory allocation failed URL filtering, closing the
connection
Invalid HTTP request, closing the connection

3000004 Firewall_Syn_Flood Crossed 80% of resource. Possible flooding (TCP) Allowed

3000007 Firewall_IP_Spoofing Spoofing detected, dropping packet Dropped

3000010 Firewall_Rule_Not_Found Security policy unavailable for access policy, dropping Dropped
packet
Access Policy not found, dropping packet

3000011 Firewall_Allow_Rule Service access request successful Allowed

3000008 Firewall_Deny_Rule Deny access policy matched, dropping packet Dropped


Access policy referred on deny timerange, dropping
packet

3000013 Firewall_Access_Statistics Connection terminated/closed/timed out. Bytes Not Applicable


transferred : %lu

Table 166: Firewall event dispositions (Continued)

424
Firewall Events

Issue ID Event Name Messages Packet


Disposition

3000006 Firewall_General_Attack Possible Land attack detected, dropping packet Dropped


Unable to find route for source, dropping packet
Source IP is a broadcast address, dropping packet
Unable to determine route to destination, dropping packet
TCP connection request received is invalid, dropping
packet
Invalid ack value received for connection, dropping packet
UDP echo response received for uninitiated echo request
(Possible smurf attack), dropping packet
Echo response for uninitiated echo request (Possible
Smurf Attack), dropping packet
General attack detected, dropping packet (not used
currently)
IP header length is less then the minimum length
Packet without any data received
Packet with Short TCP Header length detected,packet
dropped
Dropping packet due to length problem in TCP
TCP Null Scan attack detected
Packet with Short UDP Header length detected, packet
dropped
Dropping packet because of invalid length in UDP
Packet with Short ICMP length detected, packet dropped
Dropping ICMP packet of type %d (unknown type)
Post Connection SYN attack detected
Security Policy configured but plain pkt received, dropping
packet
Rate-Limiting: Max Conn Rate reached, new conns will
not be formed
Rate-Limiting: Max Conn Limit reached, new conns will
not be formed
Data packet received after reset, dropping packet
Blind Spoofing attack detected
Zero bytes transferred for connection (non-ICMP)
Zero bytes transferred for connection (ICMP)

Table 166: Firewall event dispositions (Continued)

Proventia M Series Appliances User Guide Release 2.3


425
Appendix B: Appliance Events

Issue ID: 3000006
Event Name: Firewall_General_Attack
Packet Disposition: Dropped
Messages:
Data connection not established from remote
Received Invalid DNS reply with ID: %u
FTP Bounce attack detected dropping packet
MIME Header Length Exceeded the Maximum Limit in the HTTP Request
Maximun number of MIME Header in the HTTP nequesyt exceeded
Rate-Limiting: Maximum Packet Rate reached, dropping the packet
Rate-Limiting: Maximum Bandwidth Reached, dropping the packet
Packet with sequence number out of range detected,dropping packet
Invalid sequence number received with Reset, dropping packet
ICMP Type: %u Code: %u, Received duplicate sequence number: %u
ICMP Type: %u Code: %u Echo response received for unknown sequence number %u, dropping packet
Packet header length is less than expected, dropping packet
Received packet is too small to yank IP header, dropping packet
Checksum error, dropping packet
Packet without any data received,packet dropped
Zero data length IP fragment detected, dropping fragment
Length in IP Header > Data length. Possible JOLT attack
Fragment of size less than configured minimum fragment size detected
Fragment of size less than configured minimum fragment size detected
Reassembly is currently disabled
IpReassembly Fragment count exceeds max limit
IpReassembly last Fragment length changed
IP Reassembly : Overlapped IP fragment received, Dropping Fragment
IP Reassembly : Overlapped IP fragment received
IpReassembly Datagram size exceeds max limit
IpReassembly time out
Icmp error message received for uninitiated connection
ICMP error message contains less data than expected (Possible attack)
Dropping ICMP error packet to external n/w
Dropping ICMP error packet


Issue ID: 3000014
Event Name: Firewall_DNS_and_ICMP
Packet Disposition: Allowed
Messages:
Received DNS request with ID: %u
Received DNS reply with ID: %u
ICMP Type: %u Code: %u Sequence number: %u received

Issue ID: 3000015
Event Name: Firewall_VPN
Packet Disposition: Allowed
Messages:
IKE Init Cookie: %s & Resp Cookie: %s Deleting the IsakmpSA
IKE Init Cookie: %s & Resp Cookie: %s IKE phase-II msg not received after retries
IKE Init Cookie: %s & Resp Cookie: %s IKE start phase-I success
IKE Init Cookie: %s & Resp Cookie: %s Quick Mode completed of msg ID %s
IKE Init Cookie: %s & Resp Cookie: %s Sending a Delete payload for phase-I
IKE Init Cookie: %s & Resp Cookie: %s Sending a Delete payload for phase-II
IKE Init Cookie: %s & Resp Cookie: %s Started phase-I negotiation
IKE Init Cookie: %s & Resp Cookie: %s Started Quick Mode of Msg ID %s

Issue ID: 3000016
Event Name: Firewall_Configuration_Change
Packet Disposition: Not Applicable
Messages:
Access policy with Rule id: %d has been added
Access policy with Rule id %d has been deleted
Configuration for box access has been modified
Configuration for firewall attacks has been modified
Max association limits for different networks has been modified

Issue ID: 3000005
Event Name: Firewall_Ping_of_Death
Packet Disposition: Dropped
Messages:
Ping of Death attack detected (proto is ICMP)
Jolt attack detected (proto is not ICMP)

Table 166: Firewall event dispositions


System Events
Definitions Table 167 identifies system events.

Issue ID: 1000000
Event Name: System_Info
Messages:
The appliance is now restarted. You may access it using Proventia Manager.
There are updates available to be installed.
There are updates available to be downloaded.

Issue ID: 1000001
Event Name: System_Warning
Messages:
See event for message details.

Issue ID: 1000002
Event Name: System_Error
Messages:
See event for message details.

Issue ID: 1000003
Event Name: System_Failed_Login
Messages:
Failed login detected,src-ip=%s,service=%s,username=%s

Issue ID: 1000004
Event Name: System_Successful_Login
Messages:
Successful login detected,src-ip=%s,service=%s,username=%s

Table 167: System events dispositions
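The %u, %d and %s placeholders in the message columns of Table 166 and Table 167 are printf-style templates, so anything that collects these events (a syslog parser, a SIEM rule) has to match the fixed text and pull the variable fields out. The following Python is an added example, not code from this guide or from ISS. It compiles a handful of the templates printed in those two tables into regular expressions, classifies constructed sample messages back to their Issue ID and event name, and counts System_Failed_Login events per src-ip as a simple repeated-failure indicator. The treatment of %u and %d as integers and %s as any non-empty text, the threshold, and the sample lines are all assumptions made for the example.

```python
import re
from collections import Counter

# Message templates copied from Tables 166 and 167 of the guide,
# as (issue_id, event_name, template).
TEMPLATES = [
    (3000006, "Firewall_General_Attack",
     "Received Invalid DNS reply with ID: %u"),
    (3000006, "Firewall_General_Attack",
     "Dropping ICMP packet of type %d (unknown type)"),
    (3000006, "Firewall_General_Attack",
     "ICMP Type: %u Code: %u Echo response received for unknown "
     "sequence number %u, dropping packet"),
    (3000014, "Firewall_DNS_and_ICMP",
     "Received DNS request with ID: %u"),
    (3000016, "Firewall_Configuration_Change",
     "Access policy with Rule id: %d has been added"),
    (1000003, "System_Failed_Login",
     "Failed login detected,src-ip=%s,service=%s,username=%s"),
    (1000004, "System_Successful_Login",
     "Successful login detected,src-ip=%s,service=%s,username=%s"),
]

# Assumed meaning of each conversion: unsigned/signed integers and
# non-empty text. The guide does not say how the fields are formatted.
_CONVERSIONS = {"%u": r"(\d+)", "%d": r"(-?\d+)", "%s": r"(.+?)"}


def template_to_regex(template):
    """Compile a printf-style template into an anchored regex whose
    capture groups are the template's conversions, in order."""
    parts = re.split(r"(%[uds])", template)
    pattern = "".join(_CONVERSIONS.get(p, re.escape(p)) for p in parts)
    return re.compile("^" + pattern + "$")


COMPILED = [(iid, name, template_to_regex(t)) for iid, name, t in TEMPLATES]


def classify(message):
    """Return (issue_id, event_name, captured_fields) for a message that
    matches a known template, or None for an unknown message."""
    for issue_id, name, regex in COMPILED:
        match = regex.match(message)
        if match:
            return issue_id, name, match.groups()
    return None


def failed_logins_by_source(messages, threshold=3):
    """Count System_Failed_Login events per src-ip and return the sources
    that reach the threshold. The threshold value is an arbitrary assumption."""
    counts = Counter()
    for message in messages:
        hit = classify(message)
        if hit and hit[1] == "System_Failed_Login":
            src_ip, _service, _username = hit[2]
            counts[src_ip] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed sample messages in the guide's formats; not appliance output.
SAMPLE_MESSAGES = [
    "Received DNS request with ID: 4132",
    "Dropping ICMP packet of type 99 (unknown type)",
    "Failed login detected,src-ip=192.0.2.10,service=ssh,username=admin",
    "Failed login detected,src-ip=192.0.2.10,service=ssh,username=root",
    "Failed login detected,src-ip=192.0.2.10,service=https,username=admin",
    "Successful login detected,src-ip=198.51.100.7,service=https,username=admin",
    "Failed login detected,src-ip=198.51.100.7,service=https,username=admin",
    "Access policy with Rule id: 17 has been added",
    "ICMP Type: 0 Code: 0 Echo response received for unknown "
    "sequence number 512, dropping packet",
]

if __name__ == "__main__":
    for message in SAMPLE_MESSAGES:
        print(classify(message), "<-", message)
    print("repeated failed logins:", failed_logins_by_source(SAMPLE_MESSAGES))
```

Because every template is anchored at both ends and its literal text is escaped, a message either matches one template exactly or is reported as unknown; unknown messages are worth logging on their own, since a new firmware release can add message strings that are not in these tables.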


Antivirus Events
Definitions Table 168 identifies antivirus events.

Issue ID: 2000000
Event Name: Specific_Virus_Flood
Messages:
See event for message details.

Issue ID: 2000001
Event Name: Local_Client_Virus_Flood
Messages:
See event for message details.

Issue ID: 2000002
Event Name: Local_Client_Sent_Virus
Messages:
See event for message details.

Issue ID: 2000003
Event Name: Virus_Found_In_Encapsulating_Object
Messages:
See event for message details.

Issue ID: 2000004
Event Name: Virus_Found_In_File
Messages:
See event for message details.

Table 168: Antivirus events


Intrusion Prevention Events


Definitions Table 169 identifies intrusion prevention events.

Issue ID: 4000000
Event Name: IPM_Dynamic_Rule_Added
Messages:
See event for message details.

Issue ID: 4000001
Event Name: IPM_Dynamic_Rule_Removed
Messages:
See event for message details.

Issue ID: 4000002
Event Name: IPM_Dynamic_Table_Cleared
Messages:
See event for message details.

Issue ID: 4000003
Event Name: IPM_Dynamic_Rule_Expired
Messages:
See event for message details.

Issue ID: 4000004
Event Name: IPM_Packet_Dropped
Messages:
See event for message details.

Issue ID: 4000005
Event Name: IPM_Internal_Error
Messages:
IPM Internal Error. Contact ISS Technical Support.

Table 169: Intrusion prevention events


Web Filter Events


Definitions Table 170 identifies Web Filter events.

Issue ID: 5000000
Event Name: WFM_URL_Blocked
Messages:
Requested URL matched a blocked category
See event for message details.

Issue ID: 5000001
Event Name: WFM_URL_Requested
Messages:
URL request received
See event for message details.

Table 170: Web Filter events dispositions


Antispam Events
Definitions Table 171 identifies Antispam events.

Issue ID: 6000000
Event Name: ASM_Spam_Detected
Messages:
Email received
See event for message details.

Issue ID: 6000001
Event Name: ASM_Email_Received
Messages:
Email is classified as spam
See event for message details.

Table 171: Antispam events dispositions


Update Events
Definitions Table 172 identifies update events.

Issue ID: 7000000
Event Name: Update_Available
Messages:
Updates are available for security (Antivirus or Intrusion Prevention), firmware and/or the Web Filter and Antispam Database.
See event for message details.

Issue ID: 7000001
Event Name: Update_Installation
Messages:
Installations have occurred for security (Antivirus or Intrusion Prevention) updates or firmware updates.
See event for message details.

Issue ID: 7000002
Event Name: Update_Uninstall
Messages:
A security update (Antivirus or Intrusion Prevention) has been uninstalled.
Note: Firmware and database updates cannot be uninstalled or rolled back.
See event for message details.

Issue ID: 7000003
Event Name: Update_Error
Messages:
An error has occurred related to the update process.
See event for message details.

Table 172: Update events dispositions


High Availability Events


Definitions Table 173 identifies high availability (HA) events.

Issue ID Event Name Messages

waiting for info per CR 41471

Table 173: HA events dispositions

Glossary

a
access policy—A group of firewall settings that defines the attributes of the firewall. The firewall examines the
network packet and determines whether to accept or deny the packet based on rules in the access policy.
Configure access policies on the Access Policy Page.

address group—A network object that includes either one or more address names or one or more address groups.

address name—A network object that includes any IP address, a single IP address, a single IP address range, a
single IP address and CIDR mask, or a single address list. Note: An address list can contain more than one
IP address range.

AES—The Advanced Encryption Standard (AES) is a symmetric block cipher that can process data blocks of 128
bits. Key length must be 128, 192, or 256 bits.

AH—The Authentication Header (AH) provides data integrity, origin authentication, and optional replay
resistance. Its primary function is to provide authentication services. It does not provide any
confidentiality.

Alternate Node—The secondary appliance in the pair of appliances in an HA cluster.

Alternate Node Interface—The internal interface for the secondary appliance in an HA cluster.

Authentication Algorithm—Supported authentication algorithms are MD5 and SHA1. See MD5 and SHA1.

Authentication Level—SiteProtector uses an SSL certificate for authentication. The M appliance uses this
certificate to authenticate its connection to SiteProtector. Authentication level options are:

trust-all - The appliance does not use the SSL certificate presented by SiteProtector. The appliance trusts all
connections on port 3995 (or other designated port), and sends alerts to any system to which it can connect
on that port.

first-time trust - At the first connection, the appliance accepts the SSL certificate and stores it. On all
subsequent connections to the same SiteProtector desktop controller, SiteProtector must present the same
certificate.

explicit trust - You must copy the SSL certificate to authenticate SiteProtector to the correct location on the
appliance before connecting. The certificates should be placed in the /cache/spool/crm/cacerts directory.
If you select explicit trust, you must perform additional tasks. For more information, refer to article number
2202 in the Internet Security Systems Knowledgebase.

Authentication Mode—The authentication mode defines how the local peer will identify itself to the remote peer.
The options are Pre-Shared Key, DSS Signed, and RSA Signed.


b
boot-P—The BOOTstrap Protocol (boot-P) is a TCP/IP protocol that provides network configuration information
to a diskless workstation. This protocol allows a workstation that does not have a disk to configure itself
dynamically during startup. This protocol provides three services: IP address assignment, detection of the
IP address for a central server, and the name of a file to be loaded and run by the host. When a workstation
first boots, it sends a BOOTP message to a central server. The central server sends the network configuration
information back to the workstation. DHCP may be used to replace BOOTP.

c
Certificate Authority (CA)—A trusted third party organization that issues digital certificates used to create digital
signatures and public-private key pairs. The certificate authority guarantees that the individual granted the
unique certificate is who he or she claims to be. Usually, this means that the CA has an arrangement with a
financial institution, such as a credit card company, that provides it with information to confirm an
individual's claimed identity.

certificates—Digital certificates encrypt data using Secure Sockets Layer (SSL) technology, the industry-standard
method for protecting Web communications. Simply installing a digital certificate turns on their SSL
capabilities.

CHAP—Challenge Handshake Authentication Protocol. CHAP uses a 3-way handshake to periodically verify the
identity of the peer. This occurs during initial link establishment, and may be repeated any time after the
link has been established.

cluster—See High Availability.

d
Database Update—A Web Filter and Antispam Database update from the ISS database server that contains Web
Filter classification information. Database updates can be automatically downloaded and installed.

Dead Timeout—The pre-determined period of time that the secondary HA appliance waits for a response to the
heartbeat sent to the primary appliance. When the dead timeout period expires, the secondary appliance
assumes that the primary appliance has failed, and takes over the virtual IP addresses for all interfaces.

Delete Mode—In Delete Mode, the appliance deletes spam emails according to the delete threshold level you
select. If the email’s spam content is below the threshold, the appliance adds a [SPAM] header to the email
subject line. If the email contains more spam content than the threshold, the appliance deletes the email.

Delete Threshold—The Delete Threshold setting allows you to set the level of spam content that the appliance
uses as the baseline to tag or delete spam email.

DES—The Data Encryption Standard (DES) algorithm is designed to encrypt and decrypt blocks of data consisting
of 64 bits under control of a 64-bit key. Decrypting is accomplished by using the same key as for encrypting,
but with the schedule of addressing the key bits altered so that the decrypting process is the reverse of the
encrypting process. Key length must be 3 characters.

3DES—The secret Triple-Data Encryption Standard (3DES) key shared between the communicating parties is a
simple variant on the DES-CBC algorithm. The DES function is replaced by three rounds of that function,
an encryption followed by a decryption followed by an encryption, each with independent keys: k1, k2 and
k3. Key length must be 24 characters.


Destination Address—The IP address of the computer that receives the network packet.

Destination Blacklist—A Destination Blacklist is a list of URLs, domains, or IP addresses that users can never
access from your network. You can use this list to block destinations that aren’t included in the Web filters
you’ve selected.

Destination NAT Rule—Translates routable IP addresses to internal, non-routable IP addresses for inbound
network traffic. Destination NAT rules can also translate the destination port of a TCP or UDP packet to
another port. Destination NAT Rules prevent non-routable IP addresses in your network from appearing
to users outside the network.

Destination Port—The port number that the originating computer asks the receiving computer to open.

Destination Whitelist—A Destination Whitelist is a list of URLs, domains, or IP addresses that users can always
access from your network, even if the destination belongs to a blocked Web filter category. This is useful if
you want to override a Web filter to allow access to specific destinations in a blocked category, such as a
single news site.

DHCP—The Dynamic Host Configuration Protocol (DHCP) supports automatic address assignment and improved
configuration management of IP networks.

DHCP Lease—The length of time that a DHCP server allows a client to use an assigned IP address. When a lease
is made to a client, it is described as active. When half of the allowed lease time has expired, the client must
renew its address lease assignment with the DHCP server. The lease duration is defined in seconds. A lease
time of 0 seconds permanently reserves the lease for a client so that the lease never expires.

DHCP Relay Agent—A protocol that allows the DHCP server to communicate through the appliance firewall to
assign IP addresses to clients on the network. The relay agent sits on the appliance interface, and relays
DHCP messages through the firewall between clients on the network and the DHCP server.

Diffie-Hellman Group—Diffie-Hellman consists of seven groups. This appliance supports three of the seven:
Group 1, Group 2, and Group 5. The higher the group number, the more difficult it is for a third party to
guess the session key value. For IPSEC policies, you may also use a Private Group, created using the New
Group Exchange. Not all the supported groups listed here are available for every Diffie-Hellman Group
setting in the Proventia Manager.

Direction—Specifies the direction of network traffic for the access policy. Direction options are:
Inbound - applies to network traffic that is coming into your network
Outbound - applies to network traffic that is leaving your network
Auto - applies to both inbound and outbound network traffic

DNS—Domain Name Server. An Internet service that translates domain names into IP addresses.

Domain Name—The name associated with an IP address. A domain name always has two or more parts separated
by dots and typically consists of some form of an organization's name and a three letter or more suffix. For
example, to access the White House website, you could type its IP address into the address box of your Web
browser. However, most people prefer to use the domain name "www.whitehouse.gov." In this case, the
domain name is whitehouse.gov.

Domain Name Suffix—These generic top-level domain extensions found at the end of a URL or email address
signify the type of organization associated with the domain name.

DSA—Digital Signature Standard (DSS) is the digital signature algorithm (DSA) developed by the U.S. National
Security Agency (NSA) to generate a digital signature for the authentication of electronic documents. DSS
was put forth by the National Institute of Standards and Technology (NIST) in 1994, and has become the
United States government standard for authentication of electronic documents.

Dynamic Interface—The appliance interface is the name of the appliance interface to select when you use
Dynamic IP Addresses in a Many-to-One NAT Configuration. Options are: eth0 (internal interface), eth1
(always the external interface), eth2 (available internal interface) and PPP0 (created automatically when
PPPoE is running on the appliance).

Use the Dynamic Interface feature with DHCP and PPPoE configurations of the external interface. For
DHCP, the dynamic interface is the eth1 (external) interface of the appliance. For PPPoE, the dynamic
address is PPP0. This interface is created automatically when PPPoE is running on the appliance. The non-
routable addresses are translated to the IP address that is assigned to the eth1 or PPP0 interface.

Dynamic Address Name—The name that you can share among many appliances with different Dynamic
Address Lists. Each appliance has one or more Dynamic Address Lists that contain addresses specific to
that appliance. You can associate the Dynamic Address Lists from many appliances with one Dynamic
Address Name network object. When you use the Dynamic Address Name to define a policy change in
SiteProtector for a group of appliances, each appliance implements the change using the values in its
individual Dynamic Address List associated with that name.

e
Email Sender Blacklist—The Email Sender Blacklist contains domains and email addresses that the appliance
always identifies as sources of spam.

Email Sender Whitelist—The Email Sender Whitelist contains domains and email addresses that the appliance
never identifies as spam.

Encryption Algorithm or ESP Algorithm—The encryption algorithm is a mathematical algorithm for encrypting
and decrypting binary coded information. Encryption converts data to an unintelligible form called
ciphertext; decrypting the ciphertext converts the data back into its original form, called plaintext.
Encryption methods are DES, 3DES, and AES. (See DES, 3DES and AES)

ESP—Encapsulating Security Payload. Provides several security services, including data confidentiality, integrity,
origin authentication, limited traffic flow confidentiality, and optional anti-replay services.

Event Notification—You can configure how the appliance sends notification responses for events. The following
types of responses are available:
- Email responses send alerts by email to an individual address or email group.
- You can define multiple email notifications for these responses and configure the data sent.
- SNMP responses send SNMP traps to a consolidated SNMP server.
- Alert delivery to SiteProtector sends alerts to the SiteProtector desktop controller.

f
failover—In a High Availability environment, a failover occurs when the primary appliance in the cluster fails and
the secondary appliance assumes the primary role. If the secondary appliance does not receive a response
from the primary appliance for a predetermined period of time, called the dead timeout, the primary
appliance is considered to have failed. When this occurs, the secondary appliance takes over all virtual IP
addresses for all interfaces and becomes the primary appliance. See also Forced Failover.

Firewall—A system or combination of systems that enforces a boundary between a computer or network and
external networks. The primary purposes of a firewall are to provide a single point of entry where a
network can be defended, to provide access to the Internet from inside the network, and to provide
controlled access from the Internet to computers inside the network. Two typical types of firewall are the
network-level firewall, or packet filter, which examines traffic at the network protocol packet level, and the
application-level firewall, which examines traffic such as FTP, email, or Telnet at the application layer.
Firewalls can also re-address, or translate, outgoing traffic.

Firewall General Messages—General messages include:
Resource Errors – Errors that occur with the firewall or with traffic going through the firewall. Such errors
are written to the log file.
Deny Rule Messages – If you have a deny rule with logging enabled in a firewall policy, and traffic is
blocked on that rule, then an event is written to the log file.
Allow Rule Messages – If you have an allow rule with logging enabled in a firewall policy, and traffic is
accepted on that rule, then an event is written to the log file.
Rule Not Found Messages – If a packet comes across your network and is dropped because there are no
matching firewall policy rules, an event is written to the log file.
Configuration Changes – Any time a firewall rule, list, or any other configurable firewall setting is
modified, an event is written to the log file. If the event does not indicate which user made the change, the
following messages occur:
Access Statistics – A log entry will be made at certain intervals, describing the current network activity.
VPN Messages – Every time a user accesses your network through one of the IPSEC or manual IPSEC
policies, an event is written to the log file.
DNS and ICMP Messages – For all ICMP messages and all DNS query and reply messages, an event is
written to the log file.

Firmware Update—An update from the ISS Download Center that contains new program files, fixes or patches,
enhancements, or online Help. Firmware updates can be automatically downloaded and installed. Some
firmware updates require that you reboot your appliance after installation.

FTP—File Transfer Protocol is a set of rules used to exchange files between computers on the Internet. FTP is an
application protocol that uses the Internet's TCP/IP protocols. FTP protocol is typically designated as port
21. Using FTP, you can delete, rename, move, and copy files at a server. You must log on to the FTP server
to do so. However, you can use anonymous FTP to access publicly available files.

FQDN—A Fully Qualified Domain Name is a name that contains a host, second level domain, and a top level
domain. For example, ftp.companyname.com is an FQDN.

g
gateway—A network gateway is an internetworking system joining two networks. Because a network gateway,
by definition, appears at the edge of a network, related functionality like firewalling tends to be installed
on the network gateway.

gateway Antispam—Your Proventia appliance uses Antispam software to analyze text, URLs, and attachments
in all email traffic passing through your network. It allows harmless email to pass instantly, but responds to
inappropriate email by doing one of the following: labeling the email as spam in the subject header or
deleting the email.

gateway Antivirus—With the Antivirus feature, all traffic through the gateway is filtered, even if client desktop
protection is disabled or out of date. Your Proventia appliance offers easy, single-point-of-administration
and high speed analysis of files in real time from web sites and webmail (HTTP), download sites (FTP),
corporate and personal email (SMTP, POP3), and 100% wildlist coverage. The WildList Organization
International (http://www.wildlist.org) is a great source of information about which viruses are
spreading in the wild.

GRE—The Generic Route Encapsulation (GRE) protocol is used in conjunction with Point-to-Point Tunneling
Protocol (PPTP) to create virtual private networks (VPNs) between clients or between clients and servers.
After the PPTP control session has been established, GRE is used to encapsulate the data or payload in a
secure manner. The data or payload that is going to pass through the tunnel is given a Point-to-Point
Protocol (PPP) header and then placed inside a GRE packet. The GRE packet carries the data between the
two tunnel endpoints. After the GRE packet has arrived at the final destination (the endpoint of the tunnel),
it is discarded and the encapsulated packet is then transmitted to its final destination.

h
Ham—Legitimate email that does not contain advertising or inappropriate content. The appliance uses
information in the Web Filter and Antispam Database, and the email addresses and domains in the Email
Whitelist and Email Blacklist, to allow Ham to reach its destination.

heartbeat—A repeating signal transmitted from one appliance to another that indicates that the appliance is in
operation. For the appliance high availability feature, a heartbeat occurs when one appliance "pings" (sends
broadcast/multicast messages) to check the status and availability of the other appliance.

high availability—The Proventia M Series appliance offers active-passive high availability (HA) by using virtual IP
addresses shared between two appliances: the primary appliance and the secondary appliance. The
secondary appliance waits in passive mode, ready to operate as the primary appliance if the primary
appliance fails. The two appliances connect using a dedicated interface link between the primary and
secondary forming a “cluster pair”. The appliances periodically send heartbeats to monitor status. If the
secondary appliance does not receive a response from the primary appliance for a predetermined period of
time, called the dead timeout, the primary appliance is considered to have failed. When this occurs, the
secondary appliance takes over all virtual IP addresses for all interfaces in the cluster and becomes the
primary appliance.

HTTP—Hypertext Transfer Protocol. A set of rules for exchanging text, graphic images, sound, video, and other
multimedia files on the World Wide Web. HTTP protocol uses port 80.

i
IANA—Internet Assigned Numbers Authority. The global authority that allocates IP addresses to Internet
registries, such as a Local Internet Registry (LIR), a National Internet Registry (NIR), or a Regional Internet
Registry (RIR). These registries then allocate IP addresses to Internet Service Providers. When a company
needs an allotment of routable IP addresses, the company's ISP assigns the addresses out of its allocation.

ICMP—Internet Control Message Protocol (ICMP) applies to packets containing error, control, and informational
messages.

ID Type—Defines the type of data used for authentication.

IKE—Internet Key Exchange. A method for establishing a security association (SA) that authenticates users,
negotiates the encryption method, and exchanges the secret key. IKE is used in the IPSEC protocol.

IKE Direction—How the peer uses the VPN tunnel. The options are: Initiator Only (initiates VPN requests),
Responder Only (responds to VPN requests), Both Directions (initiates and responds to VPN requests).

Inbound Policies—Inbound firewall access policies apply to network traffic that is coming into your network.

Initialization Vector—The initialization vector is used in encrypting the first packet. Successive packets are
encrypted by values that are derived while encrypting previous packets. If the initialization vector is not
specified, one is chosen randomly, using a specified algorithm.

interface—A connection between two systems or devices. The connections can be internal, external, or PPPoE.


IP address—An identifier for a computer or device on a TCP/IP network. Networks using the TCP/IP protocol
route messages based on the IP address of the destination.

IPSEC—IP Security. A security protocol that provides authentication and encryption over the Internet.

IPSEC Encapsulation Modes—IPSEC supports the following ways to encapsulate network packets:
Tunnel - the most frequently used encapsulation method. In tunnel mode, the entire IP data packet is
protected. Tunnel mode allows a packet to be delivered to a peer that is not the cryptographic endpoint,
such as a gateway device. An IPSEC packet in tunnel mode has two IP headers: The outer IP header contains
the information for delivering the entire packet to the gateway device. The inner IP header is encrypted
and contains only the original information intended for the targeted host on the other side of the VPN
tunnel.

Transport - protects only the upper layer of protocols; the original IP header is not encrypted. Transport
mode can only be used when the cryptographic endpoint is the same as the communication endpoint. This
limits transport mode to peer-to-peer tunnels.

IPSEC Policy—IPSEC policies define the IPSEC protocol, key exchange method, and other necessary information
needed to provide security to IP packets.

IPSEC Template Proposal—A profile of IPSEC settings that defines the contents of certificates issued by that
Certificate Authority (CA). You must complete the template proposal before the CA can issue an IPSEC
certificate.

IP Spoofing—An attack wherein a system attempts to illicitly impersonate another system by using IP network
address. This type of vulnerability allows an intruder to forge packets to your system by taking advantage
of TCP sequence prediction, insecure sockets, and predictable passwords. There are several methods for
changing an IP address to one that is acceptable to a firewall, so as to trespass on an internal network.
Spoofing is generally used to hide an attacker's identity or to illegitimately take over a network-based
conversation.

ISP—Internet Service Provider. A vendor who provides access for customers (companies and private individuals)
to the Internet.

l
L2TP—Layer 2 Tunneling Protocol. An extension of the Point-to-Point Tunneling Protocol (PPTP) used by an
Internet service provider to enable the operation of a virtual private network over the Internet. L2TP does
not include encryption, but defaults to using IPSEC in order to provide VPN connections from remote users
to the corporate LAN. L2TP is included with most new Microsoft operating systems.

L2TP Endpoint IP Address—The IP address for the appliance side of the L2TP VPN tunnel. This IP address is the
endpoint of the local VPN connection. The L2TP endpoint IP address for the appliance must be a fixed,
globally unique IP address, and should not be in the L2TP IP Address Pool, or used for any other interface
on the appliance.

L2TP Host Name—When you configure the L2TP Host Name for an L2TP/IPSEC Remote Client Security
Gateway, this value is the host name of the appliance. You configured this host name when you configured
the appliance, and you can view this Device Name in the top right corner of the Home Page in Proventia
Manager.
Example
Device Name: myappliance.mycompany.com


L2TP IP Address Pool—The range of IP addresses that the appliance assigns to remote VPN clients. When the
appliance receives a request from a remote client for a VPN connection to the LAN, the appliance assigns
the client an L2TP Endpoint IP address from the L2TP IP Address Pool.

Learning Mode—In Learning Mode, the appliance tags spam emails according to the Delete Threshold level you
select. If the email contains less spam content than the threshold, the appliance adds a [SPAM] header to
the email subject line. If the email contains more spam content than the threshold, the appliance adds a
[SPAM+] header to the email subject line. Learning Mode is useful if you want to see which emails the
appliance identifies as [SPAM] and [SPAM+]. You can adjust the Delete Threshold setting to get the best
performance for your network before you begin deleting spam emails.

m
MAC Address—Medium Access Control address. Also called the MAC name. A MAC address is the number
unique to each network interface card (NIC) in the network. The MAC address is programmed into the
card, usually during manufacture. A MAC address contains two distinct identifiers programmed into ROM
(Read Only Memory), which cannot be changed: the number assigned by the IEEE to the NIC
manufacturer and the Extension ID assigned by the manufacturer. MAC names stay with the NIC card and
are location-independent. Destination and source MAC names are included in the header of network
packets, and routing devices use this information to forward packets on the network.

Many-to-Many NAT—A NAT configuration that translates an IP address in a group or range of non-routable IP
addresses inside your network to the first available IP address in a group or range of routable IP addresses.

Many-to-One NAT—A NAT configuration that translates an IP address in a group or range of non-routable IP
addresses inside your network to one routable IP address by assigning different ports. Also known as single
address NAT, PAT (Port Address Translation), or port-level multiplexed NAT.

Message Digest 5 (MD5)—A one-way hash function (RFC 1321) that takes a message of any length and converts
it into a fixed 128-bit string, also called a message digest. One-way means the digest cannot be turned
back into the message. To verify a signed message, the receiver recomputes the digest of the received
message and compares it with the digest recovered from the signature using the signer's public key; if
they differ, the message was altered. This comparison is called a hashcheck. For IPSEC authentication the
appliance uses MD5 in keyed (HMAC) mode, and the authentication key you enter must be 16 characters
(128 bits) long. Collisions for plain MD5 have been demonstrated, so it should not be relied on for digital
signatures; the keyed HMAC-MD5 construction used by IPSEC is not affected by those collision attacks, but
prefer SHA1 when the VPN peer supports it.

Monitor IP addresses—An optional feature of an HA cluster that periodically checks whether the network is
healthy. You specify the IP addresses of network devices outside the HA cluster; each appliance sends
ICMP echo request packets to those addresses and waits for replies. If a monitored device does not reply
within the dead timeout period, the appliance counts that device as unreachable. The primary HA appliance
polls the secondary appliance to determine which appliance can reach the larger number of monitored
devices. If the primary appliance does not have the highest count, a failover occurs. Choose monitor
targets that are always on and that answer ICMP echo requests, such as the next-hop router; a target that
is down for maintenance or that filters ICMP can trigger an unwanted failover.

MSS—Maximum Segment Size. The largest amount of payload data that a host accepts in a single TCP segment;
each side advertises its MSS in the MSS option of its SYN packet. On IPv4 networks, this value should be
40 bytes less than the interface MTU (Maximum Transmission Unit) to leave room for the 20-byte IP header
and the 20-byte TCP header. Example: for a PPPoE link with an MTU of 1492 bytes, the MSS is 1452.

MSS clamping—Maximum Segment Size Clamping. MSS clamping intercepts the MSS negotiation of TCP
connections passing through the appliance: when a SYN packet carries an MSS option larger than the
clamp value, the appliance lowers it, so that both ends send segments that fit the path MTU without
fragmentation. This works around path MTU problems without adjusting the MTU on client computers. The
ClampMSS option causes the PPPoE connection to "clamp" the TCP maximum segment size. ClampMSS resolves
the connectivity problems with TCP traffic for Internet access, FTP, and email that appear when the ICMP
"fragmentation needed" messages used by path MTU discovery are filtered somewhere on the path. The
default value for the appliance ClampMSS option is 1260, and ClampMSS is enabled by default. See
"Why use ClampMSS?" on page 78.

MTU—Maximum Transmission Unit. The MTU parameter specifies the largest packet size, in bytes, that a
network link can carry (1500 bytes for standard Ethernet, 1492 for PPPoE). This parameter becomes an
issue when networks with different MTU sizes are interconnected. Any packet larger than the MTU of the
next link is divided (fragmented) into smaller packets before being sent. Ideally, the MTU on your network
should match the smallest MTU of all the networks between your computer and a message's final
destination. If the packets in your messages are larger than one of the intervening MTUs, the routing
device fragments them into pieces that fit into the frames of the next-hop network, which slows down
transmission. Most TCP implementations set the "do not fragment" (DF) flag on their packets for path MTU
discovery; a router that cannot forward such a packet drops it and returns an ICMP "fragmentation needed"
message. If a firewall on the path blocks that ICMP message, the sender never learns the smaller MTU and
large transfers stall, which is the problem MSS clamping works around.

n
NAS ID—Network Access Server identifier. A Network Access Server (NAS) is a platform or collection of
platforms that interfaces between the packet world, such as the Internet, and the circuit world, such as
the Public Switched Telephone Network (PSTN). In RADIUS terms the appliance is the NAS (the RADIUS
client), and the NAS ID is the name by which it identifies itself to the RADIUS server; it corresponds to
the RADIUS NAS-Identifier attribute.

NAT—Network Address Translation. A feature of most firewalls that enables a local area network (LAN) to use one
set of IP addresses for internal traffic, and a second set of addresses for external traffic. NAT has the benefit
of hiding internal IP addresses from outside the LAN, providing a way of using many internal IP addresses
given one external IP address (very useful for DSL or ISDN connections used by many computers), and
combining different internal connections into one Internet connection.

NAT Configuration—Defines how your NAT policy translates IP addresses on your network. A NAT
Configuration can be any of the following:
Many-to-One NAT - translates one routable IP address for many internal, non-routable addresses
One-to-One NAT - translates one routable IP address for each internal, non-routable original address
Many-to-Many NAT - translates a range of routable IP addresses for a range of internal, non-routable IP
addresses.
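
A translation table that models the three NAT configurations just listed (One-to-One, Many-to-One, which the PAT entry below also describes, and Many-to-Many), as an added example that is not the appliance's NAT code. The `NatTable` class, the `Flow` record, the address ranges and the port pool are the example's own assumptions; only the translation behaviour follows the definitions above.

```python
"""NAT translation table, written as an added example for the three NAT
configurations in this glossary. Hypothetical code, not the appliance's."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One direction of a TCP/UDP conversation (addresses as strings)."""
    src: str
    sport: int
    dst: str
    dport: int


class NatTable:
    MODES = ("one_to_one", "many_to_one", "many_to_many")

    def __init__(self, mode, internal, public, port_range=(1024, 65535)):
        if mode not in self.MODES:
            raise ValueError("unknown NAT configuration: %s" % mode)
        if mode == "one_to_one" and len(internal) != len(public):
            raise ValueError("one-to-one needs one routable address per internal address")
        self.mode = mode
        self.internal = list(internal)      # non-routable addresses inside the network
        self.public = list(public)          # routable addresses
        self.port_range = port_range
        self.next_port = port_range[0]
        self.assigned = {}                  # many-to-many: internal -> routable address
        self.outbound = {}                  # original flow -> translated flow
        self.inbound = {}                   # (public, port, dst, dport) -> original flow

    def _public_for(self, src):
        if self.mode == "one_to_one":       # fixed pairing by position in the lists
            return self.public[self.internal.index(src)]
        if self.mode == "many_to_one":      # everyone shares the single routable address
            return self.public[0]
        # many-to-many: a host keeps its address once chosen; otherwise take the
        # first routable address that no other host is currently using
        if src not in self.assigned:
            free = [a for a in self.public if a not in self.assigned.values()]
            if not free:
                raise RuntimeError("many-to-many pool exhausted")
            self.assigned[src] = free[0]
        return self.assigned[src]

    def _allocate_port(self):
        lo, hi = self.port_range
        for _ in range(hi - lo + 1):
            port = self.next_port
            self.next_port = lo if port == hi else port + 1
            if not any(key[1] == port for key in self.inbound):
                return port
        raise RuntimeError("PAT port pool exhausted")

    def translate_outbound(self, flow):
        """Rewrite the source of an outbound packet and remember the reverse mapping."""
        if flow in self.outbound:
            return self.outbound[flow]
        if flow.src not in self.internal:
            raise ValueError("%s is not covered by this NAT configuration" % flow.src)
        public = self._public_for(flow.src)
        # only many-to-one multiplexes hosts on port numbers; the others keep the port
        port = self._allocate_port() if self.mode == "many_to_one" else flow.sport
        translated = Flow(public, port, flow.dst, flow.dport)
        self.outbound[flow] = translated
        self.inbound[(public, port, flow.dst, flow.dport)] = flow
        return translated

    def translate_inbound(self, reply):
        """Map a reply sent to the routable address back to the internal host."""
        original = self.inbound.get((reply.dst, reply.dport, reply.src, reply.sport))
        if original is None:
            return None                     # no matching state: the firewall drops it
        return Flow(reply.src, reply.sport, original.src, original.sport)
```

The inbound lookup is keyed on the full translated 4-tuple, so an unsolicited packet to the routable address finds no state and is dropped; that is the property that makes stateful NAT double as a basic inbound filter.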

NAT Policy—Network Address Translation Policy. A group of NAT settings that defines how the firewall
translates IP addresses for inbound and outbound network traffic. Configure NAT policies on the NAT
Policy page.

Network Objects—A firewall or VPN element or group of elements that you define and name. Use network
objects to easily manage firewall and VPN policies by naming frequently used elements or groups of
elements, and sharing them among multiple policies. Configure network objects on the Firewall/VPN
Network Objects page.

Nonce—A number used once: a random or time-varying value that one party includes in a protocol message
and that the other party must echo back, so that a replayed copy of an earlier message can be told apart
from a fresh one. The receiver accepts a message only if it carries a nonce the receiver issued and has not
seen before; a message whose nonce is missing, reused, or expired is rejected. IKE uses n
onces in this
way when it negotiates security associations.

NTP—Network Time Protocol. Synchronizes the appliance clock with a network time server. Accurate time
matters for checking certificate validity periods and for correlating alert and log timestamps across
devices.

o
One-to-One NAT—A NAT configuration that translates one non-routable IP address inside your network to one
routable IP address.

OSPF—Open Shortest Path First. A routing protocol that determines the best path for routing IP traffic over a TCP/
IP network based on the cost assigned to each link. OSPF is an interior gateway protocol (IGP), designed
to work within an autonomous system. It is also a link state protocol, which generates less router-to-router
update traffic than the RIP distance vector protocol that it was designed to replace.

Outbound Policies —Outbound firewall access policies apply to network traffic that is leaving your network.


p
Packet Values —A security association is created if the specified value is in the packet.
Example: If only the Source IP selector value is set to PKT_VAL, a security association is created for every
possible IP address included in the IP security policy parameters. If the source IP address range is 10.1.5.1
to 10.1.5.100, then 100 security associations will be created. A security association is not created if there is
no traffic from the source IP address.

PAP—Password Authentication Protocol. PAP requires users to enter a password before accessing a secure system.
The user's name and password are sent in cleartext over the wire to a server, where they are compared with
a database of user account names and passwords. This technique is vulnerable to wiretapping (sniffing)
because the password can be captured and used by someone to log on to the system.

PAP is not recommended in most cases. However, some authentication systems fall back to PAP if no
better authentication scheme is available. CHAP (Challenge Handshake Authentication Protocol) is an
alternative protocol that never sends the password over the wire: the server sends a random challenge
and the client replies with a hash of the password and that challenge. A captured CHAP exchange still
lets an attacker test password guesses offline, so CHAP secrets should be long and random.
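
The difference between the two protocols, as an added example that is not part of this guide: what PAP puts on the wire, the RFC 1994 CHAP challenge/response computation (MD5 over the identifier, the secret and the challenge), and the offline guessing that a sniffer can still run against a captured CHAP exchange. The user name, secret and word list are constructed for the example.

```python
"""PAP and CHAP on the wire, as an added example; not code from the guide.
CHAP follows RFC 1994: response = MD5(identifier || secret || challenge)."""
import hashlib
import hmac
import secrets


def pap_authenticate_request(username: str, password: str) -> bytes:
    """Everything PAP sends: the credential itself, in cleartext."""
    return username.encode() + b"\x00" + password.encode()


def chap_challenge() -> bytes:
    """Server side: a fresh random challenge for each attempt."""
    return secrets.token_bytes(16)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Client side: hash of the 8-bit identifier, the shared secret and the challenge."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute and compare in constant time."""
    return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


def offline_guess(identifier: int, challenge: bytes, response: bytes, wordlist):
    """What a sniffer can do with a captured (identifier, challenge, response):
    test candidate secrets at full speed without ever contacting the server."""
    for guess in wordlist:
        if chap_response(identifier, guess.encode(), challenge) == response:
            return guess
    return None


def demo(secret: str = "correct horse",
         wordlist=("password", "letmein", "correct horse")) -> dict:
    """Constructed exchange: report what each protocol exposes on the wire."""
    identifier = 7
    challenge = chap_challenge()
    response = chap_response(identifier, secret.encode(), challenge)
    on_wire = challenge + response
    return {
        "chap_verified": chap_verify(identifier, secret.encode(), challenge, response),
        "chap_wrong_secret": chap_verify(identifier, b"wrong", challenge, response),
        "chap_secret_on_wire": secret.encode() in on_wire,
        "pap_secret_on_wire": secret.encode() in pap_authenticate_request("alice", secret),
        "chap_offline_guess": offline_guess(identifier, challenge, response, wordlist),
    }
```

The `offline_guess` function is the caveat in code: the challenge stops replay, but a weak secret falls to a dictionary as soon as one exchange is captured, which is why the glossary's advice is to prefer CHAP over PAP and still choose strong secrets.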

PAT—Port Address Translation is a type of network address translation. During PAT, each computer on a LAN is
translated to the same IP address but with a different port number assignment. PAT is also referred to as
overloading, port mapping, port-level multiplexed NAT, or single address NAT.

Perfect Forward Secrecy—A property of key exchange, used by IPSEC, under which the compromise of a long-term
key or of one session key does not reveal any other session key. With Perfect Forward Secrecy (PFS)
enabled, each time the appliance negotiates a new IPSEC security association it runs a fresh Diffie-Hellman
exchange in which both parties contribute a random value known only to them; the resulting key is derived
from that exchange alone, not from the IKE Phase 1 keying material or from any previously created key. A
third party who later obtains one session key can therefore decrypt only the traffic protected by that key
and learns nothing that helps recover earlier or later keys. The extra Diffie-Hellman computation makes
each rekey take longer than without PFS, but it limits the damage that a single key compromise can do.

PFS Group—Perfect Forward Secrecy Group. The Diffie-Hellman group used for the fresh key exchange: Group 1
(768-bit MODP) or Group 2 (1024-bit MODP). A larger group makes the derived key harder to recover but the
exchange slower; both VPN peers must be configured with the same group. Group 1 is too small to resist a
well-funded attacker and should be used only when the peer supports nothing stronger.
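
The PFS rekey described in the two entries above, as an added example that is not the appliance's IKE code: two consecutive security-association lifetimes each run their own Diffie-Hellman exchange in the 1024-bit MODP group that IKE calls Group 2 (RFC 2409 section 6.2), and the keys that result are unrelated, whereas a key derived from its predecessor falls with it. The prime and generator are the RFC's; the 256-bit private exponents, the SHA1-based derivation and the non-PFS chain are the example's own choices.

```python
"""Perfect Forward Secrecy with a fresh Diffie-Hellman exchange, as an added
example (not the appliance's IKE code). Group 1 (768-bit MODP) is omitted."""
import hashlib
import secrets

# RFC 2409 Group 2: 1024-bit MODP prime, generator 2.
MODP_1024_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
GENERATOR = 2


def dh_keypair():
    """Fresh 256-bit private exponent (example's choice) and its public value."""
    priv = secrets.randbits(256) | (1 << 255)     # non-zero, full length
    return priv, pow(GENERATOR, priv, MODP_1024_P)


def dh_shared(priv: int, peer_pub: int) -> int:
    """Reject degenerate peer values (0, 1, p-1, out of range) before use;
    accepting them would pin the shared secret to a handful of known values."""
    if not 1 < peer_pub < MODP_1024_P - 1:
        raise ValueError("invalid Diffie-Hellman public value")
    return pow(peer_pub, priv, MODP_1024_P)


def session_key(shared: int) -> bytes:
    """Derive a 20-byte key, the length the glossary gives for SHA1 keys."""
    return hashlib.sha1(shared.to_bytes(128, "big")).digest()


def rekey_with_pfs() -> list:
    """Two consecutive SA lifetimes; each runs its own exchange, so the second
    key is independent of the first. Returns the keys both peers agreed on."""
    keys = []
    for _ in range(2):
        a_priv, a_pub = dh_keypair()
        b_priv, b_pub = dh_keypair()
        key_a = session_key(dh_shared(a_priv, b_pub))
        key_b = session_key(dh_shared(b_priv, a_pub))
        if key_a != key_b:
            raise RuntimeError("peers disagree on the shared secret")
        keys.append(key_a)
    return keys


def rekey_without_pfs(previous_key: bytes) -> bytes:
    """Constructed contrast: a successor derived from the old key. Anyone who
    holds previous_key can compute this one, and every one after it."""
    return hashlib.sha1(previous_key + b"rekey").digest()
```

The range check in `dh_shared` is the part most often missing from toy implementations; IKE peers must reject a public value of 0, 1 or p-1 for exactly the reason given in the comment.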

ping—A common method for troubleshooting host access. Ping sends an ICMP echo request to a host and waits
for the ICMP echo reply; it is the simplest test of whether a host is reachable. Run ping to view the
packets transmitted, packets received, percentage of packet loss, and round-trip time in milliseconds. A
host or firewall that filters ICMP does not answer even when the host is up. If ping fails, try using
traceroute. See "traceroute" on page 448.

Ping of Death—A denial of service attack that uses ping to transmit an ICMP echo packet which, once
reassembled, is greater than 65535 bytes in length, the largest size the 16-bit IP total length field can
express. The IP specification prohibits packets this large from being created, but fragmentation allows
such a packet to be transmitted in pieces. The vulnerability exists in the reassembly code of the victim
system's networking stack: once the fragments have been reassembled, the packet is too large to fit in the
allocated buffer and causes a buffer overflow. The overflow can cause certain systems to crash, reboot, or
behave in unpredictable ways. This attack is not limited to ICMP and can be carried out with any protocol
that runs over IP.
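
The check a reassembly routine needs in order to be immune to the attack just described, as an added example that is not the appliance's IPS code: it parses constructed IPv4 fragment headers and flags any fragment set whose reassembled datagram would exceed the 65535-byte maximum before a single byte is copied into a buffer. The addresses, identification values and payload sizes are constructed for the example.

```python
"""Oversized-fragment check for the attack described above, as an added
example (not the appliance's IPS code). Fragment sets are constructed inline."""
import struct

MAX_DATAGRAM = 65535     # largest value the 16-bit IP Total Length field can hold
IP_HEADER = 20           # header length the example uses for every fragment
SRC, DST = bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1])   # constructed addresses


def build_fragments(ident: int, payload_len: int, mtu: int = 1500) -> list:
    """Split an IP payload of payload_len bytes into MTU-sized fragments.
    Offsets are multiples of 8 because the header stores them in 8-byte units;
    payloads beyond 65535 + 7 bytes would overflow the 13-bit offset field."""
    chunk = (mtu - IP_HEADER) // 8 * 8
    frags, offset = [], 0
    while offset < payload_len:
        size = min(chunk, payload_len - offset)
        more = offset + size < payload_len
        flags_frag = (0x2000 if more else 0) | (offset // 8)    # MF bit + offset
        header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HEADER + size, ident,
                             flags_frag, 64, 1, 0, SRC, DST)
        frags.append(header + b"\x00" * size)
        offset += size
    return frags


def parse_fragment(pkt: bytes):
    """(identification, byte offset, payload length, more-fragments flag)."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ident, flags_frag = struct.unpack("!HHH", pkt[2:8])
    return ident, (flags_frag & 0x1FFF) * 8, total_len - ihl, bool(flags_frag & 0x2000)


def check_fragments(pkts) -> dict:
    """For each datagram id: would reassembly exceed MAX_DATAGRAM, and is the
    set complete? A stack that enforces 'oversized' drops the whole queue
    instead of writing past its reassembly buffer. (No overlap handling.)"""
    queues = {}
    for pkt in pkts:
        ident, offset, length, more = parse_fragment(pkt)
        q = queues.setdefault(ident, {"end": 0, "covered": 0,
                                      "last_seen": False, "oversized": False})
        end = offset + length
        if IP_HEADER + end > MAX_DATAGRAM:      # reassembled datagram too large
            q["oversized"] = True
        q["end"] = max(q["end"], end)
        q["covered"] += length
        q["last_seen"] = q["last_seen"] or not more
    for q in queues.values():
        q["complete"] = q["last_seen"] and q["covered"] == q["end"]
    return queues
```

The bound is applied to every fragment as it arrives, not to the final total, so the oversized set is rejected even when the last fragment never shows up.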

policy—A firewall rule that tells the firewall/VPN module how to handle a specific type of traffic.

policy list—A list of firewall rules for a particular interface and direction.

POP3 —Post Office Protocol version 3 (POP3) is the protocol generally used to retrieve email from an
Internet service provider's mail server. POP3 uses TCP port 110 and, in its basic form, sends the user name
and password in cleartext.


PPP0—The appliance interface used with the Point-to-Point Protocol over Ethernet (PPPoE). The appliance creates
this interface automatically when you enable PPPoE.

PPPoE—Point to Point Protocol over Ethernet. PPPoE is a specification for connecting the users on an Ethernet to
the Internet through a common broadband medium, such as a single DSL line, wireless device or cable
modem.

Port Group—A network object that includes one or more Port Names or one or more Port Groups.

Port Name—A network object that includes either a single port or multiple port ranges.

PPTP —Point-to-Point Tunneling Protocol. Allows remote clients to create VPN tunnels to a private network
across the open Internet. PPTP is included with most Microsoft operating systems. Its security rests on the
PPP authentication and encryption used inside the tunnel, and the common MS-CHAP/MPPE combination is
known to be weak, so prefer an L2TP/IPSEC Remote Client connection where the client supports it.

Primary Management Interface—The appliance interface (Internal or External) IP address that the SiteProtector
desktop controller uses to identify the appliance, and tries first when communicating with the appliance or
launching Proventia Manager.

Protocol—Agreed-upon methods of communications used by computers. A specification that describes the rules
and procedures that products should follow to perform activities on a network, such as transmitting data.
If they use the same protocols, products from different vendors should be able to communicate on the same
network.

Proventia Setup Utility (provsetup)—The command line interface for the appliance operating system. Use this
tool to configure initial connection settings, network interfaces and passwords. You can also use Proventia
Setup for appliance settings management when a Web browser is not available. You must use the Proventia
Setup Utility to set the initial network settings before you can log on to the Proventia Manager.

Proventia Manager (provmanager)—The Web-based user interface for the Proventia M integrated security
appliances.

Proxy —Proxy is an application running on a gateway, that relays packets between a trusted client and an
untrusted host. A proxy application accepts requests from the trusted client for specific Internet services
(HTTP, FTP, SMTP, or POP3), and then acts on behalf of the client to establish the connection for the
requested service. The request appears to originate from the gateway running the proxy, rather than the
client. A "transparent proxy" makes no modifications to a request from a client other than what is absolutely
required for identification and authentication. For SMTP, the proxy server intercepts all requests to scan for
viruses.

q
Quarantine rule—A dynamically generated rule that specifies the network packets to block and the length of time
to block them. The IPS module on the appliance generates quarantine rules dynamically in response to
intrusions, and stores the rules in the Quarantine Table.

r
RADIUS—Remote Authentication Dial-In User Service. Client/server-based authentication software that
centralizes the administration of user profiles maintained in authentication databases, simplifying the
process of supporting multiple VPN switches. The remote access servers act as RADIUS clients that connect
to the centralized authentication server. RADIUS protects only the password attribute, using a shared
secret between client and server, so run it over a trusted management network.


Relay IP Addresses—A list of IP addresses of the hosts in your network that are allowed to send email
through the appliance to another domain. Keep the list to your own mail servers and clients: relaying for
arbitrary addresses turns the appliance into an open relay that spammers can abuse.

Remote ID—Remote ID is the identity the VPN client is expecting to receive during Phase 1 from the VPN gateway.
The ID type defines the type of data used for authentication. This identity can be an IP address, a fully
qualified domain name, an email address, a string or a certificate issuer.

RSA—Rivest-Shamir-Adleman. A public key algorithm invented in 1977 and named after its inventors, used for
encryption and digital signatures. Its security rests on the difficulty of factoring large numbers; RSA
key sizes range from 768 to 2048 bits and beyond. A 768-bit RSA modulus was factored in 2009 and 1024-bit
keys are no longer considered adequate, so use 2048 bits or more where the peer supports it. RSA Security
Inc. offers a number of security tools based on the RSA core algorithm. PGP (Pretty Good Privacy) and SET
(Secure Electronic Transaction) incorporate the RSA algorithm.

RuleGUID—A unique identifier assigned to access policies. The Rule GUID of an access policy (or firewall rule)
appears in the Alert Event Detail window, and identifies the rule that generated a firewall alert in the
Alert Event Log. The Rule GUID value does not change when you edit the access policy, but it changes if you
click the up or down buttons to move the policy up or down in the Access Policies table.

Rule Order—A value that represents the placement of an access policy in the Access Policy table. If you move an
access policy up or down in the table, the Rule Order value increases or decreases. This value is useful for
troubleshooting firewall alerts and matching them to the corresponding access policies.

s
Security Association Selectors —Security association selectors are as follows: Source IP Selector Value,
Destination IP Selector Value, Transport Selector Value (protocol), Source Port Selector Value, Destination
Port Selector Value, User ID Selector Value (not used), and Sensitivity Selector Value (not used).

Security Content Update —An update from the ISS Download Center that contains intrusion prevention and
antivirus content. Security content updates can be automatically downloaded and installed.

Security Gateway —A group of settings that defines the remote peer for a VPN connection. You can reuse a
Security Gateway to quickly create VPN connections. The types of Security Gateways are: Auto Key
IPSEC, IPSEC Remote Client, L2TP/IPSEC Remote Client, and Manual Key IPSEC.

Security Policy Database Values —A security association is created if the specified value is in the security policy
database.

Security process—Indicates the security action for packets on IPSEC connections. The options are:
Apply (routes packets through the VPN tunnel), Bypass (does not route packets through the VPN tunnel),
and Discard (drops packets).

Security Parameters Index —The Security Parameters Index (SPI) is a 32-bit field that identifies the Security
Association (SA) to which a packet belongs. The SPI is carried in the header of every AH and ESP packet so
that the receiving host can match it, together with the destination address and protocol, to an entry in
its Security Association Database and retrieve the keys and algorithms it needs to check the received
packet. An SPI value stays the same for the lifetime of its SA. When the SA expires or the connection is
terminated, the SPI value is reclaimed and may be used again for a new SA.

Security protocol—The security protocol options are: ESP With Auth (data encryption plus data
authentication), ESP (data encryption only), ESP and AH (ESP for encryption plus AH for authentication),
ESP With Auth and AH (authenticated ESP plus AH), and AH (packet authentication only, no encryption). Not
all of the options listed here are available for every Security Protocol setting in the Proventia Manager.
Some vendors refer to ESP With Auth simply as ESP. Avoid plain ESP: encryption without an integrity check
lets an active attacker modify ciphertext undetected, so choose an option that includes authentication.


SHA1—Secure Hash Algorithm 1 (SHA1) produces a 160-bit condensed representation of a message, called a
message digest. The message digest is used during generation of a signature for the message, and the
receiver computes the digest of the received version of the message while verifying the signature. Any
change to the message in transit results in a different message digest, and the signature fails to verify.
For IPSEC authentication the appliance uses SHA1 in keyed (HMAC) mode, and the authentication key you
enter must be 20 characters (160 bits) long. SHA1 is the stronger of the two authentication algorithms the
appliance offers and should be preferred over MD5.
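
How the pieces defined in the MD5, Security Parameters Index, Security protocol and SHA1 entries fit together on the receiving side, as an added example that is not the appliance's IPSEC code: an ESP packet carries the SPI and a sequence number, the receiver selects the SA by SPI, verifies the 96-bit truncated HMAC that IPSEC uses (HMAC-MD5-96 per RFC 2403 with a 16-byte key, HMAC-SHA-1-96 per RFC 2404 with a 20-byte key, which is where the glossary's key lengths come from) and only then applies the RFC 2401 anti-replay window. The "ciphertext" bytes, SPI values and keys are constructed for the example; no decryption is shown.

```python
"""ESP integrity check, SA lookup by SPI and anti-replay window, as an added
example (not the appliance's IPSEC code). Keys and packets are constructed."""
import hmac
import struct

ICV_LEN = 12                       # 96-bit truncated HMAC (RFC 2403 / RFC 2404)
KEY_LEN = {"md5": 16, "sha1": 20}  # the lengths the glossary requires


class InboundSA:
    def __init__(self, spi: int, algo: str, key: bytes, window: int = 64):
        if len(key) != KEY_LEN[algo]:
            raise ValueError("%s authentication key must be %d bytes" % (algo, KEY_LEN[algo]))
        self.spi, self.algo, self.key = spi, algo, key
        self.window = window
        self.right = 0             # highest sequence number accepted so far
        self.bitmap = 0            # bit i set => sequence number (right - i) was seen

    def icv(self, authenticated: bytes) -> bytes:
        return hmac.new(self.key, authenticated, self.algo).digest()[:ICV_LEN]

    def replay_check_and_update(self, seq: int) -> bool:
        """RFC 2401 Appendix C sliding window; False means replay or too old."""
        if seq == 0:
            return False
        if seq > self.right:                           # new right edge: slide
            shift = seq - self.right
            if shift >= self.window:
                self.bitmap = 1
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.right = seq
            return True
        diff = self.right - seq
        if diff >= self.window:                        # left of the window
            return False
        if (self.bitmap >> diff) & 1:                  # already seen
            return False
        self.bitmap |= 1 << diff
        return True


def build_esp(spi: int, seq: int, ciphertext: bytes, algo: str, key: bytes) -> bytes:
    """ESP header (SPI, sequence) + encrypted payload + ICV computed over both."""
    head = struct.pack("!II", spi, seq) + ciphertext
    return head + hmac.new(key, head, algo).digest()[:ICV_LEN]


def receive_esp(packet: bytes, sa_table: dict):
    """Look up the SA by SPI, verify the ICV, then apply the replay window.
    Returns the ciphertext for decryption, or a string naming the rejection."""
    spi, seq = struct.unpack("!II", packet[:8])
    sa = sa_table.get(spi)
    if sa is None:
        return "no SA for SPI"
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    if not hmac.compare_digest(sa.icv(body), icv):
        return "bad ICV"                  # checked before any replay state changes
    if not sa.replay_check_and_update(seq):
        return "replay"
    return body[8:]
```

The order inside `receive_esp` matters: the replay window is updated only for packets whose ICV verified, otherwise an attacker could spray forged sequence numbers to push the window forward and make legitimate late packets look like replays.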

Simple Network Management Protocol (SNMP)—The protocol used for the management and monitoring of
network devices and their functions. An SNMP agent on each device exposes the device's status as
variables defined in a MIB (Management Information Base); the management console polls the agents for
those variables, and agents send traps to the console when notable events occur. SNMP versions 1 and 2c
authenticate with a community string sent in cleartext, so restrict SNMP access to the management
network.

SiteProtector—The ISS management console. SiteProtector can manage a variety of network assets, such as
appliances, agents, and sensors.

SMTP —Simple Mail Transfer Protocol (SMTP) is a set of rules for sending email messages between servers.
Messages are sent under the control of a message transport system. SMTP is also used to send messages
from a mail client to a mail server. SMTP uses TCP port 25.

Source Address—The IP address of the computer that sends the network packet.

Source NAT Rule—Translates internal, non-routable IP addresses to unique, routable IP addresses for outbound
network traffic. Source NAT Rules let computers inside your network communicate with computers on the
public network.

Source Port—The source port that the originating computer assigned to a network packet.

Source Whitelist —A Source Whitelist is a list of static IP addresses that can freely access the Internet from your
network. This is useful if specific users in your network need unrestricted Internet access.

Important: If you include a user on a Source Whitelist, then that user is exempt from all Web Filters. The
user can access any URL, domain, or IP address, even those included on the Destination Blacklist.

SPAM —Email that contains unsolicited advertisements or offensive content.

Spyware—Any technology that aids in gathering information about a person or organization without their
knowledge. On the Internet, an intruder can place programming on a user's computer to secretly gather
information and relay it to advertisers or other interested parties. An intruder can place spyware on a
computer as a software virus or as the result of installing a new program. Also called spybot or tracking
software.

SSH—Secure Shell provides secure logon for Windows and Unix clients and servers. SSH replaces telnet, ftp and
other remote logon utilities with an encrypted alternative.

SSL—Secure Sockets Layer. SSL certificates authenticate the appliance to SiteProtector when the connection
is established. The certificate's public key and the private key held by the appliance are used only to set
up the session; the data transferred over the SSL connection is then encrypted with symmetric session keys
that both ends derive during the handshake.

Stateful Firewall —The Stateful Firewall module supports traditional allow/deny rules by address/port, named
lists of objects, DHCP server, NAT, PAT, DHCP client, PPPoE (for DSL/cable connections) and ICSA
(certification pending).

stub domain—In IP networks, a local domain that uses IP addressing for local packet routing, such as a LAN (Local
Area Network), that only handles traffic originated or destined to hosts in the domain. To communicate
outside a stub domain, you must use NAT (Network Address Translation).


Subnet Mask—A 32-bit value that tells a host or routing device which bits of an IP address identify the
network (or subnetwork, "subnet") and which identify the host. Each "1" bit in the mask marks a bit of the
address that belongs to the network portion; each "0" bit marks a host bit. A device combines an address
with the mask using a bitwise AND to obtain the network address, and compares network addresses to decide
whether a destination is on the local subnet or must be sent to a router. Because the device examines only
the masked bits rather than the entire 32-bit address, forwarding decisions inside a subnet are fast.
Example: 192.168.10.37 with mask 255.255.255.0 gives network 192.168.10.0 and host 37; the same mask in
prefix notation is /24.

SYN Flood—Also referred to as a SYN attack, a denial of service attack that sends falsified TCP connection
requests (SYN packets) faster than the target computer can process them. The victim replies to each false
request and is left waiting for a confirmation that never arrives. When the table of half-open connections
fills up, all new connection requests are ignored. SYN floods rarely crash a computer, and after the
attacker stops, the network generally returns to a normal state. Newer or patched operating systems handle
their resources more efficiently but may still be vulnerable. Techniques such as improved memory
allocation, dropping specific incoming connections, RST cookies and SYN cookies, and reducing the timeout
for the confirmation help reduce the impact of a SYN flood. A SYN flood can be one part of a structured
attack, used to disable one side of a connection in TCP hijacking or to prevent authentication or
communication between servers.
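
The SYN cookie defence named above, as an added example that is not the appliance's stateful firewall code: the server folds a time counter, an MSS index and a keyed hash of the connection 4-tuple into the initial sequence number it sends in the SYN/ACK, keeps no entry for the half-open connection, and recovers everything it needs when the final ACK arrives. The bit layout, the MSS table and the secret are the example's own simplifications (the Linux scheme also folds in the client's sequence number).

```python
"""SYN cookies, as an added example of the defence mentioned above; this is a
simplified scheme, not the appliance's code and not the exact Linux layout."""
import hashlib
import hmac
import struct

MSS_TABLE = [536, 1220, 1452, 1460]   # constructed table; index fits in 2 bits
COOKIE_MAX_AGE = 1                    # accept cookies from this many ticks ago


def _hash24(secret: bytes, src: bytes, sport: int, dst: bytes, dport: int, count: int) -> int:
    """24-bit keyed hash of the connection 4-tuple and the time counter."""
    msg = struct.pack("!4sH4sHI", src, sport, dst, dport, count)
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(secret, src, sport, dst, dport, count, client_mss) -> int:
    """ISN for the SYN/ACK. Layout: 6-bit counter | 2-bit MSS index | 24-bit hash.
    The MSS index records the largest table entry not above the client's MSS."""
    mss_idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            mss_idx = i
    return ((count & 0x3F) << 26) | (mss_idx << 24) | _hash24(secret, src, sport, dst, dport, count)


def check_cookie(secret, src, sport, dst, dport, now, cookie):
    """Return the MSS to use if the cookie is genuine and fresh, else None.
    The server recomputes the hash instead of consulting a half-open table."""
    count = cookie >> 26
    mss_idx = (cookie >> 24) & 0x3
    h = cookie & 0xFFFFFF
    for age in range(COOKIE_MAX_AGE + 1):         # rebuild the full counter
        candidate = now - age
        if (candidate & 0x3F) == count and _hash24(secret, src, sport, dst, dport, candidate) == h:
            return MSS_TABLE[mss_idx]
    return None


def handle_ack(secret, src, sport, dst, dport, now, ack_number):
    """On the final ACK the cookie is ack_number - 1 (the client acks ISN + 1)."""
    return check_cookie(secret, src, sport, dst, dport, now, (ack_number - 1) & 0xFFFFFFFF)
```

Because the cookie is bound to the source address through the keyed hash, a spoofed SYN produces a SYN/ACK that only the real owner of that address can complete, which is exactly why the flood no longer consumes connection-table entries.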

t
TCP —Transmission Control Protocol (TCP) applies to connections between two hosts that exchange streams of
data.

traceroute—A utility that traces a packet from your computer to an Internet host, showing how many hops the
packet requires to reach the host and how long each hop takes. Traceroute originated on UNIX; Windows
provides the equivalent tracert utility.

Translated Address—The routable IP address that the appliance uses as the public-facing address for a computer
inside your network.

TTL—Time to Live. An 8-bit field in the IP header that the sender sets and that every router decrements by
one before forwarding the packet; a router that decrements it to zero discards the packet and returns an
ICMP "time exceeded" message. Although originally defined in seconds, in practice it works as a hop count.
It prevents a packet from circulating forever when a routing error creates a loop. Traceroute uses TTL
deliberately, sending probes with TTL 1, 2, 3, and so on, and recording which router answers each one.
See also Traceroute and UDP.

Tuning Parameter—Specify a tuning parameter as follows: To specify a boolean value of enabled, select Boolean,
and then select Enabled. To specify a boolean value of disabled, select Boolean, and then clear the Enabled
check box. To specify a numeric value, select Number, and then type a number in the Value field. To specify
a text value, select String, and then type the text in the Value field.

u
UDP—User Datagram Protocol (UDP) applies to a connectionless protocol that allows direct sending and receiving
of datagrams over an IP network.

URI—Uniform Resource Identifier. A string that identifies a resource, such as a page on the Internet. A URL
(Uniform Resource Locator) is the kind of URI that also says how to reach the resource, starting with the
scheme, such as http or https. Example: http://www.iss.net.

URL Blocking—When you enable Web Filters, URL Blocking is enabled by default. When URL blocking is enabled,
the appliance blocks all requests for URLs that belong to the Web Filter categories you select. If you disable
URL Blocking, the appliance logs requests for access to any URL, domain, or IP address in the Web Filter
categories you select, but does not block the requests.


v
Virtual IP addresses—Virtual IP addresses are configured on both the primary and secondary High Availability
appliances, but are enabled only on the primary appliance so that only the primary appliance is routing
network traffic. All external clients use these addresses to communicate with the HA cluster.

Virtual Gateway—The IP address of the default external gateway for the HA cluster. Example: 10.10.100.1

VPN—Virtual Private Network. An encrypted and authenticated tunnel that lets remote users and sites exchange
traffic over the public Internet as if they were on the same private network.

VPN Module—The Proventia M Series appliance accepts VPN connections from the following:
Site-to-Site: Remote office and partner
Clients: Home offices and mobile users

w
Web Filters —Specify which Web sites are available to users on your network. When you enable the Web Filter
Module, the M Series appliance blocks or allows access to Web sites based on Web Filter criteria that you
select.

wildlist—The WildList Organization International (http://www.wildlist.org) is a great source of information
about which viruses are spreading throughout the real world.

WINS—Windows Internet Naming Service. A proprietary Microsoft name resolution service that provides
dynamic NetBIOS name-to-IP address mapping, solving the problem of locating network resources that use
NetBIOS API calls on a TCP/IP network. WINS servers maintain computer (NetBIOS) names and IP addresses
automatically. In most cases WINS is used together with DHCP, which hands Windows computers the address
of the WINS server so that their names and IP addresses are registered dynamically.

x
XAuth—Extended Authentication. An extension to IKE that adds a second, user-level authentication step (a
user name and password, which the appliance can check against a RADIUS server) after the IKE Phase 1
gateway authentication, so that a remote client must prove both that it holds the VPN credentials and
that a valid user is behind it. Not to be confused with the xauth program of the X Window System, which
manages X server authorization records.

Index

a configuring SMTP 99
antivirus alerts 349
access 111 antivirus software, configuring 19
access policies 105 appliance models 6
high availability 49 appliance proxies 104
accessing appliance VPN components 145
Proventia Setup utility 8 authentication 183
adding an email response 94 authentication algorithms
adding an IPSEC policy 200–201 MD5 183
adding static IP addresses 332 Secure Hash Algorithm (SHA1) 183–184
address range list entry 137 authentication header 196
advanced parameters authentication header (AH) 201
database 303 authentication, PPPoE 77
agent 338
alert event log 14
alert logging b
disabling 92 blacklists 280
enabling 92 block percentage 256
alert types
blocking page 275
antivirus 349
boot server requirements 372
intrusion prevention 349
bootloader password 90
system 349
bootloader password, enabling 75
alerts for each module 10
alternative update serve 38
antispam
and delete threshold 266
c
configuring SMTP 99 certificates
email sender blacklist 268 prerequisites to installing 229
email sender whitelist 268 requesting 229
how it works 263 revocation list
installing 232
logging and events 267
removing 233
options 265
change 89
spam tagging sensitivity 265
change the date and time 336
statistics 268
changing
wildcards 269
DNS search path order 315
with firmware update 264
time zone settings 80
antivirus
comma separated values 357
configuration
required tasks 18
configure 72
configure an L2TP/IPSEC VPN connection 150
configuring 125
a RADIUS client and primary server 162
antivirus software 19

Proventia M Series Appliances User Guide Release 2.3


451
Index

appliance interfaces 18 deployment example 2


database parameters 419 high availability physical network 48
DHCP relay agent 19 high availability standard deployment 47
event notification 94 monitor IP logical network diagram 64
external interface 310–311 monitor IP physical deployment 63
firewall 18 Diffie-Hellman Group 184
high availability parameters 420 display DHCP leases 335
NAT list 136 DNS settings
notification responses for events 252, 397, 408, changing the search path order 315
411, 417–418 copying a search path 315
PPPoE authentication 77 removing a DNS search path 315
SMTP proxy 19 documentation, locating x
VPN xi, 19 downloading a saved log file 359
configuring DNS settings in Proventia Manager 329 DSA certificate requests 224
configuring IPSEC policies 200 dynamic address name 138
conventions, typographical dynamic nameserver assignment 74
in commands xiii
in procedures xiii
in this manual xiii e
copy DHCP leases 335
editing an IPSEC policy 201
copying a quarantine rule 256 email response
adding 94

d email sender blacklist 268


email sender whitelist 268
database enable high availability 56
advanced parameters 303 enabling the RADIUS client and server 162
and Web crawlers 301 encapsulating security payload (ESP) 201
categories 303 Encapsulating Security Protocol (ESP) 196
for existing customers 299 encapsulation methods
for SA 198 and IPSEC 195
information in 302 ESP 196
introduction 302 event 395
keyword searches 300 event notification 105
optical character recognition 300 events
pornography detection 300 configuring notification 94
recovery CD 303 response types 94
status descriptions 303 expiration time 256
text classification 300
visual object recognition 300
visual pornography detection 300 f
WebLearn feature 303 failover 4, 83
dead timeout 56 files
default NAT Configuration 136 comma separated values (.csv) 357
delete threshold 266 firewall configuration 18
destination address 104, 142 firewall/VPN protection status page 106
destination IP 256 force failover page 51
destination port 142, 256 FTP proxy 104
destination port number 104
device name 10
DHCP relay agent, configuring 19
diagrams

452
Index

g Web site xiv


intruder events 256
generate a license key file 16 intrusion prevention alerts 349
intrusion prevention signatures, updating 18
IPSEC 195
h supported protocols 196
IPSec 144
heartbeat 4 IPSEC policies
high 43 configuring 200
high availability 4
access policies 49
alternate node 60
configure the primary appliance 52
k
key information
configure the secondary appliance 53
used by key exchange 199
dedicated HA Interface 46
keyword searches 300
deployment 47
disabling HA 54
enabling 54
interface name 56
l
logical network diagram 47 L2TP 144, 218
monitor IP addresses 61 L2TP End Point IP Address 159, 218
NAT Policies 49 L2TP Host Name 218
physical network diagram 48 L2TP IP Address Pool 159, 218
reinitializing an appliance 70 L2TP Tunnel Authentication 218
replacing a failed appliance 70 license key file 16
requirements 49 license key file, installing 18
shared secret 57 licensing page 16
SiteProtector management 69 local domains
status information 67 editing 101
update requirements 68 log files
upgrading existing devices to use HA 51 downloading 359
virtual gateway 57 saving 357
virtual IPs 58
VPN policy considerations and other restrictions
high availability status 67
44
m
HTTP proxy 102, 104 managing system settings
creating a snap-shot file 336

i manual key management 199


manual or automatic updates 33
IANA 126, 141, 440 manual updates task overview 31
ICMP 82 message digest
ICMP Code 256 and authentication algorithms 183
ICMP Type 256 monitor IP Addresses 61
IKE policies monitoring internal and external connections 62
and RADIUS client 161
IKE SA information 106
important system messages 10
installing
license file 16
Internet Security Systems
technical support xiv

Proventia M Series Appliances User Guide Release 2.3



n
n 371
NAT policies 105
navigation 10
navigation pane 10
navigation procedures 15
network 310
network access server (NAS) 162
network protocols
  IPSEC 144
  L2TP 144
  PPTP 144
network protocols for VPN 144
notification responses 94
  Web Filters 285
o
optical character recognition 300
order of rules in the policy 112
overrides 283
ow 273
p
packet filtering 104
pam 299
passwords
  administrative 89
  bootloader 90
  changing 89
  root 89
ping a computer 82
policy states
  for IKE 106
POP3 proxy 104
pornography detection 300
port forwarding 141
PPPoE authentication 77
PPPoE options 77
PPTP 144
Pre-boot eXecution Environment (PXE) technology 371
primary appliance 4, 44
Primary Network Interface 317
protection status 10
protection status page 11
protocol 104, 256
protocol name 142
Proventia 8
Proventia Appliance Recovery CD 371, 375
proxy redirection rules 105
proxy redirection rules control 121
PXE
  boot server requirements 372
  setup diagram 373
q
quarantine file management 239, 243
quarantine rules management 255
quarantine rules table 256
quarantined files 243
quarantined intrusions 243
r
RADIUS client 161
RADIUS server 161
RADIUS server for authenticating user name/password 161
readme document xi
reboot 81
recommended tasks 19
  configure antivirus software 19
  configure SMTP proxy 19
  configure VPN 19
  create a DHCP relay agent 19
  update antivirus definitions 18
reconfigure the appliance 374
reconnect the PPPoE connection 82
recovery CD


  for Proventia appliance 371, 375
register the license key files 16
reinitialize a secondary appliance 83
reinstall the appliance software 373
reinstalling the appliance
  procedure 373
  reconfiguring 374
  required procedures 371, 375
  using the recovery CD 371, 375
relay IPs
  editing 100
release DHCP lease 83
removing a certificate revocation list 233
removing a quarantine rule 256
renew the DHCP lease 83
replacing a failed HA appliance 70
requests
  for DSA certificates 224
required tasks 18
  configure the firewall 18
  install license key file 18
  update intrusion prevention signatures 18
  update the firmware and Web Filter database 18
reset existing firewall connections 82
revocation list
  for certificates 232
rollback an update 25
root password 89
routine maintenance tasks 20
  statuses, viewing 20
  system backup 20
  system snapshot 20
routing device 104
s
saving the current log file 357
secondary appliance 4, 44
security associations (SAs) 198
  defining host communication 198
  statistics 107
security gateways 145
security parameter index (SPI) 199
self certificate
  process for creating 229
setting the time and date 79
shut down 81
SiteProtector
  and Primary Network Interface 317
SMTP
  and antivirus 3
  configuring 99
SMTP proxy 104
SMTP proxy, configuring 19
source address 104, 142
source IP 256
source port 256
source port number 104
spam 262
spam tagging 265
stages of NAT 127
static and dynamic NAT 128
statistics 236
subnodes 10
system alerts 349
system backup, creating 20
system messages 14
system reports 10
system snapshot, creating 20
system status 10
t
technical support, Internet Security Systems xiv
text classification 300
the 22
time and date
  changing settings for 79
traceroute 82
traceroute protocols 81
translated address 142
translated port 142
transmission control protocol (TCP) 201
transport mode 195
trust levels 39
trusted certificate authority
  installing 227
tunnel mode 195
tunneling 145
types of wizards 153
typographical conventions xiii
u
UDP 82
update an appliance, HA 36
update history table 32
updating
  antivirus definitions, updating 18


  firmware and Web Filter database 18
updating the appliances in HA 67
upgrading existing devices to HA 51
URL Blocking 285
user assigned nameservers 74
v
view 348
viewing a quarantine rule 256
Virtual 144
virtual gateway 57
virtual IP 4, 44, 449
virus quarantine 243
visual object recognition 300
VPN addresses
  configuring the RADIUS backup server 162
VPN and IPSec tunnels 145
VPN configuration 19
VPN settings
  configuring a RADIUS client 161
VPN technologies 144
VPN Users list 148
w
Web Filters
  and SiteProtector alerting 285
  and URL blocking 285
  blocking page 275
  categories 278
  category descriptions 291
  enabling 277
  introduction 274
  logging and events 285
  notification settings 285
  options 276
  overrides 283
  selecting filters 278
  statistics 289
  using blacklist or whitelist overrides 280
  using wildcards 280
Web site, Internet Security Systems xiv
WebLearn 303
whitelists 280
wide area network (WAN) 144
wildcards 280
Windows Internet Name Service (WINS) 334
x
XAuth to authenticate remote users via RADIUS 161
X-Press update server 38

Internet Security Systems, Inc. Software License Agreement
THIS SOFTWARE PRODUCT IS PROVIDED IN OBJECT CODE AND IS LICENSED, NOT SOLD. BY INSTALLING, ACTIVATING, COPYING OR OTHERWISE USING THIS SOFTWARE PRODUCT, YOU AGREE TO ALL OF THE PROVISIONS OF THIS SOFTWARE LICENSE AGREEMENT (“LICENSE”). IF YOU ARE NOT WILLING TO BE BOUND BY THIS LICENSE, RETURN ALL COPIES OF THE SOFTWARE PRODUCT AND LICENSE KEYS TO ISS WITHIN FIFTEEN (15) DAYS OF RECEIPT FOR A FULL REFUND OF ANY PAID LICENSE FEE. IF THE SOFTWARE PRODUCT WAS OBTAINED BY DOWNLOAD, YOU MAY CERTIFY DESTRUCTION OF ALL COPIES AND LICENSE KEYS IN LIEU OF RETURN.
1. License - Upon payment of the applicable fees, Internet Security Systems, Inc. (“ISS”) grants to you as the only end user (“Licensee”) a nonexclusive and nontransferable, limited license for the accompanying ISS software product and the related documentation (“Software”) and the associated license key(s) for use only on the specific network configuration, for the number and type of devices, and for the time period (“Term”) that are specified in ISS’ quotation and Licensee’s purchase order, as accepted by ISS. ISS limits use of Software based upon the number of nodes, users and/or the number and type of devices upon which it may be installed, used, gather data from, or report on, depending upon the specific Software licensed. A device includes any network addressable device connected to Licensee’s network, including remotely, including but not limited to personal computers, workstations, servers, routers, hubs and printers. A device may also include ISS hardware delivered with pre-installed Software and the license associated with such shall be a non-exclusive, nontransferable, limited license to use such pre-installed Software only in conjunction with the ISS hardware with which it is originally supplied and only during the usable life of such hardware. Except as provided in the immediately preceding sentence, Licensee may reproduce, install and use the Software on multiple devices, provided that the total number and type are authorized by ISS. Licensee acknowledges that the license key provided by ISS may allow Licensee to reproduce, install and use the Software on devices that could exceed the number of devices licensed hereunder. Licensee shall implement appropriate safeguards and controls to prevent loss or disclosure of the license key and unauthorized or unlicensed use of the Software. Licensee may make a reasonable number of backup copies of the Software and the associated license key solely for archival and disaster recovery purposes. In connection with certain Software products, ISS licenses security content on a subscription basis for a Term and provides Licensee with a license key for each such subscription. Content subscriptions are licensed pursuant to this License based upon the number of protected nodes or number of users. Security content is regularly updated and includes, but is not limited to, Internet content (URLs) and spam signatures that ISS classifies, security algorithms, checks, decodes, and ISS’ related analysis of such information, all of which ISS regards as its confidential information and intellectual property. Security content may only be used in conjunction with the applicable Software in accordance with this License. The use or re-use of such content for commercial purposes is prohibited. Licensee’s access to the security content is through an Internet update using the Software. In addition, unknown URLs may be automatically forwarded to ISS through the Software, analyzed, classified, entered into ISS’ URL database and provided to Licensee as security content updates at regular intervals. ISS’ URL database is located at an ISS facility or as a mirrored version on Licensee’s premises. Any access by Licensee to the URL database that is not in conformance with this License is prohibited. Upon expiration of the security content subscription Term, unless Licensee renews such content subscription, Licensee shall implement appropriate system configuration modifications to terminate its use of the content subscription. Upon expiration of the license Term, Licensee shall cease using the Software and certify return or destruction of it upon request.
2. Migration Utilities – For Software ISS markets or sells as a Migration Utility, the following shall apply. Provided Licensee holds a valid license to the ISS Software to which the Migration Utility relates (the “Original Software”), ISS grants to Licensee as the only end user a nonexclusive and nontransferable, limited license to the Migration Utility and the related documentation (“Migration Utility”) for use only in connection with Licensee’s migration of the Original Software to the replacement software, as recommended by ISS in the related documentation. The Term of this License is for as long as Licensee holds a valid license to the applicable Original Software. Licensee may reproduce, install and use the Migration Utility on multiple devices in connection with its migration from the Original Software to the replacement software. Licensee shall implement appropriate safeguards and controls to prevent unlicensed use of the Migration Utility. Licensee may make a reasonable number of backup copies of the Migration Utility solely for archival and disaster recovery purposes.
3. Third-party Products - Use of third party product(s) supplied hereunder, if any, will be subject solely to the manufacturer’s terms and conditions that will be provided to Licensee upon delivery. ISS will pass any third party product warranties through to Licensee to the extent authorized. If ISS supplies Licensee with Crystal Decisions Runtime Software, then the following additional terms apply: Licensee agrees not to alter, disassemble, decompile, translate, adapt or reverse-engineer the Runtime Software or the report file (.RPT) format, or to use, distribute or integrate the Runtime Software with any general-purpose report writing, data analysis or report delivery product or any other product that performs the same or similar functions as Crystal Decisions’ product offerings; Licensee agrees not to use the Software to create for distribution a product that converts the report file (.RPT) format to an alternative report file format used by any general-purpose report writing, data analysis or report delivery product that is not the property of Crystal Decisions; Licensee agrees not to use the Runtime Software on a rental or timesharing basis or to operate a service bureau facility for the benefit of third parties unless Licensee first acquires an Application Service Provider License from Crystal Decisions; Licensee may not use the Software or Runtime Software by itself or as part of a system to regularly deliver, distribute or share Reports outside of the Runtime Software environment: (a) to more than fifty (50) end users directly, or (b) to a location that is accessible to more than 50 end users without obtaining an additional license from Crystal Decisions; CRYSTAL DECISIONS AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESS, OR IMPLIED, INCLUDING WITHOUT LIMITATION THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. CRYSTAL DECISIONS AND ITS SUPPLIERS SHALL HAVE NO LIABILITY WHATSOEVER UNDER THIS AGREEMENT OR IN CONNECTION WITH THE SOFTWARE. In this section 3 “Software” means the Crystal Reports software and associated documentation supplied by ISS and any updates, additional modules, or additional software provided by Crystal Decisions in connection therewith; it includes Crystal Decisions’ Design Tools, Report Application Server and Runtime Software, but does not include any promotional software or other software products provided in the same package, which shall be governed by the online software license agreements included with such promotional software or software product.
4. Beta License – If ISS is providing Licensee with the Software, security content and related documentation as a part of an alpha or beta test, the following terms of this Section 4 additionally apply and supersede any conflicting provisions herein or any other license agreement accompanying, contained or embedded in the subject Beta Software or any associated documentation. ISS grants to Licensee a nonexclusive, nontransferable, limited license to use the ISS alpha/prototype software program, security content, if any, and any related documentation furnished by ISS (“Beta Software”) for Licensee’s evaluation and comment (the “Beta License”) during the Test Period. ISS’ standard test cycle, which may be extended at ISS’ discretion, extends for sixty (60) days, commencing on the date of delivery of the Beta Software (the “Test Period”). Upon expiration of the Test Period or termination of the License, Licensee shall, within thirty (30) days, return to ISS or destroy all copies of the Beta Software, and shall furnish ISS written confirmation of such return or destruction upon request. Licensee will provide ISS information reasonably requested by ISS regarding Licensee’s experiences with the installation and operation of the Beta Software. Licensee agrees that ISS shall have the right to use, in any manner and for any purpose, any information gained as a result of Licensee’s use and evaluation of the Beta Software. Such information shall include but not be limited to changes, modifications and corrections to the Beta Software. Licensee grants to ISS a perpetual, royalty-free, non-exclusive, transferable, sublicensable right and license to use, copy, make derivative works of and distribute any report, test result, suggestion or other item resulting from Licensee’s evaluation of its installation and operation of the Beta Software. If Licensee is ever held or deemed to be the owner of any copyright rights in the Beta Software or any changes, modifications or corrections to the Beta Software, then Licensee hereby irrevocably assigns to ISS all such rights, title and interest and agrees to execute all documents necessary to implement and confirm the letter and intent of this Section. Licensee acknowledges and agrees that the Beta Software (including its existence, nature and specific features) constitutes Confidential Information as defined in Section 18. Licensee further agrees to treat as Confidential Information all feedback, reports, test results, suggestions, and other items resulting from Licensee’s evaluation and testing of the Beta Software as contemplated in this Agreement. With regard to the Beta Software, ISS has no obligation to provide support, maintenance, upgrades, modifications, or new releases. However, ISS agrees to use its reasonable efforts to correct errors in the Beta Software and related documentation within a reasonable time, and will provide Licensee with any corrections it makes available to other evaluation participants. The documentation relating to the Beta Software may be in draft form and will, in many cases, be incomplete. Owing to the experimental nature of the Beta Software, Licensee is advised not to rely exclusively on the Beta Software for any reason. LICENSEE AGREES THAT THE BETA SOFTWARE AND RELATED DOCUMENTATION ARE BEING DELIVERED “AS IS” FOR TEST AND EVALUATION PURPOSES ONLY WITHOUT WARRANTIES OF ANY KIND, INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTY OF NONINFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. LICENSEE ACKNOWLEDGES AND AGREES THAT THE BETA SOFTWARE MAY CONTAIN DEFECTS, PRODUCE ERRONEOUS AND UNINTENDED RESULTS AND MAY AFFECT DATA NETWORK SERVICES AND OTHER MATERIALS OF LICENSEE. LICENSEE’S USE OF THE BETA SOFTWARE IS AT THE SOLE RISK OF LICENSEE. IN NO EVENT WILL ISS BE LIABLE TO LICENSEE OR ANY OTHER PERSON FOR DAMAGES, DIRECT OR INDIRECT, OF ANY NATURE, OR EXPENSES INCURRED BY LICENSEE. LICENSEE’S SOLE AND EXCLUSIVE REMEDY SHALL BE TO TERMINATE THE BETA SOFTWARE LICENSE BY WRITTEN NOTICE TO ISS.
5. Evaluation License - If ISS is providing Licensee with the Software, security content and related documentation on an evaluation trial basis at no cost, such license Term is 30 days from installation, unless a longer period is agreed to in writing by ISS. ISS recommends using Software and security content for evaluation in a non-production, test environment. The following terms of this Section 5 additionally apply and supersede any conflicting provisions herein. Licensee agrees to remove or disable the Software and security content from the authorized platform and return the Software, security content and documentation to ISS upon expiration of the evaluation Term unless otherwise agreed by the parties in writing. ISS has no obligation to provide support, maintenance, upgrades, modifications, or new releases to the Software or security content under evaluation. LICENSEE AGREES THAT THE EVALUATION SOFTWARE, SECURITY CONTENT AND RELATED DOCUMENTATION ARE BEING DELIVERED “AS IS” FOR TEST AND EVALUATION PURPOSES ONLY WITHOUT WARRANTIES OF ANY KIND, INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTY OF NONINFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT WILL ISS BE LIABLE TO LICENSEE OR ANY OTHER PERSON FOR DAMAGES, DIRECT OR INDIRECT, OF ANY NATURE, OR EXPENSES INCURRED BY LICENSEE. LICENSEE’S SOLE AND EXCLUSIVE REMEDY SHALL BE TO TERMINATE THE EVALUATION LICENSE BY WRITTEN NOTICE TO ISS.
6. Covenants - ISS reserves all intellectual property rights in the Software, security content and Beta Software. Licensee agrees: (i) the Software, security content or Beta Software is owned by ISS and/or its licensors, is a valuable trade secret of ISS, and is protected by copyright laws and international treaty provisions; (ii) to take all reasonable precautions to protect the Software, security content or Beta Software from unauthorized access, disclosure, copying or use; (iii) not to modify, adapt, translate, reverse engineer, decompile, disassemble, or otherwise attempt to discover the source code of the Software, security content or Beta Software; (iv) not to use ISS trademarks; (v) to reproduce all of ISS’ and its licensors’ copyright notices on any copies of the Software, security content or Beta Software; and (vi) not to transfer, lease, assign, sublicense, or distribute the Software, security content or Beta Software or make it available for time-sharing, service bureau, managed services offering, or on-line use.
7. Support and Maintenance – Depending upon what maintenance programs Licensee has purchased, ISS will provide maintenance, during the period for which Licensee has paid the applicable maintenance fees, in accordance with its prevailing Maintenance and Support Policy that is available at http://documents.iss.net/maintenance_policy.pdf. Any supplemental Software code or related materials that ISS provides to Licensee as part of any support and maintenance service are to be considered part of the Software and are subject to the terms and conditions of this License, unless otherwise specified.
8. Limited Warranty - The commencement date of this limited warranty is the date on which ISS furnishes to Licensee the license key for the Software. For a period of ninety (90) days after the commencement date or for the Term (whichever is less), ISS warrants that the Software or security content will conform to material operational specifications described in its then current documentation. However, this limited warranty shall not apply unless (i) the Software or security content is installed, implemented, and operated in accordance with all written instructions and documentation supplied by ISS, (ii) Licensee notifies ISS in writing of any nonconformity within the warranty period, and (iii) Licensee has promptly and properly installed all corrections, new versions, and updates made available by ISS to Licensee. Furthermore, this limited warranty shall not apply to nonconformities arising from any of the following: (i) misuse of the Software or security content, (ii) modification of the Software or security content, (iii) failure by Licensee to utilize compatible computer and networking hardware and software, or (iv) interaction with software or firmware not provided by ISS. If Licensee timely notifies ISS in writing of any such nonconformity, then ISS shall repair or replace the Software or security content or, if ISS determines that repair or replacement is impractical, ISS may terminate the applicable licenses and refund the applicable license fees, as the sole and exclusive remedies of Licensee for such nonconformity. THIS WARRANTY GIVES LICENSEE SPECIFIC LEGAL RIGHTS, AND LICENSEE MAY ALSO HAVE OTHER RIGHTS THAT VARY FROM JURISDICTION TO JURISDICTION. ISS DOES NOT WARRANT THAT THE SOFTWARE OR THE SECURITY CONTENT WILL MEET LICENSEE’S REQUIREMENTS, THAT THE OPERATION OF THE SOFTWARE OR SECURITY CONTENT WILL BE UNINTERRUPTED OR ERROR-FREE, OR THAT ALL SOFTWARE OR SECURITY CONTENT ERRORS WILL BE CORRECTED. LICENSEE UNDERSTANDS AND AGREES THAT THE SOFTWARE AND THE SECURITY CONTENT ARE NO GUARANTEE AGAINST UNSOLICITED E-MAILS, UNDESIRABLE INTERNET CONTENT, INTRUSIONS, VIRUSES, TROJAN HORSES, WORMS, TIME BOMBS, CANCELBOTS OR OTHER SIMILAR HARMFUL OR DELETERIOUS PROGRAMMING ROUTINES AFFECTING LICENSEE’S NETWORK, OR THAT ALL SECURITY THREATS AND VULNERABILITIES, UNSOLICITED E-MAILS OR UNDESIRABLE INTERNET CONTENT WILL BE DETECTED OR THAT THE PERFORMANCE OF THE SOFTWARE AND SECURITY CONTENT WILL RENDER LICENSEE’S SYSTEMS INVULNERABLE TO SECURITY BREACHES. THE REMEDIES SET OUT IN THIS SECTION 8 ARE THE SOLE AND EXCLUSIVE REMEDIES FOR BREACH OF THIS LIMITED WARRANTY.
9. Warranty Disclaimer - EXCEPT FOR THE LIMITED WARRANTY PROVIDED ABOVE, THE SOFTWARE AND SECURITY CONTENT ARE EACH PROVIDED “AS IS” AND ISS HEREBY DISCLAIMS ALL WARRANTIES, BOTH EXPRESS AND IMPLIED, INCLUDING IMPLIED WARRANTIES RESPECTING MERCHANTABILITY, TITLE, NONINFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE. LICENSEE EXPRESSLY ACKNOWLEDGES THAT NO REPRESENTATIONS OTHER THAN THOSE CONTAINED IN THIS LICENSE HAVE BEEN MADE REGARDING THE GOODS OR SERVICES TO BE PROVIDED HEREUNDER, AND THAT LICENSEE HAS NOT RELIED ON ANY REPRESENTATION NOT EXPRESSLY SET OUT IN THIS LICENSE.
10. Proprietary Rights - ISS represents and warrants that ISS has the authority to license the rights to the Software and security content that are granted herein. ISS shall defend and indemnify Licensee from any final award of costs and damages against Licensee for any actions based on infringement of any U.S. copyright, trade secret, or patent as a result of the use or distribution of a current, unmodified version of the Software and security content, but only if ISS is promptly notified in writing of any such suit or claim, and only if Licensee permits ISS to defend, compromise, or settle same, and only if Licensee provides all available information and reasonable assistance. The foregoing is the exclusive remedy of Licensee and states the entire liability of ISS with respect to claims of infringement or misappropriation relating to the Software and security content.
11. Limitation of Liability - ISS’ ENTIRE LIABILITY FOR MONETARY DAMAGES ARISING OUT OF THIS LICENSE SHALL BE LIMITED TO THE AMOUNT OF THE LICENSE FEES ACTUALLY PAID BY LICENSEE UNDER THIS LICENSE, PRORATED OVER A THREE-YEAR TERM FROM THE DATE LICENSEE RECEIVED THE SOFTWARE OR SECURITY CONTENT, AS APPLICABLE. IN NO EVENT SHALL ISS BE LIABLE TO LICENSEE UNDER ANY THEORY INCLUDING CONTRACT AND TORT (INCLUDING NEGLIGENCE AND STRICT PRODUCTS LIABILITY) FOR ANY SPECIAL, PUNITIVE, INDIRECT, INCIDENTAL OR CONSEQUENTIAL DAMAGES, INCLUDING, BUT NOT LIMITED TO, COSTS OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, DAMAGES FOR LOST PROFITS, LOSS OF DATA, LOSS OF USE, OR COMPUTER HARDWARE MALFUNCTION, EVEN IF ISS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
12. Termination - Licensee may terminate this License at any time by notifying ISS in writing. All rights granted under this License will terminate immediately, without prior written notice from ISS, at the end of the term of the License, if not perpetual. If Licensee fails to comply with any provisions of this License, ISS may immediately terminate this License if such default has not been cured within ten (10) days following written notice of default to Licensee. Upon termination or expiration of a license for Software, Licensee shall cease all use of such Software, including Software pre-installed on ISS hardware, and destroy all copies of the Software and associated documentation. Termination of this License shall not relieve Licensee of its obligation to pay all fees incurred prior to such termination and shall not limit either party from pursuing any other remedies available to it.
13. General Provisions - This License, together with the identification of the Software and/or security content, pricing and payment terms stated in the applicable ISS quotation and Licensee purchase order (if applicable) as accepted by ISS, constitute the entire agreement between the parties respecting its subject matter. Standard and other additional terms or conditions contained in any purchase order or similar document are hereby expressly rejected and shall have no force or effect. ISS Software and security content are generally delivered to Customer by supplying Customer with license key data. If Customer has not already downloaded the Software, security content and documentation, then it is available for download at http://www.iss.net/download/. All ISS hardware with pre-installed Software and any other products not delivered by download are delivered f.o.b. origin. This License will be governed by the substantive laws of the State of Georgia, USA, excluding the application of its conflicts of law rules. This License will not be governed by the United Nations Convention on Contracts for the International Sale of Goods, the application of which is expressly excluded. If any part of this License is found void or unenforceable, it will not affect the validity of the balance of the License, which shall remain valid and enforceable according to its terms. This License may only be modified in writing signed by an authorized officer of ISS.
14. Notice to United States Government End Users - Licensee acknowledges that any Software and security content furnished under this License is commercial computer software and any documentation is commercial technical data developed at private expense and is provided with RESTRICTED RIGHTS. Any use, modification, reproduction, display, release, duplication or disclosure of this commercial computer software by the United States Government or its agencies is subject to the terms, conditions and restrictions of this License in accordance with the United States Federal Acquisition Regulations at 48 C.F.R. Section 12.212 and DFAR Subsection 227.7202-3 and Clause 252.227-7015 or applicable subsequent regulations. Contractor/manufacturer is Internet Security Systems, Inc., 6303 Barfield Road, Atlanta, GA 30328, USA.
15. Export and Import Controls; Use Restrictions - Licensee will not transfer, export, or reexport the Software, security content, any related technology, or any direct product of either except in full compliance with the export controls administered by the United States and other countries and any applicable import and use restrictions. Licensee agrees that it will not export or reexport such items to anyone on the U.S. Treasury Department’s list of Specially Designated Nationals or the U.S. Commerce Department’s Denied Persons List or Entity List or such additional lists as may be issued by the U.S. Government from time to time, or to any country to which the United States has embargoed the export of goods (currently Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria) or for use with chemical or biological weapons, sensitive nuclear end-uses, or missiles. Licensee represents and warrants that it is not located in, under control of, or a national or resident of any such country or on any such list. Many ISS software products include encryption and export outside of the United States or Canada is strictly controlled by U.S. laws and regulations. ISS makes its current export classification information available at http://www.iss.net/export. Please contact ISS’ Sourcing and Fulfillment for export questions relating to the Software or security content (fulfillment@iss.net). Licensee understands that the foregoing obligations are U.S. legal requirements and agrees that they shall survive any term or termination of this License.
16. Authority - Because the Software is designed to test or monitor the security of computer network systems and may disclose or create problems in the operation of the systems tested, Licensee and the persons acting for Licensee represent and warrant that: (a) they are fully authorized by the Licensee and the owners of the computer network for which the Software is licensed to enter into this License and to obtain and operate the Software in order to test and monitor that computer network; (b) the Licensee and the owners of that computer network understand and accept the risks involved; and (c) the Licensee shall procure and use the Software in accordance with all applicable laws, regulations and rules.
17. Disclaimers - Licensee acknowledges that some of the Software and security content is designed to test the security of computer networks and may disclose or create problems in the operation of the systems tested. Licensee further acknowledges that neither the Software nor security content is fault tolerant or designed or intended for use in hazardous environments requiring fail-safe operation, including, but not limited to, aircraft navigation, air traffic control systems, weapon systems, life-support systems, nuclear facilities, or any other applications in which the failure of the Software and security content could lead to death or personal injury, or severe physical or property damage. ISS disclaims any implied warranty of fitness for High Risk Use. Licensee accepts the risk associated with the foregoing disclaimers and hereby waives all rights, remedies, and causes of action against ISS and releases ISS from all liabilities arising therefrom.
18. Confidentiality - “Confidential Information” means all information proprietary to a party or its suppliers that is marked as confidential. Each party acknowledges that during the term of this Agreement, it will be exposed to Confidential Information of the other party. The obligations of the party (“Receiving Party”) which receives Confidential Information of the other party (“Disclosing Party”) with respect to any particular portion of the Disclosing Party’s Confidential Information shall not attach or shall terminate when any of the following occurs: (i) it was in the public domain or generally available to the public at the time of disclosure to the Receiving Party, (ii) it entered the public domain or became generally available to the public through no fault of the Receiving Party subsequent to the time of disclosure to the Receiving Party, (iii) it was or is furnished to the Receiving Party by a third party having the right to furnish it with no obligation of confidentiality to the Disclosing Party, or (iv) it was independently developed by the Receiving Party by individuals not having access to the Confidential Information of the Disclosing Party. Each party acknowledges that the use or disclosure of Confidential Information of the Disclosing Party in violation of this License could severely and irreparably damage the economic interests of the Disclosing Party. The Receiving Party agrees not to disclose or use any Confidential Information of the Disclosing Party in violation of this License and to use Confidential Information of the Disclosing Party solely for the purposes of this License. Upon demand by the Disclosing Party and, in any event, upon expiration or termination of this License, the Receiving Party shall return to the Disclosing Party all copies of the Disclosing Party’s Confidential Information in the Receiving Party’s possession or control and destroy all derivatives and other vestiges of the Disclosing Party’s Confidential Information obtained or created by the Disclosing Party. All Confidential Information of the Disclosing Party shall remain the exclusive property of the Disclosing Party.
19. Compliance - From time to time, ISS may request Licensee to provide a certification that the Software and security content is being used in accordance with the terms of this License. If so requested, Licensee shall verify its compliance and deliver its certification within forty-five (45) days of the request. The certification shall state Licensee’s compliance or non-compliance, including the extent of any non-compliance. ISS may also, at any time, upon thirty (30) days prior written notice, at its own expense appoint a nationally recognized software use auditor, to whom Licensee has no reasonable objection, to audit and examine use and records at Licensee offices during normal business hours, solely for the purpose of confirming that Licensee’s use of the Software and security content is in compliance with the terms of this License. ISS will use commercially reasonable efforts to have such audit conducted in a manner such that it will not unreasonably interfere with the normal business operations of Licensee. If such audit should reveal that use of the Software or security content has been expanded beyond the scope of use and/or the number of Authorized Devices or Licensee certifies such non-compliance, ISS shall have the right to charge Licensee the applicable current list prices required to bring Licensee in compliance with its obligations hereunder with respect to its current use of the Software and security content. In addition to the foregoing, ISS may pursue any other rights and remedies it may have at law, in equity or under this License.
20. Data Protection - The data needed to process this transaction will be stored by ISS and may be forwarded to companies affiliated with ISS and possibly to Licensee’s vendor within the framework of processing Licensee’s order. All personal data will be treated confidentially.
Revised March 16, 2004.
