
User Manual for SifoWorks D


Contents

1. (Chapter 6, Virtual Private Networks) Each of the steps above is briefly introduced in the table below.
   Operation / Description:
   - Configuring Basic Network Settings: the configuration of virtual ports, VLANs, IP addresses and routes necessary to connect SifoWorks to the network. Note that you should assign the outgoing ports for VPN connections to Virtual Port 2. For details on these settings, refer to 3.2 Setting up the Basic Network Settings.
   - Enable VPN: N/A.
   - Select Outgoing Interface: select the VLAN assigned with data ports in Virtual Port 2 to use these data ports as the outgoing interface for VPN connections.
   - Adding Certificates: add the root CA, local CA and remote CA if needed for IKE authentication. Skip this step if you are using the shared private key method for IKE authentication.
   - Adding IKE: add the IKE (Internet Key Exchange) record used to establish VPN connections.
   - Adding Address Objects: add address objects representing the two end points of a VPN connection.
   - Adding VPN Connections: N/A.
   APPLICATION EXAMPLE 1: REMOTE ACCESS. A system administrator wants to set up SifoWorks to implement IPsec VPN in the network shown below, so as to provide secured remote access to internal resources for mobile employees.
   [Figure: VPN tunnel between a remote mobile client and SifoWorks at 211.192.98.220, with the internal network 192.168.1.0/24]
2. ARP (Address Resolution Protocol)
   Address Resolution Protocol is used to map an IP address to a MAC address during the transmission of data packets.
   ARP Cache: an ARP cache records IP-to-MAC mappings in a temporary cache on all hosts with the TCP/IP protocol installed. Example: host A sends data to host B. Before sending a packet, host A checks its own ARP table for host B's IP address. If found, host A obtains host B's MAC address from the ARP table; otherwise host A sends a broadcast packet through the network to obtain host B's MAC address and updates its own ARP cache accordingly. The ARP cache uses an aging mechanism: any entries that were unused for a period of time are removed from the ARP cache.
   Dynamic ARP: dynamic ARP entries are generated during successful address resolutions. These entries are automatically removed from the host after a period of time. The SifoWorks dynamic ARP table lists all dynamic ARP entries.
   Static ARP: these are ARP entries manually added into the system. Static ARP entries are not automatically deleted by the system. Hence, storing static ARP entries can reduce the security risk from ARP spoofing or IP spoofing attacks. You can manually add static ARP entries from the Network > ARP Setting interface. You can also move selected dynamic ARP entries to the static ARP table.
   (Chapter 3, Network Configuration, page 82)
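Added example, not from the SifoWorks manual or O2Security: a small Python monitor that applies the static-versus-dynamic ARP distinction described in entry 2. It pins a set of static entries, compares a snapshot of the dynamic ARP table against them, and flags two indicators that the entry's security note is concerned with: a learned MAC that contradicts a pinned static entry, and one MAC claiming several IP addresses. The `IP MAC TYPE` line format, the table contents and the function names are constructed for this example; the device's own table format is not shown on this page.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ArpEntry:
    ip: str
    mac: str
    kind: str  # "static" (pinned by the administrator) or "dynamic" (learned)


# Constructed sample tables; the 'IP MAC TYPE' layout is this example's own,
# not the SifoWorks Network > ARP Setting display format.
STATIC_TABLE = """
192.168.1.1   00:11:22:33:44:55  static
"""

DYNAMIC_TABLE = """
192.168.1.1   aa:bb:cc:dd:ee:ff  dynamic
192.168.1.20  aa:bb:cc:dd:ee:ff  dynamic
192.168.1.30  00:11:22:33:44:66  dynamic
"""


def parse_arp_table(text: str) -> List[ArpEntry]:
    """Parse one 'IP MAC TYPE' entry per line; malformed lines are skipped."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ip, mac, kind = parts
        entries.append(ArpEntry(ip, mac.lower(), kind.lower()))
    return entries


def effective_table(static: List[ArpEntry], dynamic: List[ArpEntry]) -> Dict[str, str]:
    """Resolve IP -> MAC with static entries taking precedence over learned ones.

    This is the property the manual relies on: a static entry is never
    replaced by a learned reply, so a spoofed reply cannot redirect it.
    """
    table = {e.ip: e.mac for e in dynamic}
    table.update({e.ip: e.mac for e in static})  # static entries win
    return table


def find_spoof_indicators(static: List[ArpEntry],
                          dynamic: List[ArpEntry]) -> List[Tuple[str, str]]:
    """Return (subject, reason) pairs for entries that look like ARP spoofing."""
    findings = []
    pinned = {e.ip: e.mac for e in static}
    # 1. A learned mapping that contradicts a pinned static entry.
    for e in dynamic:
        if e.ip in pinned and pinned[e.ip] != e.mac:
            findings.append((e.ip, f"learned MAC {e.mac} conflicts with static MAC {pinned[e.ip]}"))
    # 2. One MAC answering for several IP addresses, a classic spoofing symptom.
    ips_by_mac = defaultdict(set)
    for e in static + dynamic:
        ips_by_mac[e.mac].add(e.ip)
    for mac, ips in sorted(ips_by_mac.items()):
        if len(ips) > 1:
            findings.append((mac, f"MAC answers for {len(ips)} IPs: {', '.join(sorted(ips))}"))
    return findings


if __name__ == "__main__":
    static = parse_arp_table(STATIC_TABLE)
    dynamic = parse_arp_table(DYNAMIC_TABLE)
    for subject, reason in find_spoof_indicators(static, dynamic):
        print(f"ALERT {subject}: {reason}")
    print("effective table:", effective_table(static, dynamic))
```

On the constructed sample the monitor reports two findings: the learned MAC for 192.168.1.1 conflicts with the pinned entry, and aa:bb:cc:dd:ee:ff answers for two addresses. The effective table still resolves 192.168.1.1 to the static MAC, which is the benefit of moving gateway and server entries to the static table as the entry describes.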
3. From the left menu bar, select VPN > VPN Connection to view the list of VPN connections. Click Add New VPN. In the Add New VPN Connection interface, configure as follows: Connection Name: RemoteConnect; Local Subnet: Local; Remote Subnet: roadwarrior; Using Tunnel: Using IKE, RemoteIKE; State: Start.
   Note: If the remote subnet of this VPN connection is dynamic (such as a mobile client end), select the address object roadwarrior for the Remote Subnet field. In this situation, VPN connections can only be initiated from the remote clients.
   (Chapter 6, Virtual Private Networks)
   [Screenshot: Add New VPN Connection dialog showing Connection Name, Local Subnet, Remote Subnet, Using Tunnel (Using Manual / Using IKE), State (Start / Stop), Route and Backup Connection, with Save and Cancel]
   (4) Click Save to add this VPN connection to the list.
   APPLICATION EXAMPLE 2: SITE-TO-SITE ACCESS. Two SifoWorks devices are deployed by the company, one in its HQ office network and another in its branch office network. To provide secured access between the branch and HQ networks, the system administrators at each network must set up their respective SifoWorks device such that both devices are connected via a site-to-site VPN connection. The network topology is shown below.
   [Figure: VPN tunnel between the branch SifoWorks and the HQ SifoWorks across the WAN]
4. ...tab, enter the User Name and Password used to authenticate SifoWorks when establishing the connection.
   Note: You can also select a schedule (weekly schedule object) in the Schedule drop-down menu. The system will attempt to establish or disconnect the PPPoE connection according to the schedule automatically.
   (3) Click Save to save the settings.
   (4) Click Next > to view the Connection tab. Here you can click Start: the system will begin to dial the connection. Once connected, you can view various connection information, such as the IP address and gateway, from the Monitor tab. Click Stop to disconnect the connection.
   (Chapter 3, Network Configuration, page 75)
   3.6 Specifying DNS Servers
   To specify the IP addresses of the DNS servers to be connected to SifoWorks, so that the system is equipped with domain name resolution capability.
   CONFIGURATION PROCEDURE
   Step 1: Log in to SifoWorks via a read/write administrator account.
   Step 2: From the left menu bar, select Network > DNS Setting.
   Step 3: Enter the IP address of the Primary DNS server.
   Step 4: Enter the IP address of the Secondary DNS server.
   Step 5: Click Save to save the configuration.
   3.7 Configuring DDNS
   You can connect SifoWorks to a DDNS (Dynamic Domain Name System) server to provide the DDNS service. This allows users to establish dynamic VPN connections under the PPPoE access method. I...
5. Breathing Life into Security. SifoWorks D Series 3.04 Firewall User Manual, OD1300UME01 1.3.
   NOTICE: No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without receiving written permission from O2Security. O2Security and its subsidiaries reserve the right to make changes to their documents and/or products, or to discontinue any product or service without notice, and advise customers to obtain the latest version of relevant information to verify, before placing orders, that information being relied on is current and complete. All products are sold subject to the terms and conditions of sale supplied at the time of order acknowledgement, including those pertaining to warranty, patent infringement and limitation of liability. O2Security warrants performance of its products to the specifications applicable at the time of sale, in accordance with O2Security's standard warranty. Testing and other quality control techniques are utilized to the extent O2Security deems necessary to support this warranty. Specific testing of all parameters of each device is not necessarily performed, except those mandated by government requirements. Customer acknowledges that O2Security products are not designed, manufactured or intended for incorporation into any systems or products intended for use in connection with life support or other hazardous activities or environments in which the fa...
6. ...Description: sina, sohu, 163, china, chinaren, google. Select File: click Browse and select the text file containing the list of URLs created earlier (myURL.txt).
   (Chapter 4, Firewall Rule Management)
   [Screenshot: Add URL dialog with Description, URL List, Pattern / Operation options (File List, Keyword Pattern, Wildcards, Regular Expression), Save and Return]
   (6) Click Save. The interface will refresh to display a new entry in the File List.
   (7) Click Return to save this URL object and return to the URL content filtering object list.
   (page 103)
   Step 3: Add a web content filtering rule.
   (1) From the left menu bar, select Firewall > Content Filtering. The Web Filter tab interface will be displayed.
   (2) Click Add Web Filtering at the bottom of the web filtering rule list.
   (3) In the displayed interface, configure: Name: forbid_popular; Prohibited URL: myURL; Description: forbid accesses to sina, sohu, 163, china, chinaren, google.
   [Screenshot: Add Web Filtering Rule dialog showing Name forbid_popular, Prohibited URL myURL, URL WhiteList NONE, Prohibited HTTP Method (Get, Put, Head, Options, Connect), Prohibited Keyword NONE, Erase Item (JavaScript, Java Applet, ActiveX, Cookie), Proh...]
7. From the left menu bar, select Object > Address to display the list of address objects. Click Add New Address and configure as follows: Name: Local; IP: 10.1.1.0; Netmask: 255.255.255.0. Click Save to add the new address object.
   Step 5: Add VPN connection.
   (1) From the left menu bar, select VPN > VPN Connection to view the list of VPN connections. Click Add New VPN. In the Add New VPN Connection interface, configure as follows: Connection Name: RemoteConnect; Local Subnet: Local; Remote Subnet: roadwarrior; Using Tunnel: Using IKE, RemoteIKE; State: Start.
   Note: If the remote subnet of this VPN connection is dynamic (such as a mobile client end), select the address object roadwarrior for the Remote Subnet field. In this situation, VPN connections can only be initiated from the remote clients.
   (Chapter 11, Device Deployment Example, page 245)
   [Screenshot: Add New VPN Connection dialog showing Connection Name RemoteConnect, Local Subnet, Remote Subnet roadwarrior, Using Tunnel: Using IKE RemoteIKE, State (Start / Stop), Route, Backup Connection]
   (4) Click Save to add this VPN connection to the list.
   11.6.2 Testing the Configuration
   This procedure tests the system to check whether the SifoWorks VPN function has been correctly configured.
   Step 1: From a host in the WAN network, install an IPsec VPN client software. Th...
8. - Ping Result: view the result of the executed Ping commands.
   - Trace Route: executes the Traceroute command to check connectivity between SifoWorks and external networks.
   - Trace Route Result: view the result of the executed Traceroute commands.
   - Log Server: configure the system's log server.
   - Log Global: specify the maximum number of log entries to store for each log type, and set up the policy for deleting log entries. From this interface you can also select whether to record the DNS log, the ICMP log, and a log of all data packets that do not match any filter rules.
   - Log Export: export logs to an external FTP server.
   - Log Filter: specify criteria to filter the logs of each log type that are to be stored locally (LocalDB) or remotely (Server1 to Server4). You can also specify filter criteria to select the logs that are to be sent via email (EmailAlert) or exported to an FTP server. This allows you to store only the necessary logs. The system further enhances user convenience when viewing logged information by allowing you to specify the format of the logs for each log type.
   - Email Alert: enable and set up the log email alert function, including configuring the email address to receive log files and the time interval between each mail sent.
   - Admin Log: search and view administrative logs.
   - System Log: search and view system logs.
   - Security Log: search and view security logs.
   - Traffic Log: search and view t...
9. When enabled:
   - You will be able to view various information, including the assigned IP address, gateway and DNS server. Click Refresh to view the Status of the connection between the DHCP server and SifoWorks. The possible statuses are Connecting, Connected and Failed. Click Release to release the currently assigned IP address; you can then manually add another static IP address or select to obtain a new IP dynamically.
   - When an IP address is dynamically assigned and a static route specifying the default gateway corresponding to the VLAN has not been added, SifoWorks automatically adds the gateway address obtained from the DHCP server as a static route in the Network > Route Setting list. For example, if the dynamic IP address obtained is 192.168.1.100 / 255.255.0.0 and the gateway is 192.168.0.1, SifoWorks will generate a static route using 192.168.0.1 as the default gateway for the network segment 0.0.0.0 / 0.0.0.0. This operation is not executed if a static route has already been added prior to the dynamic IP assignment.
   - If the system has been configured to assign DNS information when assigning dynamic IP addresses, and no DNS server address has been added in the Network > DNS Setting interface, the system automatically sets up the SifoWorks DNS setting using the DNS information obtained.
   - If a VLAN has been configured with the DHCP service (either DHCP server or DHCP relay server)...
10. ...has been properly set up according to the configurations above and operates correctly in the network.
   Warning: During the testing process, if any network services are disconnected due to errors in filter rule operations, you can add an Accept All filter rule to identify the error. If you are unable to resolve the problem, please restore your network to the state before SifoWorks was deployed and contact O2Security's technical support personnel.
   Step 1: Connecting SifoWorks to the networks.
   Note: This step explains how to connect the SifoWorks data ports to the network. Skip this step if your device is already connected to the network according to the example topology. Using network cables, connect the LAN domain to the device's FE0 port, the WAN domain to the FE1 port, and the DMZ domain to the FE2 port.
   Step 2: Check WAN-to-DMZ access. Attempt to access the Web server in the DMZ domain from a host in the WAN domain, using the address http://211.192.98.220. If you can successfully access the server, move to the next step. If you are unable to access the server, the WAN-to-DMZ filter rule or the DMZ's DNAT rule may be incorrect; check these rules and make any modifications required.
   Step 3: Check LAN-to-DMZ access. Attempt to access the Web server in the DMZ domain from a host in the LAN domain, using the address http://211.192.98.220. If you can successfully access the server, please move to the...
11. ...interface will be displayed. Configure as follows: IKE Name: RemoteIKE; Remote Gateway: Dynamic; NextHop: 211.192.98.217.
   [Screenshot: Add New IKE dialog with tabs Phase One Method, Authenticate Method, Phase Two Proposal and Advanced Setting; fields Local Interface WAN, IKE Name RemoteIKE, Remote Gateway (Static Gateway IP / Dynamic DNS Domain / Dynamic), Local ID, Remote ID, NextHop 211.192.98.217, Strict Algorithm Match; Next > and Cancel]
   (4) Click Next > to display the Phase One Method tab. Configure as follows: Algorithm: 3des md5 modp1536; Exchange: main mode.
   (5) Click Next > to view the Authenticate Method tab. Select PSK and enter 12345678 as the Preshare Key. Re-enter this key in the Retype textbox to confirm.
   (6) Click Next > to display the Phase Two Proposal tab. Enable Using ESP and select the esp 3des md5 ESP Algorithm. Also select the Using PFS option.
   [Screenshot: Phase Two Proposal tab showing Encapsulation: Using ESP, Algorithm esp 3des md5, PFS Group is same as Phase One's, Using PFS, DH Group; < Back, Next > and Cancel]
   (7) Click Next > to view the Advanced Setting tab. Keep the default configuration for all parameters in this tab and click Save to save this IKE record.
   (Chapter 11, Device Deployment Example)
   Step 4: Add address objects.
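Added example, not from the SifoWorks manual or O2Security: a Python policy check for IKE proposal strings written the way entry 11 writes them (the phase one proposal 3des md5 modp1536, the phase two proposal esp 3des md5, and the pre-shared key). The accepted algorithm sets, the minimum Diffie-Hellman modulus size and the minimum PSK length are assumptions of this example's policy, not vendor requirements; the function returns the list of findings for a proposal so an administrator can review a planned IKE record against the local policy before saving it.

```python
from dataclasses import dataclass
from typing import List, Optional

# Policy values are ASSUMPTIONS of this example, not SifoWorks requirements.
ACCEPTED_ENC = {"aes128", "aes192", "aes256"}
ACCEPTED_HASH = {"sha256", "sha384", "sha512"}
MIN_MODP_BITS = 2048
MIN_PSK_LEN = 16


@dataclass
class Proposal:
    enc: str            # encryption algorithm, e.g. "3des" or "aes256"
    hash: str           # integrity / PRF hash, e.g. "md5" or "sha256"
    dh: Optional[str]   # DH group, e.g. "modp1536"; None for a phase two proposal


def parse_proposal(text: str) -> Proposal:
    """Parse a proposal written as 'enc hash dh' or 'enc-hash-dh'.

    A leading 'esp' or 'ah' (phase two encapsulation, as in 'esp 3des md5')
    is dropped, and a phase two proposal may omit the DH group because
    PFS reuses the phase one group.
    """
    parts = text.lower().replace("-", " ").split()
    if parts and parts[0] in ("esp", "ah"):
        parts = parts[1:]
    if len(parts) == 2:
        return Proposal(parts[0], parts[1], None)
    if len(parts) == 3:
        return Proposal(parts[0], parts[1], parts[2])
    raise ValueError(f"cannot parse proposal {text!r}")


def modp_bits(dh: str) -> Optional[int]:
    """Return the modulus size of a 'modpNNNN' group name, or None if unknown."""
    if dh.startswith("modp") and dh[4:].isdigit():
        return int(dh[4:])
    return None


def check_proposal(text: str, psk: str) -> List[str]:
    """Return policy findings for a proposal and its pre-shared key (empty list = passes)."""
    p = parse_proposal(text)
    findings = []
    if p.enc not in ACCEPTED_ENC:
        findings.append(f"encryption '{p.enc}' is not in the accepted set {sorted(ACCEPTED_ENC)}")
    if p.hash not in ACCEPTED_HASH:
        findings.append(f"hash '{p.hash}' is not in the accepted set {sorted(ACCEPTED_HASH)}")
    if p.dh is not None:
        bits = modp_bits(p.dh)
        if bits is None:
            findings.append(f"DH group '{p.dh}' is not recognised")
        elif bits < MIN_MODP_BITS:
            findings.append(f"DH group '{p.dh}' is below the {MIN_MODP_BITS}-bit minimum")
    if len(psk) < MIN_PSK_LEN:
        findings.append(f"pre-shared key has {len(psk)} characters, minimum is {MIN_PSK_LEN}")
    elif psk.isdigit() or psk.isalpha():
        findings.append("pre-shared key uses a single character class")
    return findings


if __name__ == "__main__":
    # The values as written in the manual excerpt (entry 11), then a constructed
    # alternative that satisfies this example's policy.
    for proposal, key in [("3des md5 modp1536", "12345678"),
                          ("esp 3des md5", "12345678"),
                          ("aes256-sha256-modp2048", "q7L!m2Pz9$vR4wE8tY1b")]:
        result = check_proposal(proposal, key)
        print(proposal, "->", "OK" if not result else result)
```

Under the stated policy the excerpt's phase one proposal produces four findings (encryption, hash, DH group size and PSK length), the phase two proposal three (no DH group is checked because PFS takes it from phase one), and the constructed AES/SHA-256/2048-bit proposal none.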
12. Click the radio button to select the version. Range: v1, v2c, v3.
   Field Name / Explanation / Configuration:
   - Community Name: only available if the SNMP v1 or v2c version is selected; SNMP v1/v2c uses community name authentication. How to Configure: enter the value in the textbox. Range: string of 1 to 15 characters.
   - Sec Name: only available if SNMP v3 is selected. How to Configure: enter the value in the textbox. Range: string of 1 to 15 characters.
   - Sec Level: only available if SNMP v3 is selected. There are three security levels: NoAuthNoPriv (does not require authentication, a private key or passwords), AuthNoPriv (requires authentication and a password, but not a private key) and AuthPriv (requires authentication and a password along with a private key). How to Configure: select the option from the drop-down menu. Range: NoAuthNoPriv, AuthNoPriv, AuthPriv.
   (Chapter 9, System Settings, page 196)
   - Auth Protocol: only available if SNMP v3 and the AuthNoPriv or AuthPriv Sec Level are selected. How to Configure: select the protocol from the drop-down menu. Range: HMAC-MD5-96, HMAC-SHA-96.
   - Auth Password / Retype: only available if SNMP v3 and the AuthNoPriv or AuthPriv Sec Level are selected. This is the password used for authenti... How to Configure: enter the value in the textbox. Range: string of 8 to 45 characters.
13. From this list you can:
   - View all IP addresses with bandwidth limitations and their current upload, download and total bandwidth utilization.
   - Edit the IP rate limit for a particular IP address: click the icon in the Operation column corresponding to the IP address you wish to modify the IP rate limit for. Refer to 7.3 Limiting IP Traffic for details on this interface.
   10.3.5 Session Number
   These are reports showing the number of established sessions, new sessions and total sessions. Established sessions are all sessions that have been accepted by SifoWorks. New sessions are connections waiting for SifoWorks' reply. Total sessions include both established and new sessions. You can also select to view reports showing the distribution of sessions according to the various protocols, including TCP, UDP and ICMP. SifoWorks generates session number reports using statistics collected from the past 1 hour. You can also view history session number reports that were generated using statistics from any previous 7-day interval.
   (Chapter 10, System Maintenance, page 209)
   CONFIGURATION PROCEDURE (Steps 1 to 6, page 210)
   The procedure below explains how to view the traffic reports generated by SifoWorks. It also describes the various options available when viewing these reports. Log in to SifoWorks...
14. ...packets. How to Configure: enter the value in the textbox. Range: 30s.
   (Chapter 9, System Settings, page 200)
   Field Name / Explanation / Configuration (the Range value for each field is given in the order of the table's rows):
   - TCP Timeout, CLOSE: timeout value when the TCP connection is in the CLOSE state. How to Configure: enter the value in the textbox. Range: 10s.
   - TCP Timeout, CLOSE WAIT: timeout value when the TCP connection is in the CLOSE WAIT state. How to Configure: enter the value in the textbox. Range: 600s.
   - TCP Timeout, ESTABLISHED: timeout value when the TCP connection is in the ESTABLISHED state. How to Configure: enter the value in the textbox. Range: 600s.
   - TCP Timeout, FIN WAIT: timeout value when the TCP connection is in the FIN WAIT state. How to Configure: enter the value in the textbox. Range: 120s.
   - TCP Timeout, LAST ACK: timeout value when the TCP connection is in the LAST ACK state. How to Configure: enter the value in the textbox. Range: 30s.
   - TCP Timeout, TIME WAIT: timeout value when the TCP connection is in the TIME WAIT state. How to Configure: enter the value in the textbox. Range: 120s.
   - UDP Timeout: timeout value for single-directional UDP connections. How to Configure: enter the value in the textbox. Range: 30s.
   - UDP Stream Timeout: timeout for bi-directional UDP connections. How to...
15. Note: You can also set up the system to automatically perform an IDP rule upgrade daily, without manual operations from administrators.
   CONFIGURATION PROCEDURE (page 116)
   Before performing an IDP rule upgrade, ensure that your SifoWorks device is able to access external networks. The configuration procedure is as follows.
   Step 1: Log in to SifoWorks via a read/write administrator account.
   Step 2 (optional): Specify an email address. (1) From the left menu bar, select IDP > Upgrade Setting. (2) In this interface, enter the domain name of the SMTP Server used to send the notification mail, the User Mail Address to send the mail to, and the Password to authenticate SifoWorks with the SMTP server. [Screenshot: Upgrade Setting form with User Mail Address and Password fields] (3) Click Save to save the settings. A success message should be displayed.
   Step 3: Upgrade IDP rules. (1) From the left menu column, select IDP > Rule Upgrade. The Upgrade IDP Rule interface will be displayed, showing the current IDP rule version. (2) Click Upgrade. An upgrade success message should be displayed after a few minutes. (3) Click OK to return to the Upgrade IDP Rule interface. Check to ensure that the IDP rule version displayed here has changed.
   Chapter 6, Virtual Private Networks. This chapter includes the following: Overview: briefly introduces SifoWorks' high...
16. [Figure: SifoWorks D100 front panel: 10M/100M self-adaptive Ethernet ports FE0 to FE7, ADSL port, Management port, Management LED, Power LED, Serial port, power socket, power switch]
   (Chapter 1, Product Overview, page 2)
   [Figure: SifoWorks D200 front panel: FE0 to FE7 network LEDs, Read/Write LED, 10M/100M self-adaptive Ethernet ports FE0 to FE7, ADSL port, Management port, Power LED, Serial port, power socket, power switch]
   [Figure: SifoWorks D300 front panel: same layout as the D200]
   (page 3)
   1.2.2 Device Ports
   Name / Explanation / Type:
   - FE0 to FE7: 10M/100M self-adaptive Ethernet ports, for connection to networks with 10M/100M speed to monitor and filter data packets. Type: RJ-45.
   - MGT1: used for ADSL connections. The device can be connected to the Internet using PPPoE via an ADSL modem. Type: RJ-45.
   - MGT0: to connect to an administrative PC via a standard network cable for system configuration. Monitor ports are also used as the heartbeat monitoring port under HA mode. Type: RJ-45.
   - CONSOLE: RS232 serial port. A serial cable is used to connect this port to an administrative PC. The system can then be... Type: DB-9.
17. Normal administrators can be assigned one of two operation authorities:
   - Read Only: these administrators can view but cannot modify any system configurations.
   - Read/Write: these administrators can view and modify the accessible system configurations.
   - Auditor Administrators: these administrators are able to view system logs, reports and the system status displayed on the UI's Home page. Auditor administrators are mainly involved in analyzing the system and network operating status.
   (Chapter 9, System Settings, page 184)
   Hence the authority assigned to each account type can be illustrated as follows, from the highest authority level to the lowest: Root Administrator (admin) > normal read/write administrators > normal read-only administrators > auditor administrators.
   Note: Only the default administrator account admin can manage other administrator accounts. All other accounts are only allowed to modify their own account password.
   APPLICATION EXAMPLE (Steps 1 to 5): A system administrator assigned the admin account wants to add a read/write account for a maintenance engineer, to allow him to manage the system's network configurations and filter rules. He thus adds an account with username admin1 and password 12345678. This account is allowed to log in to the system vi...
18. ...Save to add this VPN connection to the list.
   REFERENCE: Operations related to IPsec VPN connections include:
   - 3.2 Setting up the Basic Network Settings
   - 3.5 Configuring PPPoE Connections
   - 3.7 Configuring DDNS
   (Chapter 6, Virtual Private Networks, page 140)
   6.3 Configuring PPTP VPN Connections
   Users remotely connected on a PPTP (Point-to-Point Tunneling Protocol) VPN connection can access the Internet via an encrypted tunnel. Since all PCs running Windows 2000 or later versions are installed with a PPTP VPN client, the configuration task for PPTP is greatly simplified. PPTP VPN connections are applicable for IP networks. Only one tunnel can be established between two peers connected via a PPTP VPN.
   Note: Please ensure that the SifoWorks basic network setting has already been configured. Refer to 3.2 Setting up the Basic Network Settings for details on this configuration.
   CONFIGURATION FLOWCHART: The flowchart below shows the steps to configure a PPTP VPN: Start > Adding VPN Users > Adding VPN User Group > Adding IP Pool > Configuring PPTP VPN Access > End.
   (page 141)
   This table briefly introduces each of the configuration steps. Operation / Description: Adding VPN Users: to add PPTP VPN connection users. Adding...
19. (Table of contents, continued; OCR-damaged titles marked as illegible)
   7.1 Overview 148
   7.2 [title illegible] Services 148
   7.3 Limiting IP Traffic 152
   7.4 Activating High Availability 157
   7.5 Configuring [title illegible] Devices 163
   7.6 Upgrade Intelligent Recognized Protocols (IRP) 174
   8 Log Management 175
   8.1 Overview 176
   8.2 Managing Log Servers 178
   8.3 Configuring Log Attributes 179
   8.4 Exporting Log 179
   8.5 Customizing Log Filter Criteria and Log Format 180
   8.6 Setting up Email Alert 181
   8.7 Viewing Logs 182
   9 System Settings 183
   9.1 Overview 184
   9.2 Managing Administrator Accounts 184
   9.3 Setting Up Basic System Configuration 189
   9.4 Import/Export Configuration File 191
   9.5 Upgrade System Software 192
   9.6 Connect to a Network Management System 193
   9.7 Configuring Timeout Values ...
20. ...TCP, UDP, ICMP, Others, Total. How to Configure: enter the values in the textboxes.
   - Packet Rate (PPS): maximum number of packets that can be transmitted per second, including connection requests and other data transmission. This configuration will only be effective if Enable Packet Rate Limit is selected in the Anti-DoS Working Mode tab.
   - From All: the total request rate, connection number and packet rate for all source addresses.
   - From Single Source IP Address: the request rate, connection number and packet rate for each source IP address.
   (Chapter 7, Advanced Functions, page 166)
   - Defense Time: when an attack is detected, SifoWorks will drop packets until the packet rate is less than the alarm threshold. Once the packet rate has decreased to less than the alarm threshold, SifoWorks will continue to drop packets for a period of time equal to the defense time. How to Configure: enter the value in the textbox. Example: 2s.
   - Alarm Threshold: alarm threshold = total threshold × Alarm Threshold percentage. This value is used by the system to determine when attacks occur. The system detects normal traffic (no attack) if the packet rate is less than this value. How to Configure: enter the value in the textbox. Example: 80.
   (page 167)
21. ...VLAN To: DMZ; Address From: Predefine ALL; Address To: Custom IP/Netmask 10.1.1.2 / 255.255.255.255; Service: HTTP.
   (8) Check the Intelligent Recognized Protocols checkbox and select http from the adjacent drop-down menu.
   [Screenshot: Match tab showing Virtual Port From/To, VLAN From/To, Address From/To (Custom IP/Netmask or Predefine), Authentication user0, Intelligent Recognized Protocols http, Schedule none; < Back, Save and Cancel]
   (9) Click Save to save the filter rule.
   (Chapter 11, Device Deployment Example)
   Step 4: Add a filter rule to allow LAN users access to the Web server.
   (1) Return to the filter rule list (Firewall > Filter Rule) and click Add New Filter Rule.
   (2) In the Action To Take tab, select the Action Accept. Click Advanced to view the advanced rule options and enable Log. Click Next > to view the Match tab. Here configure as follows: Virtual Port From: VPort1; Virtual Port To: VPort3; VLAN From: LAN; VLAN To: DMZ; Address From: Custom IP/Netmask 192.168.1.0 / 255.255.255.0; Address To: Custom IP/Netmask 10.1.1.2 / 255.255.255.255; Service: HTTP.
   (5) Check the Intelligent Recognized Protocols checkbox and select http from the adjacent drop-down menu.
   [Screenshot: Match tab with Virtual Port From/To, VLAN From/To...]
22. - TFTP, VNC, RTSP, H.323, SIP, M_HTTP_Proxy
   - SMTP, POP3, IMAP
   - AIM, MSN Messenger, QQ, Yahoo Messenger, POPO
   - BitTorrent, eDonkey, Mute, Foxy, Kugoo, Xunlei
   Additional information on the above protocols:
   - Emule and BT: SifoWorks is able to block data traffic and apply QoS to non-encrypted data packets. However, QoS cannot be applied to encrypted packets. Hence, if there is an excessive amount of encrypted packets, we recommend directly blocking Emule and BT traffic. SifoWorks blocks Emule and BT traffic by preventing the client from obtaining seeder information from the server. Hence the system is unable to block Emule or BT download traffic if the seeder information has already been obtained.
   - Xunlei: Xunlei downloads use multiple protocols, such as FTP, HTTP, BT and Emule. Hence, for HTTP or FTP Xunlei downloads, we recommend using a combination of the FTP and Xunlei protocols to enforce QoS. For Xunlei downloads using BT and Emule, you should not select Xunlei when creating the filter rule; select BT or Emule instead.
   (Chapter 4, Firewall Rule Management, page 97)
   AAA Authentication
   The AAA module supports up to 1024 local authentication users and 64 authentication groups. Each group can contain up to 512 members. Group members can be:
   - Local users
   - External authentication servers
   - Users of external authentication servers that are mappe...
23. ...ExampleGroup, FilterRule.
   Step 5: Add authentication address.
   (1) From the left menu bar, select System > Auth Address. At the bottom of the displayed list, click Add New Auth Address. In the Add New Auth Address interface, configure as follows: Name: ExampleAuthAddress; From Address: ExampleAddress; Service: HTTP; Users: ExampleGroup.
   Note: Idle Duration refers to the timeout value of a user's access to the Internet via SifoWorks after authentication. If no Internet access via SifoWorks was made by the authenticated user for this period of time, the system will prompt the user to re-authenticate.
   [Screenshot: Add New Auth Address dialog showing Name ExampleAuthAddress, From Address ExampleAddress, Service, Users ExampleGroup (Group), Idle Duration (1 to 300 minutes), Description]
   (4) Click Save to save the new authentication address.
   (Chapter 4, Firewall Rule Management, page 94)
   Optional: Customize the authentication interface. (1) From the left menu bar, select System > Auth Server. (2) Click the Banner tab to customize the authentication interface. (3) Here, enter the various messages to be displayed on the user authentication interface. (4) Click Save to save the settings.
   Add filter rule: (1) From the left menu bar, select Firewall > Filter Rule. (2) Click Add New Filter Rule to view the filter rule addition interface.
24. ...1 hour: click the Current Monitor (Listen Current 1 Hours) radio button to view the chart generated from statistics collected during the past 1 hour.
   - To view a report generated using statistics from any past interval of up to 7 days: manually select the time interval to generate the report for by selecting the History Query (Listen Past 7 Days) radio button. In the From and To date/time textboxes that appear, specify the starting and ending time of the desired time interval to view the history report generated from statistics collected during this period. Note that the maximum time interval you can enter is 7 days.
   Step 6: Click Go to refresh the report and display the graph according to your settings.
   (Chapter 10, System Maintenance, page 211)
   10.4 Performing Network Diagnostics
   SifoWorks provides two network diagnostic commands, Ping and Traceroute, to help you test connectivity between SifoWorks and the networks.
   CONFIGURATION PROCEDURE: PING (Steps 1 to 6)
   The procedure to execute the Ping command from the SifoWorks Web UI is as follows.
   Step 1: Log in to SifoWorks via a read/write or read-only administrator account.
   Step 2: From the left menu, select Diagnostics > Ping.
   Step 3: In the Ping Test interface that appears, enter the Domain Name or IP Address of the ping target.
   Step 4 (optional): Set up the various optional parameters of...
the past hour, or history reports from statistics for any past interval of up to 7 days.
- To view the report generated from the last hour of statistics, click the Current Monitor (Listen Current 1 Hours) radio button. The chart is generated from statistics collected during the past hour.
- To view a report for any past interval of up to 7 days, select the History Query (Listen Past 7 Days) radio button. In the From and To date/time textboxes that appear, specify the start and end of the desired interval; the history report is generated from statistics collected during that period. The maximum interval you can enter is 7 days.
Step 5 Click Go to refresh the interface and display the graph according to your settings in step 4.

10.3.3 Traffic Reports
These reports are generated from the total traffic (inbound, outbound and bi-directional) transmitted via SifoWorks. Individual traffic reports for each network port are also generated. The system generates traffic reports from statistics collected over the past hour; you can also view history traffic reports generated from statistics for any interval within the previous 7 days.

CONFIGURATION PROCEDURE
The procedure below explains how to view the traffic reports gene
3.9 Managing the ARP Tables ... 82
4 Firewall Rule Management ... 85
4.1 Overview ... 86
4.2 Managing Filter Rules ... 87
4.3 Managing ... Rules ... 99
4.4 Managing Content Filtering Rules ... 101
5 Intrusion Detection and Prevention ... 109
5.1 Overview ... 110
5.2 Configuring and Enabling IDP ... 110
5.3 Upgrade IDP Rules ... 116
6 Virtual Private Networks ... 117
6.1 Overview ... 118
6.2 Configuring IPsec VPN Connections ... 120
6.3 Configuring PPTP VPN Connections ... 141
6.4 Configuring L2TP VPN Connections ... 144
7 Advanced Functions ... 147
(Figure: the DNAT rule form, ending with its Load Balance field and the Save and Cancel buttons.)
4. Click Save to save the new DNAT rule.

APPLICATION EXAMPLE 2: MAPLIST
A network administrator needs to add SNAT rules for all LAN-to-WAN connections (VPort1 to VPort2) so that the private IP addresses of all hosts in the LAN are translated to two public IP addresses when accessing the external network. The address ranges are:

Original IP addresses          Translated IP address   Translated port range
192.168.1.1 to 192.168.1.100   211.192.98.220          1025 to 65535
192.168.2.1 to 192.168.2.100   211.192.98.220          1025 to 65535
192.168.3.1 to 192.168.3.100   210.82.98.220           1025 to 65535
192.168.4.1 to 192.168.4.100   210.82.98.220           1025 to 65535

The configuration procedure is as follows.
Step 1 Log in to SifoWorks via a read-write administrator account.
Step 2 From the left menu bar, select Object > MapList. The list of maplist objects is displayed.
Step 3 Add a new maplist object.
1. Click Add New MapList at the bottom of the maplist object list.
2. Set up the maplist object as follows:
   Name: LAN to WAN
   Original IP: From 192.168.1.1 To 192.168.1.100
   Translated IP: From 211.192.98.220 To 211.192.98.220
   Translated Port: From 1025 To 65535
3. Click Save to save this addr
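The following Python model of the maplist objects above is an added example and is not SifoWorks code. It shows what one object expresses (a contiguous range of original addresses, a single translated address, a translated port range), hands out a distinct public (address, port) pair per translated flow, and rejects a configuration in which two objects claim the same original address, which would make the translation order-dependent. The first object is the "LAN to WAN" maplist from Step 3; the names of the other three objects are assumed.

```python
"""Model of SNAT maplist objects (added example, not SifoWorks code)."""
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass
class MapList:
    name: str
    orig_from: IPv4Address
    orig_to: IPv4Address
    translated_ip: IPv4Address
    port_from: int = 1025
    port_to: int = 65535

    def matches(self, ip: IPv4Address) -> bool:
        return self.orig_from <= ip <= self.orig_to

    def overlaps(self, other: "MapList") -> bool:
        return self.orig_from <= other.orig_to and other.orig_from <= self.orig_to


def make_maplist(name, orig_from, orig_to, translated_ip, port_from=1025, port_to=65535):
    if not 1 <= port_from <= port_to <= 65535:
        raise ValueError("translated port range must lie within 1..65535")
    return MapList(name, IPv4Address(orig_from), IPv4Address(orig_to),
                   IPv4Address(translated_ip), port_from, port_to)


class Snat:
    """Applies the maplists in order and allocates a distinct (public IP, port)
    per translated flow so two internal hosts never share a public tuple."""

    def __init__(self, maplists):
        # Reject ambiguous configurations up front.
        for i, a in enumerate(maplists):
            for b in maplists[i + 1:]:
                if a.overlaps(b):
                    raise ValueError(f"maplists {a.name} and {b.name} overlap")
        self.maplists = list(maplists)
        self.in_use = set()          # (translated_ip, port) pairs already handed out

    def translate(self, src_ip: str):
        """Return (public_ip, public_port) for src_ip, or None if no maplist matches."""
        ip = IPv4Address(src_ip)
        for m in self.maplists:
            if not m.matches(ip):
                continue
            for port in range(m.port_from, m.port_to + 1):
                if (m.translated_ip, port) not in self.in_use:
                    self.in_use.add((m.translated_ip, port))
                    return str(m.translated_ip), port
            raise RuntimeError(f"{m.name}: translated port range exhausted")
        return None

    def release(self, public_ip: str, port: int):
        """Free a translated tuple when its session ends."""
        self.in_use.discard((IPv4Address(public_ip), port))


def build_example():
    """The four ranges from the application example. Only 'LAN to WAN' is
    named in the manual; the other object names are assumed."""
    return Snat([
        make_maplist("LAN to WAN", "192.168.1.1", "192.168.1.100", "211.192.98.220"),
        make_maplist("LAN2 to WAN", "192.168.2.1", "192.168.2.100", "211.192.98.220"),
        make_maplist("LAN3 to WAN", "192.168.3.1", "192.168.3.100", "210.82.98.220"),
        make_maplist("LAN4 to WAN", "192.168.4.1", "192.168.4.100", "210.82.98.220"),
    ])
```

Two hundred internal hosts share each public address, so the 64,511 ports of one translated range are the real capacity limit; the exhaustion error above is the condition a device would report when that range is used up.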
How to Configure: Enter the value in the textbox. Range: 180s

Aggressive Aging Settings tab

Field Name: Low Watermark
Explanation: Do not activate aggressive aging while the percentage of currently established sessions against the maximum number of sessions supported by the system is below this value.
How to Configure: Enter the value in the textbox. Default: 70

Field Name: High Watermark
Explanation: Activate aggressive aging once the percentage of currently established sessions against the maximum number of sessions supported by the system exceeds this value.
How to Configure: Enter the value in the textbox. Default: 85

Field Name: Percent of Timeout
Explanation: While aggressive aging is active, delete a session if the percentage of its idle time against its timeout exceeds this value.
How to Configure: Enter the value in the textbox. Range: 30

Chapter 10 System Maintenance
This chapter includes the following sections:
- Overview: briefly lists the various system maintenance tools provided by SifoWorks.
- Monitoring Sessions and Online Users: explains how to view and manage the list of established sessions, the list of authenticated users currently online, and DHCP lease information.
- Viewing Reports: introduces the system's reporter function, including how to enable or disable the reporte
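The watermark logic above is easy to misread as two independent thresholds. The Python model below is an added example, not SifoWorks code: it treats the low and high watermarks as a hysteresis band (aging switches on above the high watermark, off below the low one, and keeps its previous state in between, so a session table hovering near one threshold does not flap), and applies the percent-of-timeout rule only while aging is active. The defaults 70 and 85 are from the table; the percent-of-timeout value of 30 and the session timeout used in the demo are assumed.

```python
"""Aggressive session aging with watermark hysteresis (added example, not
SifoWorks code)."""


class AggressiveAging:
    def __init__(self, max_sessions, low=70, high=85, pct_of_timeout=30):
        if not 0 <= low < high <= 100:
            raise ValueError("need 0 <= low < high <= 100")
        self.max_sessions = max_sessions
        self.low, self.high, self.pct = low, high, pct_of_timeout
        self.active = False

    def update(self, established: int) -> bool:
        """Re-evaluate the aging state from the current session count."""
        usage = 100.0 * established / self.max_sessions
        if usage > self.high:
            self.active = True
        elif usage < self.low:
            self.active = False
        # low <= usage <= high: keep the previous state (hysteresis)
        return self.active

    def should_delete(self, idle_s: float, timeout_s: float) -> bool:
        """Normal expiry at the full timeout; under aggressive aging a session
        is also dropped once it has been idle for more than pct% of its timeout."""
        if idle_s >= timeout_s:
            return True
        return self.active and 100.0 * idle_s / timeout_s > self.pct

    def sweep(self, sessions, now):
        """sessions: list of (key, last_seen, timeout_s). Returns the keys kept."""
        self.update(len(sessions))
        return [key for key, seen, tmo in sessions
                if not self.should_delete(now - seen, tmo)]


def demo():
    """Constructed sample: 900 of 1000 sessions are established (90% usage,
    above the high watermark); every second one has been idle for half of an
    assumed 1800 s timeout, which is more than 30%, so those are reclaimed."""
    aging = AggressiveAging(max_sessions=1000)
    now = 1000.0
    sessions = [(f"s{i}", now - (i % 2) * 900, 1800) for i in range(900)]
    kept = aging.sweep(sessions, now)
    return aging.active, len(kept)
```

Without aggressive aging the same sweep keeps all 900 sessions, because none of them has reached its full timeout; the feature trades idle-session retention for headroom under load.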
1. From the left menu bar, select System > SNMP Setting to view the SNMP list.
2. At the top left corner of the list, set SNMP Status to On to enable the SNMP agent on the system.
3. Click Add New SNMP. In the interface displayed, configure as follows:
   SNMP Version: V3
   Sec Name: SifoView
   Sec Level: AuthPriv
   Auth Protocol: HMAC-MD5-96
   Enter the authentication and privacy passwords in the Auth Password / Retype and Priv Password / Retype textboxes respectively.
4. Click Save to save the SNMP agent settings.
Note: AuthPriv is the only SNMPv3 security level that both authenticates and encrypts management traffic, so keep it even if the management station would accept less. HMAC-MD5-96 is a legacy authentication protocol; select a SHA-based protocol if the device and the management station offer one, and use distinct, strong authentication and privacy passwords.

Step 3 Add a registration server
1. From the left menu bar, select System > Registration Server.
2. At the bottom of the list displayed, click Add Registration Server.
3. In the interface displayed, configure as follows:
   Server Name: SifoView
   Enable: On
   IP: 10.1.1.7
   Port: 666
   Interval: 60
   Bind IP: 10.1.1.1
4. Click Save to save the new registration server record.

UI PARAMETER REFERENCE
The tables below explain the parameters you may need to configure when setting up SifoWorks to be monitored and/or configured from a centralized network management system. This covers the SNMP Setting, SNMP Trap and Registration Server configuration interfaces.

System > SNMP Setting > Add New SNMP
Field Name: SNMP Version
Explanation: SNMP protocol version to
How to Configure: Use
Each configuration is briefly introduced in the table below.

Operation: Configuring Network Variables
Description: Configure the system to differentiate between internal and external network addresses.

Operation: Manage Rule Groups
Description: Enable entire rule groups or a subset of rules within a group, and modify each rule's attributes.

Operation: Define Customized Rules
Description: Add customized IDP rules.

Operation: Configure the Pre-processors
Description: Select whether to enable the pre-processors (IP Defragmentation, TCP Stream Reassembly, Port Scan) and configure the corresponding parameters.

Operation: Select IDP Work Mode
Description: Specify the IDP working mode.

APPLICATION EXAMPLE
The network topology used in this example is as follows (figure): SifoWorks connects to the Internet on its WAN interface (211.192.98.220). Its LAN interface (192.168.1.1) serves two switched subnets, both in 192.168.1.0/24. Its DMZ interface (10.1.1.1) serves the 10.1.1.0/24 server network, which contains a domain/DHCP server at 10.1.1.3.

Step 1 After analyzing the network and the company's policies, the administrator determines that the IDP function must be activated on SifoWorks with the following configuration:
- Internal networks: the LAN and DMZ domains
- External network: the WAN domain
- The system's pre-defined rules are to be used
- No additional cus
(Figure: the Match tab of the filter rule, showing VLAN From LAN, Address From 192.168.1.0 / 255.255.255.0, a single-host Address To with netmask 255.255.255.255, Service HTTP, Intelligent Recognized Protocols http and Schedule none.)
6. Click Save to save the filter rule.

Step 5 Add a filter rule to allow LAN users to access the mail server
1. Return to the filter rule list (Firewall > Filter Rule) and click Add New Filter Rule.
2. In the Action To Take tab, select the Action Accept. Click Advanced to view the advanced rule options and enable Log.
3. Click Next > to view the Match tab and configure as follows:
   Virtual Port From: VPort1
   Virtual Port To: VPort3
   VLAN From: LAN
   VLAN To: DMZ
   Address From: Custom IP/Netmask 192.168.1.0 / 255.255.255.0
   Address To: Custom IP/Netmask 10.1.1.2 / 255.255.255.255
   Service: SMTP
4. Check the Intelligent Recognized Protocols checkbox and select smtp from the adjacent drop-down menu. Because the rule is pinned to the single mail server host and to SMTP, and the protocol check verifies that the traffic really is SMTP, no other DMZ service is exposed to the LAN by this rule.
(Figure: the Match tab with the settings above.)
Prevention. The SifoWorks IDP module not only detects intrusion attacks accurately and effectively, it can also analyze and prevent intrusions according to network needs.

Warning: The IDP module ties up a considerable amount of system resources when activated. We therefore recommend that you contact O2Security's technical support personnel before activating this module. Enabling it is not recommended if your network does not require IDP.

5.2 Configuring and Enabling IDP
This section explains the IDP function and guides you through the steps to configure and activate IDP on your SifoWorks device.

IDP Work Modes
SifoWorks supports three IDP working modes:
- Sniffer: attack detection mode. The system analyses the data flow to detect intrusions only, and notifies an administrator of any detected abnormality by sending an alert and/or logging the event. Traffic is never blocked in this mode, which makes it the right mode for an initial run in which false positives are identified before any rule is allowed to block.
- In-line: attack prevention mode. The system checks data packets for intrusions and, when an abnormality is detected, blocks the data flow to prevent the intrusion.
- Stop: disables the IDP module.

IDP Rules
7500 IDP rules are pre-defined by the system and categorized into groups. You can manually select the rule groups your network requires, and you can also define customized rules for more precise control.

IDP Pre-processors
SifoWorks also supports three pre-processing operations on all
Reset
3. Click Next > to move to the Source tab, where defense settings based on source addresses are configured. Keep all default settings in the Source tab and click Next > to display the Destination tab.
4. The Destination tab configures defense settings based on destination addresses. Keep all default settings and click Next > to display the Syn Proxy tab.
5. Configure SYN Proxy mode: in the Syn Proxy tab, select the Never Proxy option. Click Next > to move to the Other Attacks tab.
6. Set up IDS defense against other types of attacks: in this tab, check the checkboxes for the Land Attack and ARP Spoof options.
7. Click Save to save the IDS configuration.

UI PARAMETER REFERENCE
The tables below explain the parameters found in the various tabs of the Advance > IDS Setting interface.

Source tab

Field Name: Request Rate
Explanation: Maximum number of connection requests per second (PPS). A connection request is the first packet of each connection. You can specify the request rate separately for each connection type: TCP, UDP, ICMP, Others and Total.

Field Name: Conn Number
Explanation: Maximum allowed number of connections for each type
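The Source tab limits above are two different controls, a rate of new requests per second and a ceiling on concurrent connections, each tracked per protocol type and for the total. The Python class below is an added example, not SifoWorks code, showing how a source's requests are checked against both limits per type and in the Total bucket; the limit values and the sample burst are constructed for the demo.

```python
"""Per-type connection request rate and connection number limits for one
source address (added example, not SifoWorks code)."""
from collections import deque


class SourceLimiter:
    TYPES = ("TCP", "UDP", "ICMP", "Others", "Total")

    def __init__(self, request_rate: dict, conn_number: dict):
        # request_rate / conn_number: limits keyed by TYPES, e.g.
        # {"TCP": 100, "UDP": 50, "ICMP": 10, "Others": 10, "Total": 150}
        self.rate, self.max_conn = request_rate, conn_number
        self.recent = {t: deque() for t in self.TYPES}   # request timestamps, last 1 s
        self.open = {t: set() for t in self.TYPES}        # keys of open connections

    @staticmethod
    def bucket(proto: str) -> str:
        return proto if proto in ("TCP", "UDP", "ICMP") else "Others"

    def _requests_last_second(self, t: str, now: float) -> int:
        q = self.recent[t]
        while q and now - q[0] >= 1.0:
            q.popleft()
        return len(q)

    def admit(self, proto: str, key, now: float) -> tuple:
        """Decide on the first packet of a connection identified by key.
        Returns (True, None) or (False, reason)."""
        for t in (self.bucket(proto), "Total"):
            if self._requests_last_second(t, now) >= self.rate[t]:
                return False, f"request rate for {t} exceeded"
            if len(self.open[t]) >= self.max_conn[t]:
                return False, f"connection number for {t} exceeded"
        for t in (self.bucket(proto), "Total"):
            self.recent[t].append(now)
            self.open[t].add(key)
        return True, None

    def close(self, proto: str, key):
        """Release a connection when it ends so the Conn Number limit recovers."""
        for t in (self.bucket(proto), "Total"):
            self.open[t].discard(key)


def demo():
    """Constructed burst from one source: six TCP SYNs in the same second
    (TCP rate limit 5), then three UDP datagrams (Total rate limit 7)."""
    lim = SourceLimiter({"TCP": 5, "UDP": 5, "ICMP": 2, "Others": 2, "Total": 7},
                        {t: 100 for t in SourceLimiter.TYPES})
    results = [lim.admit("TCP", ("10.0.0.9", 40000 + i), 0.0)[0] for i in range(6)]
    results += [lim.admit("UDP", ("10.0.0.9", 50000 + i), 0.5)[0] for i in range(3)]
    return results
```

The sixth SYN is refused by the TCP rate, and the third UDP datagram by the Total rate even though UDP itself is still under its limit; that is the point of configuring Total separately.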
3. Select Action as Accept. Click Advanced to display the advanced options and enable Log for this rule.
4. Click Next > to navigate to the Match tab and configure:
   Virtual Port From: VPort1
   Virtual Port To: VPort2
   VLAN From: LAN
   VLAN To: WAN
   Address From: Authentication ExampleGroup (Group)
   Address To: Predefine ALL
   Service: HTTP
5. Enable the Intelligent Recognized Protocols function and select http from the drop-down menu.
(Figure: the Match tab with the settings above.)
6. Click Save to save the filter rule.

Step 8 (Optional) Check that the configuration is correct using any of the authentication users.
Note: If you can complete this step successfully, you have configured the system correctly to meet the requirements. Otherwise, return to the steps above and check if any errors
SifoWorks provides multi-gateway access load balancing, along with load balancing for connections and servers.

IPsec VPN: The system establishes an independent tunnel for IPsec VPN, providing security and redundancy for connections between branch networks without compromising the firewall's performance. This ensures that information can be transmitted securely within the company.

Comprehensive multi-level flow control: SifoWorks achieves comprehensive flow control by combining its IP rate limit function with IRP (Intelligent Recognized Protocols) and QoS.

High Availability (HA): SifoWorks supports the Active-Standby (AS) high availability mode.

1.3.1 Status-based Access Control
Status-based (stateful) access control over packet transmission within a network is the firewall's basic functionality. In SifoWorks it is implemented by an embedded high-density security chip. When SifoWorks receives a packet, it first checks whether there is session information corresponding to the packet. Based on the result, it decides whether to forward the packet directly or to continue matching it against the security rules. Session establishment for TCP requires the three-way handshake; a similar mechanism is used for other protocols such as UDP and ICMP. Status-based control over sessions reduces net
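The lookup order described in 1.3.1 (session table first, rules only for the first packet of a flow) is shown in the Python sketch below, which is an added example and not SifoWorks code or a description of its security chip. The rule list and packets are constructed; one design choice of the example that the manual does not state is that a TCP packet without a SYN and without a matching session is dropped rather than rule-matched, because such a packet cannot be the start of a three-way handshake.

```python
"""Stateful (status-based) packet handling (added example, not SifoWorks code)."""
from ipaddress import ip_address, ip_network


class StatefulFirewall:
    def __init__(self, rules, default="drop"):
        # rules: list of (src_net, dst_net, proto, dport, action); dport None = any
        self.rules = rules
        self.default = default
        self.sessions = {}          # 5-tuple of the initiating packet -> "accept"
        self.stats = {"session_hits": 0, "rule_lookups": 0}

    @staticmethod
    def _key(p):
        return (p["src"], p["sport"], p["dst"], p["dport"], p["proto"])

    def _match_rules(self, p):
        self.stats["rule_lookups"] += 1
        for src_net, dst_net, proto, dport, action in self.rules:
            if (ip_address(p["src"]) in ip_network(src_net)
                    and ip_address(p["dst"]) in ip_network(dst_net)
                    and proto in (p["proto"], "any")
                    and dport in (p["dport"], None)):
                return action
        return self.default

    def handle(self, p):
        """Return 'accept' or 'drop' for packet p (a dict of header fields)."""
        key = self._key(p)
        reverse = (p["dst"], p["dport"], p["src"], p["sport"], p["proto"])
        if key in self.sessions or reverse in self.sessions:
            # Known flow in either direction: forward on the session's verdict.
            self.stats["session_hits"] += 1
            return self.sessions.get(key) or self.sessions[reverse]
        # Only a SYN can open a TCP session; a stray ACK/RST is not rule-matched.
        if p["proto"] == "tcp" and not p.get("syn", False):
            return "drop"
        action = self._match_rules(p)
        if action == "accept":
            self.sessions[key] = action
        return action


def demo():
    """Constructed flow: LAN host opens HTTP to a WAN server, the server's
    SYN-ACK and later data ride the session, and an unrelated inbound segment
    with no session is dropped."""
    fw = StatefulFirewall([("192.168.1.0/24", "0.0.0.0/0", "tcp", 80, "accept")])
    syn = {"src": "192.168.1.10", "sport": 40000, "dst": "211.192.98.1",
           "dport": 80, "proto": "tcp", "syn": True}
    synack = {"src": "211.192.98.1", "sport": 80, "dst": "192.168.1.10",
              "dport": 40000, "proto": "tcp"}
    data = dict(syn, syn=False)
    stray = {"src": "211.192.98.1", "sport": 80, "dst": "192.168.1.10",
             "dport": 40001, "proto": "tcp"}
    return [fw.handle(syn), fw.handle(synack), fw.handle(data), fw.handle(stray)], fw.stats
```

The counters make the performance argument concrete: four packets cost one rule lookup, and every further packet of the flow is a table hit.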
Step 12 Add a web content filtering rule
1. From the left menu bar, select Firewall > Content Filtering. The Web Filter tab is displayed.
2. Click Add Web Filtering at the bottom of the web filtering rule list.
3. In the displayed interface, configure:
   Name: forbid_popular
   Prohibited URL: myURL
   Description: forbid accesses to sina sohu 163 china chinaren google
   (Figure: the Add Web Filtering Rule form. The remaining fields, URL WhiteList, Prohibited HTTP Method (Get, Put, Head, Options, Connect), Prohibited Keyword, Erase Item (JavaScript, Java Applet, ActiveX, Cookie) and Prohibit Multithreading Download, are left at their defaults.)
4. Click Save to save the new rule and return to the web filtering rule list.

Step 13 Add a filter rule allowing LAN users to access external networks only after they have been authenticated locally by the system. The filter rule must also prohibit user access to the specified URLs.
1. From the left menu bar, select Firewall > Filter Rule.
2. Click Add New Filter Rule at the bottom of the filter rule list.
3. In the Action To Take tab, select the rule Action Accept and click Advanced to vie
Users can log in to SifoWorks only within their account's validity period.

CONFIGURATION PROCEDURE: TRADITIONAL LOGIN
Step 1 Open a web browser on the administrative PC. The administrative PC must be able to reach the network in which SifoWorks is deployed. If your PC is connected directly to SifoWorks via a cross-over cable, make sure that its IP address is in the same subnet as the IP address of the SifoWorks administrative interface.
Step 2 In the address bar, enter the SifoWorks administrative IP address. For the initial login via the management port, enter the factory default address https://172.16.0.1. For information on changing the administrative IP address, refer to 3.2 Setting up the Basic Network Settings.
Step 3 A login dialog window appears. Enter your user name and password in the respective textboxes.
Step 4 Click Login to log in to the system.

CONFIGURATION PROCEDURE: OTP LOGIN
Step 1 Open a web browser on the administrative PC. The administrative PC must be able to reach the network in which SifoWorks is deployed. If your PC is connected directly to SifoWorks via a cross-over cable, make sure that your PC's IP addres
access method. PPPoE (Point-to-Point Protocol over Ethernet) is a widely used Internet access method. SifoWorks uses the MGT1 port as the interface for PPPoE connections. Two PPPoE modes are supported:
- Common mode: the system processes PPPoE traffic in software. Simply connect the network cable for PPPoE access to the MGT1 port. Because PPPoE traffic is handled in software, this mode ties up a large amount of system resources; if the PPPoE traffic in your network is heavy, use Fast mode instead.
- Fast mode: PPPoE traffic is forwarded in hardware by the SifoWorks security chip. Connect the network cable for PPPoE access to the MGT1 port, then connect a network cable between MGT0 and FE7. Up to 50M of traffic is supported in fast mode. Because PPPoE traffic is forwarded in hardware, better performance can be observed in this mode.
Note: Because both MGT0 and MGT1 are used in fast mode, administrators must log in to SifoWorks via the FE0 to FE6 data ports. Since management is then reachable from data ports, restrict which hosts on those ports may reach the administrative address.

When configuring filter rules to support PPPoE connections:
- Under PPPoE common mode, select PPPoE in the filter rule's Virtual Port From and Virtual Port To parameters. This indicates that the incoming and outgoing interface is MGT1.
- Under PPPoE fast mode, select ADSL_HIGHSPEED in the filter rule's VLAN From and VLAN To parameters to indicate MGT1 as the incoming and outgoin
and client.

In this network:
- The first-hop gateway IP from the firewall to the Internet is 211.192.98.217.
- The pre-shared key 123456 is used for authentication.
- The IKE phase 1 algorithm is 3des-md5-modp1536.
- The IKE phase 2 algorithm is esp-3des-md5.
Note: These are example values. A six-digit pre-shared key is trivially brute-forced, and 3DES and MD5 are legacy algorithms. In production use a long random pre-shared key (or certificate authentication, as described under Adding Certificates) and the strongest cipher, hash and Diffie-Hellman group that both VPN ends support.

The configuration procedure is as follows.
Step 1 Log in to SifoWorks via a read-write administrator account.
Step 2 Enable VPN
1. From the left menu bar, select VPN > IPSec Setting.
2. Toggle the VPN module ON.
3. Click Save to confirm the setting.
Step 3 Select the outgoing interface
1. In the VPN > IPSec Setting interface, click the IPSec Interface IP tab.
2. Select the VLAN WAN as the outgoing interface.
   (Figure: the IPSec Switch and IPSec Interface IP tabs.)
3. Click Save to save the configuration.
Step 4 Add IKE
1. From the left menu bar, select VPN > IKE.
2. At the bottom of the IKE list displayed, click Add New IKE.
3. The Add New IKE interface is displayed. Configure as follows:
   IKE Name: RemoteIKE
   Remote Gateway: Dynamic
   NextHop: 211.192.98.217
   (Figure: the Add New IKE form, with its Phase One Method, Authenticate Method, Phase Two Proposal and Advanced Setting sections.)
   Local Inter
downloads and IM messaging. Using a port/protocol system, the intelligent protocol recognition function is able to identify and block illegal data flows. This function supports a wide range of protocols, including:
- HTTP, FTP, SOCKS, SSH, Telnet
- TFTP, VNC, RTSP, H.323, SIP, M_HTTP_Proxy
- SMTP, POP3, IMAP
- AIM, MSN Messenger, QQ, Yahoo Messenger, Popo
- BitTorrent, eDonkey, MUTE, FOXY, Kugoo, Xunlei

1.3.5 DoS/DDoS Defense
DoS/DDoS attacks are a common threat faced by network security systems. Using viruses, trojans or other malware, attackers can make compromised machines launch such attacks by simply sending a command. Network usage is disrupted if the firewall cannot differentiate between such machines and legitimate users when a DoS/DDoS attack occurs. SifoWorks provides the following DoS/DDoS defense mechanisms:
- TCP: SifoWorks uses a SYN cookie mechanism to validate connection attempts. A packet is identified as a legitimate data flow if it passes this validation, and the system then checks the packet against sessions or rules. Otherwise the packet is identified as an illegitimate data flow and dropped.
- UDP and other protocols: SifoWorks keeps an overall record per source IP. Each record includes the connection rate, total connection number, traffic, etc. SifoWorks allows for more than 1M of sourc
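The SYN cookie mechanism mentioned for TCP works without keeping any per-connection state for half-open connections. The Python block below is an added example, not SifoWorks code and not a description of its implementation: the initial sequence number sent in the SYN-ACK is a keyed hash over the 4-tuple and a coarse time counter, and the third-handshake ACK is validated by recomputing it. A spoofed source never sees the SYN-ACK, so it cannot produce a valid ACK and no session is ever created for it. The secret key and the 64-second counter period are assumed values.

```python
"""SYN cookie generation and validation (added example, not SifoWorks code)."""
import hashlib
import hmac
import struct

SECRET = b"constructed-per-boot-secret"   # assumed: a real device rotates this at boot
COUNTER_PERIOD_S = 64                      # assumed width of one validity window


def _counter(now: float) -> int:
    return int(now // COUNTER_PERIOD_S)


def _cookie(src, sport, dst, dport, count: int) -> int:
    """32-bit cookie: top 3 bits carry the counter (mod 8) so validation knows
    which window to recompute; the low 29 bits are a truncated HMAC."""
    msg = f"{src}:{sport}->{dst}:{dport}".encode() + struct.pack(">I", count & 0xFFFFFFFF)
    mac = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return ((count & 0x7) << 29) | (int.from_bytes(mac[:4], "big") & 0x1FFFFFFF)


def make_cookie(src, sport, dst, dport, now: float) -> int:
    """Initial sequence number to place in the SYN-ACK; nothing is stored."""
    return _cookie(src, sport, dst, dport, _counter(now))


def check_ack(src, sport, dst, dport, ack_number: int, now: float) -> bool:
    """True if ack_number acknowledges a cookie we could have issued in the
    current or the previous window (the clock may have ticked meanwhile)."""
    cookie = (ack_number - 1) & 0xFFFFFFFF
    current = _counter(now)
    for count in (current, current - 1):
        if (count & 0x7) != (cookie >> 29):
            continue
        expected = _cookie(src, sport, dst, dport, count)
        if hmac.compare_digest(expected.to_bytes(4, "big"), cookie.to_bytes(4, "big")):
            return True
    return False


def handshake(src, sport, dst, dport, now: float, spoofed: bool = False) -> bool:
    """Simulate the exchange: a real client echoes isn + 1; a client behind a
    spoofed source never received the SYN-ACK and can only guess."""
    isn = make_cookie(src, sport, dst, dport, now)
    ack = (isn + 2) & 0xFFFFFFFF if spoofed else (isn + 1) & 0xFFFFFFFF
    return check_ack(src, sport, dst, dport, ack, now + 0.2)
```

The trade-off the example makes visible is that a cookie encodes only a few bits of the counter and a truncated MAC, so it must expire quickly (two windows here); the design is meant for the flood condition, not as a replacement for the normal session table.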
in step 3 above from the Available Users list, and click > to assign the users to this group. Click Save to save the authentication user group and return to the list.

Step 9 Add authentication addresses
1. From the left menu bar, select System > Auth Address.
2. At the bottom of the list displayed, click Add New Auth Address.
3. The Add New Auth Address interface is displayed. Configure as follows:
   Name: ExampleAuthAddress
   From Address: ExampleAddress
   Service: HTTP
   Users: ExampleGroup (Group)
   Idle Duration: 1 to 300 minutes
   Note: Idle Duration is the timeout on an authenticated user's Internet access through SifoWorks. If the authenticated user makes no Internet access through SifoWorks for this period, the system prompts the user to re-authenticate.
4. Click Save to save the new authentication address.

Step 10 Customize the user authentication interface
1. From the left menu bar, select System > Auth Server.
2. Click the Banners tab to customize the authentication interface.
3. Enter the various messages, including:
   Banner Title: Welcome ExampleGroup
   Success Message: Authentication Successf
list of VLANs.
2. Click the edit icon corresponding to VLAN1 and unselect all data ports from the VLAN.
3. Return to the VLAN list. Click Add New VLAN and configure as follows:
   Name: LAN
   VLAN ID: 2
   Select the port: FE0
   MTU: 1500
   Status: Up
4. Click Save to save and return to the VLAN list.
5. Repeat steps 2 to 4 to add a WAN VLAN.
(Figure: the final VLAN list, with columns VLAN Name, VLAN ID, Ports, User Ports and Operation, showing ADMIN (VLAN ID 0, MGT0), VLAN1 (VLAN ID 1) and the new VLANs with their Virtual Port 1, Virtual Port 2 and Virtual Port 3 assignments.)

Step 4 Set up IP addresses
1. From the left menu bar, select Network > IP Config.
2. In the list displayed, click the edit icon corresponding to LAN. The system displays the Show IP Configure interface.
3. Select Static IP Address and click Add New IP.
4. In the next interface, configure the IP as 192.168.1.1 with netmask 255.255.255.0.
5. Click Save to save the new IP address and return to the Show IP Configure interface.
6. Click Return to return to the VLAN IP list.
7. Repeat steps 2 to 6 to add the IP/netmask 211.192.98.220 / 255.255.255.0 for the WAN VLAN.
(Figure: the VLAN IP list, showing ADMIN 172.16.0.1 / 255.255.0.0 and 192.168.1.1 / 255.255.255.0.)
object, administrator account, filter rule, etc.) that is stored and displayed in lists on the system.
- SifoWorks User Interface: describes the SifoWorks UI and the various system menu options.
- Task List: lists the various tasks a SifoWorks administrator may need to perform when managing the system and network activities.
- Device Quick Configuration Guide: displays a flowchart and a brief explanation of how to deploy and configure your SifoWorks device to provide basic functionality in your existing network.

2.1 SifoWorks Deployment Topology
By selecting a work mode for the SifoWorks system, you can deploy SifoWorks in one of three modes: transparent mode, route mode and hybrid mode. Each mode is explained in detail below.
Note: Refer to 3 Network Configuration for information on setting up the SifoWorks working mode and other network parameters.

2.1.1 Transparent Mode
Transparent mode is suitable for networks that do not require routing or NAT address translation. All devices directly connected to SifoWorks are located in the same network domain; an example is deploying SifoWorks between a router and a layer 3 switch. In this mode no modifications to the existing network settings are necessary, and NAT or routing via SifoWorks is not required for local network devices. An exampl
password recovery mechanism, and specifying the timeout value for the web UI.

CONFIGURATION PROCEDURE
Step 1 Log in to SifoWorks via a read-write administrator account.
Step 2 From the left menu bar, select System > Common Setting.
Step 3 Click any of the tabs in this interface (Misc Setting, Date Setting, Advanced Options, Web Server Cert) and configure as necessary.
Step 4 Click Save to save your settings.

UI PARAMETER REFERENCE
The tables below explain the parameters that can be configured on the various tabs of the System > Common Setting interface.

Misc Setting tab

Field Name: Web Time Out
Explanation: Timeout setting to enhance system security. If a user makes no operations on the system's web UI for this period, the system automatically disconnects the user.
How to Configure: Enter the value in the textbox. Range: 60 to 3600 s. Example: 300

Field Name: Enabled Password Recover
Explanation: Select whether to enable the SifoWorks password recovery mechanism. To recover the default password, press and hold the Reset button located between MGT0 and the power LED on the device's front panel for at least 10 seconds, using a thin wire. While this mechanism is enabled, anyone with physical access to the device can reset the administrator password, so keep the device in a physically secured location or leave the mechanism disabled.
How to Configure: Check the checkbox to enable.

Field Name: Language
Explanation: Select the UI display
How to Co
performance VPN engine and explains basic VPN concepts.
- Configuring IPsec VPN Connections: describes how to configure an IPsec VPN connection. Using examples, this section also introduces how to establish remote access VPN connections, site-to-site VPN connections and dynamic VPN connections based on DDNS.
- Configuring PPTP VPN Connections: describes how to configure a PPTP VPN connection.
- Configuring L2TP VPN Connections: describes how to configure an L2TP VPN connection.
This chapter is recommended for administrators who want to configure SifoWorks VPN-related settings.

SifoWorks provides a high-performance VPN engine supporting IPsec VPN, PPTP VPN and L2TP VPN. This chapter explains how to set up VPN connections for each of these three types of VPN. Note that PPTP's authentication and encryption are considered broken by current standards; prefer IPsec (or L2TP over IPsec) wherever both ends support it.

VPN (Virtual Private Network) refers to the creation of a temporary, secured connection from a public network (usually the Internet) to a private network. A VPN extends the company's internal network boundary, allowing users on external networks to access internal resources safely. The basic functions that a VPN connection should provide include:
- Data encryption, to prevent data transmitted via the public network from being intercepted and leaked.
- Data and identity authentication, to ensure that received data is complete and legitimate and to verify users' ide
query criteria to search for specific log records. Click Advanced to enter more specific search criteria.
Step 4 Click Go to search for and display the list of logs fulfilling the specified criteria.
Step 5 (Optional) For log lists that span more than a single page, use the Go To drop-down menu to view the other pages.

Chapter 9 System Settings
The following sections can be found in this chapter:
- Overview: briefly introduces the various operations relating to system setting configuration.
- Managing Administrator Accounts: explains how to manage administrator accounts via the SifoWorks UI and the various administrator access authorities.
- Setting Up Basic System Configuration: introduces the system date/time, display language and password recovery mechanism configurations.
- Import/Export Configuration File: describes how to save the current system configuration to a backup file and how to import a previously backed-up configuration file to restore the system's settings.
- Upgrade System Software: explains how to upgrade the system's software.
- Connect to a Network Management System: guides you through the procedure to set up the SNMP agent, SNMP trap and registration server that connect SifoWorks to a centralized network management system.
- Configuring Timeout Values: explains the various timeout parameters and how to specify timeout values to r
rule is effective. The device is operating correctly in the network if all three conditions below are true:
- you can log in successfully;
- you can access the Internet;
- access to the prohibited web sites, such as www.sina.com, is blocked.
Otherwise, the LAN-to-WAN filter rule may not have been defined correctly. Check the rule and make any modifications required.

11.6 Phase 4: Configuring VPN
11.6.1 Configuration Procedure
In this phase, set up SifoWorks to allow remote users to establish VPN connections with the device so that they can securely access internal resources from external networks.
Step 1 Enable VPN
1. From the left menu bar, select VPN > IPSec Setting.
2. Toggle the VPN module ON.
3. Click Save to confirm the setting.
Step 2 Select the outgoing interface
1. In the VPN > IPSec Setting interface, click the IPSec Interface IP tab.
2. Select the VLAN WAN as the outgoing interface.
   (Figure: the IPsec Switch and Interface IP tab, showing the interface IP 211.192.98.220.)
3. Click Save to save the configuration.
Step 3 Add IKE
1. From the left menu bar, select VPN > IKE.
2. At the bottom of the IKE list displayed, click Add New IKE.
3. The Add New IKE
system's NAT performance.
Server Load Balance: these objects are applied in destination NAT (DNAT) rules to achieve load balancing between multiple servers via DNAT.
Schedule: adds a recurring or one-time schedule, used when defining weekly schedule objects or directly in filter rules to control the period during which a rule is valid. For example, you can add a schedule that enables a filter rule only from 1 to 3 pm daily.
Weekly Schedule: adds, edits and deletes weekly schedule objects. These objects can be used when defining filter rules to control when the rules are valid; for example, a rule can be valid only between 1 pm and 3 pm every Monday. You must use schedule objects when defining weekly schedule objects.
IP Pool: manages IP pool objects, each containing a range of IP addresses. IP pool objects are used when configuring VPN connections to specify the range of IP addresses that can be assigned to VPN clients.
Content Filtering Obj: manages the URL, email or keyword objects used in defining content filtering rules.
Virtual Port Config: groups the SifoWorks data ports into three virtual ports.
VLAN Setting: adds and configures VLANs according to your network topology.
IP Config: configures the IP address for each VLAN. You can also modify the administrative IP of SifoWorks from th
49. ...systems. Smurf attacks send a large number of ICMP packets (mainly reply packets for the Ping command) to the broadcast address of a midware proxy. The IP address of the host being attacked is used as the source IP of these packets. The midware proxy will then send the packets to all hosts in its subnet, causing the target host to crash. How to configure: check the checkbox to enable.
Replay: Enable or disable defense against Replay attacks. When enabled, SifoWorks will be able to identify and block intercepted packets re-sent by the attacker, thus preventing Replay attacks. Replay attacks refer to the re-sending of packets that were intercepted by the attacker, thus allowing access to the resources of the system being attacked.
WinNuke: Enable or disable defense against WinNuke. SifoWorks identifies and blocks encrypted attack packets, thus preventing WinNuke attacks. WinNuke attacks involve sending TCP fragments to an already connected host, usually to NetBIOS port 139, configured with the emergency symbol (URG), resulting in duplicate NetBIOS fragments. This causes systems using Windows to crash.
TearDrop / Bonk: Enable or disable defense against IP Fragment type attacks. The ... that can be...
50. ...the Ping command, including the Number of Pings (packets to send), the Size of each ping packet and the time Interval between the sending of each packet. Click Confirm to execute the command. The interface will automatically refresh to display the result of the Ping command.
Note: You can manually navigate to the result screen by selecting Diagnostics > Ping Result from the left menu bar. From the Ping result screen you can:
- Click Cancel to terminate the current Ping command execution.
- Click Clear to clear the current result screen.
CONFIGURATION PROCEDURE: TRACE ROUTE
The procedure to execute the Traceroute command from the SifoWorks Web UI is as follows:
Step 1: Login to SifoWorks via a read-write or read-only administrator account.
Step 2: From the left menu, select Diagnostics > Trace Route.
Step 3: In the Trace Route interface that appears, enter the Domain Name or IP Address of the traceroute target.
Step 4 (Optional): Set up the various optional parameters of the command, including the Number of Hops, the Number of Probes and the amount of time to wait for a response after sending a traceroute packet before it times out (Timeout).
Step 5: Click Confirm to execute the command. The interface will automatically refresh to display the result of the traceroute command.
Note: You can manually navigate to the r...
51. ...the VPN module On. 3. Click Save to confirm the setting.
Step 9: Select the outgoing interface for SifoWorksB
1. From the VPN > IPSec Setting interface, click the IPSec Interface IP tab.
2. Select the VLAN WAN as the outgoing interface.
3. Click Save to save the configuration. [Figure: IPSec Interface IP tab showing Interface IP 202.112.11.222]
Step 10: Add IKE for SifoWorksB
1. From the left menu bar, select VPN > IKE.
2. From the bottom of the IKE list displayed, click Add New IKE.
3. The Add New IKE interface will be displayed. Configure as follows: IKE Name: BranchIKE; Remote Gateway: Static Gateway IP 211.192.98.220; NextHop: 202.112.11.1. [Figure: Add New IKE dialog with tabs New IKE, Phase One Method, Authenticate Method, Phase Two Proposal and Advanced Setting; Local Interface WAN; Remote Gateway options Static Gateway IP, Dynamic DNS Domain and Dynamic Remote ID (domain name); NextHop; Strict Algorithm Match; Next > / Cancel]
4. Click Next > to display the Phase One Method tab. The configuration is as follows: Algorithm: 3des-md5-modp1536; Exchange: main mode.
5. Click Next > to view the Authenticate Method tab. Select PSK and enter 12345678 as the Preshare Key. Re-enter this key in the Retype textbox to...
52. ...time, UI display language, password recover settings, etc.
Import/Export Configuration File (9.4): When you want to save the current system configurations into a backup file or restore the system configurations from a previously saved file.
Upgrade System Software (9.5): When you want to upgrade the system's software version.
Connect to a Network Management System (9.6): When you want to connect the device to a network management system to achieve centralized management.
Configuring Timeout Values (9.7): When you need to adjust system timeout configurations to meet your network requirements or to raise system performance.
System Maintenance
Monitoring Sessions and Online Users (10.2): To view the list of currently established sessions and the authenticated users that are online. This operation also allows you to view DHCP lease information.
Viewing Reports (10.3): When you want to enable or disable report monitoring, or view real-time or history reports of various system statuses.
Performing Network Diagnostics (10.4): When you want to execute Ping or Traceroute commands to check for network connectivity between SifoWorks and external networks.
Restoring System Settings (10.5): When you need to restore the system's configurations to factory default settings, retrieve the administrati...
53. ...topology with SifoWorks deployed in hybrid mode is shown below. [Figure: hybrid-mode topology: Internet; WAN 211.192.98.220; SifoWorks 192.168.1.1 with VPort2 and VPort3; Subnet 1 and Subnet 2 (192.168.1.0/24) behind LAN switches; Server domain 211.192.98.0/24]
2.2 Basic System Operations
2.2.1 System Login
After deploying SifoWorks in your network, SifoWorks administrators can log in to the system's UI via the Internet Explorer browser (version 6.0 or later) or the Mozilla Firefox browser (version 1.5 or later). SifoWorks supports 2 login methods:
- Traditional Login: Logging into the system via user name and password.
- OTP (One Time Password) Login: Uses a one-time password to log in to the system. The system computes a response string based on the password and a dynamically generated challenge string. The user password will not be transmitted over the network, thus ensuring user security.
Note: OTP login can only be used by users whose account is configured with the allow OTP login attribute, and JRE version 1.6.0 or later must be installed on the host used to access SifoWorks. You can request a login administrator account from the system's default administrator (using the admin account). Whether your account is allowed to log in via OTP depends on your account settings added by the default administrator.
54. ...up the Basic Network Settings (3.2): During the installation of SifoWorks, or when you need to modify network configurations.
Configuring NAT (3.3): When SifoWorks must perform NAT on the transmitted data packets.
Setting up DHCP Service (3.4): When SifoWorks is to be set up as a DHCP server, or to specify DHCP relay servers to provide DHCP services.
Configuring PPPoE Connections: To set up SifoWorks such that the system is able to establish PPPoE connections with external networks.
Specifying DNS Servers: To equip SifoWorks with domain name resolution capability.
Configuring DDNS: To establish connections with DDNS servers to provide DDNS service, allowing users to establish dynamic VPN connections via PPPoE.
Managing IP MAC Bindings: To set up IP MAC bindings in the system to ensure that users can only access the system through allowed hosts.
Managing the ARP Tables: To manage the static and dynamic ARP entries generated by SifoWorks when transmitting data packets through the networks.
Firewall Rule Management
Managing Filter Rules: When filter rules for packets arriving at the data ports need to be added or modified.
Managing Local Rules: To set up SifoWorks such that users can access the system by connecting via a data port.
Managing Content Filtering Rules: When the system needs to filter application layer data, including HTTP, FTP and Emai...
55. ...which interface to route accesses to, using the source IP, even if the destination URL / destination IP is identical.
Multi-Gateway Routing: Multiple gateway addresses can be configured for a single route. The system selects the next-hop gateway address based on a priority system, thus achieving load balancing. The system must be able to dynamically monitor the status of each gateway. When a particular gateway fails, SifoWorks promptly modifies the route configuration, directing all traffic from the failed gateway to other gateways.
Ensuring packet continuity: Packets belonging to the same connection should be transmitted via the same route to ensure continuity. SifoWorks not only ensures that packets from the same connection are transmitted via the same gateway, but also uses route mirroring to ensure continuity for connections from an external source. That is, all packets of a connection entering SifoWorks from gateway A will be transmitted out from the same gateway.
1.3.8 High Performance VPN Engine
SifoWorks' high performance VPN engine supports IPsec VPN, PPTP VPN and L2TP VPN. The system supports the DES, 3DES and AES encryption algorithms and the MD5 and SHA1 authentication algorithms. The DES and AES modules are equipped with up to 200Mbps processing capability. IPsec VPN also supports the AH, ESP and AH+ESP modes.
1.3.9 Multi-Gateway Access
56. ...0.0.0; Destination Mask: 0.0.0.0; Gateway: 211.192.98.217; Dev: WAN; Enable: Yes. [Figure: Add New Static Route dialog with Destination IP, Destination Mask, Gateway 211.192.98.217, Outgoing Device WAN, weight, and Add new gateway yes/no; Save / Cancel]
5. Click Save to save the new route.
11.3.2 Testing the Configuration
If SifoWorks has already been connected to the network, that is, network cables have already been connected between FE0, FE1 and FE2 and the networks, and an Accept All filter rule has been added, hosts in the connected LAN, WAN and DMZ networks should be able to communicate with each other. You may use the Ping command to test this connectivity. If your device has not been connected to the network, you will not be able to perform any tests to check the configurations made during this phase at this point. Please continue to the next configuration phase below.
11.4 Phase 2: Configuring NAT
11.4.1 Configuration Procedure
The following steps guide you through setting up the NAT rules required according to the network analysis in 11.1 Network Topology and Company Requirements.
Step 1: From the left menu bar, select Firewall > NAT Rule. The list of source NAT (SNAT) rules will be displayed.
Step 2: Add SNAT rule
1. In the SNAT tab, click Add New SNAT.
2. In the Add...
57. ...0 / 255.255.255.0; Address To: Custom IP / Netmask 10.1.1.2 / 255.255.255.255; Service: HTTP. Select to enable the Intelligent Recognized Protocol function and select http from the drop-down menu. The figure below shows the above configurations. [Figure: Match tab showing Virtual Port To, VLAN To, Address From Custom IP 192.168.1.0 / Netmask 255.255.255.0, Address To Custom IP / Netmask 255.255.255.255, Service HTTP, Intelligent Recognized Protocols http, Source Mac]
5. Click Save to save this filter rule and return to the filter rule list.
Step 5: Add a filter rule to allow LAN users to access the SMTP mail server
1. Click Add New Filter Rule to display the configuration interface to add a new filter rule.
2. Select Action as Accept. Click Advanced to display the advanced options and select to enable Log for this rule.
3. Click Next > to view the Match tab interface. Configure as follows: Virtual Port From: VPort1; Virtual Port To: VPort3; VLAN From: LAN; VLAN To: DMZ; Address From: Custom IP / Netmask 192.168.1.0 / 255.255.255.0; Address To: Custom IP / Netmask 10.1.1.3 / 255.255.255.255; Service: SMTP.
4. Select to enable the Intelligent Recognized Protocol function and select smtp from the drop-down menu. The figure below shows the above conf...
58. ...00 Sessions; Session Establishment Rate: 6,000 per second; Number of Security Policies: D100 4000, D200/D300 8000; Number of Customizable Security Domains: 8; Packet Latency: 5us-13us.
1.4.2 Device Dimensions
The following table details the physical dimensions of the SifoWorks device.
Length x Breadth x Height: 428mm x 358mm x 47mm
Weight: 5kg
1.4.3 Power
The following table lists the power supply requirements of the SifoWorks device.
Voltage: 90V-260V
Frequency: 50Hz-60Hz
1.4.4 Operating Environment
The physical operating environment requirements of the SifoWorks device are detailed in the table below.
Operational Temperature: 0°C-40°C
Non-operational Temperature: 10°C-70°C
Humidity: 10%-90%
1.4.5 Reliability Index
The following table shows the reliability index of the SifoWorks devices.
MTBF (Mean Time Between Failures): 100,000h
Chapter 2 Getting Started
This chapter comprises the following sections:
- SifoWorks Deployment Topology: Explains the three commonly used deployment modes of SifoWorks.
- Basic System Operations: Describes the basic SifoWorks operations, including system login and logout. This section also describes the procedure to add, edit and delete records, where a record refers to an...
59. [Figure: Add IP Rate Limit dialog: IP Address Type Subnet; Address 192.168.1.0; Mask 255.255.255.0; Upload Limit 20000 Kb (input a number from 100 to 100,000,000, or 0); Down Limit 40000 Kb (same range); Mode Single / Share; Status On / Off; Description (max 32 characters); Save / Cancel]
3. Click Save to save the new limit and return to the IP rate limit list.
Step 4: Add IP rate limit for the IP range
1. Click Add from the bottom of the list displayed.
2. The Add IP Rate Limit interface will be displayed. Here configure: IP Address Type: Range; Address: 192.168.2.1 To 192.168.2.20; Upload Limit: 1000; Down Limit: 1000; Status: On.
3. Click Save to save the new limit and return to the IP rate limit list.
Step 5: Add IP rate limit for the single host
1. Click Add from the bottom of the list displayed.
2. The Add IP Rate Limit interface will be displayed. Here configure: IP Address Type: Host; Address: 192.168.2.21; Upload Limit: 2000; Down Limit: 2000; Status: On.
3. Click Save to save the new limit and return to the IP rate limit list.
Step 6 (Optional): Adjust the list of IP rate limits. SifoWorks matches data packets to the IP rate limits by scanning the list in a top-down manner. You may wish to adjust the position of IP rate limits in this li...
60. CONFIGURATION PROCEDURE
Step 1: Login to SifoWorks via a read-write administrator account.
Step 2: From the left menu bar, select Network > ARP Setting to view the ARP tables.
Step 3: From this interface you can:
- Click Add New Static ARP to display the Static ARP Setting interface. Enter the IP and MAC addresses and click OK to save the Static ARP entry.
- Click the Dynamic ARP tab to view the dynamic ARP table. Select ARP entries from this table and click Set to Static to add the selected dynamic ARP mappings to the static ARP table.
Chapter 4 Firewall Rule Management
This chapter includes the following sections:
- Overview: Briefly explains the various types of firewall rules, including filter rules, local rules and content filtering rules.
- Managing Filter Rules: Describes in detail how to define filter rules according to your company's actual requirements, to accurately control the flow of traffic between the various data ports.
- Managing Local Rules: Explains how to configure local rules to control access to the SifoWorks system for configuration and maintenance via data ports.
- Managing Content Filtering Rules: Detailed explanation of how to define content filtering rules according to your company's requirements, controlling transmitted application layer packets including HTTP, FTP and Email packets. This section also explain...
61. 1.1 What is SifoWorks ... 2
1.2 SifoWorks Hardware Specifications ... 2
1.3 What Can SifoWorks Do ... 5
1.4 System Specifications ... 13
2 Getting Started ... 15
2.1 SifoWorks Deployment Topology ... 16
2.2 Basic System Operations ... 19
2.3 SifoWorks User Interface ... 23
2.4 [title illegible in source] ... 33
2.5 Device Quick Configuration Guide ... 38
3 Network Configuration ... 41
3.1 Overview ... 43
3.2 Setting up the Basic Network Settings ... 43
3.3 Configuring Network Address Translation ... 59
3.4 Setting up the DHCP Service ... 69
3.5 Configuring PPPoE Connections ... 73
3.6 Specifying DNS Servers ... 76
3.7 Configuring DDNS ... 76
3.8 Managing IP MAC Bindings ... 78
62. Step 2: Add address object
1. From the left menu bar, select Object > Address.
2. Click Add New Address.
3. In the Add New Address interface, configure as follows: Address Name: ExampleAddress; IP: 192.168.1.0; NetMask: 255.255.255.0. [Figure: Add New Address dialog with the same values]
4. Click Save to save the address object.
Step 3: Add authentication users
1. From the left menu bar, select System > Auth User.
2. Click Add New Auth User.
3. In the Add New AuthUser interface, enter: User Name: User01; AuthServer: LOCAL; User Attribute: Filterrule; Status: Enable; Password: 123456; Confirm Password: 123456.
4. Click Save to save the authentication user.
5. Repeat steps 2-4 to add the other authentication users. [Figure: Auth User list showing user01 and user02 with attribute FilterRule, server LOCAL and status enable]
Step 4: Add authentication user group
1. From the left menu bar, select System > Auth Group.
2. Click Add New Auth User Group.
3. Enter the Auth Group Name: ExampleGroup.
4. Check the Filterrule Attribute.
5. Select all authentication users added in step 3 above from the Available Users list and click > to assign the users to this group.
6. Click Save to save the authentication user group.
63. Log Management
Managing Log Servers (8.2): When you need to configure the local and remote log servers (Server1 to Server4) or limit the number of log records that can be generated per second.
Configuring Log Attributes (8.3): When you need to control the log display, such as the log levels to be recorded, the log levels to include in email alerts, whether to log DNS requests, etc.
Exporting Logs (8.4): Set up the system to export logs to the specified FTP server.
Customizing Log Filter Criteria and Log Format (8.5): When you need to customize the filter criteria and format of logs to be stored via each storage method (local DB, remote server, email, FTP export).
Setting Up Email Alerts (8.6): To set up the system to send email alerts for specific log entries, including specifying the recipient addresses and the time interval between the sending of mails, etc.
Viewing Logs (8.7): To query and view the admin, system, security and traffic logs.
System Settings
Managing Administrator Accounts (9.2): You should perform this operation if you want to: 1. add, edit or delete an existing admin user account; 2. set up attributes such as retry times and freeze duration for an account. These operations can only be performed by the default administrator account, admin.
Setting up Basic System Configuration (9.3): When you need to set up the system date...
64. Step 3: Add a new server load balance object
1. From the list of objects displayed, click Add Server Load Balance.
2. In the Add Server Load Balance interface that appears, configure: Name: Web_Server; Port Translation: From 80 To 80; Load Balance Method: Weight.
3. Check the checkbox to enable the Sticky session function.
4. Click Add New Server. In the Server IP textbox that appears, enter the IP address of the first web server, 10.1.1.10. In the adjacent Weight textbox, enter 20.
5. Repeat 4 to add the remaining 4 web servers. The final configuration interface should be similar to the following figure. [Figure: Add Server Load Balance dialog: Name Web_Server; Port Translation From 80 To 80; Load Balance Method Round Robin / Weight (Weight selected); Sticky enabled; five servers from 10.1.1.10 to 10.1.1.14 with weights 20, 20, 25, 25 and 10 (allowed weight range 0-255); Save / Cancel]
6. Click Save to save the new server load balance object.
Step 4: From the left menu bar, select Firewall > NAT Rule. Click the DNAT tab to view the list of DNAT rules.
Step 5: Add a DNAT rule
1. Click Add New DNAT.
2. In the configuration interface that is displayed, configure as follows: Virtual Port From: VP...
65. Destination tab
Request Rate (PPS): Maximum number of connection requests per second. A connection request refers to the first packet of each connection. You can specify the request rate for different types of connections separately: TCP, UDP, ICMP, Others, Total. How to configure: enter the value in the textboxes.
Conn Number: Maximum allowed number of connections for each type: TCP, UDP, ICMP, Others, Total.
Packet Rate (PPS): Maximum number of packets that can be transmitted per second, including connection requests and other data transmission. This configuration will only be effective if Enable Packet Rate Limit is selected in the Anti-DoS Working Mode tab.
To Single Dest IP Address: The request rate, connection number and packet rate for an individual destination IP address.
Defense Time: When an attack is detected, SifoWorks will drop packets until the packet rate is less than the alarm threshold. Once the packet rate has decreased to less than the alarm threshold, SifoWorks will continue to drop packets for a period of time equal to the defense time. How to configure: enter the value in the textbox (example: 2s).
Alarm Thres...
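The Defense Time behaviour just described, as an added simulation that is not part of the manual or of the SifoWorks product: the per-destination rate is measured over a sliding one-second window, dropping starts when the rate reaches the alarm threshold and continues for the defense time after the rate has fallen below it. The threshold, the defense time and the traffic below are constructed values, not device defaults.

```python
"""Added example, not SifoWorks code: a per-destination anti-DoS packet-rate
guard that follows the Defense Time rule described in the manual.  Once the
packet rate toward a destination reaches the alarm threshold, packets to it
are dropped until the rate falls below the threshold, and dropping continues
for a further 'defense_time' seconds after that.  Threshold, defense time and
the sample traffic are constructed values."""
from collections import defaultdict, deque


class DestRateGuard:
    """Tracks the inbound packet rate per destination IP over a sliding
    one-second window and applies the alarm-threshold / defense-time rule."""

    def __init__(self, alarm_threshold_pps: int, defense_time_s: float):
        self.alarm_threshold = alarm_threshold_pps
        self.defense_time = defense_time_s
        self._arrivals = defaultdict(deque)  # dst -> timestamps in last 1 s
        self._under_attack = set()           # dsts whose rate is >= threshold
        self._drop_until = {}                # dst -> end of the defense period

    def rate(self, dst: str, now: float) -> int:
        """Packets seen for dst in the window (now - 1 s, now], dropped ones
        included: the attack traffic itself is what is being measured."""
        q = self._arrivals[dst]
        while q and q[0] <= now - 1.0:
            q.popleft()
        return len(q)

    def handle(self, dst: str, now: float) -> str:
        """Return 'accept' or 'drop' for one packet to dst arriving at now."""
        self._arrivals[dst].append(now)
        if self.rate(dst, now) >= self.alarm_threshold:
            self._under_attack.add(dst)          # attack detected or ongoing
            return "drop"
        if dst in self._under_attack:
            # Rate has just fallen below the alarm threshold: keep dropping
            # for defense_time seconds before letting traffic through again.
            self._under_attack.discard(dst)
            self._drop_until[dst] = now + self.defense_time
            return "drop"
        if now < self._drop_until.get(dst, float("-inf")):
            return "drop"                         # still inside defense time
        return "accept"


def run_scenario(alarm_threshold_pps: int, defense_time_s: float, packets):
    """Feed (dst, timestamp) pairs in arrival order; return the verdicts."""
    guard = DestRateGuard(alarm_threshold_pps, defense_time_s)
    return [guard.handle(dst, t) for dst, t in packets]


# Constructed traffic: a burst of 10 packets within 0.1 s at the DMZ web
# server 10.1.1.2, one packet to another host in the middle of the burst,
# then single packets to 10.1.1.2 at 1.5 s, 2.0 s and 3.6 s.
SAMPLE_PACKETS = [("10.1.1.2", round(0.01 * i, 2)) for i in range(10)]
SAMPLE_PACKETS.insert(5, ("10.1.1.3", 0.05))
SAMPLE_PACKETS += [("10.1.1.2", 1.5), ("10.1.1.2", 2.0), ("10.1.1.2", 3.6)]

if __name__ == "__main__":
    # alarm threshold 5 pps, defense time 2 s (constructed, like the 2s example)
    for (dst, t), verdict in zip(SAMPLE_PACKETS, run_scenario(5, 2.0, SAMPLE_PACKETS)):
        print(f"t={t:4.2f} {dst:10s} {verdict}")
```

With a threshold of 5 pps the fifth packet of the burst trips the alarm, the packet at 1.5 s is the first seen with the rate back under the threshold and starts the 2 s defense period, so the packet at 2.0 s is still dropped and the one at 3.6 s is accepted.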
66. ...192.168.1.1 / 255.255.255.0
- WAN: 211.192.98.220 / 255.255.255.0
- DMZ: 10.1.1.1 / 255.255.255.0
Static route for the WAN outgoing interface with the following configurations:
- Destination IP / Netmask: 0.0.0.0 / 0.0.0.0
- Gateway: 211.192.98.217
SNAT / DNAT:
- From LAN to WAN: Translated source IP 211.192.98.220, Port range 1025-65535
- From WAN to DMZ: Translated destination IP 10.1.1.2, Translated port 80
Filter Rules / IRP / QoS: The firewall should provide the following data filtering control:
- External users in the WAN network can access the Web server in the DMZ domain via HTTP. QoS is applied on all WAN to DMZ traffic (VPort2 to VPort3): Maximum bandwidth 60Mbps, Guaranteed bandwidth 20Mbps.
- LAN users can access the Web server in the DMZ domain via HTTP.
- LAN users can access the SMTP server in the DMZ domain via SMTP.
SifoWorks Intelligent Recognized Protocols (IRP) must be enabled for each of the above filter rules, preventing illegal data flows. Log must be enabled for the above filter rules for future analysis.
AAA Authentication / Content Filtering: LAN users in the domain 192.168.1.10 / 255.255.255.0 must be authenticated by the SifoWorks AAA module before they can access the WAN network via HTTP. All users are authenticated locally. The list of users is:
- User01 / 123456
- User02 / 12345...
67. ...1pm-3pm every Monday.
Local Rules: These rules allow administrators to configure and manage the SifoWorks system via the network ports. Local rules:
- Identify the incoming interface through virtual port and VLAN configurations.
- Identify the data flow based on IP address, service and MAC address.
- Permit or deny traffic from passing through the firewall through an Action parameter.
- Can limit the maximum number of concurrent connections for each host or network segment. This is only configurable if the rule's Action is accept.
- Can be configured with a schedule object specifying when the rule is effective. For example, a rule can be set up to be effective only between 1pm-3pm every Monday.
Content Filtering Rules: Content filter rules determine if an application layer data packet (HTTP, FTP and Email protocols) is allowed to pass through the firewall. Content filter rules include URL filtering, email filtering, FTP filtering and keyword filtering. Content filter rules will only be effective when they are applied on filter rules.
Before managing any type of firewall rules, please ensure that your SifoWorks system has been successfully connected to your network by completing the basic network configuration operation. Please refer to 3.2 Setting up the Basic Network Settings for details.
4.2 Managin...
68. 3. The resulting QoS list should be similar to the figure below. [Figure: QoS list with columns Status, Max Bandwidth and Guaranteed Bandwidth; for VPort2 and VPort3, level 0: 0 Kbps / 0 Kbps, level 1: 60000 Kbps / 20000 Kbps, levels 2 and 3: 0 Kbps / 0 Kbps]
Step 3: Add a filter rule with QoS to allow external users to access the Web server
1. From the left menu, select Firewall > Filter Rule to view the list of filter rules already defined in the system.
2. Click Add New Filter Rule to view the 2-tab interface for adding filter rules.
3. In the Action To Take tab, select the rule Action: Accept.
4. Click Advanced to view the advanced rule options.
5. Check the checkbox to enable Log and QoS.
6. Select 1 for both the Incoming Level and Outgoing Level fields. [Figure: Action To Take tab: Action Accept / Drop; Advanced options TCP Window Tracking, Content Filtering NONE, QoS Level 1 / Level 1, Max Connections, Netmask 255.255.255.255; Next > / Cancel]
7. Click Next > to move to the Match tab and configure as follows: Virtual Port From: VPort2; Virtual Port To: VPort3; VLAN From: WAN...
69. ...4.2 Managing Filter Rules for details on filter rule records.
CONFIGURATION PROCEDURE
Step 1: Navigate to the configuration page for the particular type of record from the left menu bar.
Step 2: From the record list, click the edit icon in the row corresponding to the record to be modified.
Step 3: From the configuration interface displayed, modify the settings as required.
Step 4: Click Save to save the changes. A success message should be displayed by the system.
2.2.5 Delete Records
This section explains how to delete a system record.
Note: This section gives an overall explanation of the procedure to delete a record entry from the system. For detailed information on the various kinds of records, please refer to the appropriate sections later in this manual. For example, you can refer to 9.2 Managing Administrator Accounts for information on user account records, or 4.2 Managing Filter Rules for details on filter rule records.
CONFIGURATION PROCEDURE
Step 1: Navigate to the configuration page for the particular type of record from the left menu bar.
Step 2: From the record list, click the delete icon in the row corresponding to the record to be deleted.
Step 3: From the confirmation popup window, click OK to delete the record and refresh the list.
2.3 SifoWorks User Interface
Upon su...
70. ...6. These users are not allowed to access the following URLs:
- www.sina.com
- www.sohu.com
- www.163.com
- www.china.com
- www.chinaren.com
- www.google.cn
VPN (IPsec VPN): To allow remote mobile employees to access the internal servers in the DMZ domain securely, SifoWorks must be able to accept VPN connection requests from these remote users. VPN connections use the pre-shared key 12345678. The IKE phase 1 algorithm is 3des-md5-modp1536 and the IKE phase 2 algorithm is esp-3des-md5.
IDS: Enable the SifoWorks IDS function to protect the internal network against attacks. When traffic exceeds a threshold, SifoWorks must automatically drop connections. Threshold values for both source-based and destination-based traffic are to be maintained at the system's default values, with packet rate limit enabled. SYN proxy is disabled on the system. SifoWorks must also be able to detect and prevent LAND Attack and ARP spoof attacks.
11.2 Configuration Flowchart
This example follows the procedure below when setting up SifoWorks to suit the requirements explained in the previous section. [Figure: flowchart: Start; Configuring basic network settings (VPort, VLAN, IP address, rou...); SNAT / DNAT; IPSec VPN; ...]
71. ...192.168.1.3; WINS Server 2: 192.168.1.4; IP Address From 192.168.1.10 To 192.168.1.100; IP Address From 192.168.1.110 To 192.168.1.200. [Figure: Configure DHCP Setting on LAN: DHCP Service Type DHCP Server (other choices DHCP Relay, None); DHCP Server Settings: Gateway 192.168.1.1, NetMask 255.255.255.0, Default Lease Period 7 Day(s) 0 Hour(s) 0 Minute(s), Max Lease Period 100 Day(s) 0 Hour(s) 0 Minute(s), Domain Name empty, DNS Server 1 192.168.1.3, DNS Server 2 192.168.1.4, WINS Server 1 192.168.1.3, WINS Server 2 192.168.1.4, IP Address From 192.168.1.10 To 192.168.1.100 and From 192.168.1.110 To 192.168.1.200; Static IP Address list (IP / MAC) with Add New Static IP; Save / Cancel]
Step 5: Click Save to save the configuration and return to the DHCP list.
Step 6: Click the icon corresponding to the VLAN representing your LAN network. The DHCP status will be displayed as Running in the list, as shown below. [Figure: DHCP list: 1 VLAN1 N/A None; 2 LAN Server 192.168.0.1 Running; 3 WAN N/A None; 4 DMZ N/A None]
APPLICATION EXAMPLE 2: DHCP RELAY SE...
72. ...AN: 211.192.98.220 / 255.255.255.0; DMZ: 10.1.1.1 / 255.255.255.0.
Static Routes: Destination / Netmask 0.0.0.0 / 0.0.0.0; Gateway 211.192.98.217; Outgoing Interface WAN.
The configuration procedure is as follows:
Step 1: Login to SifoWorks using a read-write administrator account.
Step 2: Configuring Virtual Ports
1. From the left menu bar, select Network > Virtual Port Config.
2. Click Virtual Port Config from the bottom of the virtual port list to view the Virtual Port Edit interface.
3. Using the buttons provided, move FE0 to Virtual Port1, FE1 to Virtual Port2 and all other ports to Virtual Port3.
4. Click Save to save the configuration and return to the Virtual Port list.
Step 3: Configuring VLANs
1. From the left menu bar, select Network > VLAN Setting to display the list of VLANs.
2. Click the icon corresponding to VLAN1 and unselect all data ports from the VLAN.
3. Return to the VLAN list, click Add New VLAN and configure the following: Name: LAN; VLAN ID: 2; Select the port FE0; MTU: 1500; Status: Up.
4. Click Save to save and return to the VLAN list.
5. Repeat steps 2-4 to add two other VLANs for the WAN and DMZ domains. The resulting list of VLANs is shown in the figure below. [Figure: VLAN list with columns VLAN, Port and VLAN Name: ADMIN 0 on MGT0 (N/A); VLAN1 1 on Virtual Port1; ... Virtual Port2; ... Virtual Po...]
73. The configuration procedure is as follows:

Step 1: Collect the corresponding MAC addresses for each of the IP addresses in the range 192.168.1.10 - 192.168.1.60 and record them in a table similar to the one below.

Note: SifoWorks automatically adds all static ARP entries into the IP/MAC binding list and all dynamic ARP entries into the IP/MAC dynamic cache list. You can select to add IP/MAC pairs in the dynamic cache to the IP/MAC binding list. For more information on ARP, please refer to 3.9 Managing the ARP Tables.

IP Address | MAC Address
192.168.1.10 | 00:14:22:B0:7A:9E
192.168.1.11 | 00:1C:C3:44:9D:20
... | ...
192.168.1.60 |

Step 2: Login to SifoWorks via a read/write administrator account.

Step 3: From the left menu bar, select Network > IP/MAC Binding.

Step 4: Configure the IP/MAC binding settings.
1. From the displayed list (IP/MAC Binding Setting tab), click the icon corresponding to the VLAN representing your LAN network.
2. In the interface displayed, select Enable for Source MAC Binding and Block for data packets from Undefined Hosts.

[Figure: IP/MAC Binding Policy Setting: VLAN LAN; Source MAC Binding Enable / Disable; Policy For Undefined Host Allow / Block; Save, Cancel]

3. Click Save to save the settings.

Step 5: Set up the static IP/MAC bindings.
1. Return to the previous interface and se
74. ...D indicator lights.
- What can SifoWorks Do: Introduces the main functions of the SifoWorks firewall.
- System Specifications: Contains information on the various SifoWorks devices' performance and capacity indexes, device dimensions, power supply requirements, operating environment and reliability factor.
For an overall understanding of the SifoWorks firewall, please refer to this chapter.

Chapter 1 Product Overview

1.1 What is SifoWorks
O2Security's new generation firewall product, SifoWorks, is a multi-functional security gateway system equipped with the best data packet handling capability in the industry. SifoWorks also supports various other security mechanisms such as firewall, IPsec VPN, content filtering, etc., providing security on higher network levels and thus enhancing the overall security of users' networks.
The SifoWorks D series family includes the following device models:
- SifoWorks D100
- SifoWorks D200
- SifoWorks D300
The term SifoWorks is used in this document to refer to all the above models.

1.2 SifoWorks Hardware Specifications
1.2.1 Device Box
The figures below show the physical device of each SifoWorks model.

[Figure: SifoWorks D100 front panel, showing data ports FE0 to FE7, the Read/Write LED and the Network LEDs for FE0, FE1, FE2, FE3, ...]
75. ...DIT 211 122 985 220 255 255 255 0

Step 5: Managing Routes

[Figure: static route form: Destination IP 0.0.0.0, Destination Mask 0.0.0.0, Gateway, Outgoing Device, Enable Yes / No]

1. From the left menu bar, select Network > Route Setting to view the system's route list.
2. Click Clear Invalid Route to remove all unused routes from the list.
3. Click Add New Static Route from the bottom of the list.
4. In the Add New Static Route interface that appears, configure the following: Destination IP 0.0.0.0, Destination Mask 0.0.0.0, Gateway 211.192.98.217, Dev WAN.

[Figure: Add New Static Route dialog: Gateway 211.192.98.217, Weight, Dev WAN, Add new gateway]

5. Click Save to save the route and return to the static route list.

3.3 Configuring Network Address Translation
This section explains how to manage source and destination NAT in SifoWorks. Note that your system's basic network configurations should already be properly set up. Please refer to 3.2 Setting up the Basic Network Settings for information on configuring SifoWorks' basic network settings.
Source NAT (SNAT): Performs address translation on the source address of all data packets matching the rule. Source NAT is mainly used for accesses to external networks from internal users.
Destination NAT (DNAT): Performs a
76. ...E phase one algorithm is 3des-md5-modp1536 and the phase two algorithm is esp-3des-md5.

The configuration procedure is as follows:

SifoWorksA (HQ Network)

Step 1: Login to SifoWorks via a read/write administrator account.

Step 2: Enable VPN on SifoWorksA
1. From the left menu bar, select VPN > IPSec Setting.
2. Toggle the VPN module On.
3. Click Save to confirm the setting.

Step 3: Select the outgoing interface for SifoWorksA
1. From the VPN > IPSec Setting interface, click the IPSec Interface IP tab.
2. Select the VLAN WAN as the outgoing interface.
3. Click Save to save the configuration.

Step 4: Adding IKE for SifoWorksA
1. From the left menu bar, select VPN > IKE.
2. From the bottom of the IKE list displayed, click Add New IKE.
3. The Add New IKE interface will be displayed. Configure as follows: IKE Name HQIKE; Remote Gateway Dynamic DNS, Domain www.example.com; NextHop 211.192.98.217.

[Figure: Add New IKE dialog (tabs: New IKE, Phase One Method, Authenticate Method, Phase Two Proposal, Advanced Setting): Local Interface WAN; IKE Name HQIKE; Remote Gateway: Static Gateway IP / Dynamic DNS Domain www.example.com / Dynamic; Remote ID (domain name); NextHop 211.192.98.217; Strict Algori
77. [Figure (continued): Flow control None; Restore Defaults]

Step 3: Enter the user name and password to login to SifoWorks via the hyper terminal. The login user name and password is admin and admin123 respectively.

Step 4: Enter the command get ip ADMIN into the interface. The system will display your system's administrative IP address.

Note: Type the command to view the command line interface's help information.

Chapter 11 Device Deployment Example
This chapter includes the following sections:
- Network Topology and Company Requirements: This section explains the network topology of a typical company used in this example and analyzes the various network requirements, including NAT, filter rules, VPN and IDS, etc.
- Configuration Flowchart: A flowchart showing the configuration procedure that will be detailed in later sections is displayed here.
- Phase 1 Configuring the Basic Network Settings: Explains phase 1 of the configuration procedure, guiding you through the steps to set up SifoWorks' basic network settings.
- Phase 2 Configuring NAT: Explains phase 2 of the configuration procedure, guiding you through the steps to define NAT rules according to the requirements.
- Phase 3 Defining Filter Rules: Explains phase 3 of the configuration procedure, guiding you through the steps to manage the filter rules on the device.
- Phase 4 Configuring VPN: Explains phase 4 of the con
78. 1. From the SNAT tab, click Add New SNAT.
2. In the interface displayed, configure as follows: Virtual Port From VPort1, Virtual Port To VPort2, VLAN From LAN, VLAN To WAN, Single IP 211.192.98.220, Range Port 1025-65535.

[Figure: Add New SNAT dialog: Virtual Port From VPort1, Virtual Port To; Address From / Address To (Custom IP, Netmask, Predefine ALL); Service, Schedule, Action; Translated Address: No Map, Single IP, Range IP, Single Port, Range Port, Sticky, Map List LAN_to_WAN; Save, Cancel]

3. Click Save to save the new SNAT rule and return to the NAT rule list.

Step 4: Add a destination NAT rule
1. Back at the Source NAT tab interface, click the Destination NAT tab.
2. Click Add New NAT Rule. In the interface displayed, configure as follows: Virtual Port From VPort2, VLAN From WAN, Address To 211.192.98.220 255.255.255.255, Service HTTP, Single IP 10.1.1.2, Single Port 80.

[Figure: Add New DNAT dialog: Virtual Port From VPort2, Virtual Port To ALL, VLAN From WAN, VLAN To ALL; Address From (Custom IP, Netmask, Predefine ALL); Address To (Custom IP, Netmask 255.255.255.255, Predefine ALL); Service, Schedule, Action; Translated Address: No Map, Single IP, Range IP, Single Port, Range Port, Sticky, Server Load
79. ...IP / Netmask 192.168.1.10 255.255.255.255; Local Address: Address List 192.168.1.1; Service All; Action To Take: Match.

[Figure: local rule form: Virtual Port From VPort1, VLAN From; Address From: Custom IP / Netmask 255.255.255.255, Predefine; Local Address: Custom / Address List 192.168.1.1; Service, Schedule, Source Mac; Back, Save, Cancel]

Step 6: Click Save to save the local rule.

4.4 Managing Content Filtering Rules
Content filtering rules filter the contents of application data packets. For more explanation on content filtering rules, please refer to 4.1 Overview.
You can define content filtering rules according to your network requirements. Note, however, that content filter rules will only be effective when selected as part of a packet filter rule. 4.2 Managing Filter Rules contains more information on managing filter rules.

CONFIGURATION FLOWCHART
The following flowchart lists the steps to successfully set up content filtering in the SifoWorks system:
Start -> Adding Content Filtering Objects -> Adding Content Filtering Rules -> Applying Content Filtering Rules -> End
Each step is briefly described in the table below.

Operation | Description
Adding Content Filtering Objects | Add the objects to be used in the content filtering rules. This can be URL
80. ...KE Name HQIKE; Remote Gateway Static Gateway IP 202.112.11.222; NextHop 211.192.98.217.

[Figure: Add New IKE dialog (tabs: Phase One Method, Authenticate Method, Phase Two Proposal, Advanced Setting): Local Interface WAN; IKE Name HQIKE; Remote Gateway Static Gateway IP 202.112.11.222; Dynamic DNS Domain; Dynamic; Local ID (domain name); Remote ID (domain name); NextHop 211.192.98.217; Strict Algorithm Match; Next >, Cancel]

4. Click Next > to display the Phase One Method tab. Configure according to the following: Algorithm 3des-md5-modp1536, Exchange main mode.
6. Click Next > to view the Authenticate Method tab. Select PSK and enter 12345678 as the Preshare Key. Re-enter this key in the Retype textbox to confirm.
7. Click Next > to display the Phase Two Proposal tab. Enable Using ESP and select the esp-3des-md5 ESP Algorithm. Also select the Using PFS option.

[Figure: Phase Two Proposal tab: Encapsulation: Using ESP (Algorithm) / Using AH (Algorithm); PFS Group is same as Phase one's; Using PFS, DH Group; < Back, Next >, Cancel]

8. Click Next > to view the Advanced Setting tab. Keep the default configuration for all parameters in this tab and click Save to save this I
81. ...KE record.

Step 5: Add address objects on SifoWorksA
1. From the left menu bar, select Object > Address to display the list of address objects.
2. Click Add New Address and configure as follows: Name Local, IP 192.168.1.0, Netmask 255.255.255.0.
3. Click Save to add the new address object.
4. Back at the address object list, click Add New Address to add another address object with the following configuration: Name Remote, IP 192.168.2.0, Netmask 255.255.255.0.
5. Click Save to save this address object.

Step 6: Add VPN connection on SifoWorksA
1. From the left menu bar, select VPN > VPN Connection to view the list of VPN connections.
2. Click Add New VPN.
3. In the Add New VPN Connection interface, configure as follows: Connection Name HQConnect, Local Subnet Local, Remote Subnet Remote, Using Tunnel, Using IKE HQIKE, State Start.

[Figure: Add New VPN Connection dialog: Connection Name; L2TP; Local Subnet; Remote Subnet; Using tunnel / Using Manual / Using IKE HQIKE; State Start / Stop; Route; Backup Connection, Using IKE; Save, Cancel]

4. Click Save to add this VPN connection to the list.

SifoWorksB (Branch Network)

Step 7: Login to SifoWorksB via a read/write administrator account.

Step 8: Activate VPN on SifoWorksB
1. From the left menu bar, select VPN > IPSec Setting.
2. Toggle
82. ...Max Bandwidth for both virtual ports to 100000.

[Figure: QOS List / QOS Status: QoS State On / Off; for each of the two virtual ports: State On / Off, Max Bandwidth 100000 Kbps; Save, Reset]

3. Click Save to save the setting.

Step 3: Define QoS priority levels for each virtual port
1. Select Advance > QoS Setting from the left menu bar and click the QOS List tab.
2. Click the expand icon corresponding to VPort2 to expand the list to display virtual port 2's priority levels.
3. Click the icon for VPort2's priority level 1. In the interface that displays, enter 60000 and 20000 in the Max Bandwidth and Guaranteed Bandwidth textboxes respectively.
4. Click Save to save the setting and return to the QoS list.
Repeat steps 2-4 to configure the QoS priority level for VPort3. The resulting QoS list should be similar to the figure below.

QOS Status | Max Bandwidth | Guaranteed Bandwidth
VPort1 | |
VPort2 | |
  0 | 0 Kbps | 0 Kbps
  1 | 60000 Kbps | 20000 Kbps
  2 | 0 Kbps | 0 Kbps
  3 | 0 Kbps | 0 Kbps
VPort3 | |
  0 | 0 Kbps | 0 Kbps
  1 | 60000 Kbps | 20000 Kbps
  2 | 0 Kbps | 0 Kbps
  3 | 0 Kbps | 0 Kbps

Step 4: Add a filter rule that applies QoS
From the left menu bar, select Firewall > Filter Rule to add a new filter rule for traffic from WAN to DMZ. Enable th
83. ...New SNAT configuration interface that is displayed, configure as follows: Virtual Port From VPort1, Virtual Port To VPort2, VLAN From LAN, VLAN To WAN, Single IP 211.192.98.220, Range Port 1025-65535.

[Figure: Add New SNAT dialog: Virtual Port From VPort1, Virtual Port To VPort2, VLAN From LAN, VLAN To WAN; Address From Custom IP / Netmask, Predefine ALL; Address To Custom IP / Netmask, Predefine ALL; Service ALL, Schedule none, Action; Translated Address: No Map, Single IP 211.192.98.220, Range IP, Single Port, Range Port 1025 To 65535, Sticky, Map List LAN_to_WAN; Save, Cancel]

3. Click Save to save the SNAT rule.

Step 3: Add destination NAT (DNAT) rule
1. In the NAT list, click the DNAT tab to view the list of destination NAT rules.
2. At the bottom of this list, click Add New DNAT and configure as follows: Virtual Port From VPort2, VLAN From WAN, Address To 211.192.98.220 255.255.255.255, Service HTTP, Single IP 10.1.1.2, Single Port 80.

[Figure: Add New DNAT dialog: Virtu
84. ...P SERVER
As shown in the figure below, SifoWorks provides DHCP services to the LAN network.

[Figure: network topology: Internet; WAN 211.192.98.220; SifoWorks; DMZ 10.1.1.1 (Server Domain, 10.1.1.0/24); LAN Switch with Subnet 1 (LAN switch, 192.168.1.0/24) and Subnet 2 (LAN switch, 192.168.1.0/24)]

In this network:
- The IP address range available for use by the DHCP service is 192.168.1.10 - 192.168.1.100 and 192.168.1.110 - 192.168.1.200.
- The gateway IP address of the LAN domain is 192.168.1.1 / 255.255.255.0.
- The default DHCP lease time is 7 days.
- The maximum DHCP lease time is 100 days.
- The IP addresses of the DNS servers are 192.168.1.3 and 192.168.1.4.
- The IP addresses of the WINS servers are 192.168.1.3 and 192.168.1.4.

The configuration procedure is as follows:

Step 1: Login to SifoWorks using a read/write administrator account.
Step 2: From the left menu bar, select Network > DHCP Setting.
Step 3: Click the icon corresponding to your LAN network's VLAN from the displayed DHCP list.
Step 4: The Configure DHCP interface will be displayed. Configure as follows: DHCP Service Type DHCP Server; Gateway 192.168.1.1; Netmask 255.255.255.0; Default Lease Period 7 days 0 hours 0 minutes; Max Lease Period 100 days 0 hours 0 minutes; DNS Server 1 192.168.1.3; DNS Server 2 192.168.1.4; WINS Server 1 1
85. ...P SYN packets.
Proxy only when detect SYN flood: Only enable SYN Proxy if a SYN flood is detected.

Other Attacks tab

Field Name | Explanation | Configuration
Land Attack | Enable or disable defense against Land attacks. Land attacks refer to the continuous sending of TCP SYN packets from the attacker to the host being attacked. These packets have identical IP source and destination addresses and identical TCP source and destination ports. This causes the attacked host to send reply packets to itself repeatedly, causing it to crash or reboot due to the large traffic load. | How to Configure: Check the checkbox to enable.
ARP Spoof | Enable or disable defense against ARP Spoof attacks. ARP spoof attacks use fake IP and MAC addresses to deceive the ARP mechanism, generating large amounts of ARP packets to choke the network, or achieve a man-in-the-middle position to carry out ARP redirection and sniffer attacks. |
Smurf | Enable or disable defense against Smurf attacks. Smurf attacks combine IP Spoof and ICMP echo reply methods to flood the targeted system with a large amount of network transmissions, causing the system to deny services to other legitimate
86. [Figure (continued): Pre-Shared key; Cancel]

[Figure: SafeNet SoftRemote Security Policy Editor, three views: My Connections > New Connection > My Identity, Security Policy, Authentication (Phase 1) Proposal 1, Key Exchange (Phase 2) Proposal 1, Other Connections; Diffie-Hellman Group 5; Hash Alg, Encapsulation]

Step 3: Activate the IPsec VPN connection
Activate the connection configured in the previous step. If a Success message such as "Successfully connected to My Connections - New Connection" is displayed, the VPN function has been configured correctly. Otherwise, SifoWorks' IPsec VPN function is not working properly. Please check your IPsec VPN client logs at the remote host, or login to SifoWorks to check the related logs generated by the system, to locate the problem and modify the configuration accordingly. If the problem persists, please contact O2Secu
87. ...RVER
As shown in the network topology below, SifoWorks is set up to provide DHCP relay services to the LAN. The IP address of the DHCP server is 10.1.1.3.

[Figure: network topology: Internet; WAN 211.192.98.220; SifoWorks; DMZ 10.1.1.1 (Server Domain, DHCP Server 10.1.1.3, 10.1.1.0/24); LAN switches, 192.168.1.0/24]

The configuration procedure is as follows:

Step 1: Login to SifoWorks using a read/write administrator account.
Step 2: From the left menu bar, select Network > DHCP Setting.
Step 3: Click the icon corresponding to the VLAN representing your LAN network from the displayed DHCP list.
Step 4: The Configure DHCP interface will be displayed. Configure as follows: DHCP Service Type DHCP Relay; DHCP Relay Server 10.1.1.3; Interface DMZ.
Step 5: Click Save to save the configuration and return to the DHCP list.
Step 6: Click the icon corresponding to the VLAN representing your LAN. The DHCP status will be displayed as Running in the list, as shown below.

Index | VLAN Name | DHCP Status | Mode | Gateway / Server | Operation
1 | VLAN1 | N/A | None
2 | LAN | Relay | 10.1.1.3
3 | WAN | N/A | None
4 | DMZ | N/A | None

3.5 Configuring PPPoE Connections
To set up SifoWorks such that the device is able to establish connections with external networks via the PPPoE
88. ...Setting tab. Keep the default configuration for all parameters in this tab and click Save to save this IKE record.

Step 11: Add address objects on SifoWorksB
1. From the left menu bar, select Object > Address to display the list of address objects.
2. Click Add New Address and configure as follows: Name Local, IP 192.168.2.0, Netmask 255.255.255.0.
3. Click Save to add the new address object.
4. Back at the address object list, click Add New Address to add another address object with the following configuration: Name Remote, IP 192.168.1.0, Netmask 255.255.255.0.
5. Click Save to save this address object.

Step 12: Add VPN connection on SifoWorksB
1. From the left menu bar, select VPN > VPN Connection to view the list of VPN connections.
2. Click Add New VPN.
3. In the Add New VPN Connection interface, configure as follows: Connection Name BranchConnect, Local Subnet Local, Remote Subnet Remote, Using Tunnel, Using IKE BranchIKE, State Start.

[Figure: Add New VPN Connection dialog: Connection Name BranchConnect; L2TP; Local Subnet; Remote Subnet; Using tunnel / Using Manual / Using IKE BranchIKE; State Start / Stop; Route; Backup Connection, Using IKE; Save, Cancel]

4. Click
89. ...SifoWorks' DHCP Client function will not be effective for this VLAN. Hence the VLAN cannot be dynamically assigned with an IP address.
Note: For details on DNS and DHCP, please refer to 3.6 Specifying DNS Servers and 3.4 Setting up DHCP Service respectively.
You can assign VLAN IPs manually or dynamically under HA mode. For details on HA, please refer to 7.4 Activating High Availability.

Working Mode
SifoWorks supports 3 working modes, including transparent mode, route mode and hybrid mode. When two data ports assigned to different virtual ports belong to the same VLAN, these two ports are operating in transparent mode. When two data ports are assigned to different VLANs, these ports operate in route mode.
- The system is running in transparent mode if all its data ports are operating in transparent mode.
- The system is running in route mode if all its data ports are operating in route mode.
- If a portion of the system's data ports are running in route mode while another group of ports are running in transparent mode, the system is operating in hybrid mode.

Access Mode and Trunk Mode
This refers to a VLAN's working mode. Under access mode, the same data port can only be assigned to a single VLAN. Under trunk mode, the same data port can be assigned to multiple VLANs.

Static Routes and Poli
90. [Flowchart: Start -> Master: Set up Admin IP -> Configuring Basic Network Settings -> Configuring HA Settings; Slave: Set up Admin IP -> Configuring HA Settings; Connect Network Cables; Master: Activate HA; Slave: Activate HA -> End]

The above flowchart is briefly explained in the table below.

Device | Operation | Description
Master | Set up Admin IP | Specify the administrative IP address of the master SifoWorks device.
Master | Configuring Basic Network Settings | Set up the virtual port, VLAN, IP address and route configurations necessary to connect SifoWorks to your network. Please refer to 3.2 Setting up the Basic Network Settings for details on configuring the device's basic network settings. Note that under HA, both static and dynamic IP address configuration for VLANs are supported.
Master | Configuring HA Settings | Configure HA related parameters, including local IP, neighbor IP, keepalive, heartbeat and HA timeout, etc.
Slave | Set up Admin IP | Specify the administrative IP address of the slave SifoWorks device.
Slave | Configuring HA Settings | Configure HA related parameters, including local IP, neighbor IP, keepalive, heartbeat and HA timeout, etc.
Master & Slave | Connect Network Cables | Connect a data cable and a heartbeat monitoring cable between the master and slave devices and connect the devices to t
91. ...TO and the power LED on the device's front panel for at least 10 seconds using a thin wire. You can only execute the password recovery operation if you have enabled this function (the Enabled Password Recover option) from the System > Common Setting interface. If you have forgotten the device's administrative IP address, please refer to Configuration Procedure: Retrieving Administrative IP Via Serial Port for information on retrieving this IP.
From the left menu bar, select System > Common Settings. Click the Advanced Options tab on the displayed interface. Here, click the Restore to Default button to restore your system's configurations.

CONFIGURATION PROCEDURE: RETRIEVING ADMINISTRATIVE IP VIA SERIAL PORT
The following steps help you to retrieve your system's administrative IP address by connecting a PC directly to the device's management serial port.

Step 1: Using an RS-232 serial cable, connect SifoWorks' management serial port to your administrative PC's COM port.

Step 2: On the administrative PC, activate a hyper terminal program and establish a connection to SifoWorks with the following configurations: Bits per second 9600, Data bits 8, Parity None, Stop bits 1.

[Figure: COM1 Properties, Port Settings: Bits per second 9600, Data bits 8, Parity None, Stop bits 1
92. - To define local rules used to control access to the SifoWorks system via data ports. These rules restrict administrative accesses to the firewall.
- To add source or destination NAT rules translating source or destination addresses of specific data packets. To apply maplist objects to source NAT rules, or server load balancing objects in destination NAT rules, you must create the corresponding objects from the Object > MapList or Object > Server Load Balancing interfaces first.
- To manage a list of content filtering rules set up according to the company requirements, filtering data on the application layer that are allowed to pass through SifoWorks.

Menu: IDP (Network Variables, Rule Group Control, User Defined Rules, Rule Upgrade, Upgrade Setting, Preprocessors, IDP Control)
- Network Variables: To differentiate between internal and external networks.
- Rule Group Control: To enable/disable all rules or a subset of rules within each IDP rule group. You can also modify the attributes of each rule.
- User Defined Rules: To define IDP rules customized according to your company's needs.
- Rule Upgrade: To upgrade the set of IDP rules.
- Upgrade Setting: To configure the system such that it is able to perform IDP rule upgrade operations. The system automatically downloads the upgrade file from an O2Security server. You can set up an email address before executing a rule upgrade. Any alert messages generated due to an upgrade failure can then be sent to this email address.
- Preprocessors: To enable an
93. ...Upgrading
Click Browse and select the update file to be imported. Click Save to begin importing the file to update the system's IRP function.
From the left menu bar, select System > Common Setting. Click to display the Advanced Options tab. Click the Reboot System button to restart the SifoWorks device.

Chapter 8 Log Management
This chapter includes the following sections:
- Overview: Introduces SifoWorks' log management function, briefly explaining the various log levels, log types and the log storage methods.
- Managing Log Servers: Details how to set up remote log servers (up to 4 remote servers) and limit the number of log records that can be generated per second.
- Configuring Log Attributes: Explains the configuration of various log attributes, including the maximum number of logs to store for each log type, the log deletion policy, whether to log DNS and ICMP requests, and whether to log packets that did not match any filter rule.
- Exporting Log: Introduces the log export function to backup logs to FTP servers.
- Customizing Log Filter Criteria and Log Format: Describes how to customize the filter criteria and format of logs that are stored locally (LocalDB), remotely (Server 1 - Server 4), sent in emails (Email Alert) or exported to a FTP server (Export).
- Setting up Email Alerts: Explains how to enable SifoWorks' log email alert function, sending specific logs to an
94. ...VPN User Groups | To manage PPTP VPN connection users using group objects, for configuration convenience.
Adding IP Pool | To define a pool of IP addresses for PPTP VPN connections. This prevents accesses to the network via PPTP VPN from illegal users.
Configuring PPTP VPN Access | N/A

CONFIGURATION PROCEDURE

Step 1: Add VPN users
1. From the left menu bar, select System > Auth User to view the list of authentication users.
2. Click Add New Auth User from the bottom of this list.
3. In the displayed interface, enter the user's User Name and Password.
4. Select PPTP for the User Attribute parameter.
5. Click Save to save the new authentication user.
Repeat steps 2-5 to add other authentication users.

Step 2: Add VPN user groups
1. From the left menu bar, select System > Auth Group.
2. At the bottom of this list, click Add New Auth User Group.
3. Here, enter the authentication group Name. Select PPTP for Attribute. In Auth Group, select the users from the Available Users list and click the arrow button to add them to this group.
4. Click Save to save the authentication group.

Step 3: Add IP pool
1. From the left menu bar, select Object > IP Pool.
2. Click Add New IP Pool from the bottom of the IP Pool Object list.
3. Enter the Name of the IP pool object and specify the IP range in the IP From and IP To textboxes.
4. Click Save to save the new IP pool object.
95. ...a OTP.
The configuration procedure is as follows:

Step 1: Login to the system via the admin account.
Step 2: From the left menu column, select System > Admin Setting to view the list of administrator accounts.
Step 3: Click Add New AdminUser.
Step 4: From the Add New AdminUser interface displayed, enter the following information: User Name adminll; Auth Server Local; Password and Confirm Password 12345678; Level readwrite; select Active and Enable OTP.

[Figure: Add New AdminUser dialog: User Name (Max 31 Characters), Auth Server, Password, Confirm Password, Level readwrite, Active, Enable OTP]

Step 5: Click Save to save the new administrator account.

UI PARAMETER REFERENCE
The tables below explain the configuration parameters found in the System > Admin Setting interface.

Add New AdminUser / Add New Auditor

Field Name | Explanation | Configuration
User Name | Name of the administrator account. | How to Configure: Enter the character string in the textbox. Range: String of characters of length between 1-31.
Auth Server | The authentication server used to authenticate this administrator. You can add authentication servers from the System > Auth Server interface. Select LOCAL to authenticate this user locally. |
Password / Confirm Password | Account password. | E
96. ...ad of having to re-arrange the physical cable connections.
SifoWorks identifies the incoming and outgoing interfaces of a filter rule using virtual ports and VLANs. Hence VLANs can be simplified to be used by SifoWorks to separate network domains of differing security attributes. A VLAN should be added for each of these domains. Each VLAN is then assigned to one or more physical SifoWorks data ports. For example, the network domain where the company's employees are located should be assigned to 1 VLAN (LAN), assigned with the physical ports FE0 and FE1. The domain where the company's servers, such as Web server, mail server, etc., are located is assigned to another VLAN (DMZ), assigned with FE2. A third VLAN (WAN) with data port FE3 is used to identify external networks.

IP, Route and DHCP
According to the actual network environment, you should add IP addresses to each VLAN and set up SifoWorks to provide DHCP service or DHCP relay service for each VLAN. You should also add the necessary static routes and policy routes, if any, for your network.
VLAN IP addresses can be manually added via the system's UI. You can also set up SifoWorks to dynamically assign IP address, gateway and DNS server address information via DHCP. You must enable SifoWorks' DHCP Client function for the specific VLAN to dynamically assign IP addresses to
97. ...aise the system's performance. You should refer to this chapter when you want to perform operations related to the configuration of various system settings.

Chapter 9 System Settings
This series of operations guides you through setting up SifoWorks' normal operating environment. This includes managing administrator accounts, basic system configurations, managing configuration files, upgrading system software, configuring timeout, etc.

9.2 Managing Administrator Accounts
This function allows you to add, edit or delete administrators. You can also set up attributes such as the number of allowed login retries and the lock duration for each account.
The system default administrator (Root User) account is admin with password admin123. This account can access all system functions and cannot be deleted. All user-defined administrator accounts can be authorized to access different system functions according to their assigned authority level. Two types of administrators can be added:
- Normal Administrators: These administrators are able to view and manage most of the system's functions, including network settings, firewall rules, VPN, IDP, log and report, etc. Normal administrators are not able to modify other administrator accounts, upgrade system software or import configuration files. These functions are only accessible by the default admin account.
98. al Port From: VPort2; Virtual Port To; VLAN From: WAN; VLAN To; Address From: Custom IP / Netmask, Predefine ALL; Address To: Custom IP 211.192.98.220, Netmask 255.255.255.255, Predefine ALL; Service: HTTP; Schedule: none; Action; Translated Address: No Map / Single IP 10 14 42 / Range IP To / Single Port 80 / Range Port To; Sticky; Server Load Balance; Test (Add DNAT rule form, fields as captured).
3. Click Save to save the DNAT rule.

11.4.2 Testing the Configuration. If SifoWorks is connected to the network, that is, network cables have already been connected between FE0, FE1 and FE2 and the networks, and an Accept All filter rule has been added, hosts in the LAN domain will be able to access the external network using masked addresses. External users will also be able to access the web server in the DMZ domain via the address http://211.192.98.220. Otherwise you will not be able to perform any tests to check the configurations made during this phase at this point. Please continue to the next configuration phase below.

11.5 Phase 3: Defining Filter Rules. 11.5.1 Con
99. al port where QoS is enabled. A virtual port's maximum bandwidth restriction is immediately effective even if QoS is not applied on any filter rule.

QoS Priority Levels. Each virtual port includes 4 QoS priority levels (0-3), each configured with a guaranteed and a maximum bandwidth. A different QoS priority level for the incoming and outgoing interfaces can be selected when applying QoS to a filter rule, imposing separate bandwidth limitations on the two interfaces. A non-zero maximum and guaranteed bandwidth configuration for QoS level 0 is taken to be the default values for the corresponding virtual port; this configuration is effective even if QoS is not applied to a filter rule. The maximum bandwidth for any QoS level cannot be higher than the maximum bandwidth of the virtual port, and the maximum bandwidth configured for QoS levels 1-3 cannot be higher than that for level 0.

CONFIGURATION FLOWCHART. The flowchart below illustrates the procedure to set up the SifoWorks QoS service: Enable QoS State -> Configure the Maximum Bandwidth -> Define QoS Priority -> Applying QoS in Filter Rules -> End. Each of the above operations is introduced in the table below. Operation: Enable QoS State; Configure the Maximum Bandwidth; Define QoS Priorit
100. and Load Balancing. Using its routing function (1.3.7 Routing Capability), SifoWorks is able to support multi-gateway access. This in turn equips SifoWorks with the capability of achieving load balancing between multiple connections and servers. As the system establishes independent tunnels for IPsec VPN, it provides security and redundancy for connections between the company's branch networks without compromising the firewall's performance. This ensures that information can be transmitted securely within the company. SifoWorks is also able to balance traffic load among multiple servers via DNAT (Destination Network Address Translation) rules. For example, multiple Web servers are set up to provide services externally at the same time; using a round robin or priority weight system, SifoWorks can distribute traffic among these servers. A Sticky option is also available in SifoWorks, ensuring that requests from the same host are processed by the same server.
- Round robin: External connection requests will be assigned to the servers in a round robin manner. If Sticky is enabled, the system will establish a relationship between source and destination addresses using the hash algorithm; the connection is then assigned to the next available server.
- Priority weight: All servers are assigned with a priority weight value. External connection requests are then distributed to the servers according to their priority. Servers w
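The three distribution behaviours described above (round robin, priority weight, and the Sticky relationship between source and destination addresses) can be modelled in a few dozen lines. The following is an added example, not SifoWorks code: the class `DnatLoadBalancer`, the server addresses, the SHA-256 flow key used for Sticky, and the reading of "priority weight" as proportional slots per cycle are all assumptions made for the illustration; the `down` set models a server that is no longer available so that the "next available server" rule can be observed.

```python
import hashlib


class DnatLoadBalancer:
    """Model of a DNAT server-load-balance object (hypothetical; not SifoWorks code).

    servers: dict mapping server IP -> priority weight. In "round_robin" mode
    every server gets one slot per cycle; in "priority" mode a server gets as
    many slots per cycle as its weight, so traffic is shared in proportion to
    the weights (this proportional reading of "priority weight" is an assumption).
    """

    def __init__(self, servers, mode="round_robin", sticky=False):
        if mode not in ("round_robin", "priority"):
            raise ValueError("mode must be 'round_robin' or 'priority'")
        if not servers:
            raise ValueError("at least one server is required")
        self.mode = mode
        self.sticky = sticky
        self.down = set()            # servers currently marked unavailable
        self.sticky_table = {}       # flow key -> server IP
        self._cursor = 0
        self._schedule = []
        for ip, weight in servers.items():
            slots = weight if mode == "priority" else 1
            self._schedule.extend([ip] * max(int(slots), 0))
        if not self._schedule:
            raise ValueError("no server has a positive weight")

    def _next_available(self):
        """Advance the cycle and return the next server that is not down."""
        n = len(self._schedule)
        for _ in range(n):
            ip = self._schedule[self._cursor % n]
            self._cursor += 1
            if ip not in self.down:
                return ip
        raise RuntimeError("all servers are down")

    @staticmethod
    def _flow_key(src_ip, dst_ip):
        # The page only says Sticky relates source and destination addresses
        # with "the hash algorithm"; hashing both with SHA-256 is an assumption.
        return hashlib.sha256(f"{src_ip}->{dst_ip}".encode()).hexdigest()

    def select(self, src_ip, dst_ip):
        """Return the server IP that a new connection src_ip -> dst_ip is mapped to."""
        if not self.sticky:
            return self._next_available()
        key = self._flow_key(src_ip, dst_ip)
        server = self.sticky_table.get(key)
        if server is None or server in self.down:
            # first time this flow is seen (or its server failed): take the
            # next available server and remember the mapping
            server = self._next_available()
            self.sticky_table[key] = server
        return server


def distribution(balancer, src_ips, dst_ip="211.192.98.220"):
    """Count how many of the given client connections land on each server."""
    counts = {}
    for src in src_ips:
        server = balancer.select(src, dst_ip)
        counts[server] = counts.get(server, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed sample: DMZ web servers behind the public address 211.192.98.220
    clients = [f"203.0.113.{i}" for i in range(1, 7)]
    rr = DnatLoadBalancer({"10.1.1.11": 1, "10.1.1.12": 1, "10.1.1.13": 1})
    print("round robin:", distribution(rr, clients))

    weighted = DnatLoadBalancer({"10.1.1.11": 3, "10.1.1.12": 1}, mode="priority")
    print("priority weight:", distribution(weighted, clients + clients))

    sticky = DnatLoadBalancer({"10.1.1.11": 1, "10.1.1.12": 1}, sticky=True)
    print("same client twice:", sticky.select("198.51.100.7", "211.192.98.220"),
          sticky.select("198.51.100.7", "211.192.98.220"))
```

Running the module shows the three clients spread evenly under round robin, a 3:1 split under priority weight, and the same server returned for repeated connections from one client when Sticky is on; marking that server down in `down` makes the next connection from the same client fail over to the next available server and re-records the mapping.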
101. ange 1-100s. Bind IP: IP address of the SifoWorks data port. This allows the network management system to correctly identify the packet source even if packets have been processed via NAT. How to Configure: Enter the value in the textbox.

9.7 Configuring Timeout Values. Configuring the various timeout values helps to raise system performance. SifoWorks is configured with a series of default timeout values determined by studying the actual network requirements of most networks. Generally we do not recommend modifying any timeout value; you may wish to contact O2Security's technical assistance personnel if you want to modify these values.

CONFIGURATION PROCEDURE. Step 1: Log in to SifoWorks via a read-write administrator account. Step 2: From the left menu bar, select System > Timeout Setting. Step 3: Modify the settings in the Timeout Setting and/or Aggressive Aging Settings tabs accordingly. Step 4: Click Save to save your configurations. A success message should be displayed.

UI PARAMETER REFERENCE. The table below explains the parameters found in this two-tabbed interface. Timeout Setting tab (Field Name / Explanation / Configuration):
- Generic Timeout: Timeout value for all protocols other than ICMP, TCP and UDP. How to Configure: Enter the value in the textbox. Range: 500s.
- ICMP Timeout: Timeout for all ICMP
102. ations, including timeouts for ICMP, TCP and UDP connections, etc.
- Registration Server: Specify the server where a network management system will automatically discover this device for management. You must first enable and configure SNMP Setting for this function to operate properly.
- Auth Server: To configure external authentication servers, customize the authentication interface and related security settings. Other than the default local authentication method, SifoWorks also supports the use of RADIUS, LDAP and AD authentication servers to authenticate users.
- Auth Address: Manage the address range of authentication users and the authentication server associated with each range. A user will only be authenticated by the authentication server if his IP address is within the associated address range.
- Auth User: Manage the list of authentication users. You can define three types of authentication users: filter rule, L2TP and PPTP.
- Auth Group: To manage authentication users using groups.
- VPN Wizard: A step-by-step wizard to set up a basic point-to-point IPsec VPN connection.
- Filter Rule Wizard: A step-by-step wizard to add a filter rule.
- Session: To view session information, including source IP, destination IP, protocol, established time, etc., for each session. You can also manually terminate selected sessions from this interface.
O
103. ave the setting.
Step 2: Add VPN users. 1. From the left menu bar, select System > Auth User to view the list of authentication users. 2. Click Add New Auth User at the bottom of this list. 3. In the displayed interface, enter the user's User Name and Password. Select L2TP for the User Attribute parameter. Click Save to save the new authentication user. Repeat steps 2-5 to add other authentication users.
Step 3: Add VPN user groups. 1. From the left menu bar, select System > Auth Group. 2. At the bottom of this list, click Add New Auth User Group. 3. Here, enter the authentication group Name. Select L2TP for Attribute. In Auth Group, select users from the Available Users list and click the > button to assign them to this group. 4. Click Save to save the authentication group.
Step 4: Add IP pool. 1. From the left menu bar, select Object > IP Pool. 2. Click Add New IP Pool at the bottom of the IP Pool Object list. 3. Enter the Name of the IP pool object and specify the IP range in the IP From and IP To textboxes. 4. Click Save to save the new IP pool object.
Step 5: Add IKE. Add the IKE needed to establish L2TP VPN connections. Please disable the Strict Algorithm Match option when adding the IKE. You can refer to 6.2 Confi
104. cation Priv Protocol: Only available if SNMP v3 and the AuthPriv Security Level is selected. Uses DES by default; this value cannot be modified. Priv Password / Retype: Only available if SNMP v3 and the AuthPriv Security Level is selected. This is the encryption key used by the privacy protocol. How to Configure: Enter the value in the textbox. Range: String of 8-15 characters.

System > SNMP Trap > Add New SNMP Trap (Field Name / Explanation / Configuration):
- Version: SNMP protocol version.
- Host IP: IP address of the Trap recipient.
- Host Port: Port number of the Trap recipient.
- Local IP: This refers to the bind IP, or the IP address of the SNMP Trap sender. This address is included in the Trap packet to allow recipients to obtain the source IP address of the Trap sender even if the packets were processed via NAT.
- Community: Community name used for authentication. Only available if SNMP v2c is selected.
- Type: There are two types of SNMP traps. trap: asynchronous transmission of SNMP Trap packets; the reliability of the packets cannot be guaranteed. inform: synchronous transmission of SNMP Trap packets; the system will wait for a response from the receiving host after transmitting the packet.
Configuration, How to Configure: Select the version using ra
105. ccessful login, the SifoWorks administrative UI will be displayed. (System Status screen as captured: Recent Alarms; Port Status with FE ports shown as Unlinked; Device Information: Hardware Version SifoWorks D-300, Firmware Version 3.04.17, Serial Number D300 CHN 00 2000000 1 0000025 OW900238; System Status: Policy, Memory, Up Time 0 Days 0 Hours 7 Minutes 10 Seconds, System Time 2008-09-17 10:09:50 GMT, Time Zone CST; manual Refresh.) The SifoWorks web UI includes 3 areas:
- Toolbar: The toolbar is located at the top right corner of the interface and includes several buttons: opens a new window displaying the system's online help; opens a new window loading O2Security's home page (http://www.o2security.com); opens a new window loading the authentication website http://www.us-cert.gov; navigates to the System Configuration interface to select the UI's display language; logs out of the SifoWorks system.
- Menu Bar: The leftmost column of this interface is the menu bar. You can navigate to the configuration and monitoring interfaces of the various system functions by selecting the corresponding menu options. The tables later in this section briefly explain each option.
106. cluding \n, please use \n.
- (pattern): Matches pattern. All results can be obtained from the generated Matches set; VBScript uses the SubMatches set, while Visual Basic Scripting Edition uses the $0-$9 attributes. To match the brackets themselves, please use \( and \).
- A|B: Matches A or B. For example, z|food matches either z or food; (z|f)ood will match either zood or food.
- [xyz]: Matches any string containing 1 or more characters from the character set. For example, [abc] will match plain since it contains the character a.
- [a-z]: Matches any string containing 1 or more characters from this range of characters.
- \xN: N is a hexadecimal value for the character. For example, \x41 will match A, while \x041 is equivalent to \x04 followed by 1. ASCII values of characters can be used.

Chapter 5 Intrusion Detection and Prevention. This chapter includes the following:
- Overview: Briefly introduces the SifoWorks Intrusion Detection and Prevention (IDP) module.
- Configuring and Enabling IDP: Detailed explanation on how to configure and enable IDP.
- Upgrade IDP Rules: Describes how to upgrade the IDP rule set to the latest version.
Please read this chapter when setting up or modifying the system's IDP function.
107. cognized Protocol option to control illegal data flows. If the rule action is Accept, you can apply content filtering rules to the filter rule to filter the contents of the data packets. If the rule action is Accept, you can enable QoS to limit the maximum and guaranteed bandwidth available for the incoming and outgoing interfaces. If the rule action is Accept, you can specify the maximum number of concurrent sessions allowed and limit the number of connections allowed per host or network domain.
- Select a schedule to specify the time period during which the rule is effective.
Configure the IPsec VPN, PPTP VPN and/or L2TP VPN settings to allow remote users to establish VPN connections with SifoWorks. Configure SifoWorks' own IDS service, or connect the device to a third-party IDS device to provide this service. Reference: 6.2 Configuring IPsec VPN Connections; 6.3 Configuring PPTP VPN Connections; 6.4 Configuring L2TP VPN Connections; 7.5 Configuring IDS Services. Note: Detailed explanation of each of the above device functions can be found in the Overview section of the corresponding chapter or in the function's own section in this manual.

Chapter 3 Network Configuration. This chapter includes the following sections: Overview: Brief introduction on the various network configuration operations. Setting up the Basic Netwo
108. configured using a hyper terminal program. Please configure as follows when establishing a connection via hyper terminal: Bits per second 9600, Data bits 8, Parity None, Stop bits 1.

1.2.3 Device LED (LED / Status / Explanation):
- Power LED: On, the device is receiving power from the source normally. Off, the device is off or not receiving power from the source normally.
- Read/Write LED: Flickering, the device is currently performing read/write operations. Off, the device is not performing any read/write operations.
- Network Port LED: On, the corresponding network port (FE0-FE7) is connected to a network. Flickering, data is being transmitted via the corresponding network port (FE0-FE7). Off, the corresponding network port (FE0-FE7) is not connected to a network.

1.3 What can SifoWorks Do. The main functions provided by SifoWorks are listed in the table below. Each function is described in detail in the following sections (Function / Description):
- Status-based access control: Status-based access control realized via the security chip embedded within SifoWorks.
- Dynamic port analysis: SifoWorks uses a Helper module on the application layer to perform dynamic port analysis. The module supports various application layer protocols, including RTSP, H.323, FTP, PPTP, etc.
- Internal address masking capability via NAT and PAT: Using NAT and PAT techniques, SifoWorks
109. confirm.
6. Click Next > to display the Phase Two Proposal tab. Enable Using ESP and select the esp-3des-md5 ESP Algorithm. Also select the Using PFS option. (Phase Two Proposal tab as captured, alongside the Authenticate Method tab: Encapsulation: Using ESP Algorithm / Using AH Algorithm; PFS Group is same as Phase one's; Using PFS; DH Group; < Back, Next >, Cancel.)
7. Click Next > to view the Advanced Setting tab. Keep the default configuration for all parameters in this tab and click Save to save this IKE record.
Step 11: Add address objects on SifoWorksB. 1. From the left menu bar, select Object > Address to display the list of address objects. 2. Click Add New Address and configure as follows: Name Local, IP 192.168.2.0, Netmask 255.255.255.0. Click Save to add the new address object. 3. Back at the address object list, click Add New Address to add another address object with the following configuration: Name Remote, IP 192.168.1.0, Netmask 255.255.255.0. Click Save to save this address object.
Step 12: Add VPN connection on SifoWorksB. 1. From the left menu bar, select VPN > VPN Connection to view the list of VPN connections. Click Add New VPN. In the Add New VPN Co
110. cy Routes. The system supports both static routes and policy routes, with policy routes giving greater flexibility over routing control. The system prioritizes policy routes.

CONFIGURATION FLOWCHART. The steps to set up the system's basic network settings are shown in the flowchart below: Configuring Virtual Ports -> Configuring VLANs -> Setting up IP Addresses -> Managing Routes -> End. Each step is briefly described in the table below (Operation / Description):
- Configuring Virtual Ports: Assigning the data ports to the virtual ports.
- Configuring VLANs: Add VLANs and assign data ports to VLANs.
- Setting up IP Addresses: Configuring the IP addresses of each VLAN. These can be static IPs added manually or dynamic IPs obtained from a DHCP server.
- Managing Routes: Adding route information into the system.

APPLICATION EXAMPLE 1: TRANSPARENT MODE. A company uses private IP addresses within its internal networks, connecting to external networks via a layer 3 switch and a router. The external IP address is 210.192.98.220. For the security of the network and to manage network performance, the company deploys SifoWorks between the layer 3 switch and the router. T
111. d Email interface, configure: Name myMail, Description sina sohu 163, Email sina.com. (Add Email form as captured: Name, Description, Email List with columns Email / Pattern / Operation, File List with columns File Name / Pattern / Operation, Email, Pattern: Wildcards / Regular Expression.) 5. Click Save. This email domain will be added to the Email List. 6. Repeat steps 5-6 to add the remaining two email domains: sohu.com, 163.com. (Resulting email object as captured: Name sina sohu 163; Email List: sina.com Wildcards, sohu.com Wildcards, 163.com Wildcards; File List: File Name / Pattern / Operation; Pattern: Wildcards / Regular Expression; Save, Return.) 7. Click Return to save this email object and return to the email content filtering object list.
Step 3: Add a mail content filtering rule. (Rule fields as captured: Name forbid_popular; Prohibited SMTP Server; Prohibited Sender myMail; Sender White List NONE; Prohibited Receiver NONE; Receiver White List NONE; Prohibited Subject NONE; Prohibited Keyword NONE; Prohibited Attached File Name NONE; Max Receiver Number; Email Size (Bytes); Description forbid mail from sina sohu 163.) 1. From the left menu tree, select Firewall > Content Filtering. Click t
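The email object above holds a list of entries, each with a Pattern mode of Wildcards or Regular Expression, and the rule then applies the object as Prohibited Sender with an optional Sender White List. The following is an added example, not code from the product or the manual: it models that evaluation in Python. The class names, the decision that a white-list match overrides a prohibition, and the reading that a domain-only entry such as sina.com is matched against the part of the address after the @ sign are all assumptions; the regex entry for mail\d+.163.com and the `partners` white list are constructed for the illustration.

```python
import fnmatch
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class EmailPattern:
    """One entry of an email content-filtering object: a pattern plus its mode."""
    pattern: str
    mode: str = "wildcard"          # "wildcard" or "regex", as in the Add Email form

    def regex(self):
        if self.mode == "wildcard":
            # fnmatch.translate turns "*.sina.com" into an anchored regex
            return re.compile(fnmatch.translate(self.pattern), re.IGNORECASE)
        if self.mode == "regex":
            return re.compile(self.pattern, re.IGNORECASE)
        raise ValueError(f"unknown pattern mode: {self.mode}")


@dataclass
class EmailObject:
    """Email content-filtering object (such as myMail) holding an Email List."""
    name: str
    entries: List[EmailPattern] = field(default_factory=list)

    def matches(self, address):
        """True if any entry matches the whole address or its domain part.

        Matching a bare domain entry (sina.com) against the part after '@' is
        an assumption about how the product applies domain-only entries.
        """
        address = address.strip().lower()
        domain = address.rsplit("@", 1)[-1]
        for entry in self.entries:
            rx = entry.regex()
            if rx.fullmatch(address) or rx.fullmatch(domain):
                return True
        return False


@dataclass
class MailFilterRule:
    """Subset of the mail content-filtering rule fields shown on the page."""
    name: str
    prohibited_sender: Optional[EmailObject] = None
    sender_white_list: Optional[EmailObject] = None

    def evaluate(self, sender):
        """Return ("accept"|"block", reason). The white list wins over the prohibition."""
        if self.sender_white_list and self.sender_white_list.matches(sender):
            return "accept", f"sender white list {self.sender_white_list.name}"
        if self.prohibited_sender and self.prohibited_sender.matches(sender):
            return "block", f"prohibited sender {self.prohibited_sender.name}"
        return "accept", "no rule matched"


def build_example_rule():
    """Constructed rule mirroring forbid_popular: block sina.com, sohu.com, 163.com."""
    my_mail = EmailObject("myMail", [
        EmailPattern("sina.com"),
        EmailPattern("sohu.com"),
        EmailPattern("163.com"),
        # hypothetical regex entry catching sub-domains such as mail3.163.com
        EmailPattern(r".*@mail\d+\.163\.com", mode="regex"),
    ])
    # hypothetical white list so one partner address at a blocked domain gets through
    partners = EmailObject("partners", [EmailPattern("partner@sohu.com")])
    return MailFilterRule("forbid_popular", prohibited_sender=my_mail,
                          sender_white_list=partners)


if __name__ == "__main__":
    rule = build_example_rule()
    # constructed sender addresses
    for sender in ["alice@sina.com", "bob@example.org",
                   "partner@sohu.com", "news@mail3.163.com"]:
        print(sender, "->", rule.evaluate(sender))
```

Wildcard entries are compiled with `fnmatch.translate`, so a literal dot in sina.com is escaped and `*` becomes `.*`; regex entries are used as written. Both are evaluated with `fullmatch`, so a pattern has to cover the whole address or the whole domain, which keeps a short entry like 163.com from matching unrelated addresses that merely contain that substring.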
112. d is able to mask the internal network structure and addresses. Users can define SNAT, DNAT and double NAT rules. SifoWorks selects the port using an optimization algorithm, raising the utilization of ports and IP addresses.
- Intelligent Protocol Recognition: Intelligent protocol recognition effectively identifies and controls applications that attempt to communicate with the network via a non-standard port. For example, the function can prevent services using a protocol other than HTTP from connecting to the network over port 80, controlling downloads using P2P clients, IM messaging, etc.
- DoS/DDoS defense: SifoWorks defends the network against DoS/DDoS attacks by using the SYN cookie mechanism to perform authentication for TCP-based applications; for applications based on other protocols, SifoWorks uses a mechanism based on the source IP address.
- Content filter: SifoWorks supports the filtering of data on the application layer for the HTTP, email and FTP protocols.
- Rich routing capabilities: SifoWorks provides rich routing capabilities, including layer 3 route forwarding, support for multi-gateway routing, and ensuring the continuity of data packets using route mirroring technology.
- High-performance VPN engine: SifoWorks provides a high-performance VPN engine supporting IPsec VPN, PPTP and L2TP.
- Multi-gateway access and
113. d level for ease of management. The system categorizes all logs using a total of 8 log levels and 4 log types.
Log Levels. The system log levels are listed below in ascending order of importance: Debug, Info, Notice, Warn, Error, Critical, Alert, Emerg.
Log Types:
- Admin Log: Records administrative operations performed on the SifoWorks system. This includes changes to the network configuration, adding of objects, etc.
- System Log: Log records related to system operation status, such as enabling a function module, HA device swap, etc.
- Security Log: All logs related to attacks on the network detected by SifoWorks, such as attacks detected by the IDP module, etc.
- Traffic Log: Logs all packets transmitted through SifoWorks, such as a connection establishment, data packets allowed to pass through the firewall, etc.

8.2 Managing Log Servers. This section explains how to set up connections to up to 4 remote log servers (Server1-Server4) for the SifoWorks system. You can also control log traffic, specifying the maximum number of logs that can be stored per second.
CONFIGURATION PROCEDURE. Step 1: Log in to SifoWorks via a read-write administrator account. Step 2: From the left menu column, select Log > Log Server. Step 3: (Optional) Enable log traffic control. 1. From the Throughpu
114. d locally. This is used if only a subset of the users on the external authentication server must be authenticated. To add these users, navigate to the System > Auth User > Add New Auth User interface. Enter the user name and select the corresponding authentication server. You need not enter password information for these users.
SifoWorks processes filter rules assigned with authentication users in two phases:
- Authentication phase: The user enters his authentication information in the authentication interface. Upon successful authentication, the user will be listed in the Online User list.
- Authorization phase: The system matches the online user information with filter rules to assign user authorization. If authentication is required for both source and destination addresses, that is, Authentication is selected for both the Address To and Address From parameters, both users (the source and destination hosts) must be authenticated before the packet will match the filter rule.
Related Tasks. Operations related to filter rules include: 4.4 Managing Content Filtering Rules; 7.2 Setting Up QoS Services; 7.6 Upgrade Intelligent Recognized Protocols (IRP); 10.2 Monitoring Sessions and Online Users.
MAINTENANCE RECOMMENDATIONS. You are recommended to export the current filter rule list (Export Rules button) to a locally saved file before modifying the filter rule list.
115. d set up the IP Defragmentation, TCP Stream Reassembly or Port Scan preprocessors. To select the IDP working mode.
Menu VPN:
- IPsec Setting: To enable/disable VPN and select the outgoing interface used for IPsec VPN connections. Virtual Port 2 is used as the default outgoing interface; hence simply select the VLAN assigned to the desired outgoing interface from the list of VLANs assigned to Virtual Port 2.
- Manual Key: To manage the manual keys used to establish VPN connections. This is mainly used to test if IPsec VPN is working correctly. We do not recommend establishing VPN connections using manual keys for normal operations.
- IKE: To manage the list of IKE (Internet Key Exchange) entries used for VPN connection establishment.
- VPN Connection: To manage VPN connections.
- Root CA: To manage root CAs used during IKE authentication.
- Local CA: To manage local CAs used during IKE authentication.
- Remote CA: To manage remote CAs used during IKE authentication.
- PPTP: To configure PPTP VPN connections.
- L2TP: To configure L2TP VPN connections.
QoS Setting: To define QoS priority levels for each virtual port. These can then be applied to filter rules to enable the QoS service. You can also enable/disable QoS and set up the maximum and guaranteed bandwidth for each
116. data packets are masqueraded to originate from trusted addresses, thus tricking firewalls and routers into believing that the packets are from trusted networks, in order to gain access illegally. IP addresses of hosts can be easily modified; MAC addresses, on the other hand, are written into the network card itself and are thus difficult to modify. Hence binding IP addresses to MAC addresses can help to reduce IP spoofing attacks. When SifoWorks receives a data packet, it will first check the packet's source IP and MAC addresses against the IP-MAC binding records in its list. Users can also configure host policies to determine whether to accept data packets from hosts not included in the ARP tables.

APPLICATION EXAMPLE. In the network topology shown below, we want to bind the IP addresses of all users in the LAN network. (Topology as captured: Internet; WAN 211.192.98.220; SifoWorks; Subnet 2 and LAN, each 192.168.1.0/24 behind a switch; Server Domain (DHCP) 10.1.1.0/24.) In this network:
- The range of IP addresses to be bound is 192.168.1.10-192.168.1.60.
- Drop all accesses from other IP addresses.
- Enable MAC binding.
- Enable the system to update the neighbor's cache with an update interval of 10 seconds.
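The ingress check described above (compare a packet's source IP and MAC against the binding list, then fall back to the host policy for hosts that are not bound) can be expressed directly. This is an added example, not SifoWorks code: the class `IpMacBindingCheck`, the `accept_unbound` flag standing in for the host policy, the MAC values, and the reading that an address inside the bound range with no binding is dropped (matching the example's "drop all accesses from other IP addresses") are assumptions for the illustration; the 10-second neighbor cache refresh is not modelled.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """The two source fields the binding check looks at (constructed input)."""
    src_ip: str
    src_mac: str


def normalize_mac(mac):
    """Canonical lower-case colon form so 'AA-BB-..' and 'aa:bb:..' compare equal."""
    hexdigits = mac.replace(":", "").replace("-", "").lower()
    if len(hexdigits) != 12 or any(c not in "0123456789abcdef" for c in hexdigits):
        raise ValueError(f"bad MAC address: {mac}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


class IpMacBindingCheck:
    """Ingress check modelled on the page's description (hypothetical, not product code).

    bind_range:     inclusive (first, last) IP addresses whose hosts must be bound.
    bindings:       static IP -> MAC records.
    accept_unbound: host policy for packets from hosts outside the binding list.
    """

    def __init__(self, bind_range, bindings, accept_unbound=False):
        self.first = ipaddress.ip_address(bind_range[0])
        self.last = ipaddress.ip_address(bind_range[1])
        self.bindings = {ipaddress.ip_address(ip): normalize_mac(mac)
                         for ip, mac in bindings.items()}
        self.accept_unbound = accept_unbound

    def in_bind_range(self, ip):
        return self.first <= ipaddress.ip_address(ip) <= self.last

    def check(self, pkt):
        """Return (verdict, reason) for one packet; verdict is 'accept' or 'drop'."""
        ip = ipaddress.ip_address(pkt.src_ip)
        mac = normalize_mac(pkt.src_mac)
        bound_mac = self.bindings.get(ip)
        if bound_mac is not None:
            if bound_mac == mac:
                return "accept", "ip-mac binding matched"
            # the bound IP is being used from a different interface: the
            # spoofing case the binding exists to catch
            return "drop", f"mac mismatch: bound {bound_mac}, seen {mac}"
        if self.in_bind_range(ip):
            # assumption: an address inside the protected range must be bound
            return "drop", "address in bind range but has no binding"
        if self.accept_unbound:
            return "accept", "host not in binding list; host policy accepts"
        return "drop", "host not in binding list; host policy drops"


def audit(checker, packets):
    """Run the check over a list of packets and return [(src_ip, verdict), ...]."""
    return [(p.src_ip, checker.check(p)[0]) for p in packets]


if __name__ == "__main__":
    # Constructed bindings for the 192.168.1.10-192.168.1.60 range from the example
    checker = IpMacBindingCheck(("192.168.1.10", "192.168.1.60"), {
        "192.168.1.10": "00:11:22:33:44:55",
        "192.168.1.11": "00-11-22-33-44-66",
    })
    sample = [
        Packet("192.168.1.10", "00:11:22:33:44:55"),   # bound host, correct MAC
        Packet("192.168.1.10", "00:11:22:33:44:66"),   # bound IP from another NIC
        Packet("192.168.1.30", "de:ad:be:ef:00:01"),   # in range, never bound
        Packet("192.168.1.200", "de:ad:be:ef:00:02"),  # outside the bound range
    ]
    for src, verdict in audit(checker, sample):
        print(src, verdict)
```

Because `check` returns the reason alongside the verdict, the same function can feed a log line: a `mac mismatch` reason is the signal worth alerting on, since it means a bound address was seen from a different hardware address, whereas the host-policy drops are routine.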
117. ddress translation on the destination address of all data packets matching the rule. Destination NAT is mainly used for accesses to the internal network, such as accesses to an internal web server from an external user.
Map List. A maplist object contains a list of multiple address mappings. This object can be applied on SNAT rules. The system supports up to 10 maplist objects; each object can contain a maximum of 1000 address mappings. As each maplist object can contain multiple address mappings, the use of these objects can greatly reduce the number of SNAT rules, thus optimizing system performance. Furthermore, SifoWorks uses the quick search function to search for matching SNAT rules using maplist objects. This greatly reduces the search time, further enhancing the performance of the system. Hence we recommend adding SNAT rules that use maplist objects if your network requires several source network address translations for non-continuous IP addresses or port numbers.
Server Load Balancing. SifoWorks is able to balance traffic load on multiple servers via DNAT rules. You can add up to 10 DNAT rules that apply server load balance objects. Up to 20 servers can be defined in each object. The system supports two load balancing mechanisms: round robin and server priority. A Sticky option is also available in SifoWorks, ensuring t
118. destination IP, protocol used, corresponding protocol characteristics, when the session was established and how long the session was maintained for.
CONFIGURATION PROCEDURE. The procedure to manage the list of currently established sessions is described in the steps below.
Step 1: Log in to SifoWorks via an administrator account. Note: If you only intend to view session information, simply log in to SifoWorks via a read-only administrator account. If you need to manually terminate sessions, please log in with a read-write account.
Step 2: From the left menu bar, select Monitor > Session to view the list of currently established sessions.
Step 3: From this list you can:
- Search for specific sessions: Click Query. In the Query Session interface, specify search criteria and click Search to search for specific sessions.
- Export the sessions to a local file: Click Save to export the session list to a file to be stored locally.
- Terminate specific sessions: Click Delete. In the Delete Session interface, specify the necessary criteria and click Delete to terminate all sessions matching these criteria.

10.2.2 Online Users. Refers to all currently online users who have been successfully authenticated. Users can be added via the System > Auth User interface to be locally authenticated by SifoW
119. detected by SifoWorks are: TearDrop, Bonk, Boink, Nestea, Newtear, Syndrop, Jolt2, Oshare, Saihyousen, 1234, Ping of death. How to Configure: Check the checkbox to enable. Note: The IP header of an IP packet contains two bytes representing the length of the IP packet. The longest length of any IP packet is 0xFFFF (65535 bytes). Processing of IP fragments larger than this length will cause errors to occur in certain systems, thus causing the system to deny services. Also, some systems will not be able to process IP fragments if the offsets of the different fragments have been specifically structured, causing the systems to crash.

7.6 Upgrade Intelligent Recognized Protocols (IRP). SifoWorks supports updating of IRP by importing protocol recognition update patch files. This updates the system to recognize protocols that are newly developed or modified, thus enhancing the stability of the firewall. This section guides you through the procedure to update the SifoWorks IRP function. For more information on the IRP function, please refer to 1.3.4 Intelligent Protocol Recognition.
CONFIGURATION PROCEDURE. The procedure to update the SifoWorks IRP function is as follows. Step 1: Log in to SifoWorks using a read-write administrator account. Step 2: From the left menu bar, select Advance > IRP
120. dio buttons. Range: v1, v2c. Host IP, How to Configure: Enter the value in the textbox. Host Port, How to Configure: Enter the value in the textbox; Default 162. Local IP, How to Configure: Enter the value in the textbox. Community, How to Configure: Enter the value in the textbox; Default public. Type, How to Configure: Select the option from the drop-down menu; Range: trap, inform.

System > Registration Server > Add Registration Server (Field Name / Explanation / Configuration):
- Server Name: Name of the server. How to Configure: Enter the value in the textbox. Range: String of 1-15 characters.
- Enable: Enable or disable the use of this server. Note that if the SNMP Status in the System > SNMP Setting interface is disabled, this function will not be enabled even if this value is On. How to Configure: Select the On or Off radio button to enable or disable this function respectively. Range: On, Off.
- IP: IP address of the network management server. How to Configure: Enter the value in the textbox.
- Port: UDP listening port of the network management server. How to Configure: Enter the value in the textbox. Range: 1-9999.
- Interval: The time interval between each sending of information packets from the system to the network management server. How to Configure: Enter the value in the textbox. R
121. e Defragmentation tab. 2. Select to Enable IP Defragmentation. (IP Defragmentation tab as captured: Enable / Disable; Max Fragments 65536; Memory Cap 4 bytes; Restore To Default Setting; Policy List with columns Index, Policy, Bind To, Anomaly Detection, Timeout, Min ttl, Operation and one entry 1, FIRST, any, yes, 60, 1; Add New Policy; Save; Reset.) 3. Leave the default settings for all parameters and click Save to save the configuration. 4. Select the Stream Reassembly tab and toggle to disable (Off) the TCP stream reassembly pre-processor. 5. Click Save to save the settings. 6. Select the Portscan tab and toggle to disable (Off) the Port scan pre-processor. 7. Click Save to save the settings.
Step 5: Select IDP work mode. 1. From the left menu bar, select IDP > IDP Control. 2. Enable the IDP state (In-line). 3. Click Apply to save the configuration.

5.3 Upgrade IDP Rules. Through this function you can upgrade your system's IDP pre-defined rule set to the latest version. The system automatically connects to the specified O2Security server to obtain the upgrade file. You should add a notification email address to the system before performing an IDP upgrade. The system will then be able to notify you if the upgrade failed
...configure the log attributes as required. For example, enter 50000 as the Max Items of admin logs and 10 as the corresponding Del Policy. The system then stores up to 50000 admin logs; when this number is exceeded, the system automatically deletes 10% of the stored admin logs, that is, the oldest 5000 admin log records.
Step 4 (Optional) Select whether to log DNS requests, ICMP requests and/or packets that did not match any filter rule. For example, to log all DNS requests, check the checkbox in front of the Log Every DNS Request option.
Step 5 Click Save to save the configuration.

8.4 Exporting Logs
This section explains how to set up the system to export logs to an FTP server for archiving.

CONFIGURATION PROCEDURE
Step 1 Log in to SifoWorks via a read-write account.
Step 2 From the left menu bar, select Log > Log Export.
Step 3 In the Log Export interface that is displayed, check the Export Enable checkbox.
Step 4 Enter the domain name of the FTP server, the full file Path in which to store the log files, the User name and Password used to log in to the FTP server, the log storage Format, and the Interval (in terms of time or number of log items) between export operations.
Note that FTP transmits the login credentials and the exported log files unencrypted, so place the FTP server on a network segment you trust and give the export account write access to the archive path only.
Step 5 Click Save to save the configuration.

8.5 Customizing Log Filter Criteria and Log Format
By conf...
...IP records. For example, two web servers, each providing HTTP services with up to 200M of bandwidth, are set up in the network. When an attacker launches a DoS/DDoS attack on the servers, the large number of spoofed source IPs rapidly consumes the servers' bandwidth, denying access to other clients. When SifoWorks DoS/DDoS defense is deployed, the system restricts all connections from the spoofed IPs, so that the servers retain enough bandwidth to serve legitimate users. With the two mechanisms above, SifoWorks greatly reduces the threat of DoS/DDoS attacks.

SifoWorks is able to detect and protect your network against the following types of attacks:
• SYN Flood
• TCP scan
• Ping Sweep
• Ping Flood
• UDP Flood
• UDP scan
• ARP Attack
• TearDrop
• Bonk
• Boink
• Nestea
• Newtear
• Syndrop
• Jolt2
• Oshare
• 1234
• Ping of death
• Saihyousen
• Smurf Attack
• Land-based Attack
• WinNuke

1.3.6 Content Filter
Traditional firewalls support access control at the TCP/IP layer but not on application-layer data. Packets with legitimate TCP and IP headers but an illegitimate payload are still allowed through the network. Therefore, in addition to control over packets at the TCP/IP layer, enterprises also wish to filter packets based on application data. SifoWorks supports application-layer content filtering for the following protocols:
• HTTP: SifoWork...
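The attack list above mixes two kinds of detection: some attacks are recognisable from a single packet (a Land packet has identical source and destination, a Ping of death exceeds the maximum IP datagram size, a Smurf trigger is an echo request to a broadcast address, WinNuke is urgent data to port 139), while floods, sweeps and scans only show up as rates across many packets. The following is an added example, not code from the SifoWorks manual or product, that implements both kinds of check in Python over constructed packet records. Packet, classify_packet, classify_window, sample_traffic and all thresholds are this example's own; the product's detection logic and thresholds are not published on this page.

```python
# Added example, not part of the SifoWorks manual or product: detection logic
# for several attack types from the list above, run over constructed packets.
# Names and thresholds are this example's own assumptions.
from collections import Counter
from dataclasses import dataclass

SYN_FLOOD_THRESHOLD = 100   # SYNs toward one destination within the window
PING_FLOOD_THRESHOLD = 50   # echo requests from one source within the window
SWEEP_THRESHOLD = 20        # distinct hosts pinged by one source within the window
SCAN_THRESHOLD = 15         # distinct ports SYN'd on one host by one source
MAX_IP_LENGTH = 65535       # largest legal reassembled IPv4 datagram


@dataclass
class Packet:
    src: str
    dst: str
    proto: str               # "tcp", "udp" or "icmp"
    flags: str = ""          # TCP flags as letters, e.g. "S", "SA", "PU"
    sport: int = 0
    dport: int = 0
    total_len: int = 0       # reassembled datagram length in bytes
    icmp_type: int = -1      # 8 = echo request
    dst_broadcast: bool = False


def classify_packet(pkt):
    """Stateless per-packet checks; returns the names of the attacks matched."""
    hits = []
    if pkt.proto == "tcp" and "S" in pkt.flags and pkt.src == pkt.dst and pkt.sport == pkt.dport:
        hits.append("Land-based Attack")      # spoofed SYN from the victim to itself
    if pkt.proto == "icmp" and pkt.total_len > MAX_IP_LENGTH:
        hits.append("Ping of death")          # reassembled echo larger than IP allows
    if pkt.proto == "icmp" and pkt.icmp_type == 8 and pkt.dst_broadcast:
        hits.append("Smurf Attack")           # echo request to a broadcast address
    if pkt.proto == "tcp" and "U" in pkt.flags and pkt.dport == 139:
        hits.append("WinNuke")                # urgent (OOB) data to NetBIOS session port
    return hits


def classify_window(packets):
    """Rate-based checks over one time window; returns {attack name: offending address}."""
    hits = {}
    syns = Counter(p.dst for p in packets if p.proto == "tcp" and p.flags == "S")
    pings = Counter(p.src for p in packets if p.proto == "icmp" and p.icmp_type == 8)
    sweep, scan = {}, {}
    for p in packets:
        if p.proto == "icmp" and p.icmp_type == 8:
            sweep.setdefault(p.src, set()).add(p.dst)
        if p.proto == "tcp" and p.flags == "S":
            scan.setdefault((p.src, p.dst), set()).add(p.dport)
    for dst, n in syns.items():
        if n >= SYN_FLOOD_THRESHOLD:
            hits["SYN Flood"] = dst
    for src, n in pings.items():
        if n >= PING_FLOOD_THRESHOLD:
            hits["Ping Flood"] = src
    for src, dsts in sweep.items():
        if len(dsts) >= SWEEP_THRESHOLD:
            hits["Ping Sweep"] = src
    for (src, dst), ports in scan.items():
        if len(ports) >= SCAN_THRESHOLD:
            hits["TCP scan"] = src
    return hits


def sample_traffic():
    """Constructed window: a spoofed SYN flood, a port scan and a ping sweep."""
    pkts = [Packet(f"203.0.113.{i}", "10.1.1.2", "tcp", "S", 1024 + i, 80) for i in range(100)]
    pkts += [Packet("1.2.3.4", "10.1.1.2", "tcp", "S", 40000, port) for port in range(1, 21)]
    pkts += [Packet("1.2.3.5", f"10.1.1.{h}", "icmp", icmp_type=8) for h in range(1, 31)]
    return pkts
```

The per-packet checks are cheap and can run in-line; the windowed checks need per-destination and per-source counters that are reset every interval, which is also where a real implementation would add the UDP flood and UDP scan counterparts using the same structure.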
...the QoS advanced rule option and select priority level 1 for both the incoming and outgoing interfaces.
[Filter rule screenshot, Action To Take tab: Action Accept / Drop; Advanced: Log, TCP Window Tracking, Content Filtering NONE, QoS Incoming Level 1, Outgoing Level 1, Max Concurrent Connections (Limit), Netmask 255.255.255.255; buttons Next >, Cancel.]

REFERENCE: Please refer to 4.2 Managing Filter Rules for more information on adding filter rules.

7.3 Limiting IP Traffic
This function allows you to limit the upload and download bandwidth of individual IP addresses or entire subnets. This lets you control the traffic of specific hosts or subnets, preventing the network's bandwidth from being tied up by a small number of hosts engaged in large transfers such as BitTorrent or other P2P software. The SifoWorks IP rate limit function performs well because it is handled in hardware.

IP rate limit targets can include:
• Specific host (Type: Host): a host corresponding to a specific IP address. SifoWorks can restrict the upload and download bandwidth of this host.
• IP range (Type: Range): all hosts with IP addresses within the specified IP range. SifoWorks restricts the bandwidth available to all hosts in this group.
• Subnet (Type: Subnet): ...
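To make the target types above concrete, here is an added example, not code from the SifoWorks manual or product: a software token-bucket model in Python of the IP rate limit targets (Host, Range, Subnet), with separate upload and download limits and, for Range and Subnet targets, one shared bucket for the whole group as the text describes. The product enforces this in hardware; this only illustrates the semantics. Bucket, RateLimit, Limiter, the direction names and the bandwidth figures are this example's own assumptions, and limits are expressed in bytes per second.

```python
# Added example, not part of the SifoWorks manual or product: a token-bucket
# model of IP rate limit targets (Host, Range, Subnet) with separate upload
# and download limits. Class names, directions and figures are assumptions.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Bucket:
    rate_bps: float            # sustained bytes per second
    burst: float               # bucket capacity in bytes
    tokens: float = 0.0
    last: float = 0.0          # time of the last refill, seconds

    def allow(self, nbytes, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate_bps)
        self.last = now
        if nbytes <= self.tokens:
            self.tokens -= nbytes
            return True
        return False


@dataclass
class RateLimit:
    """One rate-limit target: Type Host, Range or Subnet, limits in bytes per second."""
    kind: str
    spec: str                  # "10.0.0.5", "10.0.0.10-10.0.0.20" or "10.0.0.0/24"
    upload_bps: int
    download_bps: int
    buckets: dict = field(default_factory=dict)   # one bucket per direction for the target

    def matches(self, ip):
        addr = ipaddress.ip_address(ip)
        if self.kind == "Host":
            return addr == ipaddress.ip_address(self.spec)
        if self.kind == "Range":
            lo, hi = (ipaddress.ip_address(s) for s in self.spec.split("-"))
            return lo <= addr <= hi
        if self.kind == "Subnet":
            return addr in ipaddress.ip_network(self.spec, strict=False)
        raise ValueError(f"unknown target type {self.kind}")

    def bucket(self, direction):
        if direction not in self.buckets:
            rate = self.upload_bps if direction == "up" else self.download_bps
            # Allow up to one second's worth of traffic as burst.
            self.buckets[direction] = Bucket(rate, burst=rate, tokens=rate)
        return self.buckets[direction]


class Limiter:
    def __init__(self, limits):
        self.limits = limits   # first matching target wins, so list hosts before subnets

    def admit(self, src, dst, nbytes, direction, now):
        """'up' = an inside host sending (keyed by src); 'down' = receiving (keyed by dst)."""
        ip = src if direction == "up" else dst
        for lim in self.limits:
            if lim.matches(ip):
                return lim.bucket(direction).allow(nbytes, now)
        return True            # hosts not covered by any target are not limited
```

Ordering matters: a Host target listed after a Subnet target that contains it would never be consulted, so the more specific targets go first, the same first-match discipline the filter rule list uses.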
...the WAN domain containing the web and mail servers. The first-hop gateway address between the firewall and the Internet is 211.192.98.217. The configuration plan is as follows:

Parameter | Configuration Value
Virtual Port | Virtual Port 1: FE0; Virtual Port 2: FE1; Virtual Port 3: all other ports
VLAN | LAN: Virtual Port 1 = FE0, Virtual Port 2 = none, Virtual Port 3 = none. WAN: Virtual Port 1 = none, Virtual Port 2 = FE1, Virtual Port 3 = FE2
IP Address | LAN: 192.168.1.1 / 255.255.255.0; WAN: 211.192.98.220 / 255.255.255.0
Static Routes | Destination 0.0.0.0, Netmask 0.0.0.0, Gateway 211.192.98.217, Outgoing Interface WAN

The configuration procedure is as follows:
Step 1 Log in to SifoWorks via a read-write administrator account.
Step 2 Configure the virtual ports.
1. From the left menu bar, select Network > Virtual Port Config.
2. Click Virtual Port Config at the bottom of the virtual port list to view the Virtual Port Edit interface.
3. Using the arrow buttons, move FE0 to Virtual Port 1, FE1 to Virtual Port 2 and all other ports to Virtual Port 3.
4. Click Save to save the configuration and return to the Virtual Port list.
Step 3 Configure the VLANs.
1. From the left menu bar, select Network > VLAN Setting to display the...
...defined using virtual ports, allowing you to map multiple physical ports to a single rule. For example, physical ports FE0 to FE2 are assigned to VPort1 while FE3 to FE5 are assigned to VPort2. To define a filter rule that matches traffic sent from FE0-FE2 to FE3-FE5, simply select VPort1 as the incoming interface and VPort2 as the outgoing interface.

SifoWorks supports 3 virtual ports: Virtual Port 1 (VPort1), Virtual Port 2 (VPort2) and Virtual Port 3 (VPort3). All physical data ports (FE0 to FE7) must be assigned to one of the 3 virtual ports. Each data port can only be assigned to a single virtual port; each virtual port can contain multiple data ports.

VLAN (Virtual Local Area Network)
Virtual local area networks (VLANs) define a logical separation of a local area network into individual network segments. The main uses of VLANs include:
• Separating interfaces: interfaces assigned to different VLANs can be blocked from communicating with each other even if they are on the same switch. A single physical switch can thus be logically viewed as multiple switches.
• Enhancing network security: hosts in different VLANs cannot communicate with each other directly (traffic between VLANs must pass through a router or the firewall), and broadcast traffic is confined to its own VLAN, which reduces the risks posed by broadcast packets.
• Facilitating management: VLANs allow administrators to change the network a user belongs to via software configuration instead...
...of a network topology deploying SifoWorks in transparent mode is shown below.
[Figure: transparent-mode topology. Internet; router 210.192.98.220 (LAN side 10.1.1.3); SifoWorks; layer-3 switch; Subnet 1, Subnet 2 and the Server Domain (10.1.1.1), all on 10.1.1.0/24 behind LAN switches.]

2.1.2 Route Mode
Route mode is suitable for networks made up of multiple domains, each using a different network segment. All data transmitted between devices in different domains must pass through SifoWorks for routing or NAT. The figure below shows an example of a network topology deploying SifoWorks in route mode.
[Figure: route-mode topology. Internet; SifoWorks WAN 211.192.98.220; LAN switches with Subnet 1 and Subnet 2 on 192.168.1.0/24; Server Domain on 10.1.1.0/24.]

2.1.3 Hybrid Mode
Hybrid mode is suitable for networks made up of 2 or more network domains where some domains are in different network segments. Data transmission between domains in different network segments is handled in the same way as in route mode; data transmission between domains within the same network segment is handled in the same way as in transparent mode. An example network...
...the software used in this example is SafeNet SoftRemote.
Step 2 Configure the IPsec VPN connection.
Configure the IPsec VPN connection on your installed client, ensuring that the IKE settings are identical to those configured on SifoWorks. The following shows an example of this configuration on the host 211.100.10.10 in the WAN domain, which uses the SafeNet SoftRemote client.
[Figure: VPN tunnel from the remote host to the SifoWorks WAN interface (VPort2, 211.192.98.220).]
[SafeNet SoftRemote Security Policy Editor screenshot 1: under Network Security Policy > My Connections, a new connection with Connection Security set to Secure and Only Connect Manually unchecked. Remote Party Identity and Addressing: ID Type IP Subnet, Subnet 10.1.1.0, Mask 255.255.255.0, Protocol All, Port All; Connect using Secure Gateway Tunnel checked, ID Type IP Address, 211.192.98.220.]
[SafeNet SoftRemote Security Policy Editor screenshot 2: My Identity: Select Certificate: None; Pre-Shared Key: Enter Key; dialog text: Enter Pre-Shared Key (at least 8 characters). This key is used during the Authentication Phase if the Authentication Method Proposal is...]
...email address periodically.
Viewing Logs: Describes how to view the various types of logs, including the admin, system, security and traffic logs.
Please refer to this chapter to understand log-related operations.

SifoWorks records and displays comprehensive log information, helping administrators monitor the system's status and identify abnormalities in the network. SifoWorks provides 4 ways to store log records:
• Local Storage (LocalDB): store logs on the SifoWorks built-in hard disk.
• Remote Server (Server 1 to Server 4): SifoWorks can be connected to up to 4 remote log servers at the same time. For each server you can specify the IP address, listening port, log format and the protocol used to transmit the logs. You can also select the character encoding used to record logs.
• Email (Email Alert): send log records fulfilling certain criteria to specified email addresses.
• FTP Server (Export): export log files to an FTP server by configuring the export path, log format and time interval between export operations.
Using the system's log filtering mechanism, you can customize the log filter criteria and the format of the logs stored by each of the storage methods above.

SifoWorks categorizes logs based on both log type an...
...menu bar, select Network > DDNS Setting.
In the DDNS Configuration tab displayed, check Enable DDNS.
From the Service provider drop-down menu, select the DDNS service provider. Enter your registered User Name, Password and the device's Domain Name. Supported DDNS service providers include www.3322.org and www.dhs.org.
Select the Interface used for DDNS from the drop-down menu. If SifoWorks is using PPPoE fast mode to access the Internet, select ADSL_HIGHSPEED as the Interface Name.
Click Save to save the settings.
(Optional) Click the DDNS Status tab to view DDNS-related information.
Related tasks include:
• 3.5 Configuring PPPoE Connections
• 6.2 Configuring IPsec VPN Connections

3.8 Managing IP-MAC Bindings
Binding IP addresses to specific MAC addresses reduces security risk, as users can then only access the network from specific host machines. Note that a MAC address can be changed in software, so IP-MAC binding raises the bar against casual misuse but is not a strong authentication control on its own. Some concepts are explained below.
MAC Address: Also known as the hardware address or link address, the MAC address is the physical address of a network card. It is written into the network card's EPROM (Erasable Programmable Read-Only Memory) and acts as the identifier of the network card.
IP Spoofing: This is a sophisticated network attack that attempts to access protected hosts illegitimately. These attack...
...to enhance system reliability.
Configuring IDS Services: Explains how to configure the SifoWorks built-in IDS service. Also introduces the procedure to link SifoWorks to a third-party IDS device to equip the firewall with the IDS function.
Upgrade Intelligent Recognized Protocols (IRP): Introduces how to update the SifoWorks IRP module.
Reading this chapter is recommended if you are configuring the system to provide QoS, IP rate limit, HA, IDS or IRP-related services.

SifoWorks advanced functions include QoS (quality of service), IP rate limit, HA (high availability), IDS (Intrusion Detection System) and IRP (Intelligent Recognized Protocol), helping you better manage your network's bandwidth, prevent well-known attacks and enhance system reliability.

7.2 Setting Up QoS Services
This section explains the QoS function and guides you through an example of how to configure QoS to manage your network's bandwidth. You can define QoS for each virtual port independently on the SifoWorks system. Hence, assign the device's data ports to virtual ports logically according to your actual network. For further details on managing virtual ports, please refer to 3.2 Setting up the Basic Network Settings.
Maximum Bandwidth: This refers to the maximum bandwidth allocated to traffic transmitted via the corresponding virtu...
...address mapping.
4. Repeat steps 2 to 3 to add the other 3 address mappings. The final configuration screen should be similar to the figure below.
[Map Configure screenshot, Map List with columns Original IP, Translated IP, Port, Sticky, Operation: four entries, with original ranges in 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24 and 192.168.4.0/24 translated to 211.192.98.220 (first two entries) and 210.82.98.220 (last two), translated port range 1025 to 65535, Sticky no. Edit fields: Original IP, Translated IP, Translated Port From / To, Sticky.]
5. Click Return to return to the maplist object list.

Step 4 From the left menu bar, select Firewall > NAT Rule. The SNAT tab, displaying the SNAT rule list, will be shown.
Step 5 Add a SNAT rule.
1. From the SNAT rule list, click Add New SNAT.
2. Configure the SNAT rule as follows:
Virtual Port From: VPort1
Virtual Port To: VPort2
VLAN From: LAN
VLAN To: WAN
Address From: Predefine All
3. Check the MapList checkbox at the bottom of this interface and select the maplist object LAN to WAN from the drop-down menu. The above configuration is illustrated in the figure below.
[Add New SNAT screenshot: Virtual Port From VPort1, Virtual Port To VPort2, Address From Predefine All, Address To Custom IP / Netmask or Predefine All, Service, Schedule, Ac...]
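The map list above ties an original source range to one translated address and a translated port range. The following is an added example, not code from the SifoWorks manual or product: a Python model of that map list that allocates translated ports per session, refuses new sessions when the port range is exhausted, and picks the first map entry whose original range covers the source. The manual does not define the Sticky column, so this example models it as an assumption: a sticky entry reuses the first translated port given to an original host for all of that host's later sessions, while a non-sticky entry allocates a fresh port per session. MapEntry, MapList and the demo port ranges are this example's own.

```python
# Added example, not code from the SifoWorks product: a model of the SNAT map
# list. "Sticky" is modelled as an assumption (reuse one translated port per
# original host); the manual does not define it. Names are this example's own.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class MapEntry:
    original_from: str
    original_to: str
    translated_ip: str
    port_from: int = 1025
    port_to: int = 65535
    sticky: bool = False
    next_port: int = field(init=False)
    host_port: dict = field(default_factory=dict)   # original host -> port (sticky only)
    sessions: dict = field(default_factory=dict)    # (src, sport, dst, dport) -> (tip, tport)
    in_use: set = field(default_factory=set)

    def __post_init__(self):
        self.next_port = self.port_from

    def covers(self, ip):
        a = ipaddress.ip_address(ip)
        return ipaddress.ip_address(self.original_from) <= a <= ipaddress.ip_address(self.original_to)

    def _alloc(self):
        # Round-robin scan of the translated port range; None when every port is taken.
        for _ in range(self.port_to - self.port_from + 1):
            p = self.next_port
            self.next_port = self.port_from if p == self.port_to else p + 1
            if p not in self.in_use:
                self.in_use.add(p)
                return p
        return None

    def translate(self, src, sport, dst, dport):
        key = (src, sport, dst, dport)
        if key in self.sessions:                 # existing flow keeps its mapping
            return self.sessions[key]
        if self.sticky and src in self.host_port:
            tport = self.host_port[src]
        else:
            tport = self._alloc()
            if tport is None:
                return None                      # range exhausted: session cannot be NATed
            if self.sticky:
                self.host_port[src] = tport
        self.sessions[key] = (self.translated_ip, tport)
        return self.sessions[key]


class MapList:
    """Ordered map entries; the first entry whose original range covers src wins."""

    def __init__(self, entries):
        self.entries = entries

    def translate(self, src, sport, dst, dport):
        for e in self.entries:
            if e.covers(src):
                return e.translate(src, sport, dst, dport)
        return None                              # source not in any original range: no SNAT
```

Port exhaustion is the failure mode worth planning for: a single translated address with the 1025 to 65535 range supports at most 64511 concurrent sessions, so large internal ranges are usually split across several translated addresses, as the four map entries in the screenshot do.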
...result screen by selecting Diagnostics > Trace Route Result from the left menu bar.
Step 6 From the Traceroute Result screen you can:
• Click Cancel to terminate the current traceroute command execution.
• Click Clear to clear the current result screen.

10.5 Restoring System Settings
This section covers restoring the SifoWorks configuration to the factory default settings, retrieving the system's administrative IP address and resetting the default administrator account password, helping you restore your system in the event of a system failure.
Warning: Restoring the system's configuration may disconnect all system operations from the network. You may be required to reconfigure your system to reconnect it to the network. Therefore we recommend that you back up the current system configuration before the restore operation.

CONFIGURATION PROCEDURE: RESTORING THE SYSTEM VIA THE WEB UI
This set of steps guides you through restoring your system to the factory default settings via the system's web interface.
Step 1 Log in to SifoWorks via the admin account.
Note: If you do not remember the password for the default administrator (admin) account, you can recover the password by pressing and holding the Reset button located between the MG...
Because the Reset button resets the administrator password, anyone with physical access to the device can take control of it; keep the unit in a physically secured location.
[Figure: deployment topology. Internet; SifoWorks WAN 211.192.98.220 on VPort2; Subnet 1 and Subnet 2 (192.168.1.0/24) on LAN switches; Server Domain (DMZ) 10.1.1.0/24 with host 10.1.1.3.]
A system administrator wants to set up SifoWorks to enforce the following access control:
• All external users in the WAN domain can access the web server in the DMZ using the HTTP service.
• All internal LAN users can access the web server in the DMZ via the HTTP service.
• All internal LAN users can access the SMTP server in the DMZ via the SMTP service.
• Enable intelligent recognized protocol to prevent illegal data traffic.
• Log packets that match any of these filter rules for analysis and future tracking.
The configuration procedure is as follows:
Step 1 Log in to SifoWorks via a read-write administrator account.
Step 2 From the left menu bar, select Firewall > Filter Rule to view the current list of filter rules.
Step 3 Add the filter rule to allow WAN users access to the web server.
1. Click Add New Filter Rule to display the configuration interface for adding a new filter rule.
2. Select Accept as the Action. Click Advanced to display the advanced options and enable Log for this rule.
3. Click Next > to display the Match tab interface and configure as...
4.3 Managing Local Rules
Local rules allow you to control access to the SifoWorks system itself via its data ports. Configuring local rules is not recommended if you do not need to access the SifoWorks system via the data ports.

APPLICATION EXAMPLE
The following network topology is used in this example:
[Figure: Internet; SifoWorks WAN 211.192.98.220 on VPort2; LAN 192.168.1.1 with Subnet 1 and Subnet 2 (192.168.1.0/24) on LAN switches; DMZ Server Domain 10.1.1.0/24.]
A SifoWorks system administrator wants to manage SifoWorks from a workstation in the LAN domain. The IP address of this workstation is 192.168.1.10; the SifoWorks administrative IP is 192.168.1.1.
The configuration procedure is as follows:
Step 1 Log in to SifoWorks via a read-write administrator account.
Step 2 From the left menu bar, select Firewall > Local Rule.
Step 3 The local rule list will be displayed. At the bottom of this list, click Add New Local Rule.
Step 4 Select Accept as the rule's Action.
[Action To Take screenshot: Action Accept / Drop; Advanced; buttons Next >, Cancel.]
Step 5 Click Next > to view the Match tab interface and configure as follows:
Virtual Port From: VPort1
VLAN From: LAN
Address From: Custom...
If SifoWorks connects to the Internet via PPPoE, the IP address assigned to the system changes each time it establishes a PPPoE connection. The DDNS service is used to resolve a static domain name to the dynamic IP address. DDNS requires cooperation between the server and the client: each time the client connects to the Internet and receives a new IP, it informs the DNS server to update the domain name resolution database. While this client is online, other Internet users accessing this domain name are thus directed to the client's current IP address.
Dynamic VPN connections can be established once DDNS is configured. For example, in the figure below, SifoWorks A accesses the Internet via a static IP and SifoWorks B accesses the Internet via PPPoE. Therefore:
• Without DDNS, SifoWorks A cannot obtain the IP address of SifoWorks B, so VPN connections can only be established if initiated by SifoWorks B.
• With DDNS set up, SifoWorks A can obtain the IP address of SifoWorks B via domain name resolution, so either device can establish a VPN connection with the other.
Note that DNS resolution only locates the peer; it is the IKE authentication (pre-shared key or certificate) that identifies it, so a DDNS name must never be treated as proof of who is at the other end.
[Figure: VPN tunnel between SifoWorks A and SifoWorks B.]

CONFIGURATION PROCEDURE
Step 1 Log in to SifoWorks using a read-write administrator account.
Step 2 From the left m...
...Interface: WAN
IKE Name: RemoteIKE
Remote Gateway: Static Gateway IP / Dynamic DNS Domain / Dynamic
Local ID: (domain name)
Remote ID:
NextHop: 211.192.98.217
Strict Algorithm Match
[buttons Next >, Cancel]
4. Click Next > to display the Phase One Method tab. Configure as follows:
Algorithm: 3des-md5-modp1536
Exchange: main mode
5. Click Next > to view the Authenticate Method tab. Select PSK and enter 123456 as the Preshare Key. Re-enter this key in the Retype textbox to confirm. These values are for illustration only: a short numeric pre-shared key is trivially guessable and 3DES with MD5 are legacy algorithms, so in production use a long random pre-shared key and the strongest algorithms both peers support.
6. Click Next > to display the Phase Two Proposal tab. Enable Using ESP and select the esp-3des-md5 ESP Algorithm. Also select the Using PFS option.
[Phase Two Proposal screenshot: Encapsulation: Using ESP (Algorithm), Using AH (Algorithm); PFS: Group is same as Phase one's / Using PFS (DH Group); buttons < Back, Next >, Cancel.]
7. Click Next > to view the Advanced Setting tab. Keep the default configuration for all parameters in this tab and click Save to save this IKE record.

Step 5 Add address objects.
1. From the left menu bar, select Object > Address to display the list of address objects.
2. Click Add New Address and configure as follows:
Name: Local
IP: 192.168.1.0
Netmask: 255.255.255.0
3. Click Save to add the new address object.
Step 6 Add the VPN connection.
1. ...
Network configuration is a basic module of the SifoWorks system. This module allows administrators to set up the system to connect to the network and provide network-related services. Administrators must complete the system's network configuration according to their actual network requirements.
To connect SifoWorks to your network correctly, you must first set up the basic network settings to configure the device's virtual ports, VLANs, IP addresses and routes. Please refer to 3.2 Setting up the Basic Network Settings for more information. The remaining sections describe the procedures to set up SifoWorks to provide NAT, DHCP, DNS and DDNS services and the IP-MAC binding mechanism, and to manage the device's ARP tables. You can also set up the device to connect to external networks via PPPoE.

3.2 Setting up the Basic Network Settings
This section guides you through configuring the device's virtual ports, VLANs, IP addresses and routes necessary to connect SifoWorks correctly to your network.
Virtual Ports
SifoWorks supports up to three virtual ports: Virtual Port 1, Virtual Port 2 and Virtual Port 3. These are not physical ports on the device but logical ports used to facilitate management of the device's data ports. Assigning physical data ports to virtual ports lets you manage the ports easily when defining filter rules. Filter rules' incoming and outgoing interfaces ar...
...figuration Procedure
These steps guide you through defining and managing the filter rules necessary to control network traffic according to the requirements determined in 11.1 Network Topology and Company Requirements.
Step 1 Activate QoS and specify the maximum bandwidth for each virtual port.
1. Select Advance > QoS Setting from the left menu bar. In the interface that displays, click the QoS Status tab.
2. Click the radio buttons to turn QoS On for VPort2 and VPort3.
3. Enter 100000 as the maximum bandwidth assigned to each of these virtual ports.
[QoS State screenshot: State and Max Bandwidth for each virtual port.]
4. Click Save to save the QoS state setting.
Step 2 Define QoS priority levels for the virtual ports.
1. From the left menu, select Advance > QoS Setting. In the interface displayed, click the QoS List tab.
2. Click the expand icon corresponding to VPort2 to display virtual port 2's priority levels.
3. Click the edit icon for VPort2's priority level 1. In the interface that displays, enter 60000 and 20000 in the Max Bandwidth and Guaranteed Bandwidth textboxes respectively.
4. Click Save to save the setting and return to the QoS list.
Repeat steps 2 to 4 to configure the QoS priority level for VPort...
...configuration procedure, guiding you through the steps to set up the device so that remote users can establish VPN connections with the internal network.
Phase 5 Setting up IDS: Explains phase 5 of the configuration procedure, guiding you through the steps to set up the SifoWorks IDS function.
Please refer to this chapter when you want to deploy and configure your SifoWorks device completely so that it operates correctly in your network.

11.1 Network Topology and Company Requirements
This chapter guides you through the procedure to configure SifoWorks such that the device operates correctly and provides the functions needed by the network shown in the topology below.
[Figure: Internet; SifoWorks WAN 211.192.98.220; Subnet 1 and Subnet 2 (192.168.1.0/24) on LAN switches; Server Domain 10.1.1.0/24.]
SifoWorks is deployed in the network using route mode.
An analysis of the network requirements and the corresponding configurations to be made on SifoWorks is shown in the table below.
Network Settings (Virtual Port, VLAN, IP Address, Route):
• Virtual Port 1: FE0
• Virtual Port 2: FE1
• Virtual Port 3: all other ports
• LAN: FE0
• WAN: FE1
• DMZ: FE2
• LAN...
...figure the IP addresses.
1. From the left menu bar, select Network > IP Config. The list of VLANs and their corresponding IP addresses will be displayed.
2. Click the icon corresponding to the VLAN LAN in the list to display the Show IP Configure interface.
3. Select Static IP Address and click Add New IP.
4. In the next interface, enter the IP Address 192.168.1.1 and Netmask 255.255.255.0.
5. Click Save to save this IP address and return to the Show IP Configure interface.
6. Click Return to return to the list of VLANs.
7. Repeat steps 2 to 6 to configure the IP addresses for the WAN and DMZ domains as follows:
WAN: 211.192.98.220 / 255.255.255.0
DMZ: 10.1.1.1 / 255.255.255.0
The resulting list of VLAN IP addresses should be identical to the figure below.
[IP Configuration screenshot: ADMIN 172.16.0.1 / 255.255.0.0; VLAN1 (LAN) 192.168.1.1 / 255.255.255.0; WAN 211.192.98.220 / 255.255.255.0; DMZ 10.1.1.1 / 255.255.255.0.]

Step 6 Add static routes.
1. From the left menu bar, select Network > Route Setting.
2. At the bottom of the static route list that displays, click Clear Invalid Routes to remove all invalid static routes from the system.
3. Click Add New Static Route.
4. In the Add New Static Route interface that appears, configure Destination IP 0...
Step 4 Configure PPTP VPN access.
1. From the left menu bar, select VPN > PPTP.
2. In the PPTP VPN Access tab, configure as follows:
State: Start
Encryption: 128bit or 40bit
IP Pool: select the IP pool object added in the previous step
User: select the user group object added in step 2 or the user object added in step 1
An example of the above configuration is shown in the figure below.
[PPTP VPN Access screenshot: State Start / Stop; Encryption 128bit; IP Pool PPTP_IP_Pool; User PPTP_Users Group.]
3. Click Next > to display the Remote Client Parameters tab.
4. (Optional) Enter the addresses of the DNS and WINS servers to be used by the remote PPTP VPN users.
5. Click Save to save the PPTP VPN configuration.
Choose 128bit rather than 40bit wherever the clients allow it. Note that PPTP's encryption is widely considered weak by current standards; where remote clients support it, the IPsec VPN described in 6.2 is the stronger choice.

6.4 Configuring L2TP VPN Connections
Remote access users connected via a VPN connection over L2TP (Layer 2 Tunneling Protocol) access the internal network through a tunnel (L2TP itself provides no encryption; it is normally combined with IPsec for that). Configuration of L2TP VPN is simplified because all PCs running Windows 2000 or later have the L2TP client installed. L2TP VPN connections can be established over various types of networks, including IP, X.25, ATM and frame relay networks. Multiple tunnels can be established between two end poi...
...follows:
Virtual Port From: VPort2
Virtual Port To: VPort3
VLAN From: WAN
VLAN To: DMZ
Address From: Predefine All
Address To: Custom IP / Netmask 10.1.1.2 / 255.255.255.255
Service: HTTP
4. Enable the Intelligent Recognized Protocol function and select http from the drop-down menu. The figure below shows the above configuration.
[Match tab screenshot: Virtual Port From VPort2, Virtual Port To VPort3, Address From Predefine All, Address To Custom IP 10.1.1.2 Netmask 255.255.255.255, Service HTTP, Intelligent Recognized Protocols http, Schedule none; buttons < Back, Save, Cancel.]
5. Click Save to save the new filter rule and return to the filter rule list.

Step 4 Add a filter rule to allow LAN users to access the web server.
1. Click Add New Filter Rule to display the configuration interface for adding a new filter rule.
2. Select Accept as the Action. Click Advanced to display the advanced options and enable Log for this rule.
3. Click Next > to view the Match tab interface. Configure as follows:
Virtual Port From: VPort1
Virtual Port To: VPort3
VLAN From: LAN
VLAN To: DMZ
Address From: Custom IP / Netmask 192.168.1...
...g Filter Rules
The SifoWorks system uses a firewall rule list containing a series of firewall rules. When a packet arrives at the SifoWorks device, the system matches the packet against this list from top to bottom. When a rule matches the packet, the system either:
• immediately allows the packet through the firewall, if the action of the matching rule is accept; or
• immediately discards the packet, if the action of the matching rule is drop.
Therefore the position of rules in the list affects both network behaviour and system performance. Add and order the filter rules according to your actual network requirements. Generally, you are recommended to configure filter rules as follows:
1. Add accept filter rules for all external-to-internal accesses.
2. Add accept filter rules for all internal-to-external accesses.
Because the first matching rule decides, place specific rules (narrow address and service matches) above broad ones; a broad rule placed first will shadow every more specific rule below it.
Please first set up content filtering rules and QoS settings if you intend to enable these options in any of your filter rules. Please refer to 4.4 Managing Content Filtering Rules and 7.2 Setting Up QoS Services for information on setting up content filtering rules and QoS respectively.

APPLICATION EXAMPLE 1: INTELLIGENT PROTOCOL RECOGNITION
The network topology used in this example is shown below.
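The following is an added example, not code from the SifoWorks manual or product: a Python evaluator for a filter rule list with the match fields this manual uses (virtual port and VLAN from/to, address from/to, service, log), applying the top-down first-match semantics described above, plus a check that reports rules shadowed by an earlier, broader rule. It also covers the virtual-port matching described in the Network Configuration section, where a rule's incoming and outgoing interfaces are virtual ports. Rule, Packet, evaluate and shadowed are this example's own, the sample rules follow the application example in this chapter (WAN to the DMZ web server on HTTP, LAN to the web and SMTP servers), and a packet matching no rule is treated as dropped, which is an assumption, as this page does not state the product's default.

```python
# Added example, not code from the SifoWorks product: a first-match evaluator
# for a filter rule list with virtual port, VLAN, address and service matches.
# No-match => drop is an assumption; names are this example's own.
import ipaddress
from dataclasses import dataclass

SERVICES = {"HTTP": ("tcp", 80), "SMTP": ("tcp", 25), "ANY": None}


@dataclass
class Rule:
    name: str
    action: str                  # "accept" or "drop"
    vport_from: str = "any"      # incoming virtual port, e.g. "VPort2"
    vport_to: str = "any"        # outgoing virtual port
    vlan_from: str = "any"
    vlan_to: str = "any"
    addr_from: str = "any"       # CIDR, or "any" for the manual's Predefine All
    addr_to: str = "any"
    service: str = "ANY"
    log: bool = False


@dataclass
class Packet:
    vport_from: str
    vport_to: str
    vlan_from: str
    vlan_to: str
    src: str
    dst: str
    proto: str
    dport: int


def _addr_ok(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def matches(rule, pkt):
    svc = SERVICES[rule.service]
    return (rule.vport_from in ("any", pkt.vport_from)
            and rule.vport_to in ("any", pkt.vport_to)
            and rule.vlan_from in ("any", pkt.vlan_from)
            and rule.vlan_to in ("any", pkt.vlan_to)
            and _addr_ok(rule.addr_from, pkt.src)
            and _addr_ok(rule.addr_to, pkt.dst)
            and (svc is None or svc == (pkt.proto, pkt.dport)))


def evaluate(rules, pkt):
    """Top-down first match: returns (action, rule name, logged). No match => drop."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name, rule.log
    return "drop", None, False


def shadowed(rules):
    """Names of rules that can never match because an earlier rule is at least as broad.
    A field is 'at least as broad' when it is any or exactly equal (CIDR nesting is not expanded)."""
    fields = ("vport_from", "vport_to", "vlan_from", "vlan_to", "addr_from", "addr_to")

    def broader(a, b):
        return (all(getattr(a, f) in ("any", getattr(b, f)) for f in fields)
                and a.service in ("ANY", b.service))

    return [b.name for i, b in enumerate(rules) if any(broader(a, b) for a in rules[:i])]
```

Run shadowed() on a rule list after every reorder: a shadowed accept rule is harmless, but a shadowed drop rule means traffic you believed was blocked is being accepted by the broad rule above it.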
...ing interface.
When establishing IPsec VPN via PPPoE links:
• You do not need to specify an outgoing interface under PPPoE common mode. Simply select PPPoE as the Local Interface when creating the IKE.
• Under PPPoE fast mode, select ADSL_HIGHSPEED as the outgoing interface.
Note: For details on configuring filter rules, please refer to 4.2 Managing Filter Rules. For details on IPsec VPN configuration, please refer to 6.2 Configuring IPsec VPN Connections.

CONFIGURATION PROCEDURE: COMMON MODE
Step 1 Connect the network cable for PPPoE access to the MGT1 port.
Step 2 Log in to SifoWorks via a read-write administrator account.
Step 3 Select the PPPoE mode.
1. From the left menu bar, select Advance > PPPoE Mode.
2. Select Common Mode.
Note: Skip to step 4 if SifoWorks is already working in PPPoE common mode.
[PPPoE Mode screenshot: Common Mode (selected) / Fast Mode; Firewall & Administrator; LAN User; buttons Save, Cancel.]
3. Click Save to save the settings. SifoWorks will restart automatically. Please log in to the system again once it has rebooted.
Step 4 Establish the PPPoE connection.
1. From the left menu bar, select Network > PPPoE Setting.
2. In the Configuration tab, enter the User Name and Password used to au...
146. Operation Window: The right frame of the web UI is the operation window, where you can configure the system, monitor network activities, etc. Detailed information regarding the various system functions can be found in the later chapters of this manual.
The Menu Options
Menu: Home. Displays various system status information and recent alerts. You can select to manually refresh the displayed information or set up the system to automatically refresh the display periodically.
Admin Setting: To manage the user accounts that can login to the SifoWorks UI. This includes adding/deleting accounts, managing account access authority, managing login security attributes, etc.
Config File: To import or export the system configuration file.
Patch Setting: To upgrade the SifoWorks software version.
Common Setting: To configure the system's basic settings such as web timeout, UI language, system date and time, web server CA, etc. This interface also allows you to reboot your device or reset the device's settings to factory default.
SNMP Setting: If you want to manage SifoWorks using a network management system, you must use this interface to complete the SNMP proxy configuration. SNMP Trap and Auth Server are optional configurations.
SNMP Trap: Set up SNMP Trap so that SifoWorks alerts the specified server if abnormalities in the device status are detected.
Timeout Setting: Specify timeout values for various SifoWorks oper
147. g up mail alerts, including parameters such as the email address used to receive the specified log records, the time interval between the sending of each mail, etc.
CONFIGURATION PROCEDURE
Step 1 Login to SifoWorks via a read-write administrator account.
Step 2 From the left menu column select Log > Email Alert.
Step 3 In the Email Alert tab displayed, enable Email Alert.
Step 4 Click Next > to navigate to the SMTP Server Setting tab.
Step 5 Enter the SMTP Server IP address and the account information used to login to the SMTP server (User, Mail Address, Password).
Step 6 Click Next > to navigate to the Email Setting tab.
Step 7 Enter the email address used to receive the log alerts in either Email1 or Email2. Specify the Interval, in terms of time or number of log items, between the sending of each alert.
Step 8 Click Save to save the configuration.
8.7 Viewing Logs
This section includes information on how to query and view the various log lists, including the admin log, system log, security log and traffic log.
CONFIGURATION PROCEDURE
Step 1 Login to SifoWorks.
Step 2 From the left menu bar select the sub-menu option under the Log menu corresponding to the type of log you wish to view. For example, to view administrative logs select Log > Admin.
Step 3 At the top of the log list specify
148. guring IPsec VPN Connections for more information on IKE configuration.
Add VPN connection: To add a VPN connection record used to implement L2TP VPN. Please select the L2TP checkbox in the Add New VPN Connection interface. For details on managing VPN connection records please refer to 6.2 Configuring IPsec VPN Connections.
Configure L2TP VPN access:
1 From the left menu bar select VPN > L2TP.
2 In the L2TP VPN Access tab configure as follows: State: Start. IP Pool: Select the IP pool object added in step 4. VPN User: Select the VPN user group object added in step 2 or the VPN user object added in step 1.
3 Click Next > to display the Remote Client Parameters tab.
4 (Optional) Enter the addresses of the DNS and WINS servers to be used by the remote L2TP VPN users.
5 Click Save to save the L2TP VPN settings.
Chapter 7 Advanced Functions
The following functions are explained in this chapter:
Overview: Briefly introduces the various advanced functions provided by SifoWorks, including QoS, HA, IDS and IRP update.
Setting Up QoS Services: Explains how to set up the QoS service on SifoWorks to manage the bandwidth allocation of various data traffic.
Limiting IP Traffic: Explains how to limit the upload and download speeds of individual IP addresses or subnets.
Activating High Availability: Describes the procedure to enable HA using two SifoWorks devic
149. hat requests from the same host are processed by the same server.
- Round robin: External connection requests will be assigned to the servers in a round-robin manner. If Sticky is enabled, the system will establish a relationship between source and destination addresses using the hash algorithm. The connection is then assigned to the next available server.
- Server priority: All servers are assigned a priority weight value. External connection requests are then distributed to the servers according to their priority. Servers with a larger priority weight will be assigned a larger number of requests.
APPLICATION EXAMPLE 1
According to the network topology in 3.2 Setting up the Basic Network Settings, Application Example 2 (Route Mode) above, you need to add the following NAT rules:
- Source NAT from LAN to WAN: The translated source IP is 211.192.98.220; the port range is 1025-65535.
- Destination NAT from WAN to DMZ: The translated destination IP is 10.1.1.2. The destination port number after translation is 80.
The configuration procedure is as follows:
Step 1 Login to SifoWorks using a read-write administrator account.
Step 2 From the left menu bar select Firewall > NAT Rule. The interface refreshes to display the source NAT rule list (SNAT tab) by default.
Step 3 Add a source NAT rule:
1
150. he Email Filter tab to display the email content filter rule list. Click Add Mail Filtering from the bottom of the list. In the Add Email Filtering Rule interface displayed, configure: Name: forbid_popular. Prohibited Sender: myMail. Description: forbid mail from sina, sohu, 163. [Figure: Add Email Filtering Rule dialog; Save / Cancel]
5 Click Save to save the rule and return to the email filtering rule list.
Step 4 Add a new filter rule that applies the forbid_popular content filtering rule as shown in the figure below. For information on configuring filter rules please refer to 4.2 Managing Filter Rules. [Figure: filter rule dialog: Action Accept (not Drop); Advanced options Log and TCP Window Tracking unchecked; Content Filtering forbid_popular (smtp); QoS Incoming Level 0, Outgoing Level 0; Limit Max Concurrent Connections unchecked; Netmask 255.255.255.255; Next > / Cancel]
Wildcards
SifoWorks supports the use of specific characters as wildcards when specifying content filtering objects. Wildcards include:
* Indicates a string of characters, including the space character, of arbitrary length. Examples: abc* matches any character string beginning with abc; *abc matches any character string ending
151. he company's network topology is shown below. [Figure: network topology showing the Internet, a Router (210.192.98.220), SifoWorks, a Layer 3 Switch, Subnet 1, Subnet 2 and a Server Domain with LAN switches; addresses 10.1.1.1, 10.1.1.2 and 10.1.1.3 and subnets 10.1.1.0/24]
Note: The IP address 10.1.1.3 in the figure is used to configure SifoWorks via a data port. You need not add this IP address if you are configuring the system via the monitor port only.
SifoWorks is connected to the switch via FE0. SifoWorks is connected to the router via FE1. The configuration plan is as follows:
Parameter: Configuration Value
Virtual Port 1: FE0
Virtual Port 2: FE1
Virtual Port 3: All other ports
VLAN1: FE0, FE1
IP Address of VLAN1: 10.1.1.3 / 255.255.255.0
Route: Note: This example does not require the addition of routes.
The configuration procedure is as follows:
Step 1 Login to SifoWorks via a read-write administrator account.
Step 2 Configuring Virtual Ports:
1 From the left menu bar select Network > Virtual Port Config.
2 In this interface click the Virtual Port Config button to display the Virtual Port Edit interface.
3 Using the arrow buttons, move port FE0 to Virtual Port1 and port FE1 to Virtual Port2. Move all other ports to Virtual Port3. Virtua
152. he network.
Master: Activate HA. Activate HA on the master device.
Slave: Activate HA. Activate HA on the slave device.
Note: The Set up Admin IP operation is a part of the Configure Basic Network Settings operation. This flowchart separates the two for greater clarity.
APPLICATION EXAMPLE
The network topology in this example is shown below. [Figure: master and slave SifoWorks devices; LAN VPort1 192.168.1.1; WAN VPort2 211.192.98.220; Admin IPs 172.16.0.10 and 172.16.0.20; heartbeat monitoring cable between the devices; Internet; LAN switches]
In this network:
- The administrative IP of the master SifoWorks device (SifoWorksA) is 172.168.0.10.
- The administrative IP of the slave SifoWorks device (SifoWorksB) is 172.168.0.20.
- A standard network cable connecting the monitor ports of both devices acts as the heartbeat monitoring cable.
- The IP address of the LAN domain connected to each device's FE0 port is 192.168.1.1.
- The IP address of the WAN domain connected to each device's FE1 port is 211.192.98.220.
The configuration procedure is as follows:
Step 1 Disconnect all network cables from the master and slave devices. You may skip this step if your devices are not yet connected to your network.
153. his refers to all hosts with IP addresses belonging to the specified subnet. SifoWorks controls the bandwidth available for all hosts in this subnet using one of two modes:
Single: In this mode the upload and download limit is applicable to each host in the subnet individually.
Share: In this mode the upload and download limit is the total bandwidth allocated to all hosts in the subnet.
Note that the range for both the upload and download limit is 100 kbit/s to 100,000,000 kbit/s. You can set either limit as 0 to represent unlimited bandwidth.
SifoWorks is able to limit the traffic flow for up to 400 hosts, defined as either individual hosts (Type: Host) or hosts within IP ranges (Type: Range). The system is also able to limit traffic for up to 8 subnets, each containing up to 512 hosts. The total number of hosts supported by this function, inclusive of all hosts in subnets, IP ranges and individual hosts, is 640.
Note: The SifoWorks IP rate limit function also supports SNAT. That is, the IP addresses defined for IP rate limit can be the source address of a host requiring SNAT. DNAT is currently not supported by this function. That is, IP rate limit cannot include the destination addresses of hosts requiring DNAT.
The SifoWorks IP rate limit can operate in conjunction with the IRP (Intelligent Recognized Protocols) and QoS functions, providing comprehensive layer 3 intelligent flow control:
- Enable IRP and QoS fu
154. hold
Alarm threshold: Alarm threshold percentage (example: 80). This value is used by the system to determine when attacks occur. The system detects normal traffic (no attack) if the packet rate is less than this value. How to configure: enter the value in the textbox.
Syn Proxy tab
Field Name: Syn Proxy Mode.
Explanation: If SYN proxy is enabled, SYN packets sent from the clients will not be forwarded. Instead, the firewall will act as the server and send a SYN/ACK packet to the client. If the client replies with an ACK packet, SifoWorks detects this connection to be valid and forwards an ACK packet to the server to complete the three-way handshake. SYN Proxy modes include: Never Proxy; Proxy the first SYN packet; Always Proxy; Proxy only when detect SYN flood.
How to Configure: Click the radio button to select the corresponding option.
Range:
- Never Proxy: Do not enable SYN proxy.
- Proxy the first SYN packet: Enable SYN proxy only if there are no established connections in the connection list from the source address of the SYN packet. SYN Proxy will also be enabled if a connection exists but the SYN Flood threshold is exceeded.
- Always Proxy: Enable SYN Proxy for all TC
155. 10 System Maintenance 203
10.1 ... 204
10.2 Monitoring Sessions and Online Users 204
10.3 Viewing Reports 206
10.4 Performing Network Diagnostics 212
10.5 Restoring System Settings 214
11 Device Deployment Example 217
11.1 Network Topology and Company Requirements 218
11.2 Configuration Flowchart 222
11.3 Phase 1 Configuring the Basic Network Settings 223
11.4 Phase 2 Configuring NAT 227
11.5 Phase 3 Defining Filter Rules 229
11.6 Phase 4 Configuring VPN 243
11.7 Phase 5 Setting Up IDS 249
Chapter 1 Product Overview
This chapter includes the following sections:
- What is SifoWorks: Briefly introduces the SifoWorks firewall device and lists the various device models in the product series.
- What does SifoWorks Look Like: Displays the physical SifoWorks device box. This section also introduces the various device ports and the LE
156. [Figure: rule dialog fields: ...ibit Multithreading Download (checkbox); Description: forbid accesses to sina, sohu, 163, china, chinaren, google; Save / Cancel]
4 Click Save to save the new rule and return to the web filtering rule list.
Step 4 Add a new filter rule that applies the forbid_popular content filtering rule as shown in the figure below. For information on configuring filter rules please refer to 4.2 Managing Filter Rules. [Figure: filter rule dialog: Action To Take: Accept (not Drop); Advanced options Log and TCP Window Tracking unchecked; Content Filtering forbid_popular (web); QoS Incoming Level 0, Outgoing Level 0; Limit Max Concurrent Connections unchecked; Netmask 255.255.255.255; Next > / Cancel]
APPLICATION EXAMPLE 2: MAIL CONTENT FILTERING
Based on the enterprise's requirements, a system administrator needs to configure SifoWorks to restrict all mails sent from the mail domains sina.com, sohu.com and 163.com. The configuration procedure is as follows:
Step 1 Login to SifoWorks via a read-write administrator account.
Step 2 Add a new email content filtering object:
1 From the left menu bar select Object > Content Filtering Obj.
2 Click the Email tab to view the email content filtering object list.
3 Click Add Email Obj from the bottom of the list.
4 In the Ad
157. ifoWorks supports all 3 SNMP versions.
SNMP Agent: This refers to the network element being managed, such as SifoWorks.
Community: Community is a local SNMP proxy concept used to define the relationship between the SNMP manager (the network management system) and the SNMP agent. SNMP v1 and v2c incorporate this Community concept, with the community name being equivalent to a password used to restrict accesses to the SNMP agent by the SNMP manager. Multiple communities can be defined for each SNMP agent. The name of each community must be unique. Each SNMP community defines the authentication and access control for communications between an SNMP agent and multiple SNMP managers.
SNMP Trap: Configure SNMP Trap to enable the system to notify the specified server when errors occur in its operation status. An SNMP Trap packet generally indicates an error or a warning status, such as performance issues or interface abnormalities. SifoWorks supports SNMP traps based on SNMP v1 and v2c. By configuring SNMP Trap, the specified server will be able to obtain prompt notice when any abnormalities occur in the SifoWorks device's operating status.
Registration Server: This refers to the server on which the network management system is installed. Configuring the registration server allows the network management system, such as O2Security's SifoView
158. igurations [Figure: filter rule dialog: Action To Take; Match VPort: Virtual Port To VPort3; VLAN From / To Virtual Port; Address From: Custom / Predefine / Authentication, IP Address 10.1.1.3, Netmask 255.255.255.0; Address To: Custom / Predefine / Authentication, Netmask 255.255.255.255; SMTP; Intelligent Recognized Protocols; schedule; source MAC; LAN, DMZ; < Back / Save / Cancel]
5 Click Save to save this filter rule and return to the filter rule list.
APPLICATION EXAMPLE 2: AAA AUTHENTICATION
The network topology used in this example is shown below. [Figure: Internet; WAN 211.192.98.220 on VPort2; SifoWorks; Subnet 2 and Server Domain with LAN switches; 192.168.1.0/24; 10.1.1.0/24]
A system administrator wants to set up SifoWorks such that all users in the subnet 192.168.1.0/255.255.255.0 must be authenticated before they can access external networks via HTTP. The users in this subnet and their authentication information are tabulated in a table similar to the one below:
User Name: Password
User01: 123456
User02: 123456
The configuration procedure is as follows:
Step 1 Login to SifoWorks via a read-write administrator account.
159. iguring log filter criteria and format, you can customize the logs that are stored using each storage method (local storage, remote server, emails, FTP server) independently. You can also specify the format of logs stored via each of these methods.
CONFIGURATION PROCEDURE
Step 1 Login to SifoWorks using a read-write administrator account.
Step 2 From the left menu bar select Log > Log Filter.
Step 3 (Optional) Define customized log filter criteria: Click the Log Filter tab. Click the icon corresponding to the type of logs you want to customize filtering criteria for. For example, to configure filter criteria for logs stored to the remote server1, click the icon corresponding to server1 in this interface. Select the log type from the Log Category field. Then select the log Level(s) to include. Also select the SifoWorks function Module(s) to store logs for. Click Save to save the configuration and return to the Log Filter tab interface.
Step 4 (Optional) Customize the log format:
1 From the Log > Log Filter interface, click to display the Customize Log Format tab. Here select the function module from the Module field. Next select the information to include in logs generated from the selected module. Click Save to save the configuration.
8.6 Setting up Email Alerts
Settin
160. ilure of the O2Security products could lead to death, bodily injury, or property or environmental damage ("High Risk Activities"). O2Security hereby disclaims all warranties, and O2Security will have no liability to Customer or any third party relating to the use of O2Security products in connection with any High Risk Activities. Any support, assistance, recommendation or information (collectively, "Support") that O2Security may provide to you, including without limitation regarding the design, development or debugging of your circuit board or other application, is provided "AS IS". O2Security does not make, and hereby disclaims, any warranties regarding any such Support, including without limitation any warranties of merchantability or fitness for a particular purpose, and any warranty that such Support will be accurate or error free or that your circuit board or other application will be operational or functional. O2Security will have no liability to you under any legal theory in connection with your use of or reliance on such Support.
Information in this document is subject to change without notice.
2008 O2Security Ltd. All rights reserved. O2Security is a subsidiary of O2Micro International Ltd. (NASDAQ: OIIM; SEHK: 0457). O2Security is a trademark and SifoWorks is a registered trademark of O2Micro International Ltd.
Table of Contents
1 Product Overview ...
161. ion. Click Next > to move to the interface for the Other Attacks tab. Set up IDS defense against other types of attacks: in this interface, check the checkboxes corresponding to the Land Attack and ARP Spoof options.
Step 6 Click Save to save the IDS configurations.
11.7.2 Testing the Configuration
After SifoWorks has been operating for a period of time in your network, login to the system's web UI. Select Log > Security Log from the left menu bar to view IDS-related logs. You can also simulate an IDS attack on the device to check if the IDS function is operating normally.
162. is interface.
Route Setting: To add static and policy routes.
DHCP Setting: To set up SifoWorks as a DHCP server, or to specify DHCP relay servers to provide DHCP services.
PPPoE Setting: To configure SifoWorks such that it is able to establish a connection to external networks via PPPoE. Note that you must enable PPPoE mode from the Advance > PPPoE Mode interface.
IP MAC Binding: To manage IP-to-MAC binding pairs. This enhances security by preventing the misuse of IP addresses by illegal hosts.
ARP Setting: To manage the system's ARP table, including the static ARP and dynamic ARP tables. This reduces security risks caused by ARP spoofing or IP spoofing. From this interface you can manually add static ARP records, or select records from the dynamic ARP table and add them to the static ARP table.
DNS Setting: To specify the IP addresses of the DNS servers. This equips SifoWorks with domain name resolution capability.
DDNS Setting: To establish a connection with DDNS (Dynamic Domain Name System) servers to provide the DDNS service. This allows users to establish dynamic VPN connections via PPPoE.
Menu: Firewall (Filter Rule, Local Rule, NAT Rule, Content Filtering). To manage a list of filter rules customized according to your network requirements. These rules filter data transmitted through the firewall's data ports.
163. isconnect all network cables from the device's data ports.
- Login to SifoWorks via the admin account.
- From the left menu bar select System > Patch Setting.
- Click Browse to select the update patch file.
- Enter the Password for the selected file.
- Click Save to begin the update. Please wait until the update completes.
- Re-connect all data ports that were disconnected during Step 1.
9.6 Connect to a Network Management System
SifoWorks uses the standard SNMP (Simple Network Management Protocol) to design its SNMP interface module, allowing the system to be connected to a central network management system such as O2Security's SifoView system or other third-party network management systems. To enable management of SifoWorks via a network management system, you must enable the SNMP proxy and configure it accordingly. You can also select to configure SNMP Trap and the registration server if necessary.
SNMP Protocol: The simple network management protocol is designed specifically for the management of network elements such as servers, workstations, routers, switches, etc. within an IP network. SNMP is an application layer protocol and is encapsulated within UDP. There are three SNMP versions: v1, v2c and v3. Version v2c's access capability is enhanced from v1, while version v3 includes an additional encryption/authentication mechanism. S
164. ith larger priority weight will be assigned a larger number of requests.
1.3.10 Comprehensive Flow Control
The SifoWorks IP rate limit can operate in conjunction with the IRP (Intelligent Recognized Protocols) and QoS functions, providing a well-rounded flow control comprising 3 layers:
- Enable the IRP and QoS functions in filter rules to achieve overall flow control based on protocols.
- In the IP rate limit function, define a Subnet type limit. This achieves a 2nd level of flow control for entire subnets.
- In the IP rate limit function, define Host type limits to achieve flow control over individual hosts.
1.3.11 High Availability (HA)
SifoWorks includes a HA function to ensure network reliability, supporting the HA AS (Active-Standby) mode. In AS mode, configuration information such as rules, objects, routes and sessions will be synchronized on both the master and slave device. When the master device fails, all network services will be automatically redirected to the slave device.
1.4 System Specifications
1.4.1 Device Performance and Capacity
The following table lists the various performance and capacity indexes of the SifoWorks device.
Index: Value
Firewall Performance: D100 200Mbps; D200 450Mbps; D300 600Mbps
VPN Performance: D100 150Mbps; D200/D300 200Mbps
Number of Concurrent 1 200 0
165. l Port Edit [Figure: Virtual Port Edit dialog: Available Ports / Selected Ports; Virtual Port1 FE0; Virtual Port2 FE1; Virtual Port3; Virtual Port Setting]
4 Click Save to save the configuration.
Step 3 Configuring VLANs:
1 From the left menu bar select Network > VLAN Setting to view the VLAN list.
2 Click the icon corresponding to VLAN1 in the list.
3 The VLAN Configure interface will be displayed. Configure as follows: Virtual Ports: FE0, FE1. MTU: 1500. Status: On. [Figure: VLAN Configure dialog: Virtual Port1 FE0 and Virtual Port2 FE1 selected, the other ports unselected; MTU 1500; Up / Down]
4 Click Save to save the configurations.
Step 4 Setting up IP Addresses:
1 From the left menu bar select Network > IP Config.
2 From the list of VLANs displayed, click the icon corresponding to VLAN1.
3 The Show IP Configure interface will be displayed. Select the Static IP Address option and click Add New IP.
4 Enter the IP 10.1.1.3 and Netmask 255.255.255.0.
5 Click Save to save the new IP address and return to the Show IP Configure interface.
6 Click Return to return to the VLAN IP list.
APPLICATION EXAMPLE 2: ROUTE MODE
In this example a company
166. l data (sections 4.2, 4.3, 4.4)
Intrusion Detection and Prevention (IDP)
- Configuring and Enabling IDP: When IDP is to be activated on SifoWorks.
- Upgrade IDP rules (5.3): When the SifoWorks system's IDP is based on the Snort system and you need to update the Snort version.
VPN Configuration
- Configuring IPsec VPN Connections: When you want to configure a site-to-site VPN connection or set up an IPsec VPN connection for remote accesses.
- Configuring PPTP VPN Connections: When you want to add PPTP VPN connections.
- Configuring L2TP VPN Connections: When you want to configure L2TP VPN connections.
Advanced Functions
- Setting Up QoS Services: When you want to enable QoS, specifying maximum and guaranteed bandwidth to ensure quality of service for all data traffic transmitted through the firewall.
- Limiting IP Traffic: To enable the IP limit function such that the system restricts the upload and download speeds for specific IP addresses or subnets.
- Activating High Availability: When two SifoWorks devices are to be set up in HA to ensure system reliability.
- Configuring IDS Services: To activate the SifoWorks IDS function or set up to use a 3rd-party IDS device.
- Upgrade Intelligent Recognized Protocols: Update the intelligent recognized protocols function.
167. l unused routes from the list. Click Add New Static Route from the bottom of the list. In the Add New Static Route interface that appears, configure the following: Destination IP: 0.0.0.0. Destination Mask: 0.0.0.0. Gateway: 211.192.98.217. Dev: WAN. [Figure: Add New Static Route dialog: Gateway 211.192.98.217; Weight; Dev wan; Add new gateway; Save / Cancel]
5 Click Save to save the route and return to the route list.
APPLICATION EXAMPLE 3: HYBRID MODE
In this example the company's network is separated into two domains:
- LAN: Internal workstation PCs are located in this domain. The subnet address is 192.168.1.0/255.255.255.0.
- WAN: This includes the Internet and a domain where various servers, such as Web and Mail servers, are located. The subnet address is 211.192.98.0/255.255.255.0.
For the security of the network and to manage network performance, the company deploys SifoWorks as the external gateway and connects the LAN and server domain to the device. The company's network topology is shown below. [Figure: Internet; WAN; SifoWorks 211.192.98.220 with VPort2 and VPort3; Subnet 1, Subnet 2 and Server Domain with LAN switches; 211.192.98.0/24; 192.168.1.0/24]
SifoWorks FE0 is connected to the LAN network, FE1 to the Internet and FE2 to th
168. lay, etc. Multiple tunnels can be established between any two end points of an L2TP VPN connection.
Note: SifoWorks should already have been connected to your network before configuring VPN. You can refer to 3.2 Setting up the Basic Network Settings for details on setting up the SifoWorks network configuration.
6.2 Configuring IPsec VPN Connections
IPsec VPN is used to achieve two types of connection, depending on the deployment of SifoWorks:
- Remote access: SifoWorks is deployed only at one end of the VPN connection, such as the company's HQ network. This type of VPN connection allows mobile employees to access the company's main network remotely.
- Site-to-site access: Two SifoWorks devices are deployed, one at each end of the VPN tunnel, such as the company HQ and a company branch office. Site-to-site VPN connections can be used to securely connect branch office networks to the main network.
Note: If your network needs to support dynamic VPN connections based on DDNS, please ensure that you have configured the DDNS and PPPoE settings on SifoWorks. Please refer to 3.7 Configuring DDNS and 3.5 Configuring PPPoE Connections for details on DDNS and PPPoE configurations respectively.
To ensure the reliability of VPN connections, SifoWorks also supports a VPN backup connection function. The backup connection will be automatically activated if the main connection is dropped. The figure below shows an examp
169. le of a network that applies this function.
Note: When the main connection is reconnected, the system will switch back to the main connection from the backup connection. This function is also supported for connections using the PPPoE access method.
[Figure: HQ SifoWorks A (192.168.1.0/24) and Branch SifoWorks B (192.168.2.0/24) connected across the Internet by a Main Connection and a Backup Connection]
Note that you must add two IKE objects to enable the VPN backup connection function on SifoWorks. Enable this function from the Add New VPN Connection interface as shown below. [Figure: Add New VPN Connection dialog: Connection Name; L2TP; Local Subnet; Remote Subnet; Using tunnel / Using Manual / Using IKE (IKE1); Start / Stop; Route; Backup Connection Using IKE]
CONFIGURATION FLOWCHART
The flowchart below shows the steps to implement IPsec VPN using SifoWorks. [Flowchart: Configuring Basic Network Settings; Enable VPN; Select Outgoing Interface; Use Certificates? (Yes: Adding Certificates; No: skip); Adding IKE; Adding Address Objects; Adding VPN Connections]
170. lect the IP MAC Binding Table tab to view the current list of IP MAC bindings. From this list click Add New IP MAC Item. In the configuration interface displayed, enter 192.168.1.10 in the IP field and 00:14:22:B0:7A:9B in the MAC field. Click Add new IP MAC Binding to add a new IP MAC pair. Repeat step 3 and enter the IP MAC pair for IP 192.168.1.11. Repeat steps 4-5 to add all IP MAC binding pairs according to your IP MAC information table created in step 1 above.
7 Click OK to save the configuration.
Step 6 Enable the Update Neighbor's Cache function:
1 Return to the Network > IP MAC Binding interface and select the Update Neighbor's Cache tab.
2 Select to Enable the update neighbor's cache function at an Interval of 10000 milliseconds. [Figure: IP MAC Binding Setting, Update Neighbour's Cache tab: Enable Update Neighbours Cache; Interval 10000 Milliseconds (1-30000 ms); if the Interval is too small (1000), updating the neighbours' cache can make the system busy; Save]
3 Click Save to save the configuration.
3.9 Managing the ARP Tables
This operation helps you to manage your static and dynamic ARP tables, reducing security risks due to ARP spoofing or IP spoofing. The concepts relating to this function include the following:
171. all previously saved data that were used to generate reports.
• Enable monitoring of the system using reports and select the types of reports to generate: select the Enable Reporter radio button to enable the Reporter module. To enable all types of reports, select the ALL radio button. Otherwise, select the Options radio button and check the checkboxes corresponding to the types of reports to generate. Click Save to save the settings.

10.3.2 System Status Reports

These reports detail the utilization of various system resources, including CPU, Memory and RAM utilization status. Two reports are generated for each system resource: a report generated using statistics from the past 1 hour, and a history report generated using statistics from any previous interval of up to 7 days.

CONFIGURATION PROCEDURE

The procedure below explains how to view the system status reports. It also describes the various options available when viewing these reports.

Step 1 Login to SifoWorks via a read-write or read-only administrator account.
Step 2 From the left menu bar, select Reporter > System Status.
Step 3 By default, the system displays the CPU Status report. You can click the MEM Status or Ramdisk tabs to view the reports for memory or RAM utilization respectively.
Step 4 Select whether to view current reports (statistics from the past
172. mail or keyword objects.
Adding Content Filtering Rules: Add the content filtering rules using the content filtering objects.
Applying Content Filtering Rules: Apply the content filtering rule within an Accept Action filter rule. For detailed information on managing filter rules, please refer to 4.2 Managing Filter Rules.

APPLICATION EXAMPLE 1: WEB CONTENT FILTERING

According to the company's policies, the system administrator wants to set up SifoWorks to restrict accesses to the following URLs by hosts in specific subnets: www.sina.com, www.sohu.com, www.163.com, www.china.com, www.chinaren.com, www.google.cn.

The configuration procedure is as follows:

Step 1 Login to SifoWorks via a read-write administrator account.
Step 2 Add a URL content filtering object.
1 From the left menu bar, select Object > Content Filtering Obj.
2 Using a text editor such as Notepad, create a text file containing a list of all the above URLs. Save the file as myURL.txt, as shown in the figure below.

[Figure: myURL.txt open in Notepad, listing www.sina.com, www.sohu.com, www.163.com, www.china.com, www.chinaren.com and www.google.cn, one per line]

3 Back in the SifoWorks URL content filtering object list interface, click Add URL Obj. The Add URL interface will be displayed. Configure as follows: Name: myURL
173. connection from which an attack was detected. The administrators must manually resolve the issue in the network.

SifoWorks supports third-party IDS devices from the Venus and NSFOCUS manufacturers. These devices can be linked to SifoWorks to provide IDS.

APPLICATION EXAMPLE

Your company wants to activate the SifoWorks IDS service to defend against attacks on the internal network. The requirements are as follows:
• Automatically drop connections that are detected to be transmitting attack packets
• Enable packet rate limit
• Use system default values for the various protocol connection packet establishment rates
• Disable SYN Proxy
• Enable defense against Land-based attack and ARP spoof

The configuration procedure is as follows:

Step 1 Login to SifoWorks using a read-write administrator account.
Step 2 Configure IDS working mode
1 From the left menu bar, select Advance > IDS Setting. The interface for the Anti Dos Working Mode tab will be displayed.
2 Here, select Defense Mode as your device's IDS Anti Flood Mode and check the Enable Packet Rate Limit checkbox.

[Figure: Anti Dos Working Mode tab (with Source, Destination, Syn Proxy and Other Attacks tabs): Anti Flood Mode options Stop / Defense Mode / Monitor Mode; Enable Packet Rate Limit; Enable Log; Reset Anti Flood; Next >]
174. functions in filter rules to achieve overall flow control based on protocols.
• In the IP rate limit function, define a Subnet type limit. This achieves a second level of flow control, for entire subnets.
• In the IP rate limit function, define Host type limits to achieve flow control over individual hosts.

APPLICATION EXAMPLE

A system administrator needs to set up SifoWorks to achieve the following flow control:

Type: Subnet 192.168.1.0/255.255.255.0. Limit: Share mode; bandwidth limit for the entire subnet is: Upload limit 20Mbit/s, Download limit 40Mbit/s.
Type: IP Range 192.168.2.1 to 192.168.2.20. Limit: For each host in this range: Upload limit 1Mbit/s, Download limit 1Mbit/s.
Type: Host 192.168.2.21. Limit: For this host: Upload limit 2Mbit/s, Download limit 2Mbit/s.

The configuration procedure is as follows:

Step 1 Login to SifoWorks using a read-write administrator account.
Step 2 From the left menu bar, select Advance > IP Rate Limit.
Step 3 Add an IP limit for the subnet
1 Click Add from the bottom of the list displayed.
2 The Add IP Rate Limit interface will be displayed. Here configure: IP Address Type: Subnet; Address: 192.168.1.0; Mask: 255.255.255.0; Upload Limit: 20000; Down Limit: 40000; Mode: Share; Status: On.
175. [Figure: filter rule settings: Predefine ALL; Authentication: User01; Intelligent Recognized Protocols: none; Schedule; Source MAC; < Back / Save / Cancel]

5 Click Save to save the filter rule.

Step 6 Add an address object
From the left menu bar, select Object > Address. In the Address tab, click Add New Address. The Add New Address interface will appear. Configure as follows: Address Name: ExampleAddress; IP: 192.168.1.0; NetMask: 255.255.255.0. Click Save to save the address object and return to the object list.

Step 7 Add authentication users
1 From the left menu bar, select System > Auth User.
2 From the bottom of the list displayed, click Add New Auth User.
3 In the next Add New AuthUser interface, configure as follows: User Name: User01; AuthServer: LOCAL; User Attribute: Filterrule; Status: Enable; Password: 123456; Confirm Password: 123456.
4 Click Save to save the new authentication user and return to the user list.
5 Repeat 2 to 4 to add the other authentication users.

Step 8 Add authentication user group
Select System > Auth Group from the left menu. Click Add New Auth User Group to view the Add New Authuser Group interface. Enter the Auth Group Name: ExampleGroup. Check the Filterrule Attribute. Select all authentication users added
176. next step. If you are unable to access the server, the LAN to DMZ filter rule may be incorrect. Please check the rule and make any modifications required.

Step 4 Check LAN to WAN accesses
1 Using a host in the LAN domain (192.168.1.0/255.255.255.0), access the login interface http://192.168.1.1. The authentication interface for authentication users uses the same IP address as the SifoWorks management UI; however, the HTTP protocol is used instead. For example, if the SifoWorks management UI address is https://192.168.1.1, the address of the authentication interface will be http://192.168.1.1.

Note: For hosts in subnets that require authentication before HTTP access is allowed, entering any Internet address into the web browser will automatically direct the user to the system's authentication interface. Upon successful authentication, the user will then be automatically directed to the entered web address.

2 In the authentication interface, enter the UserName User01 and Password 123456.

[Figure: User Authentication page showing "Welcome ExampleGroup"]

3 Click Auth. SifoWorks will attempt to authenticate the user. A success message will be displayed if the authentication is successful.
4 Attempt to access the URLs that are prohibited, as set up in the web content filtering rule, to check if the filter
177. Selection language. How to Configure: Select from the drop-down menu. Range: Simplified Chinese, English, Traditional Chinese.

Date Setting tab (Field Name / Explanation / Configuration):
Current Date and Time: Configure the system's date and time. How to Configure: Enter the value in the textbox. Example: 2008-07-20 13:41:55.

Web Server Cert tab (Field Name / Explanation / Configuration):
New Cert File: Full path of the certificate file to be imported. How to Configure: Enter the value in the textbox, or click Browse and select the file.
Key File: Full path of the key file corresponding to the certificate to be imported. How to Configure: Enter the value in the textbox, or click Browse and select the file.
Passphrase / Retype Passphrase: Password used when generating the certificate file to be imported. How to Configure: Enter the value in the textbox.

9.4 Import/Export Configuration File

This function allows you to save the current system configurations into a backup file, or restore the system configurations from a previously saved file. Note that only the root user admin is able to import a previously saved configuration file to restore the system configurations. All normal read-write users will be able to export system configurations to a file.

CONFIGURATION PROCEDURE

Step 1 Login to SifoWorks usi
178. ng the admin account.
Step 2 From the left menu column, select System > Config File.
Step 3 From this interface you can:
• To save the current system configurations to a file, select the Save System Configuration to File tab and click Save To File. Select the local directory path and file name to save the current system configurations to.
• To upload a previously saved configuration file to the current system, select the Upload Configuration To System tab. Click Browse and select the file to upload. Click OK to begin uploading the file.

MAINTENANCE RECOMMENDATIONS

You are recommended to back up system configurations periodically, or before modifying any important configurations, to facilitate the maintenance and handling of system errors.

9.5 Upgrade System Software

This function allows you to upgrade your system's software version. Note that you must first have obtained the upgrade file and the corresponding file password before performing this operation. Only the root user admin can perform this operation.

CONFIGURATION PROCEDURE

Warning: Please do not perform any other operations on SifoWorks, disconnect the device's power source, or shut down the device during the update process, to prevent unpredictable system failures. D
179. Online User: To view all currently online users who have been successfully authenticated. The information displayed includes user name, source IP, online time and authentication server. You can also manually disconnect users from this list.
DHCP Lease: To view all IP addresses assigned to client ends by DHCP servers, the corresponding MAC addresses, the starting and ending time of the lease, etc. DHCP servers refer to the DHCP servers specified on the SifoWorks network configuration interface.

Menu Object
Address: Add, edit or delete an IP address or IP address range object, to facilitate the creation of filter rules or VPN connections.
Address Group: Add, edit or delete a group of IP address or IP address range objects, to be used when defining filter rules or VPN connections.
Service: Add, edit or delete TCP, UDP or ICMP type service objects, to be used when defining filter rules. By default, the system defines several hundred commonly used services. You can add new services customized to your network requirements.
Service Group: Manage service group objects to be used when defining filter rules.
MapList: To add a table object made up of a series of address mappings. This facilitates the formulation of source NAT rules. Each map table can contain multiple address mappings; hence, using map tables helps to reduce the number of NAT rules. This optimizes the
180. connection interface, configure as follows: Connection Name: BranchConnect; Local Subnet: Local; Remote Subnet: Remote; Using Tunnel: Using IKE; IKE: BranchIKE; State: Start.

[Figure: Add New VPN Connection dialog: Connection Name BranchConnect; L2TP; Local Subnet Local; Remote Subnet Remote; Using tunnel: Using Manual / Using IKE (BranchIKE); State: Start / Stop; Route; Backup Connection (Using IKE) unchecked; Save / Cancel]

4 Click Save to add this VPN connection to the list.

APPLICATION EXAMPLE 3: DYNAMIC VPN BASED ON DDNS

The network topology used in this example is shown below.

[Figure: Branch SifoWorks (192.168.2.0/24) connected over ADSL, and HQ SifoWorks (WAN on VPort2, 211.192.98.220, 192.168.1.0/24), joined by a VPN Tunnel across the Internet]

To ensure that communications between the network at the HQ office and that at the branch office are secure, the system administrators of each network need to set up their SifoWorks to establish site-to-site VPN connections with the other network. At the HQ office, the first-hop gateway address between SifoWorks and the Internet is 211.192.98.217. At the branch office, SifoWorks is connected to the Internet using PPPoE fast mode. The network's domain name registered with the DDNS service is www.example.com. VPN connections use pre-shared key authentication with the pre-shared key 12345678. IK
181. account.
Step 7 Configure the firewall's administrative IP as 172.16.0.20
1 Select Network > IP Config from the left menu bar.
2 Click the icon corresponding to the Admin VLAN in the displayed list to set up the administrative IP. Please refer to 3.2 Setting up the Basic Network Settings for detailed information on this configuration.

Step 8 Configure HA settings
1 From the left menu bar, select Advance > HA Setting.
2 At the top right corner of the interface that displays, click Edit to view the Edit HA interface.
3 Here configure as follows: Act As: Secondary; Local IP: 172.16.0.20; Neighbor IP: 172.16.0.10; IP Link Detection Interface: FE0, FE1.

[Figure: Edit HA dialog: Act as Primary / Secondary; Local IP 172.16.0.20; Neighbor IP 172.16.0.10; IP Link Detection Interface with Available Port and Selected Port (FE0, FE1)]

4 Click Save to save the HA configuration on SifoWorksB.

SifoWorksA & SifoWorksB

Step 9 Connect the network cables
1 According to your deployment plan, connect the master and slave devices' data ports to the various network domains.
2 Connect a network cable from the monitor port of the master device to the monitor port of the slave device. This acts as the heartbeat monitoring cable.

SifoWorksA

Step 10 Activate HA on the master device
1 Login to SifoWo
182. ntity
• Control accesses of different users to different resources.

IPsec (Internet Protocol Security) VPN

IPsec VPN is a commonly used method to establish VPN connections. An IPsec VPN includes:
• Transport mode and tunnel mode: Transport mode protects higher-layer protocols, while tunnel mode protects the entire IP data packet.
• Encryption algorithm: SifoWorks supports the DES and 3DES encryption algorithms. DES is a 64-bit encryption algorithm, while 3DES is a 192-bit algorithm. This also means that 3DES's encryption strength is three times that of DES.
• Private key exchange algorithm: SifoWorks includes the DH (Diffie-Hellman) key agreement and RSA (Rivest, Shamir and Adleman) Signatures private key exchange algorithms. These algorithms allow the two peers at each end of a connection to establish a secured shared encryption key via an unsecured communication tunnel.
• Verification algorithm: SifoWorks supports the MD5 (Message Digest 5) and SHA-1 (Secure Hash Algorithm 1) verification algorithms. These algorithms generate data of a fixed length by processing input data of arbitrary length. HMAC-MD5 and HMAC-SHA are HMAC (Hashed Message Authentication Code) strengthened variations of the MD5 and SHA algorithms. HMAC-MD5 generates an output of length 128 bits, while HMAC-SHA generates output of length 160 bits.

IKE (Internet Key E
183. nts of a L2TP VPN connection.

CONFIGURATION FLOWCHART

The flowchart below shows the steps to configure a L2TP VPN.

[Flowchart: Start -> Activating VPN -> Adding VPN Users -> Adding VPN User Group -> Adding IP Pool -> Adding IKE -> Adding VPN Connections -> Configuring L2TP VPN Access -> End]

This table briefly introduces each of the configuration steps (Operation / Description):
Activating VPN: N/A.
Adding VPN Users: To add L2TP VPN connection users.
Adding VPN User Groups: To manage L2TP VPN connection users using group objects, for configuration convenience.
Adding IP Pool: To define a pool of IP addresses for L2TP VPN connections. This prevents accesses to the network via L2TP VPN from illegal users.
Adding IKE: To add the IKE used to establish L2TP VPN connections. Please refer to 6.2 Configuring IPsec VPN Connections for details on IKE configuration.
Adding VPN Connection: To add a VPN connection that uses L2TP. Please refer to 6.2 Configuring IPsec VPN Connections for information on how to add VPN connections.
Configuring L2TP VPN Access: N/A.

CONFIGURATION PROCEDURE

Step 1 Activate VPN
1 From the left menu bar, select VPN > IPSec Setting.
2 In the IPSec Switch tab, toggle the VPN module On.
3 Click Save to s
184. SifoWorks.
Add SNAT (Source Network Address Translation) and DNAT (Destination Network Address Translation) rules according to your network requirements. If you require a large number of SNAT rules, you can apply MapList objects to the rules instead, reducing the number of SNAT rules to be added. You can also achieve load balancing among multiple servers by applying server load balancing objects in DNAT rules.
Set up the filter rules used to control traffic in the network. Common types of filter rules include:
• IRP (Intelligent Recognized Protocol)
• AAA Authentication: Control accesses by users to be authenticated by local or remote RADIUS, LDAP or AD authentication servers
• Content Filtering
• QoS
In each filter rule you can:
• Specify the incoming and outgoing interfaces a rule applies to, by selecting Virtual Port and VLAN
• Specify the data packets to apply a rule to, using attributes such as IP address, authentication user, service or source MAC address, etc.
• Select whether to Accept or Drop data packets matching the rule
Refer to: 3.2 Setting up the Basic Network Settings; 3.3 Configuring Network Address Translation; 4.2 Managing Filter Rules; 4.4 Managing Content Filtering Rules; 7.2 Setting Up QoS Services.

Operation: Configuring VPN Settings; Setting up IDS. Description:
• Optional: Enable the Intelligent Re
185. SifoWorks. Users can also be authenticated via remote RADIUS, LDAP or AD servers.

CONFIGURATION PROCEDURE

The procedure to view and manage the lists of currently established sessions, online users and DHCP leases via the SifoWorks interface is described in the steps below.

Step 1 Login to SifoWorks via an administrator account.

Note: If you only intend to view the list of online users, simply login to SifoWorks via a read-only administrator account. If you need to manually disconnect users, please login with a read-write account.

Step 2 From the left menu bar, select Monitor > Online Users. The list of authenticated users currently online will be displayed.
Step 3 From this list you can:
• View various information for each online user
• Click Refresh to refresh the list of online users
• Click Disconnect from the Operation column to disconnect the corresponding user

10.2.3 DHCP Lease

Refers to the list of IP addresses leased to clients by DHCP servers. This list also displays each host's MAC address, starting and ending lease time, etc.

CONFIGURATION PROCEDURE

The procedure to view and manage the lists of currently established sessions, online users and DHCP leases via the SifoWorks interface is described in the steps below.

Step 1 Login to SifoWorks via a read-write or read-only administrator account.
Step 2 From the left menu bar, select Monitor > DHCP Lease.
Step 3 The list of IP addresses lea
186. VPort2; VLAN From: WAN; Address From: Predefine ALL; Address To: Predefine ALL.
3 Check the Server Load Balance checkbox at the bottom of this interface and select the Web Server object from the drop-down menu.

[Figure: Add New DNAT dialog: Virtual Port From VPort2; Virtual Port To ALL; VLAN From WAN; VLAN To; Address From Predefine ALL; Address To (Custom IP/Netmask or Predefine ALL); Service; Schedule; Action; Translated Address (No Map / Single IP / Range IP / Single Port / Range Port); Sticky; Server Load Balance; Save / Cancel]

4 Click Save to save the DNAT rule.

3.4 Setting up DHCP Service

You must perform this configuration to set up SifoWorks to provide DHCP services, either by setting up SifoWorks as a DHCP server or by using the system as a DHCP relay server.

DHCP Server: A DHCP server dynamically assigns and manages IP addresses and other related parameters, such as DNS, WINS and gateway, for external hosts.
DHCP Relay Server: DHCP relay servers point to a DHCP server located in another subnet, allowing that server to provide DHCP service to hosts on this subnet.

Note that your system's basic network configurations should already be properly set up. Please refer to 3.2 Setting up the Basic Network Settings for information on configuring the SifoWorks basic network settings.

APPLICATION EXAMPLE 1: DHC
187. r and view various real-time and/or history reports detailing the various system statuses.
• Performing Network Diagnostics: Explains the various network diagnostic tools, including Ping and Traceroute, supported by the system to check for network connectivity.
• Restoring System Settings: Describes how to restore the system settings to factory default, retrieve the administrative IP address, or restore the default administrator's password, to help you restore SifoWorks in the event of system failures.

Please refer to this chapter when performing various system maintenance operations.

10.1 Overview

This chapter introduces the various system maintenance tools provided by SifoWorks to help administrators monitor and manage the system to ensure stability. These tools include online session and user monitoring, reports, and system restoration methods.

10.2 Monitoring Sessions and Online Users

This section explains how to monitor or manually terminate currently established sessions and authenticated online users, and how to view DHCP lease information.

10.2.1 Sessions

Refers to the series of operations executed through a connection established between two peers. SifoWorks supports access control based on session status. Administrators can view various information on all sessions currently established and monitored by SifoWorks, including source and
188. SifoWorksA (Master Device)

Login to SifoWorksA via a read-write account.

Configure the firewall's administrative IP as 172.16.0.10
1 Select Network > IP Config from the left menu bar.
2 Click the icon corresponding to the Admin VLAN in the displayed list to set up the administrative IP. Please refer to 3.2 Setting up the Basic Network Settings for detailed information on this configuration.

Configure the basic network settings
Configure SifoWorksA's virtual ports, VLAN, IP address and route settings according to your network requirements. You can refer to 3.2 Setting up the Basic Network Settings for details on this configuration.

Configure HA settings
1 From the left menu bar, select Advance > HA Setting.
2 At the top right corner of the interface that displays, click Edit to view the Edit HA interface.
3 Here configure as follows: Act As: Primary; Local IP: 172.16.0.10; Neighbor IP: 172.16.0.20; IP Link Detection Interface: FE0, FE1.

[Figure: Edit HA dialog: Act as Primary / Secondary; Local IP 172.16.0.10; Neighbor IP 172.16.0.20; IP Link Detection Interface with Available Port and Selected Port]

4 Click Save to save the HA configuration on SifoWorksA.

SifoWorksB (Slave Device)

Step 6 Login to SifoWorksB using a read-write administrator accou
189. radio button. In the From and To date/time textboxes that appear, specify the starting and ending time of the desired time interval to view the history report generated from statistics collected during this period. Note that the maximum time interval you can enter is 7 days.
Step 5 Click Go to refresh the report and display the graph according to your settings.

10.3.4 IP Traffic Statistics Reports

This report lists all IP addresses of hosts whose upload and/or download bandwidth is restricted by the SifoWorks IP rate limit function. You can view each IP address and its current upload, download and total bandwidth utilization in this report. From the Operation column, click the icon to view the IP rate limit rule defined for the corresponding IP address. You can directly edit the IP rate limit rule from this interface.

CONFIGURATION PROCEDURE

Step 1 Login to SifoWorks via a read-write or read-only administrator account.

Note: If you intend to edit the IP rate limit rule for one or more IP addresses, please login using a read-write administrator account. If you are only viewing the report and not modifying any configurations, simply login with a read-only account.

Step 2 From the left menu bar, select Reporter > IP Traffic Statistics.
Step 3 The list of IP addresses whose bandwidth is limited will be displayed.
190. traffic logs.

Menu Reporter
Reporter Setting: To enable or disable the report monitoring function and select the elements to be monitored.
System Status: To view current and history firewall status reports, including CPU status, content status and Ramdisk status information.
Traffic: To view current and history reports on traffic flow for each data port, including each port's outgoing, incoming and total traffic flow.
IP Traffic Statistics: To view statistical reports on traffic for each IP address. These reports allow you to understand the upload speed, download speed and total traffic generated by each IP address. You can click the icon on the report to navigate to the interface where you can change the traffic limit for a particular IP address.
Session Number: To view current and history reports on the number of system sessions. You can also view the distribution of sessions based on the protocols used.
Session Rate: To view current and history reports showing the rate of session establishment per second.

Menu Logout
To logout from SifoWorks.

The table below contains a list of possible tasks an administrator may need to perform when configuring or monitoring the SifoWorks system.

Network Configuration: Setting
191. generated by SifoWorks. It also describes the various options available when viewing these reports.

Step 1 Login to SifoWorks via a read-write or read-only administrator account.
Step 2 From the left menu bar, select Reporter > Traffic.
Step 3 Select whether to view traffic reports for the overall system (all interfaces) or for individual interfaces:
• View traffic reports for individual interfaces: Click the Interface Traffic radio button and select the corresponding Interface from the adjacent drop-down menu. Also select whether to include the charts for inbound, outbound and/or total traffic in the report. Click Go to generate the corresponding report.
• View overall traffic reports: Select the Total Traffic radio button. From the options that appear, select whether to view the chart for bi-directional traffic (Over), incoming traffic (Inbound) or outgoing traffic (Outbound).
Step 4 Select whether to view current reports (statistics from the past 1 hour) or history reports (statistics from any past interval of up to 7 days):
• View the report generated using statistics for the last 1 hour: Click the Current Monitor (Listen Current 1 Hour) radio button to view the chart generated from statistics collected in the past 1 hour.
• View the report generated using statistics from any past interval of up to 7 days: Manually select the time interval to generate the report for by selecting the History Query (Listen Past 7 Days)
192. rity's technical support personnel.

11.7 Phase 5: Setting up IDS

11.7.1 Configuration Procedure

Follow the steps below to set up the SifoWorks inbuilt IDS function according to the network requirements determined in 11.1 Network Topology and Company Requirements.

Step 1 Configure IDS working mode
1 From the left menu bar, select Advance > IDS Setting. The interface for the Anti Dos Working Mode tab will be displayed.
2 Here, select Defense Mode as your device's IDS Anti Flood Mode and check the Enable Packet Rate Limit checkbox.

[Figure: Anti Dos Working Mode tab (with Source, Destination, Syn Proxy and Other Attacks tabs): Anti Flood Mode options Stop / Defense Mode / Monitor Mode; Enable Packet Rate Limit; Enable Log; Reset Anti Flood; Next > / Reset]

3 Click Next > to move to the Source tab.

Step 2 Configure the defense settings based on source addresses
In the Source tab, keep all default settings for each field and click Next > to display the Destination tab.

Step 3 Configure the defense settings based on destination addresses
In the Destination tab, keep all default settings for each field and click Next > to display the Syn Proxy tab.

Step 4 Configure SYN Proxy mode
In the Syn Proxy interface, select the Never Proxy opt
193. Setting up the Basic Network Settings: Explains the various network configurations needed to successfully connect SifoWorks to your network, including virtual port, VLAN, IP address and route configurations.
• Configuring Network Address Translation: Describes how to add source and/or destination network address translations.
• Setting up DHCP Service: Introduces the procedure to set up SifoWorks to act as a DHCP server or DHCP relay server to provide DHCP services.
• Configuring PPPoE Connections: Explains in detail how to set up SifoWorks to connect to external networks via PPPoE.
• Specifying DNS Servers: Explains how to specify the IP addresses of DNS servers to equip SifoWorks with domain name resolution capabilities.
• Configuring DDNS: Describes the procedure to connect SifoWorks to DDNS servers to provide DDNS services. This allows users to establish dynamic VPN connections using the PPPoE access method.
• Managing IP MAC Bindings: Introduces the system's IP MAC binding function, preventing IP addresses from being used by illegal hosts.
• Managing the ARP Tables: Describes how to manage the static and dynamic ARP tables to reduce security risks due to ARP/IP spoofing.

Administrators can refer to this chapter when they need to configure related network settings on the SifoWorks system.
194. SifoWorksA via a read-write administrator account.
2 From the left menu bar, select Advance > HA Setting.
3 Click Start from the bottom of this interface to activate HA. A success message should be displayed.

SifoWorksB

Step 11 Repeat step 10 to activate HA on SifoWorksB. SifoWorksB will automatically synchronize its configurations with the master device and reboot after activating HA. Both devices should be operating normally once the system restarts.

7.5 Configuring IDS Services

You can configure and enable the SifoWorks own IDS function, or set up the system to access a third-party IDS system to provide IDS service. The SifoWorks IDS function defends against the following types of attacks: SYN Flood, TCP Scan, Ping Sweep, Ping Flood, UDP Flood, UDP Scan, ARP Attack, TearDrop, Bonk, Boink, Nestea, Newtear, SYNDrop, Jolt2, Oshare, 1234, Ping of Death, Saihyousen, Smurf Attack, Land-based Attack, WinNuke.

SifoWorks IDS Working Modes

Defense Mode: When an attack is detected, that is, when the packet transmission rate exceeds the threshold value, SifoWorks automatically drops the connection, ensuring the security of the protected network.
Monitor Mode: SifoWorks sends a notification to administrators but does not drop the connectio
195. (VLAN list figure residue: columns Virtual Port1, Virtual Port2, Virtual Port3)
Step 4 Setting up IP Addresses
1. From the left menu bar select Network > IP Config.
2. From the list displayed, click the icon corresponding to LAN. The system will display the Show IP Configure interface.
3. Select Static IP Address and click Add New IP.
4. In the next interface, configure IP 192.168.1.1 and netmask 255.255.255.0.
5. Click Save to save the new IP address and return to the Show IP Configure interface.
6. Click Return to return to the VLAN IP list.
7. Repeat steps 2 to 6 and configure 211.192.98.220 / 255.255.255.0 for the WAN VLAN and 10.1.1.1 / 255.255.255.0 for the DMZ VLAN.
The resulting VLAN IP list is shown below.
Index  VLAN Name  VLAN ID  IP Address      Netmask
0      ADMIN      0        172.16.0.1      255.255.0.0
1      LAN        1        192.168.1.1     255.255.255.0
2      WAN                 211.192.98.220  255.255.255.0
3      DMZ                 10.1.1.1        255.255.255.0
Step 5 Managing Routes
1. From the left menu bar select Network > Route Setting to view the system's route list.
(Route entry figure: Destination IP 0.0.0.0; Destination Mask 0.0.0.0; Gateway; Outgoing Device; Enable Yes / No)
Click Clear Invalid Route to remove all
196. s is within the same subnet as the IP address of the SifoWorks administrative interface. In the address bar, enter the SifoWorks administrative IP address. If this is the initial login to the system via the management port, enter the factory default address https://172.16.0.1 in your web browser. For information on modifying the SifoWorks administrative IP address, refer to 3.2 Setting up the Basic Network Settings.
A login dialog window will appear. Enter your user name and select OTP User. A challenge string will be generated and displayed. Copy the string of characters between "otp-md5" and "ext" into the Challenge textbox below; for example, the challenge value is "498 lo1" in the figure below.
(Login dialog figure: UserName admin; Traditional User / OTP User; Challenge "otp-md5 498 lo1 ext"; Challenge textbox, e.g. "498 lo1"; Secret Password; One Time Password "ALLY CHEN I OIL TANK JUG")
Enter your account password and click Compute with MD5. The system will generate a string of characters in the One Time Password textbox below. Copy the generated one-time password into the Response textbox above and click Login to log in to SifoWorks.
2.2.2 System Logout
From the administrative interface, select Logout from the left menu or click the logout icon in the top right corner of the page.
2.2.3 Add Record
This
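The challenge shown above, "otp-md5 498 lo1 ext", has the format of an RFC 2289 one-time-password challenge (algorithm, sequence number, seed). The following is an added example, written for this page and not code from the SifoWorks UI; it assumes the device really does implement RFC 2289 otp-md5, which the challenge format and the "Compute with MD5" button suggest but the manual does not state. It shows what the browser-side computation produces for a challenge and pass phrase, and how a server verifies a response without storing the pass phrase. The six-word rendering the UI displays (ALLY CHEN I OIL TANK JUG) needs the RFC's 2048-word dictionary and is omitted; the 16-hex-digit form encodes the same 64-bit value.

```python
"""RFC 2289 (otp-md5) response computation and verification.

Added example, not SifoWorks code. It assumes that the device's challenge
"otp-md5 498 lo1 ext" is an RFC 2289 challenge (the format matches), so the
response for sequence N is MD5 of (lower-cased seed + pass phrase), folded to
64 bits, with the fold-and-hash step repeated N more times.
"""
import hashlib
import re

# otp-<alg> <sequence> <seed> [ext]; the seed is 1 to 16 alphanumeric characters
CHALLENGE_RE = re.compile(r"^otp-(md5|sha1)\s+(\d+)\s+([A-Za-z0-9]{1,16})(?:\s+ext)?$")


def parse_challenge(challenge: str) -> tuple:
    """Split 'otp-md5 498 lo1 ext' into (algorithm, sequence, seed)."""
    m = CHALLENGE_RE.match(challenge.strip())
    if not m:
        raise ValueError(f"not an RFC 2289 challenge: {challenge!r}")
    alg, seq, seed = m.group(1), int(m.group(2)), m.group(3)
    if alg != "md5":
        raise ValueError("this example implements otp-md5 only")
    # RFC 2289: the seed is case-insensitive and is hashed in lower case
    return alg, seq, seed.lower()


def fold_md5(data: bytes) -> bytes:
    """MD5, then fold 128 bits to 64 by XORing the two halves (RFC 2289 section 6)."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))


def otp_md5(passphrase: str, seed: str, sequence: int) -> str:
    """16-hex-digit one-time password for the given sequence number.

    For the RFC 2289 test vector (pass phrase 'This is a test.', seed 'TeSt')
    sequence 0 gives 9E876134D90499DD.
    """
    key = fold_md5((seed.lower() + passphrase).encode())
    for _ in range(sequence):
        key = fold_md5(key)
    return key.hex().upper()


def respond(challenge: str, passphrase: str) -> str:
    """What the 'Compute with MD5' step produces for a challenge and pass phrase."""
    _, seq, seed = parse_challenge(challenge)
    return otp_md5(passphrase, seed, seq)


def verify(stored_hex: str, response_hex: str) -> bool:
    """Server-side check: the stored value is the previous response (sequence N+1),
    so one more fold of the submitted response must reproduce it. The server
    never holds the pass phrase; a captured response can be hashed forward to
    the value already stored, but not backward to the next response asked for.
    """
    try:
        candidate = fold_md5(bytes.fromhex(response_hex)).hex().upper()
    except ValueError:
        return False
    return candidate == stored_hex.upper()
```

After a successful login the server replaces the stored value with the response it just accepted and issues sequence N-1 next time, which is why the sequence number in the challenge counts down; when it reaches a small value the OTP secret has to be re-initialised. Because the chain is only as strong as the pass phrase it is seeded from, the pass phrase typed into the Secret Password field should be long and never reused elsewhere.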
197. s supports filtering of HTTP content based on URLs, commands and keywords, can restrict multi-threaded downloading, and supports removal of active content such as ActiveX, JavaScript, Java applets and cookies.
Email: SifoWorks supports email content filtering based on SMTP server, recipient addresses, sender addresses, subject, body keywords, attachments, mail size and the number of recipients.
FTP: SifoWorks supports filtering of FTP data based on file name keywords and commands. Multi-threaded downloading of FTP files can also be denied.
1.3.7 Routing Capability
SifoWorks is also equipped with rich routing capabilities, including strong forwarding functionality at layer 3 (the network layer). The SifoWorks route module supports up to 512 static routes and 247 policy routes. Policy routing can not only determine the outgoing interface from the destination IP address but can also determine the next-hop address from the source IP address and port number. For example, an enterprise has two outgoing WAN interfaces, ADSL and optical fibre. The enterprise's research department relies heavily on Internet service, so IT personnel can configure SifoWorks such that Internet accesses from the research department are routed to the optical fibre interface while accesses by other departments are routed to ADSL. SifoWorks determines
198. s the set of special characters that can be used in definitions in the content filtering function. We recommend reading this chapter if you want to manage the system's firewall rules.
Chapter 4 Firewall Rule Management
SifoWorks defines 3 types of firewall access control rules.
Filter Rules: These rules determine whether packets are allowed to pass through the firewall. Each filter rule:
- Identifies the incoming and outgoing interfaces of packets based on virtual port and VLAN
- Identifies the data flow according to the packet's IP address, authenticated user, service, MAC address, etc.
- Specifies whether to accept or drop the matched traffic using an Action parameter
- Can block illegal traffic by enabling the optional intelligent recognition protocol (IRP) function
- Can be configured with content filter rules to filter the contents of the traffic (only configurable if Action is accept)
- Can enable QoS to control the guaranteed and maximum bandwidth allocated to each incoming and outgoing data port (only configurable if Action is accept)
- Can limit the maximum number of concurrent connections for each host or network segment (only configurable if Action is accept)
- Can be configured with a schedule object specifying when the rule is effective. For example, a rule can be set up to be effective only between
199. save the settings and return to the port list.
Step 4 Configure VLANs
1. Select Network > VLAN Setting from the left menu bar.
2. Click the icon corresponding to the system default VLAN1.
3. In the VLAN Configure interface that appears, unselect all data ports from this VLAN. Click Save to save the modification and return to the VLAN list.
4. Click Add New VLAN at the bottom of the list.
5. The Add New VLAN configuration interface will be displayed. Here configure: Name LAN; VLAN ID 2; select the port FE0; MTU 1500; Status Up.
(Add New VLAN figure: Name; VLAN ID; Virtual Ports (Virtual Port1, Virtual Port2, Virtual Port3) with port checkboxes FE0 to FE7; MTU 1500; Status Down)
6. Click Save to save the new VLAN.
7. Repeat steps 4 to 6 to add 2 other VLANs for the WAN and DMZ domains. The final VLAN list should be similar to the figure below.
(VLAN list figure: columns VLAN Name, VLAN ID, User Ports, Operation; rows for ADMIN, VLAN1 (ID 1, no ports) and the LAN, WAN and DMZ VLANs, each listing Virtual Port1, Virtual Port2 and Virtual Port3; MGT0)
Step 5 Con
200. section explains how to add a record, such as an administrator account, an address object, a service object or a filter rule, into the system.
Note: This section gives an overall explanation of the procedure for adding a record entry to the system. For detailed information on the various kinds of records that can be added, refer to the appropriate sections later in this manual. For example, refer to 9.2 Managing Administrator Accounts for information on user account records, or 4.2 Managing Filter Rules for details on filter rule records.
CONFIGURATION PROCEDURE
Step 1 Navigate to the configuration page for the particular type of record from the left menu bar.
Step 2 Click Add XX (XX depends on the type of record you are adding).
Step 3 In the Add XX interface displayed, configure the settings accordingly.
Step 4 Click Save. The system will add a new record to the corresponding list.
2.2.4 Edit Record
This section explains how to edit an existing record.
Note: This section gives an overall explanation of the procedure for modifying a record entry in the system. For detailed information on the various kinds of records, refer to the appropriate sections later in this manual. For example, refer to 9.2 Managing Administrator Accounts for information on user account records or
201. sed to various hosts by the DHCP server(s) will be displayed. You can view DHCP lease information directly from this list.
10.3 Viewing Reports
This section describes how to enable or disable the SifoWorks reporter module and view the various real-time and history reports detailing the system's operating status. SifoWorks generates reports for 5 types of statistics: system resource status, traffic, IP traffic statistics, number of sessions and session establishment rate. The following sections explain each of these reports in detail.
Note: Your administrative host must have JRE 1.6.0 or above installed to view the reports generated by SifoWorks in the system's UI.
10.3.1 Reporter Configuration
You can configure whether the system generates the various reports for monitoring purposes.
CONFIGURATION PROCEDURE
The following steps explain how to configure the system's Reporter module.
Step 1 Log in to SifoWorks via a read/write administrator account.
Step 2 From the left menu bar select Reporter > Reporter Setting.
Step 3 In the Reporter Setting interface that displays, you can:
- Disable monitoring of system activities using reports: select the Disable Reporter radio button to disable the SifoWorks Reporter module. The system will discard a
202. separates its network into 3 domains:
- LAN: Internal workstation PCs are located in this domain. The subnet address is 192.168.1.0 / 255.255.255.0.
- WAN: The external network (Internet). The IP address is 211.192.98.220.
- DMZ: Internal servers such as web and FTP servers are located in this domain. The subnet address is 10.1.1.0 / 255.255.255.0.
For the security of the network and to manage network performance, the company deploys SifoWorks as the external gateway and connects the 3 network domains to the device. The company's network topology is shown below.
(Topology figure: Internet; WAN 211.192.98.220; SifoWorks; LAN 192.168.1.1 with a LAN switch, Subnet 1 and Subnet 2, 192.168.1.0/24; DMZ 10.1.1.1 with the server domain, 10.1.1.0/24)
SifoWorks is connected to the LAN via FE0, to the WAN via FE1 and to the DMZ via FE2. The first-hop address from the firewall to the Internet is 211.192.98.217. The configuration plan is shown in the following table.
Parameter     Configuration Value
Virtual Port  Virtual Port 1: FE0; Virtual Port 2: FE1; Virtual Port 3: all other ports
VLAN          LAN: Virtual Port 1 FE0, Virtual Port 2 none, Virtual Port 3 none
              WAN: Virtual Port 1 none, Virtual Port 2 FE1, Virtual Port 3 none
              DMZ: Virtual Port 1 none, Virtual Port 2 none, Virtual Port 3 FE2
IP Address    LAN: 192.168.1.1 / 255.255.255.0; W
203. ses to avoid exposing their internal network structure to attackers. SifoWorks resolves these 2 issues using NAT and PAT. SifoWorks allows users to define SNAT, DNAT and Double NAT rules, using an optimization algorithm to improve the utilization of ports and IP addresses.
1.3.4 Intelligent Protocol Recognition
There are standardized ports for application layer services, such as port 80 for HTTP and port 21 for FTP. For an enterprise wishing to restrict its employees from accessing the Internet, the simplest method would be to close port 80, thus denying HTTP packets. However, users can now customize the port number used by HTTP applications, and several P2P programs dynamically choose which port number to use. Allowing and denying the transmission of specific data through the firewall is therefore no longer a simple matter of port numbers.
SifoWorks thus introduces an intelligent protocol recognition function. Intelligent protocol recognition identifies and controls services that transmit data over a non-standard port, such as HTTP on port 90 instead of port 80, so that the use of such services can be controlled effectively. Conversely, blocking packets that are sent via port 80 but do not use the HTTP protocol restricts services that hide on port 80, such as P2P
204. st according to the actual network situation to achieve better performance. To adjust the position of an IP rate limit in the list, enter the current index of the limit in the Move From textbox at the bottom of the list, enter the position to move it to in the adjacent To textbox, and click OK. For example, to move the limit at index 1 to index 3, enter 1 in the Move From textbox and 3 in the To textbox, then click OK.
Enable IP rate limit: At the top of the IP rate limit list, select On for the Switch parameter and click OK to enable this function. Using the system-generated bandwidth reports, you can adjust the IP rate limit configuration according to the network situation. For details on viewing reports, refer to 10.3 Viewing Reports.
7.4 Activating High Availability
You can set up two SifoWorks devices in HA (High Availability) to enhance the reliability of the network. The SifoWorks HA function supports Active/Standby (AS) mode. In AS mode, information such as rules, objects, routes and sessions is synchronized between the master and slave devices. When the master device fails, network services are automatically switched over to the slave device.
CONFIGURATION FLOWCHART (AS MODE)
The following flowchart shows the procedure to set up two SifoWorks devices to work in HA AS mode.
205. t Setting region of this interface, check the Enable checkbox.
2. Enter the maximum number of logs that can be stored per second in the Item/s field.
Enable and configure syslog Server1:
1. In the Server List area of the Log > Log Server interface, click the edit icon corresponding to server1.
2. Enter the Server Name, IP address, listening Port, log Format and Protocol used to export logs from SifoWorks to the server.
3. Select the Charset used to store the logs.
4. Check the Enable checkbox to enable the use of this remote server.
5. Click Save to save the configuration.
Optional: Repeat step 4 to configure Server2 to Server4.
8.3 Configuring Log Attributes
Here you can set up specific log attributes such as the maximum number of log records to store for each log type, when and which logs to delete, and whether to log DNS and ICMP requests.
Note: The log deletion policy configures the system so that when the number of log records exceeds the specified maximum, the system automatically deletes a percentage of the logs. Logs are deleted according to their generation date; the earliest logs are deleted first.
CONFIGURATION PROCEDURE
Step 1 Log in to SifoWorks via a read/write administrator account.
Step 2 From the left menu bar select Log > Log Global.
Step 3 In the displayed interface
206. (Topology figure: HQ network, SifoWorksA, WAN VPort2 211.192.98.220, LAN 192.168.1.0/24; branch network, SifoWorksB, WAN VPort2 202.112.11.222, LAN 192.168.2.0/24)
SifoWorksA is deployed in the HQ network. The first-hop gateway address from SifoWorksA to the Internet is 211.192.98.217. SifoWorksB is deployed in the branch network, and the first-hop gateway address connecting SifoWor ksB to the Internet is 202.112.11.1. The site-to-site VPN connection uses pre-shared key authentication. The pre-shared key is 12345678, the IKE phase one algorithm is 3des-md5-modp1536 and the phase two algorithm is esp-3des-md5. The configuration procedure is as follows.
SifoWorksA (HQ Network)
Step 1 Log in to SifoWorksA via a read/write administrator account.
Step 2 Activate VPN on SifoWorksA:
1. From the left menu bar select VPN > IPSec Setting.
2. Toggle the VPN module On.
3. Click Save to confirm the setting.
Step 3 Select the outgoing interface for SifoWorksA:
1. From the VPN > IPSec Setting interface, click the IPSec Interface IP tab.
2. Select the VLAN WAN as the outgoing interface.
3. Click Save to save the configuration.
Step 4 Add IKE for SifoWorksA:
1. From the left menu bar select VPN > IKE.
2. At the bottom of the IKE list displayed, click Add New IKE.
3. The Add New IKE interface will be displayed. Configure as follows: I
207. (Flowchart residue: configuring NAT rules; configuring filter rules (IRP, QoS, AAA authentication, content filter); setting up VPN; setting up IDS; End)
11.3 Phase 1: Configuring the Basic Network Settings
11.3.1 Configuration Procedure
This section provides a step-by-step guide to setting up the SifoWorks basic network settings.
Warning: The steps below assume that your SifoWorks device has been powered on but not yet connected to the network. If SifoWorks has already been connected to the network, you may still carry out these steps as normal, but certain traffic may be disconnected until 11.5 Phase 3: Defining Filter Rules below has been completed.
Step 1 Connect the SifoWorks administrative interface to your PC via a network cable.
Step 2 Log in to the system using the admin administrator account.
Note: Refer to 2.2.1 System Login for an explanation of how to log in to the system's UI.
Step 3 Configure the virtual ports:
1. From the left menu bar of the interface select Network > Virtual Port Config.
2. At the bottom of the list of ports, click Virtual Port Config.
3. Using the > and < buttons, move FE0 to Virtual Port 1, FE1 to Virtual Port 2 and all other ports to Virtual Port 3.
4. Click Save to
208. thenticate SifoWorks when establishing the connection.
Note: You can also select a schedule (weekly schedule) object in the Schedule drop-down menu. The system will then attempt to establish or disconnect the PPPoE connection automatically according to the schedule.
3. Click Save to save the settings.
4. Click Next > to view the Connection tab. Here you can click Start, and the system will begin to dial the connection. Once connected, you can view connection information such as the IP address and gateway from the Monitor tab. Click Stop to disconnect the connection.
CONFIGURATION PROCEDURE (FAST MODE)
Step 1 Connect the network cable for PPPoE access to the MGT1 port.
Step 2 Connect a network cable from MGT0 to FE7.
Step 3 From an available data port (FE0 to FE6), log in to SifoWorks using a read/write administrator account.
Step 4 Select the PPPoE mode:
1. From the left menu bar select Advance > PPPoE Mode.
2. Select Fast Mode.
Note: Skip to step 5 if SifoWorks is already working in PPPoE fast mode.
3. Click Save to save the configuration. SifoWorks will automatically restart. Log in to the system again once it has rebooted.
Step 5 Establish the PPPoE connection:
1. From the left menu bar select Network > PPPoE Setting.
2. In the Configuration
209. this address object.
Step 6 Add a VPN connection on SifoWorksA:
1. From the left menu bar select VPN > VPN Connection to view the list of VPN connections.
2. Click Add New VPN.
3. In the Add New VPN Connection interface, configure as follows: Connection Name HQConnect; Local Subnet Local; Remote Subnet Remote; Using Tunnel; Using IKE HQIKE; State Start.
(Add New VPN Connection figure: Connection Name HQConnect; L2TP; Local Subnet; Remote Subnet; Using Tunnel / Using Manual; State Start / Stop; Route; Backup Connection; Using IKE; Save, Cancel)
4. Click Save to add this VPN connection to the list.
SifoWorksB (Branch Network)
Step 7 Log in to SifoWorksB via a read/write administrator account.
Step 8 Activate VPN on SifoWorksB:
1. From the left menu bar select VPN > IPSec Setting.
2. Toggle the VPN module On.
3. Click Save to confirm the setting.
Step 9 Select the outgoing interface for SifoWorksB:
1. From the VPN > IPSec Setting interface, click the IPSec Interface IP tab.
2. Select the VLAN ADSL_HIGHSPEED as the outgoing interface.
(IPSec Interface IP figure: Interface ADSL_HIGHSPEED; IP 210.82.10.17; Save, Reset)
3. Click Save to save the configuration.
210. (Add New IKE figure residue: Strict Algorithm Match; Next >, Cancel)
4. Click Next > to display the Phase One Method tab. Configure as follows: Algorithm 3des-md5-modp1536; Exchange main mode.
5. Click Next > to view the Authenticate Method tab. Select PSK and enter 12345678 as the Preshare Key. Re-enter this key in the Retype textbox to confirm.
6. Click Next > to display the Phase Two Proposal tab. Enable Using ESP and select the esp-3des-md5 ESP Algorithm. Also select the Using PFS option.
(Phase Two Proposal figure: Encapsulation: Using ESP Algorithm / Using AH Algorithm; PFS: Group is same as Phase one's; Using PFS; DH Group; < Back, Next >, Cancel)
7. Click Next > to view the Advanced Setting tab. Keep the default configuration for all parameters in this tab and click Save to save this IKE record.
Step 5 Add address objects on SifoWorksA:
1. From the left menu bar select Object > Address to display the list of address objects.
2. Click Add New Address and configure as follows: Name Local; IP 192.168.1.0; Netmask 255.255.255.0.
3. Click Save to add the new address object.
4. Back at the address object list, click Add New Address to add another address object with the following configuration: Name Remote; IP 192.168.2.0; Netmask 255.255.255.0.
5. Click Save to save
211. (SNAT rule figure residue: Translated Address: No Map / Single IP / Range IP / Single Port / Range Port / Sticky; Map List LAN to WAN)
4. Click Save to save the SNAT rule.
APPLICATION EXAMPLE 3: LOAD BALANCING
The network topology of a company is shown in the figure below. In the DMZ domain, 5 web servers providing services externally are deployed. SifoWorks must distribute traffic among these servers according to a priority weight system. Traffic should be distributed among Web Server1 to Web Server5 according to the following percentages:
Server 1  Server 2  Server 3  Server 4  Server 5
20%       20%       25%       25%       10%
The Sticky option should also be enabled.
(Topology figure: Internet; WAN 211.192.98.220; SifoWorks; LAN 192.168.1.1 with the workstation domain and LAN switch, 192.168.1.0/24; DMZ 10.1.1.1 with the server domain, Web Server 1 to 5 at 10.1.1.10 to 10.1.1.14)
The company also requires DNAT to be performed on all accesses from external sources. External hosts access the HTTP service via the IP 211.192.98.220, port 80. VPort1, VPort2 and VPort3 correspond to the LAN, WAN and DMZ domains respectively. The configuration procedure is as follows.
Step 1 Log in to SifoWorks via a read/write account.
Step 2 From the left menu bar select Object > Server Load Balance.
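To make the weight table concrete, here is an added example (my code, not the SifoWorks implementation, whose scheduling algorithm the manual does not describe) of a weighted balancer with a sticky client table. It assumes smooth weighted round-robin for new clients, so that over every 100 consecutive new clients each server receives exactly its percentage, and assumes Sticky means "remember the server per client source address". The client addresses in the simulation are constructed.

```python
"""Weighted server load balancing with a sticky client table.

Added example, not SifoWorks code. The manual states the policy for this
example (weights 20/20/25/25/10 for Web Server1-5 at 10.1.1.10-10.1.1.14,
Sticky enabled) but not the algorithm; this implementation uses smooth
weighted round-robin, so over every 100 consecutive new clients each server
receives exactly its weight, and a client already seen keeps its server.
Client addresses in the simulation are constructed (203.0.113.0/24).
"""
from dataclasses import dataclass


@dataclass
class Backend:
    name: str
    ip: str
    weight: int
    current: int = 0   # running score used by smooth weighted round-robin
    served: int = 0    # requests handled, for reporting


class WeightedBalancer:
    def __init__(self, backends, sticky=True):
        self.backends = list(backends)
        self.sticky = sticky
        self.table = {}    # client IP -> Backend, only used when sticky

    def _next_backend(self) -> Backend:
        # Smooth weighted round-robin: add each weight to its score, pick the
        # highest score, then charge the winner the total so picks interleave.
        total = sum(b.weight for b in self.backends)
        for b in self.backends:
            b.current += b.weight
        chosen = max(self.backends, key=lambda b: b.current)
        chosen.current -= total
        return chosen

    def pick(self, client_ip: str) -> Backend:
        """Select a server for one request from client_ip."""
        if self.sticky and client_ip in self.table:
            b = self.table[client_ip]
        else:
            b = self._next_backend()
            if self.sticky:
                self.table[client_ip] = b
        b.served += 1
        return b

    def distribution(self) -> dict:
        return {b.name: b.served for b in self.backends}


def build_example_balancer(sticky: bool = True) -> WeightedBalancer:
    """The five DMZ web servers of Application Example 3 with their weights."""
    weights = [20, 20, 25, 25, 10]
    return WeightedBalancer(
        (Backend(f"Web Server{i + 1}", f"10.1.1.{10 + i}", w) for i, w in enumerate(weights)),
        sticky=sticky,
    )


def simulate(n_clients: int, requests_per_client: int, sticky: bool = True) -> dict:
    """n_clients distinct external hosts each send requests_per_client requests."""
    lb = build_example_balancer(sticky)
    for _ in range(requests_per_client):
        for i in range(n_clients):
            lb.pick(f"203.0.113.{i}")   # constructed client addresses
    return lb.distribution()
```

Because stickiness keys on the source address, every user behind one NAT gateway lands on the same server, which skews the real distribution towards whichever server that gateway was first mapped to; when the DNAT in front of the pool (211.192.98.220:80 here) sees mostly NAT'd clients, check the per-server session counts in the reports rather than trusting the configured percentages.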
212. to automatically discover and manage the SifoWorks device.
Note: Ensure that your device's network configuration has been properly set up before attempting to connect SifoWorks to a network management system. Refer to 3.2 Setting up the Basic Network Settings for details on configuring the SifoWorks network settings.
APPLICATION EXAMPLE
The company uses the SifoView network management system to manage all network devices deployed within its network. A new SifoWorks device is then deployed into the network. The SifoWorks system administrator wants to set up the device so that it can be managed via SifoView. The topology of this network is illustrated in the figure below.
(Topology figure: Internet; WAN 210.192.98.220; SifoWorks; LAN 192.168.1.1 with a LAN switch, Subnet 1 and Subnet 2, 192.168.1.0/24; DMZ 10.1.1.1 with the server domain, 10.1.1.0/24)
In this network:
- The IP address of the SifoView server is 10.1.1.7.
- The SifoView server is located in the DMZ.
- The IP address of the SifoWorks VLAN representing the DMZ is 10.1.1.1.
Enable SNMP v3 with security level AuthPriv. This allows administrators to configure SifoWorks via SifoView. SNMP Trap is not needed. The configuration procedure is as follows.
Step 1 Log in to SifoWorks via a read/write administrator account.
Step 2 Add SNMP Proxy:
213. tomized rules. Enable the IP Defragmentation pre-processor with default settings. The configuration procedure is as follows.
Step 1 Log in to SifoWorks using a read/write administrator account.
Step 2 Configure the IDP network variables:
1. From the left menu bar select IDP > Network Variables.
2. In the Home Net tab, select the User Input radio button to manually manage the list of internal networks.
3. Click Add New Home Net.
4. The Add Home Net interface will be displayed. Configure as follows: IP 192.168.1.0; Netmask Length 24.
5. Click Save to save the setting and return to the Home Net list.
6. Repeat steps 3 to 5 to add another internal network, DMZ, with IP / Netmask Length 10.1.1.0/24.
7. Select the External Net tab to view the list of external networks. At the top of the list, select the Not Home Net radio button.
(External Net figure: radio buttons Any / Not Home Net / User Input)
Step 3 Select the IDP rules:
1. From the left menu bar select IDP > Rule Group Control.
2. Check the Enable column to select the pre-defined IDP rule groups that you need to enable.
3. Click Save to save the settings.
Step 4 Set up the pre-processor:
1. From the left menu bar select IDP > Preprocessors to view the interface for the
214. traffic before matching it against the IDP rules, to improve the system's performance and precision. The pre-processors include:
- IP Defragmentation: This pre-processor reassembles the fragments of a network packet.
- TCP Stream Reassembly: This pre-processor assembles the payloads of multiple packets belonging to the same TCP connection into one large packet before performing IDP analysis.
- Port Scan: This pre-processor detects scan attacks on the protected ports. It automatically sends an alert to the system when such activity is detected.
Before enabling IDP, ensure that your SifoWorks system has been successfully connected to your network by completing the basic network configuration. Refer to 3.2 Setting up the Basic Network Settings for details.
CONFIGURATION FLOWCHART
The configuration steps to configure and activate IDP are illustrated in the flowchart below.
(Flowchart: Start; Configuring Network Variables; Manage Rule Groups; Define Customized Rules; Configure the Pre-processors; Select IDP Work Mode; End)
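The IDS working modes in 7.5 (a packet-rate threshold, with Defense mode dropping and Monitor mode only notifying) and the IDP network variables and Port Scan pre-processor above share one mechanism: classify each packet by HOME_NET, count something per source or destination over a window, and act when a threshold is passed. The following added example is my illustration of that mechanism and not SifoWorks code; the thresholds, the window length, the packet records and the exact counting rules are assumptions, and the manual does not publish the device's own values.

```python
"""Threshold and network-variable checks of the kind the IDS/IDP sections describe.

Added example, not SifoWorks code: it shows the mechanics of section 7.5
(a packet-rate threshold, with Defense mode dropping and Monitor mode only
alerting) and of this chapter (HOME_NET 192.168.1.0/24 and 10.1.1.0/24 with
EXTERNAL_NET = not HOME_NET, and a Port Scan pre-processor), plus the Land
check from the 7.5 attack list. Thresholds, window sizes and the packet
records are assumptions made for the example, not device values.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

HOME_NET = [ip_network("192.168.1.0/24"), ip_network("10.1.1.0/24")]
SYN_FLOOD_PPS = 100     # assumed: SYNs per second to one destination before it counts as a flood
PORTSCAN_PORTS = 15     # assumed: distinct destination ports from one external source ...
PORTSCAN_WINDOW = 5.0   # ... within this many seconds


def is_home(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in HOME_NET)


def is_external(ip: str) -> bool:
    return not is_home(ip)      # External Net = Not Home Net


class Detector:
    def __init__(self, mode: str = "defense"):
        if mode not in ("defense", "monitor"):
            raise ValueError(mode)
        self.mode = mode
        self.syn_per_second = defaultdict(int)   # (dst, whole second) -> SYN count
        self.ports_seen = defaultdict(list)      # external src -> [(dport, time)]
        self.alerts = []                         # (reason, src, dst)
        self.dropped = 0

    def _react(self, pkt: dict, reason: str) -> str:
        self.alerts.append((reason, pkt["src"], pkt["dst"]))
        if self.mode == "defense":
            self.dropped += 1
            return "drop"
        return "accept"        # monitor mode: notify only

    def inspect(self, pkt: dict) -> str:
        # Land attack: source and destination address are identical
        if pkt["src"] == pkt["dst"]:
            return self._react(pkt, "land")
        # SYN flood: rate of SYNs towards one destination within one second
        if pkt["proto"] == "tcp" and pkt.get("flags") == "S":
            key = (pkt["dst"], int(pkt["t"]))
            self.syn_per_second[key] += 1
            if self.syn_per_second[key] > SYN_FLOOD_PPS:
                return self._react(pkt, "syn_flood")
        # Port scan: one external source touching many ports on HOME_NET hosts
        if is_external(pkt["src"]) and is_home(pkt["dst"]):
            seen = self.ports_seen[pkt["src"]]
            seen.append((pkt["dport"], pkt["t"]))
            recent = {p for p, t in seen if pkt["t"] - t <= PORTSCAN_WINDOW}
            if len(recent) >= PORTSCAN_PORTS:
                return self._react(pkt, "port_scan")
        return "accept"


def run(packets, mode: str = "defense") -> Detector:
    det = Detector(mode)
    for pkt in packets:
        det.inspect(pkt)
    return det


def summary(det: Detector) -> dict:
    counts = defaultdict(int)
    for reason, _, _ in det.alerts:
        counts[reason] += 1
    return dict(counts)


def constructed_traffic() -> list:
    """Constructed packet records: normal web traffic, a SYN flood, a port scan, a Land packet."""
    def syn(t, src, dst, dport):
        return {"t": t, "src": src, "dst": dst, "proto": "tcp", "dport": dport, "flags": "S"}
    pkts = [syn(float(i), "203.0.113.5", "10.1.1.10", 80) for i in range(20)]               # one client, one port
    pkts += [syn(30.0 + i / 1000, f"198.51.100.{i % 200 + 1}", "10.1.1.10", 80) for i in range(150)]  # 150 SYNs in 1 s
    pkts += [syn(60.0 + i / 10, "192.0.2.9", "192.168.1.20", 1 + i) for i in range(20)]             # 20 ports in 2 s
    pkts.append(syn(70.0, "10.1.1.1", "10.1.1.1", 139))                                             # Land
    return pkts
```

Two points the code makes visible: a flood is only recognised after the threshold is crossed, so the first hundred SYNs of the burst pass in either mode, and the Home Net list must be complete, since a scan aimed at an internal subnet that is not listed is never examined by the port-scan logic at all. Run the same traffic in "monitor" mode first to see how many alerts a threshold produces before letting Defense mode drop on it.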
215. Retry Times, Timeout, Bind IP and Freeze Duration.
Parameter        Explanation                                                                                   Configuration
Retry Times      The maximum number of times a user's login attempt can fail. If the user does not log in      Enter the value in the textbox. Range 2 to 100. Default 3.
                 successfully within this number of tries, the account is locked for a period of time.
Timeout          The amount of time allowed for each login retry, after which the login attempt times out.     Enter the value in the textbox. Range 30 to 300 s. Default 120.
                 This field is used in conjunction with the Retry Times field above.
Bind IP          Whether to bind a user's login retries to the IP address. If enabled, the number of retries    Check the checkbox to enable Bind IP. Default disabled.
                 is counted per source IP address. Otherwise the count applies across all IP addresses, that
                 is, a login failure counts towards the number of retries regardless of the IP address from
                 which the user is logging in.
Freeze Duration  The period of time for which an account is locked by the system.                              Enter the value in the textbox. Range 30 to 600 s. Default 180.
9.3 Setting Up Basic System Configuration
Basic system configuration includes selecting the UI display language, setting up the system date and time, enabling the
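The four parameters interact, and the Bind IP choice is a real trade-off: with Bind IP disabled, anyone who can reach the login page can lock the admin account from any address; with it enabled, a guesser who rotates source addresses never accumulates enough failures to be frozen. The following added example is my model of that behaviour, not SifoWorks code. The manual gives the parameters and defaults (3 retries, 120 s, Bind IP off, 180 s freeze) but not how they combine, so treating Timeout as the window inside which failures accumulate is an assumption; the clock is injected so the scenarios replay deterministically, and the client addresses are constructed.

```python
"""Login retry and freeze logic as described by the Retry Times, Timeout,
Bind IP and Freeze Duration settings.

Added example, not SifoWorks code: the manual gives the parameters and their
defaults (3 retries, 120 s retry timeout, Bind IP off, 180 s freeze) but not
how they combine, so the combination here is an assumption. The clock is
passed in so the behaviour can be replayed deterministically.
"""
from dataclasses import dataclass, field


@dataclass
class LoginPolicy:
    retry_times: int = 3          # failures before the account is frozen
    timeout: float = 120.0        # seconds; failures older than this no longer count (assumed)
    bind_ip: bool = False         # count failures per (user, source IP) instead of per user
    freeze_duration: float = 180.0


@dataclass
class LoginGuard:
    policy: LoginPolicy = field(default_factory=LoginPolicy)
    failures: dict = field(default_factory=dict)      # key -> list of failure times
    frozen_until: dict = field(default_factory=dict)  # key -> time the freeze ends

    def _key(self, user: str, ip: str):
        return (user, ip) if self.policy.bind_ip else (user, None)

    def attempt(self, user: str, ip: str, password_ok: bool, now: float) -> str:
        """Returns 'ok', 'denied' (wrong password) or 'frozen' (locked out)."""
        key = self._key(user, ip)
        if self.frozen_until.get(key, 0.0) > now:
            return "frozen"          # even a correct password is refused while frozen
        if password_ok:
            self.failures.pop(key, None)
            return "ok"
        recent = [t for t in self.failures.get(key, []) if now - t < self.policy.timeout]
        recent.append(now)
        if len(recent) >= self.policy.retry_times:
            self.frozen_until[key] = now + self.policy.freeze_duration
            self.failures.pop(key, None)
            return "frozen"
        self.failures[key] = recent
        return "denied"


def scenario(bind_ip: bool) -> list:
    """Three wrong passwords for 'admin' from three different constructed
    addresses (203.0.113.x), then the real administrator from the LAN."""
    guard = LoginGuard(LoginPolicy(bind_ip=bind_ip))
    results = [guard.attempt("admin", f"203.0.113.{i}", False, now=10.0 * i) for i in (1, 2, 3)]
    results.append(guard.attempt("admin", "192.168.1.50", True, now=40.0))   # inside any freeze
    results.append(guard.attempt("admin", "192.168.1.50", True, now=221.0))  # 180 s freeze expired
    return results
```

With the defaults, scenario(False) shows the administrator locked out by three failures that came from three strangers, while scenario(True) shows the same three failures never adding up. Neither setting stops guessing on its own; restrict which VLANs and addresses may reach the management interface and use OTP User logins where possible so that a guessed static password is not enough.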
216. ul Failure Message: "Authentication Failed. Please retry or contact the system administrator."
4. Click Save to save the settings.
Step 11 Add a URL filtering object:
1. Create a text file myURL.txt containing a list of all target URLs to be filtered. Each URL should be on its own line, as shown below.
myURL.txt:
www.sina.com
www.sohu.com
www.163.com
www.china.com
www.chinaren.com
www.google.cn
2. From the left menu bar of the SifoWorks web UI, select Object > Content Filtering Obj.
3. In the URL tab, click Add URL Obj at the bottom of the list displayed.
4. The Add URL interface will be displayed. Configure as follows: Name myURL; Description sina sohu 163 china chinaren google.
5. Select File, click Browse and select the text file containing the list of URLs created earlier (myURL.txt).
(Add URL figure: Name; Description; URL List: File List / Keyword / File Pattern / Wildcards / Regular Expression; Save, Return)
6. Click Save. The interface will refresh to display a new entry in the File List.
7. Click Return to save this URL object and return to the URL content filtering object list.
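A plain list entry such as www.163.com matches only that host name, so news.163.com or a bare 163.com is not covered, while the Wildcards and Regular Expression options in the Add URL dialog can widen the match. The following added example is my illustration of those three matching modes and not SifoWorks code; the manual does not say how the device compares an entry against a request, so exact host matching for File List entries, shell-style wildcards over the host name, and a search with a regular expression are assumptions. The file contents are constructed inline from the manual's example list.

```python
"""Matching requests against a URL object loaded from a one-URL-per-line file.

Added example, not SifoWorks code. It assumes the file format the manual
shows (one entry per line) and the three match options the UI names (File
List, Wildcards, Regular Expression); how the device itself compares entries
is not stated, so exact host matching for plain entries is an assumption.
The file contents below are constructed from the manual's example list.
"""
import fnmatch
import re
from urllib.parse import urlsplit

MYURL_TXT = """\
www.sina.com
www.sohu.com
www.163.com
www.china.com
www.chinaren.com
www.google.cn
"""


def load_entries(text: str) -> list:
    """One URL per line; blank lines and surrounding whitespace ignored, lower-cased."""
    return [ln.strip().lower() for ln in text.splitlines() if ln.strip()]


def request_host(url: str) -> str:
    """Host name of a request URL, ignoring scheme, userinfo, port, path and case.
    Matching on the parsed host rather than the raw string is what defeats
    http://user@www.163.com:8080/ style evasions."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


class UrlObject:
    def __init__(self, entries, mode: str = "list"):
        if mode not in ("list", "wildcard", "regex"):
            raise ValueError(mode)
        self.mode = mode
        self.entries = list(entries)
        self._regexes = [re.compile(e) for e in self.entries] if mode == "regex" else []

    def matches(self, url: str) -> bool:
        host = request_host(url)
        if self.mode == "list":
            return host in self.entries                       # exact host only
        if self.mode == "wildcard":
            return any(fnmatch.fnmatchcase(host, pat) for pat in self.entries)
        return any(r.search(host) for r in self._regexes)
```

When writing regular expressions, anchor them to the end of the host name (for example `(^|\.)163\.com$`): an unanchored `163.com` would also match www.163.com.evil.example, and a pattern without the leading `(^|\.)` would match not163.com.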
217. Step 10 Add IKE for SifoWorksB:
1. From the left menu bar select VPN > IKE.
2. At the bottom of the IKE list displayed, click Add New IKE.
3. The Add New IKE interface will be displayed. Configure as follows: IKE Name BranchIKE; Remote Gateway Static Gateway; IP 211.192.98.220.
(Add New IKE figure: tabs New IKE, Phase One Method, Authenticate Method, Phase Two Proposal, Advanced Setting; Local Interface ADSL_HIGHSPEED; IKE Name BranchIKE; Remote Gateway: Static Gateway IP 211.192.98.220 / Dynamic DNS Domain / Dynamic IP; Local ID; Remote ID; NextHop 0.0.0.0; Strict Algorithm Match; Next >, Cancel)
4. Click Next > to display the Phase One Method tab. The configuration is as follows: Algorithm 3des-md5-modp1536; Exchange main mode.
5. Click Next > to view the Authenticate Method tab. Select PSK and enter 12345678 as the Preshare Key. Re-enter this key in the Retype textbox to confirm.
6. Click Next > to display the Phase Two Proposal tab. Enable Using ESP and select the esp-3des-md5 ESP Algorithm. Also select the Using PFS option.
(Phase Two Proposal figure: Encapsulation: Using ESP, Algorithm esp-3des-md5; PFS: Group is same as Phase one's; Using PFS; DH Group; < Back, Next >, Cancel)
7. Click Next > to view the Advanced
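The proposal used on both ends of this site-to-site example (Step 4 on SifoWorksA and Step 10 on SifoWorksB: 3des-md5-modp1536, esp-3des-md5, pre-shared key 12345678) is fine for walking through the dialogs but should not be copied into production: 3DES and MD5 are deprecated, a 1536-bit DH group is below the 2048-bit minimum usually required, and an 8-digit PSK is guessable. The following added example is my policy check, not SifoWorks code, written against proposal strings in the form the manual uses; the thresholds (AES, SHA-2, 2048-bit group, at least 20 characters and roughly 100 bits of character entropy for the PSK) are my assumptions, not device policy, and the Shannon-entropy estimate is a crude upper bound on key strength.

```python
"""Policy check for the IKE/IPsec proposal used in the site-to-site example.

Added example, not SifoWorks code. The manual configures phase one
3des-md5-modp1536, phase two esp-3des-md5 and the pre-shared key 12345678;
this checks such a proposal against current guidance (3DES and MD5 are
deprecated, modp1536 is below the 2048-bit minimum, PFS should be on, and a
PSK should be long and random). The rules and thresholds are my assumptions.
"""
import math
import re
from collections import Counter

WEAK_ENC = {"des", "3des"}
WEAK_HASH = {"md5", "sha1"}
MIN_MODP_BITS = 2048
MIN_PSK_CHARS = 20
MIN_PSK_ENTROPY_BITS = 100


def parse_proposal(text: str) -> dict:
    """'3des-md5-modp1536' or 'esp-3des-md5' -> {'enc', 'hash', 'group'}."""
    parts = [p for p in re.split(r"[-\s]+", text.strip().lower()) if p]
    if parts and parts[0] in ("esp", "ah"):
        parts = parts[1:]                       # encapsulation prefix in phase two strings
    out = {"enc": None, "hash": None, "group": None}
    for p in parts:
        if p.startswith("modp"):
            out["group"] = int(p[4:])           # DH group size in bits
        elif p in ("des", "3des") or p.startswith("aes"):
            out["enc"] = p
        elif p == "md5" or p.startswith("sha"):
            out["hash"] = p
    return out


def psk_entropy_bits(psk: str) -> float:
    """Shannon entropy of the key's characters times its length: an upper
    bound that still flags keys like '12345678' (24 bits) as too weak."""
    if not psk:
        return 0.0
    n = len(psk)
    per_char = -sum(c / n * math.log2(c / n) for c in Counter(psk).values())
    return per_char * n


def assess(phase1: str, phase2: str, psk: str, pfs: bool) -> list:
    """Return a list of findings; an empty list means the proposal passes the policy."""
    findings = []
    p1, p2 = parse_proposal(phase1), parse_proposal(phase2)
    for label, prop in (("phase one", p1), ("phase two", p2)):
        if prop["enc"] in WEAK_ENC:
            findings.append(f"{label}: {prop['enc']} is deprecated, use aes128 or aes256")
        if prop["hash"] in WEAK_HASH:
            findings.append(f"{label}: {prop['hash']} integrity is deprecated, use sha256 or better")
    if p1["group"] is not None and p1["group"] < MIN_MODP_BITS:
        findings.append(f"phase one: modp{p1['group']} is below {MIN_MODP_BITS} bits, use modp2048 or larger")
    if not pfs:
        findings.append("phase two: PFS is off, so a compromised phase-one key exposes every child SA")
    if len(psk) < MIN_PSK_CHARS or psk_entropy_bits(psk) < MIN_PSK_ENTROPY_BITS:
        findings.append("PSK is short or low-entropy; generate a long random key per peer")
    return findings
```

For the manual's values, assess("3des-md5-modp1536", "esp-3des-md5", "12345678", pfs=True) returns six findings; a proposal such as aes256-sha256-modp2048 with esp-aes256-sha256, PFS on and a 24-character random PSK returns none. Both SifoWorks peers must be changed together, since the Strict Algorithm Match option visible in the Add New IKE dialog will otherwise leave phase one unable to agree.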
218. ve IP or restore the default administrator password to the default setting. This operation is normally performed if you need to restore the system after a system failure.
2.5 Device Quick Configuration Guide
The flowchart below shows the recommended configuration procedure to deploy SifoWorks in your existing network so that the device's main functions operate properly.
Note: An application example using this procedure can be found in 11 Device Deployment Example. For details on each configuration task in the following procedure, refer to 2.4 Task List, where you can find links to the corresponding tasks.
(Flowchart: Start; Configuring basic network settings (VPort, VLAN, IP address, route); Configuring SNAT/DNAT; Configuring filter rules (IRP, AAA authentication, content filter, QoS); Setting up VPN (IPSec VPN, PPTP/L2TP VPN); Setting up IDS; End)
Each operation in this flowchart is briefly explained in the table below.
Operation                              Description
Configuring Basic Network Parameters   Configure the device's VPort, VLAN, IP address and route settings to connect SifoWorks to the network
Configuring NAT
Setting up Filter Rules
219. via a read-write or read-only administrator account. From the left menu bar, select Reporter > Session Number. The session number report will be displayed. Here you can select whether to view current reports (statistics from the past 1 hour) or history reports (statistics from any past interval of up to 7 days). • View report generated using statistics for the last 1 hour: Click the Current Monitor (Listen Current 1 Hours) radio button to view the chart generated based on statistics collected from the past 1 hour. • View report generated using statistics from any past interval up to 7 days: Manually select the time interval to generate the report for by selecting the History Query (Listen Past 7 Days) radio button. In the From and To date/time textboxes that appear, specify the starting and ending time of the desired time interval to view the history report generated based on statistics collected during this period. Note that the maximum time interval you can enter is 7 days. Select to view the graph for Established Session, New Session or Total Session. Click Go to refresh the report to display the graph according to your settings. Optional: Click the Distribution tab to view a pie chart showing the distribution of sessions according to the various types of protocols. From this interface you can • View the distribution for established sessions: Select the Established sessions radio button to view the pie chart sho
220. virtual port. IP Rate Limit: To enable the IP limit function, limiting the upload and download speeds available for an individual IP address or a subnet. HA Setting: To enable/disable HA between two SifoWorks devices. Two SifoWorks devices work in AS mode if HA is enabled. IDS Linkage: To provide IDS by setting up the system to link SifoWorks with a third-party IDS device. Currently SifoWorks supports IDS devices from Venus and NSFOCUS. IDS Setting: To set up SifoWorks' own IDS function. PPPoE Mode: Select the PPPoE mode to enable SifoWorks to connect to external networks via PPPoE. After enabling PPPoE here, you must then configure the PPPoE settings accordingly from the Network > PPPoE Setting interface. IRP Upgrading: To import an upgrade file to update the IRP (Intelligent Recognition Protocol) module. IRP recognizes which protocol is being used by a particular connection. Applying IRP on filter rules and QoS allows the system to block or limit traffic from specific protocols. However, network protocols are constantly evolving. Hence, for IRP to be effective, the system's IRP module should be regularly updated to recognize new or modified protocols. You can obtain the IRP upgrade patch from O2Security. [Page header: User Manual for SifoWorks D Series Firewall, Chapter 2 Getting started, OD1300UME01 1.3, p. 30] Menu: Diagnostics. Ping: Executes the Ping command to check connectivity between SifoWorks and external networks
221. w the advanced rule options. 4. Enable Log and Content Filtering. Select the content filtering rule forbid_popular from the adjacent drop-down menu. [Screenshot: Action To Take tab (Match; Accept / Drop; Advanced: Log, TCP Window Tracking, Content Filtering: forbid_popular, Incoming Level, Outgoing Level, Limit Max Concurrent Connections)] [Page header: User Manual for SifoWorks D Series Firewall, Chapter 11 Device Deployment Example, OD1300UME01 1.3, pp. 239-240] 5. Click Next > to navigate to the Match tab and configure as follows: Virtual Port From: VPort1; Virtual Port To: VPort2; VLAN From: LAN; VLAN To: WAN; Address From: Authentication ExampleGroup; Address To: Predefine ALL; Service: HTTP. 6. Check the Intelligent Recognized Protocols checkbox and select http from the adjacent drop-down menu. [Screenshot: Match tab with the Virtual Port, VLAN, Address, Netmask, Service, Intelligent Recognized Protocols, Authentication, schedule and source MAC fields; buttons < Back, Save, Cancel] 7. Click Save to save the filter rule. 11.5.2 Testing the Configuration. The steps below guide you through a test to ensure that SifoWorks
222. were made. If the problem persists, please contact O2Security technical support. 1. Using any PC within the 192.168.1.0/255.255.255.0 subnet, access the authentication interface. The authentication interface for authentication users uses the same IP address as that of the SifoWorks management UI. However, the HTTP protocol is used instead. For example, if the SifoWorks management UI address is https://192.168.1.1, the address of the authentication interface will be http://192.168.1.1. Note: For hosts in subnets that require authentication before HTTP access is allowed, entering any Internet address into the web browser will automatically direct the user to the system's authentication interface. Upon successful authentication, the user will then be automatically directed to the entered web address. 2. In the authentication interface, enter the UserName and Password. [Screenshot: User Authentication page (Welcome ExampleGroup)] 3. Click Auth. SifoWorks will attempt to authenticate the user. A success message will be displayed if the authentication is successful. 4. Access other web pages to check that the filter rule is correctly set up. [Page header: User Manual for SifoWorks D Series Firewall, Chapter 4 Firewall Rule Management, OD1300UME01 1.3] REFERENCE: Intelligent Protocol Recognition. SifoWorks' intelligent recognized protocol function supports the following types of protocols: • HTTP, FTP, SOCKS, SSH, Telnet
223. wing the distribution of established sessions according to the various protocols. • View the distribution for new sessions: Select the New sessions radio button to view the pie chart showing the distribution of new sessions according to the various protocols. [Page header: User Manual for SifoWorks D Series Firewall, Chapter 10 System Maintenance, OD1300UME01 1.3] 10.3.6 Session Rate. These reports show the rate at which sessions are established or new sessions are created. You can select to view session reports for specific protocols (such as TCP, UDP and ICMP) only. SifoWorks generates session rate reports using statistics collected from the past 1 hour. You can also view history session rate reports that were generated using statistics from any previous 7-day interval. CONFIGURATION PROCEDURE: Each step below explains how to view each type of report via the SifoWorks UI. Step 1: Login to SifoWorks via a read-write or read-only administrator account. Step 2: From the left menu bar, select Reporter > Session Rate. Step 3: In this interface, select whether to display the chart showing the rate at which established sessions are created or the rate at which new sessions are created (Options). Step 4: Select the Protocol of the sessions that you want to view the graph for. Step 5: Select whether to view the graph for the last 1 hour or for any previous time interval up to 7 days. • To view report generated using statistics for the last
224. with abc: abc matches any character string containing abc. Indicates any single character. Example: abc matches all strings containing 4 characters that begin with abc. [Page header: User Manual for SifoWorks D Series Firewall, Chapter 4 Firewall Rule Management, OD1300UME01 1.3, p. 107] Special Character Expressions: SifoWorks also supports a set of special character expressions that allows administrators to express complicated contents. These expressions, normally made up of a combination of normal and wildcard characters, match one or multiple character strings. The table below lists and explains all special character expressions supported by SifoWorks. Expression / Explanation: Indicates that the character is to be matched as it is and not as a special character. Matches the starting position of the character string. Matches the ending position of the character string. X x: The characters enclosed in front of it can appear 0 or more times. For example, zo will match z, zo, zoo, etc. X x: The characters enclosed in front of it can appear one or more times. For example, zo will match zo, zoo, etc. However, it will not match z. X x: The characters enclosed in front of it can appear 0 or 1 time. For example, do es will match do or does. Matches any single character except n. To match the character set in
225. work attacks and enables SifoWorks to dynamically allow related connections to pass through the system. 1.3.2 Dynamic Interface Analysis: Certain protocols establish multiple independent data links. For example, the FTP protocol establishes separate data tunnels and command tunnels. First, a command tunnel is established. When users send a file request command via this tunnel, the FTP server and client negotiate the data tunnel's attributes, including source and destination interfaces, via the command tunnel. A data tunnel will then be established between server and client. Since the source and destination interfaces are dynamically assigned, the firewall cannot be pre-configured to accept such connections. Furthermore, the firewall must also be able to accept all related connections. SifoWorks' Helper module effectively identifies the attributes of related connections and notifies the security chip to establish a sub data link. Packets received by SifoWorks through the data tunnel will thus be accepted. The Helper module also performs NAT on the packet's payload. SifoWorks' Helper module includes support for various application layer protocols such as RTSP, H.323, FTP, PPTP, etc. 1.3.3 Internal Address Masking Capability Based on NAT and PAT: For most enterprises, the number of public IP addresses allocated is far less than the number required to assign an IP to each internal PC. Also, enterprises want to mask their internal IP addres
226. xample: admin1. How to Configure: Select the server from the drop-down menu. Range: All authentication servers added in the System > Auth Server interface. Default: LOCAL. How to Configure: Enter the value in the textbox. Range: Character string of length 6-15. Example: 12345678. [Page header: User Manual for SifoWorks D Series Firewall, Chapter 9 System Settings, OD1300UME01 1.3, p. 187] Field Name: Level. Explanation: Access authority for this account. The options include • read only: Able to view but not modify any system configurations. • readwrite: Able to view and modify system configurations except for management of other administrator accounts. Note: This is only available in the Add New AdminUser interface. Configuration: How to Configure: Select the access level from the drop-down menu. Range: • read only • readwrite. Default: read only. Field Name: Active. Explanation: Whether this administrator account can login to the system. Configuration: How to Configure: Check the checkbox to enable this account. Field Name: Enable OTP. Explanation: Whether this account can login via OTP method. For more information on OTP login, please refer to 22 System Login, Configuration Procedure: OTP Login. Configuration: How to Configure: Check the checkbox to enable OTP login. Login Management tab: Field Name: Re
227. xchange: Used to verify the peer host at the end of the IPsec connection and negotiate IKE SA and IPsec SA security policies. SA (Security Association): The security association negotiated between two end points of a connection determines how to securely transmit data within the connection via secured services. An IPsec VPN session goes through 5 main stages: 1. Determines the data packets that must be transmitted via the secured tunnel. 2. IKE phase one negotiation: The two peers of a connection negotiate an IKE SA to verify the two peers establishing the IPsec connection. During this phase, a secured tunnel is also created to be used to negotiate the IPsec SA during IKE phase two. 3. IKE phase two negotiation: IKE negotiates the IPsec SA parameters and establishes the IPsec SA between the two connection ends. 4. Data transfer: Establishes the IPsec tunnel for data to be securely transmitted between the two ends of the connection. 5. Terminate the IPsec VPN connection. [Page header: User Manual for SifoWorks D Series Firewall, Chapter 6 Virtual Private Networks, OD1300UME01 1.3, p. 119] PPTP (Point-to-Point Tunneling Protocol) VPN: Implements VPN using the PPTP protocol. PPTP VPN is only suitable for IP networks. Only 1 tunnel exists between any two end points of a PPTP VPN connection. L2TP (Layer 2 Tunneling Protocol) VPN: Implements VPN using the L2TP protocol. L2TP VPN is suitable for various types of networks, including IP, X.25, ATM and frame re
228. y Applying QoS in Filter Rules. Description: Activate QoS for some or all virtual ports. Specify the maximum bandwidth for each virtual port. Set up the bandwidth of each QoS priority level for the virtual ports. Select the incoming and outgoing interfaces' QoS priority level in filter rules. For details on configuring filter rules, please refer to 4.2 Managing Filter Rules. [Page header: User Manual for SifoWorks D Series Firewall, Chapter 7 Advanced Functions, OD1300UME01 1.3, pp. 149-150] APPLICATION EXAMPLE: In the network topology shown below, a system administrator wants to apply QoS on all traffic from WAN to DMZ. The maximum and guaranteed bandwidth for Virtual Port 2 and Virtual Port 3 are 60Mbps and 20Mbps respectively. [Topology figure: Internet; WAN 211.192.98.220; SifoWorks; LAN (Subnet 1 and Subnet 2, 192.168.1.0/24, behind LAN switches) and DMZ (10.1.1.0/24, with Server, Domain and DHCP servers)] The configuration procedure is as follows: Step 1: Login to SifoWorks via a read-write administrator account. Step 2: Enable QoS state for the virtual ports and specify the maximum bandwidth. 1. From the left menu bar, select Advance > QoS Setting. 2. Click the QoS Status tab to view the QoS State interface. Here, select the On State for VPort2 and VPort3. Set the