Sidewinder G2 6.1.2 Administration Guide - Glossary of Technical ...

ADMINISTRATION GUIDE

ADMINISTRATION GUIDE

Copyright
© 2006 Secure Computing Corporation. All rights reserved. No part of this publication may be reproduced, transmitted,
transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written
permission of Secure Computing Corporation.
Trademarks
Secure Computing, SafeWord, Sidewinder, Sidewinder G2, SmartFilter, Type Enforcement, SofToken, Enterprise Strong,
Mobile Pass, G2 Firewall, PremierAccess, SecureSupport, SecureOS, Bess and Strikeback are trademarks of Secure
Computing Corporation, registered in the U.S. Patent and Trademark Office and in other countries. G2 Enterprise Manager,
SmartReporter, On-Box, Application Defenses, RemoteAccess, Sentian, Securing connections between people, applications
and networks are trademarks of Secure Computing Corporation. All other trademarks, tradenames, service marks, service
names, product names, and images mentioned and/or used herein belong to their respective owners.
Software License Agreement
The following is a copy of the Software License Agreement as shown in the software:
CAREFULLY READ THE FOLLOWING TERMS AND CONDITIONS BEFORE LOADING THE SOFTWARE. BY CLICKING
“I ACCEPT” BELOW, OR BY INSTALLING, COPYING, OR OTHERWISE USING THE SOFTWARE, YOU ARE SIGNING
THIS AGREEMENT, THEREBY BECOMING BOUND BY ITS TERMS. IF YOU DO NOT AGREE WITH THIS AGREEMENT,
THEN CLICK “I DO NOT ACCEPT” BELOW AND RETURN ALL COPIES OF THE SOFTWARE AND DOCUMENTATION
TO SECURE COMPUTING CORPORATION (“SECURE COMPUTING”) OR THE RESELLER FROM WHOM YOU
OBTAINED THE SOFTWARE.
1. SOFTWARE PRODUCTS DEFINITION. “Software Product(s)” means (i) the machine-readable object-code versions of
the Sidewinder software contained in the media (the “Software”), (ii) the published user manuals and documentation that are
made available for the Software (the “Documentation”), and (iii) any updates or revisions of the Software or Documentation
that you may receive (the “Update”). Under no circumstances will you receive any source code of the Software.
2. GRANT OF LICENSE. Secure Computing grants to you, and you accept, a non-exclusive, and non-transferable license
(without right to sub-license) to use the Software Products as defined herein on a single machine.
3. LIMITATION OF USE. You may not: 1) copy, except to make one copy of the Software solely for back-up or archival
purposes; 2) transfer, distribute, rent, lease or sublicense all or any portion of the Software Product to any third party; 3)
translate, modify, adapt, decompile, disassemble, or reverse engineer any Software Product in whole or in part; or 4) modify
or prepare derivative works of the Software Products. You agree to keep confidential and use your best efforts to prevent and
protect the contents of the Software Product from unauthorized disclosure or use. Secure Computing reserves all rights that
are not expressly granted to you.
4. LIMITED SOFTWARE PRODUCT WARRANTY. Secure Computing warrants that the medium/media on which its
Software is recorded is/are free from defects in material and workmanship under normal use and service for a period of
ninety (90) days from the date of shipment to you.
Secure Computing does not warrant that the functions contained in the Software will meet your requirements or that
operation of the program will be uninterrupted or error-free. The Software is furnished “AS IS” and without warranty as to the
performance or results you may obtain by using the Software. The entire risk as to the results and performance of the
Software is assumed by you. If you do not receive media which is free from defects in materials and workmanship during
the 90-day warranty period, you will receive a refund for the amount paid for the Software Product returned.
5. DISCLAIMER OF WARRANTY AND LIMITATION OF REMEDIES. THE WARRANTIES STATED HEREIN ARE IN LIEU
OF ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, INCLUDING ANY WARRANTIES OF MERCHANTABILITY OR
FITNESS FOR A PARTICULAR PURPOSE. SOME STATES AND COUNTRIES DO NOT ALLOW THE EXCLUSION OF
IMPLIED WARRANTIES, SO THE ABOVE EXCLUSION MAY NOT APPLY TO YOU. THIS WARRANTY GIVES YOU
SPECIFIC LEGAL RIGHTS. YOU MAY HAVE OTHER RIGHTS WHICH VARY BY STATE OR COUNTRY.
SECURE COMPUTING'S AND ITS LICENSORS ENTIRE LIABILITY UNDER, FOR BREACH OF, OR ARISING OUT OF
THIS AGREEMENT, IS LIMITED TO A REFUND OF THE PURCHASE PRICE OF THE PRODUCT OR SERVICE THAT
GAVE RISE TO THE CLAIM. IN NO EVENT SHALL SECURE COMPUTING OR ITS LICENSORS BE LIABLE FOR YOUR
COST OF PROCURING SUBSTITUTE GOODS. IN NO EVENT WILL SECURE COMPUTING OR ITS LICENSORS BE
LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, INCIDENTAL, EXEMPLARY, OR OTHER DAMAGES
WHETHER OR NOT SECURE COMPUTING HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE.
6. TERM AND TERMINATION. This license is effective until terminated. You may terminate it at any time by destroying the
Software Product, including all computer programs and documentation, and erasing any copies residing on computer
equipment. This Agreement also will automatically terminate if you do not comply with any terms or conditions of this
Agreement. Upon such termination you agree to destroy the Software Product and erase all copies residing on computer
equipment.
i

ii
7. PROTECTION OF CONFIDENTIAL INFORMATION. The Software Product is delivered to you on a confidential basis and
you are responsible for employing reasonable measures to prevent the unauthorized disclosure or use thereof, which
measures shall not be less than those measures employed by you in protecting its own proprietary information. You may
disclose the Software Product to your employees as necessary for the use permitted under this Agreement. You shall not
remove any trademark, trade name, copyright notice or other proprietary notice from the Software Product.
8. OWNERSHIP. This Software is licensed (not sold) to you. All intellectual property rights including trademarks, service
marks, patents, copyrights, trade secrets, and other proprietary rights in or related to the Software Products are and will
remain the property of Secure Computing or its licensors, whether or not specifically recognized or protected under local law.
You will not remove any product identification, copyright notices, or other legends set forth on the Software Product.
9. EXPORT RESTRICTIONS. You agree to comply with all applicable United States export control laws, and regulations, as
from time to time amended, including without limitation, the laws and regulations administered by the United States
Department of Commerce and the United States Department of State. You have been advised that Software Products are
subject to the U.S. Export Administration Regulations. You shall not export, import or transfer Software Products contrary to
U.S. or other applicable laws, whether directly or indirectly, and will not cause, approve or otherwise facilitate others such as
agents or any third parties in doing so. You represent and agree that neither the United States Bureau of Export
Administration nor any other federal agency has suspended, revoked or denied your export privileges. You agree not to use
or transfer the Products for end use relating to any nuclear, chemical or biological weapons, or missile technology unless
authorized by the U.S. Government by regulation or specific license.
10. U.S. GOVERNMENT RIGHTS. Software Products furnished to the U.S. Government are provided on these commercial
terms and conditions as set forth in DFARS 227.7202-1(a).
11. ENTIRE AGREEMENT. This Agreement is our offer to license the Software Product to you exclusively on the terms set
forth in this Agreement, and is subject to the condition that you accept these terms in their entirety. If you have submitted (or
hereafter submit) different, additional, or other alternative terms to Secure Computing or any reseller or authorized dealer,
whether through a purchase order or otherwise, we object to and reject those terms. Without limiting the generality of the
foregoing, to the extent that you have submitted a purchase order for the Software Product, any shipment to you of the
Software Product is not an acceptance of your purchase order, but rather is a counteroffer subject to your acceptance of this
Agreement without any objections or modifications by you. To the extent that we are deemed to have formed a contract with
you related to the Software Product prior to your acceptance of this Agreement, this Agreement shall govern and shall be
deemed to be a modification of any prior terms in their entirety.
12. GENERAL. Any waiver of or modification to the terms of this Agreement will not be effective unless executed in writing
and signed by Secure Computing. If any provision of this Agreement is held to be unenforceable, in whole or in part, such
holding shall not affect the validity of the other provisions of this Agreement. You may not assign this License or any
associated transactions without the written consent of Secure Computing. This License shall be governed by and construed
in accordance with the laws of California, without regard to its conflicts of laws provisions.

Other Terms and Conditions
This product contains software developed by the Net-SNMP project. Copyright © 1989, 1991, 1992 by Carnegie Mellon
University. Copyright © 1996, 1998-2000 The Regents of the University of California. All Rights Reserved. Copyright © 2001-
2002, Networks Associates Technology, Inc. All rights reserved. Portions of this code are copyright © 2001-2002, Cambridge
Broadband Ltd. All rights reserved.
This product contains software developed through the Internet Software Consortium (http://www.isc.org).
Copyright © 1996-2001 Internet Software Consortium. Portions Copyright © 1996-2001 Nominum, Inc.
This product contains software developed by Sendmail, Inc. Copyright © 1998-2001 Sendmail, Inc. All rights reserved.
This product includes software and algorithms developed by RSA Data Security Inc.
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com).
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit.
(http://www.openssl.org) Copyright © 1998-2000 The OpenSSL Project. All rights reserved.
This product includes software developed by the Apache Group for use in the Apache HTTP server project
(http://www.apache.org/).
This product utilizes MySQL (http://www.mysql.com/). Copyright © 1995, 1996, 2000 TcX AB & Monty Program KB & Detron
Stockholm SWEDEN, Helsingfors FINLAND and Uppsala SWEDEN. All rights reserved.
This product incorporates compression code from the Info-ZIP group. There are no extra charges or costs due to the use of
this code, and the original compression sources are freely available from http://www.cdrom.com/pub/infozip/ or
ftp://ftp.cdrom.com/pub/infozip/ on the Internet.
This product includes software developed at the Information Technology Division, US Naval Research Laboratory. Copyright
1995 US Naval Research Laboratory (NRL). All Rights Reserved.
This product includes software developed by the University of California, Berkeley and its contributors.
Copyright © 1991, 1992, 1993, 1994, 1995, 1996 Berkeley Software Design Inc. Copyright © 1997, 1998, 1999, 2000, 2001
Berkeley Software Design Inc. All rights reserved. Copyright © 2001 Wind River Systems, Inc. All rights reserved.
This product uses unmodified GNU software. GNU source code is available on request by contacting Secure Computing.
Pine and Pico are registered trademarks of the University of Washington. No commercial use of these trademarks may be
made without prior written permission of the University of Washington. Pine, Pico, and Pilot software and its included text are
Copyright 1989-1996 by the University of Washington.
iii

Technical Support information
Secure Computing works closely with our Channel Partners to offer worldwide Technical Support services. If you purchased
this product through a Secure Computing Channel Partner, please contact your reseller directly for support needs.
iv
To contact Secure Computing Technical Support directly, telephone +1.800.700.8328 or +1.651.628.1500. If you prefer, send
an e-mail to support@securecomputing.com. To inquire about obtaining a support contract, refer to our “Contact Secure” Web
page for the latest information at www.securecomputing.com.
Customer Advocate information
To suggest enhancements in a product or service, or to request assistance in resolving a problem, please contact a Customer
Advocate at +1.877.851.9080. If you prefer, send an e-mail to customer_advocate@securecomputing.com.
If you have comments or suggestions you would like to make regarding this document or any other Secure Computing
document, please send an e-mail to techpubs@securecomputing.com.
Printing history
Date Part number Software release
February 2004 SWOP-MN-ADMN61-A Sidewinder G2, Version 6.1
May 2004 SWOP-MN-ADMN61-B Sidewinder G2, Version 6.1.0.02
February 2005 SWOP-MN-ADMN61-C Sidewinder G2, Version 6.1.1
March 2006 SWOP-MN-ADMN61-D Sidewinder G2, Version 6.1.2

CONTENTS
Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix
Who should read this guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix
Where to find additional information . . . . . . . . . . . . . . . . . . . . . . . . . . xix
Online help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi
Reference materials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi
Typographical conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxii
CHAPTER 1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1
What is the Sidewinder G2 Security Appliance? . . . . . . . . . . . . . . . . . .2
Sidewinder G2 management options . . . . . . . . . . . . . . . . . . . . . . . . . . .3
The Type Enforced environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4
Sidewinder G2 kernels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4
How Type Enforcement works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5
Type Enforcement’s effects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8
Additional Sidewinder G2 operating characteristics . . . . . . . . . . . . . . . .8
Burbs and network stack separation . . . . . . . . . . . . . . . . . . . . . . . . . .8
Proxy software and access control . . . . . . . . . . . . . . . . . . . . . . . . . .10
IP filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11
daemond . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12
Network Services Sentry (NSS) . . . . . . . . . . . . . . . . . . . . . . . . . . . .15
CHAPTER 2 Administrator’s Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . .17
Administration interface options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18
Admin Console basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19
Starting and exiting the Admin Console . . . . . . . . . . . . . . . . . . . . . .19
Adding a Sidewinder G2 to the Admin Console . . . . . . . . . . . . . . . .20
Connecting to a Sidewinder G2 via the Admin Console . . . . . . . . . .21
About the main Admin Console window . . . . . . . . . . . . . . . . . . . . . .23
Admin Console conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25
Using the Admin Console File Editor . . . . . . . . . . . . . . . . . . . . . . . . . .26
Opening and saving files in the File Editor . . . . . . . . . . . . . . . . . . . .27
Creating a backup file in the File Editor . . . . . . . . . . . . . . . . . . . . . .27
Restoring a file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .28
Using the Find/Replace option . . . . . . . . . . . . . . . . . . . . . . . . . . . . .29
Administering Sidewinder G2 using Secure Shell . . . . . . . . . . . . . . . .30
v

Table of Contents
vi
Configuring the Sidewinder G2 as an SSH server . . . . . . . . . . . . . . 30
Configuring and using the Sidewinder G2 as an SSH client . . . . . . 33
Configuring the SSH using the Admin Console . . . . . . . . . . . . . . . . 35
Tips on using SSH with Sidewinder G2 . . . . . . . . . . . . . . . . . . . . . . 36
Administering Sidewinder G2 using Telnet . . . . . . . . . . . . . . . . . . . . . 36
Setting up an internal (trusted) Telnet server . . . . . . . . . . . . . . . . . . 36
Setting up an external Telnet server . . . . . . . . . . . . . . . . . . . . . . . . 37
Connecting to the Sidewinder G2 using Telnet . . . . . . . . . . . . . . . . 38
CHAPTER 3 General System Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Restarting or shutting down the system . . . . . . . . . . . . . . . . . . . . . . . 40
Powering on the system to the Operational kernel . . . . . . . . . . . . . 40
Rebooting or shutting down using the Admin Console . . . . . . . . . . 41
Rebooting or shutting down using a command line interface . . . . . . 42
Setting up and maintaining administrator accounts . . . . . . . . . . . . . . . 43
Viewing administrator accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Adding or modifying an administrator account . . . . . . . . . . . . . . . . . 45
Changing passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Setting the system date and time . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Viewing/changing the date and time . . . . . . . . . . . . . . . . . . . . . . . . 47
Changing the date or time using the config_time utility . . . . . . . . . . 48
Using system roles to access type enforced domains . . . . . . . . . . . . 49
Checking which kernel you are running (uname) . . . . . . . . . . . . . . . 49
Checking which domain you are using (whereami) . . . . . . . . . . . . . 49
Changing your domain access using the srole command . . . . . . . . 49
Configuration file backup and restore . . . . . . . . . . . . . . . . . . . . . . . . . 50
Overview of configuration file backup and restore . . . . . . . . . . . . . . 50
Backing up and restoring config files using the Admin Console . . . 52
Activating the Sidewinder G2 license . . . . . . . . . . . . . . . . . . . . . . . . . 55
Licensing from a Sidewinder G2 connected to the Internet . . . . . . . 56
Licensing from a Sidewinder G2 on an isolated network . . . . . . . . . 56
Configuring the Firewall License tabs . . . . . . . . . . . . . . . . . . . . . . . 58
Displaying the status of features on Sidewinder G2 . . . . . . . . . . . . 62
Protected host licensing and the Host Enrollment List . . . . . . . . . . . . 62
How hosts are calculated . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Displaying and modifying the Host Enrollment List . . . . . . . . . . . . . 64
Enabling and disabling servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Configuring the synchronization server . . . . . . . . . . . . . . . . . . . . . . . . 68
Configuring virus scanning services . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Configuring the shund server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Loading and installing patches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Viewing currently installed patches . . . . . . . . . . . . . . . . . . . . . . . . . 77
Loading a patch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Installing a patch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Modifying the burb configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Modifying the interface configuration . . . . . . . . . . . . . . . . . . . . . . . . . . 83

Table of Contents
Modifying the static route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .90
Configuring Admin Console access . . . . . . . . . . . . . . . . . . . . . . . . . . .91
Configuring the Sidewinder G2 to use a UPS . . . . . . . . . . . . . . . . . . .93
Configuring the Sidewinder G2 to use a UPS . . . . . . . . . . . . . . . . . .93
Enabling/disabling the UPS server . . . . . . . . . . . . . . . . . . . . . . . . . .95
Enforcing FIPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .95
CHAPTER 4 Understanding Policy Configuration . . . . . . . . . . . . . . . . . . .97
Policy configuration basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .98
An example of traffic being processed by the active rules . . . . . . .100
Ordering proxy rules within a rule group . . . . . . . . . . . . . . . . . . . . .101
Rule elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .103
Planning for rule elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .103
Users and user groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .104
Network objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .105
Service groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .108
Application Defenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .109
Proxy rule basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .112
Basic criteria used to allow or deny a connection . . . . . . . . . . . . . .112
Optional criteria used to allow or deny a connection . . . . . . . . . . .113
Using NAT and redirection in proxy rules . . . . . . . . . . . . . . . . . . . .114
Simple proxy rule examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .115
Example of proxy rules using netgroups . . . . . . . . . . . . . . . . . . . . .116
Advanced proxy rule example using service groups . . . . . . . . . . . .118
Default rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .120
IP Filter rule basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .121
How traffic is filtered if stateful packet inspection is enabled . . . . .122
How traffic is filtered if stateful packet inspection is not enabled . .124
Using NAT and redirection for IP Filter rules . . . . . . . . . . . . . . . . .125
Sharing IP Filter sessions in an HA cluster . . . . . . . . . . . . . . . . . . .128
Specifying the number of TCP or UDP IP Filter sessions . . . . . . . .129
CHAPTER 5 Creating Rule Elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . .131
Creating users and user groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . .132
Configuring users or user groups . . . . . . . . . . . . . . . . . . . . . . . . . .133
Managing user group membership . . . . . . . . . . . . . . . . . . . . . . . . .138
Creating network objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .139
Displaying network objects and netgroups . . . . . . . . . . . . . . . . . . .139
Configuring domain objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .142
Configuring host objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .143
Configuring IP address objects . . . . . . . . . . . . . . . . . . . . . . . . . . . .145
Configuring netmaps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .145
Configuring subnet objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .147
Configuring netgroup objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . .148
Managing netgroup membership . . . . . . . . . . . . . . . . . . . . . . . . . .149
Creating service groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .150
vii

Table of Contents
CHAPTER 6 Configuring Application Defenses . . . . . . . . . . . . . . . . . . . 153
Viewing Application Defense information . . . . . . . . . . . . . . . . . . . . . 154
Creating Web or Secure Web Application Defenses . . . . . . . . . . . . . 156
Configuring the Web/Secure Web Enforcements tab . . . . . . . . . . 156
Configuring the Web/Secure Web URL Control tab . . . . . . . . . . . . 160
Configuring the Web/Secure Web HTTP Request tab . . . . . . . . . . 162
Configuring the Web/Secure Web HTTP Reply tab . . . . . . . . . . . . 163
Configuring the Web/Secure Web MIME/Virus/Spyware tab . . . . . 165
Configuring the Web/Secure Web Content Control tab . . . . . . . . . 168
Configuring the Web/Secure Web SmartFilter tab . . . . . . . . . . . . . 169
Configuring the Web/Secure Web Connection tab . . . . . . . . . . . . 169
Creating Web Cache Application Defenses . . . . . . . . . . . . . . . . . . . 170
Creating Mail (Sendmail) Application Defenses . . . . . . . . . . . . . . . . 172
Configuring the Mail (Sendmail) Control tab . . . . . . . . . . . . . . . . . 172
Configuring the Mail (Sendmail) Size tab . . . . . . . . . . . . . . . . . . . . 174
Configuring the Mail (Sendmail) Keyword Search tab . . . . . . . . . . 174
Configuring the Mail (Sendmail) MIME/Virus/Spyware tab . . . . . . 177
Creating Mail (SMTP proxy) Defenses . . . . . . . . . . . . . . . . . . . . . . . 181
Configuring the Mail (SMTP proxy) Enforcements tab . . . . . . . . . . 181
Configuring the Mail (SMTP proxy) Commands tab . . . . . . . . . . . . 182
Configuring the Mail (SMTP proxy) Destination Address tab . . . . . 183
Configuring the Mail (SMTP proxy) Connections tab . . . . . . . . . . . 184
Creating Citrix Application Defenses . . . . . . . . . . . . . . . . . . . . . . . . . 185
Configuring the Citrix Enforcements tab . . . . . . . . . . . . . . . . . . . . 185
Configuring the Citrix Filters tab . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
Configuring the Citrix Connections tab . . . . . . . . . . . . . . . . . . . . . . 186
Creating FTP Application Defenses . . . . . . . . . . . . . . . . . . . . . . . . . 186
Configuring the FTP Enforcements tab . . . . . . . . . . . . . . . . . . . . . 187
Configuring the FTP Command Filter tab . . . . . . . . . . . . . . . . . . . 187
Configuring the FTP Virus/Spyware tab . . . . . . . . . . . . . . . . . . . . . 188
Configuring the FTP Connection tab . . . . . . . . . . . . . . . . . . . . . . . 190
Creating IIOP Application Defenses . . . . . . . . . . . . . . . . . . . . . . . . . 191
Creating Multimedia Application Defenses . . . . . . . . . . . . . . . . . . . . 192
Configuring the Multimedia General tab . . . . . . . . . . . . . . . . . . . . . 192
Configuring the H.323 Filter tab . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Configuring the T120 Filter tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
Configuring the Multimedia Connection tab . . . . . . . . . . . . . . . . . . 194
Creating Oracle Application Defenses . . . . . . . . . . . . . . . . . . . . . . . 194
Configuring the Oracle Enforcements tab . . . . . . . . . . . . . . . . . . . 195
Configuring the Service Name (SID) tab . . . . . . . . . . . . . . . . . . . . 195
Configuring the Oracle Connection tab . . . . . . . . . . . . . . . . . . . . . 196
Creating MS SQL Application Defenses . . . . . . . . . . . . . . . . . . . . . . 196
Creating SOCKS Application Defenses . . . . . . . . . . . . . . . . . . . . . . 197
Configuring the SOCKS 5 Filter tab . . . . . . . . . . . . . . . . . . . . . . . . 197
Configuring the SOCKS Connections tab . . . . . . . . . . . . . . . . . . . 197
Creating SNMP Application Defenses . . . . . . . . . . . . . . . . . . . . . . . . 198
viii

Table of Contents
Configuring the SNMP Filter tab . . . . . . . . . . . . . . . . . . . . . . . . . . .198
Configuring the SNMP v1 tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . .199
Configuring the SNMP Connection tab . . . . . . . . . . . . . . . . . . . . . .201
Creating Standard Application Defenses . . . . . . . . . . . . . . . . . . . . . .201
Configuring the Standard Connections tab . . . . . . . . . . . . . . . . . . .201
Configuring Application Defense groups . . . . . . . . . . . . . . . . . . . . . .202
Configuring the Application Defense groups window . . . . . . . . . . .202
Configuring connection properties . . . . . . . . . . . . . . . . . . . . . . . . . . .203
Configuring connection ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . .205
CHAPTER 7 Configuring Network Defenses . . . . . . . . . . . . . . . . . . . . . . .207
Viewing Network Defense information . . . . . . . . . . . . . . . . . . . . . . . .208
Configuring the TCP Network Defense . . . . . . . . . . . . . . . . . . . . . . .210
Configuring the IP Network Defense . . . . . . . . . . . . . . . . . . . . . . . . .212
Configuring the UDP Network Defense . . . . . . . . . . . . . . . . . . . . . . .213
Configuring the ICMP Network Defense . . . . . . . . . . . . . . . . . . . . . .215
Configuring the ARP Network Defense . . . . . . . . . . . . . . . . . . . . . . .217
CHAPTER 8 Creating Rules and Rule Groups . . . . . . . . . . . . . . . . . . . . .219
Viewing rules and rule groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .220
Creating proxy rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .222
Creating IP Filter rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .228
Creating and managing rule groups . . . . . . . . . . . . . . . . . . . . . . . . . .236
Creating a rule group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .236
Managing rules and nested groups within a rule group . . . . . . . . .237
Selecting your active policy rules . . . . . . . . . . . . . . . . . . . . . . . . . . . .239
Viewing the active policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .239
Modifying the active rule groups . . . . . . . . . . . . . . . . . . . . . . . . . . .240
Viewing and modifying general IP Filter properties . . . . . . . . . . . . .241
CHAPTER 9 Configuring Proxies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .243
Proxy basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .244
Configuring advanced proxy parameters on a per-rule basis using
Application Defenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .245
Improving performance using Fast Path Sessions . . . . . . . . . . . . .245
Proxy session limits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .246
Redirected proxy connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .247
Address redirection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .247
Port redirection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .249
Standard Sidewinder G2 proxies . . . . . . . . . . . . . . . . . . . . . . . . . . . .250
Using other proxies on the Sidewinder G2 . . . . . . . . . . . . . . . . . . . . .254
Transparent & non-transparent proxies . . . . . . . . . . . . . . . . . . . . . . .254
Notes on selected proxy configurations . . . . . . . . . . . . . . . . . . . . . . .255
Notes on using the Telnet proxy . . . . . . . . . . . . . . . . . . . . . . . . . . .255
Notes on using the FTP proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . .257
HTTP/HTTPS considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . .259
ix

Table of Contents
x
ICA proxy considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
Sun RPC proxy considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
Usenet News proxy configurations . . . . . . . . . . . . . . . . . . . . . . . . . 260
T.120 and H.323 proxy considerations . . . . . . . . . . . . . . . . . . . . . 262
Notes on using the DNS proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
Configuring proxies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
Setting up a new proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
Configuring connection ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
Configuring an SNMP port definition . . . . . . . . . . . . . . . . . . . . . . . 271
TCP maximum segment size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
CHAPTER 10 Setting Up Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . 273
Authentication overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
Proxy authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
Administrator authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
Weak versus strong authentication . . . . . . . . . . . . . . . . . . . . . . . . 275
Supported authentication methods . . . . . . . . . . . . . . . . . . . . . . . . . . 277
Standard password authentication . . . . . . . . . . . . . . . . . . . . . . . . . 278
SafeWord authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
LDAP/Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
Windows Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
SNK (SecureNet Key)/Symantec Defender authentication . . . . . . 281
SecurID authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
RADIUS authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
Authentication process overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
Users, groups, and authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
Configuring authentication services . . . . . . . . . . . . . . . . . . . . . . . . . 284
Setting up LDAP authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
Setting up password authentication . . . . . . . . . . . . . . . . . . . . . . . . 291
Setting up RADIUS authentication . . . . . . . . . . . . . . . . . . . . . . . . . 292
Setting up SafeWord authentication . . . . . . . . . . . . . . . . . . . . . . . . 294
Setting up SecurID authentication . . . . . . . . . . . . . . . . . . . . . . . . . 295
Setting up SecureNet Key (SNK) authentication . . . . . . . . . . . . . . 296
Setting up Windows Domain authentication . . . . . . . . . . . . . . . . . . 298
Configuring SSO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
Setting up authentication for services . . . . . . . . . . . . . . . . . . . . . . . . 303
Special authentication notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
Setting up authentication for Web sessions . . . . . . . . . . . . . . . . . . . 305
Setting up authentication for administrators . . . . . . . . . . . . . . . . . . . 306
Allowing users to change their passwords . . . . . . . . . . . . . . . . . . . . 306
How users can change their own password . . . . . . . . . . . . . . . . . . . 308
CHAPTER 11 DNS (Domain Name System) . . . . . . . . . . . . . . . . . . . . . . . . 311
What is DNS? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
About transparent DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
About Sidewinder hosted DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313

Table of Contents
About mail exchanger records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .314
Configuring the internal network to use hosted DNS . . . . . . . . . . . . .315
Enabling and disabling your DNS server(s) . . . . . . . . . . . . . . . . . . . .316
Using master and slave servers in your network . . . . . . . . . . . . . .316
Determining the number of DNS servers defined on Sidewinder G2
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .316
Enabling and disabling hosted DNS servers . . . . . . . . . . . . . . . . .317
Advanced configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .317
Managing your current DNS configuration . . . . . . . . . . . . . . . . . . . . .318
Configuring transparent name servers . . . . . . . . . . . . . . . . . . . . . . . .318
Configuring hosted DNS servers . . . . . . . . . . . . . . . . . . . . . . . . . . . .320
Configuring the Server Configuration tab . . . . . . . . . . . . . . . . . . . .322
Configuring the Zones tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .325
Using the Master Zone Attributes tab . . . . . . . . . . . . . . . . . . . . . . .329
Using the Master Zone Contents tab . . . . . . . . . . . . . . . . . . . . . . .333
Reconfiguring DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .336
Reconfiguring transparent DNS . . . . . . . . . . . . . . . . . . . . . . . . . . .338
Reconfiguring single server hosted DNS . . . . . . . . . . . . . . . . . . . .339
Reconfiguring split server hosted DNS . . . . . . . . . . . . . . . . . . . . . .340
Manually editing DNS configuration files . . . . . . . . . . . . . . . . . . . . . .342
DNS message logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .343
CHAPTER 12 Electronic Mail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .345
Overview of e-mail on Sidewinder G2 . . . . . . . . . . . . . . . . . . . . . . . .346
Mail server configuration options . . . . . . . . . . . . . . . . . . . . . . . . . .346
Mail filtering services on Sidewinder G2 . . . . . . . . . . . . . . . . . . . . .348
Sendmail differences on Sidewinder G2 . . . . . . . . . . . . . . . . . . . . .349
Administering mail on Sidewinder G2 . . . . . . . . . . . . . . . . . . . . . . . .350
Viewing administrator mail messages on Sidewinder G2 . . . . . . . .350
Reconfiguring mail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .351
Managing sendmail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .353
Editing the mail configuration files . . . . . . . . . . . . . . . . . . . . . . . . . . .354
Configuring advanced anti-spam and anti-fraud options . . . . . . . . . .356
Configuring the Whitelist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .356
Configuring the policy.cfg file . . . . . . . . . . . . . . . . . . . . . . . . . . . . .359
Redirecting mail to a different destination . . . . . . . . . . . . . . . . . . . . .364
Creating a .forward file in a user’s home directory . . . . . . . . . . . . .364
Creating a .forward file in the root directory . . . . . . . . . . . . . . . . . .365
Other sendmail features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .365
Configuring sendmail to strip message headers . . . . . . . . . . . . . . .366
Configuring sendmail to use the RealTime Blackhole list . . . . . . . .367
Sendmail and promiscuous relaying . . . . . . . . . . . . . . . . . . . . . . . .368
Allowing or denying mail on a user basis . . . . . . . . . . . . . . . . . . . .369
Changing mail aliases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .369
Managing mail queues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .370
xi

Table of Contents
CHAPTER 13 Setting Up Web Services . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
An overview of Web services on Sidewinder G2 . . . . . . . . . . . . . . . . 374
Web access for users on your internal network . . . . . . . . . . . . . . . 374
Access to your Web server by untrusted external users . . . . . . . . 374
Access to your internal network by trusted external users . . . . . . . 375
Implementation options for Web access . . . . . . . . . . . . . . . . . . . . . . 376
Using the HTTP proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378
Setting up Web access using the HTTP proxy . . . . . . . . . . . . . . . . 379
Setting up clientless VPN access for trusted remote users . . . . . . 379
Using the Web proxy server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
Setting up Web access using the Web proxy server . . . . . . . . . . . 382
Error messages when using the Web proxy server . . . . . . . . . . . . 382
Configuring the Web proxy server . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
Configuring caching options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385
Configuring HTTP filtering options . . . . . . . . . . . . . . . . . . . . . . . . . 386
Manually editing the configuration file . . . . . . . . . . . . . . . . . . . . . . 387
Configuring browsers for the Web proxy server . . . . . . . . . . . . . . . . 389
Mozilla Firefox 1.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389
Internet Explorer 4.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389
Internet Explorer 5.x/6.x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390
Netscape version 6.x/7.x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390
Certain browsers on UNIX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
CHAPTER 14 Configuring Virtual Private Networks . . . . . . . . . . . . . . . . . 393
Sidewinder G2 VPN overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394
An introduction to IPSec technology . . . . . . . . . . . . . . . . . . . . . . . 395
VPN configuration options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
Configuring hardware acceleration for VPN . . . . . . . . . . . . . . . . . . 398
Configuring a VPN client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
Extended Authentication for VPN . . . . . . . . . . . . . . . . . . . . . . . . . . 399
What type of VPN authentication should I use? . . . . . . . . . . . . . . . 400
Configuring the ISAKMP server . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402
Allowing access to the ISAKMP server . . . . . . . . . . . . . . . . . . . . . 403
Configuring the Certificate server . . . . . . . . . . . . . . . . . . . . . . . . . . . 404
Understanding virtual burbs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
Creating and using a virtual burb with a VPN . . . . . . . . . . . . . . . . 407
Configuring client address pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
Configuring a new client address pool . . . . . . . . . . . . . . . . . . . . . . 408
Configuring the Subnets tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410
Configuring the DNS and/or WINS servers . . . . . . . . . . . . . . . . . . 411
Configuring the fixed IP map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
Configuring Certificate Management . . . . . . . . . . . . . . . . . . . . . . . . . 415
Understanding Distinguished Name syntax . . . . . . . . . . . . . . . . . . 416
Selecting a trusted source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419
Configuring and displaying CA root certificates . . . . . . . . . . . . . . . 420
Configuring and displaying Remote Identities . . . . . . . . . . . . . . . . 422
xii

Table of Contents
Configuring and displaying firewall certificates . . . . . . . . . . . . . . . .424
Configuring and displaying remote certificates . . . . . . . . . . . . . . . .427
Assigning new certificates for Admin Console and synchronization
services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .430
Importing and exporting certificates . . . . . . . . . . . . . . . . . . . . . . . . . .431
Loading manual remote or firewall certificates . . . . . . . . . . . . . . . .431
Importing a firewall certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . .432
Importing a remote certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . .434
Exporting remote or firewall certificates . . . . . . . . . . . . . . . . . . . . .435
Configuring VPN Security Associations . . . . . . . . . . . . . . . . . . . . . . .438
Displaying and configuring a VPN Security Association . . . . . . . . .438
Defining a VPN Security Association . . . . . . . . . . . . . . . . . . . . . . .440
Example VPN Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .450
Scenario 1: G2-to-G2 VPN via shared password . . . . . . . . . . . . . .451
Scenario 2: Simple deployment of remote users . . . . . . . . . . . . . .452
Scenario 3: Large scale deployment of clients . . . . . . . . . . . . . . . .456
CHAPTER 15 Configuring the SNMP Agent . . . . . . . . . . . . . . . . . . . . . . . .463
SNMP and Sidewinder G2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .464
SNMP basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .464
Setting up the SNMP agent on Sidewinder G2 . . . . . . . . . . . . . . . . .467
Enabling/disabling the SNMP server . . . . . . . . . . . . . . . . . . . . . . .469
About the management station . . . . . . . . . . . . . . . . . . . . . . . . . . . . .470
Communication with systems in an external network . . . . . . . . . . . .471
CHAPTER 16 One-To-Many Clusters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .473
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .474
Considerations when using One-To-Many . . . . . . . . . . . . . . . . . . .475
Example scenario using a One-To-Many cluster . . . . . . . . . . . . . . . .476
Example scenario requirements . . . . . . . . . . . . . . . . . . . . . . . . . . .476
Configuring One-To-Many . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .477
Configuring a dedicated cluster burb for each Sidewinder G2 . . . .477
Configuring the primary in a new One-To-Many cluster . . . . . . . . .478
Adding a secondary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .479
Joining a secondary to an existing One-To-Many cluster . . . . . . . .480
Viewing the status of a One-To-Many cluster . . . . . . . . . . . . . . . . .481
Changing the primary in a One-To-Many cluster . . . . . . . . . . . . . .482
Removing Sidewinder G2s from a One-To-Many cluster . . . . . . . .483
Understanding the One-To-Many tree structure . . . . . . . . . . . . . . . .484
CHAPTER 17 High Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .487
How High Availability works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .488
HA configuration options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .489
Load sharing HA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .489
Failover HA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .490
Configuring HA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .492
xiii

Table of Contents
xiv
Configuring the heartbeat burbs . . . . . . . . . . . . . . . . . . . . . . . . . . . 493
Configuring Sidewinder G2 for HA . . . . . . . . . . . . . . . . . . . . . . . . . 493
Joining a Sidewinder G2 to an existing HA cluster . . . . . . . . . . . . 498
Enabling and disabling load sharing for an HA cluster . . . . . . . . . . 500
Removing a Sidewinder G2 from an HA cluster . . . . . . . . . . . . . . . 501
Understanding the HA cluster tree structure . . . . . . . . . . . . . . . . . . . 502
Managing an HA cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 503
Modifying HA common parameters . . . . . . . . . . . . . . . . . . . . . . . . 504
Modifying HA local parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . 508
Scheduling a soft shutdown for an HA cluster Sidewinder G2 . . . . 510
Connecting directly to a secondary/standby . . . . . . . . . . . . . . . . . 511
CHAPTER 18 Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 513
Monitoring Sidewinder G2 status using the dashboard . . . . . . . . . . . 514
Viewing device information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515
Viewing network traffic information . . . . . . . . . . . . . . . . . . . . . . . . . . 518
Viewing IPS attack and system event summaries . . . . . . . . . . . . . . . 521
Understanding audit event severities . . . . . . . . . . . . . . . . . . . . . . . 521
Viewing the summary statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . 522
Monitoring Sidewinder G2 status using the command line . . . . . . . . 525
Checking system status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525
Checking network status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 527
CHAPTER 19 Auditing and Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . 531
Overview of the audit process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 532
Auditing on the Sidewinder G2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 533
Understanding audit file names . . . . . . . . . . . . . . . . . . . . . . . . . . . 534
Viewing audit information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 534
Exporting audit data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 538
Filtering audit data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 539
Creating custom audit filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 544
Understanding audit messages . . . . . . . . . . . . . . . . . . . . . . . . . . . 547
Logging application messages using syslog . . . . . . . . . . . . . . . . . . . 548
Redirecting audit output to a syslog server . . . . . . . . . . . . . . . . . . 549
Viewing syslog messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 550
Generating reports using the Admin Console . . . . . . . . . . . . . . . . . . 551
About the Reports window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 552
Viewing auto-generated reports . . . . . . . . . . . . . . . . . . . . . . . . . . . 557
Generating exportable reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . 558
Generating reports using Sidewinder G2 Security Reporter . . . . . . . 559
Formatting & exporting audit data for use with external tools . . . . . . 560
Overview of supported log file formats . . . . . . . . . . . . . . . . . . . . . . 560
Using Sidewinder G2 formatting and exporting tools . . . . . . . . . . . 561

Table of Contents
CHAPTER 20 IPS Attack and System Event Responses . . . . . . . . . . . . . .563
Overview of attack and system event responses . . . . . . . . . . . . . . . .564
Creating IPS attack responses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .564
Modifying an IPS attack response . . . . . . . . . . . . . . . . . . . . . . . . .566
Configuring the e-mail settings . . . . . . . . . . . . . . . . . . . . . . . . . . . .571
Creating system responses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .572
Modifying a system response . . . . . . . . . . . . . . . . . . . . . . . . . . . . .573
Configuring the e-mail settings . . . . . . . . . . . . . . . . . . . . . . . . . . . .577
Configuring new event types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .578
Ignoring network probe attempts . . . . . . . . . . . . . . . . . . . . . . . . . . . .578
Sidewinder G2 SNMP traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .579
APPENDIX A Command Line Reference . . . . . . . . . . . . . . . . . . . . . . . . . . .583
Overview of cf . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .584
Summary of cf structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .584
Working with files on the Sidewinder G2 . . . . . . . . . . . . . . . . . . . . . .594
Changing your default editor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .594
About editing Sidewinder G2 files . . . . . . . . . . . . . . . . . . . . . . . . . .595
Checking file and directory permissions (ls) . . . . . . . . . . . . . . . . . .595
Changing a file’s type (chtype) . . . . . . . . . . . . . . . . . . . . . . . . . . . .596
Creating your own scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .597
Understanding automatic (cron) jobs . . . . . . . . . . . . . . . . . . . . . . . . .598
/etc/daily . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .598
/etc/weekly . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .598
/etc/monthly . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .599
Rollaudit cron jobs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .599
Spamfilter cron job . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .599
SmartFilter 3.x cron job . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .600
Monitor data retrieval cron job . . . . . . . . . . . . . . . . . . . . . . . . . . . .600
Report generating cron jobs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .600
Squid log rotation cron job . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .600
CRL and certificate retrieval cron job . . . . . . . . . . . . . . . . . . . . . . .601
Anti-virus DAT file cron job . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .601
Package download cron job . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .601
Export utility cron job . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .601
Logcheck cron job . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .601
APPENDIX B Setting Up Network Time Protocol . . . . . . . . . . . . . . . . . . . .593
Overview of NTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .594
NTP servers and clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .594
The Sidewinder G2 as an NTP client . . . . . . . . . . . . . . . . . . . . . . .595
The Sidewinder G2 as an NTP server . . . . . . . . . . . . . . . . . . . . . .595
Configuring NTP on a Sidewinder G2 . . . . . . . . . . . . . . . . . . . . . . . .597
Configuring the Sidewinder G2 as an NTP client . . . . . . . . . . . . . .597
Configuring the Sidewinder G2 as an NTP server . . . . . . . . . . . . .598
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .599
xv

Table of Contents
xvi
Internet Request For Comments (RFC) . . . . . . . . . . . . . . . . . . . . . 599
Web Sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 600
On-line manual (man) pages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 600
APPENDIX C Configuring Dynamic Routing with OSPF . . . . . . . . . . . . . . 601
Overview of OSPF routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 602
A closer look at OSPF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 602
OSPF routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 603
OSPF processing on a Sidewinder G2 . . . . . . . . . . . . . . . . . . . . . . . 604
Sidewinder G2 in an OSPF network topology . . . . . . . . . . . . . . . . 605
Interoperability with other OSPF routers . . . . . . . . . . . . . . . . . . . . 606
Other routing protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 606
Setting up OSPF routing on the Sidewinder G2 . . . . . . . . . . . . . . . . 606
Configuring OSPF properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 607
Configuring OSPF Areas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 608
Configuring Advanced options . . . . . . . . . . . . . . . . . . . . . . . . . . . . 611
Configuring "passive" OSPF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 612
Other implementation details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 612
APPENDIX D Configuring Dynamic Routing with RIP. . . . . . . . . . . . . . . . 613
RIP with standard IP routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 614
RIP processing on the Sidewinder G2 . . . . . . . . . . . . . . . . . . . . . . . 615
RIP with Sidewinder G2 using transparent IP addressing . . . . . . . . . 616
RIP with Sidewinder G2 not using transparent IP addressing . . . . . . 619
Configuring RIP on the Sidewinder G2 . . . . . . . . . . . . . . . . . . . . . . . 622
Rule list support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 624
Enabling/disabling the routed server . . . . . . . . . . . . . . . . . . . . . . . . . 625
Trace and log information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 625
A note about flushing filter routes . . . . . . . . . . . . . . . . . . . . . . . . . . 625
APPENDIX E Setting Up SmartFilter Services . . . . . . . . . . . . . . . . . . . . . . 627
Overview of SmartFilter for Sidewinder G2 . . . . . . . . . . . . . . . . . . . . 628
Controlling Web access using the SmartFilter Control List . . . . . . . . 628
Evaluating the SmartFilter Control List . . . . . . . . . . . . . . . . . . . . . . 628
Subscribing to the SmartFilter Control List . . . . . . . . . . . . . . . . . . . 629
Configuring SmartFilter for HTTP/HTTPS . . . . . . . . . . . . . . . . . . . . . 630
Configuring the SmartFilter for Web and Secure Web tab . . . . . . . 631
Configuring proxy rules for SmartFilter version 4.0.2 . . . . . . . . . . . 632
Category codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 633

Table of Contents
APPENDIX F Basic Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .635
Powering up the system to the Administrative kernel . . . . . . . . . . . .636
Enabling and disabling authentication for the administrative
kernel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .636
Restoring access to the Admin Console . . . . . . . . . . . . . . . . . . . . . .637
Backing up system files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .638
Performing a full system backup (level0) . . . . . . . . . . . . . . . . . . . .638
Performing an incremental backup . . . . . . . . . . . . . . . . . . . . . . . . .639
Restoring system files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .641
Performing a full system restore . . . . . . . . . . . . . . . . . . . . . . . . . . .642
Performing an incremental restore via the do.restore script . . . . . .643
Restoring configuration files using the command line . . . . . . . . . . .646
Adding hardware to an active Sidewinder G2 . . . . . . . . . . . . . . . . . .647
Recovering when the licensed NIC fails . . . . . . . . . . . . . . . . . . . . . . .649
Replacing and relicensing a network interface card . . . . . . . . . . . .649
Troubleshooting licensing problems . . . . . . . . . . . . . . . . . . . . . . . .650
What to do if the boot process fails . . . . . . . . . . . . . . . . . . . . . . . . . .651
System reboot messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .651
Re-imaging your Sidewinder G2 . . . . . . . . . . . . . . . . . . . . . . . . . . . .652
If you forget your administrator password . . . . . . . . . . . . . . . . . . . . .653
Changing your password in the administrative kernel . . . . . . . . . .653
Using maintenance mode to disable authentication when you have forgotten
your password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .653
Manually clearing an authentication failure lockout . . . . . . . . . . . .654
Interpreting beep patterns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .655
If a patch installation fails . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .656
Troubleshooting proxy rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .657
Failed connection requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .657
Monitoring allow and deny rule audit events . . . . . . . . . . . . . . . . . .659
Active rules and the DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .660
Understanding FTP and Telnet connection failure messages . . . . . .661
Troubleshooting High Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . .662
Viewing configuration-specific information . . . . . . . . . . . . . . . . . . .662
Viewing status information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .662
Identifying load sharing addresses in netstat and ifconfig . . . . . . .665
Interface configuration issues with HA . . . . . . . . . . . . . . . . . . . . . .666
Troubleshooting remote interface test failover for peer-to-peer HA 666
Troubleshooting NTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .666
Why did NTP stop? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .667
Why does NTP appear to be inaccurate? . . . . . . . . . . . . . . . . . . . .667
NTP clients will not synchronize with the Sidewinder G2 . . . . . . . .667
Restarting NTP from the UNIX prompt . . . . . . . . . . . . . . . . . . . . . .667
Troubleshooting VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .668
Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .669
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .683
xvii

Table of Contents
xviii

PREFACE
Who should read
this guide
Where to find
additional
information
This guide is intended for a Sidewinder G2 administrator. You should read this
guide if you are responsible for configuring and managing a Sidewinder G2
Security Appliance.
This guide assumes you have:
• A working knowledge of UNIX and Windows operating systems.
• A basic understanding of system administration.
• A working knowledge of the Internet and its associated terms and
applications.
• An understanding of networks and network terminology, including TCP/IP
protocols.
The Management Tools CD includes the Sidewinder G2 documentation in .pdf
format. When you install the Management Tools on a Windows-based system,
the documents are automatically loaded onto your hard drive. You can view
them by selecting Start > Programs > Secure Computing > Sidewinder G2 3.0
Admin Console > Documentation.
Note: To view Sidewinder G2 documents prior to installing the Windows-based
tools, browse to the \Manuals directory on the Management Tools CD.
xix

Preface
xx
Table 1: Summary of Sidewinder G2 documentation
Document Description
Startup Guide Steps you through setting up your initial Sidewinder
G2 configuration.
Administration Guide This is the guide you are currently reading. It provides
complete administration information on all Sidewinder
G2 functions and features. You should read this guide
if you are responsible for configuring and managing a
Sidewinder G2 Security Appliance.
Enterprise Manager
Startup Guide
Enterprise Manager
Administration Guide
Steps you through setting up your initial Sidewinder
G2 Enterprise Manager configuration. You should
read this guide if you are responsible for configuring
and managing a G2 Enterprise Manager.
Provides complete administration information on all
Sidewinder G2 Enterprise Manager functions and
features. You should read this guide if you are
responsible for configuring and managing Sidewinder
G2 using the Enterprise Manager.
Online help Online help is built into Sidewinder G2. The Quick
Start Wizard provides help for each configuration
window. The Admin Console program provides
detailed screen-based online help as well as topicbased
online help.
Application notes Detailed instructions for setting up specific
configurations, such as setting up Sidewinder G2 to
work with another vendor's product or environment.
Application notes are located at:
www.securecomputing.com/goto/appnotes
Knowledge Base Supplemental information for all other Sidewinder G2
documentation. Articles include helpful
troubleshooting tips and commands. The Knowledge
Base is located at: www.securecomputing.com/
supportkb.cfm
For the latest information regarding Sidewinder G2 and other Secure
Computing products, refer to our Web site at: www.securecomputing.com.

Online help
Preface
The Sidewinder G2 graphical user interface (known as the Admin Console)
provides comprehensive online help. To access online help, click the help icon
in the toolbar.
Man (or “manual”) pages provide additional help on Sidewinder G2-specific
commands, file formats, and system routines. To view the available information
for a specific topic, enter one of the following commands:
man -k topic
or
apropos topic
where topic is the subject that you want to look up.
Reference materials
If you are new to system administration, you may find the following resources
useful:
Note: Some of these resources are referenced throughout this guide.
• UNIX System Administration Handbook, 3rd Edition, by Nemeth, et al.
(Prentice Hall).
• Managing Internet Information Services by Liu, et al. (O’Reilly and
Associates, Inc.)
• A standard reference on computer security is Firewalls and Internet
Security by Cheswick and Bellovin (Addison-Wesley).
• For network management information, see TCP/IP Network Administration
by Craig Hunt (O’Reilly & Associates, Inc.).
• For information on handling mail on UNIX networks, see Sendmail by Bryan
Costales, with Eric Allman and Neil Rickert (O’Reilly & Associates, Inc.).
• For Domain Name System information, see DNS and Bind by Cricket Liu
and Paul Albitz (O’Reilly & Associates, Inc.).
• For information about Internet Review for Comment (RFC) documents,
refer to one of the following Web sites:
http://www.cse.ohio-state.edu/cs/Services/rfc/index.html
http://www.ietf.org/rfc.html
xxi

Preface
Typographical
conventions
xxii
This guide uses the following typographic conventions:
Table 2: Conventions used in this guide
Convention Description
boldface courier Commands and keywords you type at a system prompt
are in boldface.
\
(backslash character
in a command string)
When a command does not fit on the same line in this
document, the backslash (\) character is used to
indicate continuation. Enter the command as shown,
ignoring the backslash.
courier italic Place holders for text you type. Words that appear in
square angle brackets are placeholders for
optional text.
courier plain Text displayed by this product on a computer screen.
plain text italics Names of files and directories.
Body Text Highlight Buttons, field names, and tabs in procedures that
require user interaction.
Note:
Tip:
Important:
Caution:
Security Alert:
Means reader take note. Notes contain helpful
suggestions or references to material not covered
elsewhere in the manual.
Means the following information will describe a timesaving
action or help you solve a problem.
Means the following text will provide information
essential to the successful completion of a task or
procedure.
Means reader be careful. In this situation, you might do
something that could result in loss of data or an
unpredictable outcome.
Emphasizes information that is critical to maintaining
product integrity or security.
127.10.3.4 IP addresses, screen captures, and graphics within
this document are intended as examples. They do not
127.10.3.2
necessarily represent a proper or complete
127.9.7.72
configuration or the configuration that is appropriate to
your needs. Often features are enabled so they are
clear in the screen capture. Not all features are
appropriate or desirable for your Sidewinder G2 setup.

1 CHAPTER
Introduction
In this chapter...
What is the Sidewinder G2 Security Appliance? ..............................2
Sidewinder G2 management options ...............................................3
The Type Enforced environment ......................................................4
Additional Sidewinder G2 operating characteristics .........................8
1

Chapter 1: Introduction
What is the Sidewinder G2 Security Appliance?
What is the
Sidewinder G2
Security
Appliance?
2
Figure 1:
Sidewinder G2 protecting
your organization’s
network
The Sidewinder G2 Security Appliance is a network security gateway that
allows you to connect your organization to the Internet while protecting your
network from unauthorized users and network attackers. It combines an
application-layer firewall, IPSec VPN capabilities and clientless VPN access,
anti-spam/anti-fraud and anti-virus/anti-spyware filtering engines, and SSL
decryption in to one Unified Threat Management (UTM) security appliance,
designed to offer centralized perimeter security.
The Sidewinder G2 provides a high level of security by using SecureOS®, an
enhanced UNIX operating system that employs Secure Computing’s patented
Type Enforcement® security technology. SecureOS removes the inherent
security risks often found in a network application running on non-security
focused commercial operating systems, resulting in superior network security.
Tip: For more information regarding the Sidewinder G2 Security Appliance and its
benefits, refer to our Web page at www.securecomputing.com/hardware. Information
about the hardware warranty is available at www.securecomputing.com/goto/
warranty.
The Sidewinder G2 prevents host identification masquerading (IP spoofing),
making it very difficult for attackers to infiltrate your protected network(s). The
Sidewinder G2 also offers advanced authentication and encryption software.
Encryption allows authorized users on the Internet access to your protected
network without fear of attackers eavesdropping (IP sniffing) or stealing access
credentials and other valuable information.
The Sidewinder G2 allows public services such as e-mail, a public file archive
(FTP), and World Wide Web (Web) access while protecting the other
computers on your protected network(s). The Sidewinder G2 also provides
powerful configuration options that allow you to control access by your
employees to almost any publicly available service on the Internet.
A minimum Sidewinder G2 configuration supports two network interfaces.
However, you can add additional network interfaces for a total of up to 64
network connections. Sidewinder G2 can be used as a gateway between your
internal network and the Internet, or between any networks with different
security needs. Figure 1 shows Sidewinder G2 protecting a company’s internal
network.
protected network
Sidewinder G2
R
router
Internet
?

Figure 2: Protecting
multiple networks with
Sidewinder G2
Sidewinder G2
management
options
Chapter 1: Introduction
Sidewinder G2 management options
The configuration shown in Figure 2 is useful in providing protection for two
otherwise separate networks within your organization, or between your
organization and a strategic business partner. This configuration uses three
network interfaces.
your
network
protected networks
trusted
network
Sidewinder G2
R
router
Internet
The Sidewinder G2 provides interface flexibility that allows multiple
management options:
• Admin Console—You can install and use the graphical user interface
software, referred to as the Admin Console, on a Windows ® operating
system, allowing you to easily connect to and manage your Sidewinder G2.
The Admin Console displays the Sidewinder G2 dashboard, a centralized
way to view system status, from current patch level and uptime to recent
attempted attacks. All Admin Console sessions are encrypted.
• SSH session—You can establish a secure shell (SSH) session to
administer the Sidewinder G2 via the command-line interface from a
Windows, UNIX, or other workstation capable of running an SSH client.
• Telnet session—You can also establish a Telnet connection to establish a
command line session with Sidewinder G2. Telnet is not encrypted and
therefore not secure; only use Telnet sessions to your Sidewinder G2 when
on a secure network.
Tip: See Chapter 2 for details on using each management option.
?
3

Chapter 1: Introduction
The Type Enforced environment
The Type
Enforced
environment
4
As mentioned earlier in this chapter, Sidewinder G2 runs under SecureOS, a
version of BSD/OS that Secure Computing has enhanced with a patented
security technology called Type Enforcement. Type Enforcement was originally
developed by Secure Computing Corporation for the Secure Network Server, a
product which meets strict U.S. government standards for computer security.
For the most part, Type Enforcement does not require any extra effort on your
part. The following subsections describe areas that affect how you use the
system and access files of which you should be aware.
Sidewinder G2 kernels
The Sidewinder G2 contains two separate UNIX kernels that each serve a
specific purpose:
• Operational kernel
This is the kernel that is running during normal operation. By default, the
system boots to the Operational kernel. In this mode, the Sidewinder G2 is
connected to the Internet and to your internal networks, and all network services
are operational. Most importantly, the system is fully protected by the
Type Enforcement security software.
For information on booting to the Operational kernel, refer to “Restarting or
shutting down the system” on page 40.
• Administrative kernel
This kernel is used only when an administrator needs to perform special
tasks on the Sidewinder G2, such as installing or restoring Sidewinder G2
software. When the Administrative kernel is running, all network connections
are disabled and Internet services are not available; the Type Enforcement
security software is also disabled. Access to the Administrative kernel
is tightly controlled and cannot be granted remotely.
Important: When you boot to the Administrative kernel, the system can be
accessed only by attaching a monitor and keyboard (or a laptop) directly to your
Sidewinder G2. For information on booting to the Administrative kernel, refer to
“Powering up the system to the Administrative kernel” on page 636.

Chapter 1: Introduction
The Type Enforced environment
Table 3 lists the major differences between the two kernels. The Operational
kernel features are described in the section immediately following this table.
Table 3: Sidewinder G2 kernels
Operational kernel Administrative kernel
SecureOS is protected by Type
Enforcement. (Type Enforcement is
used at every critical system call and
cannot be turned off.)
Normal operating state—The
Sidewinder G2 will automatically boot
to this kernel.
Network connections are enabled;
Internet services are available. Traffic
flows through the Sidewinder G2.
Divided into many application
domains; domain restrictions are
enforced.
Administrator access is controlled by
authenticated login and access rules.
Access to files by a process is
restricted based on Domain Definition
Table.
How Type Enforcement works
Type Enforcement is disabled. File
types and domains exist, but are not
enforced.
Used when performing certain
administrative tasks or installing
software on the Sidewinder G2.
No traffic passes through the
Sidewinder G2.
Domain restrictions are not enforced.
Administrator access is limited to a
keyboard and monitor attached
directly to the Sidewinder G2. By
default, login and access rules do not
apply. (You can configure the
administrative kernel to require
authentication, if desired.)
Access to files by a process is
restricted only by standard UNIX
permissions.
UNIX is not known to be a particularly secure operating system. Logging in as
super-user (root) gives you access to all system files; an intruder who knows
how to acquire root privileges can access any files or applications on a system.
In addition, UNIX does not have tight control over how data files are shared
among the processes running on a system. This means that an intruder who
managed to break into one area of a system, such as e-mail, may be able to
easily gain access to other files on the system.
5

Chapter 1: Introduction
The Type Enforced environment
6
Figure 3: Example of
domain separation
structure on the
Sidewinder G2
The Type Enforcement software in the Sidewinder G2 Operational kernel is
designed to plug these security holes. This is done by using the following
mechanisms (each of the mechanisms is described below):
• provides maximum network protection
• provides Type Enforced domain processes
• controls Type Enforced attributes applied to files and sockets
• controls inter-domain operations, such as signals
• controls access to system calls
• controls the files a process can access
Maximum network protection
Secure Computing's patented Type Enforcement technology provides network
security protection that is unique to the industry. By using Type Enforcement
within the operating system, the Sidewinder G2 provides the highest level of
security.
Type Enforcement is based on the security principle of least privilege: any
program executing on the system is given only the resources and privileges it
needs to accomplish its tasks. On the Sidewinder G2, there is no concept of a
root super-user. Type Enforcement controls all interactions between domains
and file types. Domains must have explicit permission to access specific file
types, communicate with other domains, or access system functions. Any
attempts to the contrary fail as though the files do not exist.
Type Enforced domain processes
A standard UNIX system separates processes with user and group identities.
Therefore, UNIX identities can be completely subverted by users who obtain
root privileges. The Sidewinder G2 prevents this by providing separate, Type-
Enforced domains for each process running on the system. Type-enforced
domains provide more intricate control over what each process is allowed to do
(see Figure 3).
SMTP Audit
User Kernel Network
News Telnet

Type Enforced attributes
Chapter 1: Introduction
The Type Enforced environment
When an administrator initially logs into the Sidewinder G2 at a command line
prompt, they are automatically placed in the User domain, which allows no
access to sensitive files. An administrator may then switch to their defined
administrative role’s domain using the srole command (for Admn) or srole
adminro (for AdRO). The Admn domain allows an administrator to access to
all administrative functions. The AdRO domain allows read-only access to the
system configuration areas, as well as the ability to generate reports. An
administrator with read-only access cannot make system modifications.
This guide assumes that most commands will be issued by administrators with
read/write access, and therefore only includes the srole command. If you are
a read-only administrator and have reason to access the command line,
always use srole adminro instead of srole alone.
For information on assigning administrator roles, see “Setting up and
maintaining administrator accounts” on page 43.
Inter-domain operations
Interactions between domains, such as signalling, are also controlled by Type
Enforcement. For example, a process running in the SMTP domain cannot
send a signal to the Telnet server running in the Telnet domain.
Access to system calls
A typical UNIX system has many privileged system calls that could enable
malicious users to access the kernel directly and compromise the system. The
Sidewinder G2 solves this problem with a set of flags for each domain that
indicate which system calls can be made from that domain.
Files available to a process
Process-to-file access is controlled by a Domain Definition Table that maps out
the various classes of data files and processes that may be running on the
Sidewinder G2. The table specifies which process domains can access
different types of files and what type of access is allowed (such as read/write/
execute). This table cannot be circumvented.
Your system is pre-configured so that domains have access only to the files
they need. The Domain Definition Table cannot be changed while the
Operational kernel is running. This prevents intruders from tricking the kernel
into modifying the table. Also, Type Enforcement prevents intruders from
installing software that may be used to circumvent Sidewinder G2 security
mechanisms.
7

Chapter 1: Introduction
Additional Sidewinder G2 operating characteristics
Additional
Sidewinder G2
operating
characteristics
8
Type Enforcement’s effects
The previous section outlined how Type Enforcement works. Listed below are
the major ways in which Type Enforcement affects you and other users:
• Non-administrative users will not be aware of Type Enforcement (unless
they try to perform unauthorized activities).
• In the Operational kernel, there is no concept of a super-user who can have
complete system control. The “root” account has no special privileges. The
Admin role operating in the Admn domain has access to most system files,
but is still not as powerful as root on a standard UNIX system.
• Domains make it difficult for an intruder to do damage. Breaking into the
domain in which an application is executing does not provide access to the
files required for administering that application.
• Some system administration cannot be performed in the Operational kernel
and must be done in the Administrative kernel. While in the Administrative
kernel, the Sidewinder G2 is not accessible to any other user or the
Internet. When the Administrative kernel is running, Type Enforcement is
turned off, which allows you to perform procedures such as a software
upgrade or a full system backup and restore.
This section lists additional significant differences between Sidewinder G2 and
a standard UNIX system.
Burbs and network stack separation
While installing or managing the Sidewinder G2, you will notice the use of the
term burb. Burb is a term that refers to an interface and all the systems it
connects. Each burb must a unique name (for example, internal, external).
As an example of how burbs are used, suppose your organization has two
internal (protected) networks that need to be connected to the external network
(Internet), but the corporate security policy requires that there be limited or no
information flow between the two internal networks. In this scenario, you would
configure three burbs for your Sidewinder G2, as shown in Figure 4. The
security policy must be defined to enforce the required control over information
flow between the two internal security burbs and between the external burb
and the individual internal burbs, while also protecting the internal burbs from
unauthorized access from the Internet.

Figure 4: Multiple Type
Enforced areas (burbs) on
Sidewinder G2
trusted networks
Sidewinder G2
showing Type
Enforced network
areas (burbs)
Chapter 1: Introduction
Additional Sidewinder G2 operating characteristics
R
router
Internet
One of the unique aspects of the SecureOS is the use of multiple logical
network stacks to strengthen the enforcement of the inter-burb aspects of the
system security policy. A network stack consists of different layers of software
responsible for different aspects of the communications. For example, one
layer checks a message’s routing information to ensure that it is transmitted to
the correct network. Normal computing systems, and firewalls that operate on
an unsecured OS, have only one network stack.
The SecureOS includes modifications that provide stronger separation of
communication between different burbs. There are checks at all layers of the
software to ensure that the network stack data from one burb is not mixed with,
or impacted by, data associated with another burb. This logical separation of
the network stacks by the security burb is augmented by the Type Enforcement
security policy, which is integral to SecureOS. It controls all operational aspects
of the system, including enforcement of the separation data processing by the
security burb. This ensures that information passes from one burb to another
only if the network security policy says the specific information flow is allowed.
Figure 5 shows this logical network separation and the processing elements
involved in the transfer of data between the network stacks associated with
each burb. Before a process can interact with a network stack, the Type
Enforcement security policy must indicate that the process is allowed to
interact with that burb’s network stack.
9

Chapter 1: Introduction
Additional Sidewinder G2 operating characteristics
10
Figure 5: Logical
network protocol stacks
provide network
separation
trusted
network
Sidewinder G2
logical network
protocol stacks
Proxy software and access control
Internet
The Sidewinder G2 uses special programs, called proxies, to forward
application data between two burbs, such as your network and the Internet.
Proxies essentially provide a go-between that can communicate with the burbs
on Sidewinder G2. For example, when a user on an internal burb tries to
establish an Internet connection, Sidewinder G2 intercepts the connection
attempt and opens the connection on the user’s behalf. All Internet
connections are made by the Sidewinder G2 so that the internal network never
communicates directly with the Internet burb. You can configure transparency
on a per-rule basis, allowing it to appear from a user’s perspective as if they
are connecting directly to the destination and not connecting to the Sidewinder
G2 first.
Important: Proxies communicate between two Type Enforced network areas in
Sidewinder G2. Therefore, proxies are not used to control an external (Internet)
user’s access to the external side of the Sidewinder G2. For example, when an
external user accesses a Telnet server that you have made publicly available on
the external side of the Sidewinder G2, there will be no proxy to intervene. For
users on the Internet, proxies are only used when they try to access an internal
burb on the Sidewinder G2.
The Sidewinder G2 supports Web (HTTP), Telnet, and many other TCP-based
proxies. The Sidewinder G2 also supports proxies for routing SNMP, NTP,
DNS, and other types of services that require UDP transmissions. You can also
create your own special proxies for other services. In addition, the Sidewinder
G2 provides proxies that use multiple TCP and/or UDP sessions such as FTP,
Real Media, and Oracle SQLNet.

Chapter 1: Introduction
Additional Sidewinder G2 operating characteristics
Most proxies are disabled by default and must be enabled on the
Services Configuration > Proxies window before that type of traffic can pass
through Sidewinder G2. Once a proxy is enabled, you can configure which
internal users can use each type of proxy by creating proxy rules and
organizing them into rule groups that enforce your site’s security policy. For
example, you can configure rules that allow all internal users to access all
Internet Web sites, or you can prohibit users from accessing the Web from
specific internal systems or from accessing specific Web sites. can configure
advanced, application-specific properties for your proxy rules using Application
Defenses.
Note: See Chapter 4 for a detailed description of proxy rules and Application
Defenses. See Chapter 9 for a detailed description of the Sidewinder G2 proxies
and procedures for configuring them.
IP filtering
You can configure the Sidewinder G2 to securely forward IP packets between
networks using IP Filter rules. Unlike proxies, which operate at the application
layer and in most cases on TCP or UDP traffic, IP Filter operates directly on IP
packets allowing non-TCP/UDP (as well as TCP/UDP) traffic to pass between
the networks. For example, with IP Filter you can pass encrypted VPN
sessions through the Sidewinder G2.
IP Filter works by inspecting many of the fields within a packet, including the
source and destination IP address, port, and protocol. Each packet that arrives
at the Sidewinder G2 will be inspected and compared to an active IP Filter rule
group that you have configured. Matching packets will then be forwarded on to
the destination network.
You can configure IP Filter to inspect TCP, UDP, and many other protocols.
With TCP, UDP, and ICMP, the Sidewinder G2 can actively track individual
sessions by performing stateful inspection. This ensures that only packets valid
for a new session or a portion of an existing session are sent on to the final
destination. In addition, the Sidewinder G2 supports the ability to perform
Network Address Translation (NAT) and redirection when using IP Filter.
Using NAT, the source address of outgoing IP packets is translated from the
client's IP address to the external address of the Sidewinder G2. Using
redirection, the destination address of an incoming packet is rewritten to a
redirect host. Using NAT and/or redirection allows the IP addresses of
machines behind the Sidewinder G2 to be hidden. You can also allow a private,
non-routeable network (such as 10.0.0.0) to access the Internet using NAT.
Note: See Chapter 4 for information on using IP Filter rules.
11

Chapter 1: Introduction
Additional Sidewinder G2 operating characteristics
12
daemond
The daemond (pronounced demon-dee) process is a powerful component that
enhances overall security. It monitors and controls all of the major software
components on Sidewinder G2. It also detects and audits some classes of
attacks against the Sidewinder G2.
For example, should someone try to attack a Sidewinder G2 service (such as
sendmail), causing the component to crash, the daemond process will detect
the failure, immediately restart the failed component, and create a critical event
audit entry (allowing the administrator to be notified and respond to the attack).
daemond starts during the Sidewinder G2 boot process. On start up, it reads
the /etc/sidewinder/daemond.conf file to determine its configuration options. As
a Sidewinder G2 administrator, there are two daemond options you should be
aware of: default memory size and failure mode.
About the default memory size option
If no memory size is specified for a service in the /etc/server.conf or
/etc/sidewinder/nss.common.conf files, the default memory size option
specifies the size (in MB) that daemond will give each of the services it starts.
The default size is 128 MB. If there is no value present in the daemond
configuration file, it will use the default value from /etc/login.conf.
About the failure (safe) mode option
By default, daemond will run in its normal mode (that is, failure mode is not
configured and daemond will run in its normal, operational mode). This means
that daemond will attempt to start all enabled components in the /etc/
server.conf and /etc/sidewinder/nss.common.conf files. When failure mode is
enabled in the /etc/sidewinder/daemond.conf file, and a failure event has
occurred, daemond will start in failure mode (also called safe mode). This
means that daemond will only start the components that are enabled for failure
mode in the /etc/server.conf and /etc/sidewinder/nss.common.conf files.
Components that are NOT enabled for failure mode will not be started.
Failure mode is set under any of the following circumstances:
• a license check fails
• the audit partition overflows
• an error occurs while installing a patch
Note: If a patch fails for any reason, the patch process will configure daemond to
start in failure mode. This is done in order to secure the system and provide only
necessary administrator access to the Sidewinder G2.

Chapter 1: Introduction
Additional Sidewinder G2 operating characteristics
If you configure a failover High Availability (HA) cluster, the standby Sidewinder
G2 will run in failure mode. If the primary Sidewinder G2 becomes unavailable
and the standby is required to take over as the primary Sidewinder G2,
daemond will start all services for that Sidewinder G2.
If the primary Sidewinder G2 in an HA cluster goes into failure mode and the
secondary/standby Sidewinder G2 is not available, the primary Sidewinder G2
will remain as the primary Sidewinder G2, but the priority value for that
Sidewinder G2 will change to one, ensuring that if a secondary/standby
Sidewinder G2 becomes available, it can take over as the primary Sidewinder
G2. For information on HA, see Chapter 17.
daemond and run levels
When running in either normal mode or failure mode, daemond starts
components according to their run level. After each component in a run level
has started, daemond “sleeps” for the run level interval specified in the /etc/
daemond.conf file. After the sleep completes, daemond starts the components
in the next run level. There are five different run levels. Each run level contains
the following components:
Table 4: daemond run levels
Run level Component
0 auditd, auditsql, aclsql, swedesql
1 acld, auditbotd, resolverd, upsd
2 auditdbd, named-unbound, named-internet, randomd
3 nss
4 All remaining proxies and servers. This is also the default run level.
There are four key components that must be enabled and running before
daemond will successfully boot the Sidewinder G2. These are: auditd,
auditsql, aclsql, and acld.
Whether running in normal or failure mode, daemond will fail to bring the
Sidewinder G2 up completely if any of the following situations occur:
• A configuration file error exists in any of the three files daemond parses:
/etc/daemond.conf, /etc/server.conf, and /etc/sidewinder/nss.common.conf.
• The system has not been properly licensed or activated.
• A key component failed to start up or was not properly enabled.
• A patch installation failed.
13

Chapter 1: Introduction
Additional Sidewinder G2 operating characteristics
14
If one of these error conditions occur, a message appears notifying you that
your system has booted to failure mode along with the reason why it booted to
failure mode. The reason for the failure will be logged in /var/log/daemond.log.
If none of the above situations occur, daemond will bring the system up without
error.
Once the Sidewinder G2 has finished booting and the system is operational,
daemond becomes responsible for monitoring, stopping and starting all the
components in /etc/server.conf and /etc/sidewinder/nss.common.conf. While
daemond is monitoring the enabled and running components, it is also
responsible for keeping an instance of that component running.
Restarting processes
If a component dies unexpectedly, daemond will restart that component and
audit the event in both the audit log and the daemond log. The message in
/var/log/daemond.log will look similar to this:
Nov 7 16:05:22 fiji : restarting /usr/libexec/syncd (2686)
due to unexpected death
If a component quits within five seconds of starting three times in a row,
daemond will not attempt to restart it until the next time daemond rereads its
configuration files. This event will also be audited to both the audit log and the
daemond log. The message in /var/log/daemond.log will look similar to this:
Nov 5 18:13:03 fiji : /usr/contrib/sbin/sshd will not be
restarted due to possible startup errors
Stopping processes
daemond is also responsible for stopping processes. If a Sidewinder G2
administrator chooses to disable a process (using the Admin Console or cf
commands), the configuration files are changed and a SIGHUP command is
sent to daemond. The SIGHUP command signals daemond to reread the
configuration files. If daemond finds an entry associated with a currently
running process that is now marked as disabled, daemond will stop that
process. The process will not be started again until it is re-enabled by an
administrator. Re-enabling a process will cause another SIGHUP command to
be sent to daemond, which will reread the configuration files and attempt to
restart the process.
All component failure events are logged in the /var/log/daemond.log file. If
daemond fails during system start-up, the daemond log file will record the
reason for this failure. It will also record information each time daemond
restarts a process that died unexpectedly. This is useful for tracking attacks on
a particular component.

Network Services Sentry (NSS)
Chapter 1: Introduction
Additional Sidewinder G2 operating characteristics
If you have administered a standard UNIX system, you are probably familiar
with inetd, which manages daemons for network services. Daemons are
server processes that run continuously in the background and wait until they
are needed. On the Sidewinder G2, inetd has been replaced with the Network
Services Sentry (NSS), which manages most of the server and proxy services.
There is an NSS configuration file for each burb defined on your Sidewinder
G2. The NSS configuration files are updated for you when you make changes
to services. For example, the files are updated whenever you enable or disable
a proxy.
NSS regulation of valid ports for the Admin Console
For the Admin Console and synchronization services, NSS regulates the ability
to change the default port. You may use the Admin Console or the command
line to edit the default ports for these services. For example, you might want to
alter ports when the default conflicts with the port of another service, or when
you want to create a portlist with non-continuous numbers.
You can edit the port fields using the Admin Console Firewall Administration >
UI Access Control window. See “Backing up and restoring config files using
the Admin Console” on page 52 and “Configuring Admin Console access” on
page 91 for details.
When changing the port for a service, be sure to consider the criteria listed in
Table 5 below.
Table 5: Criteria for modifying a service port
Port type Criteria
Valid ports must be . . . • between 1–65535 when using the Admin
Console, and for all other services
• unique within ports assigned to other
services of the same type (server, t_proxy,
nt_proxy)
Valid port ranges must be . . . • two valid ports separated by a single hyphen
(may be non-continuous)
• listed in ascending order
• a maximum of 1995 ports
• between 1–65535 when using the Admin
Console, and for all other services
• unique within ports assigned to other
services of the same type (server, t_proxy,
nt_proxy)
Valid portlists must be. . . valid ports and/or valid ranges separated by
spaces
15

Chapter 1: Introduction
Additional Sidewinder G2 operating characteristics
16

2 CHAPTER
Administrator’s
Overview
In this chapter...
Administration interface options .....................................................18
Admin Console basics....................................................................19
Admin Console conventions...........................................................25
Using the Admin Console File Editor..............................................26
Administering Sidewinder G2 using Secure Shell ..........................30
Administering Sidewinder G2 using Telnet.....................................36
17

Chapter 2: Administrator’s Overview
Administration interface options
Administration
interface options
18
Figure 6: Sidewinder G2
administration options
You can manage Sidewinder G2 in one of two ways:
• Admin Console—The Administration Console (or Admin Console) is the
graphical software program that runs on a Windows system within your
network. The Admin Console is installed using the Management Tools CD.
This CD also installs the Quick Start Wizard, which is used to initially
configure your Sidewinder G2.
Note: The Admin Console is occasionally referred to as “cobra” in some
command line tools.For information on installing the Admin Console software,
see the Sidewinder G2 Startup Guide. For information on using the Admin
Console, see “Admin Console basics” on page 19.
• command line interface—If you are experienced with UNIX, you can also
use the command line interface to configure and manage Sidewinder G2.
Command line interface refers to any UNIX prompt. The command line
interface supports many Sidewinder G2-specific commands as well as
standard UNIX commands you can enter at a UNIX prompt. For example,
the cf (configurator) command can perform a wide range of configuration
tasks.
Tip: For help using command line interface instead of the Admin Console to
manage your Sidewinder G2, refer to Appendix A. You can also use the
extensive manual (man) pages included on Sidewinder G2. To do so, log into
Sidewinder G2 at a command prompt, type man followed by the name of a
command, and then press Enter.
For most administrative tasks, use the Admin Console as the primary
Sidewinder G2 interface. For troubleshooting, connect via SSH or Telnet and
use the command line interface.
Whether you use the Admin Console or the command line interface, you can
manage Sidewinder G2 from a number of locations. Figure 6 highlights the
administration interface options available to you.
Note: Normal administration is possible only when the Operational kernel is
booted. When the Administrative kernel is running, all administration must be done
directly at the Sidewinder G2 by connecting a monitor and keyboard (or laptop).
Admin Console
running
on a Windows
workstation
Command line
interface via a
Telnet connection
on a Windows or
UNIX workstation
Sidewinder G2
Internet
Remote Admin Console
or command line
interface via an SSH
connection

Admin Console
basics
Chapter 2: Administrator’s Overview
Admin Console basics
This section describes how to start the Admin Console, and explains how to
add a new Sidewinder G2. It also provides general guidelines for using the
Admin Console. For information on installing the Admin Console software on a
Windows PC, see the Sidewinder G2 Startup Guide.
Note: This version of the Admin Console supports backwards compatibility.
Therefore, if you have a current version of the Admin Console installed, you can still
connect to a remote Sidewinder G2 that is running at 6.0.0.00 or higher, and the
window will automatically update to display the earlier version of the Admin
Console. You will also receive online help that is appropriate to the version at which
the Sidewinder G2 is running.
Starting and exiting the Admin Console
The Admin Console can only access Sidewinder G2 if Sidewinder G2 is
configured to allow secure sessions for the burb in which the Admin Console’s
workstation resides. By default, access is enabled on the Sidewinder G2’s
internal burb. For information on changing Admin Console access on an active
Sidewinder G2, see “Configuring Admin Console access” on page 91.
Starting the Admin Console
To start the Admin Console on a Windows workstation, do one of the following:
• Click the Sidewinder G2 Admin Console icon
located on the desktop.
• Select Start > Programs > Secure Computing > Sidewinder G2 Admin
Console 3.0 > Firewall Admin Console.
If you are starting the Admin Console for the first time, you will need to add the
Sidewinder G2(s) that you want to manage. See “Adding a Sidewinder G2 to
the Admin Console” on page 20 for information on creating a new Sidewinder
G2.
Exiting the Admin Console
To exit the Admin Console, do one of the following:
Important: If you have any active connections when you exit the Admin Console,
those connections, as well as any unsaved changes, will be lost. You will not be
prompted to save before exiting.
• In the File menu, select Exit.
• Simultaneously press Alt+x.
• Click the icon in the upper right corner of the Admin Console window.
19

Chapter 2: Administrator’s Overview
Admin Console basics
20
Adding a Sidewinder G2 to the Admin Console
Before you can manage a Sidewinder G2 using the Admin Console, you must
first identify it in the Admin Console. Follow the steps below.
1 In the Admin Console window, click the
Firewall). The Add Firewall window appears.
icon, (or click File > New
2 In the Name field, type a descriptive name for the Sidewinder G2 you are
adding. For example, you might specify the host name you used during the
installation process. Only alphanumeric characters and dashes can be
used; spaces are not allowed.
3 In the IP Address field, type the IP address you want to use to access the
Sidewinder G2. The address must be a valid IP address for an interface on
the Sidewinder G2. Also, the interface must be contained within a burb for
which remote administration has been enabled.
Tip: To view the current mapping of interfaces and burbs, use ifconfig -a
via the command line.
4 Click Add to save the information and exit this window. Each Sidewinder G2
you add is displayed in the Admin Console tree (in the left portion of the
window).
5 Click the appropriate icon listed under Firewalls. The properties appear in
the right portion of the window.
6 [Conditional] The Port field displays the default port number (9003) on
which the Sidewinder G2 will listen. You will generally not need to modify
this field.
7 To log in and connect to a Sidewinder G2, see “Connecting to a Sidewinder
G2 via the Admin Console” on page 21.

Figure 7: Admin Console
Login window
Chapter 2: Administrator’s Overview
Admin Console basics
Connecting to a Sidewinder G2 via the Admin Console
To connect to a specific Sidewinder G2, select the appropriate icon from the
Admin Console tree and then click Connect. The login window appears.
Connecting to a Sidewinder G2
The first time you attempt to connect to a Sidewinder G2 using the Admin
Console, a pop-up window appears presenting you with the firewall certificate
that will be used for all subsequent administrative connections. To accept the
certificate, click Yes.
If you want to verify the certificate before accepting it, you will need to obtain
the certificate fingerprint before you log into the Admin Console. To obtain the
certificate fingerprint, log into the Sidewinder G2 via command line and enter
the srole command to change to the admin role. (If you have not configured
remote access, you will need to attach a monitor and keyboard directly to your
Sidewinder G2.) Enter the following command:
cf cert view fw name=cert_name
The contents of the certificate are displayed. The certificate fingerprint is
located at the bottom of the certificate directly beneath the
END CERTIFICATE identifier. This fingerprint can be used to verify the
fingerprint that is displayed when you initially connect to the Sidewinder G2 via
the Admin Console.
To log into a Sidewinder G2, follow the steps below.
1 In the Username field, enter your Sidewinder G2 user name.
2 In the Authentication Method drop-down list, select the appropriate
authentication method for the Sidewinder G2 to which you are connecting.
Valid options include a simple password or a more sophisticated method
such as SafeWord, SecurID, SNK, RADIUS, LDAP, or Microsoft NT.
Note: All methods other than the password method require access to a
separate authentication server.
21

Chapter 2: Administrator’s Overview
Admin Console basics
22
Figure 8: Feature
Notification window
3 Click OK. An authentication window appears. Enter the appropriate
response, and then click OK. When you connect for the first time, the
Feature Notification window appears displaying the status of each licensed
feature.
Tip: If you do not want this window to appear each time you connect, select the
Don’t show this again check box.
4 When you are finished viewing the window, click Close.
The main Admin Console window appears.
Note: For information on using the main Admin Console window, see “About
the main Admin Console window” on page 23.For an overview of the tasks you
can perform using the Admin Console, see “Admin Console conventions” on
page 25.
Disconnecting from the Sidewinder G2 via the Admin Console
To end an Admin Console session for a Sidewinder G2, do one of the following:
• Right-click the Sidewinder G2 icon, and select Disconnect from the menu
that appears.
• Select the Sidewinder G2 icon, and click Disconnect in the main Admin
Console window.

Figure 9: Main Admin
Console menu
Main Admin Console
window
About the main Admin Console window
Chapter 2: Administrator’s Overview
Admin Console basics
When you start the Admin Console, a window similar to the following appears.
From this window you can connect to and manage one or more Sidewinder
G2s. The main Admin Console window is divided into three areas: top, left, and
right, as described in the sections below.
About the top portion of the Admin Console window
The top portion of the Admin Console window contains five icons that
represent various shortcut actions, shown in the table below.
Click this icon to add a Sidewinder G2. For more information on
adding a new Sidewinder G2, see “Adding a Sidewinder G2 to the
Admin Console” on page 20.
Click this icon to save changes you make in the Admin Console to the
Sidewinder G2.
Click this icon to cancel (or ‘rollback’) any unsaved changes in the
Admin Console.
Click this icon to refresh (or update) the screen.
Click this icon to launch the State Change Wizard. (If you are
connected to an HA or One-To-Many cluster, clicking this button will
take you to the appropriate cluster management window.)
Click this icon to access context-sensitive online help for the current
Admin Console window that is displayed.
23

Chapter 2: Administrator’s Overview
Admin Console basics
24
The top portion of the window also contains the following menu options:
• File—The following options and information about their respective short
cuts keys are available under this menu:
– New Firewall (Ctrl-N): Add a Sidewinder G2 that can be managed using
the Admin Console.
– Save (Ctrl-S): Save changes.
– Cancel (Ctrl-E): Cancel changes.
– Exit (Alt-X): Exit the Admin Console application.
• Help—The following options are available under this menu:
– Context-sensitive Help: Display specific information for an Admin
Console window. The title for this option correlates to the specific
window for which you will receive help.
– About (Ctrl-H): Display information about the current version of the
Admin Console software.
About the left portion of the Admin Console window
The left portion of the window contains the Admin Console tree. The Admin
Console tree is not active unless you are connected to a Sidewinder G2. Once
you are connected to a specific Sidewinder G2, you can click any of the items
in the Admin Console tree to manage that area of your Sidewinder G2.
You can also right-click a Sidewinder G2 in the Admin Console tree to perform
the following actions:
• Delete a Sidewinder G2 from the Admin Console.
• Connect or disconnect a Sidewinder G2 from the Admin Console.
• Add a Sidewinder G2 to an enterprise or cluster or create a cluster by
clicking Promote Firewall to start the State Change Wizard.
• Expand or collapse all or sections of the branch items beneath a
Sidewinder G2 icon.
About the right portion of the Admin Console window
The right portion of the Admin Console window initially displays configuration
information for the Sidewinder G2 to which you are currently connected, as
follows:
• Name—Defines the name of the Sidewinder G2 to which you are
connected.
• IP Address—Identifies the IP address of the Sidewinder G2 to which you
are connected.
• Port—Identifies the port number that will be used to connect to the
Sidewinder G2.
• Version—This is a read-only field that displays the current Sidewinder G2
version after connecting to the Sidewinder G2.

Admin Console
conventions
Chapter 2: Administrator’s Overview
Admin Console conventions
• Sidewinder G2 State—This is a read-only field that displays the current
Sidewinder G2 state (whether it is a standalone, part of an HA or One-To-
Many cluster, or part of an enterprise managed environment).
• Connect—Establishes a connection with the selected Sidewinder G2.
When using the Admin Console, the following conventions and tips will help
you avoid common mistakes:
• To filter a table based on the contents of a single column, right-click a
column heading and select the filter criteria for which you want to filter. (To
customize a filter, select the Custom Filter option.) To view all items in a
table, select the No Filter option.
You can also reverse the order of the table within a column by clicking the
appropriate column heading. To return the table to its original order, click
the column heading a second time.
– Right–click a column heading and use the Filter By option to filter on a
particular item or create a custom filter.
– Click the appropriate column heading to sort rules by a particular field
(column). Click the heading a second time to sort the list in reverse
order. You can select an item to modify from a list by double clicking on
it or by clicking on it once to highlight it, and then clicking Modify.
• When a box preceding an option is filled in or contains a check mark, it is
enabled or selected. When the box is empty (a check mark does not
appear), the option is disabled.
• On some windows, you need to use the scroll bar to view all of the
information or options.
• In the Rules window, you can reposition rules and groups by clicking and
dragging an entry to a new location.
• To delete an item from a list or table in an Admin Console window, click the
item to select it, and then click Delete.
• When you leave a window that you have modified, you will automatically be
prompted to save your changes before you exit the window. You can also
save your modifications at any time by clicking the Save icon in the toolbar
(or an OK button for some pop-up windows).
• When you exit a window and do not want to save your changes, click No
when prompted to save your changes. You can also cancel your changes at
any time by clicking the Rollback icon (or the Cancel button in some
windows) to restore the current window’s settings to the last saved version.
• For assistance on any of the Admin Console windows, click the Help icon
located in the top portion of the window. The online help provides
information about each of the Admin Console windows. To view the entire
list of available help topics, click the TOC button from within the help
system.
25

Chapter 2: Administrator’s Overview
Using the Admin Console File Editor
Using the Admin
Console File
Editor
About the File Editor
main window
26
Figure 10: File Editor
window
About the File Editor
window
While administering Sidewinder G2, you may find it necessary to modify a text
file or a configuration file. Although the typical UNIX editors are available for
you to use (vi, emacs, and pico), you may find it easier to use the File Editor
provided with the Admin Console. The File Editor is an easy-to-use editor that
is available directly from the Admin Console. The File Editor simplifies the
editing process, enabling you to perform virtually every necessary editing task
from the Admin Console instead of using a command line.
The File Editor also provides some additional conveniences such as unique file
backup and restore features. (Of course, UNIX aficionados are still welcome to
use the editor of their choice if they prefer.) In addition, using the File Editor
through the Admin Console provides a secure connection.
To access the File Editor, log into the Admin Console, select File Editor, and
then click Start File Editor. The following window appears:
The File Editor window contains three different menu options:
• File—This menu contains the basic action options. Use it to open new or
existing files, and to save files. The File menu also provides two unique
capabilities: it enables you to create a backup copy of a file, and it enables
you to restore a file from a previously saved backup copy. See “Creating a
backup file in the File Editor” on page 27 and “Restoring a file” on page 28
for details.
• Edit—This menu enables you to perform typical functions such as cutting,
copying, pasting, and finding/replacing text. See “Using the Find/Replace
option” on page 29 for information on finding and replacing text.
• Help—The following options are available under this menu:
– File Editor Help: Displays specific information for the File Editor window.
– About Help: Displays information about the current version of the Admin
Console software.

Figure 11: Open File
window
Opening or saving a
file using File Editor
window
Opening and saving files in the File Editor
Chapter 2: Administrator’s Overview
Using the Admin Console File Editor
When you select File > Open or File > Save As a window similar to the
following appears.
To open or save a file, follow the steps below.
1 [Conditional] In the Source field, specify where the source is located. The
options are:
• Local File—Indicates the file is located on the local Windows
workstation or on a network connected to the workstation.
• Firewall File—Indicates the file is located on the Sidewinder G2.
2 In the File field, type the full path name of the file.
If you do not know the full path name, click Browse to browse the available
directories. When you locate the file, click OK. The file name appears in the
File field.
3 Click OK to open or save the file, or click Cancel to cancel the request.
Creating a backup file in the File Editor
When modifying the Sidewinder G2 configuration files, it is normally a good
practice to create a backup copy of the file before you begin editing the file.
That way, if you make a mistake while editing the file you have the option to
revert to the original file. The File Editor provides an easy method for creating a
backup copy of a file. You can even make a backup after you begin modifying a
file. The key is to create the backup before you save your changes. Once you
save your changes you will not be able to create a backup file that mirrors the
original file.
To make a backup copy of a file, open the file with the File Editor, then select
File > Backup. The following window appears:
27

Chapter 2: Administrator’s Overview
Using the Admin Console File Editor
28
Figure 12: Backup File
window
Entering information
on the Backup File
window
Figure 13: Restore
window
Entering information
in the Restore File
window
To make a backup copy of the last saved version of the file currently open
within the File Editor, follow the steps below.
1 In the Name of Backup File field, specify a name for the backup file. By
default, the file is given the same name as the original file but with a .bak
extension.
The backup file will be created in the directory listed in the Current Directory
field. This is the directory in which the original file currently resides,
and cannot be modified.
2 Click OK to save the information and exit the window, or click Cancel to exit
the window without saving the backup file.
Restoring a file
In order to restore a file, the file must be open within the File Editor. Select
File > Restore and the following window appears.
This window enables you to restore a file to its original contents. You can do
this only if you have previously created a backup copy of the file. Follow the
steps below.
1 In the Restore From File field, specify the name of the backup file to use
when restoring the file to its original condition. If you do not know the name
of the backup file, click Select to browse the available files. When you
locate the file, click Open. The file name appears in the Restore From File
field.
Note: If a backup file exists, it will appear in the same directory as the current
file, because you are only allowed to create a backup in the same directory. The
Current Directory field displays the name of that directory and cannot be
modified.
2 Click OK to save the information and exit the window, or click Cancel to exit
the window without saving the backup file.

Figure 14: Find/Replace
window
Entering information
on the Find/Replace
window
Using the Find/Replace option
Chapter 2: Administrator’s Overview
Using the Admin Console File Editor
You can use the Find/Replace option on the Edit menu to perform advanced
editing of files. To use the Find/Replace option, select
Edit > Find/Replace. The following window appears.
This window enables you to locate a character string within the file and to
replace the character string with a different character string. Follow the steps
below.
1 In the Find what field, specify the character string you want to search for
within the file.
2 [Optional] If you want to replace the character string specified in the Find
what field with a different character string, type the new string in the
Replace with field.
3 In the Search field, specify which direction in the file the search should be
performed. There are two options:
• Down—From your current position within the file, the File Editor will
search down (forward) in the file for the specified character string.
• Up—From your current position within the file, the File Editor will search
up (backward) in the file for the specified character string.
4 In the Case field, specify whether the File Editor should find any matching
character string, or if it should consider upper and lower case when
performing the search. There are two options:
• Match—Find only those character strings that exactly match the case as
specified in the Find what field.
• Ignore—Find all matching character strings regardless of upper and
lower case.
5 Click Find Next to initiate the character search and to locate the next
occurrence within the file.
29

Chapter 2: Administrator’s Overview
Administering Sidewinder G2 using Secure Shell
Administering
Sidewinder G2
using Secure
Shell
30
6 [Optional] If the character search locates a match, you can click Replace to
replace the found character string with the character string specified in the
Replace with field. To replace all occurrences of the character string, click
Replace All. An Info window will appear indicating how many times the
character string was replaced. Click OK to close the Info window.
7 To find additional occurrences of the character string, continue to click Find
Next for each occurrence. When there are no additional occurrences, a
message will appear telling you that the search is complete.
8 When you are finished searching, click Close to exit this window.
Secure Shell (SSH) provides secure encrypted communication between two
hosts over an insecure network, allowing you to securely manage your
Sidewinder G2 from a remote location. This section describes how to configure
and use the Sidewinder G2 as an SSH server and/or an SSH client.
• The procedures covered in the following sections are based on OpenSSH
version 3.8.1p1. It provides support for SSH version 1.5 and 2.0 sessions.
• sftp and sftp-server are included in OpenSSH and installed on the
Sidewinder G2.
Configuring the Sidewinder G2 as an SSH server
On the Sidewinder G2, SSH is typically used by administrators to log into the
Sidewinder G2 securely from a remote machine. In this case the Sidewinder
G2 acts as the SSH server.
When configuring the SSH server you have the option to use
RSA/DSA authentication. If you use RSA/DSA authentication, the
authentication is accomplished via an exchange of public and private keys
between the server and the client. The downside of RSA/DSA authentication is
that it requires a bit more of an administrative effort. If you elect NOT to use
RSA/DSA authentication, the SSH clients must enter their Sidewinder G2 user
name and authentication information when initiating the SSH connection.
The following sub-sections provide specific information on configuring the
Sidewinder G2 as an SSH server using RSA or DSA authentication, as well as
general information on configuring the SSH server.

Chapter 2: Administrator’s Overview
Administering Sidewinder G2 using Secure Shell
Configuring SSH when not using RSA/DSA authentication
If you are not using RSA/DSA authentication, follow the steps below to
configure SSH.
1 In the Admin Console, select Services Configuration > Servers.
2 Select sshd in the list of server names, and click the Configuration tab.
3 Ensure that the Allow RSA Authentication field is disabled.
4 Rather than using RSA/DSA authentication, each client will be required to
log in using their Sidewinder G2 user name and authentication information.
5 Click the Control tab.
6 Enable the SSH server in the desired burbs, then click the Save icon.
7 [Conditional] If a Host Key Pair does not exist, you will be prompted by the
Admin Console to confirm that the Admin Console will create an SSH host
key. Click Yes.
8 Configure and enable the authentication method you want to use to
authenticate SSH sessions. See Chapter 10 for information.
9 Create an SSHD rule that allows SSH clients to log into this Sidewinder G2
using SSH.
In the rule, select the following options: Service Type= server,
Service = sshd. You will also need to select the authentication method you
enabled in step 8. See “Creating proxy rules” on page 222 for information
on creating a proxy rule using the Admin Console.
Note: If the client has previously established an SSH connection to the
Sidewinder G2, the information associated with the previous connection must
be deleted from the client.
The Sidewinder G2 is now ready to accept SSH connection requests.
Remember that a client must have an administrator account on the Sidewinder
G2 in order to log in.
Configuring SSH when using RSA/DSA authentication
If you are using RSA /DSA authentication to configure SSH, follow the steps
below.
1 Connect to the Sidewinder G2.
2 Select Services Configuration > Servers.
3 Select sshd in the list of server names, and click the Configuration tab.
4 Enable the Allow RSA Authentication field.
31

Chapter 2: Administrator’s Overview
Administering Sidewinder G2 using Secure Shell
32
5 If you do not currently have an SSH host key pair, click Generate New Host
Key. Click OK to acknowledge that the new key pair has been created.
You must have at least one SSH host key pair for the SSH daemon to operate.
If you have an existing key pair, you do not need to create a new one.
The host key pairs are stored in the /etc/ssh directory and have the following
file names:
ssh_host_key
ssh_host_key.pub
ssh_host_rsa_key
ssh_host_rsa_key.pub
ssh_host_dsa_key
ssh_host_dsa_key.pub
6 Click the Control tab.
7 Enable the SSH server in the desired burbs, and then click the Save icon.
8 From a command line prompt, create a subdirectory named /.ssh in each
administrator’s home directory.
Example: If an administrator named lloyd has a home directory named
/home/lloyd, create the /.ssh subdirectory by typing the following commands:
srole
cd /home/lloyd
mkdir .ssh
SSH version 1.5 rsa private key
SSH version 1.5 rsa public key
SSH version 2.0 rsa private key
SSH version 2.0 rsa public key
SSH version 2.0 dsa private key
SSH version 2.0 dsa public key
9 Use a text editor to create a file named authorized_keys in each
administrator’s /.ssh directory.
Do this using the File Editor provided in the Admin Console, or your favorite
UNIX editor.
10 Paste each user’s public key into the respective authorized_keys file.
The method you use to get the public keys onto the Sidewinder G2 is up to
you. You might use FTP, or you might copy/paste from one window to
another.
11 Create an SSHd rule that allows SSH clients to log into this Sidewinder G2
using SSH. See “Creating proxy rules” on page 222 for information on
creating a rule using the Admin Console.
The Sidewinder G2 is now ready to accept connections from SSH clients.
Remember that an administrator must have an account on the Sidewinder G2
in order to log in.

Chapter 2: Administrator’s Overview
Administering Sidewinder G2 using Secure Shell
Configuring and using the Sidewinder G2 as an SSH
client
It is also possible for the Sidewinder G2 to act as an SSH client. For example,
you might want to establish an SSH connection between two Sidewinder G2s.
In this case one Sidewinder G2 operates as the server (via the SSH daemon),
and the other operates as an SSH client. You have the option to use RSA/DSA
authentication with the SSH client.
Note: On non-Sidewinder G2 systems, an SSH client that is run from root will bind
to a reserved port. As a security feature, the Sidewinder G2 SSH client is not
allowed to bind to a reserved port. This is prevented by Type Enforcement.
If not using RSA/DSA authentication
There is nothing to configure on the Sidewinder G2 if you are not using RSA/
DSA authentication. To use the Sidewinder G2 as an SSH client, follow the
steps below:
1 Log into the Sidewinder G2 and type the following command to switch to
the Admn domain.
srole
2 Establish the connection with the SSH server by typing one of the following
commands.
ssh login_name address
or
ssh login_name@address
where:
login_name = the name used when logging onto the SSH server.
address = the address of the host with which you are establishing an SSH
connection.
You have the option to use an authentication method other than the default
method when connecting to another Sidewinder G2. Type a colon and the
name of the authentication method after the login_name field. For example,
to use SafeWord you would type:
ssh login_name:safeword address
If using RSA/DSA authentication
To use the Sidewinder G2 as an SSH client while using RSA/DSA
authentication, you must perform several configuration steps before initiating
the SSH connection.
33

Chapter 2: Administrator’s Overview
Administering Sidewinder G2 using Secure Shell
Configuring the
Sidewinder G2 as an
SSH client
Using the
Sidewinder G2 as an
SSH client
34
1 Connect to the Sidewinder G2.
2 Select Services Configuration > Servers.
3 Select sshd in the list of server names, then click the Configuration tab.
4 Click Generate New Client Key to generate a public and private key pair
that the Sidewinder G2 can use when acting as an SSH client. The client
public and private keys are created in the /home/username/.ssh directory,
where username is the user name you used when connecting to the Admin
Console. The file names vary, depending on the SSH version:
• SSH version 1.5 — The client public key file name is identity.pub and
the private key file name is identity.
• SSH version 2.0 — The client public key file names are id_rsa.pub and
id_dsa.pub. The corresponding private key file names are id_rsa and
id_dsa.
5 [Conditional] If the SSH server that you will be connecting to is another
Sidewinder G2, connect to that Sidewinder G2 using the Admin Console at
this time.
If needed, click the New Firewall button in the top portion of the Admin Console
and add the other Sidewinder G2(s) to the list of Sidewinder G2s you
can administer.
6 If the SSH server that you will be connecting to is another Sidewinder G2,
click Export Client Key to export the public client key to the other
Sidewinder G2(s). Otherwise, use the best available method (FTP, cut and
paste, etc.) to export the public client key to the SSH server.
7 Select the Sidewinder G2 to export to, and click OK.
1 At a Sidewinder G2 command prompt, enter the following command to
switch to the admn role:
srole
2 Establish the connection with the SSH server by typing the following
command.
ssh -l login_name -o "RSAAuthentication yes" address
where:
login_name = the user name used when logging onto the SSH server
address = the address of the host with which you are establishing an SSH
connection
See the ssh man page for more details.
On the Sidewinder G2, the SSH client must be run from the Admn domain.
Many SSH daemons, however, do not allow root users to connect to the SSH
daemon. To get around this, be sure to use the -l option when logging in. This
allows you to login as a different user.

Figure 15: sshd Server
Configuration tab
Configuring the
sshd Server
Configuration tab
Chapter 2: Administrator’s Overview
Administering Sidewinder G2 using Secure Shell
Configuring the SSH using the Admin Console
SSH is configured from the Admin Console by selecting Services
Configuration > Servers. Select sshd from the list of servers. Select the
appropriate check box(es) to enable the server for one or more burbs. To
configure the SSH server, select the Configuration tab. The following window
appears:
The SSH Server Configuration tab enables you to generate host and client
keys, and to specify whether RSA/DSA authentication is allowed. Follow the
steps below.
1 If you want to allow SSH connections to be authenticated using RSA/DSA
authentication, select the Allow RSA Authentication check box.
RSA/DSA authentication is a common encryption and authentication system
that uses an exchange of public and private keys between the server
and the client. It is based on the RSA/DSA algorithm. If this check box is not
enabled, all SSH connections must be authenticated using the authentication
method specified in the SSH rule(s)’ Authentication tab.
2 To generate an SSH host authentication key that will be used when the
Sidewinder G2 is acting as the server in an SSH connection, click Generate
New Host Key. Sidewinder G2 automatically generates the following three
authentication keys: RSA1, RSA, and DSA.
3 To generate the SSH version 1.5 client authentication key that will be used
when the Sidewinder G2 is acting as a client in an SSH connection, click
Generate New Client Key.
4 [Conditional] To export the client key to another Sidewinder G2, click Export
Client Key. You can only export the client key if:
• you generated a client key as described in step 3
• you currently have an active Admin Console connection with one or
more additional Sidewinder G2s (the Sidewinder G2[s] that will act as
the SSH server).
5 Click the Save icon to save your changes.
35

Chapter 2: Administrator’s Overview
Administering Sidewinder G2 using Telnet
Configuring the
Export Client Key
window
Administering
Sidewinder G2
using Telnet
36
The Export Client Key window is used to select the Sidewinder G2(s) to which
you want to export the public client key. After selecting the desired Sidewinder
G2(s), click OK to initiate the export process.
Tips on using SSH with Sidewinder G2
Please note the following information about SSH on the Sidewinder G2.
• There are two configuration files associated with SSH:
– For the SSH daemon: /etc/sshd_config
– For the SSH client: /etc/ssh_config
• See the ssh, sshd, and ssh-keygen man pages for additional details.
• The Sidewinder G2's SSH daemon and client are based on the OpenSSH
implementation. See http://www.openssh.com for more information.
To troubleshoot Sidewinder G2 problems using a command line interface
rather than the Admin Console, you can configure Telnet services that allow
you to connect from a system within your network. You can also allow trusted
users to use a Telnet client to log into Internet systems remotely.
Setting up an internal (trusted) Telnet server
Telnet provides a way to log into a system in your network from another
system. All you need to know is the name of the system in which you want to
log in. Once you have established a connection, you are logged in just as you
would be if you were physically located at that system.
A Telnet server is defined for each burb on your Sidewinder G2: one for the
external (Internet) burb and one for each of the internal (or trusted) burbs. This
gives you the capability to Telnet to the Sidewinder G2 from any system on an
internal burb so you can perform administrative tasks remotely.
Note: For security reasons, the Telnet servers are not initially enabled.

To access the trusted Telnet server, follow the steps below:
Chapter 2: Administrator’s Overview
Administering Sidewinder G2 using Telnet
1 Create a proxy rule that allows access to the Telnet server and add it to the
active rule group. See “Creating proxy rules” on page 222.
2 Enable the Telnet server as follows:
a Select Services Configuration > Servers.
b Select telnet from the list of server names.
c Select the burb(s) in which you want the Telnet server to be enabled. A
check mark appears when the server is enabled for a burb.
d Click the Save icon in the toolbar.
Important: All users accessing a Telnet server must be authenticated. If the proxy
rule that allows entry for a Telnet connection does not specify authentication, users
will not be able to log in.
To perform Sidewinder G2 administration tasks, you must have an account on
the Sidewinder G2 as described on “Setting up and maintaining administrator
accounts” on page 43. Aside from your account and authentication information,
all you need to log into the Sidewinder G2 is the name. To log into the
Sidewinder G2 using Telnet, see “Connecting to the Sidewinder G2 using
Telnet” on page 38.
Setting up an external Telnet server
The Sidewinder G2 allows you to enable an external Telnet server. An external
server resides on the external network side of the Sidewinder G2, and is
available to Internet users once you set up the appropriate “allow” proxy rules
and add them to the active rule group. (The other Telnet servers reside on the
internal side of the Sidewinder G2 and are available only to trusted users.)
Security Alert: Setting up a Telnet server on the external side of your Sidewinder
G2 can raise security issues. Contact Secure Computing Technical Support before
attempting this.
37

Chapter 2: Administrator’s Overview
Administering Sidewinder G2 using Telnet
38
Connecting to the Sidewinder G2 using Telnet
Note: You must enable the Telnet server in the appropriate burb(s) before you will
be allowed to Telnet. See “Setting up an internal (trusted) Telnet server” on page
36.
1 Telnet to the Sidewinder G2 and log in by typing the following command,
using your Sidewinder G2 host name.
telnet hostname
When prompted, enter your Sidewinder G2 authentication information.
Depending on the authentication method configured for you on the
Sidewinder G2, you must now provide a valid password or a special passcode
or personal identification number (PIN) before you are logged on to
the Sidewinder G2.
2 Enter the following command:
srole
Enter commands from the UNIX prompt as required. Refer to Appendix A or
the man pages for information on using individual commands.

3 CHAPTER
General System Tasks
In this chapter...
Restarting or shutting down the system .........................................40
Setting up and maintaining administrator accounts........................43
Changing passwords......................................................................47
Setting the system date and time...................................................47
Using system roles to access type enforced domains ...................49
Configuration file backup and restore.............................................50
Activating the Sidewinder G2 license .............................................55
Protected host licensing and the Host Enrollment List ...................62
Enabling and disabling servers ......................................................65
Configuring the synchronization server ..........................................68
Configuring virus scanning services...............................................69
Configuring the shund server .........................................................74
Loading and installing patches .......................................................76
Modifying the burb configuration ....................................................82
Modifying the interface configuration..............................................83
Modifying the static route ...............................................................90
Configuring Admin Console access ...............................................91
Configuring the Sidewinder G2 to use a UPS ................................93
Enforcing FIPS ...............................................................................95
39

Chapter 3: General System Tasks
Restarting or shutting down the system
Restarting or
shutting down
the system
40
You can boot the Sidewinder G2 to start up in one of two kernels: Operational
or Administrative (see “Sidewinder G2 kernels” on page 4 for descriptions of
each kernel). This section describes how to power up the Sidewinder G2 to the
Operational kernel when the Sidewinder G2 is powered off, and how to reboot
or shut down the system when the Sidewinder G2 is running.
Important: The Administrative kernel is used only when an administrator needs to
perform special tasks (such as installing software or restoring Sidewinder G2
software from a backup tape), or under certain circumstances for troubleshooting
purposes. For information on booting the Sidewinder G2 into the Administrative
kernel, see “Powering up the system to the Administrative kernel” on page 636.
When you power up the Sidewinder G2, it will boot to the Operational kernel by
default. You will almost always run the Sidewinder G2 in the Operational
kernel, unless you need to perform a full system backup or restore, or to install
hardware or software. All procedures that require the Administrative kernel are
discussed in Appendix F “Basic Troubleshooting”.
The procedures to power up, reboot, or shut down the Sidewinder G2 in the
Operational kernel are described in the following subsections.
Important: When the Sidewinder G2 is rebooted or shutdown, a record of who
issued the action is logged in the /var/log/messages file. This applies to a reboot or
shutdown issued from the Admin Console or using the shutdown command.
Powering on the system to the Operational kernel
Because the Operational kernel is the default kernel, you can boot your
Sidewinder G2 to the Operational kernel by pressing the power button. Once
the system has booted, you can start the Admin Console and log into your
Sidewinder G2. Once you are logged in, you can perform the Operational
kernel tasks described in this manual.
Note: If the boot process fails, see “What to do if the boot process fails” on page
651.

Figure 16: System
Shutdown window
Entering information
on the System
Shutdown window
.
Chapter 3: General System Tasks
Restarting or shutting down the system
Rebooting or shutting down using the Admin Console
The following procedure allows you to reboot or shut down the system using
the Admin Console.
In the Admin Console, select Firewall Administration > System Shutdown.
The following window appears.
This window is used to either reboot the Sidewinder G2 or to shut down the
system completely. Follow the steps below.
1 In the Shutdown Options area, select the action you want to perform:
• Reboot to Operational Kernel—Restarts the system in the Operational
kernel.
• Reboot to Administrative Kernel—Restarts the system in the
Administrative kernel and displays the # prompt at the Sidewinder G2,
indicating that you are in a login shell and can start issuing Sidewinder
G2 or UNIX commands. (You will be prompted to mount the file
systems.)
Important: Remember that while Sidewinder G2 is in the Administrative
kernel, it is offline and does not pass traffic. You must connect a keyboard and
monitor to the Sidewinder G2 before you can administer the system in the
Administrative kernel. See “Powering up the system to the Administrative
kernel” on page 636 for details.
• Halt System—Shuts down the Sidewinder G2 software without
restarting. Run this command before you move your Sidewinder G2 to a
new location or make hardware changes.
2 [Optional] If you want a shutdown message to appear informing users of a
pending shutdown, type the message text in the Shutdown Message field.
41

Chapter 3: General System Tasks
Restarting or shutting down the system
42
3 In the Shutdown Time field, select the shutdown time from the following
options.
• Immediately—The system will shutdown immediately when you click
Execute Shutdown.
• Delay Shutdown for—The shutdown will be delayed for the amount of
time specified in the Hours and Minutes fields. You can enter values in
these fields that will delay the shutdown for up to 24 hours and 59
minutes.
4 Click Execute Shutdown to implement the shutdown.
Any connections to the Admin Console will be lost when the Sidewinder G2
shuts down. New connections to the Sidewinder G2 will not be allowed
once the shutdown process has been executed.
Rebooting or shutting down using a command line
interface
The shutdown command reboots or shuts down the system from a command
line interface. Use this command to indicate how and when you want the
Sidewinder G2 to shut down.
The shutdown time can be specified as:
• now (for immediate shutdown)
• a number of minutes (If you are specifying the number of minutes, you must
include a plus (+) sign in front of the minutes.)
• an exact date and time ([[[yy]mm]dd]hhmm])
Use the command in the following formats to shut down or reboot the system:
• To restart the system in the Operational kernel, enter the following
command at a Sidewinder G2 command prompt:
shutdown -r [time]
For example, shutdown -r now would immediately reboot Sidewinder G2
into its Operational kernel.
• To restart the system to the Administrative kernel, enter the following
command at a Sidewinder G2 command prompt:
shutdown -g [time]
For example, shutdown -g +120 would reboot Sidewinder G2 into its
Administrative kernel in two hours (120 minutes).
Important: Remember that while Sidewinder G2 is in the Administrative
kernel, it is offline and does not pass traffic. You must connect a keyboard and
monitor to the Sidewinder G2 before you can administer the system in the
Administrative kernel. See “Powering up the system to the Administrative
kernel” on page 636 for details.

Setting up and
maintaining
administrator
accounts
Chapter 3: General System Tasks
Setting up and maintaining administrator accounts
• To shut down the Sidewinder G2 without restarting, enter the following
command at a Sidewinder G2 command prompt:
shutdown -h [time]
For example, shutdown -h 0601312359 would halt Sidewinder G2 at one
minute to midnight on January 31, 2006.
Note: More information about shutdown options is available on the shutdown
man page.
The shutdown process for a Sidewinder G2 that belongs to an HA cluster is
slightly different. See “Scheduling a soft shutdown for an HA cluster
Sidewinder G2” on page 510 for information on shutting down a Sidewinder G2
that belongs to an HA cluster.
Each Sidewinder G2 administrator must have an account created on the
system. When you installed your Sidewinder G2, you created an initial
administrator account by entering a login name and password. This section
describes how to set up and maintain Sidewinder G2 accounts for other
administrators.
Note: Only administrators have accounts directly on the Sidewinder G2. People
who use Sidewinder G2 networking services have “user” (or network login)
accounts, not Sidewinder G2 administrator accounts. See “Creating users and user
groups” on page 132 for information on creating non-administrative user accounts.
When you add an administrator account, you will also assign the new
administrator a role. The following table describes the available administrator
roles. The following processes explain how to view, add, edit, or delete
administrator account information or change role assignments.
Table 6: Administrator roles
Role Authorized to:
admin • Access all windows, menus, and commands within
the Admin Console.
• Add and remove users and assign roles.
• Do incremental back-ups and restore the system.
(Full back-ups and restores are done in the
Administrative kernel.)
• Use all other system functions and commands.
adminro Read access to all windows, menus, and commands
within the Admin Console (including monitoring,
reporting, and auditing). This role is generally used as an
auditor role.
no admin privileges Maintains an existing or new administrator account
without any read or write access. This role is generally
used to temporarily disable an administrator account.
43

Chapter 3: General System Tasks
Setting up and maintaining administrator accounts
44
Figure 17:
Firewall Accounts window
About the Firewall
Accounts window
Viewing administrator accounts
Start the Admin Console and select Firewall Administration > Firewall
Accounts. A window similar to the following appears.
This window displays the administrator accounts currently established on the
Sidewinder G2. Each row in the table defines one user account, and contains
the following information:
• Username—This column identifies the name used by each administrator
when logging into the Sidewinder G2.
• Full Name—This column identifies the full name of each user.
• Role—This column identifies the authorized role for each user.
• Directory—This column identifies the home directory path that is created
for that user.
You can also specify the following information, which applies to all user
accounts:
• Delete home directory upon deletion of user—Select this check box to
configure the Sidewinder G2 to automatically delete a user’s home
directory if a user’s account is deleted from the system.
• Administrator Authentication Default Method—Select the default
authentication method that will be used by administrators to log into the
Sidewinder G2.
Note: This is different from the default authentication method that is specified
within individual proxy rules, which are only for proxy users.

Figure 18:
Administrator Information
tab
Entering information
on the Firewall
Accounts - New/
Modify window
Chapter 3: General System Tasks
Setting up and maintaining administrator accounts
To create or modify a user account, click New or Modify, and see “Adding or
modifying an administrator account” on page 45 for details.
To delete a user account, highlight the user account you want to delete and
click Delete. A confirmation message appears. Select Yes to delete the
account or No to cancel. (When you delete an administrator account, the user
database entry for that administrator is also removed.)
Adding or modifying an administrator account
When you click New or Modify in the Firewall Accounts window, the following
window appears.
Note: The information shown in the Firewall Accounts window is stored in the
/etc/sidewinder/roles.conf file.
To create a new Sidewinder G2 administrator account or to modify an existing
account, follow the steps below.
1 In the Username field, type the user name for the administrator. The name
can consist of up to 16 alpha-numeric characters and must begin with an
alphabetic character.
If you are editing an existing account, you cannot change the user name.
Important: Do not use uppercase characters in the username field, because
sendmail will automatically convert the user name to lowercase before mail is
delivered. Therefore, any mail addressed to a user name that contains
uppercase characters will not be forwarded.
45

Chapter 3: General System Tasks
Setting up and maintaining administrator accounts
46
2 In the Password field, type a password for this administrator. This is the
password the administrator must enter when logging into the Sidewinder
G2. Use the following guidelines to create a strong password:
• Use passwords that are at least 7 or 8 characters in length.
• Use a mix of upper and lowercase letters, and non-alphabetic
characters such as symbols and numbers.
• Do not use any easily guessed words or words found in a dictionary,
including foreign languages.
Note: If you are modifying the account, the encrypted password is displayed in
this field.
3 In the Confirm Password field, retype the password you entered in the
Password field. This text entered in this field must match the text entered in the
Password field and aids in reducing the possibility of error when creating
passwords.
4 [Optional] In the Full Name field, type the full name of the administrator.
5 [Optional] In the Office field, type the office address of the administrator.
6 [Optional] In the Office Phone field, type the office phone number of the
administrator.
7 [Optional] In the Home Phone field, type the home phone number of the
administrator.
8 In the Directory field, specify the home directory for this administrator. The
default value for this field is /home/username. This field can only be modified if
you are creating a new administrator account.
9 In the Login Shell drop-down list, specify the UNIX shell that will be used when
this administrator logs in.
10 In the Roles drop-down list, select the authorized role for this administrator.
• admin—Select this option if you want the user to have administrator
privileges for all areas on the Sidewinder G2.
• adminro—Select this option to allow read privileges only. This role will
allow an administrator to view all system information, as well as create
and run audit reports. An administrator with read-only privileges cannot
commit changes to any area of the Sidewinder G2.
• no admin privileges—Select this option to temporarily disable an
account. An administrator with no admin privileges cannot log into
Sidewinder G2.
11 Click Add to save the changes (or OK if modifying an account), or click
Cancel to exit the window without saving the changes.

Changing
passwords
Setting the
system date and
time
Figure 19: Date and
Time window
About the Date and
Time window
Chapter 3: General System Tasks
Changing passwords
To change an administrator account password (also known as a UNIX account
password), do the following:
Note: If you forget your password, you can still access the administrative kernel to
change your password. See “If you forget your administrator password” on page
653.
1 In the Admin Console, select Firewall Administration > Firewall Accounts.
The Administrator Accounts window appears.
2 Click the administrator account whose password you want to change, then
click Modify. The Firewall Accounts: Modify window appears.
3 In the Password field, enter the new administrator account password.
4 Click OK.
Use the following procedures to check the Sidewinder G2 system clock or
change the system clock from the Admin Console.
Viewing/changing the date and time
To check and/or change the system date and time settings, start the Admin
Console and select Firewall Administration > Date and Time. The Date and
Time window appears.
Before changing the date and time, note the following:
• Applying changes to the date and time will cause the Sidewinder G2 to
automatically reboot. Therefore, you should only modify date and/or time
settings during off-hours. Also note that the reboot will cause you to lose
your Admin Console connection.
• The Admin Console allows you to set the clock ahead a maximum of 31
days. The Admin Console does not allow you to set the system clock back
in time. To set the clock back, reboot to the Administrative kernel and run
the config_time utility. See “Changing the date or time using the
config_time utility” on page 48 for details.
47

Chapter 3: General System Tasks
Setting the system date and time
48
To change the date and time using the Admin Console, follow the steps below.
1 In the Location drop-down list, select the world-wide location of this
Sidewinder G2.
2 In the Time Zone drop-down list, select the time zone in which this
Sidewinder G2 is located.
3 In the Date field, select the current date from the Month, Day, and Year
drop-down lists.
4 In the Time drop-down list, select the current time (hours, minutes,
AM/PM).
5 Click the Save icon to save your changes.
Changing the date or time using the config_time utility
To change the system date or time setting on Sidewinder G2 use the
config_time utility, as follows.
1 Reboot the Sidewinder G2 to the Administrative kernel. For information on
rebooting to the Administrative kernel, see “Powering up the system to the
Administrative kernel” on page 636.
2 At a Sidewinder G2 command prompt, enter the following command:
config_time
The first date and time configuration window appears.
3 Specify the correct time zone.
When you are prompted to set the time zone, type yes or no (default), then
press Enter.
• If you respond no, proceed to step 4.
• If you respond yes, a list of time zone options appears and you must
type in the exact spelling for the time zone option you want and then
press Enter.
4 Specify the correct system clock settings.
At the screen asking if you want to set the system clock, type yes or no
(default), then press Enter.
• If you respond no, the config_time script stops.
• If you respond yes, you will be prompted to enter the current date, then
the current time. Specify the date and time in the format shown on the
screen.
Important: If you increment the system date by more than a few days, you
may cause passwords to expire. For example, if a user’s password is set to
expire in six days and you increment the date setting by seven days, that user’s
password will automatically expire.
5 Reboot to the Operational kernel by entering the following command:
shutdown -r now

Using system
roles to access
type enforced
domains
Chapter 3: General System Tasks
Using system roles to access type enforced domains
The following information provides command line information that will assist
you in determining the kernel, domain, and system role in which you are
currently running.
Note: For more information on any of the commands described below, see the
appropriate man page.
Checking which kernel you are running (uname)
To find out whether you are operating in the Administrative or Operational
kernel, type the following command:
uname -a
Using the -a parameter in this command specifies to print the kernel name as
well as other system identifying attributes, such as hardware platform
information. SW_OPS indicates you are running in the Operational kernel.
SW_ADMIN indicates you are running in the Administrative kernel.
Checking which domain you are using (whereami)
To check which domain you are currently executing in, type the following
command:
whereami
A response similar to the following will appear:
domain=User
The domain in the response indicates in which domain you are operating.
Changing your domain access using the srole command
When you initially log into the Sidewinder G2 using a command prompt, you
are logged into the User domain by default. The User domain allows very little
access, including no access to sensitive files.
To change to the Admn domain, which allows access to all Sidewinder G2
domains (based on your administrative role), enter the following command:
srole
To return to the previous domain role and shell, enter the following command:
exit
You are returned to the User domain.
49

Chapter 3: General System Tasks
Configuration file backup and restore
Configuration
file backup and
restore
50
This feature enables you to backup and restore Sidewinder G2 configuration
files. Backing up the configuration files enables you to quickly restore a
Sidewinder G2 to a previous operational state. Table 7 shows the difference
between a configuration backup and a system file backup.
Overview of configuration file backup and restore
This section covers backing up and restoring configuration files using the
Admin Console. System file backup and restore procedures, and configuration
restores using the command line, are described in Appendix F, “Basic
Troubleshooting.” Back up the full system before and after making major
changes to your Sidewinder G2, such as adding new hardware.
Table 7: Configuration backup/restore vs. system file backup/restore
Configuration backup and restore System file backup and restore
Backs up and restores just the
Sidewinder G2 configuration files.
Backs up the files to diskette, to itself,
or to the hard drive of another
Sidewinder G2.
Backs up and restores the entire
Sidewinder G2 hard drive.
Backs up the Sidewinder G2 hard
drive to a DAT.
Does not allow incremental backups. Allows incremental backups.
You backup and restore from within
the Operational kernel. This enables
you to perform the backup and restore
on another Sidewinder G2.
Can be performed on either a local or
a remote Sidewinder G2, using the
Admin Console.
Enables you to restore a Sidewinder
G2 without having to re-install from
scratch.
Restores only the configuration files.
Mail queues, audit trails, etc., are not
restored.
Does not backup site-specific
changes made to non-configuration
files.
The backup and restore process is
quick.
Requires you to boot to the
Administrative kernel to perform the
backup and restore. This means you
cannot perform this backup and
restore on another Sidewinder G2.
Can only be performed locally using
the Installation Wizard.
Requires you to re-install from scratch
using the DAT.
Restores the entire system as it
existed at the time of the backup. This
includes old mail queues, audit trail
information, etc.
Backs up all site-specific changes.
The backup and restore process is not
as quick.

Figure 20: Configuration file backup options
Option 1)
Back up your local Sidewinder G2
configuration files to diskette
Note: Make sure your Sidewinder G2
has a floppy drive before selecting this
option.
Option 2)
Back up your Sidewinder G2
configuration files to its own hard
drive (used to allow you to FTP
the configuration backup to
another location, for instance).
Option 3)
Back up a Sidewinder
G2 to a different
Sidewinder G2.
What is backed up
and restored
Chapter 3: General System Tasks
Configuration file backup and restore
Figure 20 displays the various options you have when using the configuration
backup process.
Sidewinder G2
local Sidewinder G2
SSL
connection
local Sidewinder G2
Internet
remote
Sidewinder G2
There are two files that determine which configuration files will be backed up
and restored. The files are located in the /etc/backups/config_backup directory
and are named:
• backup_file_list — Contains the list of files and directories that will be
included in the configuration backup/restore process. Wild cards can be
used when specifying names in this file.
• exclude_file_list — Defines the files within backup_file_list that should be
excluded from the configuration backup/restore process. For example, files
that contain graphics are located in some of the directories specified in
backup_file_list that should not be included in the configuration backup/
restore process. You cannot specify directory names or use wild cards in
this file.
Caution: While it is possible to modify these two files, do so with caution. To
prevent accidental modification, these files are defined as read-only. If you
absolutely must modify one of these files, use the Admin Console.
51

Chapter 3: General System Tasks
Configuration file backup and restore
What is not backed
up or restored
52
Figure 21: Configuration
Backup window
About the
Configuration
Backup window
The general rule is, if it is not a configuration file it will not be backed up. For
example, the configuration backup/restore process will not process the mail
queues, the audit trail, the log files, any executable files, etc. As such,
modifications you make to non-configuration files will not be backed up and
restored.
Backing up and restoring config files using the Admin
Console
To back up or restore your configuration files using the Admin Console, start
the Admin Console and select Firewall Administration > Configuration
Backup. The Configuration Backup window appears.
Note: See “Restoring configuration files using the command line” on page 646 for
details on restoring configuration files when the Admin Console is not accessible.
The Configuration Backup window allows you to backup and restore your
Sidewinder G2 configuration files. Configuration files can be backed up to
either a floppy diskette, the Sidewinder G2 hard drive, or the hard drive of
another Sidewinder G2. You can restore the backup configuration files using
this window when your system is operational.
Important: If you will be performing a configuration backup to or restore from a
remote Sidewinder G2, you must first configure the synchronization server
information. (See “Configuring the synchronization server” on page 68.) You must
also enable the Synchronization proxy rule on the remote Sidewinder G2. See
“Creating proxy rules” on page 222.

Chapter 3: General System Tasks
Configuration file backup and restore
Backing up configuration files using the Admin Console
To back up your configuration files using the Admin Console, follow the steps
below.
1 In the Configuration Action field, select Backup.
2 In the Backup To or Restore From field, select the type of backup you want
to make:
• Floppy Diskette—Select this option to back up to a floppy diskette.
(Select this option only if your Sidewinder G2 has a floppy drive.)
• Local Sidewinder—Select this option to back up to the Sidewinder G2
hard drive (the backup can then be transferred to another location using
FTP).
• Remote Sidewinder—Select this option to back up to a different
Sidewinder G2. If you select this option, you must first ensure that both
the synchronization server and Synchronization rule have been
configured and enabled on the remote Sidewinder G2 (where the
backup will reside). See “Configuring the synchronization server” on
page 68.
3 [Conditional] If you selected Remote Sidewinder or Local Sidewinder in the
previous step, do the following:
a [Remote Sidewinder only] In the Address field, type the IP address of
the remote Sidewinder G2.
b [Remote Sidewinder only] In the Port field, type the port that will be used
to connect to the remote Sidewinder G2. The port number specified in
this field must match the port number used for the remote Sidewinder
G2. The default for this field is 9005 and should not be modified.
Note: The Port field does not support port lists. The remote Sidewinder G2
must be listening on the specified port for the transfer to occur.
c [Remote Sidewinder only] In the Shared Sync Key field, enter
a synchronization key that you created when you configured
the synchronization server. (You can view the synchronization key
for the synchronization server by going to Services Configuration >
Servers > Synchronization > Configuration tab.)
d In the Filename field, type the filename that the current configuration is
stored as on the specified Sidewinder G2 in the /var/backups/repository
directory. This is needed in case there are multiple configurations on
your Sidewinder G2.
Remote backups will be stored in directories and file names with the format
filename.hostname (where the filename is the user-specified value
and the hostname is the fully qualified domain name of the Sidewinder
G2 being backed up or restored.
53

Chapter 3: General System Tasks
Configuration file backup and restore
54
4 To edit the list of files that will be included in the backup, click Edit Include
List. A file editor window is displayed, containing a list of the files and
directories that will be backed up. In this window, you can add or delete files
or directories to include in the backup.
Note: By default, previous backups are not included in a new backup. If you
want to include previous backup files in a current backup, you must add the
/var/backups/repository file path to the Include List.
5 To edit the list of files that will be excluded from the backup, click Edit
Exclude List. A file editor window is displayed, containing a list of the files
that will not be backed up. You can add or delete files from the exclude list
as desired. (Only individual files can be added or deleted from the Exclude
list. You cannot include directories in the Exclude list.)
6 The Local Backup Files area provides a list of current configuration
backups stored on the local Sidewinder G2 hard disk repository. To delete a
backup file from the list, highlight one or more backups that you want to
delete and click Delete.
7 To begin the backup process, click the Save.
Restoring configuration files using the Admin Console
To restore configuration files using the Admin Console, follow the steps below.
Note: You must restore configuration files from a backup file that was created at
the same version as the system to which you are restoring (for example, if your
system is currently running at version 6.1.2.00, you can only perform a restore
using a version 6.1.2.00 configuration backup file).
1 In the Configuration Action field, select Restore.
2 In the Backup To or Restore From field, select the type of restore you want
to perform:
• Floppy Diskette—Select this option to restore from a floppy diskette.
(Select this option only if your Sidewinder G2 has a floppy drive.)
• Local Sidewinder—Select this option to restore from the Sidewinder G2
hard drive.
• Remote Sidewinder—Select this option to restore from a different
Sidewinder G2.
Note: The Local Backup Files area provides a list of current configuration
backups stored on the Sidewinder G2 hard disk repository.

Activating the
Sidewinder G2
license
Chapter 3: General System Tasks
Activating the Sidewinder G2 license
3 [Conditional] If you selected Remote Sidewinder or Local Sidewinder in the
previous step, do the following:
a [Remote Sidewinder only] In the IP address field, type the IP address of
the remote Sidewinder G2.
b [Remote Sidewinder only] In the Port field, type the port that will be used
to connect to the remote Sidewinder G2. The port number specified in
this field must match the port number used for the remote Sidewinder
G2.
Note: The Port field does not support port lists. The remote Sidewinder G2
must be listening on the specified port for the transfer to occur.
c [Remote Sidewinder only] In the Shared Sync Key field, enter a
synchronization key that you created when you configured the
synchronization server on the remote Sidewinder G2 (where the backup
resides). You can view the synchronization key for the synchronization
server by going to Services Configuration > Servers > Synchronization
> Configuration tab.
d In the Filename field, type the filename that the current configuration is
stored as on the Sidewinder G2 in the /var/backups/repository directory.
This is needed in case there are multiple configurations on your
Sidewinder G2.
4 To begin the restore process, click the Save. (If you selected the diskette
method, you will be prompted to insert a diskette into the Sidewinder G2
diskette drive.) The system will automatically reboot when the restore
process is complete.
In most cases, you will license your Sidewinder G2 and any licensed features
during the initial configuration process. When you initially connect to a
Sidewinder G2 using the Admin Console, a window appears displaying a list of
features that are currently licensed for that Sidewinder G2.
If you need to relicense or license a feature after initial configuration, you can
use this section to activate a license using the Admin Console.
Note: When the Sidewinder G2 is rebooted or shutdown, a record of who issued
the action is logged in the /var/log/messages file. This applies to a reboot or
shutdown issued from the Admin Console or by using the shutdown command.
Important: See “Protected host licensing and the Host Enrollment List” on page 62
for information on how the Sidewinder G2 enforces the host license limits.
55

Chapter 3: General System Tasks
Activating the Sidewinder G2 license
56
Licensing from a Sidewinder G2 connected to the Internet
If you are working on a Sidewinder G2 that is connected to the Internet, you
can use the following general steps to provide the necessary information for
your company and obtain an activation key.
1 Locate the serial number for your Sidewinder G2. The serial number should
appear on your Activation Certificate.
2 In the Admin Console, enter your company and contact information in the
Firewall Administration > Firewall License > Contact and Company tabs.
The information you provide in each tab is submitted when you obtain your
activation key, and is used for technical support assistance. For details on
providing information in the Contact and Company tabs, see “Configuring
the Firewall License tabs” on page 58.
3 In the Admin Console, complete the information in the Firewall
Administration > Firewall License > Firewall tab. You will need the serial
number that you located in step 1.
4 Click Submit Data to receive your activation key. See “Entering information
on the Firewall tab” on page 60 for details on completing the information
and receiving your activation key.
5 Select Firewall Administration > System Shutdown and reboot the system
to the Operational kernel.
When your system reboots, your Sidewinder G2 software and any features
you licensed will be activated.
Licensing from a Sidewinder G2 on an isolated network
If you are on an isolated network and do not have access to the Secure
Computing activation server, you can request an activation key using the
following method.
1 Start an Admin Console management session.
2 On the Admin Console menu, select Firewall Administration -> Firewall
License.
3 Click the Firewall tab.
4 In the Serial Number field, verify that it shows the 16-digit serial number
located on the Activation Certificate or on your hardware platform.

Chapter 3: General System Tasks
Activating the Sidewinder G2 license
5 In the Firewall ID field, use the drop-down list to select a MAC address to
use as your firewall ID. There will be one MAC address listed for each NIC
in the firewall.
Tip: If your management console does not have Web access, move to a
workstation that has Web access. Bring a copy of the serial number and MAC
address with you to the Web-accessible workstation.
6 Use a Web browser to access the Sidewinder G2 activation Web page:
https://www.securecomputing.com/cgi-bin/sidewinder-activation.cgi
7 Complete the form on the Web site and click Submit. A confirmation screen
appears.
8 Verify that the information you entered is correct, then do one of the
following:
• If correct, click Submit. After a minute or so, a new Web page appears
displaying the activation key.
• If not correct, use the Back button to return to the form and correct the
information.
9 Using the on-screen instructions, save the activation key to a floppy
diskette.
Tip: You may choose to continue following the on-screen instructions for
importing the file via command line, or use the Admin Console instructions
given here.
10 Insert the diskette into the management system’s floppy diskette drive.
11 From your management console, select Firewall Administration -> Firewall
License.
12 Click the Firewall tab.
13 Click the Import Key button to import the key into the Sidewinder G2. Enter
information into the following fields:
• Source: Select Local File
• File: Enter the name of the file that contains the activation key. Click the
Browse button if needed.
14 Click OK to approve the specified file. The activation key is extracted from
the file and written to the Activation Key field.
15 From the Admin Console menu, select Firewall Administration -> System
Shutdown.
16 From the System Shutdown window, select Reboot to Operational Kernel
and specify your shutdown time.
17 Click Execute Shutdown. Once it finishes rebooting, your Sidewinder G2
Security Appliance and the features you licensed will activate.
18 To complete the licensing process, fill in the information fields in the Firewall
License windows. See “Entering information on the Contact tab” on page 58
and “Entering information on the Company tab” on page 59 for details.
57

Chapter 3: General System Tasks
Activating the Sidewinder G2 license
58
Figure 22: Firewall
License: Contact tab
Entering information
on the Contact tab
Configuring the Firewall License tabs
To configure license information, select Firewall Administration > Firewall
License in the Admin Console. The Firewall License window appears. The
window contains four tabs used to collect various licensing information.
The Contact tab is used to enter contact information for the administrator of this
particular Sidewinder G2. This information is needed so that you can receive
important customer bulletins and renewable support licenses. Follow the steps
below.
Note: The fields shown in parentheses are optional.
1 In the First Name field, type the first name of the Sidewinder G2
administrator.
2 In the Last Name field, type the last name of the Sidewinder G2
administrator.
3 In the E-mail field, type the e-mail address of the Sidewinder G2
administrator.
4 In the Primary Phone field, type the phone number of the Sidewinder G2
administrator, including the area code.
5 [Optional] In the Alternate Phone field, type an alternate phone number in
case the first number is unavailable.
6 [Optional] In the Fax field, type a fax number for your organization.
7 [Optional] In the Job Title field, type the job title of the person responsible
for administering this Sidewinder G2.

Figure 23: Firewall
License: Company tab
Entering information
on the Company tab
Chapter 3: General System Tasks
Activating the Sidewinder G2 license
8 [Optional] In the Purchased From field, type the name of the company that
sold you this Sidewinder G2.
9 [Optional] In the Comments field, type record miscellaneous information
about your site.
10 Click the Save icon.
11 Click the Company tab to enter information about your company. The
Company tab appears.
The Company tab is used to enter information about the company that has
purchased this particular Sidewinder G2. Follow the steps below.
1 In the Company Name field, type the full name of the company that
purchased this Sidewinder G2.
2 In the Industry Classification drop-down list, select the classification that
most closely matches your industry.
3 Fill in the requested address information fields on the Company Address
tab and on the Billing Address tab. If the information is the same on both
tabs, enter the information on the Company Address tab, then switch to the
Billing Address tab and click Copy From Company Address.
4 Click the Save icon.
5 Click the Firewall tab to provide the information necessary to license your
Sidewinder G2. The Firewall tab appears.
59

Chapter 3: General System Tasks
Activating the Sidewinder G2 license
60
Figure 24: Firewall
License: Firewall tab
Entering information
on the Firewall tab
This tab is used to enter information about the Sidewinder G2 you are
attempting to license. Follow the steps below.
Note: For information on the Current Features area, see “Displaying the status of
features on Sidewinder G2” on page 62.
1 In the Serial Number field, type the 16-digit alpha-numeric serial number for
this Sidewinder G2. The serial number is located on your Sidewinder G2
Activation Certificate.
2 In the Firewall ID drop-down list, select a MAC address to use as your
firewall ID. There will be one MAC address listed for each NIC in the
Sidewinder G2. Select the first MAC address in the list.
The Activation URL field displays the URL of the Web site to which the
Sidewinder G2 licensing information will be sent. If you are required to modify
the URL, click Edit to modify the activation URL. The Edit Activation URL
window appears. See “Entering information on the Edit Activation URL window”
on page 61.
3 Click Submit Data to submit the data to the Secure Computing Corporation
licensing Web site. The license information is sent using an encrypted
HTTPS session. If the data is complete, the request will be granted and a
new activation key will be written to the Activation Key field. This key is
used by the Sidewinder G2 to activate or deactivate the various software
features available on the Sidewinder G2.
After receiving a new activation key, a message will appear prompting you
to reboot the Sidewinder G2. The new activation key will not take effect until
you perform a reboot.
The current status of the various Sidewinder G2 features is displayed in the
Current Features area. If a feature you want to use is currently not licensed,
you must obtain a different activation key in order to enable that feature.

Figure 25: Firewall
License: Enrollment List
tab
Entering information
on the Enrollment
List tab
Chapter 3: General System Tasks
Activating the Sidewinder G2 license
4 [Optional] If you need to import an activation key that has been saved to a
file, click Import Key. You will typically use this button if your Sidewinder G2
or local network does not have access to the URL defined in the Activation
URL field. The activation key is retrieved by a different machine, saved to
an HTML file, then moved to a location that is accessible by either the
Sidewinder G2 or by the Windows machine you are using to run the Admin
Console.
5 Select the Enrollment List tab to enter information regarding the host
enrollment list. The Enrollment List tab appears.
The Licensed host limit field displays the number of hosts for which you are
licensed. The Number of hosts in enrollment list field displays the current
number of hosts that are contained in the enrollment list. The Host Enrollment
List displays the actual IP addresses of hosts that are in the enrollment list. To
delete a host, highlight the host you want to delete, and click Delete. To refresh
the window to reflect updated information, click Refresh.
See “Protected host licensing and the Host Enrollment List” on page 62 for an
in-depth discussion about the Host Enrollment List.
Entering information on the Edit Activation URL window
To edit the activation URL, follow the steps below.
Note: Do not edit the activation URL unless instructed to do so by Secure
Computing Technical Support.
In Edit Activation URL window you can restore the default web-based URL by
clicking Restore Default URL. You can also click in the URL field and manually
type a new URL address. Click OK to save your changes and return to the
Firewall tab.
61

Chapter 3: General System Tasks
Protected host licensing and the Host Enrollment List
Protected host
licensing and the
Host Enrollment
List
62
Entering information on the Import Key window
1 In the Source field, select either Local File or Firewall File.
• Local File—Select this option if the activation key resides on a diskette
or hard drive on either a local machine or on a network drive.
• Firewall File—Select this option if the activation key resides in a
directory located on the Sidewinder G2.
2 In the File field, type the name of the file that contains the activation key, or
click Browse to search the available drives for the file that contains the
activation key. When you locate the file, select the file, then click Open. The
file name appears in the File field.
3 Click OK to approve the specified file. The activation key is extracted from
the file and written to the Activation Key field.
Note: You must reboot the Sidewinder G2 in order for the new activation key to
take effect.
Displaying the status of features on Sidewinder G2
To display the status of the features installed on Sidewinder G2, in the Admin
Console select Firewall Administration > Firewall License and then select the
Firewall tab. The Current Features field at the bottom of the tab displays the
features currently available for Sidewinder G2 and the status of each feature
on your particular Sidewinder G2.
The Host Enrollment List is a dynamic list that is used to record each unique IP
address (host) that makes an outbound connection to the Internet. The
Sidewinder G2 uses this list to verify compliance with the IP address license
"cap"—the portion of your Sidewinder G2 license that dictates the number of
hosts the Sidewinder G2 will support.
Important: You may ignore this section if you have an unlimited license. All license
processing is bypassed if you have an unlimited license.
Tip: In general, a host is a client on an internal or external network that is being
protected by the Sidewinder G2. For accounting purposes, a host is any unique
host IP address that originates a connection through the Sidewinder G2. See “How
hosts are calculated” on page 63 for more details.
The Sidewinder G2 provides administrators the capability to display and modify
the enrollment list. This allows you to identify which IP addresses are currently
counted against your protected host license cap. It also enables you to delete
IP address entries that you do not want counted against your host cap. For
example, you might do this if a connection is initiated from a test system in your
lab and you do not want that system to count against the host license cap.

Chapter 3: General System Tasks
Protected host licensing and the Host Enrollment List
The Sidewinder G2 strictly enforces the maximum IP address (host) license
number, meaning only the number of IP addresses authorized by the protected
host license will be allowed to make connections through the Sidewinder G2. If
the number of IP addresses in the enrollment list exceeds 75% of the number
allowed by your protected host license, an audit will occur. informing you that
you are approaching the maximum number of hosts. The audit will also display
the current number of hosts and the maximum number of hosts that are
allowed for your license.
If the enrollment list becomes full, additional audits will occur each time a new
IP address attempts to make a connection to the Internet. However, only the IP
addresses contained in the enrollment list will be allowed. IP addresses not
already listed in the enrollment list will be unable to make a connection to the
Internet. A user attempting to make a connection using a browser will receive a
standard policy denial message. If a user is attempting to make a connection
using a non-browser application (for example, FTP) the connection will simply
be blocked and they will not receive an error message.
You can configure the licexceed system event to email the administrator when
the enrollment list reaches the maximum number allowed, and IP addresses
are denied access due to a protected host license violation. See Chapter 20 for
details on configuring system responses.
If you reach the host enrollment maximum and you want to allow access to
additional hosts, you will need to modify the host enrollment list to remove
hosts entries that no longer need to be listed, upgrade your license, or upgrade
to a larger Sidewinder G2 appliance. See “Displaying and modifying the Host
Enrollment List” on page 64 for information on managing the host enrollment
list.
How hosts are calculated
In general, a host is defined as a workstation that is protected by the
Sidewinder G2 and uses the Sidewinder G2 to connect to the Internet. Any
host that contains a unique IP address and that initiates a connection from a
non-Internet burb is counted as a new host.
The manner in which remote hosts access the Sidewinder G2 may affect the
host count. For example:
• Remote hosts that use dynamic addressing rather than static addressing
may have multiple IP addresses added to the Host Enrollment List.
• Hosts accessing the Sidewinder G2 via a VPN will be added to the Host
Enrollment List if the VPN uses proxies to move the traffic from a non-
Internet burb to another burb. Figure 26 illustrates this idea.
63

Chapter 3: General System Tasks
Protected host licensing and the Host Enrollment List
64
Figure 26: Determining
which VPN clients count
against the host license
cap
Client A
Client B
= VPN tunnel
= Data
Internet
VPN
VPN
Sidewinder G2
internal
network
Client A = Not counted against the host license cap.
Client B = Counted against the host license cap.
The Sidewinder G2 counts total hosts, not concurrent hosts. It is important to
understand the distinction. Assume you have a 25 host license. If you have 30
hosts, but only 20 are in use or online at any one time, you will still exceed the
license cap because the Sidewinder G2 will eventually detect a 26th host,
putting you over the limit.
Displaying and modifying the Host Enrollment List
To display and modify the contents of the Host Enrollment List using the Admin
Console, select Firewall Administration > Firewall License and click the
Enrollment List tab. In this window, you can do the following:
• View the number of hosts authorized by your current Sidewinder G2 license
in the Licensed host limit field. This is your host license “cap.”
• View the current number of hosts listed in the Number of hosts in
enrollment list field. This number is important because if it exceeds the
number of hosts authorized by the Sidewinder G2 license, you will be
considered to be in violation of your license cap. If you have an unrestricted
host license, the term Unlimited will appear in this field.
The Host Enrollment List is cleared automatically if you upgrade your protected
host license.
• Delete hosts from the Host Enrollment List by highlighting the host and
clicking Delete. To select multiple hosts to delete, hold the Shift key while
selecting the hosts.
Note: You can update the contents of the Host Enrollment List field by clicking
Refresh.
e
x
t
i
n
t
proxie
virtual

Enabling and
disabling servers
Figure 27: Servers
window
About the Servers
window
Chapter 3: General System Tasks
Enabling and disabling servers
Consider the following information when deleting entries from the enrollment
list:
– If the host you delete has a current connection through the Sidewinder
G2, that connection will be preserved.
– If the host severs the connection and attempts a new connection, the
new connection request may or may not be approved.
– A new connection request will be permitted only if there is still room
available within the enrollment list.
The Admin Console allows you to view the status of each server and to enable
or disable each server from one central location. You can also configure some
of the servers in this window. To view the status of a server or to enable/disable
a server, select Services Configuration > Servers.
The Server window displays a list of the available servers in the left portion of
the window. A green circle appears in front of a server if the server is currently
enabled. A red circle with a slash indicates that the server is disabled. When
you select a server, the properties for that server appear in the right portion of
the window.
You can enable or disable some servers for the entire Sidewinder G2, while
other servers can be enabled or disabled for individual burbs on the
Sidewinder G2. The fields and buttons that appear in the right portion of the
window will change depending on the type of server that is selected. If the
selected server can be enabled for individual burbs, the Enabled For field will
also appear. To enable or disable a server, select the Control check box for
that server for each burb. (A check mark appears for each burb in which the
server is enabled.)
65

Chapter 3: General System Tasks
Enabling and disabling servers
66
Table 8: Sidewinder G2 servers
Server Name Notes
The following table provides some helpful information on specific servers.
auditdbd The audit database daemon server. By default, this server is not enabled. See Chapter
19.
changepw The Change Password server. See Chapter 10.
cmd Certificate Management Daemon server. The CMD server must be enabled before
configuring the certificate server. See Chapter 14.
entrelayd The entrelayd server is used for managing standalone Sidewinder G2s, as well as
multiple Sidewinder G2s in an HA cluster or One-To-Many cluster. See Chapter 16 and
Chapter 17.
fixclock The basic clock synchronization server that is used to ensure that the Sidewinder G2
clock remains up-to-date. This server cannot be enabled if you have configured and
enabled NTP on your Sidewinder G2.
gated-unbound The server used in conjunction with OSPF (Dynamic) routing. See Appendix C.
isakmp The ISAKMP server is used by the Sidewinder G2 to generate and exchange keys for
VPN sessions. See Chapter 14.
kmvfilter The kmvfilter (keyword, MIME, and virus/spyware filter) server enables the Sidewinder G2
to perform keyword, MIME, and anti-virus/spyware mail filtering. For information on
configuring mail filtering, see “Creating Mail (Sendmail) Application Defenses” on page
172.
monitord The server used to report the system’s health status in real time and to record statistics
about system and network utilization. Data gathered by monitord is displayed in the
Sidewinder G2 dashboard. See Chapter 18.
named-internet A DNS server. Available only if two DNS servers (Split DNS mode) are defined. This
server services the Internet burb. See Chapter 11.
named-unbound A DNS server. If one DNS server is defined, this server services all the burbs on
Sidewinder G2. If two DNS servers (Split DNS mode) are defined, this server services all
burbs except the Internet burb. See Chapter 11.
ntp The Network Time Protocol (NTP) server. See Appendix B.
routed The server used in conjunction with RIP routing. See Appendix D.
sendmail The SMTP server. See Chapter 12.
shund The shund server accepts shunning requests from Intrusion Detection Servers (IDS), and
verifies the signature on the data that the IDS has generated.
More...

Server Name Notes
Chapter 3: General System Tasks
Enabling and disabling servers
sidfilter The sender id filter used by sendmail verifies that the host sending or forwarding mail to
Sidewinder G2 is authorized for the domain given in the mail message. For example, if
mail from a@example.com is sent from 10.10.1.3, sidfilter verifies that 10.10.1.3 is
authorized to send mail for example.com.
snmpd Simple Network Management Protocol daemon. The SNMP server can only be enabled
for one burb, and it cannot be enabled for the Internet burb. See Chapter 15.
spamfilter This server allows you to enable anti-spam and anti-fraud mail filtering for the burbs that
you specify, as well as configure whitelists for internal and external burbs. For information
on configuring anti-spam/anti-fraud mail filter rules, see “Creating Mail (Sendmail)
Application Defenses” on page 172. For information on configuring advanced spamfilter
properties and whitelist configuration, see “Configuring advanced anti-spam and antifraud
options” on page 356.
To receive automatic updates for the spamfilter server, enable the spamfilter cron job.
See “Spamfilter cron job” on page 599 for more information.
sshd The Secure Shell daemon server. The SSHd server provides secure encrypted
communication between two hosts. See Chapter 2.
sso The Single Sign-On (SSO) server allows you to configure SSO. SSO allows users access
to multiple services with a single successful authentication to the Sidewinder G2. See
“Configuring SSO” on page 300.
Note: If you disable the SSO server, the SSO authenticated user cache will be emptied
(that is, all cached users will be removed). When the SSO server is enabled again, all
users will need to authenticate before being added back into the cache.
synchronization The synchronization server is used to synchronize configuration information among
Sidewinder G2s that are participating in a One-To-Many cluster or an HA cluster. It also
allows you to perform a configuration backup or restore to/from a remote Sidewinder G2.
See “Configuring the synchronization server” on page 68.
telnet If you disable the Telnet server, all future connections will be denied. Any users who are
currently logged in to the server will not be affected. See Chapter 2.
upsd The Uninterruptible Power Supply daemon server. See “Configuring the Sidewinder G2 to
use a UPS” on page 93 for more information.
WebProxy The Web Proxy server. See Chapter 13.
67

Chapter 3: General System Tasks
Configuring the synchronization server
Configuring the
synchronization
server
68
Figure 28: Synchronization
server:
Configuration tab
About the
synchronization
server Configuration
tab
The synchronization server is used to synchronize configuration information
among Sidewinder G2s that are participating in a One-To-Many cluster or an
HA cluster. It also allows you to perform a configuration backup or restore to/
from a remote Sidewinder G2.
To configure the synchronization server, log into the Admin Console, select
Services Configuration > Servers and then select synchronization from the
Server Name list. The synchronization server Control tab appears. To enable
or disable a server, select the Control check box for that server for each burb.
(A check mark appears for each burb in which the server is enabled.) To
configure the synchronization server, select the Configuration tab. The
following window appears.
This tab allows you to configure the shared synchronization key and port
number, and allows you to select the SSL certificate for the synchronization
server. Follow the steps below.
Note: The synchronization server is automatically configured for you when you
create a High Availability or One-To-Many cluster.
1 In the Shared Sync Key field, type the shared key. The shared key is any 10
character, alphanumeric string (for example, 12345abcde). You will need to
enter this key again if you configure HA or One-To-Many, or if you perform a
configuration backup or restore from a remote Sidewinder G2.
2 In the Port field, specify the port on which the synchronization server will
listen. The default is 9005 and should not be changed.
3 In the SSL Certificate drop-down list, select the certificate to use for the
synchronization server. The certificate will be one of the following:
• the default certificate
• a self-signed, RSA/DSA certificate that is defined on the Firewall
Certificates tab of the Certificate Management window.
Important: Before assigning a new certificate, you must first create a new
certificate.
4 [Conditional] To go to the Firewall Certificates window, click Certificates.
The Firewall Certificates window is used to define new certificates. After
creating a new certificate you can return to the Configuration tab and assign
the new certificate to the synchronization server.

Configuring
virus scanning
services
Chapter 3: General System Tasks
Configuring virus scanning services
For detailed information on certificates, refer to “Configuring and displaying
firewall certificates” on page 424.
5 Select Policy Configuration > Rules and enable the Synchronization rule.
6 Click the Save icon to save your changes.
The scanner service is a licensed add-on module that uses virus scanning
services that allow you to configure and enable system-level MIME, virus, and
spyware scanning on the Sidewinder G2 for HTTP and mail. When you enable
scanning services, you can specify the number of server processes that will be
dedicated to various data sizes, allowing the Sidewinder G2 to process data
more efficiently. You can also configure how often the subscription list will be
updated.
To use scanning services on Sidewinder G2, you must also ensure the
following conditions have been met:
• The Anti-Virus feature must be licensed. To verify that the feature has been
licensed, see “Displaying the status of features on Sidewinder G2” on page
62. If you are not licensed for Anti-Virus, contact your sales representative.
• The kmvfilter server must be enabled for the appropriate burbs if you are
scanning mail messages. (This server is not required to be enabled for
HTTP scanning services.) For information on enabling the kmvfilter server,
see “Enabling and disabling servers” on page 65.
• The appropriate Application Defenses must be configured and contained in
proxy rules that are included in the active proxy rule list.
Note: For information on configuring scanning for Web services, see “Creating
Web or Secure Web Application Defenses” on page 156. For information on
configuring scanning for mail services, see “Creating Mail (Sendmail) Application
Defenses” on page 172.
To configure and enable scanning services, in the Admin Console select
Services Configuration > Scanner. The Scanner window appears with the
Control tab displayed.
About the Scanner Control tab
This tab allows you to enable or disable the scanning services. This feature
must be enabled if you are planning to configure MIME, virus, and spyware
filtering for Web, mail, and/or FTP services. To enable scanning services, click
Enable. To disable scanning services, click Disable. To configure the scanner
feature, click the Advanced tab and see “About the Scanner Advanced tab” on
page 70.
Important: The MIME/virus/spyware scanning service is a licensed feature. While
scanning services can be enabled and configured, they will not function unless the
feature has been licensed. For information on licensing a feature, see “Activating
the Sidewinder G2 license” on page 55.
69

Chapter 3: General System Tasks
Configuring virus scanning services
70
Figure 29: Scanner:
Advanced tab
About the Scanner Advanced tab
This tab allows you to configure how the scanner processes on your
Sidewinder G2 will be distributed for incoming and outgoing traffic. This is done
by configuring the scanner groups that are defined in the distribution table.
There are four groups (or types) of traffic, each with a specific size category.
For each size category, you can specify how many scanner processes will be
dedicated to processing traffic for that size range. (You cannot modify the size
values or configure additional size categories.)
The File Size Range column displays the size limits for each group. The
Scanners column displays the number of scanner processes that will be
dedicated to that size range. The number of scanner processes that you
specify for each group will depend on the type of traffic your Sidewinder G2
processes.
For example, if your Sidewinder G2 processes a large amount of traffic that is
under 40kB, you may dedicate a larger number of scanner processes to that
group. If your Sidewinder G2 processes only a small amount of traffic that
exceeds 40kB, you may dedicate only one scanner process to that group.
There is also a default Unlimited group that processes all traffic that is over
1MB.

Chapter 3: General System Tasks
Configuring virus scanning services
This tab also allows you to view the current virus scanner engine version. To
configure the Scanner Advanced tab, follow the steps below.
1 To configure the number of scanner processes for a particular group,
highlight the group in the table and click Modify. The Edit Scanners window
appears. See “About the Edit Scanners window” on page 71 for information
on configuring the number of scanner processes for a group.
2 In the Scan Buffer Size field, specify the size of information (in kB) that can
be held in the memory buffer before a backup file is created to temporarily
hold the traffic for processing. This value must be between 8kB and 64kB.
The default value is 50kB.
3 In the Archive Scan Buffer Size field, specify the amount of memory that
will be used to contain the contents of archive files before the anti-virus
engine will temporarily write the contents to disk to perform the virus scan.
The default is 128 MB.
4 In the Maximum Number of Files to Scan in an Archive field, specify the
maximum number of files that will be scanned within an archive (such as a
.zip file, etc.). If the number of files in an archive exceeds the number
specified in this field, scanning will not take place.
5 To view the virus scanner engine version number that is currently installed,
click Show Installed Engine Version Number Now. A pop-up window
appears displaying the current version. To close the pop-up window, click
OK.
6 To continue configuring the scanner feature, click the Signatures tab and
see “About the Scanner Signature tab” on page 71.
About the Edit Scanners window
The Edit Scanners window allows you to specify the number of scanner
processes that will be available for processing traffic that falls within the size
limits of the selected group. You must dedicate at least one scanner process to
each group.
1 In the Scanners field, specify the number of scanner processes you want to
dedicate for the selected group. The number of scanner processes should
not exceed a combined total of 20 processes for all groups that are
configured. (Configuring more than 20 total processes may have a negative
impact on performance.)
2 Click OK to update the group and return to the Scanner Advanced tab.
About the Scanner Signature tab
This tab allows you to configure the properties for anti-virus updates. The
Sidewinder G2 will automatically download and install updates at intervals that
you determine. You can also manually download and install updates at any
time. Follow the steps below.
71

Chapter 3: General System Tasks
Configuring virus scanning services
72
Figure 30: Scanner:
Signature tab
Important: Secure Computing recommends downloading the latest signature files
prior to enabling Anti-Virus services on the Sidewinder G2.
1 In the Source area, verify/modify the following fields:
Caution: Changing these defaults may prevent Sidewinder G2 from obtaining
updated signatures file, resulting in inadequate virus and spyware protection.
• Download Site—This is the name of the site from which the package will
be downloaded.
Note: If the download fails, verify that the name resolves to an IP address
and is reachable from the Sidewinder G2 host.
• Directory—The path name on the download site that contains the
update. The default directory is cgi-bin/svupdate.
2 [Conditional] To configure automatic virus updates, follow the sub-steps
below. To manually update the virus definitions immediately, go to step 3.
(The download process validates the new signature files against the
currently installed engine.)
Important: For best results, also turn on Enable Periodic Automated Imports
(Firewall Administration > Software Management > Import tab). Failure to
regularly update your anti-virus engine and signature files will result in
inadequate virus and spyware protection.

Chapter 3: General System Tasks
Configuring virus scanning services
a Select Enable Automated Scanner Engine Updates to automatically
check for new loaded (but not installed) anti-virus engine updates (for
example, patch 611SOV02) when installing new virus signature files. If
an uninstalled engine update exists in the Software Management area
of the Admin Console, the Sidewinder G2 will install it the next time it
installs the new signature files. This installation does not interrupt
system processes.
b In the Frequency field, specify how frequently you want to download
and install updated information:
• To download and install every hour, select Hourly. (Recommended)
• To download and install every day, select Daily.
• To download and install once a week, select Weekly.
c [Conditional] If you selected Weekly in the previous step, in the Day
field, specify the day of the week that you want to download and install
updates. You can use the up and down arrows to select the day, or you
can type the first few letters of the day to display the appropriate day.
d In the Time field, specify the time of day you want the Sidewinder G2 to
download and install the updates. Select the portion of the time you
want to change (hours, minutes, seconds) and then use the up and
down arrows to navigate to the desired value.
Note: Downloading and installing updates has a minimal impact on your
system. Traffic that is received while the download and installation are in
process will be scanned using the current version. Once installation is
complete, all traffic will be scanned using the updated scanner information.
e If you want to receive e-mail notification when the updates are
downloaded and installed, select the Enable Email Notification check
box. If you select this option, you will also need to specify an e-mail
address in the Recipient field.
f Proceed to step 5.
3 [Conditional] To update the virus definition manually, follow the sub-steps
below.
a Click Download and Install Signatures Now. A pop-up window appears.
b Click Background to perform the update in the background, or click Wait
to receive a notification and status pop-up when the update is complete.
Proceed to step 5.
4 To view the current version of the signature file you are using, click Show
Installed Signatures File Version Number Now. An Info window appears
displaying the current installed version. When you are finished viewing the
version, click OK.
5 Click the Save icon to save your changes.
73

Chapter 3: General System Tasks
Configuring the shund server
Configuring the
shund server
74
Figure 31: Shun server:
IDS Configuration tab
Configuring the IDS
Configuration tab
The shund server accepts shunning requests from Intrusion Detection Servers
(IDS), and verifies the signature on the data that the IDS has generated. If the
signature is valid, a blackhole command is executed to shun the IP address as
requested.
To configure the shund server, follow the instructions below.
In the Admin Console, select Services Configuration > Servers and select
shund from the server list. The shund server Control tab appears.
Configuring the Control tab
A check mark will appear in front of each burb for which the shund server is
enabled. To enable the shund server for one or more burbs, select the
appropriate check box(es) in the Enabled For area. To disable the shund
server in one of more burbs, deselect the appropriate check box(es). Click the
Save icon to save your changes.
To configure the IDS properties, select the IDS Configuration tab. The following
window appears.
The IDS Configuration tab allows you to configure the IDS servers from which
the shund server will accept requests. The IDS Server Port field identifies the
IDS Server Port. The default port is 8111. To modify the port, type the new port
number in the IDS Server Port field, and click the Save icon. To revert to the
default port (8111), click Restore Default.
To view currently shunned IP addresses, click Current Shunned IP addresses,
and see “About the Shunned IPs window” on page 75.
To delete an existing IDS server, highlight the server and click Delete. You will
be prompted to confirm the deletion. Click Yes to delete the IDS server, or No
to Cancel.

Figure 32: IDS Server
window
About the IDS
Configuration: IDS
Server window
About the Shunned
IPs window
Figure 33: IDS
Configuration: Shunned
IPs window
Chapter 3: General System Tasks
Configuring the shund server
To add a new IDS server, click New. To modify an existing IDS server, highlight
the server and click Modify. To create a duplicate an IDS server, click
Duplicate. The IDS Configuration: IDS Server window appears.
The IDS Server window allows you a create or modify an IDS server.
Follow the steps below to create or modify an IDS server.
1 In the IDS Server IP address field, enter the IP address for the IDS server.
2 In the Shared secret field, enter a text string that the IDS server uses to
generate a signature for shun packets.
3 In the Default time to shun an IP address field, specify the amount of time
for which the IP addresses will be shunned, as follows:
a In the drop-down list, specify the time format to use by selecting either
Seconds, Minutes, Hours, or Days.
b In the text field, enter the number of seconds, minutes, hours, or days.
4 Click OK to save your changes and return to the Configuration tab. (To
cancel your changes, click Cancel.)
The Shunned IPs window allows you to view and modify the currently shunned
IP addresses.
75

Chapter 3: General System Tasks
Loading and installing patches
Loading and
installing
patches
76
Each entry in the table displays the IP address, burb, and the date and time at
which the IP address will no longer be shunned. You can perform the following
actions in this window:
• Delete one or more IP addresses—To remove one or more IP addresses
from the list, highlight the IP address(es) you want to delete and click
Delete IP(s). (To select multiple addresses, press and hold the Ctrl key as
you select the addresses.)
• Delete all IP addresses—To remove all of the IP addresses that are listed in
the table, click Delete All IPs.
• Update the window—To retrieve an updated list of shunned IP addresses,
click Refresh. The date and time when displayed data was captured is
listed in the upper portion of the window.
The Sidewinder G2 provides the ability to patch your software by installing
software patches or “packages” on your system. Types of packages available
for install include:
• Upgrades — Use when upgrading Sidewinder G2 to a new base version.
• Patches — Contain software fixes and/or new features.
• Hotfixes — Contain an issue-specific fix and should only be installed if it
addresses a current problem. Unlike other patches, hotfixes can be
uninstalled.
• Optional feature patches — Contain fixes, updates, or new features specific
to anti-spam/fraud or anti-virus/spyware add-on modules. Only install these
patches if you have the associated feature licensed.
The software packages are available via Secure Computing’s FTP site. You
can view, load, and install software packages using the Admin Console.
Tip: If your site requires physical patch media, you can burn a patch to a CD using
the CD burning software of your choice. Refer to the CD burning software’s
instructions for information on burning the patch file to CD. (You can also contact
Customer Service for general instructions.)

Figure 34: Software
Management: Summary
tab
About the Summary
tab
Viewing currently installed patches
Chapter 3: General System Tasks
Loading and installing patches
To view the patches currently installed on your system, start the Admin
Console and select Firewall Administration > Software Management, and
select the Summary tab. A window similar to the following appears.
The Summary tab displays information about the patches currently installed on
the Sidewinder G2. This window also enables you to do the following:
• Details—To display a detailed description of a particular patch, highlight the
patch in the list and click Details.
• Verify—To verify the signature on a particular patch, highlight the patch in
the list and click Verify.
• Export—To export a particular patch to a diskette, highlight the patch in the
list and click Export.
• View Log—Click this button to display the Package Installation log. The log
contains a list of all patches that have been installed.
77

Chapter 3: General System Tasks
Loading and installing patches
78
Figure 35: Software
Management: Import tab
Entering information
on the Import tab
Loading a patch
You will generally load patches onto the Sidewinder G2 via the network (via the
FTP site). All patches are encrypted and digitally signed. You must have a
current support license in order to decrypt and load a patch. Patches that are
loaded onto the Sidewinder G2 are stored in the /var/spool/packages directory.
Note: Loading a patch on the Sidewinder G2 is not the same as installing it.
Loading a patch only makes that patch available for installation on the Sidewinder
G2. To install a patch on the Sidewinder G2, see “Installing a patch” on page 80.
To load a software package, select Firewall Administration > Software
Management, and select the Import tab. A window similar to the following
appears.
The Import tab is used to load a patch on the Sidewinder G2. You can load
patches via the network (using Secure Computing’s FTP site), or using
physical media that you create. Follow the instructions below.
To import a patch from the network (via Secure Computing’s FTP site):
1 In the Import from Network area verify the information contained in each
field. If you need to modify any of the fields, click Edit. The Edit FTP
Settings window appears, allowing you to modify the following information:
• FTP Site—The name of the FTP site from which the package will be
downloaded. The default name is ftp.activations.securecomputing.com.
To edit this information, click Edit.
• Username—The name to use when logging onto the FTP site. The
default user name is anonymous.

Chapter 3: General System Tasks
Loading and installing patches
• Password—The password must be used when logging onto the FTP
site. If no password is set, the Sidewinder G2 serial number will be sent
as the password.
• Directory—The path name on the FTP site that contains the desired
patch(es).
To restore the system default values to all of these fields, click Restore
Defaults in the Edit FTP Settings window.
Note: This information is stored in the /etc/sidewinder/package.conf file.
2 Click Import Now to load the patch(es).
3 To enable the Sidewinder G2 to automatically download the latest patches
from the defined FTP site on a periodic basis, select Enable Periodic
Automated Imports. The automated download process will compare the
files on Secure Computing’s FTP site to the files currently on the
Sidewinder G2. Only those patches not already present on your system will
be loaded.
In the Frequency field, specify how often the Sidewinder G2 will automatically
access the FTP site and download the latest patches. The options are:
• daily—Checks for new patches to download every day.
• weekly—Checks for new patches to download every seven days.
• monthly—Checks for new patches to download every 30 days.
• bimonthly—Checks for new patches to download every 60 days.
Note: A cron job defines the exact day and time the download will occur. By
default the download will occur very early in the morning.
4 To have a report e-mailed to the Sidewinder G2 administrator each time the
Sidewinder G2 attempts an automatic import from the FTP site, select
Generate E-mail Report. A report is generated regardless of whether a
patch is actually downloaded. The report is e-mailed to the root e-mail alias
on the Sidewinder G2.
5 Click the Save icon to save any information you entered, or click Cancel to
reset changes to their original values.
To import a patch from CD-ROM or diskette:
Typically, patches are downloaded via the network (using FTP). If your site
requires patch installation using physical media, you can burn a patch to a CD
using the CD burning software of your choice (such as Roxio Easy CD
Creator). Refer to the CD burning software’s instructions for information on
burning the patch file to CD. (You can also contact Customer Service for
general instructions.)
1 In the Import from CDROM/Diskette area select the location of the patch
you want to load. The options are:
79

Chapter 3: General System Tasks
Loading and installing patches
80
Figure 36: Software
Management: Install tab
Entering information
on the Install tab
• CDROM—Select this option if the patch resides on CD.
• Diskette—Select this option if the patch resides on diskette.
2 Insert the CD-ROM or diskette into the appropriate drive on the Sidewinder
G2 and click Import Now.
Note: If the patch resides on multiple diskettes, insert the first diskette, click
Import Now, and follow the on-screen prompts.
The patch(es) are loaded onto the Sidewinder G2.
Installing a patch
Patches that you load or download are not automatically installed. Rather, you
can install them at a time that is convenient for you. This is important because
the Sidewinder G2 must be rebooted during the installation process. The
Admin Console allows you to define exactly when you want patch installation to
occur.
To install a patch, select Firewall Administration > Software Management, then
select the Install tab. A window similar to the following appears:
Important: It is recommended that you perform a system backup before installing
any patches. See “Backing up system files” on page 638 for details.
The Install tab is used to install a patch that is already loaded on the
Sidewinder G2. To install a patch, follow the steps below.
Important: If you have an existing HA or One-To-Many cluster, refer to the
appropriate patch Release Notes for information on installing a patch on an HA or
One-To-Many cluster. Release notes for each patch are available at
www.securecomputing.com/goto/updates.

Chapter 3: General System Tasks
Loading and installing patches
1 Select the patch(es) you want to install from the Package table. This table
lists all the patches currently installed or available for installation on the
Sidewinder G2. To select multiple patches, press the Ctrl key as you select
the patch names.
2 Select the Enable Automated Package Install check box to activate the
installation options. (A check mark appears when the field is enabled.) You
cannot select an installation option unless this check box is selected.
To cancel a scheduled automated patch installation, disable this field and
click the Save icon.
3 Select an installation option for the patch(es) you selected. The following
options are available:
• Install Immediately—Select this option if you want to install the selected
patch(es) as soon as you click the Save icon.
Note: The Admin Console will be disconnected when the Sidewinder G2
begins its reboot process. Wait a few minutes for the reboot process to
complete, then try reconnecting.
• Install Later—Select this option to specify a date and time in the future
that you want to automatically install the selected patch(es).
4 [Conditional] If you selected Install Later in the previous step, fill in the
following information:
• Date—Specify the date the automatic patch installation will be
performed. A typical practice is to define a date when you expect very
little network traffic (for example, a holiday).
• Time—Specify the time of day that the patch installation will be
performed. A typical practice is to define a time when you expect very
little network traffic (for example, 2:00 a.m.).
5 [Optional] If you want a report e-mailed to the Sidewinder G2 administrator
each time a patch is automatically installed, select the Generate E-mail
Report check box. If this check box is selected, the report is e-mailed to the
root e-mail alias on the Sidewinder G2.
6 Click the Save icon to save the changes and to implement the install.
Note: In the unlikely event that the patch installation fails, refer to “If a patch
installation fails” for troubleshooting information.
7 Once the Sidewinder G2 has finished installing the patch and has been
rebooted, launch the Admin Console. You will be prompted to load and
install the Admin Console update for the patch. To upgrade the Admin
Console, follow the prompts that appear. The Admin Console program will
exit automatically during its update process.
81

Chapter 3: General System Tasks
Modifying the burb configuration
Modifying the
burb
configuration
82
Figure 37: Burb
Configuration window
Entering information
on the Burb
Configuration
window
.
A burb is a type enforced network area used to isolate network interfaces from
each other. The burbs in your Sidewinder G2 are initially defined during the
installation process. Using the Admin Console you can create new, modify, and
delete burbs.
To modify your burb configuration, start the Admin Console and select Firewall
Administration > Burb Configuration. The following window appears.
This window allows you to add, modify, or delete burbs within your current
configuration. Follow the steps below.
Note: You can configure a maximum of 64 burbs on a Sidewinder G2.
1 Do one of the following:
• To create a new burb, click New. In the Create New Burb window, enter
a name for the new burb. Click OK to return to the Burb Configuration
window and configure the burb.
Caution: Do not use “Firewall” or “firewall” as a burb name, as this name is
already used elsewhere in the Sidewinder G2.
• To modify a burb, highlight the burb in the Burbs list. The settings for
that burb will appear in the right portion of the window.
• To delete a burb, highlight the burb in the Burbs list and click Delete.
You cannot delete a burb that is currently referenced elsewhere on the
system (for example, a rule or interface configuration). To determine
whether a burb is currently being referenced, highlight the burb and click
Usage.
• To view all areas where a burb is currently being used, highlight the burb
in the Burbs list and click Usage. The Burb Usage window appears
listing every area in which the burb is currently used. When you are
finished viewing the information, click Close to return to the Burb
Configuration window.

Modifying the
interface
configuration
Chapter 3: General System Tasks
Modifying the interface configuration
2 The following settings may be enabled or disabled for each burb:
• Hide port unreachables—If this parameter is enabled, the Sidewinder
G2 will give no response if a node on the network attempts to connect to
a port on which the Sidewinder G2 is not listening. This increases
security by not divulging configuration information to potential hackers.
• Intra-burb packet forwarding—If enabled, traffic will be forwarded
between network interfaces located within this burb. Disabling this
parameter in a burb with two or more network interfaces has the effect
of separating the interfaces. This parameter should be disabled in burbs
with only one network interface.
Note: There is an interaction between the Intra-burb packet forwarding
parameter and NAT. NAT changes the source address of outbound packets
to the IP address of the Sidewinder G2 in the external (outgoing) burb. If
multiple interfaces exist in the same burb, that Sidewinder G2 has to select
an appropriate address based upon how it routes packets. By enabling this
option, the Sidewinder G2 must choose one of the interfaces for the source
address. In this case the Sidewinder G2 will always choose the address of
the first interface in the burb. Problems could occur if the destination is not
defined to use the same route back to the Sidewinder G2.
• Honor ICMP redirects—ICMP messages are used to optimize the
routes for getting IP traffic to the proper destination. On a trusted
network, honoring ICMP redirects can improve the throughput of the
system. On an untrusted network, ICMP redirects can be used by
hackers to examine, reroute, or steal network traffic. Enabling this
parameter allows the Sidewinder G2 to honor ICMP redirects.
• Respond to ICMP echo and timestamp—ICMP echo and timestamp
messages (also known as ping messages) are used to test addresses
on a network. The messages are a handy diagnostic tool, but can also
be used by hackers to probe for weaknesses. Enabling this parameter
allows the Sidewinder G2 to respond to these messages.
3 In the Internet burb drop-down list, specify which of the burbs defined on
the Sidewinder G2 is the Internet burb. The Internet burb is unique because
it is the only burb that communicates directly with the outside world.
4 Click the Save icon to save your changes.
The installation process defines Sidewinder G2’s internal and external network
interfaces. You can configure up to 64 interfaces, using a combination of
physical and VLAN interfaces. Using the Admin Console you can configure the
media type, the IP address, the subnet mask associated with an interface, and
the burb assigned to an interface. You can also enable hardware acceleration,
VLANs, DHCP, support for jumbo frames, and TCP checksum offloading.
To modify your interface configuration, start the Admin Console and select
Firewall Administration > Interface Configuration. The following window
appears.
83

Chapter 3: General System Tasks
Modifying the interface configuration
84
Figure 38: Interface
Configuration window
About the Interface
Configuration main
window
.
The Interface Configuration main window contains an Interfaces tab (in the
upper portion of the window) that displays the configuration settings for each
interface on the Sidewinder G2 in a table format. The Configuration tab (in the
lower portion of the window) displays the configuration information for the
interface that is selected in the Interfaces table.
For a description of each interface field, see “Modifying the Configuration tab”
on page 85. You can perform the following actions in the Interface
Configuration window:
Note: The Hardware Acceleration tab will only appear if you are using a supported
hardware accelerator. For information on the Hardware Accelerator tab, see “About
the Hardware Acceleration tab” on page 89.
• To view the status of all interfaces, click Interface Status. For more
information, see “About the Interface Status window” on page 85
• To delete an interface, highlight the interface and click Delete. You can only
delete interfaces that are disabled. Physical interfaces must have the NIC
removed as well.

About the Interface
Status window
Modifying the
Configuration tab
Chapter 3: General System Tasks
Modifying the interface configuration
• To modify an interface, highlight that interface in the table. The
configuration information appears in the Configuration tab in the lower
portion of the window. (You can also highlight the appropriate table row and
click Modify to access the configuration information in a separate window.)
• To switch the interface configuration settings between two interfaces,
highlight the two interfaces for which you want to swap properties (you will
need to press and hold the Ctrl key to select multiple interfaces), and then
click Swap Parameters. You will receive a warning message indicating that
the system may not function properly until it is rebooted. To swap the
parameters, click Yes and be sure to reboot your system. To cancel, click
No.
If you swap interfaces, the MTU settings will not be swapped. Therefore, if
you swap an interface with modified MTU settings, you will need to reconfigure
those settings after swapping the interfaces.
Caution: Swapping interface parameters after you have initially configured your
Sidewinder G2 could have unexpected results. This process should only be used
immediately after installation, or when an interface has been added or replaced.
This window provides traffic information for each of the physical and VLAN
network interfaces on this Sidewinder G2.
• Interface — Displays the name of the interface.
• IP Address — Displays IP address assigned to that interface.
• Status — Displays if the interface’s status is up (ready for an active network
connection) or down (will not accept an active network connection).
• Connected — Displays Connected if Sidewinder G2 detects an active
network connection and Disconnected if it does not.
You can also view this information at a command line interface by typing
netstat -is.
When you are finished viewing the status, click Close.
The Configuration tab displays the interface name and MAC address that you
are modifying. The following interface settings can be modified:
• Enabled—To enable an interface, select On. To disable an interface, select
Off.
Note: You must select a burb in the Burb field before you can enable an
interface.
85

Chapter 3: General System Tasks
Modifying the interface configuration
86
• Interface Type—Select one of the following options:
– Physical Interface — Select this option to configure a standard physical
interface.
– VLAN-Enabled Interface — Select this option to configure VLANs
(Virtual Local Area Network) for this interface. A VLAN is a virtual
interface that allows administrators to segment a LAN into different
broadcast domains regardless of the physical location. VLANs are only
supported on bge, em, and exp NICs.
When you select the VLAN-Enabled Interface option, the Configuration
tab displays a table listing all of the VLANs that are currently configured
for this interface. To configure VLANs for an interface, click New under
the VLANs table and go to “Configuring VLANs” on page 87.
Important:You must use a router that can decipher VLAN traffic to use
VLANs. Also, you cannot create VLANs on an interface that has DHCP
enabled.
• IP Address—Select one of the following options:
– Obtain an IP address automatically: This option allows you to use the
Dynamic Host Configuration Protocol (DHCP) to centrally manage IP
addresses within your network. When you select this option, the IP
Address and Network Mask fields are filled in with a value of DHCP,
indicating that DHCP will be used to manage IP addresses.
Important:You cannot configure HA or One-To-Many on a Sidewinder G2
that has DHCP configured.
– Use the following IP address: This option allows you to specify the IP
address, network mask, and burb for a physical interface.
• Network Mask—To modify the Network Mask, enter the new network mask
in this field. The value specified is used to identify the significant portion of
the IP address.
• Burb—To modify the burb, select the appropriate burb for this interface
from the drop-down list.
• Media Type—To modify the media type, select the appropriate type from the
drop-down list.
• MTU—This field allows you to specify the size of the Maximum Transfer
Unit (MTU) for outgoing packets. Select one of the following:
– Standard (1500)—Select this option to use the standard MTU.
– Jumbo (9000)—Select this option to allow jumbo frames. This option is
only available on NICs that support jumbo frames.
– Custom (576–9216)—Select this option if you need to specify a custom
MTU. The range may change, based on the following:
• If you are using a current version of the Admin Console to manage a
pre-6.1.2 Sidewinder G2, the range for this option will be 576-16000.
• If the NIC does not support jumbo frames, the range for this option
will be 576–1500.

Chapter 3: General System Tasks
Modifying the interface configuration
Note: The receive_jumbo_frames option (in the Hardware Capabilities area),
allows the interface to receive larger MTUs. This option is automatically enabled
when you specify a size that is larger than 1500 (standard). You must also ensure
that the destination is able to receive the MTU size when using non-standard sizes.
Important: If you swap interfaces, the MTU settings will not be swapped.
Therefore, if you swap an interface with modified MTU settings, you will need to
reconfigure those settings after swapping the interfaces.
• Hardware Capabilities—This option will only appear if the interface you are
modifying has hardware capabilities that can be configured. To select all of
the available options, click Select All. To deselect all options, click Deselect
All. The following options may be available for selection:
– rxcsum: Enable transmission of checksum offload for IPv4 packets.
– txcsum: Enable reception of checksum offload for IPv4 packets.
– tcpseg: Enable TCP/IPv4 segmentation offload for large packets.
When you are finished modifying the interface, click the Save icon to save your
changes. (If you modified the interface in a separate window, you will need to
click OK to return to the Interface Configuration window.)
Configuring VLANs
The VLAN-Enabled Interface Configuration: Modify Interface Configuration
window allows you to create and modify VLANs for an interface. You can
assign up to 64 VLANs/NICs on the Sidewinder G2. For example, if your
Sidewinder G2 has three NICs, you could configure up to 61 VLANS. Other
information about how VLANs function on Sidewinder G2 include:
• VLANs are supported in a High Availability (HA) configuration. For best
results, configure VLANs before configuring HA.
• You must use a router that can decipher VLAN traffic to use VLANs.
• You cannot create VLANs on an interface that has DHCP enabled.
• To filter traffic for a VLAN, use the following syntax:
tcpdump -pni interface_name vlan vlanID
To configure a VLAN, follow the steps below.
87

Chapter 3: General System Tasks
Modifying the interface configuration
88
Figure 39: VLAN-
Enabled Interface
Configuration: Modify
Interface Configuration
window
About the VLAN-
Enabled Interface
Configuration:
Modify Interface
Configuration
window
To create or modify a VLAN, do the following:
1 In the Enable field, select one of the following options:
• On—Select this option to enable this VLAN.
• Off—Select this option to disable this VLAN.
2 In the VLAN ID field, specify a numeric ID for this VLAN. Valid values are 2–
4094.
3 In the IP Address field, enter an IP address for the VLAN.
4 In the Network Mask field, enter a network mask for the VLAN. The value
specified is used to identify the significant portion of the IP address.
5 In the Burb drop-down list, select the burb for this VLAN.
6 Click OK to add the VLAN and return to the main Interface Configuration
window.
7 Click the Save icon to save your changes.
About the Aliases tab
The Interface Configuration Aliases tab contains an Interface Aliases table that
displays any alias IP addresses defined for the selected network interface.
Alias IP addresses are used in Multiple Address Translation (MAT). Adding
alias IP addresses to a network interface can be used for purposes such as:
• Specific logical networks connected to one interface can be consistently
mapped to specific IP aliases on another interface when using address
hiding.
• The NIC can accept connection requests for any defined alias.
• The NIC can communicate with more than one logical network without the
need for a router.
• The NIC can have more than one address on the same network and have
DNS resolve different domains to each host address.
To delete an alias IP address, select the item, and click Delete.
To add or modify an alias IP address, select the item, click New or Modify, and
see “About the Aliases: New/Modify Network Alias window” below.

About the Aliases:
New/Modify Network
Alias window
Chapter 3: General System Tasks
Modifying the interface configuration
To add or modify an alias IP address in the Interface Configuration: Aliases
window, follow the steps below.
1 In the Network Address field, select the appropriate network address for
the interface you want to configure.
2 In the Alias Address field, type the alias IP address that will be associated
with the network interface selected in the Interface Configuration window.
3 In the Network Mask field, type a network mask. The value specified is
used to identify the significant portion of the IP address.
4 Click OK to add the alias IP address, or click Cancel to return to the
Interface Configuration window without saving your changes.
After adding or modifying an entry you should be able to ping the address
from an external device, unless the Respond to ICMP echo and timestamp
parameter is disabled for this burb. See “Entering information on the Burb
Configuration window” on page 82.
5 Click the Save icon to save the changes.
About the Hardware Acceleration tab
The Hardware Acceleration tab will only appear if you are using a supported
hardware accelerator. The Hardware Acceleration tab contains a table listing
the supported hardware accelerators that are currently installed on the
Sidewinder G2. The following table columns appear:
• Hardware Accelerator—This column lists the type of hardware accelerator
(for example, Cavium).
• Accelerator Type—This column lists the type of hardware acceleration (for
example, SSL).
• Enabled—This column lists whether the hardware accelerator is enabled
(On) or disabled (Off).
To enable a hardware accelerator, select the hardware accelerator you want to
enable and click Enable.
To disable a hardware accelerator, select the hardware accelerator you want to
disable and click Disable.
Click the Save icon to save your changes.
89

Chapter 3: General System Tasks
Modifying the static route
Modifying the
static route
90
Figure 40: Static window
About the Static
window
Traffic between machines on different networks or subnets requires routing.
Each computer must be told where to direct traffic it cannot deliver directly; this
“default gateway” is generally a router which allows access to distant subnets.
A “default route” (route of last-resort) is used to specify the IP address where
packets are forwarded that have no explicit route. It is usually the IP address of
a router (for example, a Cisco box) that will forward packets to your Internet
Service Provider (ISP).
Note: For more detailed information on routing, please refer to “Routing options” in
the Sidewinder G2 Startup Guide.
On the Sidewinder G2, this default route is typically defined while using the
Quick Start Wizard during the initial configuration process. Once it is set it
rarely needs to change; hence it is also known as a static route. However, if
your network configuration should change, you may find it necessary to
change this static route. You can do this using the Admin Console. To change a
static route, select Services Configuration > Routing > Static. The Static
window appears.
The Static window contains a static route definition table that lists all of the
route definitions. To modify the static routes currently defined on the
Sidewinder G2, follow the steps below.
Note: Interface routes cannot be modified or deleted.

About the Static:
Route window
Configuring
Admin Console
access
Chapter 3: General System Tasks
Configuring Admin Console access
1 To change the IP address of the router that is used as your default or
“static” route, type the new address in the Default Route field. The address
must be entered using standard quad notation.
Note: If your Sidewinder G2 is defined with two DNS servers, the IP address for
the static route must be an address on the external burb.
2 Perform one of the following actions:
• To add a static route, click New. The Static Route window appears.
Proceed to step 3.
• To modify an existing static route, highlight the route you want to modify
and click Modify. The Static Route window appears. Proceed to step 3.
• To delete an existing static route, highlight the route you want to delete
and click Delete. When you click this button, the system checks for any
sessions that are currently using the address that you want to delete. If
the address is in use, you will not be allowed to delete the entry.
Proceed to step 8.
3 In the Entry Type field, select the type of route: Net or Host.
4 In the Net/Host Address field, type the subnet address for this route.
5 In the Gateway field, type the gateway address the route will use.
6 [Conditional] In the Net Mask field, type the network mask that will be used
for this route. This field is only available if Net is selected in the Entry Type
field.
7 Click Add to add the information you entered to the static route definition
table. (To exit the window without saving your changes, click Close.)
8 In the Static window, click the Save icon to write all non-interface routes to
/etc/gateways and automatically add changes to the current routing table,
or click Cancel to cancel the change.
Sidewinder G2 is managed from a Windows machine installed with the
Sidewinder G2 Admin Console. The Quick Start Wizard enables access on the
internal burb. Before you can establish an Admin Console connection to a
different burb, you must enable Admin Console access for that burb. Use the
following steps to enable or disable administration in a particular burb.
Start the Admin Console and select Firewall Administration > UI Access
Control. A window similar to the following appears.
91

Chapter 3: General System Tasks
Configuring Admin Console access
92
Figure 41: Remote
Administration tab
About the Remote
Administration tab
This window allows you to enable management for the Sidewinder G2 using
the Admin Console. When enabled, users with administrative privileges will be
able to use the Admin Console connect to and administer the Sidewinder G2.
You can enable Admin Console management on a per burb basis. For
example, if you enable Admin Console management for Burb A but not Burb B,
only those users with access to the interfaces assigned to Burb A will be able
to administer the Sidewinder G2 using an Admin Console.
Note: For information on configuring the Firewall Certificate tab, see “Configuring
and displaying firewall certificates” on page 424.
Follow the steps below to configure Admin Console management.
Note: During the initial configuration, the Quick Start Wizard enables Admin
Console access on the internal burb.
1 In the Allow Secure Sessions From list, select the burbs that will allow
administration access from a Windows system. Connections to the burbs in
this list are encrypted using SSL.
2 In the Secure Ports field, specify the range of ports on which secure
sessions will be allowed.
Note: See “NSS regulation of valid ports for the Admin Console” on page 15 for
details on selecting valid ports.
3 Click the Save icon to save your changes. To configure the SSL certificate
fields for the Admin Console, see the following section.

About the SSL
certificate fields for
the Admin Console
Configuring the
Sidewinder G2 to
use a UPS
Chapter 3: General System Tasks
Configuring the Sidewinder G2 to use a UPS
The Admin Console provides secure access to the Sidewinder G2 using the
Secure Socket Layer (SSL) protocol. The SSL protocol requires the use of
certificates by both the client and the server when creating the secure
connection. Follow the steps below to configure the SSL certificate for the
Admin Console.
Important: Secure Computing recommends assigning a new certificate to the
Admin Console before using the Sidewinder G2 in an operational environment.
A default SSL certificate is initially assigned to the Admin Console. When using
the Sidewinder G2 in an operational environment, however, it is highly
recommended that you assign a different certificate to the Admin Console. For
more information, see “Assigning new certificates for Admin Console and
synchronization services” on page 430.
To assign a new SSL certificate to the Admin Console, select the certificate
from the Certificate drop-down list. Only self-signed, RSA/DSA certificates that
are defined in Services Configuration > Certificate Management in the
Firewall Certificates tab are displayed in this field. The Firewall Certificates tab
is used to define a new certificate for use by the Admin Console. After creating
the new certificate you can return to the UI Access Control window and assign
the new certificate to the Admin Console.
Many organizations connect the Sidewinder G2 to an Uninterruptible Power
Supply (UPS). This allows the Sidewinder G2 to continue to be operational if a
power outage occurs. If the power outage is long enough, however, the battery
in the UPS will begin to fail. To avoid an uncontrolled shutdown, you can
configure the Sidewinder G2 to initiate an orderly shutdown before the UPS
fails. The Sidewinder G2 is much more likely to restart in a good condition
following an orderly shutdown than from an uncontrolled shutdown.
Configuring the Sidewinder G2 to use a UPS
To configure the Sidewinder G2 to use a UPS, select Services Configuration >
Servers and select upsd in the list of server names. Click the Configuration
tab. The following window appears.
93

Chapter 3: General System Tasks
Configuring the Sidewinder G2 to use a UPS
94
Figure 42: UPS
Configuration window
About the UPS
Configuration
window
The UPS Configuration window enables you to configure how the Sidewinder
G2 will interact with an uninterruptible power supply. The window contains the
following fields.
• UPS Serial Port—Click the drop-down list to select the Sidewinder G2 port
being used to monitor the UPS.
The Sidewinder G2 only supports COM1 port (COM2 is not supported).
Therefore, you cannot enable the uninterruptible power supply (UPS) service
AND connect a console directly on your Sidewinder G2 on the COM1
port at the same time. Doing so will cause your Sidewinder G2 Security
Appliance to shutdown immediately. If this happens, you must do one of the
following:
– Disable upsd and use a serial console: Disconnect the Sidewinder G2
console, disable upsd using the Admin Console, and then reconnect to
the Sidewinder G2 console.
– Remove the serial console and use upsd: Disconnect the Sidewinder
G2 console, and then connect the UPS cable.
• Battery Time—Specify the estimated amount of time (in seconds) that the
UPS battery will last before running low. The Sidewinder G2 will initiate an
orderly shutdown when this timer expires, regardless of the amount of
battery power remaining in the UPS.

Enabling/disabling the UPS server
Chapter 3: General System Tasks
Enforcing FIPS
1 Connect the UPS’s serial cable to the Sidewinder G2’s COM1 port.
2 Select Services Configuration > Servers.
3 Select upsd from the list of server names.
4 Click Enable or Disable.
• Enabled—Indicates the Sidewinder G2 is configured to use a UPS. If a
power outage occurs, the Sidewinder G2 will monitor the UPS and will
perform an orderly shutdown when the UPS battery begins to run low.
• Disabled—Indicates the Sidewinder G2 is not configured to use a UPS.
If a power outage occurs and the Sidewinder G2 IS connected to a
UPS, the Sidewinder G2 will not monitor the UPS and will not perform
an orderly shutdown when the UPS battery begins to run low.
5 Click the Save icon.
Enforcing FIPS Federal Information Processing Standard (FIPS) 140-2 is a standard that
describes the U.S. federal government requirements for a cryptographic
module used in a security system. Select this option to configure settings that
make a managed Sidewinder G2 FIPS 140-2 compliant. For more information
on how enabling this option affects Sidewinder G2, see the FIPS application
note at www.securecomputing.com/goto/appnotes.
Figure 43: Enforcing
FIPS
Note: This option is appropriate only for organizations that are explicitly required
by the U.S. federal government to be FIPS 140-2 compliant.
To enable FIPS, do the following:
1 Select Firewall Administration. The FIPS check box appears in the righthand
pane.
2 Select Enforce US Federal Information Processing Standard.
3 Click the Save icon to save the configuration change.
4 Select Firewall Administration > System Shutdown and reboot the
Sidewinder G2 to the Operational kernel to activate the change.
95

Chapter 3: General System Tasks
Enforcing FIPS
96

4 CHAPTER
Understanding Policy
Configuration
In this chapter...
Policy configuration basics.............................................................98
Rule elements ..............................................................................103
Application Defenses....................................................................109
Proxy rule basics ..........................................................................112
IP Filter rule basics.......................................................................121
97

Chapter 4: Understanding Policy Configuration
Policy configuration basics
Policy
configuration
basics
98
Figure 44: Basic rule
group structure Sample rule group
Your site’s security policy is implemented and enforced by applying rules to all
traffic that passes through the Sidewinder G2. Each rule is basically a mini
policy that contains criteria which are used to inspect incoming or outgoing
traffic. Rules determine whether that traffic will be allowed to continue to its
destination. There are two distinct rules types that you can configure on the
Sidewinder G2:
• Proxy rules—Proxy rules allow you to control access to Sidewinder G2
proxies and servers. Proxy rules determine whether traffic will be allowed
through the Sidewinder G2 or denied using various criteria such as source
and destination address.
Proxy rules are automatically bi-directional, meaning that a rule allows traffic
or sessions to be initiated from both source and destination addresses.
Also, each rule automatically allows the response(s) to the initial request.
Note: When you are configuring proxy rules for a particular proxy or service,
you must ensure that the corresponding proxies and/or servers have also been
enabled and configured before the rule will pass traffic. This can be verified at
Policy Configuration > Proxies and Policy Configuration > Servers.
• IP Filter rules—IP Filter rules allow you to configure your Sidewinder G2 to
securely forward IP packets between networks. IP Filter rules operate
directly on the IP packets, allowing you to configure filtering for TCP/UDP
and non-TCP/UDP traffic passing between networks.
After you plan and create all of the rules you need to enforce your security
policy, you can organize them into sets, called rule groups. A rule group can
consist of both rules and nested rule groups. A nested rule group is a rule
group that you place within another rule group. You can nest multiple rule
groups within a rule group.
Figure 44 demonstrates the basic structure of a rule group that uses nested
rules.
Rule 1
Rule group
Rule group
Rule 9
Rule Rule 21
Rule 3
Rule 4
Rule 5
Rule 6
Rule 7
Rule 8

Figure 45: Example of
active rules
Chapter 4: Understanding Policy Configuration
Policy configuration basics
While you can create numerous rules and groups, the Sidewinder G2 will only
load and use the rules contained in the groups that you select in the Active
Rules window. These active rules are the rules that enforce your security
policy. When you select the active rule groups (you can select one active proxy
group and one active IP Filter group), those groups begin actively monitoring
traffic coming into and leaving the Sidewinder G2. All rules and rule groups that
are not part of the active rules will remain inactive unless you add them to an
active rule group. You can modify your existing active rule group to add or
delete rules and/or nested rule groups as your security needs change. You can
also re-organize the rules within a group as needed.
When you select an active group, the individual rules and the rules within
nested groups are extracted into a single table of ordered rules as shown in
Figure 45.
rule group
Rule 1
Rule group
Rule group
Rule 9
active rules
Rule 1
Rule 2
Rule 3
Rule 4
Rule 5
Rule 6
Rule 7
Rule 8
Rule 9
contents of
rule group A
contents of
rule group B
The rules within an active group are processed in sequential order. When
traffic arrives at the Sidewinder G2, it will first be processed by the active IP
Filter rules. If the traffic does not match any IP Filter rules or matches a
Bypass IP Filter Rules rule, it is forwarded on to the active proxy rules. If a rule
match is found, the traffic is processed according to that rule and will not be
processed by any other rules. Therefore, the order of the rules and nested rule
groups within an active rule group is very important.
The rule groups you specify in the Active Rules window (one for proxy and one
for IP Filter) work together as follows: All traffic coming into and leaving the
Sidewinder G2 is compared to any active IP Filter rules that you have
configured. The IP Filter rules examine packets at the IP layer. If a match is not
found in the IP Filter rules, the traffic is then examined by the active proxy
rules, which examine the traffic at the Application layer.
99

Chapter 4: Understanding Policy Configuration
Policy configuration basics
100
Figure 46: Traffic passing through the active rule groups
traffic
1. Traffic enters
the Sidewinder G2
and is processed
by the active
IP Filter rules.
active IP Filter rules proxies
Rule group A
Rule
Rule group B
Rule group C
Rule
2. No match is found,
so traffic is forwarded
to the proxies.
Proxy
Proxy
Proxy - enabled
Proxy
Proxy
3. A match is found at
Proxy C, so the traffic is
forwarded to the active
proxy rules.
active proxy rules
Rule group A
Rule group B
Rule group C
Tip: Always place the deny_all rule at the end of the active proxy rules list. This
rule denies any traffic that reaches it. Therefore, any rules that are listed after the
deny_all rule will not process any traffic.
An example of traffic being processed by the active rules
The following scenario walks you through the basic process used by the
Sidewinder G2 to process an outbound Telnet connection request. For
simplicity, this scenario assumes that the active rules table consists of the
following items:
• Some non-TCP/UDP IP Filter rules.
• A rule called NetMeeting that allows users to use audio and video
conferencing components for NetMeeting ® .
• A rule group called Administration, which allows Sidewinder G2
administrators to access the Sidewinder G2.
• A rule called Internet Services, which includes a service group that allows
access to the most commonly used Internet services, including Telnet. (For
information on service groups, see “Service groups” on page 108.)
• All proxies included in those rules are enabled in the appropriate burbs.
• A deny_all rule that will deny any requests that did not match any other
rules. This rule acts as a safeguard against traffic that did not meet any rule
criteria, and may or may not be desirable depending on your site’s security
policy.
Rule
Rule
4. A match is found in Rule
Group B. The traffic is
processed by the rule
specifications.

Chapter 4: Understanding Policy Configuration
Policy configuration basics
The following steps outline the basic processing that takes place when an
outbound Telnet connection request arrives at a Sidewinder G2 with the above
active rules in place.
1 A outbound Telnet request arrives at the Sidewinder G2.
2 The request is processed by the active IP Filter rules. No match is found, so
the request is forwarded to the proxies.
3 The request is processed by the proxies. The telnet proxy is listening
(enabled), so the request is forwarded to the active proxy rules.
4 The request is processed by the first rule in the Active Rules table, which is
the NetMeeting rule. The request does not match the rule criteria.
5 The request is forwarded to the next rule in the table, a rule group called
Administration, and is inspected in sequential order by each rule contained
within that group. No match is found in this rule group.
6 The request is forwarded to the next rule in the table, a rule called Internet
Services. A match is found (because the Telnet proxy is included in the
service group used in this rule).
7 The request is processed according to the specifications in the Internet
Services rule. The Internet Services rule is an allow rule with NAT enabled.
The request bypasses all other rules and groups contained in the active
rules table, the internal address of the request is translated, and the request
is granted.
Ordering proxy rules within a rule group
The order in which rules and nested groups appear in the active rule group is
significant. When the Sidewinder G2 is looking for a rule match, it searches the
active rules in sequential order (beginning with the first rule or nested group
within the group, then the second, and so on). The first rule that matches all the
characteristics of the connection request (service type, source, destination,
and so on) is used to determine whether to allow or deny the connection.
Therefore, you should always place rules that allow or deny the most frequent
traffic near the top of an active rule group to reduce the processing time.
Important: If the characteristics of a connection request matches more than one
rule, the first one it matches will be used and the search will stop.
For example, suppose you want to allow access to FTP services on the
Internet for all systems except those included in a netgroup called
“publications.” The scenarios below illustrate both the incorrect and correct rule
placement.
101

Chapter 4: Understanding Policy Configuration
Policy configuration basics
102
Incorrect placement of rules in a rule group
The following shows a rule group list that is INCORRECT for this scenario.
Rule 1: Allow FTP service for all internal systems to all external systems.
Rule 2: Deny FTP service for the netgroup “publications” to all external
systems.
The first rule in the rule group allows all systems (via a wildcard) to use FTP
and the second rule denies one particular netgroup.
Problem: When a system specified in the “publications” netgroup requests an
FTP connection to somewhere in the Internet, the Sidewinder G2 will check
rule 1 in the active proxy rule group. Because that rule allows all systems FTP
service to the Internet, the Sidewinder G2 detects a match, stops searching the
rule group, and grants the connection.
Correct placement of rules in a rule group
To deny a particular netgroup in this example, the deny rule should be placed
before the allow rule. The correct way to order the rules in the rule group for
this example is as follows.
Rule 1: Deny FTP service for the netgroup “publications” to all external
systems.
Rule 2: Allow FTP service for all internal systems to all external systems.
Important: As a basic guideline when configuring a rule group, place specific rules
before any general (wildcard) rules.

Chapter 4: Understanding Policy Configuration
Rule elements
Rule elements Rule elements are the building blocks for your rules and help you save time
and effort by allowing you to group information, reducing the number of rules
you need to create. Rule elements consist of the following:
• Users and user groups—Users can be placed in user groups, allowing you
to apply a single proxy rule to multiple users who share the same access
privileges. See “Users and user groups” on page 104.
• Network objects—Network objects are entities for which you configure the
Sidewinder G2 to allow or deny connections. They can consist of IP
addresses, hosts, domains, netmaps, subnets, or netgroups. See “Network
objects” on page 105.
• Service groups—A service group is a collection of proxies and/or servers.
When specified in a proxy rule, the rule will regulate access to all proxies
and servers defined within that service group. See “Service groups” on
page 108.
Planning for rule elements
In providing network security, the main objective of the Sidewinder G2 is to
enforce a set of rules that reflect your desired security policy. Properly defining
and creating user groups, network objects, and service groups provides you
with building blocks you can use to create sound rules. Remember, the groups
you create and the rules you define serve as the embodiment of your site’s
security policy.
The following list provides guidelines to consider when planning your rule
elements:
• Start by considering your security policy. If you do not have a security
policy, see the Perimeter Security Planning Guide (located on the
Sidewinder G2 Management Tools CD) for information on how to develop
one.
• Decide if you want to control access based on user groups, netgroups, or
both.
• If you want to control access based on user groups, make a list defining all
users, and organize the list by the networking services they will be granted
and authentication methods they must use.
• Plan to include all users who require access to the same services using the
same authentication methods in the same group.
• Plan to create service groups for each user or netgroup that requires
access to the same services to reduce the number of rules you need to
create.
103

Chapter 4: Understanding Policy Configuration
Rule elements
104
• If you want to control access based on netgroups, make a list defining all
your machines, and organize the list by the networking services they will be
granted.
• Create a proxy rule for each user group and/or netgroup.
Important: Creating netgroups saves you the trouble of entering multiple
versions of the same proxy rule. It is important to model (define) all network
objects for which you want to allow access before you set up your rules.
Users and user groups
Users are people who use the networking services provided by the Sidewinder
G2. User accounts are a mechanism used to authenticate people before they
are permitted to make a network connection through (or to) the Sidewinder G2.
Note: Users and user groups are used only in proxy rules.
As described in the following chapter, you can use the Admin Console to
create user accounts which are stored in a user database located on the
Sidewinder G2 or in a separate authentication server. A single account in a
user database includes information such as the user’s login name and
password. (“Supported authentication methods” on page 277 provides detailed
information on various methods used to authenticate users during a
Sidewinder G2 connection attempt.)
A user group is a logical grouping of one or more users, identified by a single
name. Also, a user group can include another “nested” user group. Figure 47
shows an example of two user groups.
Important: User groups can be used in an allow rule only if the specified service
supports authentication (login, Telnet, FTP, Web, secure shell [SSH], or SSO).

Figure 47: User Groups
user group
named
“Accounting”
user group
named
“Engineering”
Chapter 4: Understanding Policy Configuration
Rule elements
Figure 47 shows five users divided into two user groups: “Accounting” and
“Engineering.” Suppose you want to allow both user groups Telnet access to
the Internet. Also suppose you want to authenticate the “Accounting” user
group differently from the “Engineering” user group. In this example you create
two nearly identical rules to allow Telnet access, one for each user group. The
only difference in the rules for each user group would be the authentication
method you specify for each group.
Network objects
A network object is an entity for which you configure the Sidewinder G2 to
allow or deny connections. A network object can be an IP address, a host, a
domain, a netmap, a subnet, or netgroup. When you create rules, you must
specify a network object as the source or destination of the connection. (You
may also select the All option, which serves as a wildcard.) The following
subsections provide an overview of how each network object is used.
Domain objects
internal
network
Sidewinder G2
A domain object specifies a domain name that is registered in the Domain
Name System (DNS). A domain object matches any domain or host name
within the specified domain; for example, somehost.example.com matches
example.com. See “Configuring domain objects” on page 142 for more
information.
Domain network objects are not supported in IP Filter rules.
Internet
105

Chapter 4: Understanding Policy Configuration
Rule elements
106
Host objects
A host object specifies an individual machine connected to the network. When
specifying a host object, you must use a host name that is resolvable by DNS,
or provide at least one IP address. See “Configuring host objects” on page 143
for more information.
In IP Filter rules, the localhost network object is supported but DNS-resolvable
host names should be avoided. DNS-resolvable host names become
inoperative during any periods when the appropriate DNS server is unavailable
or unreachable.
IP address objects
A network object can be an IP address of an individual machine connected to
the network. A machine can have more than one IP address. See “Configuring
IP address objects” on page 145 for more information.
Netmap objects
Many organizations use network address translation (NAT) and/or redirection
to prevent internal addresses from being visible to external users. On the
Sidewinder G2, NAT refers to rewriting the source address of the packet, while
redirection refers to rewriting the destination address of the packet.
For example, when a user sends a packet from an internal IP address on the
Sidewinder G2 to an external IP address, the Sidewinder G2 intercepts the
packet. If NAT is enabled for the matching rule, the Sidewinder G2 re-assigns
(or translates) the source address to its external address (or an address you
specify). Therefore, all traffic leaving your system appears to come from a
single external IP address.
If an organization requires many different address translations for multiple IP
addresses, you would normally need to create an individual rule for each
different NAT or redirection scenario, which can become difficult to manage.
However, using netmaps you can map multiple IP addresses and subnets to
alternate addresses without creating numerous rules.
A netmap consists of one or more netmap members. A netmap member is any
IP address or subnet object that you define. Each member in the netmap is
mapped to an alternate address that you specify. See “Configuring netmaps”
on page 145 for more information.
When creating a rule, you can use netmaps as follows:
• If you select a netmap in the source address field for a rule, the appropriate
NAT properties are automatically supplied based on the mapping
configured for each IP address or subnet in that netmap.
• If you select a netmap as the destination address in a rule, the appropriate
redirection properties are automatically supplied based on the mapping
configured for each IP address and subnet in that netmap.

Figure 48: Netgroup
Subnet objects
Chapter 4: Understanding Policy Configuration
Rule elements
A subnet object is a subset of a larger network, and consists of a network
address and a subnet mask. A subnet object defines a range of IP addresses
within a specific subnet. See “Configuring subnet objects” on page 147 for
more information.
Note: For more information on subnets, refer to Section 13.4 in the UNIX System
Administration Handbook, third edition.
Netgroup objects
A netgroup object consists of two or more network objects, identified by a
single name. You can create netgroups for network objects that are inside or
outside of the Sidewinder G2. A netgroup can include nested netgroups.
For example, you can define a netgroup that includes a number of domains,
several hosts that are outside of these domains, and a subnet. See
“Configuring netgroup objects” on page 148 for more information.
Figure 48 shows a sample netgroup configuration.
members of
“sales”
network
group
presales.example.co
sales.example.co
172.16.12.3
internal
network
Sidewinder G2
Internet
As shown in Figure 48, a netgroup named “Sales” is comprised of two domains
within a sales organization and an individual system using IP address
172.16.12.3. Suppose you want to allow users in all three of these network
objects to access Telnet servers anywhere on the Internet. You need to create
a rule to configure the connection, specifying ‘Sales’ as the source and a
wildcard (leave the field blank to indicate a wildcard) as the destination.
Without creating the Sales netgroup, you would need to make three rules to
configure the Telnet access, one for each network object.
107

Chapter 4: Understanding Policy Configuration
Rule elements
108
Service groups
A service group is a collection of selected proxies and/or servers. Once
defined, a service group can be used in a proxy rule to regulate access to the
services in the group. There are important administrative benefits gained by
using service groups: While a typical proxy rule will regulate access for a single
proxy or server, a proxy rule that is implemented using a service group can
regulate access for multiple proxies and/or servers. Grouping services together
in this manner enables you to reduce the overall number of rules you define,
which in turn reduces the overall complexity of your rule database. A less
complex rule database means there is less chance of introducing errors that
may affect the integrity of your security policy. You can also configure
Application Defense groups for rules that use service groups to specify
advanced properties for each proxy included in that rule. (See “Application
Defenses” on page 109 for an overview of Application Defenses.)
Example of a rule that uses a service group
Here’s an example that illustrates the power of a service group.
Assume you have a netgroup named eng_net_grp that consists of all the
engineers in your organization. If you want to grant Web, FTP, and Telnet
access to this group, you might do so by defining three separate rules. Table 9
illustrates how these three rules might look in the rule database.
Table 9: Typical rules not using service groups
No. Name Service Service Type Enabled Action
1 http_out HTTP proxy Enabled Allow
2 ftp_out FTP proxy Enabled Allow
3 telnet_out Telnet proxy Enabled Allow
A better option, however, is to use a service group. This enables you to
accomplish the same thing with one proxy rule. Create a service group that
contains the HTTP, FTP, and Telnet proxies, then use this service group when
defining the proxy rule. Table 10 illustrates the service group you might create,
and Table 11 illustrates how the resulting proxy rule will appear in a rule.
Table 10: Sample service group
Service Group Name Selected Proxies Selected Servers
EngServGrp HTTP, FTP, Telnet

Application
Defenses
Table 11: Sample proxy rule using a service group
Please note the following points about service groups:
Chapter 4: Understanding Policy Configuration
Application Defenses
No. Name Service Service Type Enabled Action
1 Eng_rule EngServGrp servicegroup Enabled Allow
• The proxies in a service group must be enabled on the
Services Configuration > Proxies window before they will pass traffic.
• Service groups are not supported in IP Filter rules.
• The services in a service group can be either all allowed or all denied on a
proxy rule. It is not possible to use the same proxy rule to allow access to a
subset of services in a service group while at the same time deny access to
a different subset of services.
• Service groups are extremely effective when implemented in a proxy rule
that regulates access for a user group or netgroup. Keep in mind, however,
that all members in the user group or netgroup must conform to the same
security policy (that is they will all be allowed or denied access to the same
collection of services).
• Authentication can be configured for a service group rule, even if not every
service in the group permits authentication. The Sidewinder G2 is able to
differentiate which services require authentication within a group. Mixed
service groups (authenticating and non-authenticating services) are best
used with allow rules. You can use SSO to require authentication for all
services in a service group.
• You can define as many service groups as needed.
• As always, the sequencing of rules within the active rule group remains
important, regardless of whether a service group is used.
Application Defenses allow you to configure advanced application-specific
properties for each proxy, including basic time-out properties and applicationspecific
permissions. You can also configure key services such as anti-virus/
anti-spyware, anti-spam/anti-fraud, SSL decryption, and Web services
management.
You can create Application Defenses in advance and then select the defense
for each rule that you create, or you can create defenses during rule creation.
Whether you create Application Defenses in advance or within a proxy rule, the
defense will be saved to a common database and can be used for other proxy
rules without needing to be recreated for other rules.
109

Chapter 4: Understanding Policy Configuration
Application Defenses
110
Application proxies that allow you to configure connection properties are
included in the Standard Application Defense. (You can also configure
transparency properties for the Telnet proxy within a Standard Application
Defense.) Application proxies that allow you to configure advanced,
application-specific options (such as anti-virus, application permissions, etc.)
as well as connection properties have their own branch in the Defenses branch
(e.g., Web, Secure Web, Mail, Multimedia).
You can also create Application Defense groups that allow you to specify an
Application Defense for each category (Web, Secure Web, Mail, Standard,
etc.). Application Defense groups are most useful when creating rules that use
service groups. When you create an Application Defense group, you can
configure and specify an Application Defense for each application included in a
service group. For an example of how an Application Defense group is used in
a rule, see Table 12 on page 112.
The following list summarizes the various categories of Application Defenses:
Note: For information on specifying an Application Defense in a proxy rule, see
“Creating proxy rules” on page 222.
• Web—This category allows you to configure advanced parameters for
HTTP, including header filtering and MIME/virus/spyware filtering. It also
provides support for SmartFilter 4.x. For information on configuring a Web
Application Defense, see “Creating Web or Secure Web Application
Defenses” on page 156.
• Secure Web—This category allows you to configure advanced parameters
for Web-based proxies, such as HTTPS and SSO. It also provides support
for SmartFilter 4.x. For information on configuring a Secure Web
Application Defense, see “Creating Web or Secure Web Application
Defenses” on page 156.
• Web Cache—This category allows you to configure Squid parameters for
SmartFilter 3.x. For information on configuring a Web Cache Application
Defense, see “Creating Web Cache Application Defenses” on page 170.
• Mail (Sendmail)—This category allows you to configure mail filtering and
anti-virus services to ensure that all e-mail traffic is scanned and filtered
before being allowed through to your internal networks. For information on
configuring a mail (sendmail) Application Defense, see “Creating Mail
(Sendmail) Application Defenses” on page 172.
• Mail (SMTP proxy)—This category allows you to filter mail using the SMTP
proxy based on destination address and determine if source routing is
supported. It also allows you to limit the length of replies received from mail
servers. For information on configuring a mail (SMTP proxy) Application
Defense, see “Creating Mail (SMTP proxy) Defenses” on page 181.
• Citrix—This category allows you to configure advanced ICA proxy
parameters. For information on configuring a Citrix Application Defense,
see “Creating Citrix Application Defenses” on page 185.

Chapter 4: Understanding Policy Configuration
Application Defenses
• FTP—This category allows you to configure FTP permissions and scanning
of FTP files. For information on configuring an FTP Application Defense,
see “Creating FTP Application Defenses” on page 186.
• IIOP—This category allows you to configure filtering properties for the
Internet Inter-ORB Protocol (IIOP) proxy. For information on configuring an
IIOP Application Defense, see “Creating IIOP Application Defenses” on
page 191.
• Multimedia—This category allows you to configure permissions for T.120
and H.323 proxies. For information on configuring a multimedia Application
Defense, see “Configuring the IIOP Connection tab” on page 191.
• Oracle—This category allows you to configure continuous session
monitoring to prevent spoofing and tunneling attacks while sessions are in
progress for the SQL proxy. For information on configuring an Oracle
Application Defense, see “Creating Oracle Application Defenses” on page
194.
• MS SQL—This category allows you to configure the standard connection
properties. For information on configuring an MS SQL Application Defense,
see “Creating MS SQL Application Defenses” on page 196.
• SOCKS—This category allows you to configure advanced properties for the
SOCKS proxy. For information on configuring a SOCKS Application
Defense, see “Creating SOCKS Application Defenses” on page 197.
• SNMP—This category allows you to configure advanced properties for the
SNMP proxy. For information on configuring an SNMP Application Defense,
see “Creating SNMP Application Defenses” on page 198.
• Standard—This category allows you to configure connection properties for
application proxies that do not require additional configuration options. You
can also configure transparency properties for the Telnet proxy. For
information on configuring a standard Application Defense, see “Creating
Standard Application Defenses” on page 201.
The pre-configured rule called Internet Services uses a service group by the
same name (Internet Services). This service group consists of multiple
applications such as HTTP, HTTPS, FTP, ping, and Telnet that require Internet
access. Using an Application Defense group in this rule allows you to configure
advanced, application-specific properties for each service contained in that
service group without creating a separate rule for each application. The
following table lists the applications that are contained in the Internet Services
service group and how each application uses the Application Defense group.
111

Chapter 4: Understanding Policy Configuration
Proxy rule basics
112
Table 12: Application Defense group used in the Internet Services rule
Service Group Apps Application Defense Used in Group
ftp FTP (FTP allowed permits, connection properties)
http Web (header filtering, MIME/virus/spyware filtering, etc)
https SecureWeb (SSL decryption, MIME/virus/spyware
filtering, etc)
ping Standard (ping-specific connection properties)
RealMedia Standard (RealMedia-specific connection properties)
rtsp Standard (rtsp-specific connection properties)
telnet Standard (Telnet-specific connection properties)
Proxy rule basics The following subsections provide information on the basic components that
comprise a proxy rule.
Note: This section provides an overview of proxy rules. For instructions on
creating proxy rules, see “Creating proxy rules” on page 222.
Basic criteria used to allow or deny a connection
Sidewinder G2 determines whether to allow or deny a proxy or server
connection by sequentially checking the rules in the active proxy rule group for
the first match to all criteria attributed to the connection request. When a match
is found, the connection will be allowed or denied based on the option selected
in the Action field. The Sidewinder G2 uses the first proxy rule that matches all
characteristics of the connection request to determine whether the connection
will be allowed or denied. The basic criteria used to allow or deny a connection
includes the following:
• source or destination burb—You can configure a proxy rule to allow or
deny connections based on the source burb, the destination burb, or both.
• source or destination network object—You can configure a proxy rule to
allow or deny connections based on the source network object, the
destination network object, or both. The source or destination object can be
an IP address, a host name, a domain name, a netmap, a subnet, or a
netgroup. A netgroup is a grouping of network objects defined by the
Sidewinder G2 administrator (see “Network objects” on page 105 for more
information on netgroups).
• connection service type—You can configure a proxy rule to allow or deny
connections based on the service type providing the connection in the
Sidewinder G2. Service types include:

Chapter 4: Understanding Policy Configuration
Proxy rule basics
– All—Allows connection service for both proxies and servers, but not
service groups.
– Proxy—Provides a connection through the Sidewinder G2 in order to
access a remote system.
– Server—Provides a service (such as Telnet) directly on the Sidewinder
G2.
– Service group—Allows multiple proxies and/or servers to be grouped
together and used to define a single proxy rule.
• type of network service requested—You can configure a proxy rule to allow
or deny connections based on the type of network service that will be
provided between the client and server. For proxy connections, the services
include FTP, Telnet, and Web (HTTP), as well as many others.
Optional criteria used to allow or deny a connection
When setting up a proxy rule, you can also specify the following optional
criteria for a connection.
Note: You can specify any of the following criteria in an ‘allow” rule. However, only
the authentication and date/time bullets apply to a ‘deny’ rule.
• the user requesting the connection—You can configure a proxy rule to
allow connections based on a group for which the user requesting the
connection is a member. A user group is comprised of multiple users
defined by the Sidewinder G2 administrator. See “Users and user groups”
on page 104 for more information on user groups.
This option is only valid when using authentication or SSO.
• authentication—You can configure a proxy rule to require the Sidewinder
G2 to authenticate the user requesting the connection before granting the
connection request. See “Supported authentication methods” on page 277
for detailed information on the types of authentication services you can use.
You can also configure a proxy rule to deny with authentication. The purpose
of this type of rule would be to allow access to everyone except a specific
group of users. For example, you might want to deny Telnet access to
your contractors but allow access for your regular employees.
Important: If you are not using SSO, configuring a deny with authentication
proxy rule in a mixed service group (authenticating and non-authenticating
services like Telnet and ping, respectively) will deny all non-authenticating
services. However, if SSO authentication is configured, initial authentication will
apply to all services contained in the service group. See “Service groups” on
page 108 for more information.
• the time and day when the connection request is made—You can
configure a proxy rule to allow or deny connections based on the time, the
day, or both.
113

Chapter 4: Understanding Policy Configuration
Proxy rule basics
114
• Application Defense properties—You can configure a proxy rule to allow
connections based on advanced application-specific parameters by
selecting the appropriate Application Defense. You can also configure
whether the connection will be transparent or non-transparent for some
proxies. See “Application Defenses” on page 109 for information.
Using NAT and redirection in proxy rules
You can configure proxy rules to perform Network Address Translation (NAT)
and/or redirection. On the Sidewinder G2, NAT refers to rewriting the source
address of the packet, while redirection refers to rewriting the destination
address of the packet. This protects IP addresses behind the Sidewinder G2
(on your internal network). The following scenarios demonstrate how NAT and
redirection work.
Scenario 1 - Internal network to external network Telnet access
using NAT
Internal network 172.17.0.0 requires Telnet access to the external network
192.101.0.0. The IP address of a machine on the internal network should not
be passed through the Sidewinder G2. Traffic sent from the internal network to
the external network should appear as if it originated at the Sidewinder G2.
Therefore, a rule must be created that will translate the internal host addresses
to the external address of the Sidewinder G2. To allow this type of access, the
NAT information would be configured as follows:
Source Burb: internal
Destination Burb: external
Source: 172.17.0.0 (internal address)
Destination: 192.101.0.0 (destination address)
NAT Address: localhost
Scenario 2 - Redirect external connections to an internal Telnet
server
An external network at 192.101.0.0 requires Telnet access to the internal host
at 172.17.120.123. However, 192.101.0.0 is not allowed to directly route to the
internal host. External hosts will initiate a Telnet connection to the external side
of the Sidewinder G2 (localhost). The rule will then rewrite the destination
address to that of the internal host and then forward the traffic onward. The
TCP/UDP allow information for the rule could be configured as follows:
Source Burb: external
Destination Burb: internal
Source: 192.101.0.0 (source address)
Destination: localhost
Redirection Address: 172.17.120.123 (internal host)

Simple proxy rule examples
Chapter 4: Understanding Policy Configuration
Proxy rule basics
This section provides several examples of proxy rules to help you better
understand how the Sidewinder G2 uses a rule to determine whether to allow
or deny a connection request.
Table 13 summarizes criteria for a proxy rule that permits any client in a trusted
burb to connect to any Web server located in the Internet burb. This criteria
reflects only the basic settings needed to allow access.
Table 13: Sample settings for a simple proxy rule
Basic rule
Criteria
Service Type
Service
Action
Setting
Comments
Proxy Software service type: proxy, server, or
service group.
HTTP Type of service: Telnet, FTP, Web (HTTP),
etc.
Allow Specifies whether to allow or deny a
service.
Source Burb Internal Name of the source burb.
Source
Destination
Burb
Destination
any (leave
blank)
Name of the source network object.
Internet Name of the destination burb.
any (leave
blank)
Name of the destination network object.
App. Defense Web Contains application-specific properties.
There are a number of optional effects you can configure for each proxy rule.
For example, by adding the entry options shown in Table 14, you can specify
which internal users are allowed Web access, specify a time interval when
Web access is allowed, and require authentication.
115

Chapter 4: Understanding Policy Configuration
Proxy rule basics
116
Figure 49: Sample
Network Configuration
Table 14: Optional proxy rule options
Optional Rule
Criteria
Setting
Comments
User Group marketing Specify the name of a user group.
Authentication Password Specify the authentication method(s). FTP
and Telnet proxies and console logins can
also specify Password, Radius, SafeWord,
SecurID, or SNK.
Times/Day Mon-Fri
7am-7pm
Important: If you are not using SSO, user groups can be used in an allow rule only
if the specified service supports authentication (login, Telnet, FTP, Web, or secure
shell [SSH]).
Example of proxy rules using netgroups
Specify the time restrictions for allowing or
denying service.
For the configuration shown in Figure 13, the Sidewinder G2 administrator has
grouped all internal systems into one of three netgroups: marketing
(mkt_net_group), engineering (eng_net_group), and accounting
(acct_net_group).
Note: For more information on netgroups, see “Network objects” on page 105.
mkt_net_grp
eng_net_grp
acct_net_grp
internal burb
172.20.1.1
proxies
Sidewinder G2
external burb
192.55.214.2
Internet
192.55.12.3

Chapter 4: Understanding Policy Configuration
Proxy rule basics
Suppose you want to allow all groups access to external FTP sites but only the
engineering group access to FTP host 192.55.12.3. Table 15 shows the proxy
rules in the order that they should be added to the rule group.
Table 15: Proxy rules for sample configuration shown in Figure 49
Proxy rule
Criteria
Rule 1:
allow_eng_ftp
Rule 2:
deny_other_ftp
Service Type Proxy Proxy Proxy
Service FTP FTP FTP
Action Allow Deny Allow
Rule 3:
allow_oth_ftp
Source Burb Internal Internal Internal
Source eng_net_group any (leave blank) any (leave blank)
Destination Burb Internet Internet Internet
Destination 192.55.12.3 192.55.12.3 any (leave blank)
User Group any (leave blank) any (leave blank) any (leave blank)
Authentication SafeWord
Times/Days Fri 7am-7pm
Application
Defense (FTP)
Allow Put/Get deny_all Allow Put/Get
The following list summarizes key points to consider for the proxy rules listed in
Table 15.
• Rule 1 allows all systems in the engineering group authenticated FTP
access to IP address 192.55.12.3 on the Internet, but only on Friday
between 7:00 a.m. and 7:00 p.m.
• This rule requires users to authenticate themselves via SafeWord before an
FTP connection is allowed.
• Rule 2 denies all systems in the trusted burb named internal from FTP
service to IP address 192.55.12.3 on the Internet.
• Rule 3 allows FTP service from all systems in the internal trusted burb to
any external system in the Internet burb.
117

Chapter 4: Understanding Policy Configuration
Proxy rule basics
118
Advanced proxy rule example using service groups
Now assume you want to specify all the various privileges afforded each of the
three netgroups in Figure 15. You could do this by defining many different allow
and deny proxy rules. However, because the source and destination criteria for
each of the network objects within a group are identical, a more elegant option
is to use service groups. Service groups enable you to use a single proxy rule
to define all the privileges assigned to a particular group.
Note: For more information on service groups, see “Service groups” on page 108.
For example, assume you want to assign the following privileges to each of the
netgroups in Figure 15:
• Engineering group—Access to all Sidewinder G2 proxies and servers
• Marketing group—Access to the Web, FTP, and e-mail via the http, ftp, and
smtp proxies
• Accounting group—Access to FTP and e-mail via the ftp and smtp proxies
You first define three different service groups. This is illustrated in Table 16.
Table 16: Sample service groups
Service group
Criteria
Selected
Proxies
Selected
Servers
EngServiceGrp MktServiceGrp AcctServiceGrp
All proxies HTTP, FTP,
SMTP
All servers None None
FTP, SMTP
You then use the service groups when defining your proxy rules. Table 17
shows the sample proxy rules.

Table 17: Proxy rules for the advanced rule group example
Proxy rule
Criteria
Entry 1:
eng_rule
Entry 2:
deny_other_ftp
Chapter 4: Understanding Policy Configuration
Proxy rule basics
Entry 3:
mkt_rule
Entry 4:
acct_rule
Service Type Service Group Proxy Service Group Service Group
Service EngServiceGroup FTP MktServiceGroup AcctServiceGroup
Action Allow Deny Allow Allow
Source Burb Internal Internal Internal Internal
Source eng_net_group Any (leave blank) mkt_net_group acct_net_group
Destination Burb Any (leave blank) Internet Internet Internet
Destination Any (leave blank) 192.55.12.3 Any (leave blank) Any (leave blank)
User Group Any (leave blank) Any (leave blank) Any (leave blank) Any (leave blank)
Authentication SafeWord SafeWord SafeWord
Times/Days
Application
Defense group
Web
FTP
Mail
deny_all Web
FTP
Mail
Web
FTP
Mail
119

Chapter 4: Understanding Policy Configuration
Proxy rule basics
120
Default rules
As mentioned earlier in this chapter, when you configure Sidewinder G2 you
can select from one of two sets of default services that will be automatically
placed in the active proxy rule group during initial configuration. The following
options are available and described in Table 18 on page 120:
• Allow administrative services only: If you select this option, Sidewinder
G2’s active rule group will contain only rules necessary for administration.
Other pre-configured rules appear on the Rules screen by default, but are
not in the active proxy rule group and therefore do not pass traffic.
• Allow administrative and basic outbound Internet services: If you select
this option, Sidewinder G2’s active rule group will include rules for
administration and a rule providing users access to the most commonly
used Internet services.
Table 18: Initial active policy
Proxy rule
name
dnsp (names
vary)
Admin
Console
Login
Console
Internet
Services
Summary
Allow DNS traffic to proxy between indicated burbs. Which
rules are created depends on the location of the DNS resolver
IP addresses (internal burb, external burb, assumed to be
reach-by-default route) provided in the Network Information
window.
Allows administrators to connect to the Sidewinder G2 using
the Admin Console.
Allows administrators to log in directly at the Sidewinder G2,
using an attached keyboard and monitor.
This rule is added if you select “Allow administrative services
and basic outbound Internet services” on the policy window.
The rule provides users access to the most commonly used
Internet services using a pre-configured “Internet Services”
service group. The Internet Services rule regulates access to
the following proxies and servers:
• FTP
• HTTP
• HTTPS
• Ping
• Real Media
• RTSP
• Telnet
Deny All Denies all connections from any source burb to any destination
burb.

IP Filter rule
basics
Chapter 4: Understanding Policy Configuration
IP Filter rule basics
IP Filter rules allow you to securely forward IP packets between networks,
allowing traffic to pass between the networks (for example, encrypted VPN
sessions). You can create IP Filter rules for TCP, UDP, ICMP, and many other
protocols (such as AH).
Security Alert: Secure Computing strongly recommends that you use IP Filter only
for non-TCP/UDP protocols, such as Vines, PPTP, NES, etc. Using IP Filter for a
TCP/UDP protocol will, in most cases, severely degrade the effectiveness of the
Sidewinder G2 and will expose your network to security hazards.
Functionally, IP Filter is based upon a rule database in the Sidewinder G2
kernel. IP Filter rules filter incoming packets based on source IP address,
destination IP address, and ports. Like proxy rules, IP Filter rules also have the
option of using network address translation (NAT) and/or redirection. You can
configure and manage the IP Filter rule database using the Admin Console.
IP Filter processing can be configured to reject the following source address
packets:
• Packets with broadcast source addresses
• Packets with source addresses on a loopback network that were received
on a non-loopback device
Note: Packets that are rejected for source route information will generate a
netprobe audit event.
When you initially configure the Sidewinder G2, you will have a default IP Filter
rule group that is assigned in the active rules. This rule group is empty. You can
create and add rules and/or rule groups to this group, or create your own group
and assign it as the active rule group instead.
The following sections summarize how IP Filtering works when stateful packet
inspection (also known as session tracking) is enabled and when it is not
enabled. The sections also provide information on what criteria is used to
determine rule matches and what happens after the Sidewinder G2 checks the
packet against the active IP Filter rules.
Note: For information on creating IP Filter rules, see “Creating IP Filter rules” on
page 228.
121

Chapter 4: Understanding Policy Configuration
IP Filter rule basics
122
How traffic is filtered if stateful packet inspection is
enabled
When Sidewinder G2 receives TCP, UDP, and ICMP traffic, it starts by
checking an IP Filter session record database to determine if an active session
record exists for this traffic. A session record indicates that this traffic is in
response to a previous successful match to an allow rule. Session records only
exist if the matching rule had stateful packet inspection enabled. Stateful
packet inspection is only an option for TCP, UDP, and ICMP IP Filter rules.
If an active session record exists, the following occurs:
a Perform address rewriting, if required
b Perform session processing
c Forward packet directly to the correct destination interface without any
additional processing
If no active session record exists, the following occurs:
Sidewinder G2 uses the criteria in Table 19 to check the active IP Filter rules
and find a match. The description for how the packet proceeds through the
Sidewinder G2 comes after the table. The flowchart in Figure 50 illustrates the
complete process.
Table 19: Rule matching criteria with stateful packet inspection enabled
Protocol Criteria
TCP/UDP • source IP address
• destination IP address
• ports
ICMP • packet type (echo, message, timestamp)
• source IP address
• destination IP address
• If a matching allow rule does exist, the following occurs:
a Add a session record to the session record database.
b Perform Network Address Translation (NAT) if required.
c Session processing occurs.
d Forward packet directly to the correct destination interface without any
additional processing by the Sidewinder G2.
• If a matching deny rule exists, the packet is discarded without any further
processing.

Chapter 4: Understanding Policy Configuration
IP Filter rule basics
• If a matching bypass rule exists, the packet is forwarded directly to
application-layer processing.
Tip: Bypass rules are used to expedite processing of specified traffic by not
checking them against all IP Filters rules before sending them to applicationlevel
processing. Therefore, position bypass IP Filter rules early in the active
rule group.
• If no matching IP Filter rule exists, the packet is forwarded to normal
Sidewinder G2 application-layer processing.
Figure 50: IP Filtering on packets with rules that have stateful packet inspection enabled
TCP/UDP/
ICMP
in
does a
session
exist?
translate as
required
perform
session
processing
forward
message w/o
further
processing
no
match
“bypass”
rule?
Sidewinder G2
no
match
“allow”
rule?
yes yes
yes
add a
session
no
match
“deny”
rule?
yes
discard
packet
no
perform
application-layer
processing
out
123

Chapter 4: Understanding Policy Configuration
IP Filter rule basics
124
How traffic is filtered if stateful packet inspection is not
enabled
When Sidewinder G2 receives traffic, it checks the active IP Filter rules for a
matching rule. If a rule does not have stateful packet inspection enabled,
Sidewinder G2 checks the criteria in Table 20 to find a match.
Table 20: Rule matching criteria without stateful packet inspection enabled
Protocol Criteria
TCP/UDP • source IP address
• destination IP address
• ports
ICMP • source IP address
• destination IP address
Other • source IP address
• destination IP address
Using this criteria, the Sidewinder G2 determines if the packet matches any of
the active allow, bypass, or deny rules. (Bypass rules are not available when
creating rules of type Other.) Sidewinder G2 then does one of the following:
• If a rule match is found, the packet source or destination address will be
translated according to the translation information that is configured for that
rule. The packet then is forwarded on for any further Sidewinder G2
processing. The flowchart in Figure 51 illustrates this process.
• If there are no matching rules in the IP Filter database, the Sidewinder G2
sends the packet onto application-layer processing.
Figure 51: IP Filtering on packets that do not have stateful inspection disabled
Sidewinder G2
incoming
packet A
incoming
packet B
active
IP Filter
rules
no match
match
allow, bypass
or deny rule?
Deny Rule
reject packet
no further
processing
Allow Rule
translate
packet (as
rule required)
Bypass Rule
do not check
against rest of
IP filter rules
continue application
layer proxy
processing

Figure 52: Example
network
Chapter 4: Understanding Policy Configuration
IP Filter rule basics
Using NAT and redirection for IP Filter rules
Many organizations use network address translation (NAT) and/or redirection
to prevent internal addresses from being visible to external users. On the
Sidewinder G2, NAT refers to rewriting the source address of the packet to the
external address of the Sidewinder G2 (or an address you specify). This allows
you to protect (or hide) the actual client source address, and in the case of
non-routable source addresses (such as 10.0.0.0) rewrite it to an address that
can be routed on the Internet. Redirection refers to rewriting the destination
address of an incoming packet to a redirect host for delivery.
Note: NAT and redirection function independently of one another. For applications
that allow either side of a connection to act as the client, you will generally create
two rules: one using NAT, and one using redirection.
Caution: Allowing IP Filter to pass traffic without NAT or redirection is possible
assuming all addresses are routable. However, it is not recommended because it
will expose internal addresses to the external side of your Sidewinder G2 without
the protection of a proxy.
When NAT or redirection is enabled in a rule, the source address in the rule is
always protected, as follows:
• For a rule of source -> destination, enabling NAT will “hide” the source
address from the destination for traffic originating from the source by
translating that address to the external address of the Sidewinder G2.
• For a rule of source -> redirect address, the destination (or external
Sidewinder G2 address) will be redirected to the actual source address and
hides the redirected address for traffic returning to the source.
Note: NAT or redirection are not allowed for bi-directional IP Filter rules with
stateful inspection enabled.
For the following scenarios, assume your network looks like this:
172.17.0.0
internal network
172.17.129.130 10.11.12.13
Sidewinder G2
192.101.0.0
external network
125

Chapter 4: Understanding Policy Configuration
IP Filter rule basics
126
Limitations of NAT for IP Filter protocols
Note the following limitations when setting up rules involving address rewriting
for TCP/UDP/ICMP protocols.
• NAT and redirection are not allowed for bi-directional IP Filter rules with
stateful packet inspection enabled.
• For address rewrite rules with redirection to the source address, only unidirectional
rules are allowed. Furthermore, the destination address in this
type of rule must have a significant bits value of 32 (that is, it must be a
single host or netmap). This is because the redirect address must be a
single host.
Setting the IP Filter NAT port rewrite range
When a packet from a source reaches the Sidewinder G2 and matches an IP
Filter rule with NAT configured, the source port and source address will be
rewritten and the packet will then be forwarded to its destination.
To facilitate this process, the IP Filter reserves a block of 875 ports for its own
use. The OS will never allow a process to bind to a port in this range. Creating
a TCP generic services proxy in this port range will not work. The default range
is set to 9210—9995.
If you need a port in IP Filter's reserved range (perhaps for a generic proxy),
the range can be moved by modifying the Start of Reserved Ports field in the
IP Filter Properties window. See “Viewing and modifying general IP Filter
properties” on page 241.
It is possible that an existing TCP proxy connection may be using a port in the
range you specify. In this case the cf ipfilter command will fail. You should
look at the current port usage by entering the netstat -a command and
adjust the IP Filter port range accordingly.
Specifying the source port in an IP Filter rule
The Sidewinder G2 enables you to specify the source port value to use in an
TCP or UDP IP Filter connection. This capability is typically only used when
connecting to an application that requires the source port to be a specific
value. (In some cases the application will require the source port to be the
same value as the port on which the application is listening.)
This capability is implemented by configuring NAT on the appropriate IP Filter
rule. This “source port” implementation of NAT, however, is different from a
normal implementation of NAT.

Figure 53: Normal NAT
IP Filter rule
implementation
Chapter 4: Understanding Policy Configuration
IP Filter rule basics
• Normal—Each connection uses the same IP address but gets its source
port from a pool of ports. When using normal NAT rules, the total number of
connections is dependent on the number of ports reserved for IP Filter in
the IP Filter Properties window.
• Source port—Each connection uses the original client source port, but gets
its translated IP address from a pool of IP addresses. (The pool of IP
addresses is derived from whatever IP aliases are defined for the
associated NIC. The total number of connections is therefore dependent on
the number of alias addresses defined for the NIC.) The pool of addresses
is normally a group of alias IP addresses associated with the destination
NIC. The total number of connections is therefore dependent on the
number of IP addresses specified by the rule.
By specifying one or more IP aliases, you can have multiple connections (each
connection uses the same port number but a different IP address).Figure 53
and Figure 54 illustrate the differences in the two implementations.
internal
A network
172.27.18.9
Possible connections from
workstation A to application B
using a normal NAT IP Filter rule
Internal IP
172.27.18.9
172.27.18.9
172.27.18.9
172.27.18.9
9120
....
9995
Sidewinder G2
11.80.1.1
pool of available IP
Filter ports
app. B
Source IP Source Port Dest IP Dest Port
11.80.1.1 9142 192.1.1.1 50
11.80.1.1 9877 192.1.1.1 50
11.80.1.1 9812 192.1.1.1 50
11.80.1.1 9884 192.1.1.1
50
192.1.1.1 listening
on port 50
127

Chapter 4: Understanding Policy Configuration
IP Filter rule basics
128
Figure 54: “Source port”
NAT IP Filter rule
implementation
internal
A network
172.27.18.9
Requirements
Sidewinder G2
Possible connections from workstation
A to application B using “source port
NAT IP Filter rule
Internal IP
172.27.18.9:50
172.27.18.9:50
172.27.18.9:50
172.27.18.9:50
IP aliases
11.80.1.4
11.80.1.5
11.80.1.6
11.80.1.7
11.80.1.1
Please note the following requirements when using NAT to specify the source
port of an IP Filter connection.
• This configuration only applies to uni-directional (source -> destination) IP
Filter rules with stateful inspection enabled.
• Use Source Port when specifying the source port in an IP Filter connection.
See “Creating IP Filter rules” on page 228 for more information.
Sharing IP Filter sessions in an HA cluster
pool of available
IP addresses
app. B
192.1.1.1
listening on port 50
Source IP Source Port Dest IP Dest Port
11.80.1.4 50 192.1.1.1 50
11.80.1.5 50 192.1.1.1 50
11.80.1.6 50 192.1.1.1 50
11.80.1.7 50 192.1.1.1 50
When IP Filter session sharing is configured for an HA cluster, the processing
(often primary) Sidewinder G2 sends out multicast messages to notify the other
nodes (such as the secondary or standby) Sidewinder G2 of IP Filter session
activity (such as a new session, closed session, or change in session state).
Each time a Sidewinder G2 receives a message, it updates its local session
table accordingly. All sessions received from the primary Sidewinder G2 will
have a status of shared on the secondary/standby Sidewinder G2.
When HA causes a secondary/standby Sidewinder G2 to take over as the
acting primary, the shared sessions on the acting primary become available.
When a packet is received for a session, it will be validated against the rules of
the processing Sidewinder G2. The processing Sidewinder G2 will then begin
sending multicast state-change messages.

Chapter 4: Understanding Policy Configuration
IP Filter rule basics
Specifying the number of TCP or UDP IP Filter sessions
By default, the Sidewinder G2 allows only 1,000 active TCP and UDP filter
sessions. These limits can be changed by modifying the Max TCP Sessions or
Max UDP Sessions field in the IP Filter General Properties window. See “About
the IP Filter General Properties window” on page 241.
129

Chapter 4: Understanding Policy Configuration
IP Filter rule basics
130

5 CHAPTER
Creating Rule Elements
In this chapter...
Creating users and user groups ...................................................132
Creating network objects..............................................................139
Creating service groups ...............................................................150
131

Chapter 5: Creating Rule Elements
Creating users and user groups
Creating users
and user groups
132
Figure 55: Users and
User Groups window
About the Users and
User Groups
window
A user is a person who uses the networking services provided by the
Sidewinder G2. A user group is a logical grouping of one or more users,
identified by a single name. You can also nest one or more user groups within
a user group.
Note: For basic information on users and user groups, see “Users and user
groups” on page 104.
To display the current users and user groups configured for your Sidewinder
G2, using the Admin Console select Policy Configuration > Rule Elements >
Users & User Groups. The following window appears.
This window displays the users and user groups currently configured in the
user database. In this window you can perform the following actions:
Note: When you initially install your Sidewinder G2, the only user that will appear
is the user name for the administrator account you defined during installation.
There will not be any user groups defined.
• Select multiple entries by pressing the Shift key while you select entries. To
select several non-consecutive entries, press the Ctrl key as you select the
desired entries.
• Display users, groups, or both—You can display only users (Users), only
groups (Groups) or both users and groups (All) using the Show drop-down
list.

Chapter 5: Creating Rule Elements
Creating users and user groups
• Filter users and/or groups—You can filter the users and/or groups that are
displayed in the window by typing alphabetic characters for which you want
to filter in the Match field. For example, if you type br in the Match field, only
users and groups whose name begins with “br” will appear in the list. The
Match field is case sensitive.
• Add or modify a user or user group—To add a new user or user group, see
“Configuring users or user groups” on page 133. To modify an existing user
or user group, highlight the entry you want to modify and click Modify.
Tip: You may find it more convenient to create user groups before creating
individual user accounts. That way, as you set up your user accounts, you will
be able to assign them to a group at the same time.
• Modify the members of a user group—To modify the members in a user
group, highlight the user group and click Members. See “Managing user
group membership” on page 138 for details.
• Delete a user or user group—To delete a user or user group, highlight the
entry you want to delete and click Delete. You will be prompted to confirm
this action.
Configuring users or user groups
To create or modify a user or user group, follow the steps below.
1 Using the Admin Console, select Policy Configuration > Rule Elements >
Users & User Groups. The Users and User Groups window appears.
2 In the Show drop-down list, select one of the following options and then
click New:
• All—Select this option to display both users and groups. If you select
this option, when you click New the Create User or Group Object
window appears. See “About the Create New User or Group Object
window” on page 134.
• Groups—Select this option to display only user groups. If you select this
option, when you click New the New Group Object window appears.
See “Configuring a new group using the New Group Object window” on
page 135.
• Users—Select this option to display only users. If you select this option,
when you click New the New User Object window appears. See
“Configuring individual user accounts using the New User Object
window” on page 136.
3 To edit a user or user group, highlight the entry you want to modify and click
Modify. You can also double-click the entry.
4 To delete an entry, select that entry by clicking it, and then click Delete. You
are prompted to verify your action—click Yes to delete the entry or click No
to cancel the action.
133

Chapter 5: Creating Rule Elements
Creating users and user groups
134
Figure 56: Create New
User or Group Object
window
About the Create
New User or Group
Object window
This window allows you to select whether you want to create a user or user
group.
1 Select one of the following options in the Create field:
• New User—Select this option to create a new user.
• New Group—Select this option to create a new user group.
2 (New User only) If you want to create a new user account using the
information contained in an existing user account, select the Copy from
existing user option and then select the user account that you want to copy.
This option will copy the following information fields from the existing user’s
account: Organization, User Fields 1–4, Description, Employee ID, and
Group Membership information. You will still need to enter information for
the Username and Password, as these fields contain information specific to
each individual user.
3 Click OK.
• If you are creating a new user group, the New Group Object window
appears. See “Configuring a new group using the New Group Object
window” on page 135.
• If you are creating a new user, the New User Object window appears.
See “Configuring individual user accounts using the New User Object
window” on page 136.

About the Group
Information tab
About the Group
Membership
Information tab
Chapter 5: Creating Rule Elements
Creating users and user groups
Configuring a new group using the New Group Object window
The New Group Object window contains two tabs:
• Group Information—This tab is used to define the name of a new group.
Follow the steps below.
• Group Membership Information—This is an optional tab that enables you
to make this group a member of one or more other groups (called a “nested
group”). See “About the Group Membership tab” on page 138 for details.
Note: You cannot edit the name of an existing group from this window. To
change a group name you must delete the group, then add it back using the
new name.
1 In the Group Name field, type a name for this group. Valid values include
alphanumeric characters, periods (.), dashes(-), and underscores (_), and
spaces ( ). However, the first and last character of the name must be
alphanumeric. The name cannot exceed 100 characters.
2 [Optional] In the Comments field, type any additional information about the
user group.
3 [Optional] If you want to add or remove this group as a member of another
group, click the Group Membership Information tab and follow the steps
below. If not, click OK.
The Group Membership Information tab enables you to make this group a
member of one or more other groups (called a nested group).
1 To add the group that is being created (or modified) as a member of one or
more other groups, click an existing group in the Available Groups list to
select it, and then click the ==>> button.
You can move multiple groups simultaneously by pressing the Shift key as
you select groups. To select multiple groups, press the Ctrl key and then
clicking the desired entries.
2 To remove the group from one or more groups, select the group in the
Member of Groups list to select it, and then click the

Chapter 5: Creating Rule Elements
Creating users and user groups
136
Figure 57: User
Information window
About the User
Information tab
Configuring individual user accounts using the New User
Object window
The New User Object window contains three tabs: User Information, User
Password, and Member Information. Use these tabs to create and modify user
accounts and user groups.
Tip: You may find it more convenient to create user groups before creating
individual user accounts. That way, as you set up your user accounts you will be
able to assign them to a group at the same time.
When you create a new user account or modify an existing user account, the
User Information window appears. This window contains three tabs that are
used to enter information about a user.
The User Information tab is used to enter descriptive information about a user.
Follow the steps below.
1 In the Username field, type the name the user will enter when he or she
requests a connection that requires authentication. This entry can consist of
up to 16 alphanumeric characters (upper or lower case) but must start with
an alphabetic character. Apostrophes are not allowed (for example,
O’Hare).
2 [Optional] In the Description field, type any information about the user that
may be helpful.
3 [Optional] In the Employee ID field, type an employee ID number, if
applicable.
4 [Optional] In the Organization field, type the organization that the user is
associated with, if applicable.

About the User
Password tab
Chapter 5: Creating Rule Elements
Creating users and user groups
5 [Optional] In the four User Fields, enter any additional information that your
organization requires. For example, if you will be generating chargeback
reports for authenticated FTP, Telnet, or Web connections, you might enter
account numbers in these fields.
You cannot modify the field names.
6 Select the User Password tab and see “About the User Password tab”
below to define password information for this user.
The User Password tab is used to enter password information for a user.
Follow the steps below.
1 In the Password area, create the user’s password using one of the
following methods:
• Manually create password—If you want to manually create a password
that the user must type when requesting a connection that requires
authentication, click in the text box and type a password. Then retype
the password in the Confirm Password field. The password must not
exceed 64 characters.
• Generate Password—If you want the Sidewinder G2 to automatically
create a password, click Generate Password. This will be the password
the user must type when he or she requests a connection that requires
authentication. Be sure to memorize the password that appears in the
Generated Password window before clicking OK. Once you click OK,
the password will no longer be visible.
2 If you want the user’s password to expire so they are required to change it,
do the following:
a Click Expire Password. A confirmation window appears.
b Click Yes. The Expire Password button changes to a Reinstate
Password button.
c Click OK and then click the Save icon to save your changes. If the user’s
password is expired, the password will appear in the Password field with
asterisks (*) prepended to the password.
3 If you need to re-instate a user’s expired password, click Reinstate
Password, click OK, and then click the Save icon in the toolbar.
4 To delete a user’s password account from the database, click Discard
Password Info. For example, this can be used if you are changing a user’s
authentication method from password to SafeWord and need to remove the
previous password information.
5 Select the Group Membership tab and see “About the Group Membership
tab” below to define group information for this user.
137

Chapter 5: Creating Rule Elements
Creating users and user groups
About the Group
Membership tab
138
Figure 58: User Group
Membership window
The Group Membership tab is used to assign the user to one or more existing
groups. (For information on setting up a user group, see “Configuring users or
user groups” on page 133.)
1 To add the user to a group, select a group in the Available Groups list and
then click the ==>> button.
2 To remove the user from a group, click a group in the Group Membership
list and then click the Users & User Groups. The Group Information window appears.
2 In the Show drop-down list, select Groups.
3 Select a group name, and then click the Members button in the lower
portion of the window. The User Group Membership window appears.

About the User
Group Membership
window
Creating network
objects
Chapter 5: Creating Rule Elements
Creating network objects
This window displays the users and groups that are members of the selected
group. You can perform the following actions from this window:
• Select a group to modify—In the Group Name drop-down list, select the
group for which you want to add or remove members.
• Determine which users and groups are displayed—To display only users,
only groups, or both users and groups (all), select the appropriate item from
either Show drop-down list. To further filter the list, in the Match field enter
alphabetic characters for which you want to filter. For example, if you type
br in the text box, only entries that begin with “br” appear in the list.
The Match field is case sensitive.
• Add or remove users as members of the selected group—To add a user or
group to this group, select an entry in the Available Users and Groups list
and then click the ==>> button. To remove a user from this group, select a
user in the Current Group Members list and then click the
Network Objects. The following window appears.
139

Chapter 5: Creating Rule Elements
Creating network objects
140
Figure 59: Network
Objects window
About the Network
Objects window
This window lists the network objects currently configured on the Sidewinder
G2. You can perform the following actions in this window:
• Filter the list of network objects—To modify the list that is displayed, select
an object type from the Filter drop-down list. The list will then display only
network objects of that type.
• Configure a new network object—To configure a new object, click New.
The New Network Object window appears. See “About the New Network
Object window” on page 141.
• Modify an existing network object—To modify an existing network object,
highlight the appropriate item within the list and click Modify. For
information on modifying specific fields, refer to the following sub-sections.
• Delete an existing network object—To delete a network object, highlight
the item you want to delete in the list and then click Delete.
• Add or remove a network object from a netgroup—To add or remove a
network object from one or more netgroups, highlight the netgroup and click
the Groups Object In button in the lower portion of the window. See
“Managing the groups to which a network object belongs” on page 149.
• View the areas that are currently using a particular network object—To
view the areas (netgroup, netmap, proxy rule) that are currently using a
particular network object, highlight the network object and click the Object
Usage button in the lower portion of the window. Click Close to exit the
Object Usage window.
Note: You cannot modify the information in the Object Usage window.

Figure 60: New Network
Object window
About the New
Network Object
window
Chapter 5: Creating Rule Elements
Creating network objects
In the Type drop-down list, select the type of object you want to create. The
following options are available:
Note: The fields that appear will vary depending on the type of object you select.
• Domain—For information on configuring a domain object, see “Configuring
domain objects” on page 142.
• Host—For information on configuring a host object, see “Configuring host
objects” on page 143.
• IP Address—For information on configuring an IP address object, see
“Configuring IP address objects” on page 145.
• Netmap—For information on configuring a netmap object, see “Configuring
netmaps” on page 145.
• Subnet—For information on configuring a subnet object, see “Configuring
subnet objects” on page 147.
• Netgroup—For information on configuring a netgroup object, see
“Configuring netgroup objects” on page 148.
141

Chapter 5: Creating Rule Elements
Creating network objects
142
Figure 61: Network
Objects: Domain window
Entering domain
information
Configuring domain objects
When you add a new domain using the Admin Console, the following window
appears.
This window is used to define information about a domain. (To create a
different network object, change the Type field.) Each domain you define
becomes a network object that can be used in a rule. Follow the steps below.
1 In the Name field, type a name for this domain object (for example,
“example” for example.com). Valid values include alphanumeric characters,
periods (.), dashes(-), and underscores (_), and spaces ( ). However, the
first and last character of the name must be alphanumeric. The name
cannot exceed 100 characters.
This field cannot be edited if you are modifying an existing domain.
2 [Optional] In the Description field, enter any useful information for this
domain object.
3 In the Domain field, enter the domain to use for this object (for example,
“example.com”).
4 Click Add to add the domain object. (If you are modifying an existing
domain object, click OK.)

Figure 62: Host network
object window
Entering host
information
Configuring host objects
Chapter 5: Creating Rule Elements
Creating network objects
When you add a new host, a window similar to the following appears:
This window is used to define information about a host. (To create a different
network object, change the Type field.) Each host you define becomes a
network object that can be used in a rule.
Note: In IP Filter rules, the localhost network object is supported, but DNSresolvable
host names should be avoided. DNS-resolvable host names become
inoperative during any periods when the appropriate DNS server is unavailable or
unreachable.
1 In the Name field, type a name of the host. Valid values include
alphanumeric characters, periods (.), dashes(-), and underscores (_), and
spaces ( ). However, the first and last character of the name must be
alphanumeric. The name cannot exceed 100 characters.
This field cannot be edited if you are modifying an existing host.
2 [Optional] In the Description field, enter any useful information about this
host.
3 In the Host field, enter the hostname for this host object (for example,
mail.example.com).
4 In the DNS drop-down list, determine whether this host will use DNS:
• DNS—Select this option to perform normal DNS look-ups.
• No DNS—Select this option if you do not want to perform DNS lookups
for this host.
143

Chapter 5: Creating Rule Elements
Creating network objects
Managing host IP
addresses
144
5 If you selected DNS in the previous step, and you need to override the DNS
time-to-live value, do the following:
Note: Overriding the default DNS time-to-live value is not recommended.
a Select the Override TTL check box.
b Specify a time value in the first text field.
c Specify the appropriate time increment in the drop-down list.
For example, if you wanted the DNS time-to-live value to be 30 minutes you
would type 30 in the text field and select minutes from the drop-down list.
6 To configure the IP address list for a host, do one of the following:
• To add a new IP address, click New and refer to “Managing host IP
addresses” on page 144.
• To modify an existing IP address, highlight the IP address and click
Modify and refer to “Managing host IP addresses” on page 144.
• To delete an IP address, highlight an entry and click Delete.
7 Click Add to add the host information. (If you are modifying an existing host
object, click OK.)
The IP Addresses window allows you to add an IP address for this host. (To
create a different network object, change the Type field.) When you add IP
addresses, if the host name is not known to DNS, it can be identified here. To
assign a new IP address to this host or modify an existing IP address, follow
the steps below.
1 In the Host IP Address field, type the host IP address associated with that
host.
Note: A host IP address should only be specified if it cannot be derived
dynamically from DNS.
2 Click Add, and then click Close.

Figure 63: IP Address
network object window
Entering IP address
information
Configuring IP address objects
Chapter 5: Creating Rule Elements
Creating network objects
When you add a new IP address, a window similar to the following appears.
This window is used to define information about an IP address. (To create a
different network object, change the Type field.) Each IP address you define
becomes a network object that can be used in a rule. Follow the steps below.
1 In the Name field, enter a name for this object. Valid values include
alphanumeric characters, periods (.), dashes(-), and underscores (_), and
spaces ( ). However, the first and last character of the name must be
alphanumeric. The name cannot exceed 100 characters.
This field cannot be edited if you are modifying an existing IP address.
2 [Optional] In the Description field, enter any useful information about this IP
address object.
3 In the IP Address field, type the value of the IP address.
4 Click Add to add the IP address information. (If you are modifying an
existing IP address object, click OK.)
Configuring netmaps
Netmap objects allow you to map multiple IP addresses and subnets to
alternate addresses without creating numerous rules. A netmap consists of
one or more netmap members. A netmap member is any IP address or subnet
that you add to a particular netmap. Each member in the netmap is mapped to
an alternate address that you specify. For more information about netmaps,
see “Rule elements” on page 103.
145

Chapter 5: Creating Rule Elements
Creating network objects
146
Figure 64: Network
Object: Netmap window
Creating/modifying
a netmap entry
About the Netmap
Members window
To create a netmap, in the New Network Object window, select netmap. A
window similar to the following appears.
This window is used to create or modify a netmap. (To create a different
network object, change the Type field.) Each netmap you define becomes a
network object that can be used in a rule. Follow the steps below.
1 In the Name field, type the name of the new netmap. Valid values include
alphanumeric characters, periods (.), dashes(-), and underscores (_).
However, the first and last character of the name must be alphanumeric.
The name cannot exceed 100 characters.
This field cannot be edited if you are modifying an existing netmap.
2 In the Description field, enter any useful information for this netmap.
3 To create a new netmap member, click New. The Netmap Members window
appears.
Once you add netmap members, you can sort them in the table by clicking
the column name that you want to sort. For example, if you want to sort the
table by type, click the Type column heading. All of the entries in the table
will be sorted by type and will appear in alphanumeric order. If you click the
heading a second time, the table will be sorted by type in the reverse alphanumeric
order.
4 Click Add to add the netmap information. (If you are modifying an existing
netmap, click OK.)
The Netmap Members window allows you to map an IP address or subnet
address to an alternate address within a netmap. (To create a different network
object, change the Type field.) Follow the steps below.
1 In the drop-down list that appears, select one of the following:
• IP Address—Select this option if you want to map an internal IP address
to be translated to a different IP address.

Figure 65: Subnet
network object window
Entering subnet
information
Chapter 5: Creating Rule Elements
Creating network objects
• Subnet—Select this option if you want to map a subnet address to be
translated to a different subnet address.
2 In the Original list, select the IP address or subnet that you want to map to
a different address.
3 In the Mapped list, select the IP address to which the original IP address or
subnet (that you selected in the previous step) will be mapped.
4 Click Add.
Configuring subnet objects
When you add a subnet, the following window appears.
This window is used to define information about a subnet. (To create a different
network object, change the Type field.) Each subnet you define becomes a
network object that can be used in a rule.
1 In the Name field, type a name for this object. Valid values include
alphanumeric characters, periods (.), dashes(-), and underscores (_), and
spaces ( ). However, the first and last character of the name must be
alphanumeric. The name cannot exceed 100 characters.
This field cannot be edited if you are modifying an existing subnet.
2 In the Description field, type any useful information about the object.
147

Chapter 5: Creating Rule Elements
Creating network objects
148
Figure 66: Network
Object: netgroup window
Entering netgroup
information
3 In the Subnet field, enter the following information:
• In the Subnet text field, type the subnet address. You must enter a valid
IP address containing four distinct fields separated by periods (for
example, 1.2.3.4).
• In the numeric text box following the subnet field, enter the number of
significant bits for the subnet address. You must enter an integer value
in the range 0–32. For example, if you enter 16, only the first 16 bits of
the address are important.
4 Click Add to add the subnet object. If you are modifying an existing subnet,
click OK.
Configuring netgroup objects
When you add a new netgroup object, the following window appears.
This window is used to define information about a netgroup. (To create a
different network object, change the Type field.) Each group you define
becomes a network object that can be used in a rule. Follow the steps below.
Tip: You may find it more convenient to create all of your network objects before
defining your netgroup objects. That way, as you set up your netgroup objects, you
will be able to immediately assign the desired network objects to the group.
1 In the Name field, type the name of the new netgroup. The name will be
used by rules to identify the netgroup when you set up Sidewinder G2
connections. Valid values include alphanumeric characters, periods (.),
dashes(-), and underscores (_), and spaces ( ). However, the first and last
character of the name must be alphanumeric. The name cannot exceed
100 characters.

Figure 67: Group
Membership window
Chapter 5: Creating Rule Elements
Creating network objects
This field cannot be edited if you are modifying an existing group.
2 [Optional] In the Description field, enter any useful information about this
group.
3 Modify the netgroup’s members by doing the following:
• To add a member to this netgroup, highlight the member in the Available
Members list that you want to add, and then click the ==>> button to
move it to the Chosen Members list.
• To remove a network object from this netgroup, highlight the object in
the Chosen Members list, and then click the

Chapter 5: Creating Rule Elements
Creating service groups
About the Group
Membership window
Creating service
groups
150
Figure 68: Service
Groups window
This window allows you to configure the groups to which a particular network
object belongs. The Available list displays all the available groups. The
Selected list displays the groups to which the object currently belongs. To add/
remove the network object to/from a particular group, do the following:
• To add this network object to another group, select the group in the
Available list and then click the ==>> button to move the group to the
Selected list.
• To delete a network object from a group, select the group in the Selected
list and then click the Service Groups. The following window appears:

About the Service
Groups window
Chapter 5: Creating Rule Elements
Creating service groups
This window allows you to view information for individual service groups. The
Service Group Name list contains all currently defined service groups.
To view information for a particular service group, highlight the service group
and the information will appear in the right-hand portion of the window. To add
a new service group, follow the steps below.
1 Determine if you want to create a new service group, modify an existing
service group, or delete a service group, and then do the following:
• To create a new service group, click New. The New Service Group
window appears. Proceed to step 2.
• To modify a service group, highlight the service group name in the
Service Group Name list and proceed to step 3.
• To delete a service group, highlight the service group and click Delete.
2 Type a name for the service group in the New Service Group field and click
Add. The service group is added to the list of service groups in the main
Service Group window. Valid values include alphanumeric characters,
periods (.), dashes(-), and underscores (_), and spaces ( ). However, the
first and last character of the name must be alphanumeric. The name
cannot exceed 100 characters.
3 Determine which proxies you want to assign to the selected service group.
The proxies currently assigned to the selected service group are listed in
the Selected Proxies list. The proxies that are available on the Sidewinder
G2 are listed in the Available Proxies list.
• To add a proxy to the Selected Proxies list, click a proxy name in the
Available Proxies list, and then click the ==>> button.
• To remove a proxy from the Selected Proxies list, click a proxy name,
and then click the button.
• To remove a server from the Selected Servers list, click a server name,
and then click the

Chapter 5: Creating Rule Elements
Creating service groups
152

6 CHAPTER
Configuring Application
Defenses
In this chapter...
Viewing Application Defense information .....................................154
Creating Web or Secure Web Application Defenses....................156
Creating Web Cache Application Defenses .................................170
Creating Mail (Sendmail) Application Defenses ...........................172
Creating Mail (SMTP proxy) Defenses.........................................181
Creating Citrix Application Defenses............................................185
Creating FTP Application Defenses .............................................186
Creating IIOP Application Defenses.............................................191
Creating Multimedia Application Defenses...................................192
Creating Oracle Application Defenses .........................................194
Creating MS SQL Application Defenses ......................................196
Creating SOCKS Application Defenses .......................................197
Creating SNMP Application Defenses..........................................198
Creating Standard Application Defenses......................................201
Configuring Application Defense groups ......................................202
Configuring connection properties................................................203
153

Chapter 6: Configuring Application Defenses
Viewing Application Defense information
Viewing
Application
Defense
information
154
Figure 69: Application
Defenses window (Web)
To view the Application Defenses windows, in the Admin Console select Policy
Configuration > Application Defenses > Defenses and then select the type of
Application Defense you want to view from the tree. A window similar to the
following appears.
The top portion of each Application Defense window consists of a table that
lists all of the Application Defenses (by row) that are currently configured for a
particular category. The table columns display the individual attributes for the
defenses. Basic default defenses (such as Default and Deny All) are preconfigured
for each category of Application Defense.
Note: The Application Defenses that are displayed in the table will vary depending
on the defense category you select from the tree.
You can perform the following actions in any of the Application Defense
windows:
• Create/modify/delete an Application Defense—To create a new Application
Defense, click New in the upper portion of the window. To create a new
Application Defense based on an existing defense, select the defense that
you want to duplicate, and then click Duplicate. You can then modify the
defense as needed to suit your needs. See “About the New/Duplicate
Application Defense window” on page 156.
To modify an existing Application Defense, select the defense that you want
to modify from the table. The configuration information is displayed in the
bottom portion of the window. To modify the Application Defense in a popup
window format, click Modify.

Chapter 6: Configuring Application Defenses
Viewing Application Defense information
For information on configuring a specific Application Defense, see the following:
– Web/Secure Web (page 156)
– Web Cache (page 170)
– Mail (Sendmail) (page 172)
– Mail (SMTP proxy) (page 181)
– Citrix (page 185)
– FTP (page 186)
– IIOP (page 191)
– Multimedia (page 191)
– Oracle (page 194)
– SOCKS (page 197)
– SNMP (page 198)
– Standard (page 201)
Note: For information on configuring Application Defense groups, see
“Configuring Application Defense groups” on page 202.
To delete an Application Defense, select the Application Defense that you
want to delete, and click Delete. You will be prompted to confirm your decision.
However, you cannot delete an Application Defense if it is being used
in a proxy rule. If the Application Defense is used in a rule, a pop-up window
will appear informing you which rules are currently using this defense.
Before you can delete the defense, you will need to modify each of the rules
to remove the specified defense from those rules.
• View the rules in which an Application Defense/Group is currently used—
To view the rules or rule groups that currently use a particular Application
Defense (or group), highlight the appropriate defense (or group) and click
Usage. A pop-up window appears listing the rule names that are currently
using the specified defense. Click Close when you are finished viewing the
rule list.
The bottom portion of each window (or pop-up, if you clicked Modify) displays
the actual configuration information for the selected Application Defense. The
information will vary depending on the Application Defense category you
select. The following fields remain constant among all Application Defense
windows:
• Name—This field contains the name of the Application Defense that you
are viewing. This field cannot be modified. If you need to rename an
Application Defense, you can create a duplicate defense with the desired
name, and then delete the existing Application Defense.
• [Web/Secure Web only] Type—This field allows you to specify whether a
defense will be used to protect a server, client, or both. For more
information about the Type field, see “Creating Web or Secure Web
Application Defenses” on page 156.
• Description—This field allows you to provide information about the
Application Defense to help you more easily identify it.
155

Chapter 6: Configuring Application Defenses
Creating Web or Secure Web Application Defenses
Creating Web or
Secure Web
Application
Defenses
156
Figure 70: Application
Defense: Web and Secure
Web
About the New/Duplicate Application Defense window
When you click New or Duplicate in the Application Defense window, the New/
Duplicate Application Defense window appears. This window allows you to
specify a name for the Application Defense. If you are creating a Web or
Secure Web Application Defense, the type of Web filtering this Application
Defense will protect against is also listed. You cannot modify the Type field
when creating a duplicate defense. Click OK.
When you click OK, the Application Defense is added to the table and the
properties for that defense are displayed in the lower portion of the window. To
configure the new Application Defense, either use the lower portion of the
window, or click Modify to configure the properties within a pop-up window.
The remaining sections in this chapter provide information for configuring each
Application Defense category.
The Web/Secure Web Application Defenses allow you to configure advanced
parameters for Web (HTTP) or Secure Web (HTTPS and SSO) proxy rules. To
create Web or Secure Web Application Defenses, in the Admin Console select
Policy Configuration > Application Defenses > Defenses and then select Web
or Secure Web respectively. One of the following windows appears. (Figure 70
displays only the bottom portion of the windows.)
Web Secure Web
Configuring the Web/Secure Web Enforcements tab
The Enforcements tab allows you to select the feature enforcement tabs that
you want to make available for configuration, as well as relax enforcement of
HTTP proxy standards. If you are configuring a Secure Web Application
Defense, you can also configure SSL decryption properties in the
Enforcements tab.

Chapter 6: Configuring Application Defenses
Creating Web or Secure Web Application Defenses
In the Type field, you can specify whether this defense will be used to protect a
server, client, or both, as follows.
• Combined—[Web only] This option allows you to create an Application
Defense that can protect both a Web client (outbound) and a Web server
(inbound) behind the Sidewinder G2. When you select this option, all of the
configuration options for this defense will appear. However, some of the
options that you configure will only apply to the client or server. (For
example, HTTP Request properties do not apply to the client. Therefore, if
you select Combined, HTTP Request properties that you configure will only
apply to the server.)
• Client—This option allows you to create an Application Defense that
protects a client behind the Sidewinder G2. Options that do not apply for
client protection (such as HTTP Requests) will not be available for
configuration.
• Server—This option allows you to create an Application Defense that
protects a server behind the Sidewinder G2. Options that do not apply for
server protection (such as Content Control options other than SOAP) will
not be available for configuration.
To enable enforcement of HTTP proxy standards in a manner that allows traffic
from systems that do not adhere to strict RFC standards for the HTTP proxy,
select the Relax Protocol Enforcements option. Enabling relaxed mode allows
the following RFC infractions:
• Media types in Content-Type: headers in a relaxed form, where the subtype
is not required
• Empty headers
• Duplicated responses from the server where the response is the same but
the version is different
• Query strings containing arbitrary data
Caution: Each listed infraction introduces an element of risk into your security
policy, particularly if enabled on server-side rules. Use this mode only when
necessary, and implement on a rule-by-rule basis.
Select this option if the above infractions are acceptable or required in your
network. When you enable this option, you will also need to specify whether
the protocol enforcements will be relaxed when receiving HTTP traffic from
clients, servers, or both by selecting one of the following options from the dropdown
list:
• Client—Select this option to relax protocol enforcements only when
receiving HTTP traffic from clients.
• Server—Select this option to relax protocol enforcements only when
receiving HTTP traffic from servers.
• Client and Server—Select this option to relax protocol enforcements when
receiving HTTP traffic from both clients and servers.
157

Chapter 6: Configuring Application Defenses
Creating Web or Secure Web Application Defenses
158
Enabling Web/Secure Web configuration tabs
To enable (or disable) feature enforcement tabs for Web/Secure Web, you
must first select the appropriate check box in the Enforcements tab. When you
select the check box for a feature, that tab becomes enabled.
Note: The Connection tab does not need to be enabled before you can configure
it.
The following tabs can be enabled:
Note: If you are configuring a Secure Web defense and you select the Decrypt
Web Traffic check box, you can enable any of the tabs below. If you select the Do
Not Decrypt Web Traffic check box, you can only enable the SmartFilter tab.
• URL Control—The URL Control tab allows you to configure filtering on the
URL contained in the HTTP request. To enable URL filtering, select this
check box. To configure URL filtering properties, select the URL Control tab
and see “Configuring the Web/Secure Web URL Control tab” on page 160.
• HTTP Request—The HTTP Request tab allows you to configure header
filtering on HTTP requests. To enable HTTP header filtering for HTTP
requests, select this check box. To configure HTTP header request
properties, select the HTTP Request tab and see “Configuring the Web/
Secure Web HTTP Request tab” on page 162.
• HTTP Reply—The HTTP Reply tab allows you to configure header filtering
on HTTP replies. To enable HTTP header filtering for HTTP replies, select
this check box. To configure HTTP header reply properties, select the
HTTP Reply tab and see “Configuring the Web/Secure Web HTTP Reply
tab” on page 163.
• MIME/Virus/Spyware—The MIME/Virus/Spyware tab allows you to
configure MIME (Multi-Purpose Internet Mail Extensions) and anti-virus/
spyware filtering, virus signature scanning, and infected file handling. To
enable filtering for MIME/virus/spyware, select this check box. To configure
MIME/virus/spyware properties, select the MIME/Virus/Spyware tab and
see “Configuring the Web/Secure Web MIME/Virus/Spyware tab” on page
165.
• Content Control—The Content Control tab allows you to configure filtering
for Web content types including Active X, Java, scripting languages, and
SOAP. (For Secure Web, you can only configure SOAP filtering.) To enable
content filtering, select this check box. To configure content control
properties, select the Content Control tab and see “Configuring the Web/
Secure Web Content Control tab” on page 168.
• SmartFilter —The SmartFilter tab allows you to enable filtering of Web
traffic using SmartFilter. For information on configuring the SmartFilter tab,
see “Configuring the Web/Secure Web SmartFilter tab” on page 169.

Chapter 6: Configuring Application Defenses
Creating Web or Secure Web Application Defenses
Configuring SSL decryption properties [Secure Web server
only]
The Sidewinder G2 can perform SSL decryption services at the firewall level
on a per rule basis, increasing the security of your data transactions. You can
also use SSL decryption to allow clientless VPN connections for trusted remote
users to provide secure access to the internal network. (For information on
configuring clientless VPN services, see “Setting up clientless VPN access for
trusted remote users” on page 379.)
To use SSL decryption services on Sidewinder G2, you must have the
following features licensed:
• Strong Cryptography—This feature is included with the basic Sidewinder
G2 Security Appliance license.
• SSL Decryption—This feature is an add-on module. If it is purchased after
Sidewinder G2’s initial activation, you will need to relicense your
Sidewinder G2 to activate this feature. For licensing information, see
“Activating the Sidewinder G2 license” on page 55
Tip: If using SSL decryption, you may use a supported hardware accelerator
board (such as Cavium) in your Sidewinder G2 to offload decryption, increasing
system performance. If you do not currently have a supported hardware
accelerator board installed on your Sidewinder G2, contact your sales
representative for assistance.
To configure decryption properties for a Secure Web Application Defense,
follow the steps below.
Important: Proxy rules that use Secure Web Application Defenses with the
Decrypt Web Traffic option enabled must have redirection configured.
1 Select from the following:
• To enable SSL decryption for an Application Defense, select Decrypt
Web Traffic. Remember to verify that the SSL Decryption and Strong
Cryptography features are licensed.
• To allow Web traffic to pass through without being decrypted, select Do
Not Decrypt Web Traffic. SSL connections will be validated when this
option is selected. If you select this option, you can select the
SmartFilter check box to enable Web filtering and enable the SmartFilter
tab for configuration.
2 [Conditional] If you are configuring a Secure Web defense to allow
clientless VPN sessions to access a Microsoft Exchange® Server, select
the Rewrite Microsoft OWA HTTP check box. For details on configuring the
Sidewinder G2 to allow clientless VPN connections for trusted remote
users, see “Setting up clientless VPN access for trusted remote users” on
page 379.
159

Chapter 6: Configuring Application Defenses
Creating Web or Secure Web Application Defenses
160
Figure 71: Web/Secure
Web: URL Control tab
3 Select the appropriate firewall certificate from the Firewall Certificate dropdown
list. This is the certificate that is used to authenticate the Sidewinder
G2 to the remote HTTPS/SSL client. For information on configuring firewall
certificates, see “Configuring Certificate Management” on page 415.
4 Click SSL Settings to configure SSL properties:
a Specify the SSL/TLS versions that will be accepted for secure Web
connections.
• SSL2—When this check box is selected, the SSL version 2 protocol
will be accepted.
Note: SSL2 is not recommended. It is only provided to allow compatibility
with older Web browsers/SSL applications. Diffe-Hellman Key Exchange is
not supported for SSL2. You must deselect SSL2 to enable the Require
Diffe-Hellman Key Exchange field.
• SSL3—When this check box is selected, the SSL version 3 protocol
will be accepted.
• TLS1—When this check box is selected, the TLS version 1 protocol
will be accepted.
b Select the minimum level of cryptography from the Minimum Crypto
Level Strength drop-down list.
c Click OK to return to the Enforcements tab.
Configuring the Web/Secure Web URL Control tab
To configure URL control properties for a Web/Secure Web defense, click the
URL Control tab.

About the URL
Control tab
Chapter 6: Configuring Application Defenses
Creating Web or Secure Web Application Defenses
The URL Control tab allows you to configure URL properties, such as which
HTTP operations will be allowed and which URLs will be explicitly denied.
Follow the steps below.
Note: The fields in this tab will be disabled unless you select the URL Control
check box on the Enforcements tab.
1 In the Allow Selected HTTP Commands area, select the commands
(operations) that you want to allow users to issue by clicking in the
corresponding check box(es).
To select all of the commands, click Select All. To deselect all of the commands,
click Deselect All. A description of each command is provided
within the window.
2 To disallow special characters in a query, select the Enforce Strict URLs
check box. If you select this option, URLs with certain special characters
will be disallowed under certain circumstances (such as RFC violation). For
example: quote (“), single quote (‘), back quote (`), brackets ( [ ], { }, < >),
pipe (|), back slash (\), caret (^), and tilde (~).
3 To allow international multi-byte characters in a query, select the Allow
Unicode check box.
4 [Server or Combined only] In the Maximum URL Length field, specify the
maximum length allowed for a URL. The default value is 1024 characters.
Valid values are 1–10000.
5 To require that the HTTP version be included in all requests, select the
Require HTTP Version in Request check box.
6 [Conditional] If you selected Require HTTP Version in Request in the
previous step, specify the HTTP versions that you want to allow in the
Allow Selected HTTP Versions area. Valid versions are 1.0 and 1.1.
7 In the Deny Specified URL Matches table, you can specify which URLs to
explicitly deny. The table lists any URLs that are currently denied.
To add a URL to the list, click New. To modify a URL in the list, highlight the
URL and click Modify. The Edit URL Parsing Values window appears. See
“Configuring the Edit URL Parsing Values window” on page 161 for information
on adding a URL.
Configuring the Edit URL Parsing Values window
This window allows you to create a URL value to add to the Deny Specified
URL Matches table. Follow the steps below.
1 In the String field, type the character string that, if found while checking
URLs, you want to deny.
2 In the Match Parameter area, select the portion of the URL to check when
attempting to match the String value:
161

Chapter 6: Configuring Application Defenses
Creating Web or Secure Web Application Defenses
162
Figure 72: Web/Secure
Web: HTTP Request tab
About the HTTP
Request tab
• Host — Select this option to filter on the URL host.
(http://hostname/path)
• Path — Select this option to filter on the URL path
(http://hostname/path)
• All — Select this option to filter on the entire request
(http://hostname/path)
For example, Sidewinder G2 encounters the URL http://www.example.com/
info/cookies.html. Sidewinder G2 is looking for the character string “cookie.” If
the Host option is selected, this URL will be allowed. If the Path or All option is
selected, this URL will be denied.
Configuring the Web/Secure Web HTTP Request tab
To configure HTTP Request properties for a Web/Secure Web defense, click
the HTTP Request tab. The following window appears.
The HTTP Request tab allows you to configure header filtering for HTTP
requests. This tab is only available if you selected Server or Combined in the
Type field. Follow the steps below.
Note: The fields in this tab will be disabled unless you select the HTTP Request
check box on the Enforcements tab.
1 Select the type of HTTP header filtering you want to allow or deny in the
Selected HTTP Request Header Filter Types area. The following options
are available:
Note: The X-* filter type is a wildcard filter that will allow or deny all X-xxx
request headers (commonly found in user-defined headers). If you create an
Allow list and do not include the X-* filter type, most Web traffic will be denied.

Figure 73: Web/Secure
Web: HTTP Reply tab
Chapter 6: Configuring Application Defenses
Creating Web or Secure Web Application Defenses
• None—Select this option if you want to deselect all HTTP request
header filter types in the list. (You can also deselect all of the types by
clicking Deselect All.)
• Standard—Select this option if you want to automatically select all of the
header types contained in the list. (You can also select all header types
by clicking Select All.)
• Paranoid—Select this option if you want to exclude all options not
defined in the RFC.
• Custom—Select this option if you want to manually configure which
HTTP header types you will allow or deny.
2 In the Filter Option field, determine whether you want to allow or deny the
header types you select, as follows:
• Allow—Select this option to allow all header types that are selected in
the HTTP Request Header Filter Types window. All other types will be
denied.
• Deny—Select this option to deny all header types that are selected
selected in the HTTP Request Header Filter Types window. All other
types will be allowed.
3 In the Denied Header Action area, select one of the following options:
• Block Entire Page—Select this option to block the entire page when an
HTTP header is denied.
• Allow Page Through Without Denied Headers—Select this option to
mask the denied HTTP header, but still allow the page to be viewed. (A
denied HTTP header will be overwritten with X’s.)
Configuring the Web/Secure Web HTTP Reply tab
To configure HTTP Reply properties for a Web/Secure Web defense, click the
HTTP Reply tab. The following window appears.
163

Chapter 6: Configuring Application Defenses
Creating Web or Secure Web Application Defenses
About the HTTP
Reply tab
164
The HTTP Reply tab allows you to configure header filtering for HTTP replies.
Follow the steps below.
Note: The fields in this tab will be disabled unless you select the HTTP Reply
check box on the Enforcements tab. Also, this tab is not available for Secure Web if
you select Client in the Type field.
1 In the Filter Option field, determine whether you want to allow or deny the
header types you select, as follows:
• Allow—Select this option to allow all header types that are selected in
the HTTP Reply Header Filter Types window. All other types will be
denied.
• Deny—Select this option to deny all header types that are selected
selected in the HTTP Reply Header Filter Types window. All other types
will be allowed.
2 Select the type of HTTP header filtering you want to allow or deny in the
Selected HTTP Reply Header Filter Types area. The following options are
available:
Note: The X-* filter type is a wildcard filter that will allow or deny all X-xxx reply
headers (commonly found in user-defined headers). If you create an Allow list
and do not include the X-* filter type, most Web traffic will be denied.
• None—Select this option if you want to deselect all HTTP reply header
filter types in the list. (You can also deselect all of the types by clicking
Deselect All.)
• Standard—Select this option if you want to automatically select all of the
header types contained in the list. (You can also select all header types
by clicking Select All.)
• Paranoid—Select this option if you want to exclude all options not
defined in the RFC.
• Custom—Select this option if you want to manually configure which
HTTP reply header types you will allow or deny.
3 In the Denied Header Action area, select one of the following options:
• Block Entire Page—Select this option to block the entire page when an
HTTP reply header is denied.
• Allow Page Through Without Denied Headers—Select this option to
mask the denied HTTP reply header, but still allow the page to be
viewed. (A denied HTTP reply header will be scrubbed.)

Figure 74: Web/Secure
Web: MIME/Virus/
Spyware tab
About the MIME/
Virus/Spyware tab
Chapter 6: Configuring Application Defenses
Creating Web or Secure Web Application Defenses
Configuring the Web/Secure Web MIME/Virus/Spyware tab
To configure MIME/virus/spyware properties for a Web/Secure Web defense,
click the MIME/Virus/Spyware tab. The following window appears.
The MIME/Virus/Spyware tab allows you to configure filtering for MIME, virus,
and spyware scanning services. The tab contains a rule table that displays any
MIME/Virus/Spyware filtering rules that have been created. The tab also
contains various virus scanning and handling configuration options.
Note the following:
• The fields in the MIME/Virus/Spyware tab will be disabled unless you select
the MIME/Virus/Spyware check box on the Enforcements tab.
• For Web defenses, MIME/Virus/Spyware scanning services are not
available if you select Server in the Type field.
• For Secure Web defenses, MIME/Virus/Spyware scanning services are not
available if you select Client in the Type field.
• Virus and spyware scanning is performed on data sent from the client if the
request method is either PUT or POST, and the appropriate file type is
specified for scanning in the MIME/Virus/Spyware filtering rules table.
To configure MIME/Virus/Spyware properties for an Application Defense, follow
the steps below.
Important: You must license and configure scanning services before the MIME/
Virus/Spyware filter rules you create will scan HTTP/HTTPS traffic. See
“Configuring virus scanning services” on page 69.
1 Configure the appropriate MIME/Virus/Spyware filter rules in the MIME/
Virus/Spyware Filter Rules table, as follows:
• Create a new filter rule—To create a new filter rule, click New and see
“Configuring MIME filtering rules” on page 166.
165

Chapter 6: Configuring Application Defenses
Creating Web or Secure Web Application Defenses
166
• Modify an existing filter rule—To modify an existing filter rule, select the
rule you want to modify, and click Modify. See “Configuring MIME
filtering rules” on page 166. (If you are modifying the default MIME
filtering rule, see “Configuring the Default filtering rule action” on page
168.)
• Delete a filter rule—To delete an existing filter rule, select the rule you
want to delete and click Delete. You will be prompted to confirm your
decision.
2 Determine how infected files will be handled in the Infected File Handling
area as follows:
• To discard infected files, select Discard Infected Files.
• To remove the virus from the file and then continue processing the file,
select Repair Infected Files.
3 To reject all files in the event that scanning is not available, select the
Reject All Files If Scanning Is Unavailable check box. If you select this
option, the connection will be dropped if scanning is unavailable.
4 In the Scan File Size Limit (KB) field, specify the maximum file size that will
be allowed in KB. If a file exceeds the size specified in this field, filtering will
not take place and the file will be denied.
Configuring MIME filtering rules
When you click New or Modify beneath the MIME/Virus/Spyware Filter Rules
area, the MIME/Virus/Spyware Rule Edit window appears. This window allows
you to add or modify MIME/Virus/Spyware filtering rules.
Important: Rules that are configured with an allow or deny action will allow or deny
traffic based on the rule criteria that is defined for those rules. Allow and deny rules
do not perform virus scanning. To perform virus scanning for traffic that matches a
rule before it is allowed, you must specify Virus/Spyware Scan in the rule’s Action
field.
By default, a single allow rule is contained in the filter rule table. If you choose
to leave the default allow rule as the last rule in your table (that is, all traffic that
isn’t explicitly denied will be allowed), you will need to configure the appropriate
virus scan and/or deny rules and place them in front of the default allow rule. If
you configure the default rule action to deny (that is, all traffic that is not
explicitly allowed will be denied) you will need to configure the appropriate
virus scan and/or allow rules and place them in front of the default deny rule.
To create MIME/Virus/Spyware rules, follow the steps below.
Note: Rules that specify both a MIME type/subtype and file extensions will allow or
deny any traffic that matches either the MIME Type or a File Extension type. That
is, the traffic does not need to match both criteria to match the rule.

Chapter 6: Configuring Application Defenses
Creating Web or Secure Web Application Defenses
1 In the MIME Type drop-down list, select the MIME type for which you want
to filter. If you select the asterisk (*) option, the filter rule will ignore this field
when determining a match.
2 In the MIME Subtype drop-down list, select a subtype for the MIME type
that you selected in the previous step (the available options will vary
depending on the MIME type you selected in the previous step). If you
select the asterisk (*) option, the filter rule will ignore this field when
determining a match.
3 In the File Extensions area, specify the type of file extensions that you want
to filter:
• Ignore Extensions (*)—Select this option to ignore extensions when
determining a match.
• Archive Extensions—Select this option to specify basic archive
extensions (such as .tar, .zip, etc.) for the specified MIME types/subtype.
• Standard Extensions—Select this option to specify the standard file
extensions associated with the selected MIME type/subtype. For
example, if you select text in the MIME Type field, and HTML in the
MIME Subtype field, the .htm and .html file extensions will appear in the
standard list.
• Custom—Select this option to create a custom list of file extensions for
the selected MIME type/subtype. To add a file extension to the list, click
New and see “Configuring the Add New File Extension window” on page
167. To delete a file extension, select the extension you want to delete
and click Delete. You can use the Reset button to clear all extensions
from the list, or to select a different file extension list (Archive or
Standard).
4 In the Action area, select one of the following options:
• Allow—Select this option if you want to explicitly allow the file
extensions that you specified in the previous steps. (Virus scanning will
not be performed.)
• Deny—Select this option if you want to explicitly deny the file extensions
that you specified in the previous steps. (Virus scanning will not be
performed.)
• Virus/Spyware Scan—Select this option if you want to perform virus
scanning on the file extensions that you specified in the previous steps.
If no viruses are detected, the file will be allowed through the system.
Configuring the Add New File Extension window
This window allows you to specify additional file extensions on which to filter. In
the File Extension field, type the extension (without the leading period) that
you want to add, and then click Add. The file extension is added to the Custom
file extension list.
If you select the Custom file extension option, all file extensions listed in the
box will be allowed, denied, or filtered, depending on the action you select.
167

Chapter 6: Configuring Application Defenses
Creating Web or Secure Web Application Defenses
168
Figure 75: Web/Secure
Web Content Control tab
About the Content
Control tab
Configuring the Default filtering rule action
The default filter rule is a catch-all rule designed to occupy the last position in
your rule table. To modify the default action for the default MIME filtering rule,
do the followings:
1 Select the default rule in the table and click Modify. The MIME Default
Action window appears.
2 Select the appropriate action for this rule and then click OK.
• Allow—The default rule is initially configured to allow all data that does
not match other filter rules. If you leave the default rule as an allow rule,
you must create filter rules that require virus scanning or explicitly deny
any MIME types that you do not want to allow, and place them in front of
the default allow rule.
• Deny—If you prefer the default rule to deny all data that did not match a
filter rule, you must create the appropriate virus scan and allow rules
and place them in front of the default deny rule.
• Virus/Spyware Scan—If you want to perform virus and spyware
scanning for traffic that does not match any allow or deny filter rules you
create, select this option. You will then need to create the appropriate
allow and deny rules that will not require scanning.
Configuring the Web/Secure Web Content Control tab
To configure content control properties for a Web/Secure Web defense, click
the Content Control tab. The following window appears.
The Content Control tab allows you to configure filtering to deny certain types
of embedded objects. Follow the steps below.
Note: If you are configuring a Web or Secure Web defense for type Server, you
will only be allowed to select the Deny SOAP option. If you are configuring a Web
defense for type Client, the Deny SOAP option is not available.

Figure 76: Web/Secure
Web: SmartFilter tab
About the Web/
SecureWeb
SmartFilter tab
Chapter 6: Configuring Application Defenses
Creating Web or Secure Web Application Defenses
1 Select the Deny ActiveX Controls check box to scrub the ActiveX
embedded objects from the Web content.
2 Select the Deny Java Applets check box to scrub the Java Applet objects
from the Web content.
3 Select the Deny Scripting Languages check box to scrub scripting
languages from the Web content.
4 Select the Deny SOAP check box to scrub SOAP embedded objects from
the Web content. In some cases, selecting this option can cause the entire
page to be denied if it contains SOAP embedded objects.
Configuring the Web/Secure Web SmartFilter tab
When SmartFilter is configured, the SmartFilter tab allows you to determine
whether requests will be rejected if the SmartFilter server is unavailable.
Select the Reject all requests if SmartFilter is unavailable check box to reject
any requests that occur when the SmartFilter server on Sidewinder G2 is
unavailable.
For more information about configuring SmartFilter 4.x for Sidewinder G2, see
“Configuring SmartFilter for HTTP/HTTPS” on page 630.
Configuring the Web/Secure Web Connection tab
The Web/Secure Web Connection tab allows you to configure basic connection
properties, such as the type of connection that will be allowed (transparent,
non-transparent, or both), timeout properties, and fast path session properties.
You can also configure whether to send traffic to an upstream proxy.
Configuring connection properties is common to most Application Defenses.
For information on configuring the Connections tab, see “Configuring
connection properties” on page 203.
Note: Click the Save icon to save your changes when you are finished configuring
an Application Defense.
169

Chapter 6: Configuring Application Defenses
Creating Web Cache Application Defenses
Creating Web
Cache
Application
Defenses
170
Figure 77: Application
Defenses: Web Cache
window
To configure Web Cache Application Defenses, in the Admin Console select
Policy Configuration > Application Defenses > Defenses > Web Cache. The
following window appears. (Figure 77 displays only the bottom portion of the
window.)
Configuring the Web Cache Application Defense window
This window allows you to configure SmartFilter 3.x properties for the Web
Proxy server (Squid). Follow the steps below.
Note: A newer SmartFilter version (4.0.2) is available and configured using the
Web or Secure Web application defense. New web filtering subscribers should start
with SmartFilter for Web and Secure Web, and existing users should consider
upgrading. For either version, you must first enable SmartFilter (Services
Configuration > SmartFilter).
1 Configure the SmartFilter category table.
The SmartFilter category table displays the available SmartFilter categories,
as well as the configured properties for each category. To modify the
properties for a SmartFilter category, select the category that you want to
modify, and click Modify. See “Modifying a SmartFilter category” on page
171.
2 To filter URLs to deny specific file extension types, click New in the Denied
File Extensions area. To modify an existing file extension, select the file
extension you want to modify and click Modify in the Denied File
Extensions area. See “Configuring the SmartFilter File Extension window”
on page 172 for information about adding or modifying a denied file
extension.

Chapter 6: Configuring Application Defenses
Creating Web Cache Application Defenses
3 [Conditional] To slow the download process for filtered sites, in the Delay
field, type the amount of time (in seconds) that you want to delay the Web
page display.
Delaying the download time discourages users from browsing certain sites
because it takes longer for those pages to be displayed. Valid values are
from 1–999.
Note: The Delay field applies to ALL categories in a rule that are set to Delay.
For example, if you have set Chat, Entertainment, and Art/Culture to delay, and
enter 30 seconds in the Delay field, sites that fall into any of the three categories
will be delayed by 30 seconds.
4 To deny Web access if a user attempts to access a site using an IP address
rather than a URL, select the Deny IP Addresses check box. Secure
Computing recommends enabling this check box.
5 To deny unclassified personal pages, select the Deny Unclassified
Personal Pages check box.
Note: Unclassified personal pages are pages that consist of uncategorized
URLs that contain a tilde, such as www.rootsweb.com/~wgnorway/. This
option does not refer to the Personal Pages category. It only refers to pages
that contain a tilde (~), as described above.
6 Click the Save icon to save your changes when you are finished configuring
an Application Defense.
Modifying a SmartFilter category
When you select a SmartFilter category and click Modify in the SmartFilter tab,
the SmartFilter Modification window appears. This window enables you to
change the settings for the selected SmartFilter category. The Category field in
the top portion of the window displays the SmartFilter category you selected for
modification. Follow the steps below.
1 In the Permission field, specify whether access to the selected SmartFilter
category will be allowed or denied by selecting the appropriate option from
the drop-down list.
2 In the Special Handling field, specify whether SmartFilter will process Web
requests to this category in a special manner. Valid options are:
• None—No special handling is performed.
• Coach—A predefined message is displayed to users informing them
that the site has been filtered, but allows them to proceed at their own
risk. The predefined message can be modified by editing the
/usr/local/squid/etc/errors/ERR_SCC_SMARTFILTER_COACH file.
Note: The Coaching feature works with all Internet Explorer browsers and
with Netscape browsers at version 6.0 or greater.
171

Chapter 6: Configuring Application Defenses
Creating Mail (Sendmail) Application Defenses
Creating Mail
(Sendmail)
Application
Defenses
172
Figure 78: Application
Defenses: Mail (Sendmail)
window
• Delay—Slows the download process of filtered sites. This discourages
users from browsing certain sites because it takes longer for those
pages to be displayed. The delay time is specified on the Set
SmartFilter Delay field on the main SmartFilter tab.
Configuring the SmartFilter File Extension window
This window allows you to specify file extensions that will be denied. To add a
file extension that you want to deny, type the extension in the Denied File
Extension window. Do not include a period (.) in front of the file extension.
Mail (Sendmail) Application Defenses are used in SMTP proxy rules. To
configure Mail (Sendmail) Application Defenses, in the Admin Console select
Policy Configuration > Application Defenses > Defenses > Mail (Sendmail).
The following window appears. (Figure 78 displays only the bottom portion of
the window.)
Note: You must have Secure Split SMTP mail servers configured to use mail
filtering.
Configuring the Mail (Sendmail) Control tab
This tab allows you to configure filtering for sendmail services. The Anti-Relay
feature prevents your mailhost from being used by a hacker as a relay point for
spam to other sites. This option is automatically enabled for all mail defenses
and cannot be disabled.

Chapter 6: Configuring Application Defenses
Creating Mail (Sendmail) Application Defenses
To configure a Mail (Sendmail) Application Defense, follow the steps below.
1 To enable (or disable) a particular type of filtering, you must select the
appropriate check box in the Enable Mail Filters area. Once you enable a
mail filter, you can configure it by selecting the appropriate tab. You cannot
configure a mail filter unless you have selected it in this tab. The following
filters can be enabled:
• Size Filter—The Size filter allows you to specify the maximum size for
mail messages. To configure the Size filter once it has been enabled,
select the Size Filter tab and see “About the Mail (Sendmail) Size tab”
on page 174.
• Keyword Search Filter—The Keyword Search filter allows you to filter
mail messages based on the presence of defined key words (character
strings). To configure the Keyword Search filter once it has been
enabled, select the Keyword Search tab and see “About the Keyword
Search tab” on page 175.
• MIME/Virus/Spyware Filter—The MIME/Virus/Spyware Filter allows you
to configure MIME, virus, and spyware filtering for e-mail messages. To
configure the filter once it has been enabled, select the MIME/Virus/
Spyware tab and see “Configuring the Mail (Sendmail) MIME/Virus/
Spyware tab” on page 177.
• Spam/Fraud Filter—The Spam/Fraud filter allows you to filter out mail
messages that fall under the “spam” and “fraud” profile. The Spam/
Fraud filter can only be enabled or disabled in this window.
• To enable spam and fraud filtering, select this check box. To disable
spam and fraud filtering, clear the check box.
• To receive automatic updates for the spamfilter server, enable the
spamfilter cron job. See “Spamfilter cron job” on page 599 for more
information.
• If desired, you can modify the default actions for the Spam/Fraud
filter in the appropriate configuration file(s) using the Admin Console
File Editor. See “Configuring advanced anti-spam and anti-fraud
options” on page 356 for details.
Before using anti-spam service, the Anti-Spam add-on module must be
licensed and the spamfilter server must be enabled.
2 To specify how mail messages that are rejected should be handled, select
one of the following options in the Rejected Mail Handling field:
• Discard—Select this option if you want to discard rejected mail
messages without notifying the sender.
• Return To Sender—Select this option if you want to send a rejection
notice to the sender.
Note: If a message is denied by the MIME/Virus/Spyware filter rules (configured
in the MIME/Virus/Spyware tab), that message will be discarded without
sending a rejection notice regardless of which option you select here.
173

Chapter 6: Configuring Application Defenses
Creating Mail (Sendmail) Application Defenses
174
Figure 79: Mail
(Sendmail) Size tab
About the Mail
(Sendmail) Size tab
Figure 80: Keyword
Search tab
Configuring the Mail (Sendmail) Size tab
To configure size restrictions for a Mail (Sendmail) defense, select the Size tab.
The following window appears.
The Size filter checks e-mail messages for the number of bytes the message
contains, including the message header. A message is rejected if it is greater
than or equal to the threshold size you specify when you configure a filter.
To configure the Size filter, in the Maximum Message Size field specify the
maximum message size (in KB) that will be allowed to pass through the
Sidewinder G2. The default is 1024KB. Valid values are 1–2147483647 KB.
Configuring the Mail (Sendmail) Keyword Search tab
To configure key words (character strings) that will be filtered for a Mail
(Sendmail) defense, select the Keyword Search tab. The following window
appears.

About the Keyword
Search tab
Chapter 6: Configuring Application Defenses
Creating Mail (Sendmail) Application Defenses
The Keyword Search tab allows you to configure the Sidewinder G2 to perform
a search for specified character set(s), or key words, within an e-mail
message. The search scans the message’s header and body sections. If the
mail body contains mime encoded attachments, the encoded attachments are
scanned. If the filter finds a specific number of key word matches, the message
is rejected. If the filter does not match a specific number of key words, it passes
the message onto the next filter or to the intended recipient.
Select your key words carefully. For best results:
• Use spaces before and after each defined phrase.
• Create a comprehensive list of phrases instead of relying on wildcard-like
searching.
• Note that key word searching is most reliable on MIME attachments with
ASCII content-types. If dealing with non-ASCII types of attachments, false
positives are likely if the length of the key words are short and the
attachments are long.
Following these guidelines can decrease the chance of mistakenly rejecting a
legitimate message.
To configure character sets to search for, follow the steps below.
1 Verify that kmvfilter server is enabled in the appropriate burbs (Services
Configuration > Servers).
2 In the Minimum Number of Phrase Matches Required for Rejection of
Message field, specify the number of key word matches that must be found
in a message before it is rejected.
3 In the Total Number of Phrase Matches to Verify Before Rejection field,
specify whether the filter will search the entire message for key words, or
whether it will stop searching for key words if the minimum number of
matches is met:
• Minimum—Select this option if you want the filter to stop searching and
fail the message if the minimum number of key word matches is met.
This is based on the number that you enter in the previous step. The
filter will reject a mail message once the minimum number of key words
are matched.
• All—Select this option if you want the filter to continue searching the
message for key words after the minimum number of key word matches
is met, for auditing purposes. After searching the entire message for key
word matches, the message is rejected.
4 The Phrase List table provides the list of phrases that will be filtered for this
Application Defense. The table contains three columns:
• Before—This column indicates whether a space is required immediately
before the specified phrase to match the filter. An asterisk (*) indicates
that the phrase will not match unless there is a space immediately in
front of the phrase.
175

Chapter 6: Configuring Application Defenses
Creating Mail (Sendmail) Application Defenses
176
• Phrase Text—This column lists each phrase for which the filter will
search.
• After—This column indicates whether a space is required immediately
after the specified phrase to match the filter. An asterisk (*) indicates
that the phrase will not match unless there is a space immediately
following the phrase.
To add a phrase, click New. To modify a phrase, highlight the appropriate
row and click Modify. The Keyword Search: Phrase Edit window appears.
Configuring the Keyword Search: Phrase Edit window
When you click New or Modify beneath the Phrase List area, the Keyword
Search Phrase Edit window appears. This window allows you to add or modify
character strings (known as “key words”). Follow the steps below.
1 In the Text field, type the text you want to filter. The keyword search is not
case sensitive. The character string must consist of at least two characters.
You can include any printable character, as well as spaces.
Note: Some special characters, such as a space, will be displayed in the Key
Word list using their hexadecimal equivalents.
You can also define a key word entry that consists partly or entirely of
binary characters. The binary characters you want to search for are entered
into the Key Word list using their hexadecimal equivalents. Each character
must be preceded with a back slash (\). This distinguishes the character
from a regular character. You can specify several characters in a row, but
each character must be preceded by a back slash. You can also intermingle
the binary characters with regular characters. For example, the following
are valid entries in the Key Word list:
– \ac\80\fe
– \ff\00\fb\40secrets
– password\df\01\04
Valid hexadecimal characters are allowed immediately following a back
slash. To use the back slash character as part of a key word entry, you must
type a double back-slash (\\).
Note: The exception is \0a (the new line character). The filter will not detect a
key word that contains this character unless it is the first character in the key
word entry or unless the character is preceded by \0d (the line feed) character
(e.g., \0d\0a).
2 If you want to require that there be white space directly in front of and/or
after a key word, select the Require whitespace immediately before phrase
and/or Require whitespace immediately after phrase check boxes,
accordingly. This prevents the filter from misidentifying character strings
that innocently appear as part of another word.

Figure 81: Mail
(Sendmail) MIME/Virus/
Spyware tab
About the Mail
(Sendmail) MIME/
Virus/Spyware tab
Chapter 6: Configuring Application Defenses
Creating Mail (Sendmail) Application Defenses
For example, if you require whitespace before and after the key word “for,”
words like “forest,” “formula,” “information,” and “uniform” will be allowed to
pass through the filter, while the word “for” would not. If you do not require
whitespace before and after the key word “for,” the “for” string within the
word would match the filter and cause the message to be rejected (if the
specified number of matches are found).
3 To add the new or modified key word, click OK.
Configuring the Mail (Sendmail) MIME/Virus/Spyware tab
To configure MIME, virus, and spyware filtering options for a Mail defense,
select the MIME/Virus/Spyware tab. The following window appears.
The MIME/Virus/Spyware tab allows you to configure MIME, virus, and
spyware filtering services. The tab contains a rule table that displays any
MIME/Virus/Spyware filtering rules that have been created. It also contains
various virus/spyware scanning and handling configuration options.
Important: You must license and configure additional services before the MIME/
Virus/Spyware filter rules you create will scan mail messages. See “Configuring
virus scanning services” on page 69.
To configure MIME/Virus/Spyware properties for an Application Defense, verify
that the Control tab’s MIME/Virus/Spyware check box is selected and then
follow the steps below.
Security Alert: If you want to perform virus and spyware scanning, you must
create the appropriate rules with Virus/Spyware Scan selected in the Action field.
Rules that are configured only to allow or deny traffic based on rule criteria will not
perform virus and spyware scanning. (See step 1 for information on configuring
MIME/Virus/Spyware filter rules.)
177

Chapter 6: Configuring Application Defenses
Creating Mail (Sendmail) Application Defenses
178
1 Configure the appropriate MIME/Virus/Spyware filter rules in the MIME/
Virus/Spyware Filter Rules table, as follows:
• Create a new filter rule—To create a new filter rule, click New and see
“Configuring MIME filtering rules” on page 166.
• Modify an existing filter rule—To modify an existing filter rule, select the
rule you want to modify, and click Modify. See “Configuring MIME
filtering rules” on page 166. (If you are modifying the default MIME
filtering rule, see “Configuring the Default filtering rule action” on page
168.)
• Delete a filter rule—To delete an existing filter rule, select the rule you
want to delete and click Delete. You will be prompted to confirm your
decision.
2 Determine how infected files will be handled by selecting one of the
following options:
• Discard Infected Files—Select this option to discard infected files.
• Repair Infected Files—Select this option to remove the virus from the
file and then continue processing the file.
3 To reject all files in the event that scanning is not available, select the
Reject All Files If Scanning Is Unavailable check box. If you select this
option, files will either be discarded or returned to sender as specified by
the Rejected Mail Handling option selected on the Mail (Sendmail) Control
tab.
4 In the Scan File Size Limit (KB), specify the maximum file size that will be
allowed (in KB). If a file exceeds the size specified in this field, scanning will
not take place and the file will be denied.
5 Select Full Scan of Entire Mail Message if you want to perform scanning on
the entire mail message (that is, the message with all of its MIME types is
scanned as a single entity). A mail message is scanned only if one or more
of its extensions match the MIME type/subtype settings on a filter rule with
Virus/Spyware Scan selected.
If this check box is clear, each piece of the mail message will be scanned
and handled independently.
6 Select Discard mail with denied attachments if you want to discard mail
once a MIME/Virus/Spyware filter rule denies its attachment(s). If you select
this option, files will either be discarded silently (sender is not notified) or
returned to sender, as specified by the Rejected Mail Handling option
selected on the Mail (Sendmail) Control tab.
If this option is not selected, the message is sent on without the denied
attachment.

Configuring MIME
filtering rules
Chapter 6: Configuring Application Defenses
Creating Mail (Sendmail) Application Defenses
When you click New or Modify beneath the MIME/Virus/Spyware Filter Rules
area, the MIME Rule Edit window appears. This window allows you to add or
modify a MIME filtering rule.
Important: Rules that are configured with an Allow or Deny action will allow or
deny messages based on the rule criteria that is defined within the rule. Allow and
deny rules do not perform virus and spyware scanning. To perform virus and
spyware scanning for messages that match a rule before it is allowed, you must
specify Virus/Spyware Scan in the rule’s Action field.
By default, a single allow rule is contained in the filter rule table. If you choose
to leave the default allow rule as the last rule in your table (that is, all mail that
isn’t explicitly denied will be allowed), you will need to configure the appropriate
virus /spyware scan and/or deny rules and place them in front of the default
allow rule.
If you configure the default rule action to deny (that is, all mail that is not
explicitly allowed will be denied) you will need to configure the appropriate
virus/spyware scan and/or allow rules and place them in front of the default
deny rule. In this scenario, if you want to allow multi-part mixed MIME elements
within a mail message (which is fairly common) you will need to create an allow
rule with Multipart selected in the Type field and Mixed selected in the Subtype
field. If you do not create this type of allow rule when using a default deny rule,
any mail message that contains multiple MIME types will be denied.
To configure MIME/Virus/Spyware Filter rules, follow the steps below.
Note: Rules that specify both a MIME type/subtype and file extensions will allow or
deny any traffic that matches either the MIME Type or a File Extension type. That
is, the traffic does not need to match both criteria to match the rule.
1 In the MIME Type drop-down list, select the MIME type for which you want
to filter. If you select the asterisk (*) option, the filter rule will ignore this field
when determining a match.
2 In the MIME Subtype drop-down list, select a subtype for the MIME type
that you selected in the previous step (the available options will vary
depending on the MIME type you selected in the previous step). If you
select the asterisk (*) option, the filter rule will ignore this field when
determining a match.
3 In the File Extensions area, specify the type of file extensions that you want
to filter:
• Ignore Extensions (*)—Select this option to ignore extensions when
determining a match.
• Archive Extensions—Select this option to match basic archive
extensions (such as .tar, .zip, etc.).
179

Chapter 6: Configuring Application Defenses
Creating Mail (Sendmail) Application Defenses
180
• Standard Extensions—Select this option to match standard file
extensions associated with the selected MIME type/subtype. For
example, if you select text in the MIME Type field, and HTML in the
MIME Subtype field, the .htm and .html file extensions will appear in the
standard list.
• Custom—Select this option to create a custom list of file extensions for
the selected MIME type/subtype. To add a file extension to the list, click
New and see “Configuring the Add New File Extension window” on page
167. To delete a file extension, select the extension you want to delete
and click Delete. You can use the Reset button to clear all extensions
from the list, or to select a different file extension list (Archive or
Standard).
4 In the Action area, select one of the following options:
• Allow—Select this option if you want to explicitly allow the file
extensions that you specified in the previous steps. (Virus scanning will
not be performed.)
• Deny—Select this option if you want to explicitly deny the file extensions
that you specified in the previous steps. (Virus scanning will not be
performed.) A message is added, informing the user that a file was
removed.
• Virus/Spyware Scan—Select this option if you want to perform virus and
spyware scanning on the file extensions that you specified in the
previous steps. If no viruses or spyware are detected, the file will be
allowed through the system.
5 Click OK to save the rule.
Configuring the Add New File Extension window
This window allows you to customize the file extensions on which to filter. In
the File Extension field, type the extension (without the leading period) that
you want to add, and then click Add. The file extension is added to the Custom
file extension list.
When you select the Custom file extension option, all file extensions listed in
the box will be allowed, denied, or filtered depending on the action you select.
Configuring the Default filter rule action
The default filter rule is a catch-all rule designed to occupy the last position in
your rule table. To modify the default action for the default MIME filtering rule,
do the followings:
1 Select the default rule in the table and click Modify. The MIME Default
Action window appears.

Creating Mail
(SMTP proxy)
Defenses
Figure 82: Mail (SMTP
proxy): Enforcements tab
Chapter 6: Configuring Application Defenses
Creating Mail (SMTP proxy) Defenses
2 Select the appropriate action for this rule and then click OK.
• Allow—The default rule is initially configured to allow all messages that
do not match other filter rules. If you leave the default rule as an allow
rule, you must create filter rules that require virus scanning or explicitly
deny any MIME types that you do not want to allow, and place them in
front of the default allow rule.
• Deny—If you prefer the default rule to deny all data that did not match a
filter rule, you must create the appropriate virus/spyware scan and allow
rules, and place them in front of the default deny rule.
• Virus/Spyware Scan—If you want to perform virus and spyware
scanning for messages that do not match other allow or deny filter rules,
select this option. You will then need to create the appropriate allow and
deny rules that will not require scanning.
The default behavior is changed.
The Mail (SMTP proxy) Application Defense allows you to filter mail using the
SMTP proxy based on destination address and determine if source routing is
supported. It also allows you to limit the length of replies received from mail
servers. To configure Mail (SMTP proxy) Application Defenses, in the Admin
Console select Policy Configuration > Application Defenses > Defenses >
Mail (SMTP proxy). The following window appears.
Configuring the Mail (SMTP proxy) Enforcements tab
The Mail (SMTP proxy) Enforcements tab allows you to enable destination–
based mail filtering and to limit the length of replies received from mail servers.
Follow the steps below.
1 Select Enforce SMTP Command Filtering to configure the Command tab,
which sets the list of the allowed mail commands.
2 If you enabled SMTP command filtering in step 1, select Enforce
Destination Address Filtering to configure the Destination Address tab,
which sets the filtering parameters.
181

Chapter 6: Configuring Application Defenses
Creating Mail (SMTP proxy) Defenses
182
Figure 83: Mail (SMTP
proxy): Commands tab
Configuring the Mail
(SMTP proxy)
Commands tab
3 To filter replies from mail servers, select one of these two options:
• Allow any size of server replies— Select this option if you do not want a
limit enforced.
• Enforce limit on server reply length—Select this option to put a limit on
the length of messages received from mail servers. A message is
rejected if it is greater than the specified character limit. The default is
256 characters. Valid values are 3–1024.
Configuring the Mail (SMTP proxy) Commands tab
The Commands tab allows you to specify which set of mail commands to allow
through Sidewinder G2. To configure these options for a Mail (SMTP proxy)
defense, select the Commands tab. The following window appears
The Commands tab allows you to specify which set of commands are allowed
with a mail message. Select from the following options:
Note: If you allow starttls, xexch50, xexps, or xlink2state and a session includes
one of those commands, Sidewinder G2 will disallow any further SMTP command
filtering for the rest of that session.
• Basic—Select this option to allow the commands typically expected when
sending mail to a generic mail server.
• Exchange—Select this option to allow the commands typically expected
when sending mail to a Microsoft Exchange Server.
• Sendmail—Select this option to allow the commands typically expected
when sending mail to a sendmail server.
• Custom—Select this option to create a customized set of allowed
commands. If you selected Basic, Exchange, or Sendmail and alter the
commands set, the Admin Console will automatically change your selection
to Custom.

Figure 84: Mail (SMTP
proxy): Destination
Address tab
Configuring the Mail
(SMTP proxy)
Destination Address
tab
Chapter 6: Configuring Application Defenses
Creating Mail (SMTP proxy) Defenses
Configuring the Mail (SMTP proxy) Destination Address
tab
The Destination Address tab allows you to filter mail based on destination
address and allow or deny source routing. To configure destination address
options for a Mail (SMTP proxy) defense, select the Destination Address tab.
The following window appears.
The Destination Address tab allows you to configure the following options:
• Allow Source Routing—Select this option to forward mail that includes
source routing information in the RCPT TO: command.
Note: Most mail does not contain source routing information.
• Allow mail to any destination—Select this option to allow mail to any
destination.
However, if Allow Source Routing is not enabled, any RCPT TO: command
that contains source routing will be rejected. RCPT TO: commands without
source routing will be forwarded.
• Only allow mail to defined destinations—Select this option to specify the
domains, IP address, and IP ranges to which the Sidewinder G2 will
forward mail. Sidewinder G2 allows mail based on the contents of its RCPT
TO: field; if the domain name portion of the rctp to: field matches a
character string in the domain address list, the mail is allowed to pass.
To create or change a definition, click New or Modify and the following window
appears.
183

Chapter 6: Configuring Application Defenses
Creating Mail (SMTP proxy) Defenses
184
Figure 85: Destination
Address: Allowed SMTP
Destination window
Configuring the
Allowed SMTP
Destination window
Use this window to allow a new mail destination or modify an existing mail
destination. Match the entry to the destination’s expected format in the rctp to:
field. Identify an allowed SMTP destination by doing one of the following:
• Specify a Fully Qualified Domain Name—Select this option to specify a fully
qualified domain name (FQDN). In the Domain field, enter a FQDN, such as
example.com. Check Include Subdomains to include the specified FQDN’s
subdomains.
Tip: This is the most reliable option, as most destinations In the RCPT TO: field
are formatted as the domain name.
• Specify an IP Address—Select this option to specify a single IP address. In
the IP Address field, enter the destination as a valid IP address.
• Specify an IP Range—Select this option to specify an address range. In the
Beginning of IP Address Range and End of IP Address Range fields,
specify the range of addresses that are allowed.
Configuring the Mail (SMTP proxy) Connections tab
The Mail (SMTP proxy) Connections tab allows you to configure timeout
properties and specify whether fast path sessions will be disabled.
Configuring connection properties is common to most Application Defenses.
For information on configuring the Connections tab, see “Configuring
connection properties” on page 203.
Note: Click the Save icon to save your changes when you are finished configuring
an Application Defense.

Creating Citrix
Application
Defenses
Figure 86: Application
Defenses: Citrix window
Figure 87: Citrix Filters
tab
Chapter 6: Configuring Application Defenses
Creating Citrix Application Defenses
To configure Citrix Application Defenses, in the Admin Console select Policy
Configuration > Application Defenses > Defenses > Citrix. The following
window appears. (Figure 86 displays only the bottom portion of the windows.)
Configuring the Citrix Enforcements tab
The Enforcements tab allows you to enable or disable Citrix filtering. You will
not be able to configure filtering on the Citrix Filter tab unless the Citrix Filters
check box is selected. When this check box is selected, the values you
configure in the Citrix Filters tab will be enforced. To disable Citrix filtering,
deselect the Citrix Filters check box.
Configuring the Citrix Filters tab
To configure the Citrix Filters tab, select the tab. The following window
appears.
185

Chapter 6: Configuring Application Defenses
Creating FTP Application Defenses
About the Citrix
Filters tab
Creating FTP
Application
Defenses
186
Figure 88: Application
Defenses: FTP window
The Citrix Filters tab allows you to configure filtering properties for Citrix. To
configure filters in Citrix, select the items that you want to deny. Each entry in
the list represents a type of application or communication channel supported
by Citrix. A check box will appear in front of types that will be denied. Deselect
the check boxes for the items you want to allow in Citrix.
To deny all of the types listed, click Select All. To allow everything (no filter
restrictions), click Deselect All.
Configuring the Citrix Connections tab
The Citrix Connections tab allows you to configure timeout properties and
specify whether fast path sessions will be disabled.
Configuring connection properties is common to most Application Defenses.
For information on configuring the Connections tab, see “Configuring
connection properties” on page 203.
Note: Click the Save icon to save your changes when you are finished configuring
an Application Defense.
To configure FTP Application Defenses, in the Admin Console select Policy
Configuration > Application Defenses > Defenses > FTP. The following
window appears. (Figure 88 displays only the bottom portion of the window.)

Configuring the FTP Enforcements tab
Chapter 6: Configuring Application Defenses
Creating FTP Application Defenses
To enable or disable FTP feature enforcement tabs, you must first select the
appropriate check box in the Enforcements tab. (The Connection tab does not
need to be enabled before you can configure it.) When you select the check
box for a feature, that tab becomes enabled.
The following tabs can be enabled:
• Enforce Command Filtering—The FTP Command Filter tab allows you to
specify the categories of FTP commands that you want to allow your users
to issue.
• Enforce Virus/Spyware Scanning—The Virus/Spyware tab allows you to
set the filtering parameters, such as infected file handling, which
commands to scan, and which extensions to allow or deny.
Configuring the FTP Command Filter tab
This tab allows you to specify the categories of FTP commands that you want
to allow your users to issue. The categories available FTP commands, as well
as a description of each, is included in the Allowed FTP Command Categories
area. For example, selecting “GET” allows the FTP commands necessary to
download files from a server.
Select one of the following options:
• None—Select this option if you do not want to allow any FTP commands.
(None of the check boxes will be selected.)
• All—Select this option if you want to allow all of the categories of FTP
commands that are displayed. (All of the check boxes will be selected.)
• Custom—Select this option if you want to allow only certain FTP
commands. To select the categories of FTP commands that will be allowed,
click the appropriate check box. A check mark appears in front of
commands that are allowed.
Note: If you select None or All and then make modifications to the commands, the
Custom option will automatically become selected.
187

Chapter 6: Configuring Application Defenses
Creating FTP Application Defenses
188
Configuring the FTP Virus/Spyware tab
The FTP Virus/Spyware tab allows you to configure virus and spyware
scanning services. The tab contains a rule table that displays any virus and
spyware filtering rules that have been created. The tab also contains various
virus and spyware scanning and handling configuration options.
To configure the FTP virus and spyware scanning properties, follow the steps
below.
Important: You must license and configure scanning services before the Virus/
Spyware filter rules you create will scan FTP traffic. See “Configuring virus
scanning services” on page 69.
1 Configure the appropriate virus and spyware filter rules in the Virus/
Spyware Filter Rules table, as follows:
• Create a new filter rule—To create a new filter rule, click New and see
“Configuring Virus/Spyware filtering rules” on page 189.
• Modify an existing filter rule—To modify an existing filter rule, select the
rule you want to modify, and click Modify. See “Configuring Virus/
Spyware filtering rules” on page 189. (If you are modifying the default
filtering rule, see “Configuring the Default filtering rule action” on page
190.)
• Delete a filter rule—To delete an existing filter rule, select the rule you
want to delete and click Delete. You will be prompted to confirm your
decision.
2 Determine how infected files will be handled in the Infected File Handling
area as follows:
• To discard infected files, select Discard Infected Files.
• To remove the virus or spyware from the file and then continue
processing the file, select Repair Infected Files. If the virus or spyware
cannot be removed, the file will be discarded.
3 To reject all files in the event that scanning is not available, select the
Reject All Files If Scanning Is Unavailable check box. If you select this
option, the FTP proxy will not pass any files through the Sidewinder G2 until
scanning is available again.
4 Determine which commands to scan by selecting one of the following
options:
• Uploads (PUT) — Scan all files going to the FTP server.
• Downloads (GET) — Scan all files coming from the FTP server.
• Uploads and Downloads (PUT, GET) — Scan all files going to (put) and
coming from (get) the FTP server.

Configuring Virus/Spyware filtering rules
Chapter 6: Configuring Application Defenses
Creating FTP Application Defenses
When you click New or Modify beneath the Virus/Spyware Filter Rules area,
the Virus/Spyware: Extensions Edit window appears. This window allows you
to add or modify virus/spyware filtering rules.
Important: Rules that are configured with an allow or deny action will allow or deny
traffic based on the rule criteria that is defined for those rules. Allow and deny rules
do not perform virus and spyware scanning. To perform virus and spyware
scanning for traffic that matches a rule before it is allowed, you must specify Virus/
Spyware Scan in the rule’s Action field.
By default, a single allow rule is contained in the filter rule table. If you choose
to leave the default allow rule as the last rule in your table (that is, all traffic that
isn’t explicitly denied will be allowed), you will need to configure the appropriate
virus/spyware scan and/or deny rules and place them in front of the default
allow rule. If you configure the default rule action to deny (that is, all traffic that
is not explicitly allowed will be denied) you will need to configure the
appropriate virus/spyware scan and/or allow rules and place them in front of
the default deny rule.
To create Virus/Spyware filter rules, follow the steps below.
1 In the Action area, select one of the following options:
• Allow—Select this option if you want to explicitly allow the file
extensions that you will specify in the next step. (Virus and spyware
scanning will not be performed.)
• Deny—Select this option if you want to explicitly deny the file extensions
that you will specify in the next step. (Virus and spyware scanning will
not be performed.)
• Virus/Spyware Scan—Select this option if you want to perform virus and
spyware scanning on the file extensions that you will specify in the next
step. If no viruses or spyware are detected, the file will be allowed
through the system.
2 In the File Extensions area, specify the type of file extensions that you want
to filter:
• Perform action on all file extensions—Select this option to perform the
action specified in step 1 on all file extension.
• Choose from predefined categories—Select this option to perform the
action specified in step 1 on file extensions associated with a particular
category, such as image, audio, video, etc.
To choose the file extension, select the appropriate category from the
Category drop-down list. Check the desired extensions.
• Custom List—Select this option to create a custom list of file
extensions. To add a file extension to the list, click New and see
“Configuring the Add New File Extension window” on page 190. To
delete a file extension, select the extension you want to delete and click
Delete. You can use the Clear button to clear all extensions from the list.
189

Chapter 6: Configuring Application Defenses
Creating FTP Application Defenses
190
3 Click OK to save the rule.
Configuring the Add New File Extension window
This window allows you to specify additional file extensions on which to filter. In
the File Extension field, type the extension (without the leading period) that
you want to add, and then click Add. The file extension is added to the Custom
file extension list.
If you select the Custom file extension option, all file extensions listed in the
box will be allowed, denied, or filtered, depending on the action you select.
Configuring the Default filtering rule action
The default filter rule is a catch-all rule designed to occupy the last position in
your rule table. To modify the default action for the default virus/spyware
filtering rule, do the followings:
1 Select the default rule in the table and click Modify. The Default Action
window appears.
2 Select the appropriate action for this rule and then click OK.
• Allow—The default rule is initially configured to allow all data that does
not match other filter rules. If you leave the default rule as an allow rule,
you must create filter rules that require virus scanning or explicitly deny
any extensions that you do not want to allow, and place them in front of
the default allow rule.
• Deny—If you prefer the default rule to deny all data that did not match a
filter rule, you must create the appropriate virus scan and allow rules
and place them in front of the default deny rule.
• Virus/Spyware Scan—If you want to perform virus and spyware
scanning for traffic that does not match any allow or deny filter rules you
create, select this option. You will then need to create the appropriate
allow and deny rules that will not require scanning.
Configuring the FTP Connection tab
The FTP Connection tab allows you to configure timeout and fast path session
properties, as well as the type of connection that will be allowed (transparent,
non-transparent, or both).
Configuring connection properties is common to most Application Defenses.
For information on configuring the Connections tab, see “Configuring
connection properties” on page 203.
Click the Save icon to save your changes when you are finished configuring an
Application Defense.

Creating IIOP
Application
Defenses
Figure 89: Application
Defenses: IIOP Filter tab
About the IIOP Filter
tab
Configuring the IIOP
Connection tab
Chapter 6: Configuring Application Defenses
Creating IIOP Application Defenses
To configure IIOP Application Defenses, in the Admin Console select Policy
Configuration > Application Defenses > Defenses > IIOP. The following
window appears. (Figure 89 displays only the bottom portion of the windows.)
The IIOP Filter tab allows you to configure the following options:
• Allow Bi-directional GIOP—Select this option to enable support for bidirectional
1.2 GIOP (General Inter-ORB Protocol).
• Validate Content Format—Select this option to filter the message
encapsulated in the GIOP PDU, and verify that the header content,
message direction, and message length are valid for the GIOP message
type identified in the GIOP header.
Note: The data in the GIOP header portion of the PDU is always validated.
The IIOP Connection tab allows you to configure timeout and fast path session
properties, as well as the maximum allowed message size.
Configuring connection properties is common to most Application Defenses.
For information on configuring the Connections tab, see “Configuring
connection properties” on page 203.
Note: Click the Save icon to save your changes when you are finished configuring
an Application Defense.
191

Chapter 6: Configuring Application Defenses
Creating Multimedia Application Defenses
Creating
Multimedia
Application
Defenses
192
Figure 90: Application
Defenses: Multimedia
To configure Multimedia Application Defenses, in the Admin Console select
Policy Configuration > Application Defenses > Defenses > Multimedia. The
following window appears. (Figure 90 displays only the bottom portion of the
windows.)
Configuring the Multimedia General tab
This tab allows you to enable the multimedia applications you want to
configure. You cannot configure the H.323 Filter or T.120 Filter tabs unless you
have selected the appropriate check box on the Multimedia-General tab. The
following options are available:
• Enforce Permission Checking for H.323—Select this option to enable the
H.323 filter. To configure H.323 properties, see “Configuring the H.323 Filter
tab” on page 193.
• Enforce Permission Checking for T120—Select this option to enable the
T.120 filter. To configure T.120 properties, see “Configuring the T120 Filter
tab” on page 194.
Note: For more information on H.323 or T.120, see “T.120 and H.323 proxy
considerations” on page 262.

Configuring the H.323 Filter tab
Chapter 6: Configuring Application Defenses
Creating Multimedia Application Defenses
This tab allows you to select H.323 codecs you will allow your users to access.
You can select from the following options:
• Required—Select this option to allow only the codecs required by H.323 for
compliance.
• Required + Low Bandwidth Audio—Select this option to allow the required
H.323 codecs as well as low bandwidth options.
• Required + All Audio—Select this option to allow all H.323 codecs except
the codecs that allow video.
• Required + All Audio + Video—Select this option to allow all available
H.323 codecs.
• Custom—Select this option to specify which codecs you want to allow. To
allow a codec, select the appropriate check box. A check mark appears in
the corresponding check box when a codec is allowed.
• Select All—Click this button to select all of the H.323 codecs (all codecs will
be selected).
• Deselect All—Click this button to deselect all of the H.323 codecs (all
codecs will be deselected).
Note: If you select an option other than Custom and then make modifications to
the selected codecs, the Custom option will automatically become selected.
The following list provide an example of codecs commonly used by Microsoft’s
NetMeeting:
• G.711—The G.711 codec options can transmit audio at 48, 56, and 64 kB
per second (kBps). Select this codec for audio that is being passed using
high speed connections.
• G.723—The G.723 codec options determine which format and algorithm will
be used for sending and receiving voice communications over a network.
This codec transmits audio at 5.3 and 6.3 kBps, which will reduce
bandwidth usage.
• H.261—The H.261 codec will transmit video images at 64 kBps (VHS
quality). Select this codec for video that is being passed using high speed
connections.
• H.263—The H.263 codec determines which format and algorithm will be
used to send and receive video images over a network. This codec
supports common interchange format (CIF), quarter common interchange
format (QCIF), and sub-quarter common interchange format (SQCIF)
picture formats. It is also a good match for Internet transmission over lowbit-rate
connections (for example, a 28.8 kBps modem).
193

Chapter 6: Configuring Application Defenses
Creating Oracle Application Defenses
Creating Oracle
Application
Defenses
194
Figure 91: Application
Defenses: Oracle
Enforcements window
Configuring the T120 Filter tab
This tab allows you to specify which T.120 services you will allow your users to
access. One of the more common T.120 applications is Microsoft’s Netmeeting.
You can select from the following options:
• Whiteboard (T.126)
• File transfer (T.127)
• Base application sharing (T.128)
• Legacy application sharing (T.128)
• Chat (Microsoft specific)
Configuring the Multimedia Connection tab
The Multimedia Connections tab allows you to configure timeout properties for
the T.120 and H.323 proxies. To configure the properties for one of the proxies,
either double-click the entry in the table, or highlight the entry and click Modify.
The Connection window appears.
For information on configuring the Connections window, see “Configuring
connection properties” on page 203.
Note: Click the Save icon to save your changes when you are finished configuring
an Application Defense.
To configure Oracle Application Defenses, in the Admin Console select Policy
Configuration > Application Defenses > Defenses > Oracle. The following
window appears. (Figure 91 displays only the bottom portion of the windows.)

About the Service
Name (SID): New
Service Name
window
Configuring the Oracle Enforcements tab
Chapter 6: Configuring Application Defenses
Creating Oracle Application Defenses
The Enforcements tab allows you to enable or disable Oracle service name
checking. Service name checking allows you to restrict access to the SQL
server by specifying which service names will be explicitly allowed. If service
name checking is enabled, only sessions that match a service name specified
in the Service Name (SID) tab will be allowed.
You cannot configure service name checking on the Service Name (SID) tab
unless the Enforce Service Name Checking check box is selected. When this
check box is selected, the values you configure in the Service Name (SID) tab
will be enforced. To disable service name checking, deselect the Enforce
Service Name Checking check box.
Configuring the Service Name (SID) tab
The Service Name (SID) tab allows you to configure which service names will
be allowed access to the SQL server. If you do not specify any service names,
service names will not be used in determining whether a session is allowed or
denied.
To configure a service name, click New. See “About the Service Name (SID):
New Service Name window” on page 195.
To modify a service name, highlight the service name you want to modify, and
click Modify. See “About the Service Name (SID): New Service Name window”
on page 195.
To delete a service name, highlight the service name you want to modify, and
click Delete.
The New Service Name window allows you to create or modify a service name.
In the Service Name (SID) field, enter the service name you want to add or
modify and then click OK.
Important: The service name you enter in this field must be an exact match
(including capitalization) of the full service name that is in the Oracle tnsnames.ora
file in order for those sessions to be allowed. The use of wildcards or substrings is
not supported at this time.
195

Chapter 6: Configuring Application Defenses
Creating MS SQL Application Defenses
Creating MS SQL
Application
Defenses
196
Figure 92: MS SQL Filter
tab
About the MS SQL
Filter tab
Configuring the MS
SQL Connection tab
Configuring the Oracle Connection tab
The Oracle Connections tab allows you to configure timeout, fast path session,
and connection timeout properties.
Configuring connection properties is common to most Application Defenses.
For information on configuring the Connections tab, see “Configuring
connection properties” on page 203.
Note: Click the Save icon to save your changes when you are finished configuring
an Application Defense.
To configure MS SQL Application Defenses, in the Admin Console select
Policy Configuration > Application Defenses > Defenses > MS SQL. The
following window appears. (Figure 93 displays only the bottom portion of the
window.)
This tab is reserved for future use.
The MS SQL Connections tab allows you to configure timeout, fast path
session, and connection timeout properties.
Configuring connection properties is common to most Application Defenses.
For information on configuring the Connections tab, see “Configuring
connection properties” on page 203.
Note: Click the Save icon to save your changes when you are finished configuring
an Application Defense.

Creating SOCKS
Application
Defenses
Figure 93: Application
Defenses: SOCKS5
Chapter 6: Configuring Application Defenses
Creating SOCKS Application Defenses
To configure SOCKS Application Defenses, in the Admin Console select Policy
Configuration > Application Defenses > Defenses > SOCKS. The following
window appears. (Figure 93 displays only the bottom portion of the windows.)
Configuring the SOCKS 5 Filter tab
The SOCKS 5 Filter tab allows you to configure the type of SOCKS traffic that
will be allowed when using the SOCKS5 proxy. The following options are
available:
• Allow TCP SOCKS traffic—Select this option to allow TCP traffic.
• Allow UDP SOCKS traffic—Select this option to allow UDP traffic.
• Allow Both—Select this option to allow both TCP and UDP traffic.
• Enforce SOCKS 4 Filtering—Select this option if you want to support
SOCKS at version 4. (If this check box is not selected, you will not be able
to pass traffic using SOCKS 4.)
Configuring the SOCKS Connections tab
The SOCKS Connections tab allows you to configure timeout properties, fast
path session properties, and which ports will be open for the SOCKS proxy.
Configuring connection properties is common to most Application Defenses.
For information on configuring the Connections tab, see “Configuring
connection properties” on page 203.
Note: Click the Save icon to save your changes when you are finished configuring
an Application Defense.
197

Chapter 6: Configuring Application Defenses
Creating SNMP Application Defenses
Creating SNMP
Application
Defenses
198
Figure 94: SNMP Filter
tab
To configure SNMP Application Defenses, in the Admin Console select Policy
Configuration > Application Defenses > Defenses > SNMP. The following
window appears. (Figure 94 displays only the bottom portion of the windows.)
Configuring the SNMP Filter tab
This tab allows you to specify the SNMP version you want to configure. The
options that you are allowed to configure within the subsequent SNMP tabs will
vary depending on which option you select. The following options are
available:
• Allow SNMP v1 filtering—Select this option to allow SNMP v1 traffic and
configure object ID (OID) filtering. For information on configuring OID
filtering for SNMP v1 traffic, see “Configuring the SNMP v1 tab” on page
199.
• Allow SNMP v2c traffic—Select this option to allow SNMP v2c traffic. OID
filtering is not available for SNMP v2c traffic. For information on configuring
OID filtering for SNMP v2 traffic, see step 2 on page 199.
• Allow SNMP v1 and v2c traffic—Select this option to allow SNMP v1 and
v2c traffic. OID filtering is not available when both SNMP v1 and v2c are
allowed. For information on configuring connection timeout properties, see
“Configuring connection properties” on page 203.

Figure 95: SNMP v1:
OID Editing window
Configuring the SNMP v1 tab
Chapter 6: Configuring Application Defenses
Creating SNMP Application Defenses
This tab allows you to configure Object ID (OID) filtering for SNMP v1 traffic.
Follow the steps below.
Note: Filtering is not available for SNMP v2c. If you selected Allow SNMP v2c
Traffic or Allow SNMP v1 and v2c Traffic on the SNMP Filter tab, you cannot
configure any options on this tab.
1 In the Options area, determine the types of requests and events that the
SNMP proxy will filter, as follows:
• Allow Read Requests—Select this option to allow the Get and
Get Next requests. (If you select SNMP v2c, this is automatically
allowed.)
• Allow Write Requests—Select this option to allow the Set request. (If
you select SNMP v2c, this is automatically allowed.)
• Allow Notify Events—Select this option to allow v1 traps. (If you select
SNMP v2c, this is automatically allowed.)
Note: Additional SNMP requests are not supported in SNMP v1.
2 Select the Enable OIDs Filtering check box to configure object IDs (OIDs)
for the SNMP proxy. OIDs are a unique, numeric representation of a device
within the SNMP network.
3 In the Actions field, determine whether the list of OIDs that you define will
be allowed or denied, as follows:
• Allow—Select this option to allow only the OIDs that you specify in the
table. All other OIDs will be denied.
• Deny—Select this option to deny only the OIDs that you specify in the
table. All other OIDs will be allowed.
To add an OID to the table, click New. To modify an existing OID, select that
ID and click Modify. The OID Editing window appears. (For information on
configuring a new OID, see “Configuring the SNMP v1: OID Editing window”
on page 200.)
4 [Conditional] To delete an existing OID, select that ID and click Delete. You
will be prompted to confirm your action.
199

Chapter 6: Configuring Application Defenses
Creating SNMP Application Defenses
200
Figure 96: Example of
OID numbering scheme
Configuring the SNMP v1: OID Editing window
This window allows you to add a new object ID (OID). You can select from the
list of standard OIDs, or you can create your own OID using the custom option.
Follow the steps below.
1 In the OID Options area, determine whether the OID will be Standard (predefined)
or Custom (you determine and enter the OID manually) by
selecting the appropriate radio button.
2 [Conditional] If you selected Standard in step 1, select the appropriate OID
from the Standardized OIDs drop-down list.
3 [Conditional] If you selected Custom in step 1, type the OID number in the
Customized OID field using the standard OID structure. The numbering
scheme for each object is determined by the object’s management
information base (MIB) location, as shown in Figure 96 below.
For example, the object ID for the SCC node in the private enterprise portion
of the network would be .1.3.6.1.4.1.1573.
Note: The object ID will always begin with the following pattern .1.3.6.1. For
assistance on obtaining object IDs, visit the Internet assigned numbers authority
Web site at www.iana.org/assignments/enterprise-numbers or contact the
appropriate vendor.
system
.1
interfaces
.2
.2 mgmt
private .4
.1 mib2
enterprises .1
ip
.4
tcp
.6
4 Click Add or OK to add the OID to the table. Repeat these steps for each
OID you want to add or modify.
5 Click Close to return to the SNMP v1 tab.
iso
org
dod
internet
..........
.1
.3
.6
.1
UNIX
.4
sc
.1573
..........

Creating
Standard
Application
Defenses
Figure 97: Standard
Application Defense:
Connections tab
Configuring the SNMP Connection tab
Chapter 6: Configuring Application Defenses
Creating Standard Application Defenses
The SNMP Connections tab allows you to configure timeout properties and the
maximum protocol data unit (PDU) size.
Configuring connection properties is common to most Application Defenses.
For information on configuring the Connections tab, see “Configuring
connection properties” on page 203.
Note: Click the Save icon to save your changes when you are finished configuring
an Application Defense.
The Standard window allows you to configure timeout and fast-path properties
for proxies that are not listed elsewhere in the Application Defenses tree. You
can also configure transparency properties for the Telnet proxy. To configure
Standard Application Defenses, in the Admin Console select Policy
Configuration > Application Defenses > Defenses > Standard. The following
window appears. (Figure 97 displays only the bottom portion of the windows.)
Configuring the Standard Connections tab
To configure connection properties for a standard Application Defense, select
the Application Defense type that you want to configure from the table, and
click Modify. The Connection window appears. See “Configuring connection
properties” on page 203 for information on configuring connection properties.
Note: Click the Save icon to save your changes when you are finished configuring
an Application Defense.
201

Chapter 6: Configuring Application Defenses
Configuring Application Defense groups
Configuring
Application
Defense groups
202
Figure 98: Application
Defense Group window
Application Defense groups allow you to select a single Application Defense
from each category within a single group. When you specify an Application
Defense group within a rule, only the Application Defense(s) that apply to that
rule’s services will be implemented in the rule. Application Defense groups can
only be used when configuring rules that use service groups.
Note: For more information on how Application Defense groups are used in a rule,
see Chapter 4.
To create an Application Defense group, in the Admin Console select Policy
Configuration > Application Defenses > Groups. The following window
appears.
Configuring the Application Defense groups window
The Application Defense Group window allows you to select a defense for
each category (for example, Web, Secure Web, standard, etc.) to include in a
group. A list of which defenses are included in a group are displayed in the
table, with the following information:
• Type—This column lists each of the Application Defense types contained.
• Name—This column lists the Application Defense that is currently selected
for each category.
• Set—This column indicates which Application Defense is currently selected
for configuration.
To select an Application Defense for a particular category, select the
appropriate row in the table. A list of available Application Defenses for that
category appear. Select an Application Defense from the list. The table will be
updated to display the new selection as the current Application Defense for
that category. (To add or modify an Application Defense for a category,
highlight the appropriate row and click New or Modify.)

Configuring
connection
properties
Configuring
connection
properties
Figure 99: Web
Connection tab
Chapter 6: Configuring Application Defenses
Configuring connection properties
You can configure connection properties for most Application Defenses. For
defenses that support multiple proxies (Multimedia and Standard), the
Connections tab will display a table. To configure the connection properties for
Multimedia or Standard, select the proxy for which you want to configure
connection properties, and click Modify. A Connection window appears. For
defenses that have configurable connection properties (Web, Secure Web,
Citrix, FTP, Oracle, SOCKS5, and SNMP) the configurable connection
properties are displayed directly in the Connection tab. Figure 99 shows the
Connection tab for a Web defense.
To configure the connection properties for an Application Defense, follow the
steps below. The fields that appear will vary depending on the type of
Application Defense you are configuring.
1 In the Set Timeouts (in seconds) area, do the following:
a In the TCP Connect Timeout field, specify the length of time, in seconds,
that the proxy should attempt to connect to the server before the proxy
stops trying.
b In the TCP Idle Timeout field, specify the length of time, in seconds, that
the connection can remain idle before it is closed.
c [SNMP proxy only] In the Request Timeout field, specify the length of
time, in seconds, that the proxy will wait for a response from an SNMP
agent before the connection times out. (The Get, Get Next, and Set
commands request a response.)
d In the UDP Idle Timeout field, specify the length of time, in seconds, that
the UDP “session” can remain idle before it is closed. This field is valid
for Citrix, SOCKS, and various Standard proxies.
e To return the values to their default value, click Restore Defaults.
203

Chapter 6: Configuring Application Defenses
Configuring connection properties
204
2 [Conditional] If you want to disallow fast path sessions, select the Disable
Fast Path Sessions check box. (In most cases, fast path sessions enhance
system performance.) Fast path sessions are allowed by default for proxies
that support this option. See “Improving performance using Fast Path
Sessions” on page 245 for more information.
Note: This option is disabled by default for the IIOP Application Defense.
3 [Web/Secure Web only] To enable a proxy to communicate with a nontransparent
proxy, select the Send Traffic to Upstream Proxy option, and
configure the following options:
Note: If you allow transparent connections when using this option, the URL will
be rewritten to contain an IP address rather than a hostname. If you allow
transparent connections, you must first ensure that the upstream proxy server
will accept an IP address.
a In the IP Address field, specify the IP address for the upstream proxy.
b In the Port field, specify the port that will be used (for HTTP, this will
generally be port 80.)
4 [Conditional] In the Allowed Connection Types area, determine the type of
traffic that will be allowed for this Application Defense (this field appears if
you selected Web, Secure Web, Oracle [SQL]), or Telnet. The following
options are available:
Note: The default connection type for Oracle is Transparent. The default for
Web, Secure Web, and Telnet is Both. If you are using Non-Transparent or
Both, you will need to specify which destination ports will be allowed through
the proxy. See “Configuring connection ports” on page 205.
• Transparent—Select this option to allow transparent connections.
• Non-Transparent—Select this option to allow non-transparent
connections.
• Both—Select this option to allow both transparent and non-transparent
connections.
5 [SNMP only] In the Max PDU field, specify the maximum protocol data unit
(PDU) size that will be allowed. The default is 535.
Valid values are 120–1450. You may want to increase this value depending
on the type of device(s) you are using. However, keep in mind that some
devices cannot handle a larger value.
6 [IIOP only] In the Maximum message size (PDU) field, specify the maximum
protocol data unit (PDU) message size that will be allowed. The default is
72000.
7 [SOCKS/Web/Secure Web only] To configure ports for a defense, click New
and see “Configuring connection ports” on page 205.
8 [Web only] To allow non-transparent, secure Web traffic through the HTTP
proxy, select the Allow non-transparent secure web traffic through the web
(HTTP) proxy check box.

Configuring connection ports
Chapter 6: Configuring Application Defenses
Configuring connection properties
The Edit a Port window allows you to configure a single port or a port range, or
you can select from pre-defined ports for specific proxies by selecting one of
the following radio buttons:
• Specify a Port—Select this option to specify a single port. In the Port field,
type a port number or use the up and down arrows to display the desired
port.
• Specify a Port Range—Select this option to specify a port range. In the
Begin Port and End Port fields, specify the range of ports that this proxy
can use (you can either type the port numbers in the appropriate fields or
use the up and down arrows to display the desired ports).
• Use Pre-defined Ports—Select this option if you want to specify the port(s)
or port range(s) that have been pre-defined for this proxy.
205

Chapter 6: Configuring Application Defenses
Configuring connection properties
206

7 CHAPTER
Configuring Network
Defenses
In this chapter...
Viewing Network Defense information .........................................208
Configuring the TCP Network Defense ........................................210
Configuring the IP Network Defense ............................................212
Configuring the UDP Network Defense........................................213
Configuring the ICMP Network Defense ......................................215
Configuring the ARP Network Defense ........................................217
207

Chapter 7: Configuring Network Defenses
Viewing Network Defense information
Viewing Network
Defense
information
208
Network Defenses allow you to control the audit output for suspicious traffic
detected by Sidewinder G2, automatically preventing that traffic from passing
from one burb to another. Some traffic is stopped because a packet, or
sequence of packets, resembles a known attack. Other traffic is stopped
because a packet does not comply with its protocol’s standards.
Options for what audit to generate include:
• Audit for packets that Sidewinder G2 determines to be part of an identifiable
attack can be audited based on attack description (bad header length, bad
redirect, etc.).
• Audit for packets that are not specifically identified as a potential attack can
be audited at the following levels:
– All packets that do not comply with their protocol’s standards
– Packets that do not comply with their protocol’s standards and have
been identified as a severe or moderate risk to your network
– Packets that do not comply with their protocol’s standards and have
been identified as a severe risk to your network
– Do not generate audit when Sidewinder G2 stops a packet because it
does not comply to its protocol’s standard
Network Defenses represent one element of Sidewinder G2’s audit
capabilities. Information about additional auditing tools can be found in the
following chapters:
• Chapter 18, "Monitoring"
• Chapter 19, "Auditing and Reporting"
• Chapter 20, "IPS Attack and System Event Responses"

Figure 100: Network
Defense window (TCP)
Chapter 7: Configuring Network Defenses
Viewing Network Defense information
To view the Network Defenses windows, in the Admin Console select Policy
Configuration > Network Defenses. The Network Defenses window displays
with the TCP tab displayed, as shown in Figure 100. All tabs are similar in
appearance and function.
The Network Defenses tabs allows you to configure which audit Sidewinder G2
will generate for each of the specified protocols and how frequently to generate
that audit.
For information on configuring a specific Network Defense, see the following:
• TCP (page 210)
• IP (page 212)
• UDP (page 213)
• ICMP (page 215)
• ARP (page 217)
209

Chapter 7: Configuring Network Defenses
Configuring the TCP Network Defense
210
Figure 101: Network
Defenses: Restore default
values window
About the Restore
default values
window
Configuring the
TCP Network
Defense
Figure 102: Network
Defenses: TCP tab
If you want to return the Network Defense settings to their defaults, click
Restore Defaults. The following window appears.
This window allows you to restore the Network Defenses’ attack and protocol
compliance issue settings to their system defaults. When the window appears,
all Network Defenses are selected.
• If you want to restore the defaults for all Network Defenses, click OK.
• If you want to restore the defaults for selected Network Defenses, clear the
check box next to the Network Defenses that need to keep their current
settings. After clearing the appropriate check box(es), click OK.
The selected Network Defenses now display and enforce their default settings.
The TCP Network Defense allows you to customize audit output for TCP
attacks and compliance issues stopped by the Sidewinder G2. To configure the
TCP Network Defense, in the Admin Console select Policy Configuration >
Network Defenses > TCP. The following window appears.

About the Network
Defenses: TCP tab
Chapter 7: Configuring Network Defenses
Configuring the TCP Network Defense
This tab allows you to configure which audit to generate for TCP attack and
compliance issues. Sidewinder G2 automatically stops all listed attacks;
selecting or clearing a check box only affects whether or not this behavior is
audited.
1 In the Audit the selected TCP attacks section, select the attacks for which
you want Sidewinder G2 to generate audit.
2 In the Audit the selected TCP compliance issues area, select which level of
audit to generate. Options are:
• All TCP compliance issues
• Severe and moderate TCP compliance issues
• Severe TCP compliance issues
• No TCP compliance issues
3 In the TCP Audit Frequency area, select how often to generate audit for
TCP issues. Select one of the following:
• Limit auditing (recommended) — Generates an audit record for the first
x occurrences for every y seconds. Other occurrences of the same audit
event in that window will not be recorded. An additional audit event will
be generated to record how many other audit events were suppressed.
For example, the audit is limited to generating an audit event for the first
three (3) occurrences for every 60 seconds. If Sidewinder G2 stopped
100 SYN-ACK probes in 60 seconds, then Sidewinder G2 generates
three records for the first three denials, and then generates another
audit record stating that 97 occurrences were suppressed in that 60
second window.
Limiting audit in this manner reduces system load.
• Always audit — Generates an audit record for every audit event.
Caution: Unlimited auditing runs the risk of overflowing the log partition
and creating problems for the Sidewinder G2.
Options for viewing the audit output generated by these selections include:
• Admin Console > Dashboard
• Admin Console > Audit and Reports
• Sidewinder G2 Security Reporter
• Third-party reporting tools
211

Chapter 7: Configuring Network Defenses
Configuring the IP Network Defense
Configuring the
IP Network
Defense
212
Figure 103: Network
Defenses: IP tab
About the Network
Defenses: IP tab
The IP Network Defense allows you to customize audit output for IP attacks
stopped by the Sidewinder G2. To configure the IP Network Defense, in the
Admin Console select Policy Configuration > Network Defenses > IP. The
following window appears.
This tab allows you to configure which audit to generate for IP attack and
compliance issues. Sidewinder G2 automatically stops all listed attacks;
selecting or clearing a check box only affects whether or not this behavior is
audited.
1 In the Audit the selected IP attacks section, select the attacks for which you
want Sidewinder G2 to generate audit.
2 In the Audit the selected IP compliance issues area, select which level of
audit to generate. Options are:
• All IP compliance issues
• Severe and moderate IP compliance issues
• Severe IP compliance issues
• No IP compliance issues
3 In the IP Audit Frequency area, select how often to generate audit for IP
issues. Select one of the following:
• Limit auditing (recommended) — Generates an audit record for the first
x occurrences for every y seconds. Other occurrences of the same audit
event in that window will not be recorded. An additional audit event will
be generated to record how many other audit events were suppressed.

Configuring the
UDP Network
Defense
Figure 104: Network
Defenses: UDP tab
Chapter 7: Configuring Network Defenses
Configuring the UDP Network Defense
For example, the audit is limited to generating an audit event for the first
three (3) occurrences for every 60 seconds. If Sidewinder G2 stopped
100 source routed packets in 60 seconds, then Sidewinder G2 generates
three records for the first three denials, and then generates another
audit record stating that 97 occurrences were suppressed in that 60
second window.
Limiting audit in this manner reduces system load.
• Always audit — Generates an audit record for every audit event.
Caution: Unlimited auditing runs the risk of overflowing the log partition
and creating problems for the Sidewinder G2.
Options for viewing the audit output generated by these selections include:
• Admin Console > Dashboard
• Admin Console > Audit and Reports
• Sidewinder G2 Security Reporter
• Third-party reporting tools
The UDP Network Defense allows you to customize audit output for UDP
attacks stopped by the Sidewinder G2. To configure the UDP Network
Defense, in the Admin Console select Policy Configuration > Network
Defenses > UDP. The following window appears.
213

Chapter 7: Configuring Network Defenses
Configuring the UDP Network Defense
About the Network
Defenses: UDP tab
214
This tab allows you to configure which audit to generate for UDP attack and
compliance issues. Sidewinder G2 automatically stops all listed attacks;
selecting or clearing a check box only affects whether or not this behavior is
audited.
1 In the Audit the selected UDP attacks section, select the attacks for which
you want Sidewinder G2 to generate audit.
2 In the Audit the selected UDP compliance issues area, select which level
of audit to generate. Options are:
• All UDP compliance issues
• Severe and moderate UDP compliance issues
• Severe UDP compliance issues
• No UDP compliance issues
3 In the UDP Audit Frequency area, select how often to generate audit for
UDP issues. Select one of the following:
• Limit auditing (recommended) — Generates an audit record for the first
x occurrences for every y seconds. Other occurrences of the same audit
event in that window will not be recorded. An additional audit event will
be generated to record how many other audit events were suppressed.
For example, the audit is limited to generating an audit event for the first
three (3) occurrences for every 60 seconds. If Sidewinder G2 stopped
100 zero source port UDP attacks in 60 seconds, then Sidewinder G2
generates three records for the first three denials, and then generates
another audit record stating that 97 occurrences were suppressed in
that 60 second window.
Limiting audit in this manner reduces system load.
• Always audit — Generates an audit record for every audit event.
Caution: Unlimited auditing runs the risk of overflowing the log partition
and creating problems for the Sidewinder G2.
Options for viewing the audit output generated by these selections include:
• Admin Console > Dashboard
• Admin Console > Audit and Reports
• Sidewinder G2 Security Reporter
• Third-party reporting tools

Configuring the
ICMP Network
Defense
Figure 105: Network
Defenses: ICMP tab
About the Network
Defenses: ICMP tab
Chapter 7: Configuring Network Defenses
Configuring the ICMP Network Defense
The ICMP Network Defense allows you to customize audit output for ICMP
attacks stopped by the Sidewinder G2. To configure the ICMP Network
Defense, in the Admin Console select Policy Configuration > Network
Defenses > ICMP. The following window appears.
This tab allows you to configure which audit to generate for ICMP attack and
compliance issues. Sidewinder G2 automatically stops all listed attacks;
selecting or clearing a check box only affects whether or not this behavior is
audited.
1 In the Audit the selected ICMP attacks section, select the attacks for which
you want Sidewinder G2 to generate audit.
2 In the Audit the selected ICMP compliance issues area, select which level
of audit to generate. Options are:
• All ICMP compliance issues
• Severe and moderate ICMP compliance issues
• Severe ICMP compliance issues
• No ICMP compliance issues
3 In the ICMP Audit Frequency area, select how often to generate audit for
ICMP issues. Select one of the following:
• Limit auditing (recommended) — Generates an audit record for the first
x occurrences for every y seconds. Other occurrences of the same audit
event in that window will not be recorded. An additional audit event will
be generated to record how many other audit events were suppressed.
215

Chapter 7: Configuring Network Defenses
Configuring the ICMP Network Defense
216
For example, the audit is limited to generating an audit event for the first
three (3) occurrences for every 60 seconds. If Sidewinder G2 stopped
100 invalid redirect ICMP attacks in 60 seconds, then Sidewinder G2
generates three records for the first three denials, and then generates
another audit record stating that 97 occurrences were suppressed in
that 60 second window.
Limiting audit in this manner reduces system load.
• Always audit — Generates an audit record for every audit event.
Caution: Unlimited auditing runs the risk of overflowing the log partition
and creating problems for the Sidewinder G2.
Options for viewing the audit output generated by these selections include:
• Admin Console > Dashboard
• Admin Console > Audit and Reports
• Sidewinder G2 Security Reporter
• Third-party reporting tools

Configuring the
ARP Network
Defense
Figure 106: Network
Defenses: ARP tab
About the Network
Defenses: ARP tab
Chapter 7: Configuring Network Defenses
Configuring the ARP Network Defense
The ARP Network Defense allows you to customize audit output for ARP
attacks stopped by the Sidewinder G2. To configure the ARP Network
Defense, in the Admin Console select Policy Configuration > Network
Defenses > ARP. The following window appears.
This tab allows you to configure which audit to generate for ARP compliance
issues. Sidewinder G2 automatically stops all listed attacks; selecting or
clearing a check box only affects whether or not this behavior is audited.
1 In the Audit the selected ARP compliance issues area, select which level
of audit to generate. Options are:
• All ARP compliance issues
• Severe and moderate ARP compliance issues
• Severe ARP compliance issues
• No ARP compliance issues
2 In the ARP Audit Frequency area, select how often to generate audit for
ARP issues. Select one of the following:
• Limit auditing (recommended) — Generates an audit record for the first
x occurrences for every y seconds. Other occurrences of the same audit
event in that window will not be recorded. An additional audit event will
be generated to record how many other audit events were suppressed.
217

Chapter 7: Configuring Network Defenses
Configuring the ARP Network Defense
218
For example, the audit is limited to generating an audit event for the first
three (3) occurrences for every 60 seconds. If Sidewinder G2 stopped
100 ARP attacks in 60 seconds, then Sidewinder G2 generates three
records for the first three denials, and then generates another audit
record stating that 97 occurrences were suppressed in that 60 second
window.
Limiting audit in this manner reduces system load.
• Always audit — Generates an audit record for every audit event.
Caution: Unlimited auditing runs the risk of overflowing the log partition
and creating problems for the Sidewinder G2.
Options for viewing the audit output generated by these selections include:
• Admin Console > Dashboard
• Admin Console > Audit and Reports
• Sidewinder G2 Security Reporter
• Third-party reporting tools

8 CHAPTER
Creating Rules and Rule
Groups
In this chapter...
Viewing rules and rule groups ......................................................220
Creating proxy rules .....................................................................222
Creating IP Filter rules..................................................................228
Creating and managing rule groups .............................................236
Selecting your active policy rules .................................................239
219

Chapter 8: Creating Rules and Rule Groups
Viewing rules and rule groups
Viewing rules
and rule groups
220
Figure 107: Rules
window displaying proxy
rules
About the Rules
window
To view the existing proxy and IP Filter rules currently available for use, in the
Admin Console select Policy Configuration > Rules. The main Rules window
appears with the Proxy Rules list displayed by default.
The Sidewinder G2 contains two rule tables:
• Proxy rules—This table contains all of the proxy rules and groups that were
loaded during initial configuration as well as any rules that you have created
(displayed in Figure 107).
• IP Filter rules—This table contains all of the IP Filter rules and groups that
have been created. Each row within a table contains a single rule or group.
The components of each rule are displayed in the labeled columns.
The order of rules in the main rule tables is not important. The rule tables are
holding grounds for rules that you create. They may or may not be included in
the active rule group that enforces your security policy. Rather, it is the order of
rules and nested rule groups within rule groups that is important. For
information on ordering your rule groups, see “Ordering proxy rules within a
rule group” on page 101.
You can perform the following tasks in the Rules window:
• View proxy or IP Filter rules and groups—To view a rule table, click the
appropriate radio button (Proxy Rules or IP Filter Rules) in the View Option
field. You can resize the columns to suit your needs by clicking and
dragging the edge of a column heading. (Use the scroll bars to view all
columns and entries listed in the table.)
Note: If you view the proxy rule table, an Inspection column will appear in front
of the Name column. A status of On indicates that all of the Application Defense
properties will be actively enforced for a rule. A status of Off indicates that only
the connection properties portion of the defense will be enforced for that rule.

About the Duplicate
Rule Name window
Chapter 8: Creating Rules and Rule Groups
Viewing rules and rule groups
• Filter the table to display rules or groups—To filter the table to display only
rules or only groups, select Rules or Groups from the Filter drop-down list.
(To display both rules and groups, select No Filter.)
• Add/modify a rule—To add a new rule, select the appropriate rule view
(Proxy or IP Filter) using the View Option and then click New
> Rule. (To modify a rule, highlight the entry and click Modify.)
– To add/modify a new proxy rule, see “Creating proxy rules” on page 222.
– To add/modify a new IP Filter rule, see “Creating IP Filter rules” on page
228.
• Add/modify a group—To add a new rule group, select the appropriate rule
view (Proxy or IP Filter) using the View Option and then click New > Group.
For information on adding or modifying a rule group, see “Creating and
managing rule groups” on page 236. (To modify a rule group, highlight the
entry and click Modify.)
• Delete a rule or group—To delete a rule or group, highlight the entry you
want to delete and click Delete. You cannot delete rules or rule groups that
are part of a group.
• View the groups to which a rule or group belongs—To determine which
groups a rule or group belongs to, highlight the entry and click the Member
Of button. An information window appears listing the groups to which the
rule or group belongs.
• Duplicate an existing rule or rule group—To duplicate a rule or group,
highlight the rule or group you want to duplicate and click Duplicate. The
Duplicate Rule Name window appears.
In the Duplicate Rule Name window, do the following:
1 In the Name field, type a unique name for the duplicate rule or group. Valid
values include alphanumeric characters, periods (.), dashes(-),
underscores (_), and spaces ( ). However, the first and last character of the
name must be alphanumeric. The name cannot exceed 100 characters.
2 [Conditional] If you are creating a duplicate IP Filter rule of type Other,
select a protocol for the new rule from the Protocol drop-down list. (The
protocol does not need to be the same protocol used by the original rule.)
3 Click Add.
221

Chapter 8: Creating Rules and Rule Groups
Creating proxy rules
Creating proxy
rules
222
Figure 108: Proxy Rule
window: General tab
Entering information
on the Proxy Rule
General tab
This section provides information on creating proxy rules. For an overview of
proxy rules, see Chapter 4.
To create a proxy rule, using the Admin Console select Policy Configuration >
Rules. Then click New > Proxy Rule. (To modify a proxy rule, highlight the rule
you want to modify and click Modify.) The Proxy Rule window appears.
Note: Proxy rules that you create will not be part of the active policy unless you
place them in a rule group that is part of the active policy. For information on adding
a proxy to a rule group and ensuring that it is included in the active policy, see
“Creating and managing rule groups” on page 236 and “Selecting your active policy
rules” on page 239.
The General tab in the Proxy Rule window is used to enter basic information
about a proxy rule. Follow the steps below.
Tip: Remember that rules’ proxies and servers must be enabled before the rules
can pass traffic. Their status can be verified at Policy Configuration > Proxies and
Policy Configuration > Servers.
1 In the Name field, type a name that helps identify the purpose of the rule.
For example, the pre-configured rule that allows synchronization between
systems is called “Synchronization.” Valid values include alphanumeric
characters, periods (.), dashes(-), underscores (_), and spaces ( ).
However, the first and last character of the name must be alphanumeric.
The name cannot exceed 100 characters.
2 In the Service Type drop-down list, select one of the following:
Note: The Service Type field determines the options that are available to you in
the Service field in step 3.

Chapter 8: Creating Rules and Rule Groups
Creating proxy rules
• All—This option includes both proxies and servers. It does NOT include
service groups.
• Proxy—This option includes proxies only.
• Server—This option includes servers only.
• Service Group—This option includes service groups only. For
information on service groups, see “Service groups” on page 108.
3 In the Service drop-down list, select the type of network service this rule is
allowing or denying. (The options that are displayed in this list are
determined by the option you selected in the previous step.)
4 In the Action drop-down list, select Allow to allow the service or Deny to
deny the service when a match occurs.
5 In the Control drop-down list, select Enable to enable the rule or Disable to
disable the rule. This allows you to disable a rule, if necessary, without
deleting it. Rules that are disabled will appear grayed out in the main Rule
window.
6 In the Audit Level drop-down list, select one of the following audit options
for this rule:
• Errors Only—Select this option to generate only error audit events for
this rule. If you select this option, normal traffic will not be logged. (This
option increases performance and reduces the size of audit logs.)
• Traffic—Select this option to generate both normal traffic and error audit
events for this rule.
• Informational—Select this option to generate error audit events, normal
traffic, and informational audit events for this rule.
7 [Optional] In the Description field, enter any useful information for this rule
(for example, a brief description of the rule).
8 [Optional] If you want to disable the Application Defense associated with
this rule, select the Disable Defense Inspection check box. Selecting this
check box will disable all Application Defense settings other than
connection properties (timeout and fast-path settings).
Clear this check box if you want to start using the Application Defense
again.
This option will be grayed out if there is no Application Defense associated
with the rule.
223

Chapter 8: Creating Rules and Rule Groups
Creating proxy rules
224
Figure 109: Proxy Rule:
Source/Dest tab
Entering source and
destination
information
The Source/Dest tab is used to enter source and destination restrictions for a
proxy rule. Follow the steps below.
1 [Optional ] To create a network object to use as the source or destination of
this rule, do the following:
a Click New. You will be prompted to select the type of object you want to
create.
b Select the type of network object you want to create and click OK. The
New Network Object window appears.
c Create the network object. When you click Add, you are returned to the
Source/Dest tab in the Proxy Rule window.
Note: For information on creating a Network Object, see “Creating network
objects” on page 139.
2 In the Source Burb drop-down list, select the source burb associated with
this rule.
3 In the Destination Burb drop-down list, select the destination burb
associated with this rule.
Note: When defining inbound address redirection for a rule, you should select
the Internet (external) burb for both the Source Burb and the Destination Burb
fields unless you are redirecting internally, or if you are redirecting inbound to
another internal address.
4 In the Source list that is displayed, select the source object to use for this
rule. (If needed, you can use the Show drop-down list to filter the list to
display only one type of object.)
5 In the Destination list that is displayed, select the destination object to use
for this rule. (If needed, you can use the Show drop-down list to filter the list
to display only one type of object.)

Figure 110: Proxy Rule:
Authentication tab
Entering
authentication
information
Chapter 8: Creating Rules and Rule Groups
Creating proxy rules
6 [Conditional] In the NAT Address drop-down list, select the object (IP
address or host) that will replace the original source address when it is
translated.
Note: Do not set the NAT Address to localhost if you are using a virtual burb as
your destination burb.
If you selected a netmap in the Source field, the appropriate NAT properties
are automatically supplied based on the mapping configured for each IP
address or subnet in that netmap. For more information on netmaps, see
“Netmap objects” on page 106.
7 [Conditional] In the Redirect Host drop-down list, select the host or IP
address to redirect the original destination.
If you selected a netmap in the Destination field, the appropriate redirection
properties are automatically supplied based on the mapping configured for
each IP address and subnet in that netmap. For more information on netmaps,
see “Netmap objects” on page 106.
8 [Conditional] In the Redirect Port field, type the port number on which the
connection will be redirected.
The Authentication tab is used to enter authentication information for this rule.
Note: The following proxies can use authentication: FTP, HTTP, HTTPS, SOCKS,
Telnet, and nt_Telnet. The following servers can use authentication: cobra, console,
Telnet, sshd, SSO, and WebProxy.
1 Select one of the following options:
• Do not require Authentication—Select this option if you do not want to
require authentication for this rule.
• Authentication using SSO (Single Sign On)—Select this option if you
want to allow SSO cached authentication for this rule.
If the SSO server has not been configured, you will not be able to select
the option. For more information, see “Configuring SSO” on page 300.
225

Chapter 8: Creating Rules and Rule Groups
Creating proxy rules
226
Figure 111: Proxy Rule:
Time tab
• Authenticate using selected Authentication Methods—Select this
option to require authentication for this rule. If you select this option, you
will need to specify the types of authentication that will be allowed for
this rule by selecting the appropriate check boxes in the Authentication
Methods area.
Only methods that have been configured and enabled will be available for
selection. For information on authentication methods, see “Supported
authentication methods” on page 277.
2 [Optional] If more than one authentication method is selected, you may
specify a default method from the Default Method drop-down list. This is the
authentication method that will be used by the Sidewinder G2 if the user
does not specify an authentication method during log in
Important: The Default field is not used for administrative purposes (such as
logging in to the Admin Console). The default administration authentication
method is defined in the Firewall Administration> Firewall Accounts window.
3 [Conditional] In the Authorization area, select one of the following options:
• Allow all successfully authenticated users—Select this option if you
want to allow all users who successfully authenticate.
• Allow only users in the selected Sidewinder User Group—Select this
option if you want to require users who belong to a particular group to be
allowed to use the service(s) specified within the rule. By default All
Users are authenticated.
• [Conditional] Allow only users in the selected External Authorization
Role—This option is active only if SafeWord or LDAP is selected and
enabled. Selecting this option is similar to assigning a user group to a
proxy rule, except the group (or role in this case) is defined within an
external authentication program such as SafeWord PremierAccess or
LDAP/Active Directory. This relieves you from having to maintain a
second instance of the group (role) on the Sidewinder G2.
Note: For additional information on configuring authentication for services,
see “Setting up authentication for services” on page 303.

Entering information
on the Time tab
Figure 112: Proxy Rule:
Application Defense tab
Chapter 8: Creating Rules and Rule Groups
Creating proxy rules
This tab allows you to determine the days and times a proxy rule is enabled.
You can also specify whether a proxy rule is temporary and will expire after a
specific period of time. Follow the steps below.
1 In the Times/Days field, specify when to allow or deny the service(s)
defined for this proxy rule. The format is fairly flexible. You must enter a day
of the week (or a range of days), followed by a time range (be sure to either
use military time OR include am or pm after each hour). You may
abbreviate the day, but do not use periods. You can include multiple entries
as long as they are separated by a comma and a space. The following are
examples of valid entries:
• Mon-Fri 8am-5pm
• Monday-Tuesday 8am-5pm, Friday noon-Sunday 8am
• Thur 1200-1500, Sat 1800
• 8:00am-10:00pm Mon-Thur, 8:30am-5:30pm Fri
2 In the Rule Time To Live field, you can configure a proxy rule to be
temporary (that is, to expire after a specified time period). Select one of the
following three options:
• No Expiration—Select this option if you do NOT want the proxy rule to
be temporary (that is, it will NOT expire). This is the default value.
• Offset—Select this option to specify a period of time that must elapse,
starting from the creation date of the rule, before the proxy rule will
expire (for example, two days, one week, three years). When you select
this option, the Disable Rule In field appears. Select a time period from
the drop-down list (Days, Hours, Minutes, Months, Seconds, Weeks, or
Years) and then specify the appropriate number in the text box.
• Date/Time—Select this option to specify an exact date and time when
the proxy rule will expire. When you select this option, additional fields
appear. In the Month, Day, and Year drop-down lists, specify the date
that you want the rule to expire. In the Time drop-down lists, specify the
exact time you want the rule to expire.
227

Chapter 8: Creating Rules and Rule Groups
Creating IP Filter rules
Entering Application
Defense rule
information
Creating IP Filter
rules
228
The Application Defense tab is used to determine which Application Defense
(or group if you selected Service Group in the Service Type field) will be used
by a rule. Select one of the following options:
Note: Proxy rules that use Secure Web Application Defenses with the Decrypt
Web Traffic option enabled must have redirection configured.
• Use the default Application Defense/Group—Select this option to use the
current default Application Defense group. The current default Application
Defense that will be used is displayed next to this option. Ensure that this is
the correct Application Defense Group for this rule.
• Select an Application Defense/Group—Select this option to select the
Application Defense (or group if you selected a service group in the Service
Type field) that you want to apply to this rule. Only Application Defenses
that are applicable to the type of rule you are creating will appear in the
table. For example, if you are creating an HTTP rule, you will only see Web
Application Defenses in the table. To view the properties for a particular
defense, select the appropriate table row and click View.
To create a new Application Defense for this rule, click New. To modify one
of the existing Application Defenses, highlight the appropriate table row and
click Modify. (If you want to create a new defense based on an existing
defense, highlight the defense and click Duplicate.) For information on creating
or modifying an Application Defense, see Chapter 6.
To view the other areas where an Application Defense is used, highlight
that defense and click Usage.
Important: If the defense you want to modify is currently being used by other
rules, you will receive a pop-up window listing the areas where this defense is
used and asking you whether you want to continue modifying the defense. Click
Yes to modify the defense, or click No to return to the Application Defense tab
without modifying the defense.
This section provides information on creating IP Filter rules. For overview
information on IP Filter rules, see Chapter 4.
To create an IP Filter rule, follow the steps below.
Important: IP Filter rules that you create will not be active until you place them in a
rule group that is part of the active IP Filter rules. For information on adding an IP
Filter rule to a rule group and ensuring that it is included in the active IP Filter rules,
see “Creating and managing rule groups” on page 236 and “Selecting your active
policy rules” on page 239.

Figure 113: IP Filter
Rules window
Chapter 8: Creating Rules and Rule Groups
Creating IP Filter rules
1 Using the Admin Console select Policy Configuration > Rules. The Rules
window appears.
2 In the View Option field, select IP Filter Rules. The Rules window appears
with the IP Filter rules table displayed.
3 Click New > IP Filter Rule and then select the type of IP Filter rule you want
to create:
• TCP—Select this option to create an IP Filter rule specifically for the
TCP protocol.
• UDP—Select this option to create an IP Filter rule specifically for the
UDP protocol.
• ICMP—Select this option to create an IP Filter rule specifically for the
ICMP protocol.
• Other—Select this option to create an IP Filter rule for protocols other
than TCP, UDP, and ICMP (such as AH).
Note: ICMP control and error messages generated by TCP/UDP traffic are
managed using TCP/UDP rules, as opposed to ICMP rules. For example, if you
want to pass “host unreachable” error messages for a specific rule’s
undelivered TCP packets through the Sidewinder G2, you would configure this
option on that rule’s TCP Advanced tab.
To modify an IP Filter rule, highlight the rule you want to modify, and click
Modify.
The IP Filter Rules window appears with the Rule tab displayed.
229

Chapter 8: Creating Rules and Rule Groups
Creating IP Filter rules
Entering information
on the Rule tab
230
To configure the Rules tab for an IP Filter rule, follow the steps below.
1 In the Name field, specify a name for the rule. Valid values include
alphanumeric characters, periods (.), underscores (_), hyphens (-), and
spaces( ). The name cannot exceed 100 characters.
2 In the Protocol field, select the protocol type for the rule you are creating. (If
you selected TCP, UDP, or ICMP as the rule type, the Protocol field will be
automatically filled in for you.)
To create an IP Filter rule for a protocol that is not listed in the drop-down
list, manually type the protocol number in the Protocol field.
3 In the Action field, specify the action that should occur when a packet
matches this rule:
• Allow—The packet will be translated or redirected, as defined in the
Source/Dest tab and will then continue regular kernel-level processing.
• Deny—The packet will be rejected without further filtering.
• Bypass IP Filter Rules —The packet will bypass IP Filter processing
and go to the beginning of the proxy rule list. This option is generally
used for common proxy protocols, such as HTTP, and is recommended
as an optimization when you have a large number of IP Filter rules. This
action is not an option for Other rules.
4 In the Control field, select Enable to enable the rule or Disable to disable
the rule. This allows you to temporarily disable a rule, if necessary, without
deleting it. Rules that are disabled will appear grayed out in the main Rule
window.
5 In the Audit Level field, select the type of audit you want performed when a
packet matches this rule. The options vary depending on the rule action, as
follows:
• If Action = Allow, then:
– None—No audit information will be recorded for this rule.
– Informational—Select this option to generate errors, normal traffic,
and informational audit events for this rule.
– Traffic—Select this option to generate normal traffic and error audit
events for this rule.
– Errors Only—Select this option to generate only error audit events
for this rule. If you select this option, normal traffic will not be logged.
(This option increases performance and reduces the size of audit
logs.)
• If Action = Deny or Bypass IP Filter Rules, then:
– All—Select this option to generate audit events for all packets that
match this rule.
– Limit—Select this option to generate audit events for this rule at the
frequency specified in the IP Filter Properties window’s setting. See
“Viewing and modifying general IP Filter properties” on page 241 for
more information.
– None—No audit information will be recorded for this rule.

Figure 114: IP Filter
Rules Source/Dest tab
About the IP Filter
Source/Dest tab
Chapter 8: Creating Rules and Rule Groups
Creating IP Filter rules
6 [Conditional] If you selected Informational for the audit level, in the Audit
Threshold field, specify the number of packets that will be allowed by this
rule before an audit record is generated. To limit auditing for this IP Filter
rule to only connection or session information, set the value to zero (0).
7 [Optional] In the Description field, enter any useful information about this IP
Filter rule (for example, a brief description of the rule).
8 To configure the source and destination information for this IP Filter rule,
select the Source/Dest tab. The following window appears.
The Source/Dest tab is used to specify the source and destination information,
as well as NAT and redirection for this IP Filter rule. Follow the steps below.
1 [Optional] If the appropriate source and destination network objects do not
yet exist, do the following to create them:
a Click New. You will be prompted to select the type of object you want to
create.
b Select the type of network object you want to create. The New Network
Object window appears.
c Create the network object. When you click Add, you are returned to the
Source/Dest tab in the IP Filter Rule window.
2 In the Direction field, specify the following:
• Uni-directional: This option allows traffic to initiate only from the source
address. If stateful packet inspection is enabled, selecting this option
also creates a session that allows return traffic.
• Bi-directional: If stateful inspection is enabled for this rule, this option
allows traffic or sessions to be initiated from either source or destination
addresses.
Note: NAT and redirection are not allowed for bi-directional rules with
stateful packet inspection enabled.
231

Chapter 8: Creating Rules and Rule Groups
Creating IP Filter rules
232
3 In the Source Burb drop-down list, select the burb through which the
Sidewinder G2 should route to get to the source IP address.
4 In the Destination Burb drop-down list, select the burb through which the
Sidewinder G2 should route to get to the destination IP address.
5 In the Source Show drop-down list, select the type of network object or
group to use as the source object.
6 In the displayed Source list, select the source object to use for this rule.
7 In the Destination Show drop-down list, select the type of network object or
group to use as the destination object.
8 In the displayed Destination list, select the destination object to use for this
rule.
9 In the Source Port Range field, specify the port or range of ports (inclusive)
in which connections are allowed to be made to or initiated from the
corresponding address. Note the following:
• Valid values are 1–65535.
• To specify “any port,” leave the field blank.
If configuring an ICMP or Other rule, port configuration is not an option.
10 In the Destination Port Ranges field, do one of the following:
• To specify “any port,” leave the field blank.
• To specify one or more port or port ranges (inclusive) in which
connections are allowed to be made to or initiated from the
corresponding address, click New. Valid values are 1–65535. You also
have the option to modify or delete existing entries.
If configuring an ICMP or Other rule, port configuration is not an option.
11 In the NAT Mode drop-down list, select one of the following options:
• None—This option will disable NAT for this rule.
• Normal—All packets that match this rule will be translated as follows:
the source address will be translated to the associated NAT address,
and the source port will be translated to a port within the NAT port
range.
• Source Port—All packets that match this rule will be translated as
follows: the source address will be translated to the associated NAT
address. The source port will not be translated.
12 In the NAT Address drop-down list, select the object (IP address, host, or
subnet) that will replace the original source address when it is translated.
(To filter the type of objects that appear in the list, select an option from the
Show drop-down list.)
Important: If you selected Source Port NAT in the previous step, you must
specify an alias IP address or a subnet that contains at least one alias IP
address as the NAT Address. If you specify an interface IP address or subnet
that does not contain an alias IP address, this rule will not pass traffic and audit
will be generated.

Figure 115: IP Filter
Time tab
About the IP Filter
Time tab
Chapter 8: Creating Rules and Rule Groups
Creating IP Filter rules
13 In the Redirection Mode field, select one of the following options:
• None—Select this option if you do not want to enable redirection.
• Normal—Select this option to enable redirection.
14 In the Redirect Host drop-down list, select the IP address or subnet to
which the original destination should be redirected. (To filter the type of
objects that appear in the list, select an option from the Show drop-down
list.)
15 To configure the days and times that the IP Filter rule is enabled, select the
Time tab. The following window appears. (See “About the IP Filter Time tab”
below.)
This tab allows you to determine whether an IP Filter rule is temporary and will
expire after a specific period of time. Follow the steps below.
1 In the Rule Time To Live area, specify whether this rule will expire (become
disabled). Select one of the following three options:
• No Expiration—Select this option if you do NOT want the rule to expire.
This is the default value.
• Offset—Select this option to specify a period of time that must elapse,
starting from the creation date of the rule, before the rule will expire (for
example, two days, one week, three years). When you select this
option, the Disable Rule In field appears. Select a time period from the
drop-down list (Seconds, Minutes, Hours, Days, Weeks, Months, or
Years) and then specify the appropriate number in the text box.
• Date/Time—Select this option to specify an exact date and time when
the rule will expire. When you select this option, additional fields appear.
In the Month, Day, and Year drop-down lists, specify the date that you
want the rule to expire. In the Time drop-down lists, specify the exact
time you want the rule to expire.
233

Chapter 8: Creating Rules and Rule Groups
Creating IP Filter rules
234
Figure 116: IP Filter
(TCP and ICMP)
Advanced tabs
About the IP Filter
Advanced tabs
2 To configure advanced configuration information for this IP Filter rule, select
the Advanced tab. Depending on the rule type, different options appear.
• For TCP/UDP IP Filter rules, see “Configuring the TCP/UDP Advanced
tab” on page 234.
• For ICMP IP Filter rules, see “Configuring the ICMP Advanced tab” on
page 235.
• The Advanced tab is not available if you selected Other as the IP Filter
rule type.
The IP Filter Advanced tab option vary depending on the initial rule type. The
options change as follows:
• TCP—Allows you to configure stateful packet inspection, connection and
idle timeouts, connection rates, stateful session failover, and allowed
control and error responses.
• UDP—Allows you to configure stateful packet inspection, idle timeouts,
packet rates, stateful session failover, and allowed control and error
responses packets.
• ICMP—Allows you to configure stateful packet inspection, request
timeouts, request rates, and which message types will be allowed or
denied.
• Other—The Advanced tab is not available for IP Filters of type Other.
Configuring the TCP/UDP Advanced tab
1 To enable stateful inspection for this rule, select the Stateful Packet
Inspection check box. You will not be able to configure other fields in this
tab without this option selected.
To disable stateful packet inspection, clear the Stateful Packet Inspection
check box.
2 [TCP only] In the Connection Timeout field, specify the amount of time (in
seconds) that a TCP session will wait for a connection to be established
once it is started. Valid values are 1–65535. (The minimum value is one
second.)

Chapter 8: Creating Rules and Rule Groups
Creating IP Filter rules
3 In the Idle Timeout field, specify the amount of time (in seconds) that a
session will remain open when there is no new traffic within an established
session. Valid values are 1–65535. (The minimum value is one second.)
4 [TCP only] In the Limit Connection Rate area, you can limit the number of
connections that will be allowed per second by selecting Yes, and entering
the number of connections that you want allowed per second in the Rate
field. Valid values are 0—1000000000.
To disable connection rate limitations, select No.
5 [UDP only] In the Limit Packet Rate area, you can limit the number of
packets that will be allowed per second in either direction by selecting Yes,
and entering the number of packets that you want allowed per second in the
Rate field. Valid values are 0—1000000000.
To disable packet rate limitations, select No.
6 [Conditional] In the Stateful Session Failover field, select Yes to enable
stateful session sharing, or select No to disable stateful session sharing.
This field can only be modified if you are connected to an HA cluster. (For
more information on stateful session sharing, see “Sharing IP Filter
sessions in an HA cluster” on page 128.)
7 In the Allowed Control and Error Responses area, select the response
types that you want to allow for this rule by selecting the check box next to
each response type you want to allow. A check mark will appear next to
response types that are selected. To deselect a response type, click the
check box to clear it.
Note: This section controls the ICMP messages generated by this rule’s TCP/
UDP traffic. These messages do not need separate ICMP rules.
8 Click Add to save your changes, or click Cancel to reset the fields to the
values that were previously entered.
9 [Conditional] If you selected Add and want this rule to begin managing
traffic, add this newly configured rule to an active rule group and save the
changes.
Your TCP/UDP IP Filter rule is now configured.
Configuring the ICMP Advanced tab
1 To enable stateful inspection for this rule, select the Stateful Packet
Inspection check box. You will not be able to configure other fields in this
tab without this option selected.
To disable stateful packet inspection, clear the Stateful Packet Inspection
check box.
2 In the Response Timeout field, specify the amount of time (in seconds) that
a session will await responses after the final request. The minimum value is
1 second.
235

Chapter 8: Creating Rules and Rule Groups
Creating and managing rule groups
Creating and
managing rule
groups
236
3 In the Limit Request Rate area, you can limit the number of requests that
will be allowed per second in either direction by selecting Yes, and entering
the number of packets that you want allowed per second in the Rate field.
Valid values are 0—1000000000.
4 In the Message Type area, select the ICMP message types that you want to
filter for this rule by selecting the check box next to each desired message
type you want to allow or deny. A check mark will appear next to message
types that are selected. To deselect a message type, click the check box to
clear the checkmark. The following options are available:
• echo—Selecting this matches echo requests and responses used by
ping.
• info—Selecting this matches ICMP information requests and
responses.
• timestamp—Selecting this matches timestamp requests and responses.
5 Click Add to save your changes, or click Cancel to reset the fields to the
values that were previously entered.
6 [Conditional] If you selected Add and want this rule to begin managing
traffic, add this newly configured rule to an active rule group and save the
changes.
Your ICMP IP Filter rule is now configured.
This section provides information on creating and managing your rule groups.
The process for creating and managing proxy groups and IP Filter groups is
essentially the same.
Creating a rule group
To create a rule group, follow the steps below.
1 Using the Admin Console, select Policy Configuration > Rules. The Rules
window appears.
2 Select one of the following options in the View Option field:
• To create a proxy rule group, select Proxy Rules. A list of existing proxy
rules and groups appears.
• To create an IP Filter group, select IP Filter Rules. A list of existing IP
Filter rules and groups appears.
3 Click New and select Proxy Group or IP Filter Group, as appropriate. A
New Rule Group window appears prompting you to enter a name for the
new group.
4 Enter a name that will help you identify the purpose of the rule group. For
example, a default proxy rule group called Administration contains all of the
rules associated with basic Sidewinder G2 administration.

Figure 117: Modify
Groups window
Chapter 8: Creating Rules and Rule Groups
Creating and managing rule groups
5 Click Add to add the rule group. An empty rule group with the name you
specified will appear in the appropriate rule table.
6 To add rules and nested rule groups to the rule group you created, see
“Managing rules and nested groups within a rule group” below.
Managing rules and nested groups within a rule group
When you create a new rule group, it will remain empty until you populate it
with rules and/or groups. To add or remove rules and groups to an existing rule
group, follow the steps below.
Note: The process is essentially the same regardless of whether you are
managing a proxy rule group or an IP Filter rule group.
1 Using the Admin Console, select Policy Configuration > Rules. The Rules
window appears.
2 Select one of the following options in the View Option field:
• To modify a proxy rule group, select Proxy Rules. A list of existing proxy
rules and groups appears.
• To modify an IP Filter group, select IP Filter Rules. A list of existing IP
Filter rules and groups appears.
3 Double-click the rule group that you want to modify. (You can also highlight
the rule group you want to modify and click Modify.) A Modify Groups
window appears.
237

Chapter 8: Creating Rules and Rule Groups
Creating and managing rule groups
About the Modify
Groups window
238
This window allows you to determine which rules and nested groups will be
included in a particular rule group. It also allows you to determine the order in
which you organize those rules and nested groups. The order of rules and
nested groups within a rule group is very important. (For information on
organizing your rule groups, see “Ordering proxy rules within a rule group” on
page 101.)
The Available Rules and Groups table contains a list of the rules and groups
that are available to add to this rule group. The Assigned Rules and Groups
table contains a list of the rules and groups that are currently assigned to this
rule group. You can perform the following actions within the Rule Group
window:
• Add a rule or nested group to the selected rule group—To add a rule or
nested group to a rule group, double-click the entry that you want to add in
the Available Rules and Groups table (or highlight the entry and click the
down arrow icon). The rule or group will be placed in the Assigned Rules
and Groups table.
• Remove a rule or rule group from the selected rule group—To remove a
rule or group from a rule group, double-click the entry in the Assigned
Rules and Groups table (or highlight the entry and click the up arrow icon).
The rule or group will be removed from the Assigned Rules and Groups
table and placed in the Available Rules and Groups table.
• Organize the assigned rules and groups within the selected rule group—
To organize the rules and groups in the Assigned Rules and Groups table,
click and drag each entry to the desired location. For information on
organizing your rule groups, see “Ordering proxy rules within a rule group”
on page 101.
• Edit the description for a rule group—To edit the description for a rule
group, place your cursor in the Description field and add or modify the text
as needed.
• Save the changes you made to the rule group—To save your changes,
click OK.

Selecting your
active policy
rules
Figure 118: Active Rules
window
About the Active
Rules window
Chapter 8: Creating Rules and Rule Groups
Selecting your active policy rules
When you initially configure your Sidewinder G2, a default rule group is
automatically assigned as your active policy (the rules contained in those
groups will vary depending on the choices you made in the Quick Start
Wizard). All rules and groups that you have created that are not part of the
active rules (that is, rules that are not included in the active group, or in a rule
group that is nested in the active group) will remain inactive unless you add
them to the active rule group or to a group that is part of the active rule group.
You can modify your existing active rule group to add or delete rules and/or
nested rule groups as your security needs change. You can also re-organize
the rule group entries as needed. For a more detailed overview of the active
rules and how they work, see Chapter 4.
Viewing the active policy
To view the active rules currently configured for your Sidewinder G2, using the
Admin Console select Policy Configuration > Rules and then click View Active
Policy. The Active Rules window appears.
This window allows you to view the active rules currently in use on your
Sidewinder G2. The active rules listed in each table consist of all of the rules
(including both individual rules and rules included in nested groups) and
determine the order in which traffic will be processed. Which rules appear in
each table are determined by the rule group that is displayed in the Active
Group field.
When you select rule groups in the Active Rules window (one for proxy rules
and one for IP Filter rules), they will begin actively filtering traffic coming into
and leaving the Sidewinder G2.
239

Chapter 8: Creating Rules and Rule Groups
Selecting your active policy rules
240
Figure 119: Rule Group
Select window
About the Rule
Group Select
window
In this window, you can perform the following actions:
• Select a new active rule group—To select a new active rule group that will
enforce traffic coming into and leaving the Sidewinder G2, see “Modifying
the active rule groups” on page 240. (The window is similar for IP Filter and
Proxy rule groups.)
• View the IP Filter properties—To view the properties configured for the IP
Filter rules contained in the active IP Filter group, click the IP Filter
Properties button. The IP Filter General Properties window appears. See
“About the IP Filter General Properties window” on page 241.
• Determine which group a rule belongs to—Each active rule must be a
member of at least one group, which is listed in the Rule Group column. If a
rule belongs to more than one group, the rule is listed multiple times.
Modifying the active rule groups
To modify the active rule groups that are currently enforcing your policy, using
the Admin Console select Policy Configuration > Rules and then click View
Active Policy. Click the appropriate Set button (IP Filter or Proxy). The Rule
Group Select window appears.
This window allows you to select a new active policy for either IP Filter or proxy
rules. Before you select a new rule group to enforce your security policy,
ensure that the rule group you are specifying contains all of the necessary
rules and rule groups in the correct order. When you select a new rule group in
this window and save your changes, the rules contained in that rule group will
be loaded into the Sidewinder G2 and will begin enforcing your policy.
To select a new rule group, click the rule group that you want to use to enforce
your security policy and click OK. The new rules will be loaded in the kernel
and the Sidewinder G2 will use those rules to enforce your policy.

Figure 120: IP Filter
General Properties
window
About the IP Filter
General Properties
window
Chapter 8: Creating Rules and Rule Groups
Selecting your active policy rules
Viewing and modifying general IP Filter properties
There are a number of IP Filter properties that affect all active IP Filter rules. To
view or modify these properties, in the Admin Console select Policy
Configuration > Rules and then click View Active Policy > IP Filter Properties.
You can also access this window from the main Rules window when the IP
Filter Rules view is selected. The IP Filter General Properties window appears.
The IP Filter General Properties window allows you to specify basic properties
that apply to all IP Filter rules contained in the IP Filter portion of the active
policy. Follow the steps below.
1 In the Maximum TCP Sessions field, specify the maximum number of TCP
sessions allowed to use the IP Filter at one time. Valid values are
0–1000000.
2 In the Maximum UDP Sessions field, specify the maximum number of UDP
sessions allowed to use the IP Filter at one time. Valid values are
0–1000000.
3 In the Start of reserved ports field, specify the starting port that IP Filter will
reserve for its own use. Valid values are 1024–65533. The default is 9120.
4 In the Number of ports reserved for ipfilter field, specify the number of
ports IP Filter will reserve for its own use. Valid values are 1–64509. The
default is 875.
5 In the Deny Audit Frequency area, specify how frequently Sidewinder G2
will generate audit records for IP Filter deny rules with the audit level set to
Limit. Audit will be created for the first x occurrences in every y seconds. An
additional audit event will be generated to record how many other audit
events were suppressed.
For example, the audit is limited to generating an audit event for the first 1
occurrences for every 1 seconds. If Sidewinder G2 stopped 100 netprobes
in 1 second, one record would be generated for the first denial, and then
another audit record stating that 99 occurrences were suppressed.
6 Click OK to save your changes, or click Cancel to reset the fields to the
values that were previously entered.
241

Chapter 8: Creating Rules and Rule Groups
Selecting your active policy rules
242

9 CHAPTER
Configuring Proxies
In this chapter...
Proxy basics.................................................................................244
Redirected proxy connections ......................................................247
Standard Sidewinder G2 proxies..................................................250
Using other proxies on the Sidewinder G2...................................254
Transparent & non-transparent proxies........................................254
Notes on selected proxy configurations .......................................255
Configuring proxies ......................................................................266
Setting up a new proxy.................................................................270
243

Chapter 9: Configuring Proxies
Proxy basics
Proxy basics A proxy is a program that controls communication between clients on one side
of a Sidewinder G2 and servers on the other side. That is, an application client
and application server on opposite sides of a Sidewinder G2 do not
communicate directly. Instead, the client and server both “talk” to a proxy,
which forwards the data back and forth.
244
Figure 121: Example
Sidewinder G2 proxy
connection
Network applications are typically accessed using one of two lower level
communication protocols: TCP or UDP. TCP is a connection-based protocol
that guarantees data is delivered in order and ensures address and data
integrity. UDP is a connectionless service that delivers data with minimum
overhead.
The Sidewinder G2 provides pre-defined TCP-based proxies for a variety of
Internet applications including Web, Telnet, FTP, and many others. The
Sidewinder G2 also supports proxies for routing UDP transmissions for
applications based on protocols such as SNMP and NTP.
Important: There is a security risk involved with using UDP proxies. Unlike TCP,
UDP does not ensure address integrity. This makes it possible for a hacker to fake
the source address for some dubious purpose.
A proxy is not a server on your Sidewinder G2. Rather, a proxy controls access
to a server on the other side of your Sidewinder G2. Also, a proxy can only
access the kind of server that it represents. For example, as shown in Figure
121, a Telnet proxy can access only Telnet servers; it cannot access a Web
Proxy server (or any other kind of server).
Telnet client
internal
network
Telnet
proxy
Sidewinder G2
external
network
Telnet server
Proxies can control connections between any two Type Enforced network
areas, regardless of whether the areas are internal or external. The rules that
you define in the active proxy rule group (see Chapter 4) determine how the
networks connected to the Sidewinder G2 are allowed to communicate. The
most common proxy directions, internal burb-to-external burb and external
burb-to-internal burb, are explained below.
• internal burb-to-external burb
The proxy connections you configure on the Sidewinder G2 will typically be
outbound (internal-to-external) connections. All data packets traveling out
through your Sidewinder G2 will appear to come from the external address

Chapter 9: Configuring Proxies
Proxy basics
of your Sidewinder G2. That is, the address of the network in the internal
burb is not seen in the packet information on the external burb.
• external burb-to-internal burb
A proxy can also be set up for inbound (external-to-internal) connections. In
general, inbound proxies are not desirable for security reasons (see the
"Important" note below). There are, however, certain configuration options
you can use such as encryption, authentication, and address or port redirection
that make an inbound proxy more secure. (These options are covered
in more detail later in this chapter.)
Important: Network attacks using “sniffer” programs to steal users’ accounts
and passwords are frequent on the Internet. To prevent such intrusions, you
should use a strong authentication method (such as those described in Chapter
10) that prevent an attacker from gaining account information. However, attacks
can still use sniffers to compromise your data. By encrypting your network
transmissions and using proxy redirection, you can provide further defense
against network attacks.(Strong Cryptography is a premium feature).
Configuring advanced proxy parameters on a per-rule
basis using Application Defenses
The Proxy window allows you to configure the basic proxy properties and
enable them in the appropriate burbs. Proxy rules allow you to determine
whether proxy access will be allowed or denied and under what conditions. By
adding Application Defenses to your rules, you can specify advanced,
application-specific proxy properties (such as MIME/anti-virus filtering, SSL
decryption, and timeout properties) on a per-rule basis. For information on
configuring Application Defenses and rules for proxies, see Chapter 6 and
Chapter 8.
Improving performance using Fast Path Sessions
The Sidewinder G2 supports a Fast Path Sessions option that improves
system performance by lessening the load placed on the system kernel when
passing proxy data through the Sidewinder G2. Performance is improved on
the Sidewinder G2 when the Fast Path Sessions option is enabled for
protocols that use many small packets, such as Telnet.
The Fast Path Session option is configured in the Application Defenses
windows in the Connections area. Application Defenses can be configured in
advance and added to rules later, or they can be created directly within a rule.
For information on configuring Fast Path Session options, see “Configuring
connection properties” on page 203.
245

Chapter 9: Configuring Proxies
Proxy basics
246
When to disable the Fast Path Sessions option
In most cases, the Fast Path Sessions option enhances system performance,
and in many of these cases the improvement is significant. However, there are
some cases where the Fast Path Sessions option may negatively affect
performance. Large data transfers on heavily loaded systems, primarily FTP or
HTTP traffic, can overload a system. The Sidewinder G2 will also “throttle”
these connections under very heavy load conditions to prevent them from
taking over the system.
Proxy session limits
There is an upper limit to the number of simultaneous sessions for certain
proxy configurations. Table 21 provides a summary of hard limits based on perprocess
resource limits.
Table 21: Proxy session limits (hard limits)
Proxy Session Limits
FTP 4000 sessions
t120 1000 sessions
all other TCP 8000 sessions a
UDP The number of ports plus two times the number of sessions
must not exceed 16,000. (The maximum number of enabled
ports for all services on all burbs must not exceed 8000.)
a. A maximum of 16 Telnet sessions are allowed in the “enter destination” or
“authentication” stage.
Tip: Session limits for each proxy can be lowered from the hard limits by editing
the simultaneous_sessions entry in the configuration file (*.conf) for each proxy.
Configuring multiple instances of certain proxies
Certain proxies (HTTP, HTTPS, generic TCP, and SQL) can be configured to
enable multiple instances of the same proxy in order to load the traffic across
the multiple instances. This is useful for hardware configurations with multiple
CPUs or sites that have experienced problems due to an exceedingly large
amount of concurrent connections through one of those proxies. A single proxy
instance for any of these proxies can handle up to 8000 sessions (a session
consists of two connections for most protocols), which is more than adequate
for most sites. However, if your site is consistently recording concurrent
sessions that hover around the 8000 range (or if you have experienced
problems because the number of connection attempts is significantly higher)
for any of these proxies, you may need to enable additional instances for that
proxy.

Redirected proxy
connections
Chapter 9: Configuring Proxies
Redirected proxy connections
To monitor the number of concurrent connections for any of the proxies listed
above, in the Admin Console, select the dashboard. The upper-right portion of
the dashboard contains a link titled Proxy Connections. Click that link to see a
list of all proxies and servers that are currently running, with the current
number of connections that exist for that proxy.
For information on configuring the HTTP, HTTPS, or SQL proxy to enable
multiple instances, see “Configuring proxies” on page 266.
For typical Sidewinder G2 operation, proxies are configured to permit
connections from the internal network to the Internet. However, there may be
circumstances in which you want to allow an external client access to hosts
within your internal network (behind the Sidewinder G2). For example, you
may want to provide access to an internal Telnet server or you may want a
server inside your internal network to be able to receive news feeds from an
Internet news feeder.
You can set up proxy rules to redirect a connection between an external client
and the external side of the Sidewinder G2 to a system inside your network.
This rerouted connection to the internal host system hides the actual
destination from the system requesting the connection. You can configure
Sidewinder G2 proxy rules to translate connection requests to different
addresses or to different ports within the internal network.
The address or port translation provided by redirection is usually needed when
enabling proxying from the external network to the internal network. The
following section provides examples of both address and port redirection as
supported by the Sidewinder G2.
Important: All proxies pose a security risk. As with any external-to-internal proxy,
while you can guarantee the integrity of the Sidewinder G2, you cannot guarantee
the integrity of the system for which an external user will have access. For the rare
occasion where you configure an inbound proxy, you should always use a strong
authentication method.
Address redirection
If you need to configure a proxy that allows access to the internal network, but
do not want to provide routes to the internal network you will need to configure
the Sidewinder G2 for address redirection. Address redirection is implemented
in the Source/Dest tab of the Rule window on a per-rule basis. See Chapter 8
for information on configuring address redirection.
In the configuration shown in Figure 122, suppose you want to allow any host
in the Internet to Telnet to host 172.25.5.5 on the internal network.
247

Chapter 9: Configuring Proxies
Redirected proxy connections
248
Figure 122: Address
redirection for inbound
proxy
Telnet server
172.25.5.5
internal
network
The Sidewinder G2 proxy redirects
(remaps) the Telnet session to address
172.25.5.5 (but the address is
concealed from the external network)
redirect
192.55.214.24
Sidewinder G2
external
network
Telnet client
192.55.214.25
The client can access the internal
server, but must use the Sidewinder
G2 external address in the Telnet
request
With redirection configured, the connection is proxied to an address that is
different from the original destination address. In Figure 122, a connection
request from Internet address 192.55.214.25 is proxied to the external side of
the Sidewinder G2 (192.55.214.24). The proxy then redirects the connection to
172.25.5.5 and proxies the session to the internal host. From the external
system’s point of view, the destination is 192.55.214.24, when in fact, the
destination is really 172.25.5.5.
Address redirection can also be applied to solve more complicated problems.
Suppose you want to allow inbound Telnet connections to three different hosts
on your internal network. If you configure your router to route multiple
addresses to the Sidewinder G2, it can then accept the connections and proxy
them through to hosts on the internal network. Redirected proxy connections
provide the address translation between IP addresses which are valid and
routed on the Internet and private IP addresses on the corporate network. So if
you want to redirect all incoming connections to one of three hosts, then you
must reserve three IP addresses for your Sidewinder G2, or use netmaps. (For
information on using netmaps, see “Network objects” on page 105.)
Note: To avoid using multiple Sidewinder G2 addresses in this scenario, you could
set up port redirection rather than address redirection (described in the following
section).

Figure 123: Port
redirection for inbound
proxy
Port redirection
Chapter 9: Configuring Proxies
Redirected proxy connections
If you need to work around site-specific idiosyncrasies or to obscure the
existence of a proxy for a given service, you can use port redirection. While
such obscurity does not lessen the vulnerability resulting from something like
an inbound Telnet proxy, it does reduce the number of attacks because the
casual attacker might not notice it. Also, the attacker must take more
conspicuous actions, like port scanning, to find the entry point. This makes it
more likely that the administrator will notice the attack. Port redirection is
implemented in the Source/Dest tab of the Rule window on a per-rule basis.
See Chapter 8 for information on configuring port redirection.
As an example, in Figure 123, suppose you want to configure a new proxy for
an internal host that will provide Telnet service and accept external
connections. In this configuration, a proxy connection arrives from the external
network and connects to the external side of the Sidewinder G2. The
connection arrives on the port named “hidenet” (port 5111). When this
connection comes in, it will be proxied to the internal network, similar to how an
address redirection is handled.
Telnet server
192.55.4.4
Telnet port 23
internal
network
redirect
external
network
192.55.214.24
Sidewinder G2
hidenet port 5111
client Telnets to
port 5111 on the
Sidewinder G2
172.16.4.4
The proxy redirects (remaps) the
Telnet session to port 23 (but the
port is concealed from the
external network)
The difference here is that the client on the external network connects to port
5111 (hidenet) on the Sidewinder G2 and the Sidewinder G2 connects the
client to port 23 (the standard Telnet port) on 192.55.4.4 host in the internal
network. This permits an inbound Telnet connection to a host with a private IP
address and does so on a port number that is not well-known for this service.
This discourages so-called “door-knob rattlers.”
249

Chapter 9: Configuring Proxies
Standard Sidewinder G2 proxies
Standard
Sidewinder G2
proxies
Table 22: Proxies initially configured on the Sidewinder G2
250
Proxy Name Type and Port Description
aol TCP
5190
changepw-form TCP
1999
dns TCP/UDP
53
finger TCP
79
ftp TCP
21
gopher TCP
70
h.323 TCP/UDP
1720
http TCP
80
https TCP
443
The Sidewinder G2 provides a variety of pre-defined proxies to control
connections to popular Internet services using the standard port numbers for
those services (see /etc/services for a list of recognized protocols). Table 121
shows an alphabetical listing of the proxies that are preconfigured and can be
quickly enabled using the Admin Console. To set up other proxies, see “Using
other proxies on the Sidewinder G2” on page 254.
During system installation, if you selected Standard Internet services, the
proxies listed in bold are automatically enabled for internal network-to-external
network, and corresponding proxy rules are added to the default active rule
group.
Allows America Online (AOL) members in your network to run their AOL
client software and connect directly to America Online through the
Sidewinder G2.
Allows users to change their network login password for Web, Telnet,
and FTP sessions.
Enables DNS query traffic and DNS zone file transfers to cross burb
boundaries.
Enables the UNIX finger command to be used across burb boundaries.
Allows users on one side of the Sidewinder G2 transparent or nontransparent
access to FTP (File Transfer Protocol) servers on the other
side of the Sidewinder G2.
Allows internal users to use a Gopher client to access information on
Internet Gopher servers.
Allows users to use audio and video features for H.323 applications
such as Microsoft’s NetMeeting application. See “T.120 and H.323 proxy
considerations” on page 262.
Allows internal users to use a Web client, such as Netscape or Internet
Explorer, to access Web sites on the Internet via transparent or nontransparent
connections. See Chapter 13 for more information.
Allows Secure Socket Layer (SSL) encrypted connections to Web
servers such as the Netscape Commerce Server (optional). For Web
software that supports SSL, such as Netscape’s browser and the
Commerce Server, this proxy permits a more secure Web connection.
This proxy can be configured to handle decryption.
More...

Proxy Name Type and Port Description
ica TCP 1494
UDP 1604
ident TCP
113
iiop TCP
683
imap TCP
143
irc TCP
6667
ldap TCP
389
lotus TCP
1352
msn TCP
569
mssql TCP
1433
netbios-tcp TCP
139
netbios-udp UDP
137, 138
nntp TCP
119
Chapter 9: Configuring Proxies
Standard Sidewinder G2 proxies
Allows users to locate and connect to a Citrix server farm within a private
address space.
• If you are using Citrix XML Service, to locate the master browser you
will need to enable the HTTP proxy on the port that the Citrix server
is configured to use.
• For information on using the altaddr feature on your Citrix server
farm, refer to your Citrix documentation.
Allows users to use the UNIX ident command.
The Internet Inter-ORB Protocol (IIOP) is the wire protocol used by
CORBA (Common Objects Request Broker Architecture) applications to
interoperate in a heterogeneous network environment. The IIOP proxy
allows the Sidewinder G2 administrator to exercise control over the
dialogue between the CORBA applications.
Note: For more information on CORBA, refer to www.omg.org.
Allows use of the Internet Message Access Protocol to access e-mail
from a local server.
Allows your users to chat with other users via the Internet Relay Chat
protocol.
Allows the LDAP protocol through the Sidewinder G2.
Allows use of Lotus Notes applications across burb boundaries.
Allows Microsoft network members in your network to run their MSN
client software and connect directly to MSN through the Sidewinder G2.
Microsoft SQL proxy.
Generic netbios TCP proxy.
Generic netbios UDP proxy.
Allows your internal users to access Usenet News received at your site
and post information to newsgroups. See “Usenet News proxy
configurations” on page 260 later in this chapter for information on
Usenet News proxy configurations.
More...
251

Chapter 9: Configuring Proxies
Standard Sidewinder G2 proxies
252
Proxy Name Type and Port Description
nt_telnet TCP
23
ntp UDP
123
ping ICMP
(na)
pop TCP
110
printer TCP
515
RealMedia TCP/UDP
7070
rlogin TCP
513
rsh TCP
514
rtsp TCP/UDP
554
smtp TCP
25
snmp UDP
161-162
socks5 TCP
1080
sql TCP
1521
ssh TCP
22
streamworks TCP
1558
Allows users on one side of your Sidewinder G2 non-transparent access
to Telnet servers on the other side of your Sidewinder G2. See
“Transparent & non-transparent proxies” on page 254 for the difference
between transparent and non-transparent proxies.
Allows you to send/receive Network Time Protocol (NTP) time feeds.
Relays ICMP ECHO (ping) requests and ICMP Echo-REPLY messages
through the Sidewinder G2.
Allows connections to Post Office Protocol (POP) remote mail servers.
Allows use of the UNIX lpr command.
Allows the Sidewinder G2 to proxy audio and video data packet
connections.
Allows users on one side of your the Sidewinder G2 access to rlogin
servers on the other side of the Sidewinder G2.
Supports rcp and rsh.
Supports Real Media Player and Quick Time Multimedia Player
protocols.
Allows Simple Mail Transfer Protocol traffic to be sent across burb
boundaries. (This proxy is automatically enabled if you selected
transparent SMTP service during configuration.)
Supports remote management using SNMP protocol.
Supports the SOCKS5 protocol.
Allows Structured Query Language database lookup requests across
burb boundaries.
Allows use of the UNIX Secure Shell command, which provides secure
access to remote systems.
Supports Streamworks streaming audio and video.
More...

Proxy Name Type and Port Description
sunrpc TCP/UDP
111
sybase TCP
4000
syslog UDP
514
t120 TCP
1503
telnet TCP
23
wais TCP
210
whois TCP
43
wins UDP
42
Xscreen0 TCP
6000
X500 TCP
103
Chapter 9: Configuring Proxies
Standard Sidewinder G2 proxies
Relays requests from an RPC client through the Sidewinder G2 to a
remote server.
Generic Sybase SQL proxy.
Generic UNIX syslog protocol.
Allows users to use T.120 applications such as Microsoft’s NetMeeting
application.
Allows users on one side of your Sidewinder G2 transparent access to
Telnet servers on the other side of your Sidewinder G2.
Allows users on your network with WAIS client software connections to a
database service called WAIS.
Allows users to send the UNIX whois command from a terminal. whois
looks up records in the Network Information Center.
Supports Microsoft Windows Network Services.
Allows UNIX-based X Windows sessions to pass through the
Sidewinder G2. For instance, an X Windows process running on one
terminal could send screen output through the Sidewinder G2 to another
window at a different terminal.
While redirecting X Windows is a common practice at larger UNIX sites
with X Windows environments, X Windows is not a secure application.
Using this proxy strictly for sending X Windows traffic through the
Sidewinder G2 is not recommended for most sites. However, if the
Sidewinder G2 has been configured as a Sidewinder G2 between two
networks, both of which are within your organization (sometimes called
“inter-walling”), the Xscreen0 proxy might not pose serious security
hazards. This depends on the nature of the site’s two networks.
Supports the X500 directory server.
253

Chapter 9: Configuring Proxies
Using other proxies on the Sidewinder G2
Using other
proxies on the
Sidewinder G2
Transparent &
non-transparent
proxies
254
In special cases, you may want to set up a UDP proxy or a TCP proxy service
that is not preconfigured when you install the Sidewinder G2. The Sidewinder
G2 contains a special domain called Genx that can be used for TCP proxies
other than the ones that are initially set up on the Sidewinder G2. A special
domain called UDPx can be used for UDP proxies.
If you set up more than one of your own proxies, they will not be isolated from
each other using Type Enforcement since they are all contained in one domain
(Genx for TCP and UDPx for UDP). However, proxies you add are still isolated
from all other domains and cannot interfere with any other Sidewinder G2
activity.
If you set up your own proxies or reconfigure established proxies, do not use
ports 9000–9010. These ports are reserved by the Sidewinder G2 for
administration purposes.
Tip: To set up additional proxies using the Admin Console, refer to “Setting up a
new proxy” on page 270.
The Sidewinder G2 HTTP, HTTPS, and Telnet proxies can be configured to be
transparent or non-transparent to users. Transparency for the HTTP and
HTTPS proxies is configured on a per-rule basis via Application Defenses.
Transparency for Telnet is determined by two distinct proxies that can be
enabled and specified in your active rules (telnet and nt_telnet). When using
transparent proxy settings, the user appears to connect directly to the desired
network’s HTTP, HTTPS, or Telnet proxy without connecting to the Sidewinder
G2 first.
For example, to initiate an outbound Telnet session using a transparent Telnet
proxy, a user would issue the following command from his or her workstation:
telnet destination_IP_address
With a non-transparent Telnet proxy, a user must first Telnet to the Sidewinder
G2 and specify a destination address for the Telnet session. For example, the
following shows how an internal user would initiate a Telnet session to a server
in an external network using a non-transparent proxy that requires standard
password authentication.
>telnet internal_IP_address
(connection message from the Sidewinder G2 appears...)
>Enter destination: destination_address
>Username: username
>Password: password
(connection message from the destination Telnet server appears...)
>login: username
>Password: password

Notes on
selected proxy
configurations
Chapter 9: Configuring Proxies
Notes on selected proxy configurations
While non-transparent proxy configurations are not typically used, they may be
useful under special circumstances. For example, if your internal network is
experiencing problems resolving routes or names, non-transparent proxy
configurations may be used as a temporary measure to allow HTTP, HTTPS,
or Telnet sessions.
You may also need to use non-transparent proxy configurations for outgoing
connections if you configure the Sidewinder G2 to trigger an IPS attack or
system event response when external addresses are detected on the internal
side of the Sidewinder G2. (For information on responses, see Chapter 20.)
For incoming connections, you may need to use non-transparent proxy
configurations if the internal network is not visible to the external side and
redirection to a single internal machine is undesirable.
Note: Certain transparent and non-transparent proxy configurations can require
users to authenticate before they are allowed to connect (see Chapter 10).
This section provides additional configuration information on some of the more
common proxy configurations that you can use at your site.
• Telnet (page 255)
• FTP (page 257)
• HTTP/HTTPS (page 259)
• ICA (page 259)
• Sun RPC (page 260)
• NNTP (page 260)
• T.120 and H.323 (page 262)
• DNS (page 266)
Notes on using the Telnet proxy
The Sidewinder G2 provides a Telnet proxy that allows your trusted users to
remotely log into Internet systems using a Telnet client. When the proxy
software is enabled, users can Telnet to any available Internet site, and the
connections will be routed through the Sidewinder G2 without users being
aware of it. You can control which systems on your trusted networks can use
Telnet and prohibit users from accessing specified external addresses.
Systems that users log into must be running a Telnet server in order to
establish the connection. To make the Telnet connection, users must run a
Telnet client and specify the name of the remote system they want to access.
Users accessing a Telnet server must also have accounts on that system.
Once the session is established, the user is logged in on the remote system as
if he or she were a local user.
255

Chapter 9: Configuring Proxies
Notes on selected proxy configurations
256
Important: Using the Admin Console, you can also set up a Telnet proxy from the
external burb to an internal burb on your Sidewinder G2. This is only required in
specialized cases. For example, if you are using a strong authentication method to
authenticate Telnet sessions, you may want to allow administrators to remotely
access a server inside your network. Before setting up this type of proxy, you may
want to contact Secure Computing to get assistance addressing any security issues
this presents.
Note: If an Internet Telnet server is not available when a trusted user tries to
connect, the user will NOT receive a message stating that the connection was
unsuccessful.
The following steps summarize the tasks you need to perform to set up Telnet
access for internal users.
1 Enable the Telnet proxy for the appropriate burb(s). (See “Configuring
proxies” on page 266.) The Telnet proxy runs in its own domain on the
Sidewinder G2.
2 Ensure that the Internet Services proxy rule is enabled and is contained in
the active rule group. The Internet Services proxy rule consists of a service
group that contains Telnet as well as other Internet services. (You can also
create an individual telnet_out rule if you want to configure authentication
specifically for Telnet.) See “Creating proxy rules” on page 222.
This rule allows users from one of your trusted burbs to Telnet to the Internet.
You can use the Admin Console to disable this proxy rule or change its
settings to control which internal users are allowed Telnet access and to
which external systems they can connect. See “Users and user groups” on
page 104 for detailed information.
3 [Optional] Configure the Sidewinder G2 to authenticate all users requesting
Telnet service before the Sidewinder G2 makes the network connection.
Refer to Chapter 10 for details on the authentication methods supported by
the Sidewinder G2.

Notes on using the FTP proxy
Chapter 9: Configuring Proxies
Notes on selected proxy configurations
The FTP proxy allows internal users to use an FTP client to remotely log into
Internet systems. Systems that users log into must be running an FTP server in
order to establish the connection. To make the FTP connection, users must run
an FTP client and specify the name of the remote system they want to access.
Setting up FTP using the Admin Console
The following steps summarize the tasks you need to perform to set up FTP
access for internal users.
1 Enable the FTP proxy for the appropriate burb(s). (See “Configuring
proxies” on page 266.) The FTP proxy runs in its own domain on the
Sidewinder G2.
2 Ensure that the Internet Services proxy rule is enabled and is contained in
the active rule group. The Internet Services proxy rule consists of a service
group that contains FTP as well as other Internet services. (You can also
create an individual ftp_out rule if you want to configure authentication
specifically for FTP.) See “Creating proxy rules” on page 222.
Once you enable the FTP proxy, this rule will allow all internal users FTP
access to the Internet. You can use the Admin Console to disable this proxy
rule or change its settings to control which internal users are allowed FTP
access and to which external systems they can connect. See “Users and
user groups” on page 104 for detailed information.
3 [Optional] Create a rule that requires authentication for all users requesting
FTP service before the Sidewinder G2 makes the network connection.
Refer to Chapter 10 for details on the authentication methods supported by
the Sidewinder G2.
Note: You can configure advanced parameters (such as FTP commands) for
the FTP proxy on a per rule basis using Application Defenses. For information
on creating FTP Application Defenses, see “Creating FTP Application
Defenses” on page 186.
257

Chapter 9: Configuring Proxies
Notes on selected proxy configurations
258
Changing the FTP server response configuration
By default, Sidewinder G2 restricts which FTP servers responses it will accept.
Accepted FTP server response codes range from 100 to 599. To alter which
codes are accepted or to turn off server response checking, do the following:
Caution: Only experienced administrators should edit configuration files.
1 Log into the Sidewinder G2 and enter the following command to switch to
the admin role:
srole
2 Using a file editor, open /etc/sidewinder/proxy/pftp.conf.
3 If you want to turn off server response checking, find the following line:
validate_server_response[yes]
and change [yes] to [no].
4 If you want to limit which FTP server responses Sidewinder G2 accepts,
edit the following lines:
min_server_response_code[100]
max_server_response_code[599]
Valid values are between 000 and 999, and must be continuous.
5 Save your changes.
6 Restart the proxy to apply the changes by doing the following:
a List the burbs in which the ftp proxy is enabled by entering the following
command:
cf proxy ftp q
b Disable the ftp proxy in all burbs where it is enabled by entering the
following command for each burb name listed in the previous step:
cf proxy ftp disable protocol=tcp burb=burbname
c Enable the ftp proxy in the same burbs by using the following command:
cf proxy ftp enable protocol=tcp burb=burbname
The FTP proxy has now been restarted and is using the updated configuration
file.

HTTP/HTTPS considerations
Chapter 9: Configuring Proxies
Notes on selected proxy configurations
The HTTP and HTTPS proxies allow you to configure Web access (including
authentication) for trusted and untrusted users. You can configure header
filtering, URL controls, MIME/virus/spyware filtering, and types of Web content
(objects) that will be denied on a per-rule basis using Application Defenses.
Additionally, using HTTPS you can also configure SSL decryption and
clientless VPN services. For more information on the HTTP/HTTPS proxies,
see Chapter 13. For information on creating Application Defenses for the
HTTP/HTTPS proxies, see “Creating Web or Secure Web Application
Defenses” on page 156.
Note: If your site requires caching services, you can use the Web proxy server.
The Web proxy server is implemented using Squid, open source software that
provides proxying and caching capabilities. The Web proxy server is described in
Chapter 13.
ICA proxy considerations
The ICA proxy allows you to use the Citrix Independent Computing
Architecture (ICA) protocol to allow remote clients to access applications within
a Citrix server farm. You may locate these applications either by configuring
your client directly, or by pointing it to a master browser. A master browser is a
Citrix server that is configured to be responsible for tracking the ICA functions
that are available for clients to access, such as applications or other Citrix
servers (known as member browsers).
For information on configuring the ICA proxy, see “Configuring proxies” on
page 266
You can configure advanced parameters (such as timeout properties) for the
ICA proxy on a per rule basis using Application Defenses. For information on
creating Application Defenses for the ICA proxy, see “Creating Citrix
Application Defenses” on page 185.
Note: Refer to your Citrix documentation for information on configuring your
master browser and member browsers.
259

Chapter 9: Configuring Proxies
Notes on selected proxy configurations
260
Sun RPC proxy considerations
The RPC proxy allows you to transfer Sun RPC traffic between a client
application and an RPC server on opposite sides of the Sidewinder G2. This
proxy listens on port 111 (the portmap process) for RPC requests and forwards
them to the destination server.
Both TCP and UDP traffic are supported for this proxy. However, some
additional configuration may be necessary for timeout processing when
proxying UDP traffic. UDP sessions remain live until the idle timeout threshold
is met. Therefore, a session with a timeout value of 30 seconds will remain live
for 30 seconds even though the session may have only required two seconds
of processing time.
Connection properties for the Sun RPC proxy are configured via Standard
Application Defenses. See “Creating Standard Application Defenses” on page
201.
Usenet News proxy configurations
Sidewinder G2 supports a Network News Transfer Protocol (NNTP) proxy that
allows you to use a Usenet News server at your site. This allows your site to
exchange news with an Internet News provider. (Sidewinder G2 does not run a
news server because of the large amount of disk space required.)
When you set up a news server at your site, that system must run a Usenet
News package such as C-News/NNTP or InterNet News (INN). You must
arrange for a news “feed” from the site responsible for transferring news to/
from your site. In addition, you need to provide internal users with software that
allows them to access the news that your site receives and post their own
articles to newsgroups.
Before you configure a proxy rule for Usenet News proxies, you must specify
which network objects the news information can be transferred to and from.
For information on network objects, see “Creating network objects” on page
139.
Note: You cannot use the Sidewinder G2 to control which newsgroups your
internal users can subscribe or post to—that must be configured in the Usenet
News software.
Whether you need Usenet News proxies in one direction or two will depend on
your server configuration, as described below. Normally you will use the NNTP
proxy so that news can be transferred only to and from your feed site.

Figure 124: News server
in front of the Sidewinder
G2
Figure 125: News server
behind the Sidewinder G2
News server configurations
Chapter 9: Configuring Proxies
Notes on selected proxy configurations
You have several options for configuring a Usenet News server when you use
the Sidewinder G2 in your network. Two common configurations are listed
below, along with issues to consider with each.
• News server in front of the Sidewinder G2
In this configuration, your news server is placed in front of the Sidewinder
G2. The external server could be operated by your Internet service provider
(ISP) or by your site. This configuration assumes that news access only via
NNTP is allowed, which is typical (rather than through NFS or a local filesystem).
news client
Sidewinder
G2
In Figure 124:
– An internal-to-external proxy is required to allow internal users access
to the news server. An external-to-internal news proxy is not necessary.
– Your router should be used to limit access so that only your news feed
site can access the news server from the Internet.
• News server behind the Sidewinder G2
In this configuration, your news server is behind the Sidewinder G2 on your
internal network.
news client
internal
network
news server
news
proxy
internal
network
external
network
Sidewinder G2
external
network
news server
news feed
261

Chapter 9: Configuring Proxies
Notes on selected proxy configurations
262
In Figure 125:
– Your feed site must send news through the Sidewinder G2. The
Sidewinder G2 forces the connection to go to the server you designate
as your internal news server.
– If the NNTP daemon on your news server is compromised, an attacker
may have full access to the internal network.
– This configuration normally requires a news proxy for each direction as
follows: An internal-to-external proxy must be enabled to allow your
news server to send information to the feed site. A second proxy allows
the feed site to send news to the internal server. The connection in both
directions is handled through the Sidewinder G2. If your internal news
server’s address was visible to the Internet, you could set up an
external-to-internal proxy from your feed site to your news server. This
is usually not the case, since you normally do not want internal
addresses to be visible on the Internet.
Note: If you set up the news feed using the NNTP “pull” model, you will only
need an internal-to-external proxy. (For more information, see Managing
UUCP and Usenet, published by O’Reilly & Associates, Inc.)
– Instead of a standard external-to-internal proxy, you set up an externalto-internal
news proxy using port or address redirection. Redirecting a
proxy allows you to reroute a connection to a specific host system using
the same or different port number as the original connection request.
When you set up a proxy redirection for news, you allow a connection
between your feed site and the Sidewinder G2, then provide the
address of your internal news server to the Sidewinder G2 so it will
reroute the proxy to that server.
Important:If your news server is behind the Sidewinder G2, refer to “Redirected
proxy connections” on page 247 for additional information.
T.120 and H.323 proxy considerations
The T.120 and H.323 proxies can be configured to work together, allowing you
to make use of both the data-sharing and audio/video features of data
conferencing products, such as Microsoft NetMeeting, in a single conference.
This section provides an overview of each proxy and its role in data
conferencing. It also provides information on configuring the two proxies to
work together to enable the complete realm of NetMeeting features.

About the T.120 proxy
Chapter 9: Configuring Proxies
Notes on selected proxy configurations
The T.120 proxy provides support for applications built using the International
Telecommunication Union (ITU) T.120 recommendations. The T.120
recommendations are most prevalent in data conferencing applications. T.120
defines several standardized data conferencing services including application
sharing, text chat, shared whiteboard, and multipoint file transfer.
Microsoft’s NetMeeting is a popular example of a T.120 enabled application.
The T.120 proxy enables you to use all of the standard T.120 data conferencing
services, and provides you with a means to control which services are
accessible. The T.120 proxy also provides support for the Microsoft
NetMeeting chat and application sharing, which are non-standard T.120
application services.
Note: The audio, video, ILS, and ULS features of NetMeeting are not supported by
the T.120 proxy. To provide support for these features, you must enable the H.323
proxy. You must also add the pre-configured NetMeeting proxy rule to the active
proxy rule group. This will ensure that both proxies remain in synchronization with
one another. See “Synchronizing the T.120 and H.323 proxies for use with
NetMeeting” on page 265 for more information.
When configured, the T.120 proxy is transparent to the participants of the data
conference. The T.120 proxy will come into play when a conference participant
attempts to join an existing conference or attempts to invite another participant
that resides in a different burb. The T.120 proxy will intercept and mediate the
session between the pair of conference host machines (referred to as "nodes"
in T.120 parlance).
T.120 conferences are arranged into a hierarchy of nodes. The placement of
the Sidewinder G2 with respect to the nodes in the conference affects how
many sessions are created through the proxy and the communication path of
the conference data. When a first conference participant joins a conference in
a different burb, a T.120 session will be created between the participant's node
and the contacted node. If a second conference participant attempts to contact
the new conference node, a separate session will be created.
The preconfigured NetMeeting proxy rule (when added to the active rule
group) will apply to each participant’s respective node IP address. On the other
hand, if the second participant contacts the first participant and asks to join the
conference, the same session through the proxy will be used. The NetMeeting
proxy rule, which applies to the first participant’s node will also apply to this
session.
The T.120 proxy is configured to use port 1503 by default. This can be changed
as described in “Configuring proxies” on page 266.
263

Chapter 9: Configuring Proxies
Notes on selected proxy configurations
264
About the H.323 proxy
H.323 is an International Telecommunications Union (ITU) standard that
provides support for audio and video conferencing across a shared medium
such as the Internet. The H.323 proxy provides for safe transfer of packets
between burbs, standard functions such as filtering on source and destination
hosts and burbs, and NAT and redirection. The H.323 proxy is a protocolaware,
application layer proxy that examines H.323 packets for correctness
and adherence to site security policy. In addition to the standard filtering
mentioned above, the H.323 proxy provides a mechanism for allowing or
disallowing certain codecs (audio or video encoding schemes) within the H.323
protocol. (See the H.323 permissions discussion in “Creating proxy rules” on
page 222.)
Microsoft NetMeeting is a popular implementation of the H.323 protocol. The
H.323 proxy enables you to use the audio and video features of data
conferencing products, such as NetMeeting.
Note: The standard data conferencing features, as well as the chat and
application sharing features of NetMeeting are not supported by the H.323 proxy.
To provide support for these features, you must also enable the T.120 proxy. You
must also add the pre-configured NetMeeting proxy rule to the active proxy rule
group. This will ensure that both proxies remain in synchronization with one
another. See “Synchronizing the T.120 and H.323 proxies for use with NetMeeting”
on page 265 for more information.
The H.323 proxy can function between two endpoints (a single client
implementation such as NetMeeting), or between one or more endpoints and a
Multi-point Control Unit (MCU). The MCU enables two or more endpoints to
simultaneously participate in a call. Each endpoint sends its audio and video
signals through the Sidewinder G2 to the MCU. The MCU then combines the
audio signals and selects one or more video signals to return to each endpoint.
Note: The H.323 proxy does not recognize any configuration difference between
an endpoint and an MCU.
At this time, the H.323 proxy will not communicate with an H.323 gatekeeper. A
gatekeeper is an entity, not unlike a Sidewinder G2, which sits between the
source and destination endpoints, and typically provides services such as
authentication, authorization, alias resolution, billing, and call routing. If there is
a gatekeeper between the Sidewinder G2 and the source or destination
endpoint, and the endpoint is configured to use the gatekeeper, the conference
will not be possible.
The H.323 proxy must examine the contents of the protocol packets for
encoded addresses and port numbers. Therefore, any sort of encryption of
H.323 sessions is not possible in conjunction with the proxy. When
implementing the H.323 protocol, you must disable NetMeeting's security
features, or the security features of any other endpoint or MCU you may be
using. Additionally, you must not route H.323 traffic through a VPN.

Chapter 9: Configuring Proxies
Notes on selected proxy configurations
Also, any calls originating from the outside network and destined for a host on
the internal network may be configured to use the netmaps feature. (For
information on using netmaps, see “Configuring netmaps” on page 145.) This
provides a form of redirection that allows you to hide a group of addresses
behind the Sidewinder G2 while still allowing the inbound caller to reach the
proper destination machine.
Synchronizing the T.120 and H.323 proxies for use with
NetMeeting
The T.120 and H.323 proxies can work together, allowing you to make use of
both the data-sharing and audio/video features of NetMeeting in a single
conference as follows:
• The T.120 proxy enables you to use all of the standard T.120 data
conferencing services and provides you with a means to control which
services are accessible. The T.120 proxy also provides support for the
Microsoft NetMeeting chat and application sharing, which are non-standard
T.120 application services.
• The H.323 proxy provides support for the audio and video features of
NetMeeting.
To make use of both the data-sharing and audio/video features of NetMeeting
in a single conference, you must ensure that both the T.120 and H.323 proxies
are enabled in the same burbs. This is necessary because for a single
NetMeeting session, part of the traffic (the H.323 portion) is routed through the
H.323 proxy, and part of the traffic (the T.120 portion) is routed through the
T.120 proxy. If the H.323 and T.120 proxy configurations are out of
synchronization, it is likely that NetMeeting conferences will not function
correctly or completely (for example, audio and video work, but data-sharing
does not work).
To prevent the two proxies from becoming out of synchronization, add the preconfigured
NetMeeting proxy rule to your active rule group. The NetMeeting
proxy rule allows access to both the T.120 and H.323 proxies (using the preconfigured
NetMeeting Service Group), and allows access to all available
NetMeeting features.
You can modify the default NetMeeting proxy rule or create your own proxy
rules to allow only a portion of NetMeeting’s features, such as the chat and
whiteboard features. These properties are configured via the Multimedia
Application Defense. For information on configuring Application Defenses for
H.323/T.120, see “Configuring the IIOP Connection tab” on page 191.
To appropriately restrict access for the NetMeeting proxy rule, configure
network objects or other rule elements. For example, if you want to allow only
administrators access to all NetMeeting features, create and specify a network
object within a proxy rule that contains the IP addresses for all of your
administrators. See “Rule elements” on page 103 and “Creating proxy rules” on
page 222 for more details.
265

Chapter 9: Configuring Proxies
Configuring proxies
Configuring
proxies
266
Notes on using the DNS proxy
If you have many hosts on a trusted network that point to an external DNS
server, and you want these hosts to use the unbound DNS server on the
Sidewinder G2 instead, you have two options:
• You can modify each of the individual hosts to point to the unbound DNS
server.
• You can configure a DNS proxy rule on the Sidewinder G2 that redirects the
DNS traffic from the trusted burb in which the hosts reside to the unbound
DNS server. This may be the preferred option if you have hundreds or
thousands of local hosts, because you can make one change on the
Sidewinder G2 rather the hundreds or thousands of individual changes.
When defining the DNS proxy rule, be sure to set the following information
on the Source/Dest tab in the Proxy Rule window:
– Set the NAT Address field to Host: localhost.
– Set the Redirect Host field to IPAddr: Firewall. The DNS proxy will not
allow redirection to any other loopback addresses (127.2.0.1).
Important: If your Sidewinder G2 uses split DNS mode, do not create this type of
proxy rule on the Internet burb, because traffic will bypass the Internet DNS name
server.
The pre-configured Sidewinder G2 proxies consist of standard settings and
require very little modification. For most proxies the only configuration decision
to be made is whether to enable or disable each individual proxy. However, the
Admin Console also provides the capability to modify and delete existing
proxies, or to create entirely new proxies.
Tip: You can configure advanced properties for most proxies on a per rule basis
using Application Defenses. For information on configuring Application Defenses,
see Chapter 6. For an overview of Application Defenses, see “Application
Defenses” on page 109.
To configure properties for a proxy, start the Admin Console and select
Services Configuration > Proxies. A table appears in the upper portion of the
window, listing the available proxies. (Use the scroll bar to browse the entire list
of proxies.)

Figure 126: Proxies
window
About the Proxies
window
Chapter 9: Configuring Proxies
Configuring proxies
The main proxy window consists of a proxy table that lists all of the proxies that
are currently available by row. Each row displays a summary of the current
configuration for that proxy, as follows:
Tip: You can configure advanced properties for most proxies on a per rule basis
using Application Defenses. For information on configuring Application Defenses,
see Chapter 6. For an overview of Application Defenses, see “Application
Defenses” on page 109.
Note: To enable or disable the Web proxy server, refer to “Configuring the Web
proxy server” on page 383.
• Proxy Name—Displays the name of the proxy.
• Attributes—Displays icons indicating the type of Application Defense
associated with a proxy, as well as which protocol this proxy uses. (A “T”
icon with a solid line beneath it appears for TCP proxies, and a “U” icon with
a dashed line appears for UDP proxies. If a proxy uses both protocols, both
icons will appear.)
• Enabled in Burbs—Displays the burb(s) for which this proxy is currently
enabled.
• Port Definitions—Displays the port(s) that this proxy currently uses.
To create a new proxy, click New beneath the proxy table. See “Setting up a
new proxy” on page 270 for details on creating a new proxy.
267

Chapter 9: Configuring Proxies
Configuring proxies
268
To delete a proxy, highlight the proxy you want to delete, and click Delete in the
lower left portion of the window. You cannot delete proxies that are preconfigured
on the Sidewinder G2 and you cannot delete a proxy that is
specified as a service in a proxy rule.
When you select a proxy in the proxy table, the configuration information for
that proxy appears in the Proxy Properties tab in the lower portion of the
window. This tab allows you to modify the proxy information. However, you
cannot modify a proxy’s name or protocol once it has been created. To change
the name or protocol for a proxy, you must delete the proxy and then create a
new proxy with the new name and/or protocol.
To configure or modify the properties for a proxy, select the proxy in the table,
and follow the steps below.
Note: The fields that appear will vary depending on which proxy you select.
1 In the Enabled In Burbs field, select the burb(s) for which this proxy is
enabled. A check mark indicates that a burb is enabled for that proxy.
Important: Be sure to deselect any burbs for which you do not want this proxy
enabled. (If a burb is disabled, a check mark will not appear next to it.)
2 In the Port Definitions field, specify the port(s) or range(s) of ports that the
proxy will use. TCP proxies can have multiple, non-contiguous ports
configured. Non-TCP proxies may only be allowed to have a single port, or
a single port range configured.
To add a new port or range of ports, click New. To modify an existing port or
range of ports, highlight the entry and click Modify. The Port(s) Configuration
window appears. For information on configuring the Port Configuration
window, see “Configuring connection ports” on page 271.
Important: Do not specify a port number or range that is currently being used
for a server or another proxy running on the Sidewinder G2.
3 (http, https, sql, and generic TCP proxies only) To specify the total number
of connections expected for a proxy, select one of the following options
from the Expected Connections drop-down list:
Caution: Do not change the value for this field unless you have experienced
performance problems for one of the proxies listed. Opening multiple instances
of a single proxy can create performance problems if you enable them
unnecessarily. For specific information on when to enable multiple proxy
instances, see “Configuring multiple instances of certain proxies” on page 246.
• 1000—Select this value to open a single instance for a proxy.
• 2000—Select this value to open a single instance for a proxy.
• 4000—Select this value to open two identical proxies.
• 8000—Select this value to open four identical proxies.
• 16000—Select this value to open eight identical proxies.

Figure 127: ica proxy
Advanced tab
About the ICA proxy
Advanced tab
Configuring the ping
proxy Advanced tab
Chapter 9: Configuring Proxies
Configuring proxies
4 Click the Save icon to save your changes, or click Cancel to revert to the
previously saved data.
You can configure advanced proxy parameters (such as Fast Path Sessions)
and assign them on a per rule basis using Application Defenses. See Chapter
6 for details.
Note: The ICA and ping proxies contain an additional Advanced tab that you can
configure. For information on configuring the ICA proxy Advanced tab, see
“Configuring the ICA proxy Advanced tab” on page 269. For information on
configuring the ping proxy Advanced tab, see “Configuring the ping proxy
Advanced tab” on page 269.
Configuring the ICA proxy Advanced tab
To configure the Advanced tab for the ICA proxy, in the Admin Console, select
Services Configuration > Proxies. The Proxies window appears. Select the ica
proxy from the proxy table and select the Advanced tab. The following tab
appears in the lower portion of the window.
The ICA Advanced tab allows you to configure which burbs you want to enable
for the master browser. Follow the steps below.
Note: Refer to your Citrix documentation for information about the master browser.
1 In the Browser field, select the burb(s) for which you want to enable the
master browser.
2 Click the Save icon in the toolbar to save your changes.
Ping timeout properties cannot be configured on a per rule basis. Therefore,
advanced ping properties cannot be configured via Application Defenses. To
configure the timeout value for the ping proxy, do the following:
1 In the Admin Console, select Services Configuration > Proxies.
2 Select the ping proxy, and then select the Advanced tab.
3 In the Timeout field, specify the length of time, in seconds, that the proxy
should attempt to reach the server before the proxy stops trying.
4 Click the Save icon to save your changes.
269

Chapter 9: Configuring Proxies
Setting up a new proxy
Setting up a new
proxy
270
Figure 128: New Proxy
window
Entering new proxy
information
As described earlier in this chapter, the Sidewinder G2 is set up to run a variety
of standard proxies. You can set up additional proxies if needed. To set up a
new proxy, you will need to know the name of the service and the port
number(s) on which it runs. In the Admin Console, select Services
Configuration > Proxies. The Proxies window appears.
This window allows you to define a new proxy. Follow the steps below.
1 In the New Proxy Name field, type a descriptive name for the new proxy.
You cannot modify the proxy name once it has been saved.
2 In the Protocol drop-down list, select the appropriate protocol for this proxy,
as follows:
• TCP—Select this option to create a TCP proxy.
• UDP—Select this option to create a UDP proxy.
• Other—Select this option to create a new instance of an applicationaware
proxy. If you select this option, a drop-down list appears. Select
the appropriate service from the list.
3 In the Port Range field, click New to specify the port range that the proxy
will use. See “Configuring connection ports” on page 271 for more
information on configuring ports.
Important: Do not specify a port number or range that is currently being used
for a server or another proxy running on the Sidewinder G2.
4 Click Add to add the new proxy to the proxy table. Once you have added
the proxy to the table, you may select the proxy and configure additional
information such as the burbs for which it will be enabled. For information
on configuring the proxy, see “Configuring proxies” on page 266.
5 After configuring a new proxy, configure access restrictions to the proxy by
following the procedure described in “Creating proxy rules” on page 222.

Configuring connection ports
Chapter 9: Configuring Proxies
Setting up a new proxy
The Port Configuration window allows you to configure a single port or a port
range by selecting one of the following radio buttons:
• Single Port—Select this option to specify a single port. In the Port field,
enter a port number.
• Port Range—Select this option to specify a port range. In the Begin and
End Port fields, enter the range of ports that this proxy can use.
Configuring an SNMP port definition
The SNMP Port window allows you to configure an alternative port the for
SNMP proxy. Enter a port number that is greater than 1500. Sidewinder G2
automatically assigns the associated trap port to the next sequential port.
For example, if you enter the 1501 in the SNMP Port field, 1502 automatically
is assigned as the Trap Port.
TCP maximum segment size
The TCP layer uses a maximum segment size (MSS) parameter to determine
how much data can fit in a single data segment. At connection time, systems
negotiate how big this value can be.
If you choose an MSS that is too small, all systems passing a given piece of
data through a network must process more IP and physical network frames.
This can drastically slow down an entire network. On the other hand, an MSS
value that is too large forces the IP layer to fragment and reassemble the data,
overburdening the receiving system.
Almost all systems on the Internet accept a TCP MSS of 536 data bytes. Most
newer TCP/IP systems can effectively use a TCP MSS of 1460 bytes,
improving the traffic load on the entire network. The Sidewinder G2 uses this
as the default MSS value. With systems that cannot accept segments of 1460
bytes, the Sidewinder G2 negotiates down to the MSS that can be effectively
used.
In a few cases, the default 1460 byte MSS size could cause a problem. Some
older TCP/IP implementations do not negotiate the TCP MSS value. These
older implementations also cannot perform IP reassembly. The most likely
symptom will be that these systems will no longer be able to communicate
through the Sidewinder G2.
The TCP MSS can be set to different values using the sysctl command. For
example, the following command sets the TCP MSS to 536:
sysctl -w net.inet.tcp.mssdflt=536
Important: You must also add this line to /etc/rc.local or it will be overwritten upon
reboot.
271

Chapter 9: Configuring Proxies
Setting up a new proxy
272

10
CHAPTER
Setting Up
Authentication
In this chapter...
Authentication overview ...............................................................274
Supported authentication methods...............................................277
Authentication process overview..................................................282
Users, groups, and authentication................................................283
Configuring authentication services .............................................284
Configuring SSO ..........................................................................300
Setting up authentication for services ..........................................303
Special authentication notes.........................................................304
Setting up authentication for Web sessions .................................305
Setting up authentication for administrators .................................306
Allowing users to change their passwords ...................................306
How users can change their own password.................................308
273

Chapter 10: Setting Up Authentication
Authentication overview
Authentication
overview
274
In general, authentication refers to a process that validates a person’s identity
before he or she is allowed to log into a network server. Depending on the
authentication method used, a person must provide a user name and valid
password and/or a special passcode or personal identification number (PIN)
before being logged on to a server. If a user enters an invalid password,
passcode, or PIN the log in request is denied.
There are two basic Sidewinder G2 authentication scenarios: proxy
authentication and Sidewinder G2 administrator authentication. The following
sections describe each scenario.
Proxy authentication
You can configure the Sidewinder G2 to authenticate network users trying to
connect from one side of the Sidewinder G2 to another via a Web, SOCKS5,
Telnet, or FTP proxy. You can authenticate proxy use for internal-to-external,
external-to-internal, and internal-to-internal connections.
• Internal-to-external authentication
You can authenticate internal users whenever they try to access a
SOCKS5, Telnet, FTP server, or Web access through the Sidewinder G2.
While internal users are generally thought to be trusted, authenticating
internal-to-external proxy connections provides an extra level of security
and allows you to closely track who is using each Internet service and how
long they are using it. (See Chapter 20 for information on Sidewinder G2
reporting.) For example, you might use this information for internal accounting.
Note that if you do not authenticate internal-to-external proxies, you
can still track Internet usage, but the tracking is done for each machine
address only (not for individual users).
• External-to-internal authentication
You can authenticate SOCKS5, Telnet, FTP, or Web access from the Internet
to hosts on an internal network. For example, an internal network may
have Telnet, FTP, or Web servers that users at another location need to
access via the Internet. In most, if not all cases, your Sidewinder G2 should
be configured to authenticate all external-to-internal proxy connections.
• Internal-to-internal authentication
When your Sidewinder G2 is configured with two Ethernet cards for two
internal networks, you can authenticate SOCKS5, Telnet, FTP, and Web
access from one internal network to a second internal network.

Administrator authentication
Chapter 10: Setting Up Authentication
Authentication overview
When you log into the Sidewinder G2, you are authenticated using either
standard UNIX password authentication or a stronger form of authentication,
such as SafeWord PremierAccess. If standard UNIX password authentication
is used, the password you provide is maintained in the user database, and the
Sidewinder G2 checks the database to validate your password. Dynamic
passwords, called passcodes, or challenge/response information generated for
stronger authentication methods are not stored on the Sidewinder G2. Instead,
they are located on the associated authentication server. (Strong
authentication is described in the next section.) The default administrator
authentication method is configured in the Firewall Accounts window. For
information on configuring the default administrator authentication method, see
“Setting up and maintaining administrator accounts” on page 43.
Administrators can use Telnet or SSH to access a Sidewinder G2 via a
command line interface. By default, standard UNIX password authentication is
used to validate this type of remote login attempt.
Note: Secure Computing recommends using a strong authentication method for
login attempts from a remote server.
Weak versus strong authentication
Secure Computing uses the terms “weak” and “strong” when referring to the
level of security provided by an authentication method. The differences are
discussed in the following section.
Weak authentication
A weak authentication method merely requires a user to enter the same
password each time he or she logs on. The “standard” UNIX password process
is considered to be a weak authentication method. If someone “sniffs” the
password off the phone line or network as it is transmitted, they can
conceivably use that password to break into the system. Because your internal
network is thought to be “trusted,” this type of authentication is generally used
for authenticating internal-to-external proxy connections.
275

Chapter 10: Setting Up Authentication
Authentication overview
Hardware
authenticators
Software
authenticators
276
Strong authentication
A basic premise of security is to positively identify who is accessing your
networks. Strong user authentication performs this function and is generally
desired for external-to-internal proxy connections. An authentication server,
such as Secure Computing’s SafeWord PremierAccess, typically resides in the
internal network burb. When a user attempts to log in, the authentication server
displays a passcode prompt for the user.
A passcode is a unique, one-time response that is generated for the user via a
hardware or software authenticator known as a token. Because the token
generates a unique passcode for each log in attempt, they are immune to
passcode sniffing or theft. Because the passcodes are generated by a
cryptographic algorithm, they are essentially impossible to guess.
When tokens are PIN-protected, this strong authentication method is known as
two-factor authentication. That is, authentication is based on something the
user knows (a PIN that allows access to the token) and something the user has
(a token that generates unique passwords).
The Sidewinder G2 coordinates the passcode prompt and response process
between the authentication server and the user. The authentication server
maintains detailed information about user accounts and connection times.
A hardware authenticator is a small, hand-held device that looks similar to an
ordinary calculator. The hardware authenticator displays the proper log in
response on a digital display. A hardware authenticator is platformindependent
and can be used from any PC or workstation equipped for
network communications.
In contrast, a software authenticator is installed directly on the user’s PC or
workstation. It automates the response process, requiring the user only to
enter a personal identification number (PIN). A valid PIN unlocks the software
authenticator, which then calculates and returns the proper log in response. An
example of a supported software authenticator is the SafeWord PremierAccess
SofToken-II.

Supported
authentication
methods
Chapter 10: Setting Up Authentication
Supported authentication methods
Sidewinder G2 supports standard UNIX password authentication, Windows
Domain authentication, and the following stronger authentication methods:
SafeWord PremierAccess and SafeWord RemoteAccess (from Secure
Computing Corporation), SecureNet Key (SNK) from Symantec Corporation,
and SecurID from RSA Security, Inc. Sidewinder G2 also supports the
widely-used RADIUS authentication protocol and the Lightweight Directory
Access Protocol (LDAP). All of these can be used to authenticate SOCKS5,
Telnet, FTP, and Web connections through the Sidewinder G2 and
administrator log in connections to the Sidewinder G2.
Table 23 provides a brief summary of the authentication methods supported by
the Sidewinder G2.
Note: Single Sign-On (SSO) can be used in conjunction with the authentication
methods listed below to cache a user’s initial authentication, thereby allowing
access to multiple services with a single authentication to the Sidewinder G2. For
information on configuring SSO, see “Configuring SSO” on page 300.
Table 23: Authentication methods available for the Sidewinder G2
Authentication
Methods
Security
Level
Recommended Usage Server Type
Standard Password Weak • Internal-to-external login
• FTP
• Telnet
• Web
• SOCKS5
• SSH sessions
SafeWord
(PremierAccess and
RemoteAccess)
Strong • External-to-internal login
• FTP
• Telnet
• Web
• SOCKS5
• SSH sessions
LDAP Weak • Internal-to-external login
• FTP
• Telnet
• Web
• SOCKS5
• SSH sessions
Authenticator
Type
Not applicable Not applicable
SafeWord
Authentication Server,
external to the
Sidewinder G2
X.500 or other LDAPcompatible
directory
server, external to the
Sidewinder G2
Software
(SoftToken II)
and hardware
token (Silver
2000, Gold 3000,
Platinum)
Not applicable
More...
277

Chapter 10: Setting Up Authentication
Supported authentication methods
278
Authentication
Methods
Windows Domain Weak • Internal-to-external login
• FTP
• Telnet
• Web
• SOCKS5
• SSH sessions
SecureNet Key
(SNK)
Security
Level
Recommended Usage Server Type
Strong • External-to-internal login
• FTP
• Telnet
• SSH sessions
SecurID Strong • External-to-internal login
• FTP
• Telnet
• Web
• SOCKS5
• SSH sessions
RADIUS Strong • External-to-internal login
• FTP
• Telnet
• Web
• SSH sessions
Standard Password Weak • Internal-to-external login
• FTP
• Telnet
• Web
• SOCKS5
• SSH sessions
Windows primary
domain controller
(PDC) or backup
domain controller
(BDC)
Standard password authentication
Defender Security
Server (DSS), external
to the Sidewinder G2
ACE/Server, external
to the Sidewinder G2
RADIUS server,
external to the
Sidewinder G2
Authenticator
Type
Not applicable
SecureNet Key
(SNK) or
Symantec
Corporation
hardware
authenticator
SecurID hardware
authenticator
Standard password authentication requires a user to enter the same password
each time he or she logs on. This method typically is used for authenticating a
user’s internal-to-external SOCKS5, Telnet, FTP, and Web connections, and
local Sidewinder G2 administrator log ins. Since the internal users are
generally thought to be trusted, a weak authentication method is probably all
that is required. You may want to authenticate internal-to-external connections
not so much for security reasons but to track usage of the system.
Any
Not applicable Not applicable

SafeWord authentication
Chapter 10: Setting Up Authentication
Supported authentication methods
The SafeWord family of authentication servers that interoperate with the
Sidewinder G2 includes SafeWord RemoteAccess and SafeWord
PremierAccess. The following table provides a reference to better understand
each server’s authentication capabilities when interoperating with Sidewinder
G2.
Table 24: Authentication capabilities of SafeWord servers
Feature/Capability
Sidewinder G2 authentication
methods supported
SafeWord
RemoteAccess
When connected to the Sidewinder G2 using standard RADIUS ports, the
authentication method is appropriately called RADIUS. This method is
available with both SafeWord RemoteAccess and SafeWord PremierAccess.
(For additional information on RADIUS, see “RADIUS authentication” on page
281.)
SafeWord PremierAccess provides the ability to use fixed passwords or
passcode authentication for Telnet and FTP sessions through the Sidewinder
G2, and can be used to authenticate logins and SSH logins to the Sidewinder
G2. Web sessions can also be authenticated, but are limited to using either
fixed passwords or passcodes without the challenge/response option. (Not all
tokens support this option.)
The biggest advantages of using a tightly coupled configuration such as
SafeWord PremierAccess authentication are the following:
• An improvement in performance over RADIUS
SafeWord
PremierAccess
RADIUS only SafeWord & RADIUS
Fixed passwords No Yes
Dynamic passcodes w/o
challenge
Dynamic passcodes with
challenge
Hardware tokens
only
No Yes
Hardware and
software tokens
Location of user database Active Directory SafeWord
Connectivity w/ Sidewinder G2 RADIUS ports only RADIUS ports or port
5030 (default)
279

Chapter 10: Setting Up Authentication
Supported authentication methods
280
• The ability for PremierAccess to forward role information for a user from the
PremierAccess database to the Sidewinder G2. (While SafeWord
PremierAccess can be connected to Sidewinder G2 via standard RADIUS
ports, configuration changes to the user’s role cannot be made available to
the Sidewinder G2.)
Note: SafeWord RemoteAccess is always connected to the Sidewinder G2 via
standard RADIUS ports and therefore cannot be assigned the SafeWord
authentication method. Aside from the ability to return a user’s role, SafeWord
RemoteAccess provides equally strong user authentication via the RADIUS
interface.
LDAP/Active Directory
LDAP (Lightweight Directory Access Protocol)/Active Directory is a protocol
that you can use to provide fixed password authentication for SOCKS5, Telnet,
FTP, and Web sessions through the Sidewinder G2. It can also be used to
authenticate logins and SSH logins to the Sidewinder G2. You can set up an
LDAP directory server containing users and passwords. Use any valid
combination of LDAP attributes and values as an optional filter string to
distinguish authorized Sidewinder G2 users.
Windows Domain
If your organization operates a Windows primary domain controller (PDC) or
backup domain controller (BDC), you can use it to provide weak authentication
for login, SOCKS5, Telnet, FTP, Web, and SSH sessions to the Sidewinder G2.
The PDC or BDC can be used to provide password authentication. Be sure the
domain controller does not allow blank or default logins that can be easily
guessed by outsiders.
You can also use transparent browser authentication. Transparent browser
authentication is controlled on a per-rule basis and is enabled on the Rule’s
Authentication tab. For more information about configuring your organization’s
PDC or BDC to use transparent browser authentication on Sidewinder G2, see
the related application note located at
:www.securecomputing.com/goto/appnotes.

Chapter 10: Setting Up Authentication
Supported authentication methods
SNK (SecureNet Key)/Symantec Defender authentication
If your organization operates a Defender Security Server (DSS) (made by
Symantec Corporation) you can use it to provide fixed password, challenge/
response, or password + challenge/response authentication for SOCKS5,
Telnet, and FTP sessions through Sidewinder G2. It can also be used to
authenticate logins and SSH logins to Sidewinder G2. Web sessions can also
be authenticated but are limited to using the password authentication method.
SecurID authentication
If your organization operates an ACE/Server (made by RSA Security, Inc.) you
can use it to provide fixed or one-time password authentication for login,
SOCKS5, Telnet, FTP, Web, and SSH sessions to the Sidewinder G2. For this
authentication method, users enter a PIN and a passcode that is displayed on
the user’s SecurID authenticator.
RADIUS authentication
If your organization operates a RADIUS server, you can use it to provide strong
authentication for SOCKS5, Telnet, FTP, and Web sessions through the
Sidewinder G2. It can also be used to authenticate logins and SSH logins to
the Sidewinder G2.
SafeWord RemoteAccess and SafeWord PremierAccess are RADIUS servers
that have been certified for full interoperability with the Sidewinder G2. As
shown in Table 24, each method provides strong authentication using
passcodes for SOCKS5, Telnet, and FTP sessions through the Sidewinder G2,
and for authenticating logins and SSH logins to the Sidewinder G2. Web
sessions can also be authenticated, but are limited to using fixed passwords or
passcodes without a challenge/response option.
281

Chapter 10: Setting Up Authentication
Authentication process overview
Authentication
process
overview
282
Figure 129:
Authentication servers
supported by the
Sidewinder G2
For all authentication methods, a warder in the Sidewinder G2 communicates
with an authentication server to validate users. A warder provides an interface
between the proxy software and the various authentication services. As shown
in Figure 129, there is a separate warder for each authentication method.
3
Sidewinder G2
proxy
active rules
Windows Domain
warder
LDAP warder
RADIUS warder
SNK warder
SecurID warder
SafeWord
warder
password warder
user database
2 5
4
6
1
client PC
or workstation
NT PDC OR BDC
LDAP SERVER
RADIUS SERVER
DEFENDER SEC.
SERVER (DSS)
ACE SERVER
SAFEWORD
SERVER
database
database
database
database
database
database
Note: The numbers in this
figure correspond to the
process overview steps
listed on the next page.

Users, groups,
and
authentication
Chapter 10: Setting Up Authentication
Users, groups, and authentication
The numbers in Figure 129 represent the sequence of events that occur when
a remote user requests a network connection through the Sidewinder G2.
These events are described below. In this scenario, the user is authenticated
using SafeWord PremierAccess, which implements a challenge-response
authentication process. (Note that the process is different for other
authentication methods.)
1 A user tries to make a network connection via Telnet or FTP.
2 The Sidewinder G2 checks the active rules to determine whether the
connection between the source and destination addresses is allowed and
to determine which warder to use.
3 If the connection is allowed, the proxy contacts the appropriate warder in
the Sidewinder G2.
4 The warder passes the log in request to the appropriate authentication
server. The server checks the data base to verify the user’s log in name is
registered and then generates a log in prompt.
5 The log in challenge is sent to the user. Using client software or a hardware
authenticator, the user types in the proper response to the prompt.
6 The Sidewinder G2 sends the response to the authentication server. The
authentication server checks the response and informs the Sidewinder G2
to either accept or reject the log in request.
As a Sidewinder G2 administrator, you are responsible for configuring the
Sidewinder G2 to work with the desired authentication server. The first step is
identifying the users that will need authentication services on the Sidewinder
G2. You can set up authentication on a user-by-user basis or create user
groups. A user group is a mechanism that allows you to identify multiple users
by a single name, making it easier to configure authentication requirements for
your network.
Note: The procedures to add users to the user database and set up user groups
are described in Chapter 5.
After defining and creating the appropriate user groups for your site, you need
to configure the authentication method(s) that your site will use. The following
section describes what needs to be done to configure the Sidewinder G2 for
authenticating users or administrators.
283

Chapter 10: Setting Up Authentication
Configuring authentication services
Configuring
authentication
services
284
Figure 130:
Authentication
Configuration window
About the
Authentication
Configuration
window
To configure authentication services for the Sidewinder G2, start the Admin
Console and select Services Configuration > Authentication. The
Authentication Configuration window appears.
Note: You must configure an authentication method before it can be enabled.
This window allows you to configure authentication services on the Sidewinder
G2. You can also manage locked out administrators and users, and SSOauthenticated
users. You can perform the following actions in this window:
• Configure an authentication method—To configure an authentication
method, click the appropriate Configure button. (If you attempt to enable an
authentication method that has not yet been configured, you will be
prompted to configure the method first.) The following authentication
methods can be configured:
– LDAP/Active Directory—To configure LDAP/Active Directory
authentication, see “Setting up LDAP authentication” on page 288.
– Password—To configure password authentication, see “Setting up
password authentication” on page 291.
– RADIUS—To configure RADIUS authentication, see “Setting up
RADIUS authentication” on page 292.
– SafeWord—To configure SafeWord PremierAccess authentication in a
tightly coupled configuration, see “Setting up SafeWord authentication”
on page 294. (SafeWord PremierAccess and SafeWord RemoteAccess
can also be configured using the RADIUS interface.)
– SecurID—To configure SecurID authentication, see “Setting up SecurID
authentication” on page 295.

Chapter 10: Setting Up Authentication
Configuring authentication services
– SNK/Symantec Defender—To configure SecureNet (SNK)/Symantec
Defender authentication, see “Setting up SecureNet Key (SNK)
authentication” on page 296.
– Windows Domain—To configure Windows Domain authentication, see
“Setting up Windows Domain authentication” on page 298.
• Enable/disable an authentication method—A check mark appears in front
of authentication methods that are currently enabled. To enable an
authentication method, select the appropriate check box under the Enable
Warders area. To disable an authentication method, deselect the
appropriate check box in the Enable Warders area.
Note: If you attempt to enable an authentication method that has not yet been
configured, you will be prompted to configure the method first.
• Manage locked out users—To configure the Sidewinder G2 to lockout a
user if the number of failed authentication attempts reaches the specified
lockout threshold, or to manage users who are currently locked out, click
Authentication Failure Locked Out Users and see “Configuring and
managing the locked out users” on page 286 for details.
• View SSO Authenticated Users—To view users currently in the SSO
authenticated cache, click Current SSO Authenticated Users, and see
“Viewing currently authenticated SSO users” on page 287.
• Configure external authorization roles—The External Authorization Roles
list displays the roles defined by an external authentication program (for
example, SafeWord PremierAccess or LDAP/Active Directory) that can be
used within a Sidewinder G2 proxy rule. Use the New, Modify, and Delete
buttons to manage this list. If you click New or Modify under the External
Authorization Roles field, the New (or Modify) External Authorization Roles
window appears.
Note: See “Creating proxy rules” on page 222 for information on how these
roles are used in a proxy rule. (You may need to consult the administrator of
your particular authentication program for the names of the roles to add to this
list.)
About the New (or Modify) External Authorization Roles
window
The New (or Modify) External Authorization Roles window contains a single
External Role field in which you specify a name for the external role. Currently,
the only external authorization servers that support roles within a proxy rule are
SafeWord PremierAccess and LDAP/Active Directory. The name of the
external role must match the name of a group within the server (SafeWord
PremierAccess or LDAP) to which the user belongs.
Click Add to add the entry to the External Authorization Roles list, to add the
entry and close the window.
285

Chapter 10: Setting Up Authentication
Configuring authentication services
286
Configuring and managing the locked out users
This window allows you to configure the authentication failure lockout feature
on your Sidewinder G2. The authentication failure lockout feature allows you to
configure the Sidewinder G2 to block access to a user if the number of
consecutive failed authentication attempts reaches a configured number. This
protects unauthorized users from multiple attempts at guessing a user’s
password. Using this window, you can perform the following actions:
Important: If all administrators become locked out of the Sidewinder G2, see
“Manually clearing an authentication failure lockout” on page 654.
• Enable or disable the lockout feature—To enable this feature, select the
Enable radio button. To disable this feature, select the Disable radio button.
When this feature is enabled, any time a user account surpasses the specified
authentication attempt threshold without a successful authentication,
that user will be locked out until the lock is cleared by an administrator. The
lock can also be cleared if the locked out administrator logs in at the
Sidewinder G2 using the correct login information.
When authentication failure lockout is enabled, the client-side cache is
emptied and authenticated allow rules will not be cached.
• View locked out users—The Locked Out Users area lists any users who
are currently locked out of the Sidewinder G2 due to exceeded
authentication failures. It will also display the number of failed login
attempts for each user.
• Configure the lockout threshold—The Lockout Threshold field allows you
to specify the number of failed login attempts that can occur for a single
user account before that user is locked out of the Sidewinder G2.
Note: When a user is locked out, their authentication method will become
invalid. They will not be notified that they are locked out.
• Clear user locks—To clear the lock for a user select the user and click
Clear.

Figure 131: SSO
Cached Authentication
Users
Viewing currently authenticated SSO users
Chapter 10: Setting Up Authentication
Configuring authentication services
This window allows you to view the current SSO-authenticated (cached) users.
In this window, you have the option to override the authentication cache default
values and immediately expire user SSO authentication for one or more users.
The Authentication Cache table allows you to view all users who are currently
authenticated (cached) using SSO. The following fields are displayed in the
table:
Note: If you disable the SSO server, the authenticated user cache will be emptied.
When the SSO server is enabled again, all users will need to authenticate before
being added back into the cache.
Note: For information on configuring SSO, see “Configuring SSO” on page 300.
• Name—This column displays the name(s) of all users who currently have
cached authentication.
• External Group—This column displays the external group to which a user
belongs.
• Warder—This column displays the type of authentication used by a user.
• IP Address—This column displays the source IP Address from which the
authentication request originated.
• Time of User Entering Cache—This column displays the time at which a
user was initially authenticated and added to the cache.
• Time Cached Data Last Accessed—This column displays the time at which
a user last accessed a service that required authentication.
To expire the SSO authentication cache for all users listed in the table, click
Expire All Entries. To expire the SSO authentication cache for a single user or
group of users, select the users you want to expire by clicking the appropriate
table row(s). To select multiple users, press and hold the Ctrl key as you select
users. Then click Expire Entry(s) to expire the selected users from the
authentication cache.
287

Chapter 10: Setting Up Authentication
Configuring authentication services
288
Figure 132: LDAP/Active
directory window
Entering information
on the LDAP
Configuration
window
When you expire the authentication cache for a user(s), those users will be
required to re-authenticate before they can again access any authenticated
services.
Note: Subsequent authentication requests by an expired user will be cached when
they re-authenticate, allowing them to again use SSO authentication.
Setting up LDAP authentication
To configure LDAP authentication on the Sidewinder G2, in the Admin Console
select Services Configuration > Authentication, and click Configure LDAP.
The following window appears.
This window is used to configure your Sidewinder G2 to work with an LDAP
server. The top left portion of the window displays a list of any current LDAP
servers you have defined. To configure the general LDAP properties for all of
the defined LDAP servers, follow the steps below.
1 Define and rank the LDAP/Active Directory servers to use for authentication.
Sidewinder G2 always uses the server ranked first, unless it is unavailable.
Note: See “Configuring the Domain Controller Configuration window” on page
290 for instructions on adding or modifying an LDAP server entry.
• To add a new server, click New.
• To modify an existing server, select the server and click Modify.
• To delete an existing server, select the server and click Delete.
• To change a server’s rank, select the server and use the up and down
arrows.

Chapter 10: Setting Up Authentication
Configuring authentication services
2 Select which Directory User Identifier and Directory Member Identifier to
use from the following options. The defaults are displayed in the Directory
User Identifier and Directory Member Identifier fields.
• Use Active Directory defaults—Select this option if using an Active
Directory LDAP server.
• Use iPlanet defaults—Select this option if using an iPlanet LDAP server.
• Use Open LDAP defaults—Select this option if using an Open LDAP
server.
• Specify LDAP attributes—Select this option to customize the Directory
User Identifier and Directory Member Identifier.
3 Define the search container option by selecting one of the following:
• Search in defined containers only—Select this option to limit searches
to containers listed here. To add or modify a search container, see
“Adding/modifying search containers” on page 290.
• Search in containers and all subcontainers—Select this option to
search all listed containers and their subcontainers. If this option is
selected, in step 4 you must indicate what credentials the LDAP server
requires to allow subcontainer searches.
• Search in Active Directory domains—Select this option to search only
in Active Directory domains listed here. Each domain must be listed
separately.
4 [Conditional] This option is only enabled if you selected Search in
containers and all subcontainers in step 3. In the Define LDAP/Active
Directory Servers area, select how Sidewinder G2 will connect to LDAP/
Active Directory servers by selecting one of the following options:
• Connect to Server(s) Anonymously—Select this option if the LDAP
server allows Sidewinder G2 to connect and search subcontainers
without providing login information.
• Connect to Server(s) with Username/Password—Select this option if
the LDAP server requires Sidewinder G2 to submit the specified login
name and password in order to connect and search subcontainers.
5 Select the filtering criterion:
• Do not filter searches—Select this option to disable filtering of the
LDAP or Active Directory tree.
• Only allow users that match the filter below—Select this option to filter
users based on the profile filter displayed here. Enter the filter name in
the Profile Filter field.
6 Click Server Timeouts/Retries to configure the retry and login limits. For
more information, see “Configuring the Server Timeouts/Retries window” on
page 290.
7 In the Configure Console and Telnet LDAP login area, click Login Options
to configure the prompts presented when parameters for logging into the
Sidewinder G2 require LDAP authentication. See “Configuring the Login
Options window” on page 290 for more information.
289

Chapter 10: Setting Up Authentication
Configuring authentication services
290
Configuring the Domain Controller Configuration window
The LDAP Configuration Domain Controller window allows you to configure the
IP address and port for an LDAP server. Follow the steps below.
1 In the IP Address field, type the IP address for the LDAP server.
2 In the Port Number field, type the port that the LDAP server should use.
The default port is 389.
3 Click OK to add the LDAP server to the list of configured LDAP servers.
4 Click the Save icon in the toolbar to save your changes.
Configuring the Server Timeouts/Retries window
This window allows you to configure limits on authentication retries and server
timeouts.
• In the Maximum Retries field, specify the number of authentication attempts
that a user can make before a failure is issued. Valid values are between
1—9999999. The default is 3.
• In the Login Timeout in seconds field, specify the number of seconds to
wait for the LDAP server to respond. Valid values are between
1—9999999. The default is 60 seconds. If the server cannot be reached in
that time frame, Sidewinder G2 will attempt to connect to the next server in
the Define LDAP/Active Directory Servers area.
Configuring the Login Options window
This window allows you to specify what you want to appear as prompts during
the login process.
• In the Login Prompt field, specify the prompt that you want to appear for
the user name portion of the login process. The default is Username.
• In the Password Prompt field, specify the prompt that you want to appear
for the password portion of the login process. The default is Password.
Adding/modifying search containers
This window allows you to add or modify a search container.
1 In the Edit Search Container field, enter either a single container name or a
concatenated container name.
Note: The search string format depends on the type of server selected.
Microsoft Active Directory searches use a format similar to sales.example.com.
Standard LDAP searches use a format similar to
dc=sales,dc=example,dc=com.
2 Click OK.

Figure 133: Password
Configuration window
Entering information
on the Password
Configuration
window
Setting up password authentication
Chapter 10: Setting Up Authentication
Configuring authentication services
To configure password authentication on the Sidewinder G2, in the Admin
Console select Services Configuration > Authentication, and click Configure
Password. The following window appears.
This window is used to configure password authentication on the Sidewinder
G2. Follow the steps below.
1 In the Login Prompt field, type the prompt text that you want to appear
when the Telnet proxy service prompts a user for his or her user name.
Note: The prompt you configure in this field is only used for the Telnet proxy
service, and only appears after an authentication attempt of this type has failed.
2 In the Password Prompt field, type the prompt text that you want to appear
when the Sidewinder G2 prompts a user for his or her password.
3 In the Expiration Message field, type the message you want to appear
when a user’s password has expired.
4 In the Password Expiration Timespan field, type the number of days the
password will be valid.
5 In the Minimum Password Length field, specify the minimum number of
characters that a password must contain.
6 Select one of the following:
• Allow simple passwords—Select this option if you do not want to
specify any other password requirements.
• Require complex passwords—Select this option to configure and
enforce complex password requirements.
291

Chapter 10: Setting Up Authentication
Configuring authentication services
292
Figure 134: RADIUS
configuration window
7 [Conditional] If you selected Require complex passwords in the previous
step, do the following:
a Specify the number of character groups that will be required for
passwords. For example, if you specify 2, passwords must use
characters from two of the four character groups. The character groups
are:
• lowercase
• uppercase
• numbers
• special characters (includes all printable characters that can be
typed from the keyboard, such as ^ % $ # @ ! . , etc.)
b Specify the number of characters that will be required from each
character group. For example, if you specify 3 characters from each
group, and two character groups are required, passwords will need to
contain three characters from two different groups, such as a13c7b.
8 Click OK to save your changes before returning to the Authentication
Configuration window.
Note: If you want to use password authentication after it is configured, you must
also enable it in the Authentication Configuration window.
Setting up RADIUS authentication
RADIUS is a standard protocol used to authenticate users before they are
allowed access to your system. To configure the Sidewinder G2 to work with a
RADIUS server, start the Admin Console and select Services Configuration >
Authentication, and click Configure Radius. The following window appears.

Entering information
on the RADIUS
window
Adding or modifying
a RADIUS server
entry
Chapter 10: Setting Up Authentication
Configuring authentication services
This window is used to configure RADIUS authentication on the Sidewinder
G2. Follow the steps below.
1 The Radius Servers table lists the RADIUS servers currently configured for
the Sidewinder G2. The columns indicate the following:
• Rank — Which server the Sidewinder G2 will try first.
• Host — The host (IP address) for each server entry.
• Port Number — The port number for each server entry. The default port
is 1812.
• Shared Secret — The text string or phrase that matches the shared
secret of the listed RADIUS server.
To configure the Radius Servers table, do one of the following:
• New—Click this button to create a new server entry. See “Adding or
modifying a RADIUS server entry” on page 293 for details.
• Modify—Click this button to modify the selected server entry. See
“Adding or modifying a RADIUS server entry” on page 293 for details.
• Delete—Click this button to remove the selected server entry.
2 In the Login Prompt field, type the login prompt that you want to appear
when a user authenticates using RADIUS (the default is Username:).
3 In the Password Prompt field, type the password prompt that you want to
appear when a user authenticates using RADIUS (the default is
Password:).
4 In the Failed Authentication Message field, type the message that you want
to display if the user incorrectly enters their authentication information (the
default is Login incorrect).
5 Click OK to save your changes before returning to the Authentication
Configuration window.
Note: If you want to use RADIUS authentication after it is configured, you must
also enable it in the Authentication Configuration window.
The RADIUS Configuration: Domain Controller Configuration window is used
to create a new or to modify an existing server entry. Follow the steps below.
1 In the IP Address field, type the IP address used by the RADIUS server.
Tip: If configuring SafeWord RemoteAccess authentication, the IP address is
that of the Microsoft RADIUS server running the SafeWord agent for IAS. See
the SafeWord product documentation for more information.
2 In the Port Number field, specify a port number used by the RADIUS
server. (The default port is 1812.)
3 In the Shared Secret field, type any text string or phrase. This must match
the Shared Secret defined on the RADIUS server.
4 Click Add to add the entry to the list of RADIUS servers, and then click
Close.
293

Chapter 10: Setting Up Authentication
Configuring authentication services
294
Figure 135: SafeWord
Configuration window
About the SafeWord
Configuration
window
Setting up SafeWord authentication
This section describes how to configure your Sidewinder G2 to work with a
SafeWord PremierAccess authentication server for login, SOCKS5, Telnet,
FTP, Web, or SSH authentication.
To configure SafeWord PremierAccess authentication on the Sidewinder G2,
you must first install and configure the SafeWord PremierAccess
Authentication Server. (Refer to the appropriate product documentation.)
To configure SafeWord RemoteAccess authentication, use the RADIUS
warder. See “Setting up RADIUS authentication” on page 292 for more
information.
In the Admin Console select Services Configuration > Authentication, and
click Configure SafeWord. The following window appears.
This window allows you to view and modify your SafeWord PremierAccess
server entries. The SafeWord Configuration tab contains a table with the
following fields:
• Rank—This column indicates which server the Sidewinder G2 will try first.
• Host—This column indicates the host (IP address) for each server entry.
• Port Number—This column indicates the port number for each server entry.
The default port number for SafeWord PremierAccess is 5030. (If you are
configuring a server entry for SafeWord, you will need to change the port to
7482.)
To delete an existing entry, highlight that entry and click Delete.
To create a new server entry, click New. To modify an existing server entry,
highlight the entry you want to modify, and click Modify. See “Adding or
modifying a SafeWord server entry” on page 295 for details.
Note: If you want to use SafeWord PremierAccess authentication after it is
configured, you must also enable it in the Authentication Configuration window.

Adding or modifying
a SafeWord server
entry
Chapter 10: Setting Up Authentication
Configuring authentication services
The SafeWord Server Configuration window is used to create a new server
entry or to modify an existing server entry. Follow the steps below.
1 In the IP Address field, type the IP address used by the SafeWord
PremierAccess Authentication Server.
2 In the Port Number field, specify a port number used by the SafeWord
PremierAccess Authentication Server. (The default port for SafeWord
PremierAccess is 5030.)
3 Click Add to add the entry to the list of SafeWord servers, and then click
Close.
Setting up SecurID authentication
This section describes how to configure your the Sidewinder G2 to work with
an ACE Server for login, SOCKS5, Telnet, FTP, Web, or SSH authentication.
Follow the steps below.
1 Install and configure the ACE server software. Be sure to add the
Sidewinder G2 as a client. Refer to your ACE server documentation for
details.
Note: If you need to reinstall Sidewinder G2, you must disable the Send Node
Secret option in the Edit Client window on the ACE server. This will cause the
ACE server to resend the node secret to the Sidewinder G2.
2 Import the ACE Server configuration file (sdconf.rec) to a directory (for
example, the /tmp directory) on the Sidewinder G2 or directly to the Admin
Console system.
The ACE Server configuration file is created on the ACE Server. It must be
transferred to a temporary location on the Sidewinder G2 or Admin Console
via FTP or diskette.
3 Start the Admin Console and select Services Configuration >
Authentication and click Configure SecurID. The following window
appears.
295

Chapter 10: Setting Up Authentication
Configuring authentication services
296
Figure 136: SecurID
Configuration window
Entering information
on the SecurID
Configuration
window
This window allows you to specify the installation configuration file location.
Follow the steps below.
1 In the Source field, specify whether the configuration file is stored on the
Admin Console (Local File) or on the Sidewinder G2 (Remote File).
2 In the Install Configuration File field, type the path name of the file in which
you stored the ACE Server configuration. This is the same file you imported
in step 2 of “Setting up SecurID authentication” on page 295.
To browse for the location of the configuration file rather than typing it
directly, click Browse.
3 Click OK to save your changes before returning to the Authentication
Configuration window. This assigns the sdconf.rec file the proper Type
Enforcement type and installs the file in the correct Sidewinder G2
directory.
Note: If you want to use SecureID authentication after it is configured, make
sure you enable it in the Authentication Configuration window.
Setting up SecureNet Key (SNK) authentication
To configure your Sidewinder G2 to work with Symantec Defender Security
Server (DSS) for login, SOCKS5, Telnet, FTP, Web, and SSH authentication,
follow the steps below.
Note: Configuring SNK consists of performing some configuration tasks on the
DSS and some on the Sidewinder G2.
On the Defender Security System, do the following:
1 Install the Defender Security Server and Defender Management (DMS)
software. Refer to your Defender documentation for installation information.
If DSS is already installed in your network, you can skip this step.

Figure 137: SNK
Configuration window
Entering information
on the SNK
Configuration
window
Chapter 10: Setting Up Authentication
Configuring authentication services
2 Register your Sidewinder G2 with the DMS software. Refer to your
Defender documentation for registration information.
Important: The Agent ID can consist of 1–16 ASCII characters. The Agent Key
must consist of exactly 16 hexadecimal digits. The values used in the DMS software
must also be entered on your Sidewinder G2 (in step 1 and step 2 on page 297.) If
the values are not identical, the Sidewinder G2 will not accept the login, SOCKS5,
Telnet, FTP, Web, or SSH proxy connections.
3 Use the DMS software to create accounts for users. Refer to the DMS
documentation you received from Symantec.
On the Sidewinder G2, do the following:
4 Start the Admin Console and select Services Configuration >
Authentication and click Configure SNK. The following window appears.
This window is used to configure SecureNet Key (SNK) authentication on the
Sidewinder G2. Follow the steps below.
Note: You must configure a primary or backup defender server (or both) before
you can enable SNK authentication.
1 In the Sidewinder Agent ID field, type the ID you used when you registered
the Sidewinder G2 with the WinDMS software. The ID must match the ID
created in step 2 on page 297 exactly or the connection will not be
accepted.
2 In the Sidewinder Agent Key field, type the key you used when you
registered the Sidewinder G2 with the WinDMS software. The key must
match the key created in step 2 on page 297 exactly or the connection will
not be accepted.
297

Chapter 10: Setting Up Authentication
Configuring authentication services
298
Figure 138: Windows
Domain configuration
window
3 In the Primary Defender Server area, configure a Primary Defender Server,
as follows:
a In the IP Address field, type the IP address used by the DSS system.
b In the Port Number field, type the port number used by the DSS system.
This number must be larger than 1024.
4 [Optional] In the Backup Defender Server area, do the following:
a In the IP Address field, type the IP address for the backup DSS system.
b In the Port Number field, type the port number used by the backup DSS
system.
5 Click OK to save your changes and return to the Authentication window.
Note: If you want to use SNK authentication after it is configured, make sure
you enable it in the Authentication window.
Setting up Windows Domain authentication
To configure Windows Domain authentication on the Sidewinder G2, in the
Admin Console select Services Configuration > Authentication and click
Configure Domain. The following window appears.

Entering information
on the Windows
Domain
Configuration
window
Adding or modifying
a Windows domain
controller entry
Chapter 10: Setting Up Authentication
Configuring authentication services
This window is used to configure your Sidewinder G2 to work with a Windows
primary domain controller (PDC) or backup domain controller (BDC).
Using this method also permits you to allow transparent browser
authentication. THis feature may be enabled on a per rule basis with any rule
that uses the HTTP or HTTPS proxy (Policy Configuration > Rules > Proxy >
New > Authentication tab). Windows Domain must be selected as the default
method, with the Allow transparent browser authentication option enabled.
Information on configuring the Windows Domain Controller to work with this
option is found in the related application note at
www.securecomputing.com/goto/appnotes.
Note: If the user’s browser does not support transparent browser authentication,
such as an older version of Netscape, the proxy will revert the traditional Windows
Domain authentication method, which prompts users for their credentials.
To configure Windows Domain authentication method, follow the steps below.
1 The Windows Domain Controllers table lists the Windows domain
controllers currently configured for the Sidewinder G2. To configure the
domain controllers, do one of the following:
• New—Click this button to create a new domain controller entry. See
“Adding or modifying a Windows domain controller entry” on page 299
for details.
• Modify—Click this button to modify the selected entry. See “Adding or
modifying a Windows domain controller entry” on page 299 for details.
• Delete—Click this button to remove the selected entry.
2 In the Login Prompt field, specify the login prompt that you want to display
to users when they log in. The default is Username.
3 In the Password Prompt field, specify the password prompt that you want
to display to users when they log in. The default is Password.
4 In the Failed Authentication Message field, specify the message that you
want to display if a user’s authentication attempt fails. The default is Login
incorrect.
5 Click OK to save your changes before returning to the Authentication
Configuration window.
Note: If you want to use Windows Domain authentication after it is configured,
make sure you enable it in the Authentication Configuration window.
The Domain Controller Configuration window is used to add or modify a
domain controller entry. Follow the steps below.
1 In the IP Address field, type the IP address used by the Windows domain
controller.
299

Chapter 10: Setting Up Authentication
Configuring SSO
300
The Port Number field displays the port used by the Windows domain controller.
The default value is 139. This field cannot be modified.
2 In the Windows Domain Controller Name field, type the name of this
Windows domain controller. Type only the host or computer name, not the
fully qualified name. You can determine the name by selecting My
Computer > Control Panel > Network on the Windows controller.
3 Click Add to add the entry to the list of Windows domain controllers.
Configuring SSO Single sign-on (SSO) works in conjunction with a specified authentication
method to cache a user’s initial authentication, thereby allowing access to
multiple services with a single successful authentication to the Sidewinder G2.
Figure 139: SSO
Configuration tab
This is done by storing the source IP address for a successful authentication in
a cache. All proxy rule services that require authentication will check that
cache for successful authentication. If the source IP address exists in the
cache, transparent authentication based on the initial authentication takes
place and the user is allowed access without manually re-authenticating.
You can configure SSO to expire cached authentications after a specified time
period has passed (for example, you may choose to require each user to reauthenticate
every two hours). You also have the option to require a user to reauthenticate
after a specified period of idle time (for example, a user must reauthenticate
if the cached authentication has not been accessed for one hour
or more). You also have the option to manually expire cached authentication
for a specific user(s) or for all users, at any time.
To configure SSO, in the Admin Console select Services Configuration >
Servers, and select the SSO server. To enable the SSO server, select the
check boxes for the appropriate burbs. To configure the SSO server, select the
Configuration tab. The following window appears.

Entering information
on the Single Sign
On Configuration
tab
Chapter 10: Setting Up Authentication
Configuring SSO
This window allows you to configure Single Sign On authentication on the
Sidewinder G2. Follow the steps below.
1 In the Authentication Methods Used to Establish SSO Credentials, select
the authentication methods that will be allowed to store cached
authentication credentials using SSO.
Note: Only authentication methods that have been configured and enabled will
be available to select in this window. For information on the available types of
authentication, see “Supported authentication methods” on page 277.
2 In the Default Method drop-down list, select the authentication method that
will be used if multiple methods are available and the user does not specify
a method to use during login.
3 If you want to require that a user log in via the SSO Web interface, select
the Require Web Login check box.
4 In the Web Login area, do the following:
a In the Port field, type the port that will be used to log in on the Web. (The
default port is 8111.)
b In the Edit Login Page Banner field, you can configure the Web page
banner that appears when a user successfully logs in. To view the
existing banner, click the corresponding View button. To modify the login
page banner, click the corresponding Edit HTML button. For information
on using the File Editor to configure the banner page, see “Using the
Admin Console File Editor” on page 26.
c In the Edit Logout Page Banner field, you can configure the Web page
banner that appears when a user successfully logs out. To view the
existing banner, click the corresponding View button. To modify the
logout page banner, click the corresponding Edit HTML button. For
information on using the File Editor to configure the banner page, see
“Using the Admin Console File Editor” on page 26.
5 In the Authenticate Inactive Users Every field, specify how often a user’s
account must remain inactive before they must re-authenticate, as follows:
a In the corresponding drop-down list, select the time increment you want
to use. Valid options are Seconds, Minutes, Hours, Days, Weeks,
Months, and Years.
b In the text box, specify the number of seconds, minutes, hours, etc.,
before a user will be required to re-authenticate.
6 In the Force Authentication Every fields, specify a time period in which a
user must re-authenticate regardless of whether the account is inactive or
being used, as follows:
a In the corresponding drop-down list, select the time increment you want
to use. Valid options are Seconds, Minutes, Hours, Days, Weeks,
Months, and Years.
b In the corresponding text box, specify the number of seconds, minutes,
hours before a user will be required to re-authenticate.
301

Chapter 10: Setting Up Authentication
Configuring SSO
Accessing the Web
login and logout
pages
302
7 Click the Save icon in the toolbar to save your changes and return to the
Authentication Configuration window.
8 Ensure that the pre-configured Single Sign-On proxy rule has been
included in your active rule group (Policy Configuration > Rules). The
Single Sign-On proxy rule is configured to use a pre-configured Secure
Web Application Defense called Single Sign-on, a Secure Web defense
that uses SSL decryption to increase the security of data transactions. By
default, that application defense uses the Default_SSL_Cert firewall
certificate created during the initial configuration.
9 Check the host name used in firewall certificate selected on the Single
Sign-on Secure Web application defense. Ensure that the host name
resolves to the IP address associated with the burb in which SSO is
enabled. For example, if SSO is enabled in the internal burb, the host name
in the associated firewall certificate should resolve to the internal burb’s IP
address.
Note: If you are enabling SSO in multiple burbs, you may require additional
Secure Web defenses, each with a different firewall certificate to match each
additional burb.
10 Ensure that SSO authentication is configured for each rule for which you
want to use SSO (Policy Configuration > Rules > New/Modify >
Authentication tab). See “Creating proxy rules” on page 222 for more
information.
End users will now be able to access multiple services with a single successful
authentication to the Sidewinder G2.
When Web Login is configured for SSO, any time a user attempts to access the
Web the login window will appear prompting them to authenticate. A user can
also access the authentication login page by directing their browser to:
https://SidewinderG2_address.com:8111/sidewinder/login.html
If a user wants to log out of the SSO cache manually (before their SSO
authentication cache expires), they can point their browser to:
https://SidewinderG2_address.com:8111/sidewinder/logout.html
If a browser is configured for the proxy, you will need to configure that browser
to NOT proxy requests going to the Sidewinder G2 on port 8111. The following
steps provide an example of configuring an exception using Netscape.
1 Open Netscape and select Edit > Preferences > Advanced > Proxies.
2 Select Manual Proxy Configuration.
3 In the No Proxy For field, type the URL for the Sidewinder G2 (for example,
G2name.example.com.
4 Click OK to save the information and exit.

Setting up
authentication
for services
Chapter 10: Setting Up Authentication
Setting up authentication for services
To require authentication for users who require any services that use
authentication (for example, HTTP, Web, SOCKS5, sshd, VPN, Telnet, FTP,
and the Admin Console), you will need to configure the appropriate proxy
rule(s) for each service, and ensure that they are included in the active proxy
rule group.
You can configure a proxy rule to support multiple authentication methods if
multiple methods have been configured on the Sidewinder G2. In this scenario,
a user can specify the authentication method that they want the Sidewinder G2
to use when they reply to a login prompt. For example, the following shows
how a user can specify each authentication method from the login prompt:
>: login_name:password
>: login_name:ldap
>: login_name:msnt
>: login_name:snk
>: login_name:securid
>: login_name:safeword
>: login_name:radius
Tip: You only need to enter the first three characters for the name of the
authentication method. For example, the following specifies minimum characters
needed for each method:
lda LDAP
msn Windows Domain
pas password
snk SNK
sec SecurID
saf SafeWord
rad Radius
Note: The Default Method drop-down list in the Authentication tab of the Rule
window selects the authentication method the Sidewinder G2 uses when the user
does not specify an authentication method during log in.
After you enable an authentication method for a specific proxy rule, users will
have to enter the information required by that method whenever they try to use
a service associated with that rule.
Tip: For standard password authentication, you should inform those users how
they can change their own log in password from their terminal or workstation using
a Web browser such as Netscape or Internet Explorer. See “How users can change
their own password” on page 308.
303

Chapter 10: Setting Up Authentication
Special authentication notes
Special
authentication
notes
304
This section provides some special considerations that users should be made
aware of regarding Telnet and FTP authenticated connections through the
Sidewinder G2.
• Changing user passwords and PINs for authentication methods
The Sidewinder G2 supports changing user passwords and PINs only
under the Telnet proxy. For example, users can change their DSS password
or their SafeWord PremierAccess PIN via the Telnet proxy. (Refer to the
documentation for your authentication method for information on the commands
used to change passwords and PINs.) Passwords and PINs cannot
be changed using the FTP, Web, or SOCKS5, proxy. The user must either
initiate a Telnet proxy session or they can contact their system administrator.
• Switching authentication methods during a log in session
The Sidewinder G2 allows you to use multiple authentication methods for a
given service (for example, users might use either SafeWord PremierAccess
or SecurID for Telnet authentication). When logging on, if a user specifies
the incorrect authentication method and authenticator, they cannot
then specify a different authentication method. The Sidewinder G2 does not
support changing warders in the middle of a session, so the user must
close the session with the incorrect authentication warder and start a new
session specifying the correct authentication warder.
• Sessions through SNK hang if a user ID is not entered before the
connection times out
If you are using SecureNet Key (SNK) for authentication, and a connection
times out before a Telnet or FTP user enters a user ID, the challenge or
password prompts are not sent and the session hangs. Users can escape
from a Telnet session and get a new prompt by simultaneously pressing the
Control and end bracket (]) keys. For FTP sessions, the process must be
terminated.
• Non-authenticated nontransparent FTP proxy prompts for
authentication
Administrators should instruct end users that they will be prompted to supply
a user name, authentication method, and destination, even if the associated
allow rule does not require authentication. This is because the nontransparent
FTP proxy needs the login and destination information in order
to determine which rule will allow the connection.
When end users attempt to connect to the FTP server, the Sidewinder G2
sends them the following prompt:
220-Firewall ftp proxy. You must login to the proxy first.
220 Use proxy-user:auth-method@destination.
Name (g2_ipaddr:proxy-user):
Instruct users to respond to the Name (g2_ipaddr:username): prompt
by entering the @ sign followed by the FTP server’s IP address, as shown
in this example:

Setting up
authentication
for Web sessions
Name (g2_ipaddr:proxy-user):@172.1.1.25
Chapter 10: Setting Up Authentication
Setting up authentication for Web sessions
Users who incorrectly put a user name before the prompt are still allowed
access to the FTP server through the non-transparent FTP rule that does
not require authentication. The Sidewinder G2 handles entries containing
user names that do not match any existing FTP rule and entries without a
user name in the same manner.
You can require users to enter a password before they are allowed Web
access. To do so requires that the user access the Web using either the Web
proxy server or the HTTP proxy, both of which can authenticate using either
fixed or one-time passwords, but cannot use a challenge/response form of
authentication.
Follow these steps to set up Web authentication.
1 Ensure that the authentication method you want to use is configured and
enabled. See “Configuring authentication services” on page 284.
2 Ensure that the Web proxy server or HTTP proxy is configured, enabled,
and is using the proper authentication method.
• To enable and configure the Web proxy server, see “Configuring the
Web proxy server” on page 383.
• To enable and configure the HTTP proxy, see “Configuring proxies” on
page 266.
3 Add or modify proxy rules as needed. You must create one or more rules
that define Web access between two burbs on your Sidewinder G2.
Note: When using standard password authentication, you may want to allow
users to change their own log in password from their terminal or workstation.
See “Allowing users to change their passwords” on page 306.
305

Chapter 10: Setting Up Authentication
Setting up authentication for administrators
Setting up
authentication
for
administrators
Allowing users
to change their
passwords
306
By default, all administrators who log into the Sidewinder G2 are authenticated
using standard password authentication. You can configure the Sidewinder G2
to require a stronger authentication for administrator log in methods. To do so,
see “Setting up authentication for services” on page 303 to modify the
appropriate proxy rule(s). For example, you might modify the Login Console
proxy rule.
When an administrator replies to a login: prompt during a console or Telnet
connection request, they can chose the authentication method the Sidewinder
G2 should use. For example:
>login: login_name:-password
>login: login_name:-ldap
>login: login_name:-msnt
>login: login_name:-snk
>login: login_name:-securid
>login: login_name:-safeword
>login: login_name:-radius
Note that this is similar to the response entered by your Telnet, FTP, SOCKS5,
and Web users (see “Setting up authentication for services” on page 303),
except that a dash (-) must precede the name of the authentication method.
Shortcuts cannot be used; you must enter the entire name.
The Sidewinder G2 changepw server allows external users to use a Web
browser to change their Sidewinder G2, SafeWord PremierAccess, or LDAP
login password. The changepw server runs on the firewall burb, and
communicates with other burbs via a proxy. To allow this process to occur, do
the following:
Note: As an administrator, you should inform users how they can change their
own password. See “How users can change their own password” on page 308.
1 Enable the changepw server, as follows:
a In the Admin Console, select Services Configuration > Servers, and
select changepw from the Servers list.
b Enable the changepw server by selecting the Enable radio button. (To
disable the server, select the Disable radio button.)
c Click the Save icon in the upper left portion of the window to save your
changes.
2 Create a changepw-form proxy rule and include it in the active proxy rule
group. Table 25 on page 307 summarizes the key settings for this proxy
rule. Refer to “Creating proxy rules” on page 222 for details on using the
Admin Console to create a proxy rule.

Chapter 10: Setting Up Authentication
Allowing users to change their passwords
Table 25: Proxy rule settings to allow users to change their login passwords
Criteria Setting
Proxy Name: burbname_changeform
Service Type: Proxy
Service: changepw-form
Action: Allow
Source Burb: Desired burb (for example, internal)
Destination Burb: Desired burb (for example, internal)
Source: Site dependent
Destination: localhost (a default host object)
Redirect Host: IPAddr: Firewall (a default IP address object)
User Groups: Site Dependent
Authentication: None
3 Enable the changepw_form proxy for the necessary burb(s).
a Start the Admin Console and select Services Configuration > Proxies.
The Proxies window appears.
b Select the changepw_form proxy from the list of proxy names and
enable it for the desired burbs.
c Click the Save icon in the toolbar to save your changes.
4 (Optional: Web proxy only) Update the ERR_SCC_EXPIRED_PASSWORD
file on the Sidewinder G2 by doing the following:
a Change to the /usr/local/squid/etc/errors directory by entering the
following command.
cd /usr/local/squid/etc/errors
b Create a backup copy of the ERR_SCC_EXPIRED_PASSWORD file.
cp ERR_SCC_EXPIRED_PASSWORD ERR_SCC_EXPIRED_PASSWORD.orig
c Modify the contents of the ERR_SCC_EXPIRED_PASSWORD file as
instructed in the file, for example:
• delete the line “Please follow the instructions your administrator has
given you in order to change your Web proxy password.”
• delete the “

Chapter 10: Setting Up Authentication
How users can change their own password
How users can
change their own
password
308
Updating the ERR_SCC_EXPIRED_PASSWORD file in this manner will
cause a link to appear within the user’s browser when their password
expires. The link provides a shortcut to the Password Change Request
Form. If needed you can further customize this file to provide additional
instructions to your users.
5 (Web proxy only) Restart the Web proxy server.
a From the Services Configuration > Servers and then select the
WebProxy from the list of server names.
b In the Control tab, select Disable and then click the Save icon.
c Select Enable and then click the Save icon.
Note: Active Web connections may be lost when the Web proxy server is
restarted.
Using standard password authentication, you can authenticate trusted and
Internet users who request SOCKS5, FTP, and Telnet access via proxies, and
you can authenticate trusted users who access the Web via the Sidewinder G2
Web proxy server. As an administrator, you should inform those users how
they can change their own password from their terminal or workstation by
using a Web browser. However, there are some restrictions:
• User can only change their own password if using standard password,
SafeWord PremierAccess, or LDAP authentication.
• To allow users to change their log in passwords, you must first configure the
Sidewinder G2 to allow this. See “Allowing users to change their
passwords” on page 306.
1 Start a Web browser.
2 Configure your browser not to proxy requests going to the Sidewinder G2
on port 1999. For example, if you are using a Netscape browser do the
following:
a Open Netscape and select Edit > Preferences > Advanced > Proxies.
b Select Manual Proxy Configuration.
c In the No Proxy For field, type the URL for the Sidewinder G2 (for
example, G2nameexample.com.
d Click OK to save the information and exit.
3 Open an HTTP connection to the Sidewinder G2. For example:
http://mysidewinder.example.com:1999/
A pre-defined HTML change password form appears.
4 Enter your user name.
5 Enter your current password. This is your current password for establishing
network connections.

Chapter 10: Setting Up Authentication
How users can change their own password
6 Enter your new password. This will be your new password for establishing
network connections.
7 Re-enter the new password. This confirms the spelling of the new
password.
8 Select one of the following password types:
• If you are changing a Sidewinder G2 login password, select Password.
• If you are changing a SafeWord PremierAccess login password, select
SafeWord.
• If you are changing an LDAP password, select LDAP.
9 Click Send Request.
This sends the change password request to the Sidewinder G2. You will be
notified if the request failed or if it is accepted. If the request is accepted,
the password database is updated and the new password must be used for
all future connections.
309

Chapter 10: Setting Up Authentication
How users can change their own password
310

11
CHAPTER
DNS (Domain Name
System)
In this chapter...
What is DNS?...............................................................................312
About mail exchanger records......................................................314
Configuring the internal network to use hosted DNS ...................315
Enabling and disabling your DNS server(s) .................................316
Advanced configurations ..............................................................317
Managing your current DNS configuration ...................................318
Configuring transparent name servers .........................................318
Configuring hosted DNS servers..................................................320
Reconfiguring DNS.......................................................................336
Manually editing DNS configuration files......................................342
DNS message logging..................................................................343
311

Chapter 11: DNS (Domain Name System)
What is DNS?
What is DNS? The domain name system (DNS) is a service that translates host names to IP
addresses, and vice versa. DNS is necessary because while computers use a
numeric addressing scheme to communicate with each other, most individuals
prefer to address computers by name. DNS acts as the translator, matching
computer names with their IP addresses.
312
Much of the traffic that flows into and out of your organization must at some
point reference a DNS server. In many organizations this server resides on a
separate, unsecured computer. The Sidewinder G2 provides the additional
option to host the DNS server directly on the Sidewinder G2, eliminating the
need for an additional computer.
The Sidewinder G2 offers two main DNS configurations: Transparent DNS and
Sidewinder-hosted DNS. The sections below explain each configuration
method.
Note: An excellent source of information on DNS is the Internet Software
Consortium Web site at www.isc.org. Some background information is also
provided in the Sidewinder G2 installation documentation. The book DNS and
BIND, by Albitz & Liu (O’Reilly & Associates, Inc.) is also a popular reference.
About transparent DNS
Transparent DNS represents a simplified DNS configuration. When transparent
DNS is configured for the Sidewinder G2, DNS traffic passes transparently
through the Sidewinder G2 using a proxy. The Sidewinder G2 uses proxy rules
that pass all DNS traffic by proxy to its appropriate burb. DNS requests are
then handled by the remote servers. Other machines do not “see” the
Sidewinder G2, which means there is minimal disruption to your current DNS
configurations throughout your network.
Configuring transparent DNS requires specifying the IP address of one or more
remote DNS servers. (Alternative server addresses may be used for
redundancy.) If a customer is using NAT through the Sidewinder G2, they
should also have an additional DNS server on the outside of their network. The
external DNS server handles the external zones of your network and its
addresses. This configuration allows you to control which addresses are visible
to the outside world.
Note: Transparent DNS is designed for simple DNS configurations. Complex DNS
configurations may require DNS services to be hosted directly on the Sidewinder
G2.

About Sidewinder hosted DNS
Chapter 11: DNS (Domain Name System)
What is DNS?
Sidewinder hosted DNS represents a more complex DNS configuration that
uses the integrated Sidewinder G2 DNS server. When configured for hosted
services, DNS servers run directly on the Sidewinder G2. This places the DNS
server(s) on a hardened operating system, preventing attacks against these
servers from penetrating your network.
In a hosted DNS configuration, the Sidewinder G2 requires information about
your DNS authority. Generally, there should be only one “master” name server
for any fully-qualified domain, (such as nyc.example.com) also called a “zone”.
There may be many “slave” servers, for redundancy and better performance,
but they derive their information from the one master for each domain.
You can configure Sidewinder hosted DNS to use a single server or split
servers as follows:
• Hosted single server DNS—In a Sidewinder G2 hosted single server
configuration, one DNS server is hosted on the Sidewinder G2. That server
handles all DNS queries. The server is protected by the Sidewinder G2
hardened OS, preventing attacks from penetrating your network. A single
server configuration is generally used when you have no concerns for
keeping your internal network architecture hidden, such as when your
Sidewinder G2 is acting as an “intrawall” between two sets of private
addresses. External hosts will need to be reconfigured to point to the
Sidewinder G2 servers.
• Hosted split server DNS—In a Sidewinder hosted split server configuration,
two DNS servers are hosted on the Sidewinder G2: one server (the external
name server) is bound to the external burb and the other server (the
“unbound” name server) is available for use by all internal burbs. Both
servers are protected by the Sidewinder G2 hardened OS, which is able to
prevent attacks against them from penetrating your network.
The security benefit of using a Sidewinder split server hosted configuration
is the ability to hide the DNS entries on the unbound server from those who
only have access to the external burb. External hosts will need to be reconfigured
to point to the Sidewinder G2 servers.
Important: You must use hosted split DNS if you want the Sidewinder G2 to
hide your private IP addresses (via Network Address Translation).
Tip: Secure Computing recommends splitting the Sidewinder G2 DNS servers
when using hosted DNS.
313

Chapter 11: DNS (Domain Name System)
About mail exchanger records
About mail
exchanger
records
314
Listed below are some additional points about running DNS on your
Sidewinder G2:
• Sidewinder G2 uses Berkeley Internet Name Domain (BIND 9).
• The boot files for the unbound and the Internet name servers are
/etc/named.conf.u and /etc/named.conf.i, respectively. The boot files
specify corresponding directories: /etc/namedb.u and
/etc/namedb.i. When you boot your Sidewinder G2, the name server
daemon (named) is started. The /etc/named.conf.u and
/etc/named.conf.i files specify whether the Sidewinder G2 is a master or a
slave name server and list the names of the files that contain the DNS
database records.
• If you choose to configure the Sidewinder G2 as a master name server on
either the unbound (internal) or Internet (external) side, you can modify the
/etc/namedb.u/domain-name.db and /etc/namedb.i/domain-name.db files
(where domain-name = your site’s domain name). You can add the default
information that is being advertised for these zones.
• The Sidewinder G2 contains a non-blocking DNS resolver to support
reverse IP address look-ups in the active proxy rule group, and name-toaddress
look-ups in the http proxy. The relevant resolver library calls are
gethostbyname() and gethostbyaddr(). The non-blocking DNS resolver
provides a small number of DNS resolver daemons (nbresd) that are
handed queries to resolve on behalf of the client.
When you set up Sidewinder hosted DNS services for your site, you need to
create mail exchanger (MX) records. MX records advertise that you are
accepting mail for a specific domain(s). If you do not create an MX record for
your domain, name servers and users on the Internet will not know how to
send e-mail to you. When an e-mail message is sent from a site on the
Internet, a DNS query is made in order to find the correct mail exchange (MX)
host for the destination domain. The sender’s mail process then sends the email
to the MX host. The Sidewinder G2, through the use of mailertables, will
forward the mail to the internal mail process, which in turn will forward it to the
internal mail host. See “Editing the mail configuration files” on page 354 for
more information on mailertables.
Consider the example shown in Figure 140. Someone in the Internet, Lloyd,
wants to send one of your users, Sharon, an e-mail message, but all Lloyd
knows is Sharon’s e-mail address: sharon@foo.com. The mailer at Lloyd’s site
uses DNS to find the MX record of foo.com. Lloyd’s message for Sharon is
then sent to the mailhost listed in the MX record for Sharon’s site.

Figure 140: Mail
exchanger example
Configuring the
internal network
to use hosted
DNS
Lloyd
(Request)
MX record
request for
foo.com
(Response)
e-mail message for
sharon@foo.com
Chapter 11: DNS (Domain Name System)
Configuring the internal network to use hosted DNS
name server for foo.com
MX record*
for foo.com
Sidewinder G2
fw.foo.com
* MX record for foo.com
fw.foo.com
A master name server stores and controls your site’s MX records. The master
name server may be in the external burb of your Sidewinder G2, or on a host
outside of your network (for example, your Internet service provider). If your
Sidewinder G2 controls the master name server, then you can make any
necessary changes to your MX records; if another host controls your master
name server, then changes have to be made on that host. For more
information on MX records see Chapter 5 of DNS and Bind by Albitz & Liu.
For information on creating MX records using the Admin Console, see “Using
the Master Zone Attributes tab” on page 329.
If you are going to use transparent proxies to provide Internet services to your
internal users, the internal client workstations must send their name server
queries to the Sidewinder G2 or to other internal name servers that forward
unresolved host names to the Sidewinder G2. There are two ways to set this
up:
• Reference the Sidewinder G2 in any name resolution configuration that the
client workstation may have. For example, a UNIX system uses the /etc/
resolv.conf file to list the name servers that system should query. A name
server reference for the Sidewinder G2 is all that is needed.
• Point client workstations at one or more internal name servers. These
name servers should be authoritative for the internal domain and
configured as slave forwarders, with the Sidewinder G2 as the forwarding
destination.
315

Chapter 11: DNS (Domain Name System)
Enabling and disabling your DNS server(s)
Enabling and
disabling your
DNS server(s)
316
This section describes how to determine the number of DNS servers currently
in use. It also describes how to use the Admin Console to enable or disable the
individual DNS servers.
Using master and slave servers in your network
Typically, a company will use two or more DNS servers to provide domain
name service to their customers. This provides for load balancing and
redundancy. When more than one DNS server is used, the local administrator
designates one DNS server to host the “master” zone files. The other DNS
servers are slave servers that merely retrieve copies of the zone files from the
master server. To outside users there is no indication or need to know about
which of the multiple servers is the master. They all provide equally
authoritative answers to all queries. The designation of which DNS server will
be the master is only significant to the DNS administrator, because changes
are made only at the master DNS server and not at the individual slave
servers.
Important: When DNS servers in an HA cluster, Secure Computing recommends
configuring the Sidewinder G2 name servers as DNS slaves for authoritative zones.
This allows the Master DNS servers to update both Sidewinder G2s in the HA
cluster. If you do not configure the Sidewinder G2 name servers as DNS slaves for
authoritative zones, DNS changes will not be made to the secondary Sidewinder
G2 unless it is rebooted.
Determining the number of DNS servers defined on
Sidewinder G2
You can use the Admin Console to display the number of DNS servers
currently defined on your Sidewinder G2. Select Services Configuration >
Servers and view the Server Name field:
• If the named-internet and named-unbound servers appear, it means there
are two DNS servers (split DNS).
• If only the named-unbound server appears, it means there is only one DNS
server (single DNS).
• If neither the named-internet nor named-unbound server appear, it means
Sidewinder G2 is using the DNS proxy (transparent DNS).
To modify the Sidewinder G2’s DNS configuration, you must use the
Reconfigure DNS window. See “Reconfiguring DNS” on page 336 for
information.

Advanced
configurations
Enabling and disabling hosted DNS servers
Chapter 11: DNS (Domain Name System)
Advanced configurations
When you configure Sidewinder hosted DNS services, the Sidewinder G2 will
use either one or two DNS servers. The DNS server(s) start automatically
when you boot the Sidewinder G2. If you need to manually enable or disable a
DNS server, follow the steps in this section.
Keep the following points in mind, however, if you decide to disable a
Sidewinder hosted DNS server.
• If you have one DNS server
In this situation the server is known as an unbound DNS server. If you disable
the DNS server, only connections that use IP addresses will still work;
those that use host names will not.
• If you have two DNS servers
This situation is also known as split DNS mode. Note the following:
– If you disable the Unbound DNS server, connections that use IP
addresses will still work; those that use host names will not.
– If you disable the Internet server, external connections that require host
names will not work unless the name is already cached (saved) in the
unbound name server’s database. Connections that use IP addresses
will work. E-mail will be placed in a queue since IP addresses cannot be
resolved.
– If you disable both name servers, connections will work only if they use
IP addresses rather than host names. Also, mail will not work and other
errors will happen as other parts of the system attempt to access the
network by name.
In either case, once you disable a server the server will remain disabled
until you enable it again.
Note: The following information applies only if you have a DNS server configured
on the Sidewinder G2.
If your site has multiple internal domains, and there are name servers for each
of these domains, the Sidewinder G2 must be designated as an authoritative
name server for all of the internal domains (the internal name servers also may
be authoritative for one or more of the internal domains). This must occur
regardless of whether the Sidewinder G2 is a master or a slave name server.
The Sidewinder G2 must be an authoritative name server for all internal
domains so that it can resolve queries for the internal domains. The Sidewinder
G2 will otherwise automatically forward these internal name queries to the
Internet, and the query will not be resolved.
317

Chapter 11: DNS (Domain Name System)
Managing your current DNS configuration
Managing your
current DNS
configuration
Configuring
transparent
name servers
318
In split DNS mode, if a DNS name occurs in the database of both servers, the
name will resolve differently depending on the server that is queried. This
occurs when the Sidewinder G2 is authoritative for the same domain both
internally and externally. Because of this issue, if you try to access the Internet
side of the Sidewinder G2 from an internal workstation you must use the
appropriate machine name. For example, if the name of your Sidewinder G2 is
“chloe,” then use the machine name “chloe-Internet.” This entry is
automatically created during installation. For more information on DNS see
DNS and BIND by Albitz & Liu, 3rd edition (O’Reilly).
You initially configure your DNS servers during the installation process. If you
want to make changes to your existing DNS configuration, you can use one of
two methods:
• Admin Console—Using the Admin Console, you can do the following:
– Configure DNS servers via Services Configuration > DNS. The DNS
server window enables you to configure the basic DNS settings as well
as configure many advanced options. See “Configuring transparent
name servers” on page 318 for details.
– Completely reconfigure your DNS settings (for example, change from
transparent to Sidewinder hosted or vice versa) via Tools > Reconfigure
DNS. See “Reconfiguring DNS” on page 336 for details.
Note: Using the Admin Console to modify your DNS configuration will remove
any comments you may have manually inserted into the DNS configuration
files.
• Manual—You can also manually edit the DNS configuration files. This
should only be attempted by highly skilled DNS administrators. See
“Manually editing DNS configuration files” on page 342 for details.
The sections that follow provide information on each method.
If you have configured DNS to use transparent services, you can add, modify,
or delete transparent name servers. In the Admin Console, select Services
Configuration > DNS. The Transparent DNS Configuration window appears.
Note: If you want to completely reconfigure your existing DNS configuration (for
example, change from transparent DNS to Sidewinder hosted DNS or vice versa),
you must use the Reconfigure DNS window. See “Reconfiguring DNS” on page 336
for details.

Figure 141: Transparent
DNS Configuration
window
About the
Transparent DNS
Configuration
window
Figure 142: Transparent
New/Modify Nameserver
window
About the New/
Modify Nameserver
window
Chapter 11: DNS (Domain Name System)
Configuring transparent name servers
This window allows you to configure name servers for transparent DNS
services. You can specify the burb to which the name servers will be assigned
from the Burb drop-down list. The order in which the servers appear indicates
the order in which Sidewinder G2 queries them.
• To delete a name server, select the name server and click Delete.
• To change the name servers’ order, select a name server and click the Up
and Down buttons as appropriate.
• To add a new name server to the list, click New. To modify a name server,
highlight the name server and click Modify. The Transparent: New/Modify
Nameserver window appears.
This window allows you to add a new name server to the list of name servers
configured for transparent services. Type the IP address for the name server
you want to add or modify in the Nameserver IP Address field, and click OK to
add the name server to the list.
319

Chapter 11: DNS (Domain Name System)
Configuring hosted DNS servers
Configuring
hosted DNS
servers
320
Figure 143: Sidewinder
Hosted DNS window
About the
Sidewinder hosted
DNS window
If you have configured DNS to use Sidewinder hosted services (single or split),
you can define various name server information. In the Admin Console, select
Services Configuration > DNS. The DNS window contains four tabs that allow
you to define specific name server information.
Note: If you want to completely reconfigure your existing DNS configuration (for
example, change from transparent DNS to Sidewinder hosted DNS or vice versa),
you must use the Reconfigure DNS window. See “Reconfiguring DNS” on page 336
for details.
This window allows you to configure your Sidewinder hosted DNS server(s). It
contains the following tabs.
• The Server Configuration tab is used to configure general information
about a name server. See “Configuring the Server Configuration tab” on
page 322 for details.
• The Zones tab defines each of the master and slave zones associated with
the selected name server. See “Configuring the Zones tab” on page 325 for
details.
• The Master Zone Attributes tab is used to configure attributes for each
master zone defined on the Zones tab. See “Using the Master Zone
Attributes tab” on page 329 for details.
• The Master Zone Contents tab defines the hosts associated with each
master zone defined on the Zones tab. See “Using the Master Zone
Contents tab” on page 333 for details.

Chapter 11: DNS (Domain Name System)
Configuring hosted DNS servers
Figure 144 illustrates the different DNS objects you can configure, how they
relate to each other, and which tab is used to configure each object.
Figure 144: DNS objects
and the tab used to DNS Object
DNS Object
configure each object Name server Zones (consists of
forward and reverse
lookups)
Where Defined
Where Defined
DNS Object
Individual hosts
within each zone
Where Defined
Server Configuration tab Zones tab Master Zone Attributes
tab and Master Zone
Contents tab
Name
Server
Zone
Zone
Zone
Zone
321

Chapter 11: DNS (Domain Name System)
Configuring hosted DNS servers
322
Figure 145: DNS Server
Configuration tab
About the Server
Configuration tab
Configuring the Server Configuration tab
The Server Configuration tab is used to define configuration settings for the
selected name server. When you select the Server Configuration tab a window
similar to the following appears.
This window allows you to define alternate name servers that will be contacted
if a query cannot be resolved by the selected name server. The alternate name
servers are called forwarders. This window is also used to define advanced
configuration settings for the name server. To modify the Server Configuration
tab, follow the steps below.
Note: To completely reconfigure your DNS settings (for example, change from
Sidewinder hosted single server to split server), click Reconfigure DNS.
1 In the Modify Server For field, select the name server that you want to
modify.
Note: The File Directory displays the name and location of the files used to
store information about this server. This field cannot be modified.
2 In the Do Forwarding field, specify whether the name server will forward
queries it cannot answer to another name server. In a split DNS
configuration, when modifying the unbound name server this field will
default to Yes and will forward these unresolved queries to the Internet
server (127.x.0.1, where x = the external [or Internet] burb number).
Forwarding occurs only on those queries for which the server is not authoritative
and does not have the answer in its cache.
3 [Conditional] If you selected Yes in the previous step, configure the Forward
Only field. Specify the following:

Entering information
on the Forwarding
IP Address window
Chapter 11: DNS (Domain Name System)
Configuring hosted DNS servers
• If you select Yes, the name server will forward queries it cannot answer
to the name servers listed in the Forward To list only. This is the default.
• If you select No, the name server forwards the query to the name
servers listed in the Forward To list. If they cannot answer the query, the
name server attempts to contact the root server.
4 In the Forward To field, specify the alternate name servers that will be used
when attempting to resolve a query. This list is consulted only if Yes is
selected in the Do Forwarding field. If multiple name servers are defined,
the name servers are consulted in the order listed until the query is
resolved. In a split DNS configuration, when modifying the unbound name
server this list will by default contain four entries for the Internet name
server (127.x.0.1, where x = the external [or Internet] burb number).
Important: If you are using a split DNS configuration, Secure Computing
strongly recommends against defining additional alternate name servers for the
unbound name server. The Internet (or external) name server should be the
only alternate name server defined in this situation.
5 To add another entry to the list of authorized name servers, click New under
the Forward To list. See “Entering information on the Forwarding IP
Address window” on page 323 for information on adding a new entry.
6 To delete a name server from the Forward To list, highlight the name server
you want to delete and click Delete.
7 [Conditional] To modify an advanced configuration setting for the name
server, click Advanced. For more information on modifying the Advanced
Server Options window, see “Entering information on the Advanced Server
Options window” on page 324.
Important: Only experienced DNS administrators should modify an advanced
configuration setting.
8 Click the Save icon in the toolbar to save your changes. To configure
additional name server information, see “About the Zones tab” on page
325.
This window is used to add an entry to the list of alternate name servers. The
alternate name servers are consulted if the primary name server cannot
resolve a query. Follow the steps below.
1 In the Forward to IP Address field, type the IP address of the alternate
name server. Use the standard quad notation when typing the IP address
(for example, 1.1.1.1).
2 Click Add to save the specified IP address to the list of alternate name
servers.
3 When you are finished adding alternate name servers, click Close.
323

Chapter 11: DNS (Domain Name System)
Configuring hosted DNS servers
Entering information
on the Advanced
Server Options
window
324
The Advanced Server Options window is used to define some of the more
advanced DNS name server options.
• Do not change these options unless you are an experienced DNS system
administrator.
• By default, the options on this window are disabled, meaning there are no
restrictions. If your organization considers this to be a security risk, you
should use these options to limit the amount of interaction this name server
has with other devices. Use your organization’s security policy as a guide.
To modify advanced server options, follow the steps below.
1 To enable the notify option, select the corresponding check box. Enabling
this option allows you to specify whether the master server will notify all
slave servers when a zone file changes. The notification indicates to the
slaves that the contents of the master have changed and a zone transfer is
necessary.
If this field is not selected, the field defaults to Yes.
2 To enable the allow-query option, select the corresponding check box.
Selecting this option affects who is able to query this name server. The
options are the following:
• If not selected, all requesters are authorized to query the name server.
This is the default.
• If selected and contains IP addresses, only the requesters defined in the
allow-query list will be authorized to query this name server. Use the
New and Delete buttons to modify this list. See “Adding an IP address”
on page 325 for details on using the New button.
Note: If you select this option, be sure to include all IP addresses that might
need to query the server, such as the heartbeat burbs’ IP addresses,
loopback addresses, etc.
3 To enable the allow-transfer option, select the corresponding check box.
Selecting this option allows you to limit who is authorized to request zone
transfers from this name server.
• If not selected, all requesters are authorized to transfer zones from the
name server. This is the default.
• If selected and no IP addresses are added, no requesters will be
authorized to transfer zones from this name server.
• If selected and contains IP addresses, only the requesters defined in the
allow-transfer list will be authorized to transfer zones from this name
server. Use the New and Delete buttons to modify this list. See “Adding
an IP address” on page 325 for details on using the New button.
4 Click OK to save your changes.

Adding an IP
address
Figure 146: DNS Zones
window
Chapter 11: DNS (Domain Name System)
Configuring hosted DNS servers
This window is used to add a new IP address to the selected list in the
Advanced Server Options window. To add a new IP address, type the IP
address of the name server you want to add in the IP Address field. Click Add
and then click Close to add the specified IP address to the name server list.
Configuring the Zones tab
A DNS server is responsible for serving one or more zones. A zone is a distinct
portion of the domain name space. A zone consists of a domain or a
subdomain (for example, securecomputing.com or
sales.securecomputing.com). Each zone can be configured as either a master,
slave or forward zone on this name server.
When you select the Zones tab, a window similar to the following appears.
About the Zones tab This tab is used to define zone information about the name server. Follow the
steps below.
Note: To completely reconfigure your DNS settings (for example, change from
Sidewinder hosted single server to split server), click Reconfigure DNS.
1 In the Modify Server For field, select the name server that you want to
modify.
2 The Zones list defines the zones for which the name server is authoritative.
This list initially contains a zone entry for each domain and each network
interface defined to the Sidewinder G2. You can add or delete server
entries as follows:
• To add a new zone to the list, click New and see “About the Zone List
window” on page 327 for details.
325

Chapter 11: DNS (Domain Name System)
Configuring hosted DNS servers
326
• To delete a zone, highlight a zone and click Delete.
Secure Computing strongly recommends against deleting or modifying the
following entries:
• Any 127 reverse zones (for example, 0.1.127.in-addr.arpa). These
zones represent local loopback addresses and are required.
• The zone with 192.239 in its name. This zone provides multicast
support for the Sidewinder G2 failover feature.
There can be two different types of entries in the Zone list:
• Reverse zones (for example, 4.3.in-addr.arpa): This format indicates the
entry provides reverse lookup functions for this zone.
• Forward zones (for example, example.com): This format indicates the
entry provides forward lookup functions for this zone.
The Related Zones list displays the zones that are related to the selected
zone. For example, if a forward zone is selected, the related reverse lookup
zones are displayed. This list cannot be modified.
3 In the Zone Type field, specify whether the selected zone is a master zone,
a slave zone, or a forward zone, as follows:
• Master—A master zone is a zone for which the name server is
authoritative. Many organizations define a master zone for each subdomain
within the network. Administrators should only make changes to
zones defined as a master.
Important:You should consider defining a matching reverse zone (an
in-addr.arpa zone) for each master zone you configure.
• Slave—A slave zone is a zone for which the name server is
authoritative. Unlike a master zone, however, the slave zone’s data is
periodically transferred from another name server that is also
authoritative for the zone (usually, the master). If you select Slave, the
Master Servers field becomes active. Be sure to use the Master Servers
field to define the name server that will provide zone transfer information
for this slave zone. Administrators should not make changes to zones
defined as a slave.
Caution:When changing a zone from slave to master, the Admin Console
changes the slave file into a master file and the file becomes the lookup
manager for the zone. The DNS server will have no problems understanding
and using the new master file. For large zones (class A or B), however, this
file may become too complex to be managed properly using the Admin
Console. Secure Computing recommends either leaving large zones as
slaves on the Sidewinder G2 or manually modifying these files.
• Forward—A forward zone allows you to specify that queries for names
in the zone are forwarded to another name server.

About the Zone List
window
About the Advanced
Zone Configuration
window
Chapter 11: DNS (Domain Name System)
Configuring hosted DNS servers
4 In the Zone File Name field, specify the name of the file that is used to store
information about this zone. The file is located in the directory specified in
the File Directory field on the Server Configuration tab. Secure Computing
does not recommend changing this name.
5 [Conditional] When Zone Type is Forward, the Forwarders list defines one
or more forwarders for a zone. You can add or delete forwarder entries as
follows:
• To add a new forwarder to the list, click New and see “Adding an IP
address” on page 325 for details.
• To delete a forwarder, select that item and click Delete.
6 [Conditional] When the Zone Type is Slave, the Master Servers list defines
one or more master name servers that are authorized to transfer zone files
to the slave zone. You can add or delete server entries as follows:
• To add a new master server to the list, click New and see “Adding an IP
address” on page 325 for details.
• To delete a master server, highlight a server and click Delete.
7 [Conditional] To modify an advanced configuration setting for the selected
zone, click Advanced. For more information on modifying the Advanced
Server Options window, see “About the Advanced Zone Configuration
window” on page 327.
Important: Only experienced DNS administrators should modify an advanced
configuration setting.
8 Click the Save icon in the toolbar to save your changes. To configure
additional name server information, see “About the Zone List window” on
page 327.
This window is used to add a new zone entry. In the Zone Name field, type the
name of the forward or reverse zone you want to add to the list. Click Add and
then click Close to exit this window.
The Advanced Zone Configuration window is used to define some of the more
advanced zone configuration options. This window allows you to configure
certain options specifically for the selected zone, overriding similar options that
may be configured for the global name server (the Unbound or the Internet
name server). Follow the steps below.
Important: Only experienced DNS administrators should modify an advanced
configuration setting.
1 To enable the notify option, select the corresponding check box. Enabling
this option allows you to specify whether the master server will notify all
slave servers when the zone changes. The notification indicates to the
slaves that the contents of the master have changed and a zone transfer is
necessary. The name servers that are notified are those defined in the
Zone NS Records field on the Master Zone Attributes tab.
If this field is not selected, the field defaults to Yes.
327

Chapter 11: DNS (Domain Name System)
Configuring hosted DNS servers
328
2 To enable the allow-query option, select the corresponding check box.
Selecting this option affects who is able to query this zone. The options are
the following:
• If not selected, all requesters are authorized to query the zone. This is
the default.
• If selected and contains IP addresses, only the requesters defined in the
allow-query list will be authorized to query this zone. Use the New and
Delete buttons to modify this list. See “Adding an IP address” on page
325 for details on using the New button.
Note: If you select this option, be sure to include all IP addresses that might
need to query the zone, such as the heartbeat burbs’ IP addresses,
loopback addresses, etc.
3 To enable the allow-update option, select the corresponding check box.
Selecting this option allows you to specify from whom the zone will accept
dynamic DNS updates. If this option is selected, only the hosts in the allowupdate
list are authorized to update this zone. This option is only valid for
master zones. Use the New and Delete buttons to modify this list. See
“Adding an IP address” on page 325 for details on using the New button.
By default the allow-update option is not selected, meaning the server will
deny updates from all hosts.
4 To enable the allow-transfer option, select the corresponding check box.
Selecting this option allows you to limit who is authorized to request zone
transfers from this zone.
• If not selected, all requesters are authorized to transfer this zone from
the name server. This is the default.
• If selected and no IP addresses are added, no requesters will be
authorized to transfer this zone from the name server.
• If selected and contains IP addresses, only the requesters defined in the
allow-transfer list will be authorized to transfer the zone from the name
server. Use the New and Delete buttons to modify this list. See “Adding
an IP address” on page 325 for details on using the New button.

Figure 147: Master Zone
Attributes tab
About the Master
Zone Attributes tab
Using the Master Zone Attributes tab
Chapter 11: DNS (Domain Name System)
Configuring hosted DNS servers
The Master Zone Attributes tab is used to configure attributes for each master
zone defined on the Zones tab. Slave zones are not included on this tab
because you can only define attributes for those zones for which you are the
master.
When you select the Master Zone Attributes tab a window similar to the
following appears.
This window is used to define the attributes of each master zone defined for
the selected name server. In particular, it defines the Name Server record(s)
and the Start of Authority (SOA) record for each master zone. The window also
enables you to define Mail Exchanger (MX) records for those entries that are
forward lookup zones. Follow the steps below.
Note: To completely reconfigure your DNS settings (for example, change from
Sidewinder hosted single server to split server), click Reconfigure DNS.
1 In the Modify Server For field, select the name server that you want to
modify.
The Master Zones list defines the zones for which the name server is master.
A plus sign (+) will appear in front of any forward lookup zone that contains
one or more sub-domains. Click the plus sign to view the subdomains.
To modify an entry in the list, click the entry name. A menu of options used
to characterize the selected entry is presented on the right side of the window.
Note: The Forward Zone Name/Reverse Zone Name field displays the full zone
name associated with the entry selected in the Master Zones list.
329

Chapter 11: DNS (Domain Name System)
Configuring hosted DNS servers
330
2 To modify the Zone SOA tab, click the tab and follow the sub-steps below.
The fields on the Zone SOA tab collectively define one Start Of Authority
(SOA) record. An SOA record controls how master and slave zones
interoperate.
The DNS Serial # field displays the revision number of this SOA record.
This field will increment by one each time you modify this zone. Slave
zones use this field to determine if their zone files are out-of-date. You cannot
modify this field. (See sub-step b for more details.)
a In the DNS Contact field, specify the name of the technical contact that
can answer questions about this zone. The name must be a fullyqualified
name, with the @ character replaced by a period (for example,
hostmaster.domain.com).
b In the Refresh (seconds) field, specify how often a slave will check this
zone for new zone files. The slave uses the DNS Serial # value to
determine if its zone files need to be updated. For example, if the
slave’s DNS serial number is 4 and the master zone’s DNS serial
number is 5, the slave knows that its zone files are out-of-date and it will
download the updated zone files. Values must be positive integers. The
default value is 3600 (1 hour).
c In the Retry (seconds) field, specify how long a slave should wait to try
another refresh following an unsuccessful refresh attempt. Values must
be positive integers.
d In the Expiration (seconds) field, specify how long a slave can go
without updating its data before expiring its data. For example, assume
you set this value to 604800 (one week). If the slave is unable to contact
this master zone for one week, the slave’s resource records will expire.
Queries to the slave will then be treated as if that DNS server is not
authoritative for that domain (zone), resulting in a recursive search or
forwarding, depending on how the slave is configured. Values must be
positive integers.
e In the TTL (seconds) field, specify the time to live (TTL) value. This
value defines how long a resource record from this zone can be cached
by another name server before it expires the record. The value specified
here is used as the default in records that do not specify a TTL value.
Values must be positive integers.
f To add a sub-domain to the selected zone, click Add Sub. This button is
only available if a forward lookup zone is selected in the Zones list. For
information on adding a sub-domain, see “Adding a forward lookup subdomain”
on page 331.
g To delete a sub-domain from the selected zone, click Delete Sub. This
button is only available if a forward lookup zone is selected in the Zones
list. See “Deleting a forward lookup sub-domain” on page 332 for
details.

Adding a forward
lookup sub-domain
Chapter 11: DNS (Domain Name System)
Configuring hosted DNS servers
3 To modify the Zone Records tab, click the tab. This tab contains NS (Name
Server) and MX (Mail Exchange) records for forward zones. This tab
contains only NS Records for reverse zones.
The Name Servers table contains DNS NS records that indicate what
machines will act as name servers for this zone. By default the table contains
an entry for the machine you are currently using. (To add or delete an
entry use the New or Delete buttons, respectively. See “Adding an NS
record” on page 332 for details on adding a new entry.)
If this zone is configured to notify all slave servers when a zone file changes
(see “About the Advanced Zone Configuration window” on page 327 for a
description of the notify field), the notify commands are sent to all NS hosts
specified here.
The Zone MX Records list is available only if the selected zone entry is a
forward lookup entry. It is used to specify entries in the Mail Exchangers
table for the selected zone. The Mail Exchangers table contains DNS MX
records that indicate what machines will act as mail routers (mail exchangers)
for the selected domain. To add or delete an MX record entry use the
New or Delete buttons, respectively. See “Adding an MX record” on page
332 for details on adding a new MX record entry.
The Zone A Record field is available only if the selected zone entry is a forward
lookup entry. It defines a DNS A record (an Address record). A DNS A
record is used to map host names to IP addresses. The address you specify
must be entered using standard dotted quad notation (for example
172.14.207.27).
If the selected zone entry is a forward lookup entry, the TXT Record field is
available. This optional field allows you to enter comments or additional
information about this zone, such as sender id information.
4 Click the Save icon in the toolbar to save your changes. To configure
additional name server information, see “About the Master Zone Attributes
tab” on page 329.
This window is used to add a forward lookup sub-domain to the selected
forward lookup zone. By adding a sub-domain you are delegating authority for
a portion of the parent domain to the new sub-domain. Follow the steps below.
1 In the Forward Sub-Domain Name field, type the name of the sub-domain.
Do not type a fully qualified name. For example, assume you have a
domain named example.com that contains a sub-domain named west. You
would type west in this field rather than west.example.com.
2 In the Sub-Domain NS Records field, specify entries in the Name Servers
table for this sub-domain. The Name Servers table contains DNS NS
records that indicate what machines will act as name servers for this subdomain.
To add or delete an entry use the New or Delete buttons,
respectively. See “Adding an NS record” on page 332 for details on adding
a new entry.
3 [Optional] In the Sub-Domain MX Records field, specify entries in the Mail
331

Chapter 11: DNS (Domain Name System)
Configuring hosted DNS servers
Deleting a forward
lookup sub-domain
332
Exchangers table for this sub-domain. The Mail Exchangers table contains
DNS MX records that indicate what machines will act as mail routers (mail
exchangers) for the sub-domain. To add or delete an MX record entry use
the New or Delete buttons, respectively. See “Adding an MX record” on
page 332 for details on adding a new MX record entry.
This window is used to delete a sub-domain from a forward lookup zone. The
Domains in Zone field lists the domains defined in the zone.
1 To delete a domain, highlight the domain you want to delete and click
Delete Domain.
2 Click OK to save your changes. (Click Cancel to exit the window without
saving your changes.)
Adding an NS record This window is used to add a new NS record to the Name Servers table
associated with the selected zone or sub-domain. Follow the steps below.
Adding an MX
record
1 In the NS Record field, type the domain name associated with this NS
record. The name must be a fully-qualified name and must end with a
period. The name you specify should be a pre-existing domain name that
maps to a valid IP address.
2 Click Add to add the specified entry to the Name Servers table.
3 Click Close to exit the window.
This window is used to add a new MX record to the Name Servers table
associated with the selected zone, sub-domain, or host. Follow the steps
below.
Note: For more information on MX records, see “About mail exchanger records”
on page 314.
1 In the MX record field, type the fully-qualified name of the host that will act
as the mail exchange for this zone, sub-domain, or host.
2 In the Priority field, type a priority level for this record. Valid values are
1–65535. The lower the value, the higher the priority (for example, a value
of 1 will have a higher priority than a value of 10).
3 Click Add to save the new record.
4 Click Close to exit the window.

Figure 148: Master Zone
Contents tab
About the Master
Zone Contents tab
Using the Master Zone Contents tab
Chapter 11: DNS (Domain Name System)
Configuring hosted DNS servers
The Master Zone Contents tab is used to define the hosts that are associated
with each master zone.
When you select the Master Zone Contents tab a window similar to the
following appears.
Note: If you are adding a large number of hosts (hundreds or thousands) to a
master zone, you may want to consider manually adding the required host
information directly to the appropriate DNS files using one of the available editors
on the Sidewinder G2 to save time. However, only experienced Sidewinder G2
administrators should attempt this. (Using the manual method will still require you
to manually define each host.)
This window is used to define the hosts that are associated with each master
zone. For each host you define in a forward lookup zone you should also
create a matching entry in the associated reverse lookup zone. Follow the
steps below.
Note: To completely reconfigure your DNS settings (for example, change from
Sidewinder hosted single server to split server), click Reconfigure DNS.
1 In the Modify Server For field, select the name server that you want to
modify.
The fields that are available on this tab will vary depending on whether a
zone, a host in a forward lookup zone, or a host in a reverse lookup zone is
selected.
333

Chapter 11: DNS (Domain Name System)
Configuring hosted DNS servers
334
2 [Conditional] If you are modifying a zone, do the following:
a In the Master Zones area, select the zone you want to modify.
b To add a host to the selected zone, click Add Entry. If you are adding a
host to a forward lookup zone, see “Adding a new forward lookup entry”
on page 335 for details. If you are adding a host to a reverse lookup
zone, see “Adding a new reverse lookup entry” on page 336.
c To delete a host from the selected zone, click Delete Entry. See
“Deleting a host entry from a zone” on page 336 for details.
3 [Conditional] If you are modifying a host in a reverse lookup zone, the
following two fields appear:
• Name (Host portion of IP): This field appears only if a host is selected in
the list. The field displays the host portion of either the IP address or of
the fully-qualified domain name of this entry. You cannot modify this
field. If you need to change the host name you must delete the entry
from the list, then add the entry back using the new name.
• Fully-Qualified Domain Name: This field displays the domain name of
the host. You can modify this field by typing in a new value. Be sure to
type the fully-qualified domain name of the host.
Note: The Name field and the Fully-Qualified Name Entry field collectively
define a PTR Record for the selected reverse lookup zone. The PTR record is
used in a Reverse Addresses table and maps an IP address to a host name.
4 [Conditional] If a host in a forward lookup zone is selected, the following
fields appear:
• Entry Name: This field defines the host portion of the fully-qualified
domain name of this entry.
• A Record IP: This field defines a DNS A record (an Address record),
which is used to map host names to IP addresses. In this case the field
displays the IP address of the selected host. You can modify this field by
typing in a new value. The address you specify must be entered using
standard dotted quad notation (for example 172.14.207.27).
• CNAME Rec: This field defines a DNS CNAME record, which is used to
map an alias to its canonical name.The field, if populated, displays the
name of the Canonical Record of the selected host. You can modify this
field by typing in a new name. The name you specify must be entered
using the fully-qualified primary name of the domain.
Important:A host in a forward lookup zone requires either an A Record or a
CNAME Record.
• TXT Record: This field allows you to enter comments or additional
information about this zone, such as sender id information.

Adding a new
forward lookup
entry
Chapter 11: DNS (Domain Name System)
Configuring hosted DNS servers
• Entry MX Records: This field is used to specify entries in the Mail
Exchangers table for the selected host. The Mail Exchangers table
contains DNS MX records that indicate what machines will act as mail
routers (mail exchangers) for the selected host. To add or delete an MX
record entry use the New or Delete buttons, respectively. See “Adding
an MX record” on page 332 for details on adding a new MX record entry.
• HINFO-Type: This field provides information about a host’s hardware
type.
• HINFO-OS: This field provides information about a host’s operating
system.
Important:For security reasons, many organizations elect not to use the
HINFO fields.
5 Click the Save icon in the toolbar to save your changes.
This window is used to define a new host for a forward lookup zone. Follow the
steps below.
Note: The following fields collectively define an Address record.
1 In the Entry Name field, specify the host portion of the fully-qualified domain
name of this entry.
2 In the A Record IP field, specify a DNS A record (an Address record), which
is used to map host names to IP addresses. The address you specify must
be entered using standard dotted quad notation (for example
172.14.207.27). This field and the CNAME Rec field are mutually exclusive.
3 In the CNAME Rec field, specify a DNS CNAME record, which is used to
map an alias to its canonical name. The name you specify must be entered
using the fully-qualified primary name of the domain. This field and the A
Record IP field are mutually exclusive.
4 [Optional] In the TXT Record field, enter comments or additional information
about this zone, such as sender ID information.
5 [Optional] The Entry MX Records field lists entries in the Mail Exchangers
table for this host. The Mail Exchangers table contains DNS MX records
that indicate what machines will act as mail exchangers for the host. To add
or delete an MX record entry use the New or Delete buttons, respectively.
See “Adding an MX record” on page 332 for details on adding a new MX
record entry.
6 [Conditional] The HINFO-Type: field provides information about a host’s
hardware type.
7 [Conditional] The HINFO-OS field provides information about a host’s
operating system.
Important:For security reasons, many organizations elect not to use the
HINFO fields.
335

Chapter 11: DNS (Domain Name System)
Reconfiguring DNS
Adding a new
reverse lookup entry
Deleting a host
entry from a zone
Reconfiguring
DNS
336
8 For security reasons, many organizations elect not to use these fields.
9 Click Add to save the new entry.
10 Click Close to exit this window.
This window is used to define a new host for a reverse lookup zone. Follow the
steps below.
1 In the Entry Name field, specify the host portion of the IP address of this
entry.
2 In the Fully-Qualified Name Entry field, specify the domain name of the
host. Be sure to type the fully-qualified domain name of the host.
Note: The Entry Name field and the Fully-Qualified Name Entry field collectively
define a PTR Record for the selected reverse lookup zone. The PTR record is
used in a Reverse Addresses table and maps an IP address to a host name.
3 Click Add to save the new entry.
4 Click Close to exit this window.
This window is used to delete a host from the selected zone. The Hosts in
Zone field lists all the hosts currently defined within the selected zone. To
delete a host, highlight the host you want to delete and click Delete Host. You
can only delete one host at a time. Click OK to save your changes and exit the
window. (To cancel your changes, click Cancel.)
The Reconfigure DNS window allows you to completely reconfigure DNS on
your Sidewinder G2. Changes made by the DNS configuration utility take effect
immediately. You do not need to reboot the Sidewinder G2.
Table 26 summarizes the available DNS configuration options. (For more
detailed information on determining which DNS configuration best suits your
situation, refer to the Sidewinder G2 Perimeter Security Planning Guide.)
Note: Any active DNS servers on the Sidewinder G2 will be disabled during the
reconfiguration process.
Important: Any prior modifications you have made to your DNS configuration will
be lost when you save your changes. You will need to re-apply the modifications.

Table 26: DNS configuration options
DNS Configuration Options
Transparent
DNS
Hosted
DNS
Chapter 11: DNS (Domain Name System)
Reconfiguring DNS
Single Indicates that DNS traffic will be proxied through the Sidewinder G2.
This configuration is generally used when you plan to use your existing
DNS server. If you are using a single internal DNS server, external
users will have proxied access to your DNS server. External hosts will
be unaware that the Sidewinder G2 is “transparently” passing the DNS
traffic. See “Reconfiguring transparent DNS” on page 338 for more
information.
Split Indicates that DNS traffic will be proxied through the Sidewinder G2,
with a remote DNS server connected to each interface. DNS queries will
generally be handled by both your internal DNS server and your
external ISP. This configuration is more secure than using a single
name server because your external server can limit access to your
internal naming system. External hosts will be unaware that the
Sidewinder G2 is “transparently” passing the DNS traffic. See
“Reconfiguring transparent DNS” on page 338 for more information.
Single Indicates that only one DNS server is hosted on the Sidewinder G2 and
handles all DNS queries. The server is protected by the Sidewinder G2
hardened OS, preventing attacks against it from penetrating your
network. A single server configuration is generally used when you have
no concerns for keeping your internal network architecture hidden, such
as when your Sidewinder G2 is acting as an “intrawall” between two
sets of private addresses. External hosts will need to be reconfigured to
point to the Sidewinder G2 servers. See “Reconfiguring single server
hosted DNS” on page 339 for more information.
Split Indicates that two DNS servers are hosted on the Sidewinder G2: one
server (the external name server) is bound to the external burb and the
other server (the “unbound” name server) is available for use by all
internal burbs. Both servers are protected by the Sidewinder G2
hardened OS, which is able to prevent attacks against them from
penetrating your network. The security benefit of this configuration is the
ability to hide the DNS entries on the unbound server from those who
only have access to the external burb. External hosts will need to be
reconfigured to point to the Sidewinder G2 servers. See “Reconfiguring
split server hosted DNS” on page 340 for more information.
Important: You must use hosted split DNS if you want the Sidewinder
G2 to hide your private IP addresses when answering DNS queries.
DNS responses served by the Sidewinder G2’s public name server
would not display any private IP addresses.
337

Chapter 11: DNS (Domain Name System)
Reconfiguring DNS
338
Figure 149:
Reconfigure transparent
DNS window
About the
Reconfiguring
transparent DNS
window
Reconfiguring transparent DNS
To reconfigure DNS to use transparent services, using the Admin Console
select Tools > Reconfigure DNS. The Reconfigure DNS window appears.
This window allows you to reconfigure your DNS settings to use transparent
DNS services. Follow the steps below.
1 In the New DNS Configuration drop-down list, select Transparent.
2 To configure the Sidewinder G2 to use the internal name server(s), do the
following:
a Select the Internal Name Server check box.
b In the corresponding IP Address field, type the IP address of the name
server located in the internal burb (that is, your enterprise name server).
c [Optional] In the Alternate IP Address field, type the IP address of an
alternate name server.
d In the Burb drop-down list, select your internal burb.
3 To configure the Sidewinder G2 to use the external (Internet) name
server(s), do the following:
a Select the Internet Name Server check box.
b In the corresponding IP Address field, type the IP address of the name
server located in the external (Internet) burb (that is, your ISP’s name
server).
c [Optional] In the Alternate IP Address field, type the IP address of an
alternate name server.

Figure 150:
Reconfiguring Sidewinder
Hosted (single server)
DNS window
About the
Reconfiguring DNS:
Sidewinder Hosted
(single server)
window
Chapter 11: DNS (Domain Name System)
Reconfiguring DNS
d Click the Save icon in the toolbar to reconfigure your DNS settings. You
will receive a pop-up message informing you whether the
reconfiguration was successful.
Important: The pop-up message that appears may contain additional
information or warnings about your Sidewinder G2 configuration. Please read
this message carefully before you click OK.
Reconfiguring single server hosted DNS
To reconfigure DNS to use single server hosted services, using the Admin
Console select Tools > Reconfigure DNS. The Reconfigure DNS window
appears.
This window allows you to reconfigure your DNS settings to use hosted single
server DNS services. Follow the steps below.
1 In the New DNS Configuration drop-down list, select Sidewinder Hosted.
2 Select the 1 Server radio button.
3 In the Domain field, verify that the correct domain name appears.
4 In the Authority field, select one of the following options:
• Master: Select this option if the server you are defining will be a master
name server. A master name server contains name and address
information for every computer within its zone.
• Slave: Select this option if the server you are defining will be a slave
name server. A slave name server is similar to a master name server,
339

Chapter 11: DNS (Domain Name System)
Reconfiguring DNS
340
Figure 151:
Reconfiguring Sidewinder
Hosted (split server) DNS
window
except that it does not maintain its own original data. Instead, it
downloads data from another name server.
5 [Conditional] If you selected Slave in the previous step, type the IP address
of the master authority server in the Master IP field.
6 Click the Save icon in the toolbar to reconfigure your DNS settings. You will
receive a pop-up message informing you whether the reconfiguration was
successful.
Important: The pop-up message that appears may contain additional
information or warnings about your Sidewinder G2 configuration. Please read
this message carefully before you click OK.
Reconfiguring split server hosted DNS
To reconfigure DNS to use split server hosted services, using the Admin
Console select Tools > Reconfigure DNS. The Reconfigure DNS window
appears.

About the
Reconfiguring DNS:
Sidewinder Hosted
(split server)
window
Chapter 11: DNS (Domain Name System)
Reconfiguring DNS
This window allows you to reconfigure your DNS settings to use hosted split
server DNS services. Follow the steps below.
1 In the New DNS Configuration drop-down list, select Sidewinder Hosted.
2 Select the 2 Server radio button.
3 To configure the Unbound server, do the following:
a In the Domain field, verify that the correct domain name appears.
b In the Authority field, select one of the following options:
• Master: Select this option if the server you are defining will be a
master name server. A master name server contains name and
address information for every computer within its zone.
• Slave: Select this option if the server you are defining will be a slave
name server. A slave name server is similar to a master name
server, except that it does not maintain its own original data. Instead,
it downloads data from another name server.
c [Conditional] If you selected Slave in the previous step, type the IP
address of the master authority server in the Master IP field.
4 To configure the Internet server, do the following:
a In the Domain field, verify that the correct domain name appears.
b In the Authority field, select one of the following options:
• Master—Select this option if the server you are defining will be a
master name server. A master name server contains name and
address information for every computer within its zone.
• Slave—Select this option if the server you are defining will be a slave
name server. A slave name server is similar to a master name
server, except that it does not maintain its own original data. Instead,
it downloads data from another name server.
c [Conditional] If you selected Slave in the previous step, type the IP
address of the master authority server in the Master IP field.
5 Click the Save icon in the toolbar to reconfigure your DNS settings. You will
receive a pop-up message informing you whether the reconfiguration was
successful.
Important: The pop-up message that appears may contain additional
information or warnings about your Sidewinder G2 configuration. Please read
this window carefully before you click OK.
341

Chapter 11: DNS (Domain Name System)
Manually editing DNS configuration files
Manually editing
DNS
configuration
files
342
If you prefer to edit the DNS configuration files manually, follow these steps.
Note: Files with a u extension are for the unbound nameserver, and files with an
i extension are for the Internet nameserver.
Important: You should only edit zone files for a master name server. Never edit the
slave name server files. The file names shown below are for a master name server.
1 Log into the Sidewinder G2 and enter the following command to switch to
the admin role:
srole
The following two steps assume you have database files named
domain.db and reverse.db in your system. Substitute your file names
as required.
2 Open the /etc/namedb.u/domain.db and /etc/namedb.i/domain.db files in a
UNIX text editor and make the necessary changes.
3 Open the /etc/namedb.u/reverse.db and /etc/namedb.i/reverse.db files in a
UNIX text editor and make the necessary changes.
4 Open the /etc/named.conf.u and /etc/named.conf.i files in a UNIX text editor
and make the necessary changes.
Note: If you use the /etc/named.conf.* files to change an existing master zone
into a slave zone, you must also manually remove the old zone files in your
/etc/namedb.* directories.
5 If you have added new files, you must change the files to the correct Type
Enforcement types.
To do this, type the following command and insert the names of the file(s)
you edited in steps 2, 3 and 4. For non-Internet (unbound) burbs, in place of
x type the identifier u. For the Internet burb, in place of x type the index
number of the Internet burb. (Use the region show command to determine
the index number.)
chtype DNSx:conf filename
6 Increment the serial number after every change to the master files.
7 Enter the following command to restart DNS.
ndc restart
Note: Any files created by named daemons, such as zone backup files or query
log files, have types of DNSu:file or DNSx:file.
8 Check /var/log/daemon.log for any errors.

DNS message
logging
Chapter 11: DNS (Domain Name System)
DNS message logging
DNS messages, Type Enforcement errors and process limit errors are logged
in the following locations on the Sidewinder G2.
• /var/log/audit.raw: Contains information in the Sidewinder G2 audit format.
• /var/log/daemon.log: Contains traditional syslog format messages.
You can view the audit.raw file using the Audit windows in the Admin Console
(See Chapter 19 for more information). The daemon.log file can be viewed
using any text editor. (See Appendix A for more information on using the
different text editors.)
343

Chapter 11: DNS (Domain Name System)
DNS message logging
344

12
CHAPTER
Electronic Mail
In this chapter...
Overview of e-mail on Sidewinder G2 ..........................................346
Administering mail on Sidewinder G2 ..........................................350
Managing sendmail ......................................................................353
Reconfiguring mail........................................................................351
Editing the mail configuration files................................................354
Redirecting mail to a different destination ....................................364
Other sendmail features ...............................................................365
Managing mail queues .................................................................370
345

Chapter 12: Electronic Mail
Overview of e-mail on Sidewinder G2
Overview of
e-mail on
Sidewinder G2
346
The Sidewinder G2 uses the sendmail message transfer agent to receive and
route mail messages. When you run mail on a network protected by the
Sidewinder G2, all messages coming into and going out from your site must be
routed through the Sidewinder G2.
Mail server configuration options
The Sidewinder G2 offers two configuration options for handling mail:
Important: A newly installed Sidewinder G2 is not configured to pass mail between
burbs. If you want mail to pass through Sidewinder G2, you must run Tools >
Reconfigure Mail. See “Reconfiguring mail” on page 351 for more information.
• Transparent—This configuration option allows you to use transparent
SMTP services (without sendmail processes running directly on the
Sidewinder G2). Transparent SMTP service indicates that all inbound and
outbound mail passes by proxy through the Sidewinder G2, just as other
proxy traffic does. When you use transparent SMTP, the SMTP proxy is
enabled and policy controls for mail are enforced via the active policy rules.
A Mail rule group is automatically created during installation, but it does not
contain any rules. Mail filtering is limited when using transparent mail
services.
• Secure Split SMTP Servers (hosted on Sidewinder G2)—This configuration
option allows you to have two sendmail servers running directly on the
Sidewinder G2, each supported on its own burb: the external burb and one
non-Internet burb that you choose. The Sidewinder G2 sendmail servers
will route mail through the Sidewinder G2 only for these two burbs. This
configuration protects your internal mailhost from malicious attacks, and
offers a variety of additional mail-handling options. When using secure split
mail services, the Sidewinder G2 external sendmail server is the mail host
to which all external SMTP hosts will connect. The Sidewinder G2 internal
sendmail server will connect with internal hosts in its same burb.
Your internal mail host must run mail software that can accept incoming
messages from, and send outgoing messages to, the Sidewinder G2. This
system might be running sendmail or some other mail package such as
Microsoft Exchange or cc:Mail with a Simple Mail Transport Protocol
(SMTP) gateway.

Chapter 12: Electronic Mail
Overview of e-mail on Sidewinder G2
When you configure secure split SMTP services, there are three separate
sendmail servers that each have a different purpose.
• Local
The local server handles mail that is sent directly from the Sidewinder G2.
For example, if an administrator sends a mail message from the Sidewinder
G2, it is sent through the local server. This sendmail process runs in the
mtac domain and forwards all mail to the internal network side of the
Sidewinder G2.
• Internal
The internal server runs in a trusted burb that you specify when running
Reconfigure Mail. This sendmail daemon receives mail from one of three
sources:
– a host on the internal network
– a sendmail process transferring mail from the local sendmail server
– a sendmail process transferring mail from the external sendmail server
The internal server delivers mail to one of three places:
– If the message is for a user local to the Sidewinder G2, such as an
administrator with a mailbox on the Sidewinder G2, it delivers the
message to the user’s mailbox using the mail.local program.
– If the message is for a user on the internal network, it connects to the
mail host on the internal network and delivers the mail there.
– If the message is not for either of the above, it assumes the message is
for an external user and transfers the message to the external burb for
that user.
• External
The external server runs in the mta# domain (# is the burb index of the
Internet burb). This sendmail daemon receives mail from one of two
sources:
– a host on the external network
– a sendmail process transferring mail from the internal sendmail server
The external server delivers mail to one of two places:
• If the message is for an external user, it connects to an external host
and delivers the mail there.
• If the message is for a user local to the Sidewinder G2 (such as an
administrator) or for a user on the internal network, it transfers the
mail to the internal burb for delivery to that user.
347

Chapter 12: Electronic Mail
Overview of e-mail on Sidewinder G2
348
Mail filtering services on Sidewinder G2
The following mail filtering services can be configured using Mail Application
Defenses, and including them in the appropriate rule(s):
Note: You must have Secure Split SMTP mail servers configured to use mail
filtering.
• MIME/Virus/Spyware filtering—MIME/Virus/Spyware filtering is a licensed
service. You can configure filtering rules to specify the types of MIME
elements that will be allowed or denied, configure the type of virus and
spyware scanning you want to perform, configure infected file handling,
specify file attachment size restrictions, and determine whether mail
messages will be scanned as a whole (entire message is allowed or
denied) or in segments (attachments may be dropped if they do not meet
filtering criteria, but the acceptable portions of the mail message will still
reach the recipient). You can also configure all mail to be rejected if
scanning services become unavailable. See “Configuring the Mail
(Sendmail) MIME/Virus/Spyware tab” on page 177.
Important: You must license and configure additional services before the
MIME/Virus/Spyware filter rules you create will scan mail messages. See
“Configuring virus scanning services” on page 69.
• Spam/Fraud filtering—Spam and fraud filtering is a licensed service. Once
you are licensed for Anti-spam, you can enable or disable it on a per-rule
basis. See “Configuring the Mail (Sendmail) Control tab” on page 172.
If you enable spam and fraud filtering without licensing it, filtering will not be
performed.
• Key word search filtering—The Keyword Search filter allows you to filter
mail messages based on the presence of defined key words (character
strings). See “About the Keyword Search tab” on page 175. You must
enable the kmvfilter server in the appropriate burbs before the key word
search filter will function.
• Configure size limitations for mail messages—The size filter performs a
check on e-mail messages for the number of bytes the message contains,
including the message header. Messages that equal or exceed the
specified size you specify will be rejected. See “About the Mail (Sendmail)
Size tab” on page 174.
• Anti-relay controls—Anti-relay control uses access control to prevent your
mailhost from being used by a hacker as a relay point for spam to other
sites. This option is automatically enabled for all Mail defenses and cannot
be disabled. See “Configuring the Mail (Sendmail) Control tab” on page
172.

Sendmail differences on Sidewinder G2
Chapter 12: Electronic Mail
Overview of e-mail on Sidewinder G2
When using Sidewinder-hosted SMTP services, all mail for a user local to the
Sidewinder G2 goes to the internal mta domain for delivery. Local delivery does
not take place in the external mta domain or the mtac domain. Running
sendmail on the Sidewinder G2 works as it does in any other UNIX
environment, with the following exceptions:
• The Sidewinder G2 runs three separate sendmail servers (as described in
the previous section).
• Type Enforcement restricts sendmail so that its security flaws cannot be
exploited. For example, Sidewinder G2 users cannot execute shell scripts
or other executables through sendmail, as they could do on a standard
UNIX system.
• .forward files allow users to send their mail to another mailbox that may be
at a different location. For example, Sidewinder G2 administrators might
choose to forward their mail to a mailbox located on the internal network so
they receive all of their mail in one place. Administrators can use .forward
files, but these files cannot contain commands to run other programs, such
as program mailers (for example, procmail). For more information on
.forward files, see “Redirecting mail to a different destination” on page 364.
• If a server is too busy to send a message, or if the machine it is sending
mail to is not responding, the messages are sent to a mail queue. The
Sidewinder G2 has a separate queue for each sendmail server: /var/spool/
mqueue.#, /var/spool/mqueue.#, and /var/spool/mqueue.c (# = the burb
number).
Important: If mail cannot be delivered on the first attempt, it is placed in a
queue. By default, the system checks the queues every 30 minutes and
attempts redelivery.
You can check if there are messages in the mail queues by following the
steps described in “Managing mail queues” on page 370.
Mail is an extremely complex subject and can require a great deal of effort to
configure. If you want to additional information on managing mail, the best
resource is the book sendmail by Bryan Costales (O’Reilly & Associates, Inc.).
349

Chapter 12: Electronic Mail
Administering mail on Sidewinder G2
Administering
mail on
Sidewinder G2
350
Mail is configured on the Sidewinder G2 using the Reconfigure Mail tool. The
configuration process allows you to specify either transparent or secure split
(Sidewinder-hosted) mail services. If you select secure split services, you
specify a mail host on your internal network, and the necessary configuration
files are automatically sets up for you.
Once the Sidewinder G2 is configured, everything you need to run the mail
servers should already be set up:
• The three mail domains: mtac, mtaX, and mtaY (where X = the number of
the external burb, and Y = the number of an internal burb), are in place.
Sendmail is already configured to route mail among the three sendmail
servers.
• Mail addressed to users on your internal network will be forwarded to the
mail host you specified during configuration.
• Messages that are sent to the person administering a mail system are
generally addressed to “postmaster.” During configuration, you set up an
administrator’s account. Postmaster messages are automatically routed to
that user.
Note: You will need to configure your internal mail server to forward non-local mail
to the Sidewinder G2. This procedure differs depending on the type of mail program
your network runs. Refer to your mail software’s documentation for details.
To manually configure options for your mail servers, see “Managing sendmail”
on page 353.
To enable or disable the servers, see “Managing sendmail” on page 353.
To configure Application Defenses for mail services, see “Creating Mail
(Sendmail) Application Defenses” on page 172.
Viewing administrator mail messages on Sidewinder G2
Administrators can receive mail as soon as an account is created on the
Sidewinder G2. A mailbox will be created the first time an administrator sends
or receives a mail message. Mailboxes for Sidewinder G2 administrators are
stored in the /var/mail directory.
Important: Do not ignore the e-mail that accumulates on the Sidewinder G2 as it
contains important information about your network and Sidewinder G2 and also
uses disk space. Routinely read and delete mail sent to the Sidewinder G2, or have
it redirected elsewhere. To redirect mail to another destination, see “Redirecting
mail to a different destination” on page 364 or “Changing mail aliases” on page 369.

Reconfiguring
mail
Figure 152: Reconfigure
Mail window
Chapter 12: Electronic Mail
Reconfiguring mail
To view mail for a specific administrator account, follow the steps below.
1 At a Sidewinder G2 command prompt, log into the Sidewinder G2 using
your administrator user ID and password.
2 Enter the following command to change to the Admn role:
srole
3 Enter the following command to view a list of email messages addressed to
your mailbox:
mail
Note: Refer to the mail man page for detailed information on utilizing the mail
command. If you prefer, you may use an alternate mail program, such as Elm.
You can also configure your mail account to forward messages to an internal
email account.
The Reconfigure Mail window is used to configure mail on the Sidewinder G2.
In the Admin Console, select Tools > Reconfigure Mail. (You can also access
this window within the Configuration tab in the sendmail server window.) The
Reconfigure Mail window appears.
351

Chapter 12: Electronic Mail
Reconfiguring mail
About the
Reconfigure Mail
window
352
The Reconfigure Mail window allows you to set your initial mail configuration or
reconfigure your existing mail configuration. Follow the steps below.
Caution: If you manually edited any sendmail configuration files, changing your
mail configuration in the Reconfigure Mail window will overwrite the changes you
made. Also, if there is e-mail in the queue directory for a burb that will not be
specified in the new mail configuration, the e-mail will be deleted.
1 In the New SMTP Mode drop-down list, select the mail configuration mode
you want to configure. The current mode is listed in the Current SMTP
Mode field. The following options are available:
• Transparent—Use this option when you want to pass mail by proxy
through the Sidewinder G2. If you select this option, only the files
necessary to send administrative messages (including Sidewinder G2generated
alerts, messages, and logs) will be configured. The SMTP
proxy is automatically enabled.
• Secure Split SMTP Servers (Sidewinder-hosted)—Use this option to
use the Sidewinder G2’s hosted sendmail server(s). This configuration
allows you to take advantage of additional sendmail features, including
header stripping, spam and fraud control, mail routing and aliases, and
masquerading. For more information on configuring these features, see
“Other sendmail features” on page 365. The sendmail server is
automatically enabled.
2 In the Internal SMTP Burb field, select the burb in which your site’s internal
SMTP server resides.
3 In the Internal SMTP Mail Server field, type the fully qualified name of your
site’s internal SMTP server.
4 Click the Save icon in the toolbar (or click Apply if you are accessing this
window from the Server window) to reconfigure your mail mode. A
confirmation window will appear when the reconfiguration process is
complete.
5 [Conditional] If you accessed Reconfigure Mail from the Servers window,
click Close to return to the sendmail server Configuration tab.
6 Select Policy Configuration > Rules and create or modify the necessary
proxy rules:
• If you selected Transparent, use the SMTP proxy in your mail rule.
• If you selected Secure Split SMTP Servers, use the SMTP server in
your mail rule. Set the Destination Burb to All.
The Sidewinder G2 now has a new mail configuration.

Managing
sendmail
Figure 153: sendmail
window: Configuration tab
About the sendmail
Configuration tab
Chapter 12: Electronic Mail
Managing sendmail
You can perform many of the necessary sendmail configuration functions using
the Admin Console. To enable or disable the sendmail server, follow the steps
below.
1 In the Admin Console, select Services Configuration > Servers > and then
select sendmail.
2 To enable sendmail in a burb, select the corresponding check box for that
burb. To disable sendmail in a burb, deselect the check box.
3 Click the Save icon in the toolbar to save your changes.
4 To modify your existing mail configuration, select the Configuration tab.
The following window appears:
The sendmail Configuration tab allows you to edit some of the more common
mail configuration files, enable ACL rule checking, and also provides a shortcut
to the Reconfigure Mail window. You can perform the following actions:
• Edit common mail configuration files—This portion of the window displays
commonly used mail configuration files for the two burbs containing mail
servers. If you need to edit one of the files, select that file from the
appropriate list and then click Edit File. The selected file will be opened
using the File Editor. (For basic information on using the File Editor, see
“Using the Admin Console File Editor” on page 26. For detailed information
on editing mail configuration files, see “Editing the mail configuration files”
on page 354.)
• Enable ACL Rule Checking—This field is enabled by default and cannot be
disabled.
• Go to the Reconfigure Mail window—Click Reconfigure Mail to go directly
to the Reconfigure Mail window. The Reconfigure Mail window allows you
to completely reconfigure your existing mail configuration files or create a
default set of SMTP server configuration files. See “Reconfiguring mail” on
page 351 for more information.
353

Chapter 12: Electronic Mail
Editing the mail configuration files
Editing the mail
configuration
files
354
Figure 154: Sidewinder
G2 mailertables
Sendmail stores its configuration information in sendmail.cf files. These files
contain information such as which delivery agents to use and how to format
message headers. You should change your configuration options only if you
are directed to do so by Secure Computing, or if you are an experienced
sendmail user and want to customize the files for your site.
Sendmail allows you to create configuration files using macros written for the
m4 preprocessor. Sections 19.5 and 19.6 in the UNIX System Administration
Handbook describe these macros. You can also refer to the book sendmail by
Bryan Costales (O’Reilly & Associates, Inc.).
You set up two mailertables on the Sidewinder G2: one internal and one
external. The external mailertable, /etc/mail/mailertable.mta# (# = the number
of the external burb), processes the mail and directs it to the internal
mailertable. The internal mailertable, /etc/mail/mailertable.mta#
(# = the number of a trusted burb), sorts the mail by host name, and sends the
mail to the correct internal mail host. Figure 8-1 shows an example of the route
along which incoming mail messages travel.
Incoming e-mail
charlie@foo.com Sidewinder G2
lucy@sales.foo.com
linus@corp.foo.com
sally@ads.foo.com
Sidewinder G2 external mailertable
(/etc/mail/mailertable.mta#)
foo.com burbmailer-burb:localhost
.foo.com burbmailer-burb:localhost
Message destination
corphub
linus@corp.foo.com
foohub
sally@ads.foo.com
charlie@foo.com
saleshub
lucy@sales.foo.com
Sidewinder G2 internal mailertable
(/etc/mail/mailertable.mta#)
foo.com smtp:foohub
.foo.com smtp:foohub
corp.foo.com smtp:corphub
sales.foo.com smtp:saleshub
The Sidewinder G2 provides several different editors that you can use when
manually editing your mail files. The easiest method of modifying these files is
using the Admin Console. You may also use vi, emacs, or pico if you prefer.
To edit the mail configuration files using the Admin Console, follow these steps:
Caution: Only experienced administrators should modify sendmail configuration
files.

Chapter 12: Electronic Mail
Editing the mail configuration files
1 Log into the Admin Console and select Services Configuration > Servers.
2 Select sendmail and click the Configuration tab. Separate configuration
files are maintained for each burb.
3 Select the configuration file you want to modify in the appropriate burb
configuration file list. You may edit the following files for a burb:
Important: If you modify any of these files, click the Save icon in the toolbar to
rebuild the sendmail configuration and database files.
• Access Table—This file defines anti-relaying and anti-spamming
policies for the SMTP server.
• Aliases File—(Available only in the internal burb.) This file defines the
mail aliases that are used to redirect e-mail to another person or
location.
• Alternate Host Names File—This file identifies alternate host names by
which the Sidewinder G2 is known. E-mail addressed to any of the
alternate names is treated as local mail by the Sidewinder G2.
• Domain Table—This file provides a mapping from an old domain name
to a new domain name. For example, you might modify this file if your
organization’s external domain name changes.
• M4 Config File—This file defines the initial sendmail configuration.
Modify this file as needed to account for your site-specific requirements.
• Mailer Table—This file maps a domain to a mail relay that is responsible
for mail delivery in that domain.
Important: Only edit mail configuration files if it is necessary for your site’s email
functionality.
There are separate files for each sendmail daemon running on the
Sidewinder G2.
4 Save your changes, and close the file.
5 Open the appropriate mailertable file and edit as necessary.
Important: Only edit mailertable files if it is necessary for your site’s e-mail
functionality.
6
The mailertable files are named /etc/mail/mailertable.mta# (# = the appropriate
burb number).
Enter the correct domain, mailer, and host in the following format:
domain mailer:host
On the internal side of the network, the mailertable appears as:
.foo.com smtp:foohub
foo.com smtp:foohub
corp.foo.com smtp:foohub
sales.foo.com smtp:foohub
355

Chapter 12: Electronic Mail
Configuring advanced anti-spam and anti-fraud options
Configuring
advanced antispam
and antifraud
options
356
On the external side of the network, the mailertable should appear as:
foo.com burbmailer-burb:localhost
.foo.com burbmailer-burb:localhost
where burb = the external burb number and Y = the internal (trusted) burb
number.
The entries that begin with a dot act as a wildcard, matching anything with
that domain name. The entries that do not begin with a dot match the full
domain name. See the /usr/share/sendmail/README file for more information
on creating mailertables.
7 Save the changes you made to file and then close the file.
8 Click the Save icon to save the configuration changes and rebuild the
configuration and database files. This will also automatically restart the
sendmail servers.
Using the Admin Console, you can configure the following advanced anti-spam
and anti-fraud areas:
• Configure the Whitelist Configuration tab to specify domains, IP addresses,
and headers that will be allowed to pass through unmodified regardless of
any rules that have been created. For information on configuring a whitelist,
see “Configuring the Whitelist” on page 356.
• Configure the policy.cfg file to determine the actions that will be taken by
the spam filter on a per-burb basis when it encounters messages that are
suspected to be spam or fraud. To configure the policy.cfg file, see
“Configuring the policy.cfg file” on page 359.
Caution: Modifying the authority.cfg files may prevent the spam filter from starting.
Therefore, the authority.cfg file should not be modified.
Configuring the Whitelist
To configure a whitelist for the internal or external (Internet) burb, in the Admin
Console select Services Configuration > Servers and then select Spamfilter
from the list of servers. Select the Whitelist Configuration tab. The following
window appears.

Figure 155: Spamfilter:
Whitelist Configuration
tab
About the Whitelist
Configuration tab
Chapter 12: Electronic Mail
Configuring advanced anti-spam and anti-fraud options
The Whitelist Configuration tab allows you to specify domains, IP addresses,
and headers that will be allowed to pass through the Sidewinder G2
unmodified, regardless of any rules that have been created.
The Allowed Host Entries area contains a table listing all hosts that are
currently allowed. The table displays the host name, the burbs for which this
host is allowed, the host IP address, and a description of the host.
• To add a new host, click New and go to “About the New/Modify Host
Whitelist Entry window” below.
• To modify an existing host, highlight the host you want to modify and click
Modify and go to “About the New/Modify Host Whitelist Entry window”
below.
• To delete a host, highlight the host you want to delete and click Delete.
The Allowed Header and Regular Expression Entries area contains a table
that lists the substrings or regular expressions in a header that are currently
allowed. The table displays the entry name, the burbs for which the entry is
allowed, the header type (standard or custom), and a description of the entry.
• To add a new entry, click New and go to “About the New/Modify Header
Whitelist Entry window” below.
• To modify an existing entry, highlight the entry you want to modify and click
Modify and go to “About the New/Modify Header Whitelist Entry window”
below.
• To delete a entry, highlight the entry you want to delete and click Delete.
357

Chapter 12: Electronic Mail
Configuring advanced anti-spam and anti-fraud options
358
About the New/Modify Host Whitelist Entry window
To configure a new host or modify an existing host for the whitelist, follow the
steps below.
1 In the Entry Name field, type a descriptive name for the host.
2 In the Host field, select one of the following:
• IP Address—To specify the host IP address, select this option and type
the IP address in the corresponding text box. You can enter an entire IP
address (for example, 172.27.1.2) or only the significant portion of the
IP address (for example, 172.27).
Note: If you are only entering a portion of the IP address, ensure that it is
not followed by a period (.).
• Host Address—To specify the host address, select this option and type
the host address in the corresponding text box.
3 In the Burb Restriction field, specify the burbs for which this host will be
allowed:
• Apply rule to all burbs—Select this option to allow this host for all
burbs.
• Apply rule to Internet burb—Select this option to allow this host only for
the Internet burb.
• Apply rule to non-internet burbs—Select this option to allow this host
only for non-internet burbs.
4 [Optional] In the Description field, enter any useful information about this
host entry (for example, a brief description of the host).
5 Click OK to save the changes and return to the Whitelist Configuration tab.
About the New/Modify Header Whitelist Entry window
To configure a new header or modify an existing header, follow the steps
below.
1 In the Entry Name field, type a descriptive name for this header.
2 In the Header field, select one of the following:
• Standard—Select this option to specify a standard header (for example:
to, from, cc, etc.). Select the header from the drop-down list.
• Custom—Select this option to specify a custom header. Enter the
custom header in the corresponding text field.
3 In the Burb Restriction field, specify the burbs for which this host will be
allowed:
• Apply rule to all burbs—Select this option to allow this host for all
burbs.
• Apply rule to Internet burb—Select this option to allow this host only for
the Internet burb.

Chapter 12: Electronic Mail
Configuring advanced anti-spam and anti-fraud options
• Apply rule to non-internet burbs—Select this option to allow this host
only for non-internet burbs.
4 In the Regular Expression field, enter the desired expression to match in
the header (for example, @.*gov, @cloudmark.com)
Note: Ensure that you are familiar with regular expressions before attempting to
configure this field.
5 [Optional] In the Description field, enter any useful information about this
host entry (for example, a brief description of the host).
6 Click OK to save the changes and return to the Whitelist Configuration tab.
Configuring the policy.cfg file
The policy.cfg file allows you to determine the actions that will be taken by the
spam filter on a per-burb basis when it encounters messages that are
suspected to be spam or fraud, including identity theft and phishing messages.
These configuration options are stored in the /etc/sidewinder/authority/
policy.cfg file. The policy.cfg file contains a list of the actions that will be taken
based on the disposition of an email message (that is, the likelihood of the
message being spam).
The basic structure of each action is as follows:
threshold=85%; action=ADDHEADER; config=[header=
[X-SPAM]; value=[%p%%]]
where:
• threshold—This field indicates the confidence level that is assigned to an
action.
– A high confidence level indicates that a message is likely to be spam.
– A low confidence level indicates that a message is unlikely to be spam.
– Threshold values can be any integer from 0–100, specified as a
percentage.
– Each action must have a unique threshold value.
• action—This field specifies the action that will be taken for a message
based on the threshold defined. The available actions are described in the
following sections.
• config—The configuration options allow you to specify additional attributes
for a particular action. The available configuration options for each action
are described in the following sections.
359

Chapter 12: Electronic Mail
Configuring advanced anti-spam and anti-fraud options
360
Configuring a policy configuration file
This section provides steps to access the policy.cfg files. For information on
modifying a particular action, refer to the sections the follow this procedure.
1 Connect to the Sidewinder G2 using the Admin Console and select File
Editor. The File Editor window appears.
2 Click Start File Editor and select File > Open. The Open File window
appears.
3 Select the Firewall File radio button. The Open File window appears.
Each burb on Sidewinder G2 has a policy.cfgSMF file associated with it,
allowing you to configure different actions for different burbs on the
Sidewinder G2. To distinguish among files, the corresponding burb index
number is appended to each file (for example, policy.cfg.SMF1 is the configuration
file for burb index 1).
4 Type the following path in the File field:
/etc/sidewinder/authority/policy.cfg.SMFn
where n is the corresponding burb index for the burb you want to configure.
5 Click OK to open the file. The policy.cfg.SMF file for the burb you selected
is displayed.
Actions that are commented out (that is, the first character is a # sign) are
disabled. To enable an action, remove the # signs. To modify a particular
action refer to the previous sections.
About the ADDHEADER action
The ADDHEADER action will apply a new text header line to the message. The
new header can then be used as a flag to sort or discard messages that
contain that header text. The following two configuration options can be used
with this action:
• header—This option allows you to specify the text string that will act as the
name of the questionable header. The default value is X-SPAM.
• value—This option allows you to include the threshold value in the header.
The syntax for this option uses standard C language expansion syntax. The
only syntax supported for this option is %p%%. At run time, the %p portion
of this option is replaced with the specified threshold value and the %%
portion is translated to a single % sign.
The following is an example of a ADDHEADER action that will add a text
header of “X-SPAM **%” to the message:
threshold=**%;action=ADDHEADER;config=[header=X-
SPAM;value=[%p%%]]

About the COPY action
Chapter 12: Electronic Mail
Configuring advanced anti-spam and anti-fraud options
Important: If your site handles a large amount of spam messages, the disk space
required to store copies can become significant. You may need to delete the copied
mailboxes periodically in this case.
This action will deliver the message to the recipient, as well as store a copy of
the message in a designated location. The message can then be examined or
deleted from the mbox file by an administrator. The following options can be
specified for this action:
• path—The path for this value is preset as /var/spool/authority/copied. Do
not modify the path value.
• depth—This option indicates the depth of the file within the directory. The
default value is 0.
• default domain—This option allows you to specify the domain that will be
used if a recipient does not have a domain specified. The default is local.
• method—This option specifies whether or not a unique mailbox will be
created for each user in the designated directory, as follows:
– individual: Specify this method to create a unique mailbox for each
recipient.
– consolidated: Specify this option to create a single, central mailbox.
• cycle—If a consolidated mailbox is used, this option can be used to create
additional consolidated mailboxes. You can specify that a new mailbox be
created each hour (hourly) or each day (daily).
The following is an example of a COPY action:
threshold=**%;action=COPY;config=[path=./copied;
depth=0;default domain=local]
About the DROP action
This action deletes the message from the MTA and prevents it from being
delivered to its recipient. Dropped messages cannot be recovered. There are
no options that can be configured for this action.
The following is an example of a DROP action that will delete the message
from the MTA without delivering it to the recipient or saving a copy of the
message for later handling:
threshold=**%;action=DROP
361

Chapter 12: Electronic Mail
Configuring advanced anti-spam and anti-fraud options
362
About the REFUSE action
This action rejects suspected spam at the gateway and allows the sender to
receive a customized return message, simulating the absence of a mailbox.
The following options can be specified for this action:
• rcode—This option specifies the main SMTP response code. This is
specified in RFC 821.
• xcode—This option specifies the secondary SMTP response code. This is
specified in RFC 2034.
• msg—This option specifies the text that will be contained in the error
message that is returned to the sender. For example, Delivery denied.
Mailbox unknown.
The following is an example of a REFUSE action that will cause mail
suspected of being spam to be discarded at the gateway. The message
“Delivery Denied.” will be returned to the sender.
threshold=**%;action=REFUSE;config=[rcode=500;
xcode=5.0.0;text=[Delivery Denied.]]
About the SAVE action
Important: If your site handles a large amount of spam messages, the disk space
required to store saved messages can become significant. You may need to delete
the saved mailboxes periodically in this case.
This action stores the message in a designated location without delivering a
copy to the recipient. The message can then be examined, deleted, or
forwarded to the intended recipient by an administrator. The following options
can be specified for this action:
• path—The path for this value is preset as /var/spool/authority/saved. Do not
modify the path value.
• depth—This option indicates the depth of the file within the directory. The
default is 0.
• default domain—This option allows you to specify the domain that will be
used if a recipient does not have a domain specified. The default is local.
• method—This option specifies whether or not a unique mailbox will be
created for each user in the designated directory, as follows:
– individual: Specify this method to create a unique mailbox for each
recipient.
– consolidated: Specify this option to create a single, central mailbox.
• cycle—If a consolidated mailbox is used, this option can be used to create
additional consolidated mailboxes. You can specify that a new mailbox be
created each hour (hourly) or each day (daily).

Chapter 12: Electronic Mail
Configuring advanced anti-spam and anti-fraud options
The following is an example of a SAVE action that will save all messages in the
specified threshold to a single directory. A new directory will be created every
hour.
threshold=**%;action=SAVE;config=[path=./saved;
depth=0;defaultdomain=local;method-consolidated;
cycle=hourly]
About the TAG action
This action tags the message with a text string (such as “SPAM”) in the subject
of the message, and then delivers it to the recipient. The following options can
be specified for this action:
• target—This option specifies where the tag will be added. Currently, the tag
can only be added to the subject of a message.
• action—This option determines whether the message will be added to the
beginning (prefix) or end (postfix) of the message subject.
• text—This option specifies the actual text that will be added to the subject.
The text must be enclosed in brackets, and should consist of a short string
using uppercase characters (for example, SPAM), ending with a colon.
You can also include a confidence rating in the text portion of this tag. A
confidence rating provides a percentage rating, indicating the likelihood that
the email is spam using the Authority’s numerical spam confidence rating
system. To include the confidence rating in this tag, add the string %p%%
within the text brackets, following the colon (you must include a space
between the colon and the string), as shown in the example below. At run
time, the %p portion of this option is replaced with the specified threshold
value and the %% portion is translated to a single % sign.
The following is an example of a TAG action that will include the tag “SPAM” at
the beginning of the subject line:
threshold=**%;action=TAG;config=[target=subject;
action=prefix;text=[SPAM: %p%%]]
363

Chapter 12: Electronic Mail
Redirecting mail to a different destination
Redirecting mail
to a different
destination
364
If you want to redirect mail from your mailbox to a different destination, you
need to place a .forward file either in a user’s home directory or in the /root
directory of where you want the mail sent from. The following sections provide
information on how to create .forward files on the Sidewinder G2. (For
additional information on .forward files see Chapter 19 in the UNIX System
Administration Handbook.)
Creating a .forward file in a user’s home directory
This section describes how to create a .forward file in a user’s home directory.
Follow the steps below.
1 At a Sidewinder G2 command prompt, log into the Sidewinder G2 using
your administrator user ID and password.
2 Enter the following command to switch to the admn role:
srole
3 Enter the following command to change to the /home/username directory
(where username is a variable dependent on the user’s login).
cd /home/username
4 Use a text editor to create a new file called .forward.
Note: If you are not familiar with vi, emacs, or pico, SCC recommends using the
File Editor in the Admin Console as your text editor. See “Using the Admin
Console File Editor” on page 26.
5 Enter the address where you want to have your mail redirected.
For example:
lloyd@foo.com
6 Save your changes.
7 Use the following command to change the owner of the file (the user must
also be the owner of the file):
chown username /home/username/.forward
8 Use the following command to set the appropriate permissions:
chmod 644 /home/username/.forward
9 Use the following command to change the file’s type:
chtype User:frwd .forward

Other sendmail
features
Creating a .forward file in the root directory
Chapter 12: Electronic Mail
Other sendmail features
To create a .forward file in the root directory, follow the steps below.
1 At a Sidewinder G2 command prompt, log into the Sidewinder G2 using
your administrator user ID and password.
2 Enter the following command to switch to the admn role:
srole
3 Enter the following command to change to the /root directory.
cd /root
4 Use a text editor to create a new file called .forward.
Note: If you are not familiar with vi, emacs, or pico, SCC recommends using the
File Editor in the Admin Console as your text editor. See “Using the Admin
Console File Editor” on page 26.
5 Enter the address where you want to have your mail redirected.
For example:
chloe@foo.com
6 Save your changes.
7 Use the following command to change the file’s type.
chtype Admn:frwd .forward
The mail server is initially installed with default settings that enable basic mail
services. However, sendmail provides several additional features that you may
choose to configure:
• Header stripping—Enables you to remove header information from a
message to conceal internal host information from the outside world.
Note: Header information can only be removed for outbound mail (that is, mail
leaving the Sidewinder G2). Therefore, you should only enable header stripping
in the destination (or external) burb for a message. If you configure header
stripping in the source burb of a message, header stripping will not happen for
that message.
• Blackhole list—Enables you to eliminate unwanted and unsolicited e-mail.
The types of spam control you might implement include use of a Realtime
Blackhole list, Promiscuous Relaying, and so on.
• Mail routing—Enables you to reroute e-mail from one domain name to
another domain name.
• Mail aliases—Enables you to redirect inbound mail to another person or
location.
• Masquerading—Enables you to transform a local host address in the
header of an e-mail message into the address of a different host.
365

Chapter 12: Electronic Mail
Other sendmail features
366
Header stripping, the RealTime Blackhole list, and promiscuous relaying are
the most popular additional sendmail features. The details for implementing
these features are described in the sections that follow. For information on
implementing the other sendmail features, refer to the book sendmail by Bryan
Costales (O’Reilly & Associates, Inc.).
Configuring sendmail to strip message headers
During the normal operation of sendmail, the path a message traces is
appended to the message by each host through which the mail passes. This
enables internal host names and IP addresses to be allowed beyond the
Sidewinder G2.
You can configure sendmail to strip (remove) or scrub (change to a different
value) the following headers from messages leaving the Sidewinder G2.
• Received (stripped)
• X400-received (stripped)
• Via (stripped)
• Mail-from (stripped)
• Return-path (stripped)
• Message-id (scrubbed)
• Resent-message-id (scrubbed)
Perform the following steps to configure sendmail to strip or scrub headers.
1 Log into the Admin Console and select Services Configuration > Servers.
2 Select sendmail and click the Configuration tab. Separate configuration
files are maintained for each burb.
3 Select the M4 Config File in the external burb list and click Edit File.
4 Locate the C{STRIP_DOMAINS} line in the file and append the domain
name on which to perform header stripping. For example:
C{STRIP_DOMAINS} domainx
where domainx = the domain name on which to perform header stripping.
You can define multiple domains by entering multiple domain names on one
line (for example, C{STRIP_DOMAINS} abc.com xyz.com)
Note: STRIP_DOMAINS contains the list of domains that will trigger header
stripping. Each message processed by sendmail in the external burb will be
subjected to header stripping if it is received from a domain in this list.

5 Save the changes you made to file and then close the file.
Chapter 12: Electronic Mail
Other sendmail features
Note: Stripping the headers will not alter the To and From hosts. The To and
From hosts can be eliminated using rules in the sendmail configuration file. You
can also modify the To and From hosts using masquerading or by editing the
domain tables.
6 Click the Save icon to save the configuration changes and rebuild the
configuration and database files. This will also automatically restart the
sendmail servers.
Configuring sendmail to use the RealTime Blackhole list
Sendmail is able to use the services of the RealTime Blackhole List. The
Blackhole List, a list of known spam domain names, is maintained by an
organization called MAPS (Mail Abuse Prevention System). The mail server
checks each mail message against the Blackhole list. Any e-mail message
originating from a domain in the list will be rejected.
Note: You must subscribe to the MAPS Blackhole List in order to use it. Go to
www.mail-abuse.com for details.
To configure the Sidewinder G2 to use the Realtime Blackhole List, follow the
steps below.
1 Log into the Admin Console and select Services Configuration > Servers.
2 Select sendmail and click the Configuration tab. Separate configuration
files are maintained for each burb.
3 Select the M4 Config File in the external burb list and click Edit File.
4 Add the following line to the file.
FEATURE(‘dnsbl’, ‘hostname’)dnl
The hostname that you enter in the above line will depend on the type of
service for which you have subscribed. MAPS will provide you with the correct
hostname (for example, blackholes.mail-abuse.org) to use when you
subscribe to their list.
5 Save the changes you made to file and then close the file.
6 Click the Save icon to save the configuration changes and rebuild the
configuration and database files. This will also automatically restart the
sendmail servers.
367

Chapter 12: Electronic Mail
Other sendmail features
368
Figure 156: Type of
relayed message typically
rejected by the
Sidewinder G2
Sendmail and promiscuous relaying
Promiscuous relaying is the inappropriate use of an intermediate mail server to
send mail messages. A message that is sent from client A to mail server B but
that is first routed through mail server C is an example of promiscuous relaying.
This technique is often used by hackers to send unfriendly or unwanted mail
from mail servers other than their own.
On the Sidewinder G2, sendmail is by default configured to BLOCK relayed
mail, preventing the Sidewinder G2 from inadvertently acting as a relay. This
means any message not originating from or destined to the Sidewinder G2
domain is considered spam and will be rejected. Note that the sender of the
message is not relevant (sender names can be spoofed). Figure 156 illustrates
the type of relayed message that will be rejected.
bad
hacker
innocent
victim
Internet
mail
server
Sidewinder G2
domain
If you choose to ALLOW promiscuous relaying, perform the following steps.
(The Sidewinder G2 initially configures sendmail to BLOCK relayed mail.)
1 Log into the Admin Console and select Services Configuration > Servers.
2 Select sendmail and click the Configuration tab. Separate configuration
files are maintained for each burb.
3 Select the M4 Config File for the burb that is running sendmail and click
Edit File.
4 Add the following line to the file.
FEATURE(‘promiscuous_relay’)dnl
5 Save the changes you made to file and then close the file.
6 Click the Save icon to save the configuration changes and rebuild the
configuration and database files. This will also automatically restart the
sendmail servers.

Allowing or denying mail on a user basis
Chapter 12: Electronic Mail
Other sendmail features
By default sendmail will allow or deny mail on a domain basis. However, you
can also instruct sendmail to allow or deny mail to/from specific users within a
domain. To do this, follow the steps below:
1 Log into the Admin Console and select Services Configuration > Servers.
2 Select sendmail and click the Configuration tab. Separate configuration
files are maintained for each burb.
3 Select the Access Table file for the appropriate burb and click Edit File.
4 Add user-based allow (relay) and/or deny (reject) information to the access
table.
For example, if you want to allow mail addressed to Lloyd and Sharon but
deny mail addressed to everyone else, you would add the following lines:
# Allow mail addressed to these users
To:Lloyd@example.com RELAY
To:Sharon@example.com RELAY
# Deny mail for everyone else
To:example.com REJECT
5 Save the changes you made to file and then close the file.
Note: For additional information, see the README file in the
/usr/share/sendmail directory on the Sidewinder G2.
6 Click the Save icon to save the configuration changes and rebuild the
configuration and database files. This will also automatically restart the
sendmail servers.
Changing mail aliases
Aliases allow you to redirect mail to another person or location. (Individual
users can also use a .forward file for this purpose, see “Redirecting mail to a
different destination” on page 364.) Aliases are generally used for redirecting
mail addressed to system users such as “postmaster.” On the Sidewinder G2,
messages and other files are often e-mailed to root. By default, a root alias is
created for the administrator you set up when you configured your system. For
more information about mail aliases see Chapter 19 of the UNIX System
Administration Handbook.
Aliases are stored in the /etc/sidewinder/sendmail directory. Follow the steps
below to edit this file:
369

Chapter 12: Electronic Mail
Managing mail queues
Managing mail
queues
370
1 Log into the Admin Console and select Services Configuration > Servers.
2 Select sendmail and click the Configuration tab. Separate configuration
files are maintained for each burb.
3 Select the Aliases file for the burb that is running sendmail and click Edit
File.
To redirect messages to a different user, type the user name after the colon
for the account you want to redirect. For example, if you want to direct
root’s messages to user name piper, you would locate the root line in the
file and edit it to look like this:
root: piper
4 Save the changes you made to file and then close the file.
5 Click the Save icon to save the configuration changes and rebuild the
configuration and database files. This will also automatically restart the
sendmail servers.
6 To deny or restrict certain SMTP connections, add an appropriate proxy
rule.
If a sendmail message cannot be delivered, (for example, if the destination
system is down) messages are temporarily placed in queues until they can be
delivered. There are separate queues for each server: /var/spool/mqueue.c
(local) and /var/spool/mqueue.# for the Internet and the trusted burbs. You
should check the queues periodically. If there are a lot of messages that are
several days old, you may have a problem with your system or its
configuration.
To view the mail queue output, type the following command:
mailq
The output of this command will list the messages currently in the queue you
chose, along with information about each message. Each message is assigned
a unique identification number, which is shown in the first column.
Listing the burbname Queue
Mail queue is empty
Listing the burbname Queue
Mail queue is empty
Listing the burbname Queue
Mail queue is empty

Chapter 12: Electronic Mail
Managing mail queues
By default, undelivered e-mail messages will remain in the mail queues 30
minutes before another delivery attempt is made. If you want to change the
length of time e-mail messages remain in the mail queues before another
delivery attempt is made, follow the steps below.
1 Log into the Admin Console, and select Services Configuration > Servers.
2 Select the sendmail server Configuration tab. Separate configuration files
are maintained for each burb.
3 Select the M4 Config File for the burb that is running sendmail, and click
Edit File.
4 Scroll to the Set the Queue Interval area and edit the following line:
define(`confQUEUE_INTERVAL', `Xm')dnl
where:
X is the amount of time that the message will remain in the queue before an
attempt is made to resend the message.
m indicates that the time will be measured in minutes. You can also use
other time measurements, such as seconds (s), hours (h), days (d), etc. if
desired.
Note: The default value is 30 minutes.
5 Save the changes you made to file and then close the file.
6 Click the Save icon to save the configuration changes and rebuild the
configuration and database files. This will also automatically restart the
sendmail servers.
371

Chapter 12: Electronic Mail
Managing mail queues
372

13
CHAPTER
Setting Up Web
Services
In this chapter...
An overview of Web services on Sidewinder G2..........................374
Implementation options for Web access ......................................376
Using the HTTP proxy ..................................................................378
Using the Web proxy server .........................................................381
Configuring the Web proxy server................................................383
Configuring browsers for the Web proxy server ...........................389
373

Chapter 13: Setting Up Web Services
An overview of Web services on Sidewinder G2
An overview of
Web services on
Sidewinder G2
374
Figure 157: Web access
for users on your internal
network
The Sidewinder G2 allows you to control connections between your internal
network(s) and the World Wide Web. Using Application Defenses, you can
configure the appropriate rules to protect a client (outgoing traffic), server
(incoming traffic), or both behind your Sidewinder G2. You can also configure
whether you will allow transparent, non-transparent, or both connections on a
per-rule basis.
Note: For information on configuring Application Defenses, see Chapter 6.
The following two sections provide a summary of the three most common types
of Web access that you can configure on the Sidewinder G2.
Web access for users on your internal network
Your internal users can access Web servers on the Internet or on a trusted
network. In either case, access can be regulated using a Web proxy (HTTP or
HTTPS), the Web proxy server, or both. When internal users have access to an
external Web server, it is called "outbound traffic."
internal network
internal
Web site
Web server
DMZ burb
Web proxy
Internet
external network
Web server
Web site
Access to your Web server by untrusted external users
You can set up a Web server on a network controlled by your Sidewinder G2.
The Web server should be contained on an isolated burb and network.
Untrusted external users will be able to access this Web server only if a Web
proxy is enabled on the Sidewinder G2. You can configure a Web proxy
(HTTP/HTTPS), the Web proxy server, or both to allow external users passage
through the Sidewinder G2 to the Web server. When external users have
access to an internal Web server, the traffic is called “inbound traffic.”

Figure 158: Access to
your Web server by
untrusted external users
Figure 159: Access to
the internal network by
trusted external users
internal network
internal
Web site
Web server
DMZ burb
Web proxy
Chapter 13: Setting Up Web Services
An overview of Web services on Sidewinder G2
Internet
external network
external user
Access to your internal network by trusted external users
You can configure clientless VPN (SSL-based VPN) services for your trusted
external users. Clientless VPN enables trusted external users (for example,
remote employees) to establish an SSL connection to the internal network
without requiring a dedicated VPN client. Trusted external users can establish
a VPN connection from any client that is capable of handling SSL (such as a
standard Web browser). A common example of using clientless VPN is to allow
a trusted external user access to an internal mail server, such as Microsoft
Exchange ® Server, as shown in Figure 159. For information on configuring the
Sidewinder G2 to allow clientless VPN for trusted remote users, see “Setting
up clientless VPN access for trusted remote users” on page 379.
Web server
internal mail
server
internal network
HTTPS
proxy
Internet
external network
= VPN tunnel
= Data
trusted
clientless VPN user
375

Chapter 13: Setting Up Web Services
Implementation options for Web access
Implementation
options for Web
access
376
Figure 160: Option 1:
The HTTP proxy passes
all Web traffic
Web access can be controlled using a Web proxy (HTTP or HTTPS), the Web
proxy server, or both. These Web options are typically used in one of three
configuration options, as shown in the following examples:
• Option 1: HTTP proxy regulates all Web traffic.
• Option 2: Web proxy server regulates all Web traffic.
• Option 3: Web proxy server regulates traffic from the trusted burbs and the
HTTP proxy regulates traffic from the Internet burb.
Option 1: HTTP proxy passes all Web traffic
Option 1 depicts a scenario in which the HTTP (or HTTPS) proxy regulates
Web traffic moving between all burbs on the Sidewinder G2. Using the
appropriate Web Application Defenses within your HTTP/HTTPS proxy rules,
you can configure URL properties, perform request and reply header filtering,
perform MIME/anti-virus filtering, and deny certain types of Web content. You
can also configure whether allowed connections can be transparent, nontransparent,
or both. If you configure transparent HTTP, it will appear to a user
that they are connecting directly to Web server rather than connecting to the
Sidewinder G2 first. The HTTPS proxy also allows you perform SSL
decryption. Figure 160 illustrates the HTTP proxy regulating all Web traffic.
internal user
internal
Web site
Web server
DMZ burb
HTTP proxy
Internet
internal network external network
Option 2: Web proxy server regulates all Web traffic
external user
Web server
Web site
In Option 2, the Web proxy server regulates Web traffic between all burbs. This
option is generally used in larger companies that have security policies about
how employees can use the Web. The Web proxy server is the best option if
you want to provide caching services on the Sidewinder G2. In general,
caching does not apply to Internet users that access a Web site on your
internal network. (Option 3 illustrates a more likely scenarios for using the
caching feature.)
Note: For more information on using the Web proxy server, refer to “Using the
Web proxy server” on page 381.

Figure 161: Option 2:
The Web proxy server
regulates all Web traffic
Figure 162: Option 3:
Web proxy server
regulates traffic from the
trusted burbs while HTTP
proxy passes traffic from
the Internet burb
internal user
Web server
Chapter 13: Setting Up Web Services
Implementation options for Web access
Internet
internal network external network
Web server
Web site
Option 3: Web proxy server regulates traffic from the internal
burbs and the HTTP proxy passes traffic from the Internet burb
Option 3 depicts a scenario using both the HTTP proxy and the Web proxy
server. In this scenario, the HTTP proxy regulates Web traffic coming from the
Internet to a Web server on a trusted internal network. The Web proxy server is
configured to regulate Web traffic that is initiated from an internal burb. The
Web server being accessed can reside on another isolated burb, or on the
external burb.
internal user
internal
Web site
DMZ burb
Web proxy
Server
internal
Web site
Web server
DMZ burb
HTTP proxy
Web proxy
server
Internet
internal network external network
external user
external user
Web server
Web site
377

Chapter 13: Setting Up Web Services
Using the HTTP proxy
Using the HTTP
proxy
378
Figure 163: Standard
(transparent) HTTP proxy
Figure 164: Nontransparent
HTTP proxy
Using the appropriate Web Application Defenses, you can configure additional
HTTP proxy rules that control URL properties, perform request and reply
header filtering, perform MIME/anti-virus filtering, and deny certain types of
Web content. You can also configure whether connections will be transparent
or non-transparent. If you configure transparent HTTP, it will appear to a user
that they are connecting directly to the Web server rather than connecting to
the Sidewinder G2 first. See “Creating Web or Secure Web Application
Defenses” on page 156.
If using the HTTP proxy, caching is not available
If you configured your Sidewinder G2 to use the default Internet Services rule,
your active proxy rule group includes the HTTP service. This rule allows Web
access from your internal network to external networks using the HTTP proxy.
Users on your internal network can connect to the Web using any Web
browser; the connections will be routed through the Sidewinder G2 on port 80.
Figure 163 depicts access to external Web servers via an HTTP proxy rule
using port 80 allowing transparent connections. Figure 164 depicts access to
Web servers via non-transparent HTTP proxy rule using ports other than 80.
(Transparency is configured on a per-rule basis via Application Defenses.)
Note: For information on configuring the HTTP proxy, see “HTTP/HTTPS
considerations” on page 259.
Web
browser
port 80
port 8080
internal
network
internal
network
http
proxy
Sidewinder G2
Web
browser port 8080
nt_http
or any other
port
proxy
Sidewinder G2
external
network
port 80
external
network
port 80
or any other
port
Internet
Internet
Web site
Web server
Web site
Web server

Setting up Web access using the HTTP proxy
Chapter 13: Setting Up Web Services
Using the HTTP proxy
The following steps provide an overview of the tasks you must do to set up
Web access using the HTTP proxy on port 80.
Note: During the Quick Start Wizard, you had the option to allow Internet services.
If they were allowed, the Internet Services rule, and its proxies, were enabled and
added to the active rule group.
1 Using the Admin Console, select Services Configuration > Proxies and
check the HTTP proxy’s Enabled in Burb column. If the HTTP proxy is not
enabled in the burbs where you want to allow HTTP traffic to originate,
enable the appropriate burbs in the Proxy Properties tab.
2 Select Policy Configuration > Rules and configure the appropriate proxy
rules to manage Web access. You can create HTTP proxy rules to control
from which internal systems users can browse and to which external
systems they can connect. You can also configure advanced HTTP
properties (such as transparency and MIME/virus/spyware filtering) for a
rule via Application Defenses. (See Chapter 6 for information on creating
Application Defenses, and Chapter 8 for information on creating rules.)
3 Place the HTTP proxy rules into the active rule group.
4 Test the HTTP proxy rule(s).
After you enable the proxy and place the rules in the active rule group, you
should test HTTP access by starting a Web browser from one of your internal
systems, and entering the address of a Web site you know is valid—for
example, you could attempt to access Secure Computing at the following
URL: http://www.securecomputing.com.
Note: Make sure you use a system that is allowed HTTP access.
Setting up clientless VPN access for trusted remote users
This section provides guidance on configuring clientless VPN access for your
trusted remote users. When configuring clientless VPN access, you can
configure whether or not the Sidewinder G2 will require proxy authentication. If
you configure the Sidewinder G2 to require proxy authentication, you must use
SSO authentication. Follow the steps below.
Note: You must have SSL Decryption and Strong Cryptography licensed to
configure clientless VPN services.
1 Enable the HTTPS proxy for the appropriate burbs. For information on
enabling proxies, see “Configuring proxies” on page 266.
379

Chapter 13: Setting Up Web Services
Using the HTTP proxy
380
2 Create an IP address network object for the protected server to which your
remote trusted users will be connecting (for example, a Microsoft Exchange
Server). For information on creating an IP address network object, see
“Configuring IP address objects” on page 145.
3 Create a Secure Web Application Defense with the following configuration:
Note: For more information on configuring a Secure Web Application Defense,
see “Creating Web or Secure Web Application Defenses” on page 156.
a In the Type field, select Server.
b Select the Decrypt Web Traffic check box.
c [Optional] If you are configuring remote access to an internal Microsoft
Exchange Server, select the Rewrite Microsoft OWA HTTP check box.
d Select the appropriate Firewall Certificate.
e Select the Encryption/Decryption Methods you want to allow.
f [Optional] Configure additional Secure Web Server Enforcements.
g Click the Save icon to save the new defense.
4 Create an HTTPS proxy rule to allow access. The fields listed below must
be configured as specified:
Note: You can configure rule fields that are not listed below as you see fit. For
more information on creating proxy rules, see “Creating proxy rules” on page
222.
• General tab—Service Type=Proxy, Service=HTTPS, Action=Allow
• Source/Dest tab—Redirect Host=IP Address network object for the
protected server, Redirect Port=80
• [Optional] Authentication tab—If you want to require users to
authenticate via the proxy before being allowed access, you will need to
select Authenticate using SSO.
• [Optional] Time tab—Configure as needed.
• Application Defense tab—Select the defense you created in
step 3.
5 Add the HTTPS proxy rule to the active proxy rule group.
Once this rule is included in the active rule group, the Sidewinder G2 is
ready to allow trusted remote users access to the internal network.
How trusted remote users gain access to the internal network
This section lists the steps required for trusted remote users to gain access to
a protected internal server. The procedure will vary depending on whether you
have configured the HTTPS proxy rule to require authentication.

Using the Web
proxy server
Figure 165: Sidewinder
G2 Web proxy server
If a user is not required to authenticate via the proxy:
Chapter 13: Setting Up Web Services
Using the Web proxy server
1 Point your browser to the Sidewinder G2 decrypting HTTPS proxy (for
example, https://SWG2_address.com).Your Web browser may prompt you
to approve the certificate that is presented by the Sidewinder G2.
2 Authenticate to the server. If your server requires authentication, an
authentication prompt will appear. When you successfully authenticate, you
will be allowed to access that server.
If a user is required to authenticate via the proxy:
1 Point your browser to the Sidewinder G2 SSO direct login page and
authenticate.
2 [Conditional] If the server you are accessing requires certificate validation,
you will need to approve the certificate before you can authenticate to the
server.
3 Authenticate to the server. If your server requires authentication, an
authentication prompt will appear. When you successfully authenticate, you
will be allowed to access that server.
To allow Web access from an internal burb to an external burb using the Web
proxy server, you will need to set up the appropriate proxy rule and enable the
Web proxy server. Once the Web proxy server is enabled, users on that
internal burb can connect to the Web using a Web browser by pointing at port
3128 (or whatever port you have configured to use for the Web proxy server).
Figure 165 shows an example Web proxy server configuration.
Web
browser
port 3128
internal
network
Sidewinder G2
external
network
Internet
port 80
Web server
Web site
port 8080
(or any port
number you configured)
By using the Web proxy server, you gain support for Web caching on the
Sidewinder G2. Web caching can improve performance of a user’s Web
browser by caching Web documents in the Sidewinder G2 cache memory.
When a user accesses a Web site, each new Web page that the caching
server downloads is also saved in cache memory. The next time the user
requests that page, the caching server retrieves it from the cache rather than
downloading it from the network a second time.
If you use the Web proxy server in non-transparent mode, all Web browsers on
your internal workstations must be configured to point to the Sidewinder G2
internal name and to whatever port you have configured for the Web proxy
server. For information on what users need to do to configure their Web
browser, see “Configuring browsers for the Web proxy server” on page 389.
381

Chapter 13: Setting Up Web Services
Using the Web proxy server
382
Setting up Web access using the Web proxy server
The following steps provide an overview of the tasks you must do to set up
Web access using the Web proxy server.
1 Configure the appropriate proxy rules to restrict Web access.
Once you enable the Web proxy server, you must configure one or more
proxy rules to control the burbs from which users can browse, and to which
burbs they can connect. See Chapter 8 for detailed information on setting
up proxy rules.
When configuring the proxy rule for a Web proxy server connection, be sure
to specify Server in the Service Type field.
2 Configure and enable the Web proxy server. See “Configuring the Web
proxy server” on page 383.
3 [Optional] Configure authentication Web users.
You can configure the Sidewinder G2 to authenticate all users requesting
Web service using either a basic UNIX password or stronger authentication
methods before the Sidewinder G2 makes the network connection. Refer to
“Configuring authentication services” on page 284 for details on the authentication
methods supported by the Sidewinder G2.
4 Inform users how to configure their Web browsers. See “Configuring
browsers for the Web proxy server” on page 389.
5 Test a Web connection.
You can test the Web proxy server by starting a Web browser from one of
your internal systems, and entering the address of a Web site you know is
valid—for example, you could attempt to access Secure Computing at the
following URL: http://www.securecomputing.com.
Note: Make sure you use a system from which you did not deny access.
Error messages when using the Web proxy server
If you configure a Web proxy server proxy rule to deny a particular Web
connection and that connection is attempted by a user, the message Access
Denied by Firewall Access Rules is sent to the user. This message is
stored in the following file:
/usr/local/squid/etc/cvs/errors/ERR_SCC_DENIED
The message that appears can be modified by editing the file above.
Note: You must be in the Admn domain to edit this file.
If the file does not exist or is empty, the following message is issued to the
user:
Forbidden by proxy ACL check

Configuring the
Web proxy
server
Figure 166: Web proxy
server window: Control
tab
Configuring the Web
proxy server Control
tab
Figure 167: Web Proxy
Server window:
Configuration tab
To configure the Web proxy server, follow the steps below.
Chapter 13: Setting Up Web Services
Configuring the Web proxy server
1 In the Admin Console, select Services Configuration > Servers. The
Servers window appears.
2 Select WebProxy from the Server Name list. The Control tab for the Web
proxy server appears.
The Control tab allows you to enable or disable the Web proxy server. Follow
the steps below.
1 Select Enable to enable the Web proxy server.
2 To configure the properties for the Web proxy server, click the Configuration
tab. Follow the step below to configure the Configuration tab.
383

Chapter 13: Setting Up Web Services
Configuring the Web proxy server
Configuring the Web
Proxy Server
Configuration tab
384
The WebProxy Configuration tab allows you to determine how the WebProxy
server will be used in your system. Follow the steps below.
Note: The authentication method used by Squid is determined by the
authentication method specified within the proxy rule.
1 If you want to use SmartFilter to control Web access, select the Enable
SmartFilter Control List check box. If SmartFilter is enabled, you must
enter your SmartFilter subscription information in the SmartFilter window.
Note: The Web proxy server only supports SmartFilter version 3.x. Support of
4.x is provided via the Web/Secure Web Application Defenses. For more
information on the SmartFilter option, see Appendix E.
2 If you want the client IP address to be included in the request header, select
the Include Client Address in Requests check box.
3 Specify the amount of time you want to allow before a timeout occurs by
entering a numeral in the Timeout for HTTP Requests field, and then select
a unit of measurement from the drop-down list. The default is 30 seconds.
4 Configure the client connections that you want to allow. All client
connections that are currently configured are displayed in the Allow Client
Connections On area of the Configuration tab.
Note: Do not configure more than 31 entries in this list.
The following configuration options are available:
• New—Click this button to add a new client connection. The
Configuration: Allowed Client Connections window appears. For specific
information on adding a new client connection, refer to “Adding or
modifying a client connection” on page 385.
• Modify—Select the client connection you want to modify and click this
button to make changes to an existing client connection. The
Configuration: Allowed Client Connections window appears. For specific
information on changing a client connection, refer to “Adding or
modifying a client connection” on page 385.
• Delete—Select the client connection you want to delete and click this
button to delete an existing client connection. A confirmation window
appears. Click Yes to confirm the deletion. Click No to cancel the
request without deleting the client connection.
5 Click the save icon in the toolbar to save your changes.

Figure 168: Web Proxy
Server window: Cache tab
Configuring the Web
Proxy Server Cache
tab
Adding or modifying a client connection
Chapter 13: Setting Up Web Services
Configuring the Web proxy server
To add or modify a client connection in the Configuration: Allowed Client
Connections window, follow the steps below.
1 Specify the burb on which you want the WebProxy server to listen from the
Burb Name drop-down list.
2 Specify the port number on which you want the WebProxy server to listen in
the Port Number field. You can use the drop-down list to select a predefined
port, or you can type a port number into the field.
3 Specify the type of IP address that you want the WebProxy server to listen
on from the Address drop-down list. The following options are available:
• Any—Select this option if you want to allow the Web Proxy server to
listen on any IP address for the burb that you selected.
• Designated—Select this option if you want to specify the address on
which the WebProxy server will listen. Enter the IP address in the
available field. The address you specify must be located in the burb you
selected in the Burb Name field.
4 Click Add to add this client connection to the list of WebProxy server client
connections (click OK if you are modifying the client connection).
5 To add an additional client connection, repeat step 1–step 4.
6 When you are finished adding or modifying client connections, click Close.
Configuring caching options
To configure the caching options for the Web Proxy server, select Services
Configuration > Servers. The Servers window appears. Select WebProxy from
the Server Name list, and then click the Cache tab. The following window
appears:
The WebProxy server Cache tab allows you to define disk and memory
characteristics for the Web proxy server. Disk caching allows Web browsers to
store information on the Sidewinder G2 for frequently-used sites, so
information does not have to be downloaded each time a site is accessed. To
configure the WebProxy server using the Cache tab, follow the steps below.
385

Chapter 13: Setting Up Web Services
Configuring the Web proxy server
386
Figure 169: Web Proxy
Server window: Filtering
tab
1 Specify the name of the cache root directory in the Directory field. This is
the name of the directory in which cached files will be stored. The default
directory is /var/cache.
2 Specify the maximum amount of disk space (in MB) that can be used for
disk caching in the Maximum disk usage field. You should specify a value of
1 or greater. Note the following:
• Specifying zero (0) does not turn off caching. To disable caching, you
must edit the file named squid.conf.template.
• The cache limit specified here is an approximate limit. That is, the actual
cached data may exceed what you specify in this field.
3 Specify the maximum amount of memory that can be used for disk caching
in the Maximum memory usage field.
4 In the Delete unused items after field, specify how long items will remain in
the cache directory before they are deleted
5 Click the save icon in the toolbar to save your changes. It may take a few
minutes for any changes on this window to take effect.
Configuring HTTP filtering options
Select Services Configuration > Servers. The Servers window appears. Select
WebProxy from the Server Name list, and then click the Filtering tab. The
following window appears:

Configuring Web
Proxy Server HTTP
filtering
Figure 170: Web Proxy
Server window: Advanced
tab
Chapter 13: Setting Up Web Services
Configuring the Web proxy server
The WebProxy server Filtering tab allows you to define HTTP header filtering.
To configure the WebProxy server filtering, select the type of HTTP header
filtering you want, if any. The following options are available:
• None—Select this option if you do not want to use HTTP header filtering.
• Standard—Select this option if you want to deny the a basic set of headers
(the headers that will be denied are automatically selected for you).
• Paranoid—Select this option if you want to allow only the headers that
RFC-compliant. (All other headers will be denied.)
• Custom—Select this option if you want to configure which HTTP header
types you will allow and deny. When you select a header in the header list,
you can also determine whether to Allow or Deny the headers you select in
the Filter Option field. You can also add, delete, or clear HTTP header
types in the HTTP Header Types list, as follows:
– To add a new HTTP header type, click New. The New Custom Header
Type window appears. Enter the new header type and click OK.
– To delete a custom HTTP header type, click Delete. The Select a
Custom Header Type to delete window appears. This window contains a
list of custom HTTP header types that have been created. To delete a
custom header, select the header you want to delete and click OK. (The
Delete button is grayed out if you do not have any custom headers
configured.)
– To clear all HTTP header types from the HTTP Header Types list, click
Clear.
Manually editing the configuration file
Select Services Configuration > Servers. The Servers window appears. Select
WebProxy from the Server Name list, and then click the Advanced tab. The
following window appears:
387

Chapter 13: Setting Up Web Services
Configuring the Web proxy server
Configuring the Web
Proxy Server
Advanced tab
388
The WebProxy server Advanced tab allows you to edit the squid.conf.template
file directly rather than through the Web Proxy Server windows. The Advanced
window contains only one button labelled Edit Squid Configuration. This
button allows you to edit the squid.conf.template file manually using the File
Editor.
Important: If you manually edit the squid.conf.template file using the File Editor (or
via command line) you will need to run cf www reconfigure to update squid.conf
and re-read the configuration files. Only an experienced administrator should
manually edit the squid.conf.template file directly.
The tabbed information on the Web Proxy Server windows is a subset of the
information in the squid.conf.template file. The tabs include the information
most likely to be changed. When you enter or update information on any of the
tabs of the Web Proxy Server window, you are actually updating the
squid.conf.template file.
When you enter or update information on any of the tabs, the Edit Squid
Configuration button becomes inactive until you click the Save icon in the
upper left portion of the window. This is to prevent the changes that you have
made using the Admin Console to become overwritten by manual changes you
might make to the file. When you click the Save icon, the Edit Squid
Configuration button becomes active again.
Changing to transparent mode
The Web proxy server is in non-transparent mode when Sidewinder G2 is
initially installed. If you want the Web proxy server to operate in transparent
mode, do the following. (For information on transparent vs. non-transparent
mode, see “Transparent & non-transparent proxies” on page 254.)
1 Select Services Configuration > Servers. Select WebProxy in the list of
server names, then click the Advanced tab.
2 Click Edit Squid Configuration.
Note: If desired, you can also edit this file using a text editor such as vi, pico, or
emacs. The file resides in /etc/sidewinder/proxy/squid/squid.conf.template.
Set the following values within the "HTTP ACCELLERATION" lines in this
file.
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
3 Save and close the file.
4 Click the Configuration tab and configure the Web proxy server to listen on
port 80. See “Configuring the Web Proxy Server Configuration tab” on page
384 for details.
5 Click the save icon in the toolbar to save your changes.

Configuring
browsers for the
Web proxy
server
Chapter 13: Setting Up Web Services
Configuring browsers for the Web proxy server
You should inform users on your internal network how they should configure
their Web browsers to use the Web proxy server.
Note: You should not need to configure your browsers if you are in transparent
mode.
To set up the browsers to work with the Web proxy server for Web connections,
there are two basic steps:
• Specify the Sidewinder G2 fully qualified host name or IP address in the
browser’s proxy line.
• Specify port number 3128 or whatever port you configured for the Web
proxy server.
Below are the setup procedures for recent versions of Mozilla Firefox, Internet
Explorer, and Netscape. If your users have older versions, consider providing
them with the latest version. For other browsers, consult that browser’s
documentation for defining an HTTP proxy server.
Mozilla Firefox 1.0
To configure Mozilla Firefox for the Web proxy server, do the following:
1 Start the Mozilla Firefox browser and select Tools > Options.
2 Click Connection Settings.
3 Select the Manual Proxy Configuration radio button.
4 In the HTTP Proxy field, enter the fully qualified host name or IP address of
your Sidewinder G2. For example, SWG2name.example.com
5 In the corresponding Port field, enter 3128 or whatever port you configured
for the Web proxy server.
6 Click OK.
Internet Explorer 4.0
To configure Internet Explorer 4.0 for the Web proxy server, do the following:
1 Open the Control Panel window.
2 Double click the Internet icon.
3 Click the Connection tab. In the Proxy Server section enable the option titled
Access the Internet using a proxy server.
4 Fill in the text boxes next to HTTP Proxy and Port.
389

Chapter 13: Setting Up Web Services
Configuring browsers for the Web proxy server
390
• For the HTTP Proxy field, enter the fully qualified host name or IP
address of your Sidewinder G2. For example,
SWG2name.example.com
• For the port field, enter 3128 or whatever port you configured for the
Web proxy server.
5 Click OK.
Internet Explorer 5.x/6.x
To configure Internet Explorer 5.x for the Web proxy server, do the following:
1 Start the Internet Explorer browser and select Tools > Internet Options.
2 Click the Connections tab.
3 Click LAN Settings.
4 Check the Use a Proxy Server box.
• For the Address field, enter the fully qualified host name or IP address
of your Sidewinder G2. For example, SWG2name.example.com
• For the Port field, enter 3128 or whatever port you configured for the
Web proxy server.
5 Click OK.
Netscape version 6.x/7.x
To configure Netscape 6.x/7.xfor the Web proxy server, do the following:
Important: As an administrator, be aware that some versions of Netscape will
remember the user ID and password after the browser is closed and will not reauthenticate
a user after the browser is restarted. This is a security concern when
multiple users share a workstation or do not lock their systems.
1 Start the Netscape browser and select Edit > Preferences.
2 Select the Advanced > Proxies category.
3 Select Manual proxy configuration.
4 Fill in the text boxes next to HTTP Proxy and Port as follows:
• For the HTTP Proxy field, enter the fully qualified host name or IP
address of your Sidewinder G2. For example,
SWG2name.example.com.
• For the Port field, enter 3128 (or whatever port you configured for the
Web proxy server).
5 Click OK.

Certain browsers on UNIX
Chapter 13: Setting Up Web Services
Configuring browsers for the Web proxy server
For some UNIX browsers that do not have a proxy configuration screen, you
must set the http_proxy environment variable to http://sidewinder.com:3128/.
To do so, edit either the C shell or the Bourne shell, as follows:
• Enter the following command in the C shell (CSH):
setenv http_proxy http://SWG2name.example.com:3128/
• Enter the following command in the Bourne shell:
http_proxy="http://SWG2name.example.com:3128/"
391

Chapter 13: Setting Up Web Services
Configuring browsers for the Web proxy server
392

14
CHAPTER
Configuring Virtual
Private Networks
In this chapter...
Sidewinder G2 VPN overview ......................................................394
Configuring the ISAKMP server ...................................................402
Configuring the Certificate server.................................................404
Understanding virtual burbs .........................................................405
Configuring client address pools ..................................................407
Configuring Certificate Management............................................415
Importing and exporting certificates .............................................431
Configuring VPN Security Associations .......................................438
Example VPN Scenarios ..............................................................450
393

Chapter 14: Configuring Virtual Private Networks
Sidewinder G2 VPN overview
Sidewinder G2
VPN overview
394
Figure 171:
Sidewinder G2s, an IPSec
or IKE remote site, or a
VPN client machine
The Sidewinder G2 VPN solution provides secure data transmission through
an encryption and decryption process. The Sidewinder G2 uses the Internet
Key Exchange (IKE) to support this process. The Sidewinder G2 also supports
the use of manually configured encryption keys.
Toronto
London
Certificate
server
Internet
Any IPSec
remote site
VPN client
Sydney
One of the most advanced features of the Sidewinder G2 VPN solution is the
fact that VPN has been embedded into the architecture, making it an operating
characteristic of the OS. This integration not only lets you apply access rules to
VPNs in exactly the same way you do for physically connected networks but
also means that you use the Sidewinder G2 VPN solution to coordinate
corporate-wide network security policies.
As companies expand to new locations and employees spend more time
working out of the office, VPN solutions are becoming more and more
important to businesses. Consider the value of encrypting and authenticating
data in these situations:
• passing traffic from Sidewinder G2 to Sidewinder G2 between offices
located in different cities.
• passing traffic from employees working remotely to your network.

Protecting your
information
What are encryption
and authentication?
An introduction to IPSec technology
Chapter 14: Configuring Virtual Private Networks
Sidewinder G2 VPN overview
The Internet is a broadcast medium that is used to send information. While
information is in transit, anyone can choose to monitor or intercept this
information.
Sending information beyond your Sidewinder G2 via the Internet is like sending
an unsealed envelope of important information via a courier service: you must
trust that the courier will not read or steal the information.
To address this danger, an organization known as IETF (Internet Engineering
Task Force) developed a standard for protecting data on unprotected (or
untrusted) networks such as the Internet. The standard has become known as
IPSec, meaning Internet-Protocol Security. In brief, IPSec calls for encrypting
the data before it leaves the local host, then decrypting it (removing its “cloak”
of encryption) when it is received at the destination or remote host. Once it is
decrypted, the data assumes its original form and can be read as intended. No
matter how long or circuitous its route through the Internet, the data remains
private by virtue of its encryption.
The two main components of IPSec security are encryption and authentication.
• Encryption — Encryption is the means by which plain text is “cloaked.” It
ensures that the transmitted data remains private and unreadable until
properly decrypted. The Sidewinder G2 uses an encryption key to encipher
and decipher each unit of data sent between your site and the “partner” or
remote VPN site. (See “About IPSec keys” on page 396.)
• Authentication — VPN authentication prevents unauthorized individuals
from tampering with the contents of the data being transmitted. It also
prevents them from creating messages that claim to come from a particular
place but are actually sent from somewhere else (such as the hacker’s
home computer). Authentication is accomplished through two methods:
– Data-integrity checking, which allows the receiver to verify whether the
data was modified or corrupted during transmission.
– Sender identification, which allows the receiver to verify whether the
data transmission originated from the source that claims to have sent it.
When used together, encryption and authentication are very much like writing
an encoded message, sealing it in an envelope, and then signing your name
across the flap. The receiver can first verify that the signature is yours as a
means of determining the origin of the message. Next, the receiver can
determine if the contents have been viewed or altered by checking that the
envelope seal has not been compromised. Once the receiver is assured of the
authenticity of the message, they can decode the contents and “trust” that the
contents are as intended.
395

Chapter 14: Configuring Virtual Private Networks
Sidewinder G2 VPN overview
396
VPN configuration options
VPN involves establishing an association (or a trust relationship) between your
Sidewinder G2 and an IPSec-compliant remote Sidewinder G2, host, or client.
(These entities are referred to as “VPN peers.”) Once this trust relationship is
defined, data sent between the two ends is encrypted and then authenticated
before it is transmitted. There are three important concepts that comprise the
Sidewinder G2 VPN:
• IPSec keys, which determine how the information is encrypted and
decrypted, and may be manually or automatically exchanged.
• certificates, pre-shared passwords, and extended authentication, which
authenticate the VPN peer.
• tunnel or transport encapsulation, two methods of how header information
is passed.
Understanding the options associated with each concept will assist you greatly
in creating your security association. Study the following information to help
you determine which VPN configuration best suits your network environment.
About IPSec keys
A key is a number that is used to electronically sign, encrypt and authenticate
data when you send it, and decrypt and authenticate your data when it is
received. When a VPN is established between two sites, two keys are
generated for each remote end: an encryption key and an authentication key.
To prevent these keys from being guessed or calculated by a third party, a key
is a large number. Encryption and authentication (or session) keys are unique
to each VPN security association you create.
Once generated, these keys are exchanged (either automatically or manually)
between the sites, so that each end of the VPN knows the other end’s keys.
To generate key pairs, the Sidewinder G2 gives you two options:
• Manual key generation — If the remote site is not Internet Key Exchange
(IKE)-compliant, you may want to choose the manual method of key
generation. With this method, the Sidewinder G2 provides randomlygenerated
encryption and authentication keys (or you can create your own)
which you must copy and pass to the remote end of the VPN via secure email,
diskette, or telephone. Repeat this process each time you generate
keys. Manual keys are more labor intensive than automatic keys and rarely
used.
• Automatic key generation using IKE — If the remote end of your VPN uses
the IKE protocol, the Sidewinder G2 can manage the generation of session
keys between sites automatically. This process also regularly changes the
keys to avoid key-guessing attacks. Automatic keys are very common in
today’s network environments.

Authenticating IKE VPNs
Chapter 14: Configuring Virtual Private Networks
Sidewinder G2 VPN overview
If you are using manual key generation, each time you generate session keys
you must communicate directly with the other end of the VPN via telephone,
diskette, or e-mail. By contacting the remote end of the VPN each time you
change session keys, you manually verify that the remote end is actually whom
they claim to be.
With automatic key generation, once you gather the initial information for the
remote end of the VPN, there is no further direct contact between you and the
remote end of the VPN. Session keys are automatically and continually
generated and updated based on this initial identifying information. As a result,
the Sidewinder G2 requires a way to assure that the machine with which you
are negotiating session keys is actually whom they claim to be - a way to
authenticate the other end of the VPN. To allow automatic key generation, the
Sidewinder G2 offers the following authentication techniques:
• a pre-shared password — When you must generate keys, the Sidewinder
G2 and the remote end must both use the agreed upon password, defined
during the initial configuration of the VPN, to authenticate each peer.
• a single certificate — Single certificate authentication requires that the
Sidewinder G2 generate a certificate and private key to be kept on the
Sidewinder G2 and a certificate and private key to be exported and installed
on a client. Each certificate, once installed on its end of a VPN connection,
acts as a trust point. A single certificate (also referred to as a “self-signed
certificate”) differs from Certificate Authority (CA) based certificates in that
no root certificate is necessary.
• a Certificate Authority policy — The Sidewinder G2 can be configured to
trust certificates from a particular certificate authority (CA). Thus, it will trust
any certificate that is signed by a particular CA and meets certain
administrator-configured requirements on the identity contained within the
certificate. Because of the nature of this type of policy, Secure Computing
recommends that only locally administered Certificate Authorities be used
in this type of policy. Certificate authorities are described further in
“Configuring Certificate Management” later in this chapter.
Transport mode vs. tunnel mode
There are two methods for encapsulating packets in a VPN connection:
transport mode and tunnel mode. The following paragraphs provide a
description of each method.
• Transport mode — In transport mode, only the data portion of the packet
gets encrypted. This means that if a packet is intercepted, a hacker will not
be able to read your information, but will be able to determine where it is
going and where it has originated. This mode existed before firewalls and
was designed for host-to-host communications.
397

Chapter 14: Configuring Virtual Private Networks
Sidewinder G2 VPN overview
398
• Tunnel mode — In tunnel mode, both the header information and the data
is encrypted and a new packet header is attached. The encryption and new
packet header act as a secure cloak or “tunnel” for the data inside. If the
packet is intercepted, a hacker will not be able to determine any information
about the true origin, final destination or data contained within the packet.
This mode is designed to address the needs of hosts that exist behind a
Sidewinder G2. Because the packet header is encrypted, private source or
destination IP addresses can remain hidden.
Configuring hardware acceleration for VPN
When configuring VPNs you have the option of utilizing a Sidewinder G2
premium feature called VPN hardware acceleration, which is implemented
using a hardware accelerator. When you use a hardware accelerator,
Sidewinder G2 performance may improve because the VPN encryption,
decryption, and authentication tasks are pushed down to the board level. This
frees up the Sidewinder G2 to perform other tasks and in some cases
increases the throughput of your VPN traffic.
Note: Hardware acceleration cannot be used for policies protected only by
authentication (known as Authentication Header or AH).
To implement VPN hardware acceleration you must do the following:
• Install a hardware accelerator. Consult the product documentation for the
accelerator and chassis.
• License both the VPN and the hardware acceleration premium features.
See “Activating the Sidewinder G2 license” on page 55 for licensing
information.
• Enable the VPN hardware acceleration feature. This is accomplished in the
Admin Console by selecting Firewall Administration > Interface
Configuration, then enabling the Enable vpn_acceleration check box in the
Hardware Capabilities area. See “Modifying the interface configuration” on
page 83 for details.
Important: When selecting the IPSec crypto algorithms to use with VPN traffic
that will be accelerated, do not use the cast128 or AES algorithms. The current
supported hardware acceleration boards do not support this algorithm. The
IPSec crypto algorithms are defined on the Crypto tab of the Security
Associations window.

Configuring a VPN client
Chapter 14: Configuring Virtual Private Networks
Sidewinder G2 VPN overview
To establish an encrypted session between a laptop or desktop computer with
the Sidewinder G2 and gain access to a trusted network, the user needs to
install a VPN client. For details on installing and configuring your VPN client,
consult your product documentation.
In many cases the VPN client will be SoftRemote ® . Secure Computing and
SafeNet partner to make that VPN client available from Secure Computing.
When you order your SoftRemote client software from Secure Computing, you
receive a copy of the VPN Administration Guide available. This guide is also
available at www.securecomputing.com/goto/manuals. It provides detailed
instructions for implementing a VPN using a Sidewinder G2 and SoftRemote.
Extended Authentication for VPN
The Extended Authentication (XAUTH) option provides an additional level of
security to your VPN network. In addition to the normal authentication checks
inherent during the negotiation process at the start of every VPN association,
Extended Authentication goes one step further by requiring the person
requesting the VPN connection to validate their identity. The Extended
Authentication option is most useful if you have travelling employees that
connect remotely to your network using laptop computers. If a laptop computer
is stolen, without Extended Authentication it might be possible for an outsider
to illegally access your network. This is because the information needed to
establish the VPN connection (the self-signed certificate, etc.) is saved within
the VPN client software. When Extended Authentication is used, however, a
connection will not be established until the user enters an additional piece of
authentication information that is not saved on the computer—either a onetime
password, passcode, or PIN. This additional level of authentication
renders the VPN capabilities of the laptop useless when in the hands of a thief.
Implementing Extended Authentication on the Sidewinder G2 is a simple two
step process.
1 Specify the authentication method(s) that are available on your Sidewinder
G2 See “Supported authentication methods” on page 277 for information on
supported methods.
Do this by selecting VPN Configuration > ISAKMP Server, then enabling
the desired methods in the Available Authentication Methods field. See
“Configuring the ISAKMP server” on page 402 for details.
399

Chapter 14: Configuring Virtual Private Networks
Sidewinder G2 VPN overview
Table 27: VPN Authentication options
400
Authentication Summary
2 Enable Extended Authentication for the desired VPN security
association(s).
This is accomplished by selecting VPN Configuration > Security Associations
and then clicking the Require Extended Authentication check box.
See “Entering information on the Authentication tab” on page 442 for more
details.
Note: Extended Authentication must also be enabled on the remote client. See
your client software documentation for information on configuring and enabling
Extended Authentication.
What type of VPN authentication should I use?
The Sidewinder G2 supports four different VPN authentication methods. The
characteristics of a VPN peer determine which type of authentication best fits
your VPN configuration. Extended authentication may be added to any
automated authentication method for increased security.
Note: Extended authentication not available for Sidewinder G2-to-Sidewinder G2
configurations or any configuration that uses a manual key exchange.
Manual key VPN • authenticates using a manual key exchanged over a telephone or other secure
connection - keying information is cumbersome to enter and not changed often,
which reduces security
• uncommon in today’s networks, but used for resolving interoperability problems
with other vendors’ IPSec products
• cannot be used for dynamic IP-assigned clients or gateways
• each VPN peer requires its own Sidewinder G2 VPN configuration
Automatic key shared
password VPN
• primary authentication is password sharing with the VPN peer, recommended to
use with Extended Authentication
• ideally suited for travelling and home users when paired with a strong extended
authentication, such as SafeWord PremierAccess
• may be used with dynamic IP-assigned clients, but the clients must be configured
to use Aggressive Mode.
• single Sidewinder G2 VPN configuration can be used to administer many VPN
clients
More...

Authentication Summary
Automatic key single
certificate VPN
Automatic key
certificate authoritybased
VPN
Chapter 14: Configuring Virtual Private Networks
Sidewinder G2 VPN overview
• authenticates using a self-signed public certificate - each VPN peer must first
import the corresponding peer’s certificate
• ideally used for a small number of remote clients
• used with dynamic IP-assigned clients and gateways
• each peer certificate requires its own Sidewinder G2 security association
• authenticates each VPN peer by using a certificate signed by a certificate authority
trusted by the other peer
• ideally suited for roving client VPN peers (such as those using laptop computers)
• used with dynamic IP-assigned clients and gateways
• single Sidewinder G2 security association can be used to administer many VPN
clients.
General guidelines for selecting a VPN authentication type
Here are some general guidelines to follow when you are deciding which type
of VPN to use:
• If the VPN peer is not a Secure Computing product, and all other types of
VPN methods do not work, try the manual key VPN.
• For a small number of VPN peer clients with dynamically assigned IP
addresses, the single certificate VPN is a cost-effective solution. A shared
password VPN in conjunction with Extended Authentication is also an
option.
• If the VPN peer has a static IP address, the pre-shared password VPN is
the easiest to configure. Extended Authentication would not be used in a
gateway to gateway configuration as there is no one to provide the
challenge/response.
• If there is a large number of VPN peer clients with dynamically assigned-IP
addresses (such as a traveling sales force), the CA-based VPN is often the
easiest to configure and maintain. Another popular option is to use a preshared
password VPN in conjunction with Extended Authentication.
401

Chapter 14: Configuring Virtual Private Networks
Configuring the ISAKMP server
Configuring the
ISAKMP server
402
Figure 172: ISAKMP
Server window
Configuring the
ISAKMP Server
window
If you are using automatic key exchange, you will need to configure the
Internet Security Association and Key Management Protocol (ISAKMP) server
before using any automatic key VPNs. To configure the ISAKMP server, select
VPN Configuration > ISAKMP Server. The following window appears.
The ISAKMP server is used by the Sidewinder G2 to generate and exchange
keys for VPN sessions. To configure the ISAKMP server, follow the steps
below.
1 In the Burbs to Listen on box, select the burbs that will have access to the
ISAKMP server. A check mark appears next to each burb that has access
to the server.
2 To allow ISAKMP to send and receive certificates with remote peers using
the ISAKMP protocol, select the Allow Certificate Negotiation check box.
(If you de-select this option, all certificates used to authenticate remote
peers must either be in the local certificate database or be accessible via
LDAP.)
3 In the P1 Retries field, specify the number of times ISAKMP will attempt to
resend a packet for which it has not received a response.
4 In the P1 Retry Timeout field, specify the number of seconds ISAKMP will
use for an initial timeout before resending a packet.
5 In the Audit Level field, select the type of auditing that should be performed
on the ISAKMP server. The options are:
• Error—Logs only major errors.
• Normal—Logs only major errors and informational messages.
• Verbose—Logs all errors and informational messages.
• Debug—Logs all errors and informational messages. Also logs all
debug information.

Chapter 14: Configuring Virtual Private Networks
Configuring the ISAKMP server
• Trace—Logs all errors and informational messages. Also logs debug
and function trace information.
6 In the Available Authentication Methods field, select the authentication
method(s) you want to be made available for VPN associations that use
Extended Authentication. A check mark appears when an authentication
button is selected. See “Extended Authentication for VPN” on page 399 for
a detailed description of Extended Authentication.
Note: You must configure an authentication method before it can be selected.
See “Configuring authentication services” on page 284 for more information.
7 If two or more authentication methods are selected, you should specify a
default method from the Default drop-down list. If a default method is not
selected, the first method selected in the list will be the default method.
8 Click the Save icon in the toolbar to save your changes.
Allowing access to the ISAKMP server
An ISAKMP rule is required in order to allow access to and from the ISAKMP
server. “Creating proxy rules” on page 222 describes how to define a proxy
rule. The ISAKMP proxy rule must contain the following values:
• Service Type = Server
• Service = isakmp
• Source Burb = the Internet burb
• Destination Burb = the Internet burb
• Source address = All Source Addresses (or addresses of remote VPN
peers)
• Destination address = a network object representing the IP address of the
Internet burb, or a netgroup that contains a network object representing the
IP address of the Internet burb
This ISAKMP rule is implicitly bi-directional, meaning it enables ISAKMP traffic
in both directions.
Enabling/disabling the ISAKMP server
Perform the following steps to enable or disable the ISAKMP server.
1 In the Admin Console, select Services Configuration > Servers.
2 Select isakmp from the list of server names.
3 Click Enable or Disable.
4 Click the Save icon in the toolbar.
403

Chapter 14: Configuring Virtual Private Networks
Configuring the Certificate server
Configuring the
Certificate server
404
Figure 173: Server
Control window:
Configuration tab
About the
Certificate Server
Configuration tab
The Certificate server performs a number of functions, including providing
support for the certificate management daemon (CMD) and for an optional
external LDAP server. If the LDAP function is configured, it can be used to
automatically retrieve certificates and Certificate Revocation Lists (CRLs) from
a Version 2 or Version 3 Lightweight Directory Access Protocol (LDAP) Server.
The Sidewinder G2 will attempt to retrieve any certificates and (optionally) any
CRLs that it needs to validate certificates in CA-based VPN. Note that the
LDAP functionality is used only for non-Netscape Certificate Authorities (for
example Baltimore, Entrust, and etc.).
Note: In addition to configuring the Certificate server, a root certificate from the
Certificate Authority must be imported into the Certificate Authorities tab for a
certificate issued by the CA to validate.
To configure the Certificate server, select Services Configuration > Servers.
Select cmd in the list of server names, and then select the Configuration tab.
The following window appears.
The Certificate Server Configuration tab allows you to configure the Certificate
Server. Follow the steps below.
Important: Many of the functions you can perform on this window require the use
of the CMD server. See “Activating the Sidewinder G2 license” on page 55 for
instructions on enabling the CMD server.
1 To enable the LDAP feature, select the Use LDAP to search for Certificates
and CRLs check box, and follow the sub-steps below. If enabled, the
Sidewinder G2 will attempt to retrieve the certificates and CRLs it needs
from an LDAP server.
a In the LDAP Server Address field, type the IP address of the LDAP
server.
b In the LDAP Server Port field, type the port number on which the LDAP
server listens. The port number is typically 389, but the server can be
configured to listen on different ports.

Understanding
virtual burbs
Chapter 14: Configuring Virtual Private Networks
Understanding virtual burbs
c In the LDAP Timeout field, specify the maximum time (in seconds) that
CMD will wait while performing an LDAP search. The valid range is
between 0 and 3600 seconds. The recommend value is between 5 and
300 seconds.
2 In the Maximum Validated Key Cache Size field, specify the maximum
number of validated keys that will be stored in cache memory. Caching
validated keys can increase system performance. Valid ranges are
0–500. A value of 0 indicates that no keys will be cached. For most systems
a value of 100 is sufficient.
3 In the Certificate Key Cache Lifetime field, specify the maximum amount of
time a certificate can remain in the validated key cache before it must be revalidated.
The valid range is 0–168 hours (1 week). A value of 0 indicates
that the certificate keys must be re-validated with each use.
4 Select the Perform CRL Checking check box to enable CRL checking. If
this option is disabled, CRL lists will not be consulted when validating
certificates.
5 In the CRL Retrieval Interval for CAs drop-down list, specify how often a
CA is queried in order to retrieve a new CRL.
6 In the Audit Level drop-down list, select the type of auditing that should be
performed on this server. The options are:
• Error—Logs only major errors.
• Normal—Logs only major errors and informational messages.
• Verbose—Logs all errors and informational messages.
• Debug—Logs all errors and informational messages. Also logs all
debug information.
• Trace—Logs all errors and informational messages. Logs all debug and
function trace information.
7 Click the Save icon in the toolbar.
A virtual burb is a burb that does not contain a network interface card (NIC).
The sole purpose of a virtual burb is to serve as a logical endpoint for a VPN
association. Terminating a VPN association in a virtual burb accomplishes two
important goals:
• It separates VPN traffic from non-VPN traffic.
• It enables you to enforce a security policy that applies strictly to your VPN
users.
Consider a VPN policy that is implemented without the use of a virtual burb.
Not only will VPN traffic mix with non-VPN traffic, but there is no way to enforce
a different set of rules for the VPN traffic. This is because proxies and rules are
applied on burb basis, not to specific traffic within a burb. By terminating the
VPN in a virtual burb you effectively isolate the VPN traffic from non-VPN
traffic. Plus, you are able to configure a unique set of rules for the virtual burb
405

Chapter 14: Configuring Virtual Private Networks
Understanding virtual burbs
406
Figure 174: Virtual burb
vs. a non-virtual burb VPN
implementation
that allow you to control precisely what your VPN users can or cannot do.
Figure 174 illustrates this concept.
VPN without a virtual burb
Sidewinder G2
Internal
network
Trusted Internet
burb burb
Proxies
VPN with a virtual burb
Sidewinder G2
Internal
network
Trusted
burb
Proxies
Proxies
Virtual
burb
= VPN tunnel
= Data
Internet
burb
Internet
Internet
Non-VPN
Client
VPN
Client
Non-VPN
Client
VPN
Client
Note: Both VPN implementations depicted in Figure 174 represent “proxied” VPNs
because proxies must be used to move VPN data between burbs. The use of
proxies enables you to control the resources that a VPN client has access to on
your internal network.
A virtual burb can support all the same services as a normal burb. If traffic
coming from the virtual burb is destined to the Sidewinder G2 itself (for
example, DNS or SSH) the rule that allows traffic across that burb must specify
a NAT address of localhost. If localhost is not specified, the Sidewinder G2 will
not be able to route traffic back to the originator.
You can define up to 64 physical and virtual burbs. For example, if you have
two distinct types of VPN associations and you want to apply a different set of
rules to each type, create two virtual burbs, then configure the required proxies
and rules for each virtual burb.
One question that might come to mind when using a virtual burb is: “How does
VPN traffic get to the virtual burb if it doesn’t have a network card?” All VPN
traffic originating from the Internet initially arrives via the network interface card
in the Internet burb. A VPN security association, however, can internally route
and logically terminate VPN traffic in any burb on the Sidewinder G2. By
defining a security association to terminate the VPN in a virtual burb, the VPN
traffic is automatically routed to that virtual burb within the Sidewinder G2.
Thus, the trusted network now recognizes the virtual burb as the source burb
for your VPN traffic. From the virtual burb, a proxy and rule are needed to move
the traffic to a trusted burb with network access.

Create the virtual
burb
Configure proxies
and rules
Terminate the
desired VPN
association in the
virtual burb
Configuring
client address
pools
Chapter 14: Configuring Virtual Private Networks
Configuring client address pools
Creating and using a virtual burb with a VPN
This section explains how to create a virtual burb on the Sidewinder G2 and
how to use it in a VPN association.
1 In the Admin Console, select Firewall Administration > Burb
Configuration.
2 Click New.
a In the Burb Name field, type the name for your virtual burb.
b Click OK.
3 Click the Save icon.
4 In the Admin Console, select Services Configuration > Proxies and enable
the desired proxies in the virtual burb.
5 Select Policy Configuration > Rules and define the rules that allow access
to and from the virtual burb.
Note: Be sure to add any rules you create to the active proxy rule group.
The virtual burb should be specified as either the source or destination
burb, depending on the type of rule being defined.
6 Terminate the desired VPN security association(s) in the virtual burb.
See “Configuring VPN Security Associations” on page 438 for information
on creating or modifying a VPN association.
Client address pools are used to simplify the management of VPN clients.
They do so by having the Sidewinder G2 manage certain configuration details
on behalf of the client. All the client needs is:
• Client software that supports ISAKMP mode-config exchange
• Authorization information (a client certificate, a password, etc.)
• The address of the Sidewinder G2
Here is how it works: you create a “pool” of IP addresses that will be used by
remote clients when they attempt to make a VPN connection. When a client
attempts a connection, the Sidewinder G2 assigns it one of the IP addresses
available in the address pool. The Sidewinder G2 also negotiates with the
client to determine other VPN requirements, such as which DNS and/or WINS
servers will be made available to the client. If the negotiation is successful, the
client is connected and the VPN association is established.
407

Chapter 14: Configuring Virtual Private Networks
Configuring client address pools
408
Figure 175: Client
Address Pools
Note: To date, not all VPN client software supports the negotiation of every client
address pool parameter. Be sure to verify that your client(s) support the necessary
features.
The number of IP addresses available in the client address pool is dictated by
the value defined in the Virtual Subnet field. Even though the client may have a
fixed IP address, the address used within the VPN association is the address
assigned to it from the address pool. The address pool works for both fixed and
dynamic clients. This means that in the scenarios described at the end of this
chapter, address pools could be used in scenario 2 or scenario 3.
You can create multiple client address pools if desired. Grouping VPN clients
into distinct pools allows you to limit the resources the clients in each group
can access.
The following sections explain how to configure client address pools.
Configuring a new client address pool
To configure a new Client Address Pool, select VPN Configuration > Client
Address Pools. The following window appears.

About the Client
Address Pools
window
About the New Pool
window
Chapter 14: Configuring Virtual Private Networks
Configuring client address pools
This window allows you to create and modify client address pools. You can
perform the following actions in this window:
• Create a new client address pool—To create a new client address pool,
click New in the Pools area. The New Pool window appears. See “About
the New Pool window” on page 409.
• Delete a client address pool—To delete a client address pool, highlight the
pool in the Pool list and click Delete. Click Yes to confirm the deletion.
• Configure a client address pool—To configure the client address pool tabs,
see the following:
– For information on configuring the Subnets tab, see “Configuring the
Subnets tab” on page 410.
– For information on configuring the Servers tab, see “Configuring the
DNS and/or WINS servers” on page 411.
– For information on configuring the Fixed IP Map tab, see “Configuring
the fixed IP map” on page 413.
The New Pool window allows you to create a new client address pool. Follow
the steps below.
1 In the Pool Name field, type the name of the new address pool.
2 In the Virtual Subnet field, specify the network portion of the IP addresses
that will be used in the client address pool, and the number of bits to use in
the network mask. The network mask specifies the significant portion of the
IP address.
3 In the Define the Local Subnets available to remote clients area, configure
the local networks that will be available to remote clients that establish a
VPN association using an address from the client address pool. The
following options are available:
• Create a new local subnet—Click New to define a new entry in the Local
Subnet List. See “Adding or modifying a subnet address” on page 411
for details.
• Modify a local subnet—Select the subnet you want to modify and click
Modify to modify an existing entry in the Local Subnet List. See “Adding
or modifying a subnet address” on page 411 for details.
• Delete a local subnet—Select the subnet you want to delete and click
Delete to delete an existing entry from the Local Subnet List.
4 Click Add to add the new client address pool. To configure the Server tab,
see “Configuring the Subnets tab” on page 410. To configure the Fixed IP
Map tab, see “Configuring the DNS and/or WINS servers” on page 411.
409

Chapter 14: Configuring Virtual Private Networks
Configuring client address pools
410
Figure 176: Client
Address Pools: Subnets
tab
Configuring the
Subnets tab
Configuring the Subnets tab
To configure the virtual subnet address, select VPN Configuration > Client
Address Pools and select the client address pool that you want to configure
from the Pools list. The following tab appears.
The Subnets tab allows you to define the virtual address subnet for this
address pool. You can also specify any local networks that you want to be
accessible to remote clients using this pool. Follow the steps below.
1 Configure the Virtual Subnet List. This list defines the virtual subnets that
define the IP address ranges that are available within this pool. The
following options are available:
• Create a new virtual subnet—Click New to define a new entry in the
Local Subnet List. See “Adding or modifying a subnet address” for
details.
• Modify a virtual subnet—Select the subnet you want to modify and click
Modify to modify an existing entry in the Local Subnet List. See “Adding
or modifying a subnet address” on page 411 for details.
• Delete a virtual subnet—Select the subnet you want to delete and click
Delete to delete an existing entry from the Local Subnet List.
2 Configure the Local Subnet List. This list defines the local networks
available to remote clients that establish a VPN association using an
address from the client address pool. The following options are available:
• Create a new local subnet—Click New to define a new entry in the Local
Subnet List. See “Adding or modifying a subnet address” for details.
• Modify a local subnet—Select the subnet you want to modify and click
Modify to modify an existing entry in the Local Subnet List. See “Adding
or modifying a subnet address” on page 411 for details.

Adding or modifying
a subnet address
Figure 177: Client
Address Pools:
Servers tab
Chapter 14: Configuring Virtual Private Networks
Configuring client address pools
• Delete a local subnet—Select the subnet you want to delete and click
Delete to delete an existing entry from the Local Subnet List.
Important: The client machine’s IP address should not match the internal
network’s subnet, as this configuration could cause internal routing and connectivity
issues.
To add or modify an IP address/netmask combination in the New/Modify
Virtual/Local Subnet window, follow the steps below.
1 In the Virtual/Local Subnet field, type the IP address that will be used to
define:
• For the Virtual Subnet field—The network portion of the IP addresses
used in the client address pool.
• For the Local Subnet List—The network portion of the local network
that will be made available to the VPN clients.
2 In the netmask field, specify the number of bits to use in the network mask.
The network mask specifies the significant portion of the IP address.
3 Click Add.
4 Click the Save icon.
Configuring the DNS and/or WINS servers
To configure the DNS and/or WINS servers, select VPN Configuration > Client
Address Pools. Create a new entry or select an existing one, and then select
the Servers tab. The following window appears.
411

Chapter 14: Configuring Virtual Private Networks
Configuring client address pools
Configuring the
Servers tab
Adding or modifying
a server
412
The Servers tab is used to define the DNS server(s) and/or the WINS server(s)
that will be made available to remote clients. These servers provide name and
address resolution services for devices within the local network. The DNS
servers you specify can reside on the Sidewinder G2 or be located on another
machine in a local or remote network. WINS servers are never located on the
Sidewinder G2. To configure the Servers tab, follow the steps below.
1 The DNS Servers box lists the DNS servers that will be made available to
VPN clients that establish a connection using an address from the client
address pool. The following options are available:
• New—Click this button to create a new DNS server. See “Adding or
modifying a server” for details.
• Modify—Select a DNS server and click Modify to modify an existing
DNS server. See “Adding or modifying a server” for details.
• Delete—Select the DNS server and click Delete to delete an existing
DNS server.
2 The NBNS/WINS Servers box lists the NBNS and WINS servers that will be
made available to VPN clients that establish a connection using an address
from the client address pool. The following options are available:
• New: Click this button to create a new NBNS/WINS server. See “Adding
or modifying a server” on page 412 for details.
• Modify: Select a NBNS/WINS server and click Modify to modify an
existing NBNS/WINS server. See “Adding or modifying a server” on
page 412 for details.
• Delete: Select the NBNS/WINS server and click Delete to delete an
existing NBNS/WINS server.
To add or modify a server entry in the New/Modify DNS or NBNS/WINS server
window, follow the steps below.
1 In the DNS Server or NBNS/WINS field, type or change the IP address that
specifies the location of the DNS or WINS server.
2 Click Add to add the IP address to the server list.
3 Repeat step 1 and step 2 for each additional IP address you want to add.
4 When you are finished adding/modifying IP addresses, click Add.
5 To save changes to the Servers tab, click the Save icon.

Figure 178: Client
Address Pools:
Fixed IP Map tab
About the Fixed IP
Map tab
Configuring the fixed IP map
Chapter 14: Configuring Virtual Private Networks
Configuring client address pools
To configure the fixed IP map, select VPN Configuration > Client Address
Pools. Create a new entry or select an existing one, and then select the Fixed
IP Map tab. The following window appears.
The Fixed IP Map tab is used to define fixed addresses for selected clients. It
enables each of the specified clients to connect to the Sidewinder G2 using
their own unique IP address. It effectively reserves a specific IP address for a
specified client. The fixed addresses you specify must be within the range of
available IP address as defined by the client address pools.
Caution: Do not use network or broadcast addresses when mapping IP addresses
to client IDs. These addresses are reserved and are not considered valid values for
client address mappings. For example, if your address range is 192.168.105.0/24,
then 192.168.105.0 (the network address) and 192.168.105.255 (the broadcast
address) should not be used in a fixed IP client mapping. The network address is
that address whose masked portion is all 0s, and the broadcast address is that
address whose masked portion is all 1s.
One of the benefits of assigning fixed IP addresses to selected clients is that it
allows you to govern what each client can do. For example, you might restrict
access to certain clients, and you might grant additional privileges to other
clients. You do this by creating a network object for a selected IP address and
then using the network object within a rule.
The Fixed IP Map tab contains a Fixed IP Client Address Mappings box that
lists the current IP address/client mappings. Each unique IP address can
appear in the table only once. Multiple identities representing a single client,
however, can be mapped to one IP address. You can add, modify, or delete
entries by using one of the buttons described below.
413

Chapter 14: Configuring Virtual Private Networks
Configuring client address pools
Adding or modifying
fixed IP entries
414
• New—Click this button to define a new fixed IP client address mapping.
See “Adding or modifying fixed IP entries” on page 414 for details.
• Modify—Select an entry and click this button to modify a fixed IP client
address mapping. See “Adding or modifying fixed IP entries” on page 414
for details.
• Delete—Select an entry and click this button to delete a fixed IP client
address mapping.
The Fixed IP Map tab allow you to create a client address mapping entry or to
modify an existing entry. Each entry consists of two fields: an IP address and
one or more client IDs. To add or modify a fixed IP entry, follow the steps below.
1 In the IP Address field, enter the fixed IP address that will be associated
with this mapping. The IP address must be within the virtual subnet for this
pool.
2 Configure the client identification strings for this entry. All entries listed in
the Client Identification Strings box will be mapped to the associated IP
address. Because a client can use one of several different IDs (a
distinguished name, an e-mail address, etc.) when negotiating a session,
you can map multiple IDs to one IP address. However, you cannot map two
separate clients to the same address.
Defining all the possible IDs for a client means you will be ready regardless
of which ID is presented during the negotiation. Note that if a user will be
using Extended Authentication, their user name will override any other ID.
Use the following buttons to configure client identification strings:
Note: Each client identification string must be entered separately.
• New—Click this button to add a new client identifier. See “Adding or
modifying a client identification string” on page 415 for details.
• Modify—Click this button to modify an existing client identifier. See
“Adding or modifying a client identification string” on page 415 for
details.
• Delete—Click this button to delete an existing client identifier.
3 When you have finished configuring the client identification strings, click
Add to add the new pool entry to the list.
Note: Clicking Close without clicking Add first will cancel any changes.

Adding or modifying
a client
identification string
Configuring
Certificate
Management
Chapter 14: Configuring Virtual Private Networks
Configuring Certificate Management
To create or modify a client identifier, follow the steps below.
1 Type the new client identifier in the Client ID field. You can type any of the
possible identifiers:
• Distinguished name
• E-mail address
• Domain name
• IP address
• XAUTH username
Tip: The XAUTH username overrides all other client identification values. If the
user will be using extended authentication, you should only add that user name
for fixed IP mapping.
2 Click Add to add the client ID to the list.
3 To create additional client IDs, repeat step 1 and step 2 for each client ID.
4 Click the Save icon.
If you are using automatic key generation and intend to use certificates for
authentication, you should configure the certificate and/or Certificate Authority
(CA) server information before you set up the VPN. This eliminates the need to
configure certificates and CAs during the VPN process. To configure certificate
or CA information, follow these general steps.
1 Review the section “Selecting a trusted source” on page 419 for details on
certificates and CAs.
2 Decide if you will use a public CA server, your private CA server, or selfsigned
certificates generated by the Sidewinder G2 (which can be used
between two Sidewinder G2s or between a Sidewinder G2 and a VPN
client machine).
3 If you are using a public or private CA server, go to “Configuring and
displaying CA root certificates” on page 420. You may also want to add
remote identities to be used in conjunction with a Certificate Authority
policy. See “Configuring and displaying Remote Identities” on page 422.
4 If you are using self-signed certificates, refer to the section titled
“Configuring and displaying firewall certificates” on page 424.
5 If you are configuring a VPN between the Sidewinder G2 and a machine
running the client version of the Sidewinder G2 VPN solution, and if you are
not using a CA, you must create a remote certificate, export it, then import
the certificate into the VPN client. Refer to the section titled “Exporting
remote or firewall certificates” on page 435.
415

Chapter 14: Configuring Virtual Private Networks
Configuring Certificate Management
416
Understanding Distinguished Name syntax
The Certificate Manager supports using distinguished names (DN) for a
number of purposes, including identifying the subject of an X.509 certificate.
DNs need to be entered using the proper syntax. As defined in the X.500
specifications, a DN is an Abstract Syntax Notation One (ASN.1) value. Within
an X.509 certificate, a DN is represented as a binary value. When it is
necessary to represent a DN in a human–readable format, as when entering
information into the Certificate Manager, the Sidewinder G2 uses the string
syntax defined by RFC 2253. This section summarizes the DN string syntax
through a series of examples.
Note: For more information on this string syntax, visit http://www.ietf.org/rfc.html
and search for RFC 2253, “Lightweight Directory Access Protocol (v3): UTF-8
String Representation of Distinguished Names.”
A distinguished name (DN) consists of a sequence of identity components,
each composed of a type tag and a value. The components of a DN are sets of
attribute type/value pairs. The attribute type indicates the type of the item, and
the attribute value holds its contents. Each type/value pair consists of an X.500
attribute type and attribute value, separated by an equal sign (‘=’). In the
example CN=Jane Smith, “CN” is the attribute type and “Jane Smith” is the
value.
The attribute type/value pairs are separated by commas (‘,’). This example
shows a DN made up of three components:
CN=Jane Smith, OU=Sales, O=Secure Computing
Plan out your organization’s certificate identification needs before creating any
DNs. DNs have a hierarchical structure, reading from most specific to least
specific. No preset hierarchy of attribute type exists, but the structure for a
given organization need to be consistent. In this example, the organization
Secure Computing has organizational units, making the organizational unit
attribute type more specific than the organization attribute type.
CN=Jane Smith, OU=Sales, O=Secure Computing
CN=Ira Stewart, OU=Engineering, O=Secure Computing
An attribute type is specified by a tag string associated with the X.500 attribute
being represented. The Sidewinder G2 supports the attribute tag strings
displayed in Table 28, which includes the most common ones recommended
by RFC 2253. The tag strings are not case sensitive.

Table 28: Supported X.500 Attribute Type Tags
Tag String X.500 Attribute Name
Chapter 14: Configuring Virtual Private Networks
Configuring Certificate Management
The attribute value holds the actual content of the identity information, and is
constrained by the associated attribute type. For the supported attribute types,
Table 28 shows the corresponding string type (which limits the allowed set of
characters) and its maximum length. For example, given “CN=Jane Smith” as
a name component, the string “Jane Smith” is of type DirectoryString, and is
constrained to a maximum of 64 characters. The maximum number of
characters allowed in a DN (that is, the number of characters for all attribute
values added together) is 1024.
Table 29 defines the allowed character set for each of the character string
types used in Table 28.
Table 29: Character String Types
Character String
Type
C CountryName PrintableString 2
CN CommonName DirectoryString 64
Email Address EmailAddress IA5String 128
L LocalityName DirectoryString 128
O OrganizationName DirectoryString 64
OU OrganizationUnitName DirectoryString 64
SN Surname DirectoryString 128
ST StateName DirectoryString 128
Street StreetAddress DirectoryString 128
UID UserID DirectoryString 128
Character String
Type
Allowed Characters
DirectoryString All 8 bit characters without encoding
All non–8 bit characters with UTF–8 encoding
PrintableString A–Z, a–z, 0–9, ()+-./:=?, comma (‘,’), space (‘ ‘),
apostrophe (‘’’)
IA5String All 7 bit characters
Max. # of
Characters
417

Chapter 14: Configuring Virtual Private Networks
Configuring Certificate Management
418
When representing attribute values, be careful when using special characters.
The following characters have special meaning in the string syntax and must
be escaped with a backslash character (‘\’):
• comma (‘,’)
• equal sign (‘=’)
• plus sign (‘+’)
• less than sign (‘’)
• pound sign (‘#’)
• semicolon (‘;’)
• backslash (‘\’)
• quotation (‘”’).
All other printable ASCII characters represent themselves. Non–printable
ASCII must be escaped by preceding the ordinal value of the character in twodigit
hexadecimal with a backslash (for example. the BEL character, which has
an ordinal value of seven, would be represented by \07). Here are some
examples of the escape conventions:
CN=Jane Smith\,DDS, OU=Sales, O=Secure Computing
CN=\4a\61\6e\65\20Smith, OU=Sales, O=Secure Computing
Attribute values may optionally be contained within double-quote characters, in
which case only the backslash (‘\’), double quote (‘”’), and non–printable ASCII
characters need to be escaped. Here the double-quotes eliminate the need to
escape the CN’s comma:
CN=”Jane Smith,DDS”, OU=Sales, O=Secure Computing
Note: Entries containing backslashes or double–quotes will appear “normalized”
(without extra characters or spaces) in the GUI once they are saved.
Use this supported syntax when entering information on the Admin Console’s
Certificate Manager tabs.
Note: For additional information on DN syntax, see RFCs 2044, 2252, 2253, and
2256.

Single certificate
versus Certificate
Authority trusted
sources
Public versus
private Certificate
Authorities
Selecting a trusted source
Chapter 14: Configuring Virtual Private Networks
Configuring Certificate Management
If you have decided to use certificate authentication, you must choose whether
to use a single certificate or Certificate Authority root certificate. In both
methods, when a key is generated, the trust point (the Sidewinder G2 or a
trusted CA like Netscape, Baltimore, Entrust, etc.) places the key in an
electronic envelope called an X.509 certificate. Every certificate contains a
collection of information about the entity possessing the private key (the
Sidewinder G2 or VPN client). This information may include an identity, a
company name, and a residency.
Note: If you select Netscape as a CA server, note that only Netscape version 4.2
is supported at this time.
To validate this information, a certificate must be electronically verified and
witnessed by a trusted source. A CA based trusted source is best designed for
larger deployments and allows for greater flexibility, as both the root (general
authoritative certificate from the CA) and personal certificates may be retrieved
online. However, a CA configuration does require managing the Certificate
Authority server or paying someone else to manage it for you. A Sidewinder G2
self-signed trust source is best for very small deployments, as a separate
security association must be created for each client. Certificates must be
exported from the Sidewinder G2 and then installed on each client.
If you are planning to use a specific Certificate Authority to validate certificates
created on the Sidewinder G2, or as part of a group of trusted CAs from which
Sidewinder G2 can directly import certificates, you should set up these CAs
before you begin configuring a VPN. You can use the following types of CA
servers:
• a private CA server — You can purchase and install your own CA server
and configure this server as the trusted authority for any VPNs you
establish. This is an ideal solution for companies that prefer to only allow
VPNs with certificates signed by a CA server on their own protected
network.
Note: Before you begin, you must install the CA server and make its URL
accessible to the Sidewinder G2. For details on installing and configuring a
private CA server, review the manufacturer’s documentation.
• a public CA server — you can choose to accept certificates signed by
trusted CAs administered elsewhere. This option allows remote machines
to use one certificate for VPNs with more than one corporate partner.
419

Chapter 14: Configuring Virtual Private Networks
Configuring Certificate Management
420
Figure 179:
Certificate Management:
Certificate Authorities tab
About the
Certificate
Authorities tab
Configuring and displaying CA root certificates
This section explains how to configure the Certificate Authorities tab and
display the imported signed root certificate.
In the Admin Console, select Services Configuration > Certificate
Management, then click the Certificate Authorities tab. The following window
appears.
The Certificate Authorities tab allows you to view the list of available certificate
authorities (CAs). CAs are used to validate (sign) certificates that are used in a
VPN connection. To display the properties of a specific certificate, select the
certificate from within the Cert Authorities list. Its properties are displayed on
the right portion of the window. For a description of these properties, see
“Adding a Certificate Authority” on page 421.
From this tab, you can perform the following actions:
• Add a new certificate to the list—Click New and see “Adding a Certificate
Authority” on page 421 for details.
• Delete a certificate from the list—Select the certificate you want to delete
and click Delete.
Note: A Certificate Authority cannot be deleted if it is currently being used by
one or more Security Associations (the Delete button is disabled).
• Retrieve a certificate—Click Get CA Cert to query the CA and import a
certificate for the selected CA. The selected CA must be either Netscape
4.2 or an SCEP CA.

Adding a Certificate
Authority
Chapter 14: Configuring Virtual Private Networks
Configuring Certificate Management
• Export a certificate—Click Export to export a CA certificate from local
cache to a file and/or a screen.
• Retrieve a CRL—Click Get CRL to manually retrieve a new Certificate
Revocation List (CRL) for this CA. A CRL identifies certificates that have
been revoked. CRLs expire on a regular basis, which is why you must
periodically obtain a new CRL. You generally only need to manually get a
CRL for Netscape CAs when the CA is initially added. After that CRLs are
automatically updated every 15 minutes or so for Netscape 4.2 CAs.
Note: If you do not have access to either a Netscape CA or have access to an
LDAP directory, you should disable the Perform CRL Checking button on the
Certificate Server window.
The New Certificate Authority window enables you to add a new Certificate
Authority to the list of CAs used when authorizing certificates in a Sidewinder
G2 VPN connection. To add a new Certificate Authority, follow the steps below.
1 In the CA Name field, type a name for this certificate authority. Only
alphanumeric characters are accepted in this field.
2 In the Type drop-down list, select the type of CA used by your location.
Valid options are:
• Manual—Indicates the necessary files are obtained and loaded by an
administrator rather than by a CA.
• Netscape 4.2—Indicates that a Netscape version 4.2 CA is being
defined.
• SCEP (Simple Certificate Enrollment Protocol)—Indicates the CA being
defined supports this widely-used certificate enrollment protocol. The
CA can be of any type (Netscape 4.2, Baltimore, Entrust, VeriSign, etc.)
as long as it supports SCEP.
3 [Conditional] In the File field, type the name and location of the root
certificate for the CA, or click Browse to browse your network directories for
the location of the root certificate. The root certificate is used to verify
certificates issued by this CA. (This field is available only if you select
Manual in the Type field.)
Note: Valid file formats are .pem and .der. For information on obtaining a root
certificate, see the documentation that accompanied the CA.
4 [Conditional] In the URL field, type the URL address of the Netscape CA in
the URL field. Certificates that need to be signed by the CA are sent to this
address. (This field is available only if you select Netscape or SCEP in the
Type field.)
5 [Optional] In the CA Id field, type the value used to identify this specific CA.
Check with your CA administrator to determine the identifier to use. Many
administrators use the fully-qualified domain name of the CA as the
identifier. (This field is available only if you select SCEP in the Type field.)
421

Chapter 14: Configuring Virtual Private Networks
Configuring Certificate Management
Exporting a
Certificate Authority
422
6 Click Add to add the CA to the Certificate Authority list. To define another
certificate authority, repeat step 1–step 5.
7 Click the Save icon.
The Export Certificate window allows you to export the selected certificate from
the Sidewinder G2 to a separate file and/or to the screen. The certificate can
be written to a file on the hard drive of a workstation, or it can be written to a
transportable medium such as a floppy diskette or an zip disk. You can export
only the certificate, or both the certificate and the private key.
1 Select the Export Certificate (Typical) radio button.
2 Select the export destination:
• Export Certificate To File—To export the certificate to a file, select this
option and proceed to step 3.
• Export Certificate To Screen—Select this option to export the certificate
to the screen.
3 [Conditional] If you are exporting the certificate to file, do the following:
• In the File field, type the name and location of the file to which the client
(or firewall) certificate will be written. If you want to overwrite an existing
file, but you are not certain of the path name or the file name, click
Browse.
• In the Format field, select the appropriate format for the file.
4 Click OK to export the certificate to the desired location.
The certificate has now been exported.
Configuring and displaying Remote Identities
Remote Identities can be created for two purposes. If you choose to have a
Certificate Authority policy defined for a VPN (whereby a group of trusted CAs
is authorized to issue certificates for access to the VPN), you will also require a
list of Remote Identities. Remote Identities are used as part of a Security
Association to determine which remote certificates from a CA may be used to
authenticate to a VPN. You may also be required to configure a remote identity
to be used in a Security Association for a software client, such as the SafeNet
SoftRemote client, using pre-shared passwords.
In the Admin Console, select Services Configuration > Certificate
Management, then select the Remote Identities tab. The following window
appears.

Figure 180:
Remote Identities tab
About the Remote
Identities tab
Chapter 14: Configuring Virtual Private Networks
Configuring Certificate Management
In this tab you can view and modify the list of available remote identities.
Remote identities are used to identify the authorized users who take part in a
Security Association and either have been issued a certificate from a particular
CA or use a VPN client configured with a pre-shared password. For example,
as part of a remote identity you might define a Distinguished Name that
authorizes only people from the Sales department of Bizco corporation.
In this tab, you can perform the following actions:
• To display the properties of a specific identity, select the identity from within
the list. Its properties are displayed on the right portion of the window.
• To modify an identity, make the desired changes and click the Save icon.
For specific information on modifying the properties that appear for a
remote identity, see “Adding or modifying a Remote Identity” on page 424.
• To create a new remote identity, click New, and see “Adding or modifying a
Remote Identity” on page 424 for details.
• To delete an existing identity, highlight the identity you want to delete and
click Delete.
423

Chapter 14: Configuring Virtual Private Networks
Configuring Certificate Management
Adding or modifying
a Remote Identity
424
The Create New Remote Identity window enables you to add a new remote
identity. You can also modify an existing remote identity within the Remote
Identities tab. To add or modify a remote identity, follow the steps below.
Tip: An asterisk can be used as a wildcard when defining the fields on this window.
(Other special characters are not allowed.) For example; *, O=bizco, C=us
represents all users at Bizco.
1 In the Identity Name field, type a name for this Remote Identity.
2 In the Distinguished Name field, create a distinguished name. See
“Understanding Distinguished Name syntax” on page 416 for information on
the format that should be used.
Note: The order of the specified distinguished name fields must match the
order listed in the certificate.
3 [Optional] In the E-Mail Address field, enter the e-mail address(es) to which
you want to restrict access. Enter one e-mail address per identity or use a
wildcard to indicate all e-mail addresses, such as *@example.com.
4 [Optional] In the Domain Name field, type the specific domain name to
which you want to restrict access. Enter one domain name per identity or
use a wildcard to indicate all domain names, such as *.example.com.
5 [Optional] In the IP Address field, type the unique IP address or group of IP
addresses to which you want to restrict access. For example: 182.19.0.0/16
indicates that only users with IP addresses beginning with 182.19 (as
contained in the certificate) will be authorized to use the VPN.
6 Click Add to add the identity to the Identities list.
7 To define additional remote IDs, repeat step 1–step 6.
8 Click the Save icon.
Configuring and displaying firewall certificates
A firewall certificate is used to identify the Sidewinder G2 to a potential peer in
a VPN connection. When creating a certificate for the Sidewinder G2, you have
the option to submit the certificate to a CA for validation, or have the
Sidewinder G2 generate a self-signed certificate. You should create these
certificates before you begin configuring a VPN.
In the Admin Console, select Services Configuration > Certificate
Management, then select the Firewall Certificates tab. The following window
appears.

Figure 181:
Firewall certificates
About the Firewall
Certificates tab
Chapter 14: Configuring Virtual Private Networks
Configuring Certificate Management
The Firewall Certificates tab enables you to view the list of available
certificates. The Sidewinder G2 will use a firewall certificate to identify itself to a
peer in a VPN connection. To display the properties of a specific certificate,
select the certificate from within the list and its properties are displayed on the
right portion of the window. For a description of these properties, see “Adding a
firewall certificate” on page 426.
From this tab, you can perform the following actions:
Note: You cannot modify the properties of a certificate from this window. To modify
a certificate you must delete it and then add it back using the new properties.
• Add a firewall certificate—Click New to add a certificate to the Certificate
list. See “Adding a firewall certificate” on page 426 for details.
• Delete a firewall certificate—Select the certificate and click Delete to
remove the selected certificate from the Certificate list.
Note: A certificate cannot be deleted if it is currently used by one or more areas
(for example, Security Associations, Application Defenses, etc.).
• Import a firewall certificate—Click Import to import an existing certificate
and its related private key file. See “Importing a firewall certificate” on page
432 for more information.
• Export a firewall certificate—Click Export to export the selected certificate
to a file. The export function is generally used when capturing the certificate
information needed by a remote partner such as a VPN client. See
“Exporting remote or firewall certificates” on page 435 for more details.
• Retrieve a certificate—If a certificate request has been submitted to be
signed by a CA, click the Query button to query the CA to see if the
certificate is approved. If yes, the Status field will change to SIGNED and
the approved certificate will be retrieved.
425

Chapter 14: Configuring Virtual Private Networks
Configuring Certificate Management
Adding a firewall
certificate
426
If the certificate request is Manual PKCS10, click the Load button to load
the signed certificate from a file supplied by the CA.
Note: By default, Netscape CAs and CAs that support the Simple Certificate
Enrollment Protocol (SCEP) are checked every 15 minutes for any certificates
waiting to be signed.
The Create New Firewall Certificate window enables you to add a certificate to
the Firewall Certificate list. To add a certificate, follow the steps below.
Note: The default certificate key size is 1024 bits. The default lifetime for selfsigned
certificates created on the Sidewinder G2 is five years.
1 In the Certificate Name field, type a name for this certificate.
2 In the Distinguished Name field, create a distinguished name. See
“Understanding Distinguished Name syntax” on page 416 for information on
the format that should be used. Note the following:
• The order of the specified distinguished name fields must match the
order listed in the certificate.
• Some CAs will not support the optional identity types specified in step 3
through step 5.
3 [Optional] In the E-Mail Address field, type the email address associated
with this firewall certificate.
4 [Optional] In the Domain Name field, type the domain name associated with
this firewall certificate.
5 [Optional] In the IP Address field, type the IP address associated with this
firewall certificate.
6 In the Submit to CA drop-down list, select the enrollment method to which
the certificate will be submitted for signing. The valid options are:
• Self Signed—Indicates the new certificate will be signed by the firewall
rather than by a CA.
• Manual PKCS10—Indicates the certificate enrollment request will be
placed in a PKCS10 envelope and exported to the file designated in the
Generated PKCS10 File field.
• The name of the CA to which the certificate is submitted for signing. The
CA can be either private (one you own and manage) or it can be public
(a trusted CA administered elsewhere).
7 In the Signature Type field, select the encryption format that will be used
when signing the certificate. Valid options are RSA or DSA.

Figure 182:
Remote certificates
defined on the Sidewinder
G2
Chapter 14: Configuring Virtual Private Networks
Configuring Certificate Management
8 [Conditional] Depending on the method you select in the Submit to CA field,
the Other Parameters area may contain additional fields, as described
below:
• If you selected Manual PKCS10 in the Submit to CA field, the Generated
PKCS10 File field appears. Specify the name and location of the file that
will contain the signed certificate, or click Browse to browse the network
directories for the location of the file you want to specify. This file
contains a PKCS10 “envelope” that is used to send a certificate to a CA
for signing.
• If you selected a method that uses SCEP, you will need to provide a
password in the SCEP Password field that appears.
9 [Conditional] In the Format field, select the appropriate format for your
PKCS10 certificate request.
10 Click Add to add the certificate to the Certificates list. To define additional
certificates repeat step 1 through step 9.
11 Click the Save icon.
Configuring and displaying remote certificates
A remote certificate identifies one or more peers that can be involved in a VPN
connection with a Sidewinder G2. The Sidewinder G2 can import existing
certificates into its Remote Certificates database, or it can create new remote
certificates. In either case, all certificates should be in place before you begin
configuring a VPN.
In the Admin Console, select Services Configuration > Certificate
Management, then select the Remote Certificates tab. The following window
appears.
427

Chapter 14: Configuring Virtual Private Networks
Configuring Certificate Management
About the Remote
Certificates tab
Adding a remote
certificate
428
The Remote Certificates tab enables you to view the list of available remote
certificates. These certificates represent the potential peers with which
Sidewinder G2 can establish a VPN connection. To display the properties of a
specific certificate, select the certificate from within the list. Its properties are
displayed on the right portion of the window. For a description of these
properties, see “Adding a remote certificate”.
Note: You cannot modify the properties of a certificate from this window. To modify
a certificate you must delete it and then add it back using the new properties.
From this window, you can perform the following actions:
• Add a new certificate to the Certificate list—Click New and see “Adding a
remote certificate” on page 428 for details.
• Delete a certificate from the list—Select the certificate you want to delete
and click Delete.
• Import certificates—Click Import and see “Importing a remote certificate”
on page 434.
• Export certificates—Click Export and see “Exporting remote or firewall
certificates” on page 435.
• Query the CA for Certificate status—If a certificate request has been
submitted to be signed by a CA, click the Query button to query the CA to
see if the certificate is approved. If yes, the Status field will change to
SIGNED and the approved certificate will be retrieved.
If the certificate request is Manual PKCS10, click the Load button to query
and retrieve the signed certificate.
Note: By default, Netscape CAs and CAs that support the Simple Certificate
Enrollment Protocol (SCEP) are checked every 15 minutes for any certificates
waiting to be signed.
The Create New Remote Certificate window enables you to add a certificate to
the Remote Certificate list. To add a remote certificate, follow the steps below.
Note: The default certificate key size is 1024 bits. The default lifetime for selfsigned
certificates created on the Sidewinder G2 is five years.
1 In the Certificate Name field, type a name for this certificate.
2 In the Distinguished Name field, create a distinguished name. See
“Understanding Distinguished Name syntax” on page 416 for information on
the format that should be used. Note the following:
• The order of the specified distinguished name fields must match the
order listed in the certificate.
• Some CAs will not support the optional identity types specified in step 3
through step 5.

Chapter 14: Configuring Virtual Private Networks
Configuring Certificate Management
3 [Optional] In the E-Mail Address field, type the email address associated
with this remote certificate.
4 [Optional] In the Domain Name field, type the domain name associated with
this remote certificate.
5 [Optional] In the IP Address field, type the IP address associated with this
remote certificate.
6 In the Submit to CA drop-down list, select the enrollment method to which
the certificate will be submitted for signing. The valid options are:
• Self Signed: Indicates the new certificate will be signed by the
Sidewinder G2 rather than by a CA.
• Manual PKCS10: Indicates the certificate enrollment request will be
placed in a PKCS10 envelope and exported to the file designated in the
Generated PKCS10 File field.
• The name of the CA to which the certificate is submitted for signing. The
CA can be either private (one you own and manage) or it can be public
(a trusted CA administered elsewhere).
Note: The CA option is only available if a CA is already configured on the
Certificate Authorities tab.
7 In the Signature Type box, select the encryption format that will be used
when signing the certificate. Valid options are RSA or DSA.
8 [Conditional] In the Generated PKCS10 File field, specify the name and
location of the file that will contain the signature request, or click Browse to
browse the network directories for the file location.
This file contains a PKCS10 “envelope” that is used to send a certificate to
a CA for signing. This field is available only if Manual PKCS10 is specified in
the Submit to CA field.
Note: To create a new file using the Browse button, enter the name and
extension (allowed file formats are binary or .pem).
9 [Conditional] In the Format field, select the appropriate format for your
PKCS10 certificate request.
10 [Conditional] In the SCEP Password field, type a password for this
certificate. You will need this password if you ever need the CA to revoke
this certificate. The password may not contain spaces or single quotes. This
field is available only if the Submit to CA field displays a CA of type SCEP.
11 Click Add to add the certificate to the Certificates list.
12 To define additional certificates, repeat step 1–11 for each certificate you
want to add.
13 Click the Save icon.
429

Chapter 14: Configuring Virtual Private Networks
Configuring Certificate Management
430
Figure 183: SSL
Certificates tab
Configuring the SSL
Cert tab
Assigning new certificates for Admin Console and
synchronization services
The default SSL certificates are unique to each Sidewinder G2. However, if you
would like to change your default certificate for any reason, follow the steps in
this section.
Note: Keep in mind, it is the certificates on the Sidewinder G2 end that you are
changing, not on the client end.
Before assigning a new certificate to these services you must first create the
new certificates. You should create two new certificates, one for the Admin
Console service and one for the synchronization server. You create the
certificates from the Firewall Certificates tab. Each certificate must be:
• a firewall certificate
• a self-signed certificate
• of type RSA/DSA
See “Configuring and displaying firewall certificates” on page 424 for
information on creating a firewall certificate.
To assign a new certificate for the Admin Console or the synchronization
server, in the Admin Console, select Services Configuration > Certificate
Management, then select the SSL Certificates tab.
This tab is used to assign a new SSL certificate to the Admin Console service
(cobra) or the synchronization server (synchronization).
The SSL Certificate tab allows you to view the proxies to which you can assign
new certificates and identifies the name of the certificate currently assigned to
each proxy. The certificate will either be 1) the default certificate or 2) a selfsigned,
RSA/DSA firewall certificate that is defined on the Firewall Certificates
tab.

Selecting a new
proxy certificate
Importing and
exporting
certificates
Figure 184: Load
Certificate for PKCS 10
Request window
Chapter 14: Configuring Virtual Private Networks
Importing and exporting certificates
To assign a new certificate to a selected proxy, click Modify. See “Selecting a
new proxy certificate” on page 431 for details.
Note: You will receive a warning message if you click Modify and there is not at
least one self-signed RSA/DSA firewall certificate currently defined on the
Sidewinder G2. See “Configuring and displaying firewall certificates” on page 424
for information on defining this type of certificate.
The Proxy Certificate Selection window is used to assign a new certificate to
the selected proxy. To assign a certificate to a proxy, follow the steps below.
1 In the Certificate drop-down list, select the new certificate to assign to this
proxy (the proxy name is displayed in the Proxy Name field). Only selfsigned,
RSA/DSA firewall certificates that are defined on the Firewall
Certificate tab are displayed in this list.
2 Click OK to save the change and to exit the window, or click Cancel to exit
the window without saving the change.
3 Click the Save icon.
Once the certificates have been generated, they need to be exported and
transferred to a VPN client such as SafeNet SoftRemote or to another
Sidewinder G2. Similarly, you may want to import certificates into the
Sidewinder G2 originally created on another system. This section walks you
through importing and exporting certificates on the Sidewinder G2.
Loading manual remote or firewall certificates
If you chose to create a manual certificate, you must retrieve the certificate
after it is signed by the CA; the Sidewinder G2 will not retrieve it automatically.
For this process, the Load button appears when an unsigned requested
certificate name is highlighted. Clicking this button will initiate the process to
retrieve and import the certificate. After clicking Load, the following window
appears.
431

Chapter 14: Configuring Virtual Private Networks
Importing and exporting certificates
About the Load
Certificate for PKCS
10 Request window
432
The Load Certificate for PKCS 10 Request window is used to load signed
certificates. It also functions to query an LDAP server for wether or not a
requested certificated is signed. To load a signed certificate, follow the steps
below.
1 In the Certificate Source field, select the source location of the certificate.
The following options are available:
• File: Indicates you will manually specify the location of the certificate.
• LDAP: Indicates you will access the services of an LDAP (Lightweight
Directory Access Protocol) directory to locate the certificate. The LDAP
server can be version 2 or version 3.
• Pasted PEM Certificate: Indicates you will paste or type in the certificate
from another source, such as another open application window or
personal communication.
2 [Conditional] In the Certificate from File field, if the certificate source is a
file, type the location or Browse to the location.
3 [Conditional] In the Manual (pasted) PEM Certificate field, if the certificate
source is a Pasted PEM Certificate, type or paste the certificate in this field.
4 Click OK to issue a query command for your requested certificate, or click
Cancel cancel the certificate request.
If you click OK and the certificate is available, it will automatically be
imported and the status will change to SIGNED.
5 Click the Save icon.
Importing a firewall certificate
You can import a certificate to the list of firewall certificates defined on the
Sidewinder G2.
To import a firewall certificate, in the Admin Console, select Services
Configuration > Certificate Management, then select the Firewall Certificates
tab and click Import. The following window appears.
Note: The displayed fields will vary slightly, depending on the which import source
you select.

Figure 185: Import
Firewall Certificate
window
Configuring the
Import Firewall
Certificate window
Chapter 14: Configuring Virtual Private Networks
Importing and exporting certificates
The Import Firewall Certificate window is used to import a certificate to the
Firewall Certificates list. To import a certificate, follow the steps below.
1 In the Import Source field, select either File or Encrypted FIle (PKCS12).
Note: The available fields will vary based on the import source you select.
• If you select File, you must identify the file on the Import Certificate
From File field.
• If you select Encrypted FIle (PKCS12), specify the certificate and key
file.
2 In the Certificate Name field, type a local name for the certificate you are
importing.
3 In the Import Certificate From File or the Import Certificate/Key field, type
the name and location of the certificate file you will import. You may also
click Browse to browse the network directories for the location of the file(s)
you want to specify.
4 [Conditional] In the Private Key File field, type the name and location of the
private key file associated with this certificate, or click Browse to browse
the network directories for the location of the file(s) you want to specify. The
file can be in either PK1 or PK8 format. (This field is only available if the
Import Source field displays File.)
5 [Conditional] In the Password field, enter the password to decrypt the
imported file. This password must match the password given when the file
was encrypted. (This field is only available if the Import Source field
displays Encrypted File(PKCS12).)
433

Chapter 14: Configuring Virtual Private Networks
Importing and exporting certificates
434
Figure 186: Import
Remote Certificate
window
Configuring the
Import Remote
Certificate window
Importing a remote certificate
To import a certificate to the list of remote certificates defined on the
Sidewinder G2, using the Admin Console select Services Configuration >
Certificate Management, then select the Remote Certificates tab and click
Import. The following window appears.
The Import Remote Certificate window is used to import a certificate to the
Remote Certificates list. To import a remote certificate, follow the steps below.
1 In the Import source field, select the source location of the certificate.
• File: Indicates you will manually specify the location of the certificate
file.
• Encrypted File: Indicates you will manually specify the locations of the
certificate and private key file.
• LDAP: Indicates that you will access the services of an LDAP
(Lightweight Directory Access Protocol) directory to locate the
certificate. The LDAP server can be version 2 or version 3.
• Paste PEM Certificate: Indicates you will import the certificate by
performing a cut and paste. The Distinguished Name field will change to
become the Manual (pasted) PEM Certificate field. Paste the certificate
into this area.
2 In the Certificate Name field, type a local name for the certificate you are
importing.
3 [Conditional] In the Import Certificate From File field, type the name and
location of the certificate file you will import, or click Browse to browse the
network directories for the location. (This field is available only if the Import
source field displays File.)
4 [Conditional] In the Password field, enter the password to decrypt the
imported file. This password must match the password given when the file
was encrypted. (This field is only available if the Import Source field
displays Encrypted File.)

Chapter 14: Configuring Virtual Private Networks
Importing and exporting certificates
5 [Conditional] In the Distinguished Name field, create a distinguished name.
See “Understanding Distinguished Name syntax” on page 416 for
information on the format that should be used.
Note: The order of the specified distinguished name fields must match the
order listed in the certificate.
6 Click OK to import the remote certificate, or click Cancel to cancel the
request.
7 Click the Save icon.
Exporting remote or firewall certificates
You can export certificates from either the Remote Certificates tab or the
Firewall Certificates tab. The procedure you use is very simple and is the same
from either tab. The reasons you export a certificate from one tab rather than
the other, however, are quite different, as described below.
• Exporting a Remote Certificate—You are most likely to export a remote
certificate if users in your organization use a VPN client to establish a VPN
connection between their laptops or desktop PCs and the Sidewinder G2.
The VPN client requires the use of a certificate to identify itself during the
VPN connection negotiations. It is possible to use the Sidewinder G2 to
create a self-signed certificate for the VPN client. Once it is created it may
be converted to a new file format and then exported. From there it is
imported to the VPN client program.
• Exporting a Firewall Certificate—This is used to export the firewall
certificate to a remote peer. This allows the remote peer to recognize the
Sidewinder G2. On the remote peer the firewall certificate is imported as a
remote certificate.
To export a certificate, in the Admin Console, select Services Configuration >
Certificate Management, then select either the Remote Certificates tab or the
Firewall Certificates tab. Select the certificate you wish to export and click
Export. The following window appears.
Note: The tab you select depends upon your reason for exporting the certificate.
See the explanation in the previous paragraphs.
435

Chapter 14: Configuring Virtual Private Networks
Importing and exporting certificates
436
Figure 187: Export
Firewall Certificate
window
Configuring the
Export Certificate
window
The Export Certificate window allows you to export the selected certificate from
the Sidewinder G2 to a separate file and/or to the screen. The certificate can
be written to a file on the hard drive of a workstation, or it can be written to a
transportable medium such as a floppy diskette or an zip disk. You can export
only the certificate, or both the certificate and the private key.
Exporting only the certificate
To export a certificate only, follow the steps below.
1 Select the Export Certificate (Typical) radio button.
2 Select the export destination:
• Export Certificate To File—To export the certificate to a file, select this
option and proceed to step 3.
• Export Certificate To Screen—Select this option to export the certificate
to the screen.
3 [Conditional] If you are exporting the certificate to file, do the following:
• In the File field, type the name and location of the file to which the client
(or firewall) certificate will be written. If you want to overwrite an existing
file, but you are not certain of the path name or the file name, click
Browse.
• In the Format field, select the appropriate format for the file.
4 Click OK to export the certificate to the desired location.

Exporting both the certificate and private key
Chapter 14: Configuring Virtual Private Networks
Importing and exporting certificates
To export both a certificate and private key, follow the steps below.
1 Specify whether the certificate and private key will be exported as one file
or two files by selecting one of the following options:
• Export Certificate and Private Key as one file (PKCS12)—Select this
option to export both the certificate and private key as a single file, and
proceed to
• Export Certificate and Private Key as two files (PKCS1, PKCS8,
X.509)—Select this option to export the certificate and private key as
two separate files.
2 [Conditional] To export the certificate and private key as a single file, do the
following:
a In the File field, type the name and location of the file to which the client
(or firewall) certificate will be written. If you want to overwrite an existing
file but you are not certain of the path name or the file name, click
Browse. (The Format displays the file format.)
b In the Password field, enter the password that will be used to encrypt
the certificate file.
c In the Confirm Password field, re-enter the password that your entered
in the Password field.
d Click OK to export the certificate and private key as a single file.
3 [Conditional] To export the certificate and private key as two separate files,
do the following:
a In the Certificate File field, type the name and location of the file to
which the client or firewall certificate will be written. If you want to
overwrite an existing file but you are not certain of the path name or the
file name, click Browse. In the Format field, select the appropriate
format for the file.
b In the Private Key File field, type the name and location of the file to
which the key will be written. If you want to overwrite an existing file but
you are not certain of the path name or the file name, click Browse. In
the Format field, select the appropriate format for the file.
Important: If you use a transportable medium to store the private key file (for
example .pk1, .pk8, or pk12), the medium should be destroyed or reformatted
after the private key information has been imported to the appropriate VPN
client.
c Click OK to export the certificate and private key as separate files.
437

Chapter 14: Configuring Virtual Private Networks
Configuring VPN Security Associations
Configuring VPN
Security
Associations
438
Figure 188:
VPNs defined on
Sidewinder G2
To configure a new VPN, you must perform the following steps:
1 Choose whether the VPN is connecting to a single machine or a gateway
that provides access for multiple machines.
2 Determine whether the IP address the VPN is connecting to is always the
same (static) or whether it changes (dynamic). If it is static, you must
provide the IP address of the machine.
Important: The remote end can only be dynamic if automatic key management
is chosen.
3 Decide if you want to automatically manage the exchange and use of keys
(using IKE) or if you want to enter the session key manually at the remote
end.
• For automatic key exchange, you must decide on the type of
authentication (either password or certificate) to be used between the
Sidewinder G2 and the remote end.
• For manual key exchange, you must decide on the type of
authentication and encryption used between the Sidewinder G2 and the
remote end and exchange these keys and Security Parameters Index
(SPI) values with the remote end via a secure method (diskette,
encrypted e-mail or telephone). You are also required to provide the
authentication and encryption keys provided by the remote end.
Displaying and configuring a VPN Security Association
This section explains how to display and configure VPN associations. In the
Admin Console, select VPN Configuration > Security Associations. The
following window appears.

About the Security
Associations
window
Figure 189: Security
Associations: Active VPNs
window
About the Active
VPNs window
Chapter 14: Configuring Virtual Private Networks
Configuring VPN Security Associations
You use the Security Associations window to view the current list of VPN
associations currently defined on the Sidewinder G2 and check the status of
VPNs. You can also add, modify, or delete VPN associations.
To add or modify a VPN association, click Add or Modify and see “Defining a
VPN Security Association” on page 440 for details.
To delete a VPN association, select the VPN association you want to delete,
and click Delete.
To display which VPNs have active sessions, click Current VPN Status. The
Security Associations: Active VPNs window appears.
This window allows you to view the status of all configured VPNs. The various
statuses include:
• Idle—No active session.
• Active—One or more VPNs have active sessions established for this VPN.
Click Refresh to update the information. Click Close to return to the main
window.
439

Chapter 14: Configuring Virtual Private Networks
Configuring VPN Security Associations
440
Figure 190: General tab
on the VPN Properties
window
Defining a VPN Security Association
When you click New or Modify from the Security Associations window, the VPN
Properties window appears. This window is used to add or modify VPN
associations. The window contains four tabs that are used to enter distinct
information about a VPN association.
Configuring the General tab
The General tab is used to enter basic information about the VPN association.
To configure the General tab, follow the steps below.
1 In the Name field, type the name of this VPN.
2 In the Enabled field, select Yes to enable this VPN association, or select No
to disable it.
3 In the Encapsulation field, select one of the following:
• Tunnel—The more popular form of VPN encapsulation. Both the data
and the source and destination IP addresses are encrypted within the
encapsulated payload.
• Transport—The native form of VPN. Transport mode encrypts the data
but the source and destination IP addresses are not concealed.
See “Transport mode vs. tunnel mode” on page 397 for a more detailed
explanation of these terms.
4 In the Burb drop-down list, select the burb to which you want to assign this
VPN. The Sidewinder G2 terminates each VPN in a burb so that access
rules may be applied to the VPN.

Chapter 14: Configuring Virtual Private Networks
Configuring VPN Security Associations
5 In the Mode field, specify how the remote end is operating. The valid
options are:
• Fixed IP—Select this option if the IP address of the remote end is
always the same. You must also provide the IP address of the remote
end in the Remote IP field.
• Dynamic IP Client—Select this option if the remote end is a device
whose IP address is not fixed. Example: A salesperson that gains
Internet access from a laptop.
• Dynamic IP Restricted Client—Select this option if the remote end is a
device whose IP address is not fixed. Example: A salesperson that
gains Internet access from a laptop. The difference between this option
and Dynamic IP Client is that the remote end is assigned a virtual IP
address from a range specified by using either a Client Address Pool or
a range of acceptable external IP addresses. You restrict the range of IP
addresses available to the remote end by using either the Client
Address Pool field or the Dynamic Virtual Address Range field.
Important:You can only use Dynamic IP Client or Dynamic IP Restricted
Client if automatic key management is used.
6 [Conditional] Determine if you want remote clients to make connections
using only the IP addresses contained within one of the available client
address pools. If so, use the Client Address Pool drop-down list arrow to
select the client address pool you want to use. With this option, the
Sidewinder G2 selects an IP address from the available pool and assigns it
to the client. (This field is available only if you select Fixed IP or Dynamic IP
Restricted Client in the Mode field.)
Note: See “Configuring client address pools” on page 407 for information on
creating a client address pool.
7 In the Local IP field, indicate which IP address to use as the local gateway
by selecting one of the following:
• Use Localhost IP—Select this option to have the Sidewinder G2 assign
the IP address. The Sidewinder G2 uses its routing table to
automatically determine which interface or alias address is associated
with a route to reach the remote gateway.
• Specify IP—Select this option to configure a specific IP address. This IP
address should be one of the Sidewinder G2’s interface or alias
addresses, and that interface must have a route to reach the remote
gateway.
Note: If configuring a VPN for an HA cluster, be sure to use the localhost option
or specify an alias shared by the cluster.
8 To add or modify a local network address to the Local Network/IP list (a list
of network names or IP addresses the Sidewinder G2 can use in a VPN
association), click New or Modify, respectively. See “Adding or modifying an
IP address” for details.
441

Chapter 14: Configuring Virtual Private Networks
Configuring VPN Security Associations
Adding or modifying
an IP address
442
9 [Conditional] In the Remote IP field, type the IP address of the remote
client. This field is available only if you select Fixed IP in the Mode field.
10 [Conditional] If you selected Fixed IP in the Mode field, to add or modify an
entry to the Remote Network / IP list, click New or Modify, respectively. This
lists the IP addresses with which a VPN association can be made. The
addresses specified here typically represent a real network located behind
the client’s Sidewinder G2. See “Adding or modifying an IP address” for
details.
11 [Conditional] If you selected Dynamic IP Restricted Client in the Mode field,
to add or modify an entry to the Dynamic Virtual Address Range list, click
New or Modify, respectively. This list defines the range of addresses a client
can use when initiating a VPN connection. The addresses specified here do
not represent a real network but are virtual addresses. With this option the
client assigns their own IP address, although the address must be within
the approved address range.
12 [Optional] In the Comments field, type a short description for this VPN
association.
Note: You must input information from the Authentication tab before you can save
this Security Association entry. See “Configuring password information on the
Authentication tab” on page 443 for instructions.
The Local Network List window is used to define the range of IP addresses that
can be used in a VPN association. To add or modify an IP address, follow the
steps below.
1 In the IP Address field, type the IP address used in this VPN association.
2 In the Number of bits in Netmask field, use the up/down arrows to select
the number of bits that are significant in the network mask. The value
specified is used to identify the network portion of the IP address.
3 Click Add to add the IP address, and then click Close. To exit the window
without adding the IP address, click Close without clicking Add.
Entering information on the Authentication tab
To prevent access to the VPN from Internet hosts masquerading as the VPN
peer, various means of authenticating the peer are available. The
Authentication tab defines the authentication method that will be used in this
VPN association. It also defines the characteristics of the selected
authentication method. You can select four different methods:
• Password—Select this option if you and the remote end want to use a
password to verify the key exchange. The same password must be used on
both ends of this association. See “Configuring password information on
the Authentication tab” on page 443 for detailed information.

Configuring
password
information on the
Authentication tab
Chapter 14: Configuring Virtual Private Networks
Configuring VPN Security Associations
• Certificate + Certificate Authority—Select this option if you want to use one
or more trusted CAs and Remote Identities to validate the certificate of the
remote end. This method is commonly used by organizations that have
many remote users who must access resources behind the Sidewinder G2.
See “Entering Certificate + Certificate Authority information on the
Authentication tab” on page 445 for detailed information.
• Single certificate—Select this option if you want to validate the remote end
using a self-signed certificate generated by the Sidewinder G2, or using a
certificate generated by a CA server. This method is commonly used by
organizations that have a small number of people that travel but need
secure access to your network. See “Entering Single Certificate information
on the Authentication tab” on page 446 for detailed information.
• Manual—Select this option if you want to exchange session keys manually
(for example over the phone). See “Entering Manual information on the
Authentication tab” on page 447 for detailed information.
The first three methods are automatic methods, meaning the session keys are
managed automatically between the Sidewinder G2 and the remote end. The
ISAKMP server must be enabled on the Sidewinder G2 in order to
automatically generate and exchange session keys. See “Configuring the
ISAKMP server” on page 402 for information. The remote end of the VPN must
also support ISAKMP.
With the manual method, matching session keys must be entered manually at
the Sidewinder G2 remote end. Each of these authentication methods are
described in the following sections.
The password information tabs in the Authentication window are used to define
password authentication for this VPN association. The password is used to
authenticate both peers in a potential VPN association. To configure password
information, follow the steps below.
Note: Password-based authentication should only be used with fixed IPconfigured
VPN or with extended authentication.
On the General sub-tab
1 In the Enter Password field, type the password to be used each time
automatic key exchange takes place.
2 In the Verify Password field, confirm the password in the field provided.
3 [Conditional] Select the Require Extended Authentication check box if you
want to use Extended Authentication. This check box is available only if an
authentication method is configured for the ISAKMP server. See “Extended
Authentication for VPN” on page 399 for more information on extended
authentication.
443

Chapter 14: Configuring Virtual Private Networks
Configuring VPN Security Associations
444
On the Identities sub-tab
The Identities sub-tab is used to define unique identities for the following:
• Firewall Identity is included in the response to the remote client and
confirms to the client that it has established a VPN association with the
correct endpoint.
• Remote Identity is used to match a client identity with a particular security
association; the Sidewinder G2 can then use this information to determine
the password the client should be using. The remote identity is optional for
Fixed IP VPN associations because the Sidewinder G2 can use the IP
address to determine who the client is and thus what password the client
should be using.
1 In the Firewall Identity Type field, select the type of identity to use when
identifying the Sidewinder G2 to the remote client. Valid options are:
• E-mail address
• Fully Qualified Domain Name
• IP Address
Note: E-mail addresses are not recommended, as they are rarely used in the
context of a security gateway.
2 In the Value field, type the actual value used as the firewall identity. The
value must be of the type specified in the Firewall Identity Type field (for
example, if you selected IP Address in the Firewall Identity Type field, you
must type an IP address in the Value field.
3 Select the Gateway IP Address radio button if the Sidewinder G2 should
use the IP address of a Fixed IP client to determine what password the
client should be using.
4 Select the Remote Identities radio button if the Sidewinder G2 should use a
remote identity to determine the ID of the client. Valid identities for this
association should be moved from the Available list to the Trusted list.
5 [Optional] Click Remote Identities to go the Remote Identities window. This
is useful if you want to use an identity that has yet to be created. When you
add the identity and click Close, you will return to the Password
Authentication Identities tab.
6 Complete this tab by doing one of the following:
• If you intend to change the Crypto or Advanced tab settings, go directly
to the next tab without clicking Add or Close.
• If you do not intend to change the Crypto or Advanced tab settings, click
Add and then click Close. Click the Save icon.
• If you do not want to save this Security Association entry, click Close
without clicking Add.

Entering Certificate
+ Certificate
Authority
information on the
Authentication tab
Chapter 14: Configuring Virtual Private Networks
Configuring VPN Security Associations
The Certificate + Certificate Authority tabs in the Authentication window are
used to define certificate and certificate authority authentication for this VPN
association. This means each peer must be validated using certificates and
remote identities before entering into this VPN association. To configure the
certificate and certificate authority tabs, follow the steps below.
1 Select the Firewall Credentials sub-tab.
2 In the Firewall Certificate drop-down list, select the certificate that will be
used to identify the Sidewinder G2 to the remote peer. You can also click
the Firewall Certificates button to go to the Firewall Certificates window.
This is useful if you want to use a certificate that has yet to be created.
3 In the Firewall Identity Type field, select the type of identity to use when
identifying the Sidewinder G2 to the remote client. Only those identities
defined within the selected firewall certificate will be available in this field
Valid options are:
• E-Mail
• Fully Qualified Domain Name
• IP Address
• Distinguished Name
The Value field contains the actual value used as the Sidewinder G2 identity.
This value is filled-in automatically using the information from the
selected certificate. The field cannot be edited.
4 [Conditional] Select the Require Extended Authentication check box if you
want to use Extended Authentication. This check box is available only if an
authentication method is configured for the ISAKMP server. See “Extended
Authentication for VPN” on page 399 for more information on extended
authentication.
5 Select the Remote Credentials sub-tab.
6 In the list of Available Certificate Authorities, select a CA you want to add
as a trusted CA and click the ==>> button to add the CA to the Trusted List.
You can add several trusted CAs. To select a CA that has yet to be defined,
click the Cert Authorities button to go to the Certificate Authorities window.
In this window you can define the needed CA, and then return here.
7 In the list of Available Remote Identities, select a remote identity you want
to add to the Trusted identity list and click the ==>> button. You can add
several trusted remote identities. To select an identity that has yet to be
defined, click Remote Identities to go to the Remote Identities window. This
window allows you to define the needed identity, and then return here.
8 Complete this tab by doing one of the following:
• If you intend to change the Crypto or Advanced tab settings, go directly
to the next tab without clicking Add or Close.
• If you do not intend to change the Crypto or Advanced tab settings, click
Add and then click Close. Click the Save icon to save your changes.
• If you do not want to save this Security Association entry, click Close
without clicking Add.
445

Chapter 14: Configuring Virtual Private Networks
Configuring VPN Security Associations
Entering Single
Certificate
information on the
Authentication tab
446
The Single Certificate screen in the Authentication window is used to define
single certificate authentication for this VPN association. This means the
remote peer must use the selected remote certificate for authentication before
entering into this VPN association. To enter certificate authentication
information, follow the steps below.
1 In the Firewall Certificate drop-down list of available certificates, select the
certificate used to authenticate the key exchange. To create or import a
certificate, click the Firewall Certs button to go to the Firewall Certificates
window. See “Configuring and displaying firewall certificates” on page 424
and “Importing a firewall certificate” on page 432 earlier in this chapter for
details.
2 In the Remote Certificate drop-down list, select the certificate used on the
remote end of the VPN. To create or import a certificate, click the Remote
Certs button to go to the Remote Certificates window. See “Configuring and
displaying remote certificates” on page 427 and “Importing a remote
certificate” on page 434 for details.
3 In the Firewall Identity Type field select the type of identity to use when
identifying the Sidewinder G2 to the remote client. Only those identities
defined within the selected firewall certificate will be available in this field.
Valid options are:
• Distinguished Name
• E-mail address
• Fully Qualified Domain Name
• IP Address
The Value field contains the actual value used as the firewall identity. This
value is filled-in automatically using the information from the selected certificate.
The field cannot be edited.
4 [Conditional] Select the Require Extended Authentication check box if you
want to use Extended Authentication. This check box is available only if an
authentication method is configured for the ISAKMP server. See “Extended
Authentication for VPN” on page 399 for more information on extended
authentication.
5 Complete this tab by doing one of the following:
• If you intend to change the Crypto or Advanced tab settings, go directly
to the next tab without clicking Add or Close.
• If you do not intend to change the Crypto or Advanced tab settings, click
Add and then click Close. Click the Save icon to save your changes.
• If you do not want to save this Security Association entry, click Close
without clicking Add.

Entering Manual
information on the
Authentication tab
Chapter 14: Configuring Virtual Private Networks
Configuring VPN Security Associations
The Manual screen in the Authentication window is used to define manual
authentication for this VPN association. This means that only a remote peer
that has entered the exact same manual key value will have access through
this VPN association. To configure manual authentication, follow the steps
below.
1 In the IPSEC Transformations drop-down list, select the appropriate form of
IPsec transformation. The valid options are:
• Authentication Header (AH)—Provides authentication only.
• Encapsulating Security Payload (ESP)—Provides encryption only.
• Separate AH + ESP—Performs separate transformations for
authentication and encryption.
• Combined ESP + AH—Performs a single transformation that provides
authentication and encryption.
2 In the Authentication Hash drop-down list, select the type of authentication
you and the remote end have chosen to use. The valid options are:
• HMAC-SHA1-96
• HMAC-MD5-96
3 In the Encryption drop-down list, select the type of encryption you and the
remote end have chosen to use. The choices are:
Encryption type Key length
AES256 256-bit
AES128 128-bit
CAST128 128-bit
3DES 168-bit
DES 56-bit
Null 0
4 To define keys and SPI index values, click Generate Keys. You can type
your own unique key and SPI index, but it is not recommended.
Since manually generating random keys is difficult, the Sidewinder G2 provides
randomly generated authentication and encryption keys and Security
Parameters Index (SPI) value for you and the remote end to use. It is highly
recommended that you use the default keys provided. You must send these
keys and SPI values to the remote end for them to use.
Note: The individual key and SPI fields listed below may become available or
unavailable depending on the value selected in the IPsec Transformations field.
• AH Inbound Key and SPI
• AH Outbound Key and SPI
447

Chapter 14: Configuring Virtual Private Networks
Configuring VPN Security Associations
448
• ESP Inbound Key and SPI
• ESP Outbound Key and SPI
Important: Once you have chosen the keys, they must be kept a secret. You
should only exchange the keys by a secure method, such as floppy disk,
encrypted e-mail (such as PGP) or via the telephone. If attackers learn the key,
they can decrypt all of your VPN traffic.
5 To complete the manual key exchange, you must exchange these keys and
Security Parameters Index (SPI) values with the remote end via a secure
method (diskette, encrypted e-mail or telephone).
Note: The inbound and outbound keys/SPIs are entered in the opposite fields
on the remote end.
• In the Authentication section, type the key and SPI used by the remote
end.
• In the Encryption section, type the key and SPI used by the remote end.
Important: You must be sure to type the key correctly or the VPN will not work.
Entering information on the Crypto tab
The Crypto tab defines the cryptographic and hashing algorithms used to
authenticate the peer in this VPN association. The information on this tab is
only used with automatic key exchange (that is, Authentication Method =
Password, Certificate + Certificate Authority, or Single Certificate on the
Authentication tab). To configure the Crypto tab follow the steps below.
1 In the IPSEC Crypto Algorithms area, select an algorithm from the
Available list of available encryption algorithms, and click the ==>> button
to move it to the Accept list. You can have multiple algorithms in the Accept
list.
Use the Up and Down buttons to organize the algorithms according to your
preference. The first algorithm that appears in the Accept list will be used.
Note: The Null option contains an encryption header but does not specify an
encryption algorithm. It is generally only used during testing. Compare this to
the None option, which does not contain an encryption header.
2 In the IPSEC Hashing Algorithms area, select an algorithm from the
Available list of available hashing algorithms, and click the ==>> button to
move it to the Accept list. You can have multiple algorithms in the Accept
list.
Use the Up and Down buttons to organize the algorithms according to your
preference. The first algorithm that appears in the Accept list will be used.

Entering information
on the Advanced tab
Chapter 14: Configuring Virtual Private Networks
Configuring VPN Security Associations
The Advanced tab defines some of the more arcane points of a VPN
association. As a general rule only administrators that are highly-schooled in
the nuts and bolts of VPN should modify the information on this tab. The
information on this tab is only used with automatic key exchange (that is
Authentication Method = Password, Certificate + Certificate Authority, or Single
Certificate on the Authentication tab). The Advanced tab contains the following
fields and buttons.
Phase 1 (ISAKMP) Rekey data fields
• Hard Limits—Indicates how often the system must negotiate for new
ISAKMP keys and how much ISAKMP traffic this phase can protect. The
defaults are 3600 seconds (1 hour) and 0 (meaning no limit to the amount
of traffic).
• Soft Percentage—Indicates how far in advance of the hard limit to begin
negotiating for new keys. This makes sure you have some new keys on
hand by the time the hard limit expires.
• P1 Crypto—Specifies the crypto algorithm to use during Phase 1.
• P1 Hash: Specifies the hash algorithm to use during Phase 1.
• P1 Oakley—Indicates the Diffie-Hellman group to use for the PFS
derivation of ISAKMP keys.
• Force XAuth on Rekey—Select this option to force XAuth to be performed
each time the phase 1 session is started or renegotiated.
• Relax Strict Identity Matching—Select this option to relax the identity
matching restrictions. If you are experiencing issues associated with
identity processing with the remote VPN peer, selecting this option can
improve interoperability.
Phase 2 (IPSEC) Rekey data fields
• Hard Lifetimes—Indicates how often the system must negotiate for new
IPsec keys and how much traffic it can encrypt. The defaults are 700
seconds and 0 (meaning no traffic limit).
• Soft Percentage—Indicates how far in advance of the hard limit to begin
negotiating for new keys. This makes sure you have some new keys on
hand by the time the hard limit expires.
• Negotiate As Single Host—If this option is enabled it indicates that every
possible combination of source and destination must establish a separate
VPN association. Do not use this option unless directed to do so by Secure
Computing Corporation.
• Forced Rekey—Forces the association to rekey when the limits are
reached, even if no traffic has passed through the VPN since the last rekey.
Important: SCC strongly recommends enabling the Forced Rekey option if
you are using SafeNet SoftRemote and have XAUTH configured.
449

Chapter 14: Configuring Virtual Private Networks
Example VPN Scenarios
Example VPN
Scenarios
450
Caution: Do not enable the Forced Rekey option if you have One-To-Many
configured and are using static IP addresses for your VPNs. Doing so will cause all
Sidewinder G2s in the cluster to attempt to instantiate the VPN at the same time,
resulting in failure.
• PFS—(Perfect Forward Secrecy) If this option is enabled it ensures that the
key material associated with each IPsec security association cannot be
derived from the key material used to authenticate the remote peer during
the ISAKMP negotiation. If a key is compromised by a hacker, the
information available to that hacker is dependent on whether you select
Identity or Key Only.
– Identity: Indicates that a Phase 1 negotiation is performed for every
Phase 2. This means the identity will not be revealed even if the key is
compromised; only the data protected by that key will be accessible.
The downside is that system performance may be hurt because of the
many negotiations.
– Key Only: Phase 1 negotiations are not performed for every Phase 2.
This will increase performance but may allow access to the identity if the
key is compromised.
• Oakley Group: Indicates the Diffie-Hellman group to use for the PFS
derivation of IPsec keys. Available only if the PFS option is enabled.
The following sections describe three typical VPN scenarios. Each scenario
begins by describing a particular VPN requirement. It then explains how to
implement the solution using the Admin Console. These scenarios assume the
following:
• The CMD server is enabled on the Sidewinder G2. (This server is enabled
by default.)
• The ISAKMP server is enabled on the appropriate burb. See “Configuring
the ISAKMP server” on page 402 for information on enabling this server. In
the scenarios that follow, it is assumed the server is enabled on the Internet
burb.
• The proper rule(s) are defined to allow ISAKMP traffic on the proper
burb(s). In the scenarios that follow it is assumed a rule has been defined
that allows ISAKMP traffic on the Internet burb.
Note: The values used in the following scenarios are for demonstration purposes
only.

Figure 191: VPN
between two corporate
offices
Chapter 14: Configuring Virtual Private Networks
Example VPN Scenarios
Scenario 1: G2-to-G2 VPN via shared password
The easiest type of VPN association to configure is one that uses a shared
password for authentication. A shared password is typically used to establish a
VPN association between two corporate offices that have static IP addresses.
Such a situation occurs if you have a business partner that requires access to
your network, or if you have one or more corporate divisions located in different
cities.
The following figure provides the sample configuration information used in this
scenario.
The requirements
This VPN scenario requires the following:
• A VPN connection between two corporate offices
• Shared password authentication
• Static IP addresses for each peer in the VPN association
How it is done
Sidewinder G2
50.1.0.0/16 100.1.1.1
fw.west.example.com
The following steps show the fields on the VPN menus that must be defined in
order to create this VPN association. The configuration steps are performed on
the Sidewinder G2 named fw.east.example.com.
In the Admin Console, select VPN Configuration > Security Associations, and
then click New to configure a new association.
1 On the General tab:
• Name = corporate_west
• Encapsulation = Tunnel
• Mode = Fixed IP
• Enabled = Yes
• Burb = Trusted
• Local IP = localhost
200.1.1.1
Sidewinder G2
Internet
burb
Trusted
burb
fw.east.example.com
250.1.1.0/24
451

Chapter 14: Configuring Virtual Private Networks
Example VPN Scenarios
452
• Remote IP = 100.1.1.1
• Client Address Pool =
• Local Network / IP = 250.1.1.0/24
• Remote Network / IP = 50.1.0.0/16
Note: When configuring the Sidewinder G2 named fw.west.example.com, the
Local Network/IP and the Remote Network/IP values are reversed and the
Remote IP value is 200.1.1.1.
2 On the Authentication tab:
• Authentication method = password
• Enter password = samplepassword
• Verify password = samplepassword
3 On the Crypto tab: Order the algorithms to match that of the other
Sidewinder G2.
4 On the Advanced tab: No changes needed.
5 Click Add to save the new VPN security association.
6 Click the Save icon.
Summary
And that is it. The VPN can be used as soon as the other Sidewinder G2 is
configured. The same type of information is entered at the other Sidewinder
G2, changing the IP addresses as appropriate.
Scenario 2: Simple deployment of remote users
A common reason for using a VPN is to allow your travelling employees to
connect to your corporate network from a remote site. This connection is
typically made between an employee’s laptop computer and your corporate
Sidewinder G2. In this type of VPN association, single (also known as “selfsigned”)
certificates are generated by the Sidewinder G2 and distributed to
each client. This type of VPN can be used with dynamic IP-assigned clients
and gateways. One association must be created for each client, so this type of
VPN is typically used only if you have a small number of remote clients.
The following figure provides the sample configuration information used in this
scenario. Note that the remote end of this VPN connection (from the
Sidewinder G2 point of view) is a laptop that will be using a dynamic IP
address.

Figure 192: One VPN
association per client
VPN
Client A
VPN
Client B
The assumptions
This VPN scenario assumes the following:
Chapter 14: Configuring Virtual Private Networks
Example VPN Scenarios
• A VPN connection between a remote computer and the Sidewinder G2
• A self-signed firewall certificate that is generated by the Sidewinder G2
• One or more remote certificates that is generated by the Sidewinder G2
and distributed to the clients
• One VPN association per client
• Each VPN association is terminated in the Virtual burb
• VPN clients should have access to the 250.1.1.0 network but not the
192.168.182.0 network
• All clients make connections using a virtual IP address assigned from a
client address pool
• All clients use VPN client software that supports mode-config
Important: When determining your deployment method, consider what steps will
you take to ensure the protection of your private key material. Allowing
unauthorized access to your private key material could compromise your entire
network.
How it is done
Internet
Sidewinder G2
200.1.1.1 Internet
burb
Trusted
burb
250.1.1.0/24
Host
Virtual
burb
fw.east.example.com
Router
192.168.182.0
The following steps show the fields on the VPN menus that must be defined in
order to create this VPN association. The basic idea is to:
• Create a firewall certificate that identifies the Sidewinder G2. Export this
certificate to each client.
• Create a remote certificate that uniquely identifies each client. Export each
certificate to the respective client.
• Create a client address pool.
• Create a VPN association for each client.
Host
453

Chapter 14: Configuring Virtual Private Networks
Example VPN Scenarios
454
1 In the Admin Console, select Services Configuration > Certificate
Management, and then enter the following information on each tab:
a On the Firewall Certificates tab, click New and create a firewall
certificate by specify the following:
• Certificate Name = MyFirewall_cert
• Distinguished Name: CN=MyFirewall,O=bizco,C=US
• Submit to CA = Self Signed
• Signature Type = RSA
• Click Add.
• Click the Save icon.
b [Optional] On the Firewall Certificates tab, click Export and export the
firewall certificate by specify the following:
• Destination = File
• Export Private Key to File: Click Browse and specify where you want
to save the private key. The private key is often saved to an
accessible location (portable storage device or protected network)
for distribution to the client.
• Export Firewall Certificate to File: Click Browse and specify where
you want to save the firewall certificate. The firewall certificate is
often saved to an accessible location (portable storage device or
protected network) for distribution to the client.
• Click OK.
c On the Remote Certificates tab click New and create a self-signed
certificate for a client by specify the following:
• Certificate Name = Sales_A
• Distinguished Name: CN=Sales_A,O=bizco,C=US
• Submit to CA = Self Signed
• Signature Type = RSA
Important:If you are using SafeNet SoftRemote as your client software, you
must create this file using the PKS12 extension.
• Click Add.
• Click the Save icon.
d Repeat step 1c for each remote client.
e On the Remote Certificates tab, click Export and export the remote
certificate by specify the following:
• Destination = File
• Export Client Private Key to File: Click Browse and specify where
you want to save the private key.
• Export Client Certificate to File: Click Browse and specify where you
want to save the client certificate.
• Format: Select the appropriate format for the client private key and
client certificate in the corresponding Format drop-down lists.

Chapter 14: Configuring Virtual Private Networks
Example VPN Scenarios
• Click OK.
f Repeat step 1e for each remote client. When you are finished you
should have the firewall certificate as well as either the PKCS12formatted
object or the certificate/key file pair for that client saved to a
location accessible by the remote client (portable storage device or
network)
2 In the Admin Console, select VPN Configuration > Client Address Pools,
and then click New to create a new client address pool.
Using a client address pool lets you define which local networks the clients
can access. For this example, assume you want to permit access to the
250.1.1.0 network but not the 192.168.182 network.
Note: Your client software must support this capability. SafeNet SoftRemote
currently does not support this capability—it must be manually configured with
information about the locally protected subnet.
a Enter New Pool Name = SalesPool
b Virtual Subnet = 10.1.1.32/27
c Click New. In the Local Subnet field, enter 250.1.1.0/24 and then click
Add.
d Click Add to add the new pool.
Note: The Subnet and Number of Bits in Netmask fields work in concert to
determine the network portion of the addresses in the pool as well as the
total number of addresses in the pool. The values shown here provide 30
possible addresses: 10.1.1.33 - 10.1.1.62. Modify these two values as
appropriate for your situation. (For example, in this scenario you might
alternatively specify IP Address = 10.1.1.16 and Netmask = 28, creating 14
possible addresses: 10.1.1.17 - 10.1.1.30.)
e On the Servers tab: If the client software you are using supports this
mode-config capability, specify your internal DNS and WINS servers
here.
f Click Add.
3 In the Admin Console, select VPN Configuration > Security Associations,
and then click New to configure a new association.
a On the General tab:
• Name = Sales_A
• Encapsulation = Tunnel
• Mode = Dynamic IP Restricted Client
• Enabled = Yes
• Burb = Virtual
• Local IP = localhost
• Client Address Pool = SalesPool
455

Chapter 14: Configuring Virtual Private Networks
Example VPN Scenarios
456
b On the Authentication tab:
• Authentication method = Single Certificate
• Firewall Certificate = Select the certificate you created in step 1A
• Remote Certificate = Select the certificate you created in step 1C for
this client
c On the Crypto tab: Order the algorithms to match that of the client
d On the Advanced tab: No changes needed
e Click Add to save the new VPN association.
f Click the Save icon to save your changes.
4 Repeat step 3 for each client, changing the name in step 3A and the remote
certificate in step 3B as appropriate.
Summary
Each individual VPN connection can be used as soon as the remote clients are
configured. Each client will need the client-specific certificate and private key
information you saved in steps 1B and 1C in order to configure their end of the
VPN connection. If you saved this information to diskette you can either hand it
to them in person, mail it to them, or perform the imports while the machine is
within a trusted network. It is not safe to distribute certificate and private key
information via e-mail.
Note: The configuration described above restricts VPN traffic by terminating it in a
virtual burb. Proxies and rule entries must be configured to specify what access the
VPN clients have to the trusted network.
Scenario 3: Large scale deployment of clients
This scenario is similar to Scenario 2 except that instead of a small number of
remote clients it assumes you have hundreds or even thousands of remote
clients. Because it is unreasonable to create a unique VPN association for
each client, a Certificate Authority (CA) will be used. The CA, in conjunction
with the remote identities you define, allows you to create one VPN that is
accessible by all of the clients.
The following figure provides the sample configuration information used in this
scenario.

Figure 193: One VPN
association for all clients
VPN
Client A
VPN
Client B
VPN
Client ZZZ
The assumptions
This VPN scenario assumes the following:
Chapter 14: Configuring Virtual Private Networks
Example VPN Scenarios
• A VPN connection between a Sidewinder G2 and many clients
• A Certificate Authority-based VPN
• A single VPN association for all clients with a like security policy rather than
one association per client
• The VPN association is terminated in a virtual burb
• The clients can have dynamic or static IP addresses
• VPN clients should have access to the 250.1.1.0 network but not the
192.168.182.0 network
• All clients make connections using a virtual IP address assigned from a
client address pool
• All clients are using VPN client software that supports mode-config
Note: It is assumed in this scenario that the clients do not have access to the CA
and must rely on the Sidewinder G2 to create and distribute the necessary
certificates and private keys.
How it is done
Internet
Sidewinder G2
200.1.1.1 Internet
burb
Trusted
burb
250.1.1.0/24
Host
Virtual
burb
fw.east.example.com
Router
192.168.182.0
The following steps show the fields on the VPN menus that must be defined in
order to create this VPN association. The basic idea is to:
• Define the CA used with this VPN
• Create a firewall certificate that is signed by the CA
• Create one or more identities that define who is authorized to use this VPN
• Create a client address pool
• Create the VPN security association
• Create the client certificates for each client
Host
457

Chapter 14: Configuring Virtual Private Networks
Example VPN Scenarios
458
• Provide certificate information and/or files to clients as necessary
Tip: Some VPN client software, such as SafeNet SoftRemote, allow users to selfenroll
online to obtain their personal certificates, which can greatly reduce
administrative effort. See the VPN Admin Guide for more details.
1 In the Admin Console, select Services Configuration > Certificate
Management, and then enter the following information on each tab.
a On the Certificate Authorities tab, click New and create a CA by
specifying the following:
• CA Name = BizcoCA
• Type = SCEP (or whatever value is appropriate)
• URL = http://10.18.128.8
• Click Add.
• Click the Save icon to save your changes.
• Click Get CA Cert (Retrieves the CA Cert from the URL address.)
• Click Get CRL (Retrieves the Certificate Revocation List for this CA.)
b On the Firewall Certificates tab, click New and create a firewall
certificate by specifying the following:
• Certificate Name = BizcoFW_by_CA
• Distinguished Name: CN=BizcoFW_by_CA,O=Bizco,C=US
• Submit to CA = BizcoCA
• Signature Type = RSA
• Click Add.
• Click the Save icon to save your changes.
At this point the Status field for this certificate will be PENDING. This is
because the request has been sent to the CA but the certificate has yet
to be created. The status will remain PENDING until the CA administrator
approves your request.
• Click Query. This queries the CA to see if the certificate is approved.
If yes, the Status field will change to SIGNED and the certificate is
imported.
Note: The Sidewinder G2 automatically queries the CA every 15 minutes to
see if the request has been accepted. If the request has been accepted, the
Sidewinder G2 will retrieve the resulting certificate.
c On the Remote Identities tab, click New and create one or more
identities that define who is authorized to use this VPN.
• Identity Name = Sales_force
• Distinguished Name: CN=*,OU=sales,O=bizco,C=us
• Click Add.
• Click Close.
• Click the Save icon to save your changes.

Chapter 14: Configuring Virtual Private Networks
Example VPN Scenarios
2 In the Admin Console, VPN Configuration > Client Address Pools, and
then click New to create a new client address pool.
Using a client address pool lets you define which local networks the clients
can access. For this example, assume you want to permit access to the
250.1.1.0 network but not the 192.168.182 network.
Note: Your client software must support this capability. SafeNet SoftRemote
currently does not support this capability—it must be manually configured with
information about the locally protected subnet.
a Enter New Pool Name = SalesPool
b Virtual Subnet = 10.1.1.0/24
c Click New. In the Local Subnet field, enter 250.1.1.0/24 and then click
Add.
d Click Add to add the new pool.
Note: The IP Address and Number of Bits in Netmask fields work in concert to
determine the network portion of the addresses in the pool as well as the total
number of addresses in the pool. The values shown here provide 254 possible
addresses: 10.1.1.0–10.1.1.255. Modify these two values as appropriate for
your situation.
e On the Servers tab:
If the client software you are using supports this mode-config capability,
specify your internal DNS and WINS servers here.
f Click Add.
g Click the Save icon to save your changes.
3 In the Admin Console, VPN Configuration > Security Associations, and
then click New to configure a new association.
a On the General tab:
• Name = Large_scale_sales
• Encapsulation = Tunnel
• Mode = Dynamic IP Restricted Client
• Enabled = Yes
• Burb = Virtual
• Local IP = localhost
• Client Address Pool = VPNPool
b On the Authentication tab:
• Authentication method = Certificate + Certificate Authority
• Firewall Certificate = BizcoFW_by_CA (created in step 1B)
• Certificate Authorities = BizcoCA (created in step 1A)
• Remote Identities = Sales_force (created in step 1C)
c On the Crypto tab: Order the algorithms to match that of the client.
459

Chapter 14: Configuring Virtual Private Networks
Example VPN Scenarios
460
d On the Advanced tab: No changes needed
e Click Add to save the new VPN association.
f Click the Save icon to save your changes.
4 In the Admin Console, Services Configuration > Certificate Management.
On the Remote Certificates tab click New and create a certificate for a
client by specifying the following:
Note: You can skip this step and step 5 for those clients that have online access
to the CA. These clients can create and retrieve their own certificates.
• Certificate Name = Sales_A
• Distinguished Name: CN=Sales_A,OU=sales,O=bizco,C=US
• Submit to CA = BizcoCA
• Signature Type = RSA
• Private Key: Click Browse and specify where you want to save the
private key associated with this certificate. In this scenario it is
common to save the certificate to the same location as the exported
firewall certificate.
• Certificate: Click Browse and specify where you want to save this
certificate. In this scenario it is common to save the certificate to the
same location as the private key and the exported firewall certificate.
• Click Add.
• Click the Save icon to save your changes.
5 In the Admin Console, Services Configuration > Certificate Management.
Export the CA certificate and the firewall certificate to the same location
used in step 4.
a On the Certificate Authorities tab, select the CA certificate you created
in step 1A, then click Export and export the certificate by specifying the
following:
• Destination = File
• Generated CA Certificate File: Click Browse and specify where you
want to save the CA certificate. Add the .pem extension to the file
name.
• Click OK.
b [Optional] On the Firewall Certificates tab, select the firewall certificate
you created in step 1B, then click Export and export the certificate by
specifying the following:
• Destination = File
• Export Firewall Certificate to File: Click Browse and specify where
you want to save the firewall certificate. Add the .pem extension to
the file name.
• Click OK.
6 Repeat steps 4 and 5 for each remote client.

Chapter 14: Configuring Virtual Private Networks
Example VPN Scenarios
When you are finished your storage location should have four items for
each remote client: the CA certificate, the firewall certificate, the unique private
key for the client, and the remote certificate for the client.
Summary
Sidewinder G2 is ready to accept connections across this VPN as soon as the
remote clients are configured. In order to configure their end of the VPN
connection, each client will need the client-specific certificate and private key
information you saved in step 4 as well as the firewall and CA certificates
created in step 5. If you saved this information to diskette you can either
distribute the information in person or mail it to them, or perform the imports
while the machine is within a trusted network. It is not safe to distribute
certificate and private key information via e-mail.
Note: The configuration described above restricts VPN traffic by terminating the
VPN association in a virtual burb. Proxies and rules must be configured to specify
what access the VPN clients have to the trusted network.
461

Chapter 14: Configuring Virtual Private Networks
Example VPN Scenarios
462

15
CHAPTER
Configuring the SNMP
Agent
In this chapter...
SNMP and Sidewinder G2 ...........................................................464
Setting up the SNMP agent on Sidewinder G2 ............................467
About the management station ....................................................470
Communication with systems in an external network...................471
463

Chapter 15: Configuring the SNMP Agent
SNMP and Sidewinder G2
SNMP and
Sidewinder G2
464
Figure 194: Managing
distributed systems using
SNMP
This section introduces SNMP concepts and explains how to configure the
Sidewinder G2 SNMP agent. It also explains what needs to be done to allow
Sidewinder G2 to send or route messages to remote systems in an external
network.
Sidewinder G2 supports SNMPv1 and SNMPv2c. SNMP is the industry
standard for network management. You can set up SNMP agent software that
allows the Sidewinder G2 to be monitored by SNMP compliant network
management stations located on an internal or external network. You can also
configure the Sidewinder G2 to route SNMP messages between a
management station inside the Sidewinder G2 and an SNMP agent on a
system in an external network.
Note: The SNMP agent cannot run in the Firewall burb. Although only one SNMP
agent is allowed to operate on the Sidewinder G2, access through other burbs is
supported using the UDP proxy. In addition, SNMP will only accept requests
addressed to the first interface in a burb.
SNMP basics
A network that is managed using SNMP involves two primary components: a
manager (management station) and a number of managed nodes. The
management station is typically a PC or UNIX workstation running network
management software such as Hewlett-Packard’s OpenView ® Windows or
Novell ManageWise. Managed nodes are networking devices such as routers
or Sidewinder G2s that contain an SNMP agent. Figure 194 shows a
management station communicating with SNMP nodes to obtain network
configuration information.
SNMP
Managemen
t Station
Sidewinder G2
(managed node)
R
router
(managed node)
server
(managed node)

Figure 195: Community
name within an SNMP
message
Chapter 15: Configuring the SNMP Agent
SNMP and Sidewinder G2
The management station displays a graphical representation of a network’s
topology through a Windows-based environment. In general, network
managers can monitor each SNMP node (including the Sidewinder G2) by
clicking an icon representing each node in the network’s topology.
A management station in the internal or external network can request
information from a managed node’s SNMP agent. The SNMP management
station sends a managed node Get and GetNext SNMP messages to retrieve
node-specific parameters and variables, called objects. The message
response from the managed system provides the SNMP administrator with
information on a node’s device names, status, network connections, etc.
Important: SNMPv1 agents typically allow Get, GetNext, and Set requests from the
management station. However, the Sidewinder G2 SNMPv1 agent does not
support Set requests. This prevents a management system from sending
commands to change variables or parameters in the Sidewinder G2.
Each managed node can send an unsolicited event notification message,
called a trap, to a management station when it detects certain system events.
For example, you can configure the SNMP agent in the Sidewinder G2 to issue
a trap whenever an unauthorized user tries to read, write, or execute a
protected file on the Sidewinder G2. (Refer to “Sidewinder G2 SNMP traps” on
page 579 for a list of all traps supported by Sidewinder G2.)
When setting up SNMP management, a network administrator assigns the
management station and the nodes it will manage a community name. As
shown in Figure 195, the community name is in the authentication header in
each SNMP message exchanged between a management station and a
managed node.
VERSION
COMMUNITY
NAME
SNMP COMMAND: GET, GETNEXTREQUEST, ETC.
The SNMP agent treats the community name like a password to validate the
identity of a management station. For example, suppose a management
station sends a get request to retrieve information from a managed node’s
SNMP agent. If the community name within the get request is not also used by
the SNMP agent, the agent will not return information to the management
station.
Caution: To increase security on your network, do not use common default names
such as “public” or “private,” which can be easily guessed.
Both the management station and the managed node also contain
Management Information Bases (MIBs) that store information about the
managed objects. Currently, the SNMP agent on Sidewinder G2 supports
465

Chapter 15: Configuring the SNMP Agent
SNMP and Sidewinder G2
466
standard MIB II objects, the Host Resources MIB (RFC1514), and the
Sidewinder G2-specific MIB objects. MIBs are discussed in greater detail in
“Sidewinder G2 SNMP MIBs” on page 466.
Note: The MIBs used for compiling the SNMP agent for the Sidewinder G2 are
located in /etc/sidewinder/snmp.
If you need more information on SNMP, an excellent source is Managing
Internetworks with SNMP by Mark A. Miller, P.E. (M&T Books).
Sidewinder G2 SNMP traps
An SNMP trap is an alert message that is sent as an unsolicited transmission
of information from a managed node (router, Sidewinder G2, etc.) to a
management station. Most management stations can be configured to either:
(1) display received traps in a pop-up window, or (2) automatically dial a phone
number; such as a pager number.
The Sidewinder G2 SNMP agent supports a basic trap, called the ColdStart
trap, that is sent whenever Sidewinder G2’s SNMP agent is enabled. It is also
sent if the Admin Console modifies the SNMP configuration file
(/etc/sidewinder/snmp/snmpd.conf). You cannot disable the ColdStart trap.
You also have the option to configure Sidewinder G2 to send audit alert SNMP
traps when an audit event triggers a response in Sidewinder G2. Additional
information about requesting and configuring SNMP traps is available in
“Sidewinder G2 SNMP traps” on page 579.
Sidewinder G2 SNMP MIBs
Management Information Bases (MIBs) are associated with both the
management station and the SNMP agent in the Sidewinder G2. The
Sidewinder G2 SNMP agent supports two MIB structures (as well as a Host
MIB).
• mib2—This is a standard SNMP MIB as defined in RFC-1213.
• sccMibSw—This is a Sidewinder G2-specific MIB provided by Secure
Computing Corporation. Figure 196 shows the location of the Sidewinder
G2 MIB structures within the SNMP root hierarchy.
Note: MIBs that are used to compile the SNMP agent for the Sidewinder G2 are
located in /etc/sidewinder/snmp.
All individual objects (parameters and variables) managed by an SNMP
management station are part of an object group within an MIB. For example,
the swProxy group stores information about currently-defined proxies on the
system. The information might include the proxy name and the current status
of the proxy.

Figure 196: MIBs
supported by the
Sidewinder G2 SNMP
agent
Setting up the
SNMP agent on
Sidewinder G2
Chapter 15: Configuring the SNMP Agent
Setting up the SNMP agent on Sidewinder G2
When a management station requests information from the Sidewinder G2
SNMP agent, the SNMP agent may or may not associate the returned
information with a specific burb.
system
interfaces
mgmt
mib2
iso
org
dod
internet
ip tcp
icmp udp
snmp
private
enterprises
scc
sccMibs
sccMibSw
swProxy swBurb
Note: A burb is a type enforced network area used to isolate network interfaces
from each other. A burb is identified by a unique name (internal, external, etc.) as
assigned during the Sidewinder G2 installation process.
This section explains how to use the Admin Console to configure the SNMP
agent on the Sidewinder G2.
The SNMP agent may be enabled in any single burb that is not the Firewall
burb. It cannot be enabled on multiple burbs. To allow SNMP management
stations that reside in other burbs for the SNMP agent, you must create an
allow rule for SNMP and enable the SNMP proxy in the appropriate burb(s).
The source burb for this rule should consist of a network object group that
contains only SNMP management station IP addresses. The destination burb
should specify the destination IP address for the burb in which SNMP is
running. For information on configuring network objects, see “Displaying
network objects and netgroups” on page 139. For information on configuring an
SNMP Application Defense, see “Creating SNMP Application Defenses” on
page 198.
Note: If you are configuring SNMP on a Sidewinder G2 that is part of an HA
cluster, all Sidewinder G2 queries must use the HA cluster address.
467

Chapter 15: Configuring the SNMP Agent
Setting up the SNMP agent on Sidewinder G2
468
Figure 197: SNMP
Configuration window
Entering information
on the SNMP Server
Configuration tab
To set up the SNMP agent, in the Admin Console select Services
Configuration > Servers. Select snmpd in the list of server names, and then
click the Configuration tab. The following window appears.
This window is used to enter configuration information for the SNMP agent.
Follow the steps below.
1 [Optional] In the Location field, type a description of the physical location of
your Sidewinder G2.
2 [Optional] In the Contact field, type your Sidewinder G2 administrator user
name.
3 In the Enable Authentication Failure Trap field, select Yes to enable
authentication failure traps, or No to disable authentication failure traps. If
you click Yes, the Sidewinder G2 will send authentication failure traps to all
configured management stations whenever the Sidewinder G2 detects an
unauthenticated Get command.
4 In the Allowed Get Communities you can view all of the community names
authorized to retrieve MIB information. The community name is part of the
authentication header in all SNMP messages. The Sidewinder G2 SNMP
agent checks the community name in all SNMP messages it receives to
verify the identity of a manager.
To add, modify, or delete communities, use the New, Modify, and Delete
buttons located directly beneath the list. See “Defining a community name”
on page 469 for information on adding or modifying a community name.
Note: The SNMP daemon will not start unless a community name is specified.
By default, if you do not specify an Allowed Get Community name, the only
Allowed Get Community is “public.”

Defining a
community name
Defining a trap
destination
Chapter 15: Configuring the SNMP Agent
Setting up the SNMP agent on Sidewinder G2
5 In the Trap Destinations field, you can view all of the hosts that will receive
traps generated by the Sidewinder G2 SNMP agent. To add, modify, or
delete trap destinations, use the New, Modify, and Delete buttons located
directly beneath the list. See “Defining a trap destination” on page 469 for
information on adding a new trap destination name or IP address.
Note: By default, if you do not specify a trap destination community name, the
Sidewinder G2 uses the community name “public.”
6 Click the Save icon in the toolbar to apply the changes. If the SNMP agent
is enabled, a ColdStart trap is issued to all configured trap destinations
whenever you save configuration changes.
The Allowed Get Community window enables you to add or modify names in
the list of authorized community names. As an SNMP agent, the Sidewinder
G2 will only respond to requests from management stations that belong to a
community in this list. Follow the steps below.
1 In the Community Name field, type the name you want added to the list of
allowed communities.
2 Click Add to add the community to the list (or OK if you are modifying a
community) and return to the Configuration tab.
The Trap Destination window enables you to define a new host or to modify an
existing host in the Trap Destination list. The hosts in this list will receive traps
issued by the Sidewinder G2. Follow the steps below.
1 In the Host Name or Address field, type the name or IP address of the host
you want added to the Trap Destinations list.
2 [Optional] In the Community name field, type the community name
associated with this host.
3 Click Add to add the trap destination to the list (or OK if you are modifying a
trap destination) and return to the Configuration tab.
Enabling/disabling the SNMP server
Perform the following steps to enable or disable the SNMP server.
1 Define an allow all rule for the SNMP agent. SNMP queries will not be
allowed through the Sidewinder G2 until this rule is part of the active rule
group. For information on creating rules, see “Creating proxy rules” on page
222.
2 In the Admin Console select Services Configuration > Servers.
469

Chapter 15: Configuring the SNMP Agent
About the management station
About the
management
station
470
3 Select snmpd from the list of server names, and then click the Control tab.
Select the burb for which the SNMP agent will be enabled or disabled.
The SNMP agent can only be enabled for one burb, and it cannot be
enabled for the Firewall burb. Enabling the SNMP server will cause the
Sidewinder G2 to send a ColdStart trap to the management station(s).
4 Click the Save icon.
The administrator of the SNMP management station should be made aware of
the following in order to retrieve information from the Sidewinder G2 SNMP
agent:
• Sidewinder G2 host name or IP address
This is needed to set up communication with the Sidewinder G2. Note the
following:
– If the burb in which the SNMP agent is running contains more than one
interface, specify the address of the first interface in the burb. The
SNMP agent will only respond to the first interface in the burb.
– If you are using High Availability (HA), specify the shared HA common
IP address or host name, not the actual interface address or host name.
• Community names configured in the Sidewinder G2 SNMP agent
This is needed to allow the management station to retrieve MIB objects
from the SNMP agent.
• MIB information
This may be needed to properly translate the object identifications. Be sure
to inform the administrator that the Sidewinder G2 supports the Host
Resources MIB.
Important: On the Sidewinder G2, all Secure Computing Corporation MIB files are
located in the /etc/sidewinder/snmp directory. If for some reason these files cannot
be accessed from the Sidewinder G2, they can be downloaded via an FTP client or
Web browser. The MIB files are scc-mib and scc-sw-mib.
To retrieve the files using anonymous FTP, use an FTP client and log into
ftp.securecomputing.com. The directory where the files are located is /pub/mibs.
To retrieve the files using a Web browser, point the browser to
ftp://ftp.securecomputing.com/pub/mibs/.

Communication
with systems in
an external
network
Figure 198: Sidewinder
G2 serving as an SNMP
agent for internal or
external management
station
Chapter 15: Configuring the SNMP Agent
Communication with systems in an external network
You can route (or forward) SNMP messages between a management station
behind the Sidewinder G2 and any SNMP managed node on the other side of
the Sidewinder G2. You can also allow an external management station to
access the Sidewinder G2 SNMP agent. Both of these scenarios require the
use of a UDP proxy.
Important: A UDP proxy is not needed to allow the Sidewinder G2 SNMP agent to
communicate with a management station in an internal network (behind the
Sidewinder G2).
Figure 198 summarizes which SNMP configurations require you to configure a
UDP proxy.
internal
SNMP
mgmt.
station
(OpenView)
no
proxy
needed
internal
network
SNMP
agent
UDP
proxy
external
network
UDP
proxy
SNMP
agent
Internet
The Sidewinder G2 UDP proxy sends SNMP requests and messages via UDP
port 161. The Sidewinder G2 UDP proxy sends SNMP traps to an external
management station via UDP port 162.
The SNMP agent cannot run in the Firewall burb. Although only one SNMP
agent is allowed to operate on the Sidewinder G2, access through other burbs
is supported using the UDP proxy.
Note: Refer to “Setting up a new proxy” on page 270 for information on configuring
a UDP proxy.
R
external
SNMP
mgmt.
station
471

Chapter 15: Configuring the SNMP Agent
Communication with systems in an external network
472

16
CHAPTER
One-To-Many Clusters
In this chapter...
Overview ......................................................................................474
Example scenario using a One-To-Many cluster..........................476
Configuring One-To-Many ............................................................477
Understanding the One-To-Many tree structure ...........................484
473

Chapter 16: One-To-Many Clusters
Overview
Overview If your organization uses two or more Sidewinder G2s, the One-To-Many
feature allows you to easily manage your Sidewinder G2s at one time.
Changes you make in the Admin Console to your primary Sidewinder G2 are
automatically replicated to each secondary Sidewinder G2. The changes are
made to each secondary Sidewinder G2 immediately, in real time.
474
Figure 199: A typical
One-To-Many and Cloning
implementation
You are most likely to use One-To-Many if you are managing several
Sidewinder G2s that are located in the same network, which is the case if you
are using load balancing hardware. This scenario is depicted in Figure 199.
Note: When implementing One-To-Many, the preferred setup is to configure each
Sidewinder G2 with a dedicated cluster burb, allowing all communication between
cluster Sidewinder G2s to be contained within its own burb.
Sidewinder G2
administrator
Load
balancing
hardware
Your local
network
Primary
Secondary
Secondary
Load
balancing
hardware Internet
The One-To-Many feature is implemented in a “clustering” scheme. Clustering
is used when you introduce a load balancing tool (as shown in Figure 199) into
your network. All of the Sidewinder G2s reside in the same network and are
basically either backups of one another or are being used to share the network
load. In this scenario, each Sidewinder G2 will have the same basic
configuration (excluding host names and IP addresses).
Tip: If you require centralized management to handle many Sidewinder G2s
across multiple networks, you may want to consider implementing the Sidewinder
G2 Enterprise Manager INSTEAD of using One-To-Many. For information on the
Sidewinder G2 Enterprise Manager, go to Secure Computing’s Web site at
www.securecomputing.com.

Considerations when using One-To-Many
Chapter 16: One-To-Many Clusters
Overview
Please note the following considerations when using One-To-Many.
• All Sidewinder G2s must be at the same version level.
• You can define only one primary Sidewinder G2 for each cluster.
• A Sidewinder G2 that is part of an HA cluster cannot participate in a One-
To-Many cluster.
• You cannot use a G2 Enterprise Manager to manage a Sidewinder G2 that
belongs to a One-To-Many cluster.
• DNS services must be configured identically on all Sidewinder G2s that are
part of the cluster.
• You should not connect directly to a Sidewinder G2 that is designated as a
secondary Sidewinder G2, unless you are configuring DNS.
• See “Understanding the One-To-Many tree structure” on page 484 for
details on configuring non-synchronized areas for secondary Sidewinder
G2s.
• If you have VPNs configured, you must ensure that your load balancers are
configured to send all traffic for a given VPN security association to a single
Sidewinder G2 within the cluster.
• The burb names must be identical for each Sidewinder G2.
• The corresponding burbs and NICs on each Sidewinder G2 must all be on
the same networks. For example:
Burb Primary A Secondary B Secondary C
Internet 10.1.182.15 10.1.182.25 10.1.182.35
Web 192.168.183.15 192.168.183.25 192.168.183.35
Cluster 192.168.184.15 192.168.184.25 192.168.184.35
Using IP aliases, redirected addresses, and multiple address
translation in proxy rules
If you use IP aliases, redirected addresses, or multiple address translation
(MAT) in any of the rules created on either the primary Sidewinder G2 or on a
secondary Sidewinder G2, this may cause problems in a One-To-Many cluster.
This is because IP aliases, redirected addresses, and MAT define addresses
that are specific to a Sidewinder G2. A Sidewinder G2 that requires a unique IP
address in a rule is not a good candidate for inclusion in a One-To-Many
relationship.
However, if a Sidewinder G2 uses IP aliases or redirected addresses, you can
still include it in a One-To-Many cluster by doing the following:
475

Chapter 16: One-To-Many Clusters
Example scenario using a One-To-Many cluster
Example
scenario using a
One-To-Many
cluster
476
Figure 200: Sample
network configuration for
One-To-Many
Note: This procedure will not work with MAT.
1 Define a group that contains all the alias IP addresses and redirected
addresses used by your Sidewinder G2s.
2 Use the group name in the rule rather than the specific IP address.
The group name will replace the unique IP alias or a redirected address in
the rule.
In the following example, there are three Sidewinder G2s protecting a local
network. Network traffic is load balanced across the Sidewinder G2s using a
load balancing tool such as Radware FireProof or F5 Networks BIG-IP ®
Controller, similar to the configuration depicted in Figure 199.
Because each Sidewinder G2 will be configured almost identically, the One-To-
Many feature simplifies the management process. Any configuration changes
you make from the primary Sidewinder G2 will automatically be implemented
on each of the secondary Sidewinder G2s, ensuring that all of your Sidewinder
G2s remain synchronized.
Example scenario requirements
This scenario requires the following:
• Two or more Sidewinder G2s running at the same version.
• A load balancing tool such as a Radware FireProof or F5 Networks BIG-IP ®
Controller.
• The IP addresses used to access each Sidewinder G2 must all reside in a
burb of the same name. For example, in the sample network configuration
shown in Figure 200, if you are accessing the Sidewinder G2s from the
internal network, all IP addresses used to access the Sidewinder G2 must
reside in the burb named internal.
External Network = 192.168.182.x
Burb Name:
external
Burb Name:
cluster
Burb Name:
internal
A
192.168.182.1
10.1.183.1
Internal Network = 10.1.183.x
Burb Name:
external
Burb Name:
cluster
Burb Name:
internal
B
192.168.182.2
10.1.183.2
Burb Name:
external
Burb Name:
cluster
Burb Name:
internal
C
192.168.182.3
10.1.0.1 10.1.0.1
10.1.0.2 10.1.0.3
10.1.183.3

Configuring One-
To-Many
Chapter 16: One-To-Many Clusters
Configuring One-To-Many
The following steps explain how to initiate a One-To-Many relationship
between multiple Sidewinder G2s. Note the following before configuring your
Sidewinder G2s:
• A Sidewinder G2 cannot participate in a One-To-Many relationship if it is
part of an HA cluster.
• If a participating Sidewinder G2 has rules that use an IP alias or a redirect
address, see “Using IP aliases, redirected addresses, and multiple address
translation in proxy rules” on page 475.
Configuring a dedicated cluster burb for each Sidewinder
G2
Secure Computing recommends configuring a dedicated cluster burb when
setting up One-To-Many. This should be done prior to configuring your
Sidewinder G2s for One-To-Many. To add and configure the cluster burb,
follow the steps below.
1 Ensure that the Sidewinder G2 has an interface that can be dedicated to
internal One-To-Many communication.
2 In the Admin Console, connect to the Sidewinder G2 and select Firewall
Management > Burb Configuration and create a cluster burb. See
“Modifying the burb configuration” on page 82 for more information.
Important: The burb name for the cluster burb must be the same for each
Sidewinder G2 this will be participating in the One-To-Many cluster.
3 Click the Save icon on the toolbar.
4 Go to Firewall Administration > Interface Configuration to assign an
address and the cluster burb to the appropriate interface. (Be sure to select
Enable Interface.)See “Modifying the interface configuration” on page 83 for
more information.
5 Click the Save icon on the toolbar. (You do not need to reboot at this time.)
6 Repeat these steps for each Sidewinder G2 that will be participating in the
One-To-Many cluster.
477

Chapter 16: One-To-Many Clusters
Configuring One-To-Many
478
Configuring the primary in a new One-To-Many cluster
This section provides instruction on configuring your primary for One-To-Many.
Follow the steps below.
Important: It is recommended that you perform a system backup before
configuring One-To-Many. See “Backing up system files” on page 638 for details.
Note: The entrelayd server will automatically become enabled in the cluster burb
when you configure One-To-Many.
1 Start the Admin Console, and log into the Sidewinder G2 that will become
the primary.
2 In the tool bar, select the icon to launch the State Change Wizard. (You
3
can also access the State Change Wizard by clicking the Sidewinder G2
icon in the Admin Console tree and then clicking the Change link.) The
Welcome window appears.
Click Next.
4 Select Not Enterprise Managed and click Next.
5 Select One-To-Many Cluster and click Next.
6 Select Create New Cluster and click Next.
7 In the One-To-Many Communication Configuration window, do the
following:
a In the Cluster Burb field, select the burb that will be used for intracluster
policy communication. This is generally a dedicated burb. For
information on creating a dedicated cluster burb, see “Configuring a
dedicated cluster burb for each Sidewinder G2” on page 477.
b In the Primary IP Address field, select the IP address of the burb you
selected in step a.
Note: This address is required when you are joining additional Sidewinder
G2s to the One-To-Many cluster.
8 Click Next. The State Change Summary window displays a list of the
actions that will be performed when you click Execute.
If you want to make changes to your configuration before executing, click
Back to navigate to the appropriate window(s) and make the necessary
changes.
When you are satisfied with the summary of changes, click Execute. A
progress bar will appear while the configuration changes are made. If the
transition is successful, the Success window appears displaying the new
state.
To add an additional cluster member, see “Adding a secondary” on page
479.

Figure 201: One To
Many Management
window
About the One To
Many Management
window
Adding a secondary
Chapter 16: One-To-Many Clusters
Configuring One-To-Many
Once you have created a One-To-Many cluster with a primary, you can add
one or more secondaries to be managed. Adding a secondary to a One-To-
Many cluster creates a placeholder for that Sidewinder G2 within that cluster.
Once you have added the Sidewinder G2, you will need to join that Sidewinder
G2 to the cluster before it can be managed by the primary.
Using the Admin Console, connect to the primary One-To-Many cluster
member, and click One To Many Management in the Admin Console tree. The
One To Many Management window appears.
Tip: You can also get to this window by clicking the icon in the toolbar.
In this window, you can do the following:
• Add a secondary—To add a secondary to your One-To-Many cluster, click
New. The Add Cluster Members window appears. See “About the Add
Cluster Member window” on page 480 for information on configuring this
window.
• View the status of a One-To-Many cluster—To view the status of a One-To-
Many cluster, click Cluster Status. The Cluster Member Status window
appears. For information on viewing the status of a cluster, see “Viewing
the status of a One-To-Many cluster” on page 481.
• Modify the primary IP address—To change the primary IP address, click
Modify Primary Address. The Modify Primary Address window appears.
For information on modifying the IP address to determine which Sidewinder
G2 is the primary, see “Changing the primary in a One-To-Many cluster” on
page 482.
479

Chapter 16: One-To-Many Clusters
Configuring One-To-Many
About the Add
Cluster Member
window
480
This window allows you to add a secondary to a One-To-Many cluster.
Note: You will need to join the Sidewinder G2 to the One-To-Many cluster once
you have added the placeholder before it can participate in the One-To-Many
cluster.
1 In the Cluster Member Name field, type the name of the secondary.
2 In the IP Address field, type the IP address in the cluster burb of the
secondary.
3 In the Registration Key field, create the registration key for this Sidewinder
G2. This is a one-time key that you will use to register the Sidewinder G2 to
the One-To-Many cluster.
The key must be at least one character long and may consist of alphanumeric
characters, hyphens (-), and underscores (_).
4 Click Add to return to the One To Many Management window. The
secondary will appear in the One To Many Cluster Members table.
5 To register this Sidewinder G2 to a One-To-Many cluster, go to “Joining a
secondary to an existing One-To-Many cluster” on page 480.
Joining a secondary to an existing One-To-Many cluster
To join a Sidewinder G2 to an existing One-To-Many cluster, follow the steps
below.
1 If you have not already done so, add a placeholder for the Sidewinder G2 in
the One-To-Many cluster. See “Adding a secondary” on page 479 for more
information.
2 Connect to the Sidewinder G2 that will be joining the One-To-Many cluster
using the Admin Console.
3 In the tool bar, select the icon to launch the State Change Wizard. (You
4
can also access the State Change Wizard by clicking the Sidewinder G2
icon in the Admin Console tree and then clicking the Change link.) The
Welcome window appears.
Click Next.
5 Select Not Enterprise Managed and click Next.
6 Select One-To-Many Cluster and click Next.
7 Select Join Existing Cluster and click Next.
8 In the Gathering information to join cluster window, configure the following
fields:
a In the Primary IP Address field, type the IP address in the cluster burb
of the primary to which you are registering the secondary.

Chapter 16: One-To-Many Clusters
Configuring One-To-Many
b In the Cluster Member Name field, enter the name of the secondary that
you are registering (this is the name you entered when you added the
Sidewinder G2 to the One-To-Many cluster).
c In the Registration Key field, enter the registration key for this One-To-
Many cluster (this is the unique, one-time key that you created for the
secondary when you added it to the One-To-Many cluster).
9 Click Next. The State Change Summary window displays a list of the
actions that will be performed when you click Execute.
If you want to make changes to your configuration before executing, click
Back to navigate to the appropriate window(s) and make the necessary
changes.
When you are satisfied with the summary of changes, click Execute. A
progress bar will appear while the configuration changes are made. If the
transition is successful the Success window appears, displaying the new
state.
When the Sidewinder G2 is successfully joined to the One-To-Many cluster,
it will reboot automatically. When the Sidewinder G2 reboots, it will be synchronized
with the primary, and the One-To-Many cluster will appear in the
Admin Console tree as a single Sidewinder G2 icon. See “Understanding
the One-To-Many tree structure” on page 484 for information on managing
your One-To-Many cluster.
Viewing the status of a One-To-Many cluster
To view the status of a One-To-Many cluster, using the Admin Console,
connect to the primary and select One to Many Management. The One to Many
Management window appears. Follow the steps below.
1 In the One to Many Management window, click Cluster Status. The Cluster
Member Status window appears.
The Cluster Member Status window consists of a table that lists each
Sidewinder G2 in the One-To-Many cluster by row, and provides the following
information:
• Member Name—This column lists the name of each Sidewinder G2 that
is included in the One-To-Many cluster.
• Registration State—This column indicates whether the Sidewinder G2
is Active (synchronized and running), Unregistered (running but not
registered and synchronized), or Inactive (registered, but has not yet
been initially synchronized with the primary).
481

Chapter 16: One-To-Many Clusters
Configuring One-To-Many
About the Modify
Primary Address
window
482
• Communications—This column indicates whether a remote Sidewinder
G2 is responding. A value of Up indicates that communication is
available. A value of Down indicates that the Sidewinder G2 is offline or
otherwise not responding.
• Policy State—This column indicates whether the Sidewinder G2 policy
is synchronized with the primary. A value of Up to date indicates that the
Sidewinder G2 is synchronized with the primary configuration. A value
of Not up to date indicates that the Sidewinder G2 is not synchronized
with the primary.
Changing the primary in a One-To-Many cluster
Under certain circumstances, you may need to designate a secondary as the
primary (for example, if the primary will be down indefinitely). To transfer
primary status to a secondary, follow the steps below.
Note: When you change the primary, all of the secondaries will be rebooted.
1 In the Admin Console, add a new Sidewinder G2 icon for the secondary
that you want to become the primary by clicking the New Firewall icon
and entering the appropriate information. (This is necessary because when
you register a secondary to a One-To-Many cluster, the icon for the
secondary is removed by default.)
Note: For information on adding a Sidewinder G2 to the Admin Console, see
“Adding a Sidewinder G2 to the Admin Console” on page 20.
2 Connect directly to the secondary by clicking the secondary that you added
in the previous step. You will receive a warning message stating that you
should only modify information on the primary. Ignore this message.
3 Select the One To Many Management option at the top of the secondary
tree. The One To Many Management window appears.
4 In the One To Many Cluster Member window, select Modify Primary
Address. The Modify Primary Address window appears. See “About the
Modify Primary Address window” on page 482.
This window allows you to select a new Sidewinder G2 to take over as the
primary.
1 In the Cluster Burb drop-down list, select the cluster burb.
2 In the One to Many Primary IP Address drop-down list, select the cluster IP
address for this Sidewinder G2.
3 Click OK. You will be prompted to verify your decision. Click Yes to transfer
primary status to this Sidewinder G2. The secondaries that will be managed
by the new primary will be rebooted at this time. When the secondaries
finish rebooting, they will recognize the new primary.

Chapter 16: One-To-Many Clusters
Configuring One-To-Many
Removing Sidewinder G2s from a One-To-Many cluster
The following procedures allow you to delete one or more Sidewinder G2s from
a One-To-Many cluster. This will cause the Sidewinder G2(s) to revert to a
stand-alone Sidewinder G2. Follow the steps below.
Removing a secondary from a One-To-Many cluster
To remove a secondary from a One-To-Many cluster, follow the steps below.
Repeat for each secondary you want to remove.
1 Using the Admin Console, connect to the primary.
2 Select the One To Many Management option at the top of the Sidewinder
G2 tree. The One To Many Cluster Management window appears.
3 Select the Sidewinder G2 that you want to remove from the cluster, and
click Delete. You will be prompted to confirm your decision. Click Yes.
A pop-up window appears informing you that the secondary will be rebooted.
Click OK to reboot the secondary. When the Sidewinder G2 reboots, it
will no longer be part of the One-To-Many cluster and will be managed by
making a direct connection to that Sidewinder G2. Changes will no longer
be replicated to the Sidewinder G2. To make a direct connection to the
stand-alone Sidewinder G2, you will need to create a new Sidewinder G2
icon in the Admin Console tree branch. See “Adding a Sidewinder G2 to the
Admin Console” on page 20.
Removing the primary from a One-To-Many cluster
To remove the primary from a One-To-Many cluster, follow the steps below.
Note: You must remove all of the secondaries from the One-To-Many cluster
before you can access the State Change Wizard to remove the primary.
1 Connect to the One-To-Many cluster using the Admin Console.
2 In the tool bar, select the icon to launch the State Change Wizard. (You
3
can also access the State Change Wizard by selecting the dashboard at the
top of the Admin Console tree and then clicking the Change link.) The
Welcome window appears.
Click Next.
4 Select Change To Standalone Firewall.
5 Click Next. The State Change Summary window displays a list of the
actions that will be performed when you click Execute.
When you are satisfied with the summary of changes, click Execute. A
progress bar will appear while the configuration changes are made. If the
transition is successful the Success window appears, displaying the new
state.
483

Chapter 16: One-To-Many Clusters
Understanding the One-To-Many tree structure
Understanding
the One-To-Many
tree structure
484
Figure 202: Example of
an individually configured
area
When the Sidewinder G2 is successfully removed from the One-To-Many
cluster, it will reboot automatically. When the Sidewinder G2 reboots, it will
be a standalone Sidewinder G2.
The Admin Console tree structure is slightly different in a One-To-Many cluster
environment. When you configure One-To-Many, all Sidewinder G2s are
managed within a single Admin Console connection to the primary. All
secondary icons are removed from the tree.
Areas within the primary connection that are synchronized (that is, areas in
which the information for all Sidewinder G2s must be the same) will appear as
a single tree option within the primary. When you modify information within
those areas, it will automatically be applied to all Sidewinder G2s that are part
of the One-To-Many cluster.
Information specific to individual Sidewinder G2s within the One-To-Many
cluster that cannot be synchronized between Sidewinder G2s (such as
Configuration Backup and Audit) will include a sub-folder within the primary
that provides an icon for each Sidewinder G2 in the One-To-Many cluster. To
modify these features, select the individual Sidewinder G2 icon and make the
changes. These changes will apply only to the Sidewinder G2 that you have
selected and will not be overwritten by the primary.
Important: DNS is the only exception to this structure. To configure DNS settings
on a secondary, you will need to add the secondary server icon and connect
directly to that Sidewinder G2. All other features should be configured using the
primary connection to avoid being overwritten. (For information on adding a
Sidewinder G2 server icon, see “Adding a Sidewinder G2 to the Admin Console” on
page 20.)
Figure 202 below demonstrates the difference between individually configured
areas of the One-To-Many cluster (Configuration Backup and Date and Time)
and a synchronized area of the One-To-Many cluster (Burb Configuration).
Burb Configuration is synchronized
(changes made are sent to all
Sidewinder G2s within the One-To-
Many cluster, and you cannot select
a Sidewinder G2.
Configuration Backup and Date and
Time are configured on an individual
Sidewinder G2 basis.
To modify individually configured information for a particular Sidewinder G2,
simply select that icon for the Sidewinder G2 and make the desired changes.
Changes to an individual Sidewinder G2 will be applied only to that Sidewinder
G2 and will not be overwritten by changes made to the other Sidewinder G2.

Chapter 16: One-To-Many Clusters
Understanding the One-To-Many tree structure
The following tables summarize which features are synchronized and which
features are configured individually in a One-To-Many cluster:
Features that are synchronized in a One-To-Many cluster
• Policy Configuration • SmartFilter
• Proxies • VPN Configuration
• Servers (excludes
sendmail configuration
files)
• IPS Attack Responses
• Static Routing • Burb Configuration
• Authentication • System Responses
• Certificate
Management
• UI Access Control
• Scanner • Firewall Accounts
Features that are configured individually in a One-To-Many cluster
• Dashboard • Firewall License
• Servers: Sendmail only • Interface Configuration
• DNSa • Routing (Dynamic and
Routed)
• Software Management
• System Shutdown
• Audit Viewing • Reconfigure DNS
• Reports • Reconfigure Mail
• Configuration Backup • File Editor
• Date and Time
a. DNS must be configured by connecting directly to the secondary. All other features
listed in this table are configured using the primary connection. To connect
directly to the secondary, you will need to create a new Sidewinder G2 icon for the
secondary and then connect to the Sidewinder G2 using that Sidewinder G2 icon.
(This is because the icon for the secondary is removed from the Admin Console tree
branch when it is successfully added to a cluster.) For information on adding a
Sidewinder G2 to the Admin Console, see “Adding a Sidewinder G2 to the Admin
Console” on page 20.
485

Chapter 16: One-To-Many Clusters
Understanding the One-To-Many tree structure
486

17
CHAPTER
High Availability
In this chapter...
How High Availability works .........................................................488
HA configuration options ..............................................................489
Configuring HA.............................................................................492
Understanding the HA cluster tree structure ................................502
Managing an HA cluster ...............................................................503
487

Chapter 17: High Availability
How High Availability works
How High
Availability
works
488
Figure 203: Basic HA configuration
*In a load sharing HA cluster, the internal
and external cluster common IP addresses
are shared between Sidewinder G2s.
In a failover HA cluster, they are assigned
to the primary.
High Availability requires two Sidewinder G2s that can be configured either for
load sharing (both the primary and secondary Sidewinder G2s actively process
traffic), or with one Sidewinder G2 acting as a standby Sidewinder G2 that
does not process traffic unless it is called upon to take over for the primary in
the event that the current primary becomes unavailable. A cluster of
Sidewinder G2s configured and registered for HA are known as an HA cluster.
As shown in Figure 203, configuring an HA cluster requires at least three burbs
for each Sidewinder G2: an internal burb, an external burb, and a heartbeat
burb. Creating a separate heartbeat burb allows all HA cluster traffic (including
the heartbeat message as well as any stateful session IP Filter traffic) to pass
between the HA cluster Sidewinder G2s in its own burb, and does not impact
regular network traffic. HA cluster Sidewinder G2s must reside on the same
network. The heartbeat burbs of the HA pair must be physically connected
using one of the following:
• A crossover cable (recommended)
• A straight cable, if using em interfaces
• A standard network connection using a switch
aaa.aaa.aaa.1
aaa.aaa.aaa.5*
cluster common
IP address
aaa.aaa.aaa.3
primary Sidewinder G2
internal burb external burb
heartbeat burb
ccc.ccc.ccc.1
ccc.ccc.ccc.5
cluster common
IP address
ccc.ccc.ccc.3
heartbeat burb
secondary/standby
Sidewinder G2
bbb.bbb.bbb.1
bbb.bbb.bbb.5*
cluster common
IP address
bbb.bbb.bbb.3
Internet

HA configuration
options
Chapter 17: High Availability
HA configuration options
To implement an HA cluster in your network, you will need one additional
“cluster common” IP address for each network. The HA cluster will use these
addresses as IP alias addresses. The table below summarizes the IP
addresses needed for this HA configuration.
In this example, all users in the internal or external network must use the
cluster address (aaa.aaa.aaa.5 or bbb.bbb.bbb.5, respectively). Only system
administrators should know about the other IP addresses. The same concept
applies for DNS names.
Tip: When configuring an existing single Sidewinder G2 configuration to become
an HA cluster, consider using the existing interface addresses as the cluster
addresses and getting new IP addresses for the actual NICs. This lessens the
impact on your users, who will not have to change their perception of the
“Sidewinder G2” address.
You can configure HA to perform load sharing (with both Sidewinder G2s
actively processing traffic) or failover (with one Sidewinder G2 processing
traffic and the other Sidewinder G2 standing by as a hot backup). The following
sections discuss each HA configuration option.
Load sharing HA
internal burb external burb heartbeat burb
primary IP aaa.aaa.aaa.1 bbb.bbb.bbb.1 ccc.ccc.ccc.1
secondary/standby
IP
cluster common IP aaa.aaa.aaa.5 a
aaa.aaa.aaa.3 bbb.bbb.bbb.3 ccc.ccc.ccc.3
bbb.bbb.bbb.5 a
ccc.ccc.ccc.5
a. In a load sharing HA cluster, the internal and external cluster common IP
addresses are shared between Sidewinder G2s. In a failover HA cluster, they are
assigned to the primary.
Load sharing HA, also referred to as active-active HA, consists of two
Sidewinder G2s that actively process traffic in a load sharing capacity. When a
secondary is registered to an HA cluster, synchronized areas will be
overwritten by the HA cluster configuration to match the primary. (To determine
which areas are synchronized, see “Managing an HA cluster” on page 503.)
Each Sidewinder G2 maintains its own private (individual) address, the cluster
common address for each interface (excluding the heartbeat interface), and
any other alias addresses. The Sidewinder G2s are then able to coordinate
traffic processing on a single shared IP address using a multicast Ethernet
address to ensure that each connection (and the packets associated with that
connection) is handled by the same Sidewinder G2. To configure load sharing
HA, both Sidewinder G2s must have the same hardware configuration (e.g.,
CPU speed, memory, active NICs).
489

Chapter 17: High Availability
HA configuration options
490
In a load sharing HA configuration, the primary is assigned the cluster address
for the heartbeat burb as an alias, allowing it to communicate with the
secondary. When the secondary or standby is brought online, it activates its
interface IP addresses. The primary will then begin to “multicast” a heartbeat
message. The heartbeat uses IPSec authentication (AH) to ensure that the
messages are correct. The secondary “listens” for this heartbeat and sends an
acknowledgement to the primary. If one of the Sidewinder G2s become
unavailable (that is, a heartbeat message or acknowledgement is not received
by a Sidewinder G2 for the specified amount of time), the remaining
Sidewinder G2 takes over and assumes responsibility for processing all traffic.
If one of the Sidewinder G2s unexpectedly becomes unavailable and the
remaining Sidewinder G2 takes over processing all traffic, any active proxy
sessions and non-stateful IP filter sessions that were assigned to the
unavailable Sidewinder G2 will be lost. IP Filter sessions that are configured for
stateful session failover will not be lost.
If you know in advance that a Sidewinder G2 will need to be shut down, you
can reduce the number of lost connections by scheduling the shutdown (rather
than shutting down immediately). When a shutdown is scheduled for a later
time, a soft shutdown will be performed to reduce the number of sessions that
are lost. For information on soft shutdown, see “Scheduling a soft shutdown for
an HA cluster Sidewinder G2” on page 510.
Certain connections in a load sharing HA cluster will be assigned to the
primary. For example, connections that are used for Sidewinder G2
management purposes (Admin Console, telnet, SSH) that are addressed to the
shared cluster address will be assigned to the primary. In the event that the
primary becomes unavailable, new connections will be assigned to the new
primary, and existing connections will remain in tact. SNMP connections that
are addressed to the shared address will also be assigned to the primary.
Connections that are specifically addressed to an individual Sidewinder G2
address, will be assigned to the specified Sidewinder G2.
Failover HA
Failover HA consists of one Sidewinder G2 (the primary) actively processing
traffic with the standby acting as a hot backup. When a standby Sidewinder G2
is registered to an HA cluster, synchronized areas will be overwritten by the HA
cluster configuration. (To determine which areas are synchronized, see
“Managing an HA cluster” on page 503.) Once registered, the standby monitors
the primary through an Ethernet-based “heartbeat” mechanism that functions
between Sidewinder G2s. If the standby determines that the primary is
unavailable, the standby takes over and assumes the role of the primary. When
a standby takes over networking functions, any active proxy sessions through
the primary are lost. IP Filter sessions that are configured for stateful session
failover will not be lost.

You can configure failover HA in one of two ways:
Chapter 17: High Availability
HA configuration options
• primary-standby—In a primary-standby configuration, if the primary
becomes unavailable, the standby takes over as the acting primary only
until the primary becomes available again. (This option is generally used if
you have Sidewinder G2s that do not share the same hardware
configuration.)
• peer-to-peer— In a peer-to-peer configuration, both Sidewinder G2s are
configured as standbys with the same takeover time setting. This allows
whichever Sidewinder G2 boots up first to act as the primary. If the primary
becomes unavailable, the peer Sidewinder G2 (acting as the standby) will
take over as the primary and will remain as the acting primary until it
becomes unavailable, at which time the peer will again take over as the
acting primary. This is the recommended failover HA configuration.
However, to configure peer-to-peer HA, both Sidewinder G2s must have
similar hardware configurations.
When the primary is brought online, it activates both the cluster and interface
IP addresses. (Remember, you must inform all users that the cluster address is
the Sidewinder G2 address, so all traffic still passes through the primary.)
When the secondary or standby is brought online, it activates its interface IP
addresses. The primary will then begin to “multicast” a heartbeat message.
The heartbeat uses IPSec authentication (AH) to ensure that the messages
are correct. The secondary or standby “listens” for this heartbeat.
Suppose the primary is accidentally powered off for a period of time. When the
standby does not receive a heartbeat signal for a number of seconds (based
on the takeover setting of the standby), it sets the cluster common IP
addresses on its interfaces. In the process, the standby clears its address
resolution protocol (ARP) cache and attempts to generate a “gratuitous ARP.”
Most systems will immediately determine that the standby is now responsible
for the addresses by which the primary is known, and new connections will be
established through the new acting primary.
Note: Unfortunately, there may be a number of reasons why the gratuitous ARP is
not received: a remote system may not recognize the message, the message may
be blocked by certain switches, it may fail due to timing issues, etc. Often this can
be resolved by flushing the ARP caches in the remote system. Many of these
remote systems have ways to shorten the time that entries stay in the ARP cache;
these should be set to time periods in the three to five minute range.
If you configured a primary-standby configuration, when the Sidewinder G2
that is configured as the primary is powered on or reactivated, it will begin
sending a heartbeat message. When the standby (temporarily acting as the
primary) receives the heartbeat message, it immediately drops the cluster
common IP addresses so the primary can again assume responsibility.
Established connections through the standby will continue to run for a period of
time, but eventually all traffic will again pass through the primary. (In a peer-to-
491

Chapter 17: High Availability
Configuring HA
492
peer configuration, the Sidewinder G2 that takes over as the acting primary will
remain as the primary until it becomes unavailable.)
Note: When a takeover event occurs, there can be a number of netprobe events
detected when connections take time to detect the switch of systems.
Configuring HA This section provides the basic information you need to configure an HA
cluster. Before you begin, sketch a diagram showing your planned
configuration (similar to the diagram in Figure 203) for reference. Include the
following items on your diagram:
• interfaces
• IP addresses
• HA cluster common IP addresses
• burb names
Before you configure HA, the following conditions must be met:
• Both Sidewinder G2s must be at the same version.
• A dedicated heartbeat burb and interface must be configured on each
Sidewinder G2.
Note: For load sharing HA, the interface used for the heartbeat burb must be at
least as fast as the fastest load sharing interfaces on your Sidewinder G2. For
information on configuring the heartbeat burb, see “Configuring the heartbeat
burbs” on page 493.
• If planning to use VLANs, for best results configure the VLANs before
creating the HA cluster.
• You can only assign one interface per burb when configuring load-sharing
HA. (This includes VLANs.)
• The following areas must be configured identically on both Sidewinder G2s
before you configure HA:
– number and types of interfaces
– number of burbs
– burb names (burb names are case-sensitive)
– burb indices
– DNS configuration (For example, if the primary is configured to use
transparent DNS, the secondary must also be configured to use
transparent DNS. If the DNS configuration types are not the same, DNS
will not work on the secondary once HA is configured.)
Note: All other configuration information will be overwritten on the secondary/
standby when HA is configured.

Configuring the heartbeat burbs
Chapter 17: High Availability
Configuring HA
You must configure a dedicated heartbeat burb and interface on each
Sidewinder G2 before configuring an HA cluster. Follow the steps below for
each Sidewinder G2.
1 Ensure that the Sidewinder G2 has an interface that can be dedicated to
HA traffic.
Note: For load sharing, the interface used for the heartbeat burb must be at
least as fast as the fastest load sharing interfaces on your Sidewinder G2.
2 In the Admin Console, connect to the Sidewinder G2 and create a
heartbeat burb (select Firewall Administration > Burb Configuration). For
troubleshooting purposes, select the Respond to ICMP echo and
timestamp check box. See “Modifying the burb configuration” on page 82
for detailed information on creating a new burb.
3 Click the Save icon in the toolbar.
4 Go to Firewall Administration > Interface Configuration and assign the
heartbeat burb and IP address to the appropriate interface. (Be sure to
enable the interface.) See “Modifying the interface configuration” on page
83 for detailed information on configuring a new interface.
5 Click the Save icon in the toolbar. (You do not need to reboot at this time.)
6 Repeat these steps for each Sidewinder G2 that will be participating in the
HA cluster.
7 When you have configured a heartbeat burb and interface for each
Sidewinder G2, be sure to test the network connectivity between the two
Sidewinder G2s for the heartbeat interface.
Important: Network connectivity must exist between the Sidewinder G2s’
heartbeat burbs to successfully configure HA.
Configuring Sidewinder G2 for HA
Once you have configured a heartbeat burb for each Sidewinder G2 and have
verified network connectivity between the Sidewinder G2s on the heartbeat
interface, you can configure the Sidewinder G2s for HA. Follow the steps
below.
Important: It is recommended that you perform a system backup before
configuring HA. See “Backing up system files” on page 638 for details.
493

Chapter 17: High Availability
Configuring HA
494
Configuring the first Sidewinder G2 in a new HA cluster
To configure the first Sidewinder G2 in a new HA cluster, follow the steps
below.
1 Connect to the Sidewinder G2 that will become the primary using the Admin
Console.
Note: If you are planning to configure a load sharing or peer-to-peer HA cluster,
it does not matter which Sidewinder G2 you configure first.
2 Configure all functions and features other than HA.
3 Verify that you have a dedicated heartbeat burb and interface configured for
HA on this Sidewinder G2. See “Configuring the heartbeat burbs” on page
493 for instructions.
4 In the tool bar, click to launch the State Change Wizard. (You can also
5
access the State Change Wizard by selecting the dashboard and then
clicking the Change link.) The Welcome window appears. Read the
Welcome window and then click Next.
Select Not Enterprise Managed and then click Next.
6 Select HA Cluster and then click Next.
7 Select Create New Cluster and then click Next.
8 Select the HA configuration that you want to create, and then click Next.
Note: To configure peer-to-peer HA or load sharing HA, both Sidewinder G2s
must have the same hardware configuration.
• Peer-To-Peer HA—Both Sidewinder G2s are configured as standbys
with the same takeover time setting. Whichever Sidewinder G2 boots up
first will act as the primary. If the primary becomes unavailable, the peer
(acting as the standby) will take over as the primary and will remain as
the acting primary until it becomes unavailable, at which time the peer
will again take over as the acting primary. This is the recommended
failover HA configuration.
• Load-Sharing HA—Load sharing HA consists of two Sidewinder G2s
that actively process traffic in a load sharing capacity. For more
information on load sharing HA, see “Load sharing HA” on page 489.
• Primary-Standby HA—If the primary becomes unavailable, the standby
takes over as the acting primary only until the primary becomes
available again. (This option is generally used if you have Sidewinder
G2s that do not share the same hardware configuration.) For more
information on primary-standby HA, see “Failover HA” on page 490.
9 [Conditional] In the High Availability Takeover Time window, specify the
number of seconds that the primary must be unavailable before the
secondary/standby will begin the takeover process. The default value is 13
seconds.

Chapter 17: High Availability
Configuring HA
Note: This window does not appear if you selected the primary-secondary HA
option. For primary-secondary HA, the takeover time is 3 seconds for the
primary and 13 seconds for the secondary by default and cannot be modified in
the State Change Wizard.
Click Next. The High Availability Cluster Common Addresses window
appears.
10 The High Availability Cluster Common Addresses window allows you to
configure the cluster common addresses for the interfaces in your HA
cluster. It also allows you to specify the heartbeat burb, which is responsible
for sending and receiving heartbeats. Do the following, and then click Next:
a Select the interface row that you want to configure, and click Configure.
The High Availability Aliases window appears.
b In the Cluster Common IP Address field, type the common IP address
for the interface that will be shared between Sidewinder G2s within the
HA cluster.
Note: The cluster address is the address most systems should use to
communicate with or through the Sidewinder G2, meaning that DNS, default
routes, etc. need to be aware of this address.
c Click OK.
d Repeat step a through step c for each interface that will use HA.
e In the Heartbeat Burb drop-down list, select the burb that HA will use to
send or receive heartbeats. (A heartbeat is a short message that is sent
out at specific intervals to verify whether a Sidewinder G2 is
operational.) This must be a dedicated burb.
f [Optional] If you want to skip the advanced configuration windows and
use the default values, select the Use default advanced High
Availability properties and skip advanced screens check box.
If you select this check box, the following configuration options will be
made automatically:
• IPSec authentication password and authentication type will be
automatically selected.
• HA identification cluster ID and multicast address will be
automatically assigned.
• Remote test configuration options will not be configured.
If you want to modify or configure any of these properties, deselect the
Use default advanced High Availability properties and skip advanced
screens check box and click Next to access the Advanced General
Properties and Advanced Network Properties windows.
11 [Conditional] The High Availability Advanced General Properties window
allows you to configure IPSec Authentication values and High Availability
identification values. Modify any of the following values:
495

Chapter 17: High Availability
Configuring HA
496
Note: This window does not appear if you selected the Use default advanced
High Availability properties and skip advanced screens check box in the High
Availability Cluster Common Addresses window.
• High Availability Password—Type the password to be used to generate
the authentication key for IPSec. This password must be the same for
both Sidewinder G2s because they share the same virtual firewall ID.
• Authentication Type—Select one of the following:
– SHA1: Select this option if using HMAC-SHA1 authentication.
– MD5: Select this option if using HMAC-MD5 authentication.
• Cluster ID—Select an ID that will be assigned to the HA cluster. This
allows you to distinguish between and manage multiple HA clusters, if
needed. Each Sidewinder G2 with an HA cluster must be assigned the
same cluster ID. Valid values are 1–255.
• Multicast Address—This field displays the address of the multicast
group used for HA purposes in the heartbeat burb. The default address
is 239.192.0.1. To modify the address, click Edit Address.
When you have finished configuring this window, click Next.
12 [Conditional] The High Availability Advanced Network Properties window
allows you to configure interface testing and force ARP reset properties. To
configure interface testing and/or ARP reset properties, do the following
and then click Next.
This window does not appear if you selected the Use default advanced
High Availability properties and skip advanced screens check box in the
High Availability Cluster Common Addresses window.
Note: For more information on interface testing with HA, see “Interface
configuration issues with HA” on page 666.
a In the Interface Test area, configure any remote test IP addresses for
networks that you want to periodically ping, as follows:
Note: If you specify 255.255.255.255 in this field, HA will only test the status
of the interface rather than send data to verify that the interface is up. This
functionality is not intended for use in the heartbeat burb.
• Select the network row that you want to modify, and click Modify.
The Remote Test window appears.
• In the Remote Test IP field, enter the IP address that the Sidewinder
G2 will periodically ping. The remote address must be a highly
reliable system that is directly attached to the Sidewinder G2
network, but does not belong to either cluster member.
For example, if you use a VRRP (Virtual Router Redundancy Protocol)
cluster, you can specify the VRRP address of the router as your
remote ping address. (However, some VRRP routing clusters will
only respond to pings if the configured primary router is currently acting
as the primary. If you are using this type of VRRP routing cluster,
you should use an alternative remote address.)

Chapter 17: High Availability
Configuring HA
For load sharing HA, if remote ping fails on one of the two cluster
members, that member will become unavailable until the remote
interface is again detected. If there is only one active cluster member
and a remote ping failure is detected, that member will audit the failure
and remain in the cluster until another member joins the cluster
(without a ping failure), or until the remote system is detected.
• Click OK to return to the High Availability Advanced Network
Properties window.
b In the Ping the Remote Test IP field, specify how often (in seconds) the
HA cluster will ping the remote address to ensure that an interface and
path are operational.
c In the Consecutive ping failures before takeover field, specify the
number of failed ping attempts that must occur before a secondary/
standby takes over as the primary.
If the primary becomes unavailable immediately after a ping attempt has
been issued, the time it takes for a secondary/standby to take over will
be slightly longer (this is because it will take close to an entire test interval
before the first failure is detected).
d [Conditional] The Force ARP Reset area lists the IP address and burb of
each system that you determine needs to update its ARP cache with the
new cluster alias IP. Use this area to list all systems that are known to
ignore gratuitous ARPs, but that need to know the new cluster alias.
Note: This area is not available if you are configuring Load Sharing HA.
To define a system to be included in the Force ARP Reset list, click
New. The Force ARP Reset window appears. Enter the IP Address and
select the burb for the system, and then click OK.
To modify an entry, select the appropriate entry and click Modify.
To delete an IP address from the list, select the address and click
Delete.
13 The State Change Summary window displays a list of the actions that will
be performed when you click Execute.
Important: The Sidewinder G2 will be automatically rebooted after the
transition process is complete. Carefully review the changes before you click
Execute, as changes you make after initially executing the state change will
require an additional reboot.
If you want to make changes to your configuration before executing, click
Back to navigate to the appropriate window(s) and make the necessary
changes.
When you are satisfied with the summary of changes, click Execute. A
progress bar will appear while the configuration changes are made. If the
transition is successful the Success window appears, displaying the new
state, and the Sidewinder G2 will automatically reboot. Click Finish.
497

Chapter 17: High Availability
Configuring HA
498
To add an additional cluster member, see “Joining a Sidewinder G2 to an
existing HA cluster” on page 498.
Joining a Sidewinder G2 to an existing HA cluster
Joining a Sidewinder G2 to an existing HA cluster, requires two steps:
• Add a placeholder in the HA cluster for that Sidewinder G2 in the High
Availability Common Parameters window. See “Adding a placeholder in the
HA cluster” on page 498.
• Join the Sidewinder G2 to the HA cluster using the State Change Wizard.
See “Joining a Sidewinder G2 to an existing HA cluster” on page 499.
Note: You must have a dedicated heartbeat burb configured on each Sidewinder
G2 that you register to an HA cluster. See “Configuring the heartbeat burbs” on
page 493 for instructions.
Adding a placeholder in the HA cluster
Adding a Sidewinder G2 to an HA cluster creates a placeholder for that
Sidewinder G2 within that HA cluster. Once you have added the Sidewinder G2
to the HA cluster, you will need to join the Sidewinder G2 to the HA cluster
using the State Change Wizard.
To add a placeholder for the new Sidewinder G2 in the existing HA cluster, do
the following:
1 Connect to the HA cluster using the Admin Console, and select High
Availability in the Admin Console tree. The High Availability Common
Parameters tab appears.
2 In the Pair Members area, click New. The Add New Firewall window
appears.
3 In the Name field, enter the name of the Sidewinder G2 you are adding the
HA cluster.
4 [Conditional] If you selected the Primary/Standby HA mode, in the Takeover
Time field, select the number of seconds that the primary must be
unavailable before the secondary/standby will begin the takeover process.
The default value is 13 seconds.
Note: This field does not appear if you selected peer-to-peer HA or loadsharing
HA.
5 In the IP Address in Heartbeat Burb field, enter the individual IP address (in
the heartbeat burb) of the Sidewinder G2 that you are adding to the HA
cluster.

Chapter 17: High Availability
Configuring HA
6 In the Registration Key field, create the registration key for this HA cluster.
The key must be at least one character long and may consist of
alphanumeric characters, hyphens (-), and underscores (_).
Important: You will need the registration key when you join the Sidewinder G2
to the HA cluster using the State Change Wizard.
7 Click Add to add the Sidewinder G2 to the HA cluster. You can now join the
Sidewinder G2 to the HA cluster using the State Change Wizard. See
“Joining a Sidewinder G2 to an existing HA cluster” on page 499.
Joining a Sidewinder G2 to an existing HA cluster
To join a Sidewinder G2 to an existing HA cluster, follow the steps below.
Note: You must add a placeholder for the Sidewinder G2 in the HA cluster before
you will be able to join the HA cluster. See “Adding a placeholder in the HA cluster”
on page 498.
1 Connect to the Sidewinder G2 that will be joining the HA cluster using the
Admin Console.
2 In the toolbar, click to launch the State Change Wizard. (You can also
3
access the State Change Wizard by selecting the dashboard and then
clicking the Change link.) The Welcome window appears.
Click Next.
4 Select Not Enterprise Managed and click Next.
5 Select HA Cluster and click Next.
6 Select Join Existing HA Cluster and click Next.
7 In the Gathering information to join cluster window, configure the following
fields:
• Partner’s Heartbeat Burb IP Address—Enter the heartbeat IP address
of the HA partner.
Important:This is the actual heartbeat IP address for the HA partner, not the
cluster common heartbeat IP address.
• Cluster Member Name—Enter the name of the Sidewinder G2 that you
are joining to the HA cluster (the name you entered when you added
this Sidewinder G2 to the HA cluster).
• Registration Key—Enter the registration key for the HA cluster (the key
that you created when you added this Sidewinder G2 to the HA cluster
in step 6 on page 499).
8 Click Next. The State Change Summary window displays a list of the
actions that will be performed when you click Execute.
Important: The Sidewinder G2 will be rebooted after the transition process is
complete. Carefully review the changes before you click Execute, as changes
you make after executing the state change will require an additional reboot.
499

Chapter 17: High Availability
Configuring HA
500
If you want to make changes to your configuration before executing, click
Back to navigate to the appropriate window(s) and make the necessary
changes.
When you are satisfied with the summary of changes, click Execute. A
progress bar will appear while the configuration changes are made. If the
transition is successful the Success window appears, displaying the new
state.
When the Sidewinder G2 is successfully joined to the HA cluster, it will
reboot automatically. When the Sidewinder G2 reboots, it will be synchronized
with the primary, and the HA cluster will appear in the Admin Console
tree as a single Sidewinder G2 icon. See “Managing an HA cluster” on
page 503 for information on managing your HA cluster.
Enabling and disabling load sharing for an HA cluster
If you have an HA cluster configured and want to enable or disable load
sharing, follow the steps below.
Note: For more information on load sharing HA, see “Load sharing HA” on page
489.
1 In the Admin Console, connect to the HA cluster and select
High Availability.
2 Click the plus sign (+) in front of the High Availability branch to display the
individual icons for each Sidewinder G2 that is part of the HA cluster.
3 Select the primary icon. The Local Parameters tab appears.
To determine which Sidewinder G2 is the primary, select High Availability,
and then select the Common Parameters tab and click Cluster Status.
4 In the Cluster Mode area, enable or disable load sharing by selecting the
appropriate cluster mode as follows:
• Designate as part of a Load Sharing High Availability Cluster—Select
this option if you want to enable load sharing for the HA cluster (both
Sidewinder G2s actively process traffic).
• Designate as part of a Primary/Standby High Availability Cluster—
Select this option if you want to disable load sharing HA and convert the
HA cluster to a failover HA cluster (only one Sidewinder G2 processes
traffic, with the other Sidewinder G2 acting as a hot backup).

Removing a
secondary/standby
from an HA cluster
Removing the
primary from an HA
cluster
5 Click the Save icon in the toolbar.
Chapter 17: High Availability
Configuring HA
6 Wait 60 seconds to allow the Sidewinder G2s to synchronize, and then
reboot each Sidewinder G2 that is part of the HA cluster. It is important that
the second Sidewinder G2 be rebooted before the primary is finished
rebooting.
Important: If you do not begin the reboot process for the second Sidewinder
G2 before the primary finishes rebooting, it will detect that the second
Sidewinder G2 is configured for a different cluster mode, and the HA cluster will
not function properly. If this happens, you will need to reboot each Sidewinder
G2 to synchronize the HA cluster.
Removing a Sidewinder G2 from an HA cluster
To remove a secondary/standby from an HA cluster, follow the steps below.
1 Connect to the HA cluster and select High Availability in the Admin
Console tree. The Common Parameters window appears.
2 In the Pair Members table, highlight the secondary/standby and then click
Delete.
When the Sidewinder G2 is removed from the HA cluster, it will automatically
reboot and become a functioning stand-alone Sidewinder G2.
You must remove the secondary/standby from the HA cluster before you can
remove the primary from the HA cluster. Once you have removed the
secondary/standby from an HA cluster, follow the steps below to remove the
primary from the HA cluster:
1 Connect to the HA cluster.
2 Access the State Change Wizard by selecting the dashboard at the top of
the Admin Console tree and then clicking the Change link. The Welcome
window appears.
3 Click Next.
4 Select Change To Standalone State, and then click Next.
5 The State Change Summary window appears listing the actions that will be
performed when you click Execute. To remove the primary from the HA
cluster and return it to the standalone state, click Execute. The Sidewinder
G2 will automatically reboot. Once the Sidewinder G2 is rebooted, it will
become a functioning standalone Sidewinder G2.
To cancel the wizard without making any changes, click Cancel.
Important: Once the Sidewinder G2 has finished rebooting, the IP address in
the Admin Console Connection window will still display the cluster common IP
address. Before connecting to the standalone Sidewinder G2, you will need to
manually change the IP address back to the Sidewinder G2’s individual
address.
501

Chapter 17: High Availability
Understanding the HA cluster tree structure
Understanding
the HA cluster
tree structure
502
Figure 204: Example of
an individually configured
area
Figure 205: Special HA
and Interface
Configuration options
The Admin Console tree structure is slightly different for an HA cluster. As
explained above, when you configure an HA cluster, both Sidewinder G2s are
managed within a single Admin Console connection.
Areas of the HA cluster that are synchronized (that is, areas in which the
information for both Sidewinder G2s must be the same and remains in sync via
the synchronization server) will appear with a single tree option. When you
modify information within those areas, the information will automatically be
updated for both Sidewinder G2s.
Information specific to individual Sidewinder G2s within the HA cluster (such as
configuration backup and restore) will include a sub-folder (indicated by a plus
[+] sign) that contains an icon for each Sidewinder G2 that is part of the HA
cluster. To modify information within these areas, expand the tree branch,
select the appropriate Sidewinder G2, and make the desired changes. Nonsynchronized
modifications to an individual Sidewinder G2 will be applied only
to that Sidewinder G2 and will not be overwritten by changes made to the other
Sidewinder G2.
Figure 204 below demonstrates the difference between an individually
configured area of the HA cluster (Reports) and a synchronized area of the HA
cluster (Burb Configuration).
Reporting is configured on an individual
Sidewinder G2 basis.
Burb Configuration is synchronized, and does
not allow you to select a Sidewinder G2.
The High Availability and Interface Configuration areas within the HA cluster
tree include some areas that are synchronized and some areas that are
configured on an individual Sidewinder G2 basis, as shown in Figure 205
below.
Synchronized HA information is configured by
selecting the main HA option.
HA information specific to a single Sidewinder G2
is configured by selecting a Sidewinder G2.
Synchronized information is configured by
selecting the main Interface Configuration option
Interface information specific to a single
Sidewinder G2 is configured by selecting
that Sidewinder G2.
The following lists summarize the features that are synchronized and the
features that are configured individually in an HA cluster.

Managing an HA
cluster
Features that are synchronized within an HA cluster
• Policy Configuration • VPN
• Proxies • IPS Attack Responses
Features that are configured individually within an HA cluster
Chapter 17: High Availability
Managing an HA cluster
• Servers • High Availability (Common Parameters)
• Routing • Burb Configuration
• Authentication • Firewall Accounts
• Certificate Management • Interface Alias IP addresses
• Scanner • System Responses
• SmartFilter • UI Access Control
• Dashboard • Firewall License
• DNS a
• Interface Configuration
• Audit • Software Management
• Reports • System Shutdown
• High Availability (Local Parameters) • Reconfigure DNS
• Configuration Backup • Reconfigure Mail
• Date and Time • File Editor
a. DNS must be configured by connecting directly to the secondary/standby. All other
features listed in this table are configured using the HA cluster connection. To connect
directly to the secondary/standby, you will need to add a new Sidewinder G2 to the
Admin Console using the Sidewinder G2’s actual IP address, and then connect to the
Sidewinder G2 directly. (This is because the secondary/standby is removed from the
Admin Console tree branch when it is successfully added to the HA cluster.) For information
on adding a Sidewinder G2 to the Admin Console, see “Connecting directly to a
secondary/standby” on page 511.
Once you have configured an HA cluster, the HA cluster will be represented in
the Admin Console tree by a single Sidewinder G2 icon. When you connect to
the HA cluster, you will use the HA cluster common IP address that you
created when you configured HA. This allows you to manage both Sidewinder
G2s by connecting to the HA cluster.
Important: If you connect directly to a single Sidewinder G2 outside of the HA
cluster, changes you make to synchronized areas for that Sidewinder G2 will be
overwritten by the HA cluster configuration. For information on when and how to
connect directly to a single Sidewinder G2 that is part of an HA cluster, see
“Connecting directly to a secondary/standby” on page 511.
503

Chapter 17: High Availability
Managing an HA cluster
504
Figure 206: Common
Parameters tab
About the Common
Parameters tab
Caution: If you modify your hardware interface configuration, HA will not function
until the Sidewinder G2 is rebooted.
Modifying HA common parameters
The Common Parameters tab allows you to configure properties that are
common to the HA cluster. To configure common HA parameters, connect to
the HA cluster using the Admin Console and select High Availability. The
following window appears:
The Common Parameters tab specifies the parameters that will affect all
Sidewinder G2s in your HA configuration. Follow the steps below.
1 In the High Availability Identification area, do the following:
a In the Cluster ID field, select an ID that is assigned to the HA cluster.
This allows you to distinguish between and manage multiple HA
clusters, if needed. Each Sidewinder G2 with an HA cluster must be
assigned the same cluster ID. Valid values are 1–255.
b The Multicast Group Address field displays the address of the multicast
group used for HA purposes on the heartbeat burb. The default address
is 239.192.0.1. To modify the address, click Edit address. See
“Changing the multicast address” on page 507 for details on modifying
the multicast group address.
c In the Heartbeat Burb drop-down list, select the burb that HA will use to
send or receive a heartbeat. A heartbeat is a short message that is sent
out at specific intervals to verify whether a Sidewinder G2 is operational.
The heartbeat, session information, and configuration information are
also transferred between the heartbeat burbs

Chapter 17: High Availability
Managing an HA cluster
This must be a dedicated heartbeat burb. For information on configuring
a dedicated heartbeat burb, see “Configuring the heartbeat burbs” on
page 493.
d In the Heartbeat Verification Burb drop-down list, select the burb that
HA will use to send or receive a mini-heartbeat. This should be a burb
that regularly passes traffic, such as the internal burb.
This mini-heartbeat helps protect against false failover events by doing
the following:
• If the Sidewinder G2 does not detect the heartbeat but does detect
the mini-heartbeat, the HA cluster does not fail over. An audit
message is generated, alerting the administrator to check the
heartbeat burbs’ connectivity.
Important: Loss of communications on the heartbeat burb causes
diminished HA services. For load sharing, the active secondary no longer
shares the session load; it goes to a standby state. For non-load sharing,
the standby cannot receive updated information about new ipfilter sessions
established on the primary. Maintain high availability service to your network
by troubleshooting the heartbeat burbs’ communication problems as soon
as possible.
• If the Sidewinder G2 does not detect either the heartbeat or the miniheartbeat,
the HA cluster fails over.
Additional information on heartbeat verification is available in knowledge
base article 3848.
2 In the IPSec Authentication area, do the following:
• In the Authentication Type field, select the type of IPSec authentication
to use for HA:
—SHA1: Select this option if using HMAC-SHA1 authentication.
—MD5: Select this option if using HMAC-MD5 authentication
e In the Password field, type the password that will be used to generate
the authentication key for IPSec. This password must be the same for
both Sidewinder G2s because they share the same virtual firewall ID.
3 [Conditional] The Pair Members table lists the Sidewinder G2s that have
been added to the HA cluster. To add a Sidewinder G2 to the Pair Members
table, see “Adding a placeholder in the HA cluster” on page 498. To view
the status of the cluster, click Cluster Status. A pop-up window will appear
displaying the status of each Sidewinder G2. To close the status information
window, click Close.
This table is not available until you successfully promote a primary. Once
the primary has been promoted, you can add a second Sidewinder G2 to
the HA cluster. However, you must join the second Sidewinder G2 before it
will become functional within the HA cluster. See “Joining a Sidewinder G2
to an existing HA cluster” on page 499 for information on registering a
Sidewinder G2 to an HA cluster.
505

Chapter 17: High Availability
Managing an HA cluster
506
4 [Conditional] To define a system that requires ARP cache updates, in the
Force ARP Reset area, click New and see “Configuring an entry in the
Force ARP Reset area” on page 507. (This option is not used for load
sharing HA.)
The Force ARP Reset area lists the IP address and burb of each system
that you determine needs to update its ARP cache with the new cluster
alias IP. Use this area to list all systems that are known to ignore gratuitous
ARPs, but that need to know the new cluster alias. (To delete an IP address
from the list, highlight the address and click Delete.)
5 In the Interface Test area, do the following:
a In the Time Between Tests field, specify how often (in seconds) the HA
cluster will ping the remote address to ensure that an interface and path
are operational.
b In the Consecutive Failures field, specify the number of failed ping
attempts that must occur before a secondary/standby takes over as the
primary.
Note: If the primary becomes unavailable immediately after a ping attempt has
been issued, the time it takes for a secondary/standby to take over will be
slightly longer (this is because it will take close to an entire test interval before
the first failure is detected).
6 The Interfaces table identifies the burb, HA cluster address, network
address, remote test IP address, and cluster MAC address for each
interface.
The Cluster MAC column is a read-only column that displays the MAC
address for each cluster interface that is defined. Depending on the type of
router you are using, this address may be required to configure the router if
you have load sharing HA configured. The Cluster MAC is used for all
shared cluster addresses and aliases on that interface.
You must define a shared address for each interface being backed up via
HA. To define a new interface, click New. To modify an HA common IP
address, highlight the interface you want to modify, and click Modify. See
“Configuring an entry in the Interfaces table” on page 507 for details. To
delete an interface, highlight the interface and click Delete.
Important: If multiple IP addresses are desired on a single NIC and HA is
configured on the Sidewinder G2, only the HA common IP address is defined
here. All non-HA alias IP addresses are defined in the Interface Configuration
window.
7 When you are finished configuring the HA parameters for this Sidewinder
G2, click the Save icon to save your changes.
8 Select Firewall Administration > System Shutdown and reboot to the
operational kernel. Your changes will not take effect until the reboot
completes.

Changing the multicast address
Chapter 17: High Availability
Managing an HA cluster
The Edit Multicast Group window allows you to specify different multicast
addresses for an HA cluster. Do not specify an address that conflicts with other
multicast groups on the heartbeat burb. Addresses in the range of 239.192.0.0
to 239.251.255.255 have been reserved by RFC 2365 for locally administered
multicast addresses. Boundary routers should be configured to not pass your
selected address if such a feature exists.
To restore the default address (239.192.0.1), click Restore Default.
Important: If the default is not used, you should change the reverse lookup files in
DNS to allow DNS reverse resolution of the multicast address. Refer to the
/etc/namedb.u/failover.rev file.
Configuring an entry in the Force ARP Reset area
The Force ARP Reset window allows you to specify the IP address and its
associated burb for each system that would ignore the gratuitous ARP
containing the new cluster alias. To add this information, follow the steps
below.
Note: The Force ARP Reset area is not used for load sharing HA.
1 In the IP Address field, enter the system’s IP address.
2 In the Burb field, select the burb that connects to that system’s network.
3 Click OK to save the information, or click Close to close the window without
saving your changes.
Configuring an entry in the Interfaces table
The Common IP window allows you to specify the cluster common IP address
for your interfaces. You will need to configure a common IP address for each
interface that uses HA. Follow the steps below.
Note: Be sure to add the common IP address and the associated domain name to
your DNS service.
1 In the Burb drop-down list, select the appropriate burb.
Note: The Network Address field displays the local IP address for this
Sidewinder G2.
2 In the Common IP Address field, type the common IP address for the
interface that is shared between the primary and secondaries when they
become active.
The cluster address is the address most systems should use to communicate
with or through the Sidewinder G2, meaning that DNS, default routes,
etc. need to know this address.
507

Chapter 17: High Availability
Managing an HA cluster
508
Figure 207: Local
Parameters tab
3 [Optional] In the Remote Test IP field, specify the address that the
Sidewinder G2 will periodically ping.
The remote address must be a highly reliable system that is directly
attached to the Sidewinder G2 network. For example, if you use a VRRP
(Virtual Router Redundancy Protocol) cluster, you can specify the VRRP
address of the router as your remote ping address. (However, some VRRP
routing clusters will only respond to pings if the configured primary router is
currently acting as the primary. If you are using this type of VRRP routing
cluster, you should use an alternative remote address.)
For load sharing HA, if remote ping fails on one of the two cluster members,
that member will become unavailable until the remote interface is again
detected. If there is only one active cluster member and a remote ping failure
is detected, that member will audit the failure and remain in the cluster
until another member joins the cluster (without a ping failure), or until the
remote system is detected.
Note: If you specify 255.255.255.255 in this field, HA will only test the status of
the interface rather than send data to verify that the interface is up.
4 Click OK to save the cluster address information and return to the Local
Parameters tab. (To exit the window without saving your changes, click
Cancel.)
Modifying HA local parameters
To configure local HA parameters, connect to the Sidewinder G2 using the
Admin Console and select Firewall Administration > High Availability. (If you
have already configured HA, the High Availability option will appear directly
beneath the Sidewinder G2 icon.) Select the Local Parameters tab. The
following window appears:

About the Local
Parameters tab
Chapter 17: High Availability
Managing an HA cluster
The Local Parameters tab specifies the parameters that are unique to a
particular Sidewinder G2 in your HA configuration. Follow the steps below.
1 In the Cluster Mode area, select one of the following options:
• Designate as part of a Load Sharing High Availability Cluster—Select
this option if you want to configure load sharing HA (both Sidewinder
G2s actively process traffic).
• Designate as part of a Primary/Standby High Availability Cluster—
Select this option if you want to configure failover HA (only one
Sidewinder G2 processes traffic, with the other Sidewinder G2 acting as
a hot backup).
Note: To configure load sharing HA or peer-to-peer failover HA, the Sidewinder
G2s must have the same hardware configuration. For more information on each
HA configuration option, see “HA configuration options” on page 489.
2 [Conditional] If you selected Primary-Standby in the previous step, select
one of the following options in the Cluster Mode area:
• Primary—Select this option if this will be the primary in your network.
(This option is only used for the dedicated primary-standby HA
configuration.)
• Standby—Select this option if this Sidewinder G2 is a standby in your
network, or if you are configuring peer-to-peer HA.
Note: For peer-to-peer HA, you must configure each Sidewinder G2 as a
standby.
3 In the Control field, select Enabled to enable HA for this Sidewinder G2. (To
disable HA, select Disabled.)
Note: You must reboot before the HA configuration will take effect.
4 [Conditional] In the Takeover Time field specify the number of seconds that
the primary must be unavailable before the secondary/standby will begin
the takeover process.
Note: If the primary in an HA cluster goes into failure mode and the secondary/
standby is not available, the primary will remain as the primary, but the
Takeover Time value for that Sidewinder G2 will change to one, ensuring that if
a secondary/standby becomes available, it can take over as the primary.
The secondary/standby Takeover Time value will differ depending on the
type of HA configuration you are using:
• Load sharing Takeover Time—The takeover time for load sharing HA
cluster Sidewinder G2s must be the same for EACH Sidewinder G2 that
is participating in the HA configuration. The default value is 13 seconds
for load sharing configurations.
509

Chapter 17: High Availability
Managing an HA cluster
510
• Primary-standby Takeover Time—The takeover time for the primary is 3
seconds by default and cannot be modified. This value ensures that the
designated primary will become the actual primary when it is activated.
The default for the standby is 13.
Note: If you assign a standby Takeover Time value that is too close to 3
seconds, the standby may attempt to take over as the primary during
periods when the primary is too busy processing data traffic to send the
heartbeat.
• Peer-to-peer Takeover Time—The takeover time for load sharing HA
cluster Sidewinder G2s must be the same for EACH Sidewinder G2 that
is participating in the HA configuration. The default value is 13 seconds
for load sharing configurations.
Scheduling a soft shutdown for an HA cluster Sidewinder
G2
When a Sidewinder G2 that belongs to an HA cluster is shutdown by an
administrator (for example, to perform scheduled maintenance), a soft
shutdown will automatically occur (assuming the shutdown time is not
immediate). A soft shutdown provides a buffer period before the actual
shutdown occurs, allowing the Sidewinder G2 to stop accepting new
connections, while allowing most existing connections to complete before the
Sidewinder G2 actually shuts down. IP filter processing is also transferred to
the remaining Sidewinder G2.
By default, the soft shutdown process will begin 30 minutes prior to a
scheduled shutdown. If the shutdown is scheduled to occur in less than 30
minutes, the soft shutdown process will begin immediately and will remain in
effect until the actual shutdown time occurs. You can also manually increase or
decrease the length of the soft shutdown period.
For example, suppose you configure the Sidewinder G2 to shutdown in two
hours using the default soft shutdown of 30 minutes. The Sidewinder G2 will
continue to accept and process connections for 1.5 hours. When the
Sidewinder G2 is 30 minutes from the shutdown time, it will stop accepting new
connections and existing connections will have 30 minutes to complete. After
the soft shutdown period completes, the Sidewinder G2 will shutdown and will
be unavailable until it is rebooted.
The soft shutdown feature is specified via command line. If you schedule a
shutdown using the Admin Console, the default soft shutdown time will be
applied. The following bullets provide examples of configuring an HA cluster
Sidewinder G2 for shutdown:

Chapter 17: High Availability
Managing an HA cluster
• If you want the soft shutdown process to begin immediately, use the
following command (the Sidewinder G2 must be shutdown or manually
rebooted once the soft shutdown process is complete):
cf failover softshutdown
• To configure soft shutdown to occur for a specific amount of time, as
follows:
shutdown -s [soft_shutdown_time] [shutdown_time]
The soft_shutdown_time specifies that amount of time that soft shutdown
will occur. The shutdown_time specifies the time at which the
actual shutdown will occur. Each variable can be specified either as a number
of minutes or as an exact date and time. If you are specifying the number
of minutes, you must include a plus (+) sign in front of the minutes.
For example, if you want the Sidewinder G2 to shutdown on Saturday, June
12, 2004 at 11:00 am with a 15 minute soft shutdown period, you would
enter the following command:
shutdown -s +15 0406121100
In this case, the soft shutdown process would begin at 10:45 am, and the
Sidewinder G2 would shutdown at 11:00 am on the specified day.
If you want the Sidewinder G2 to begin the soft shutdown at 6:00 am with
an actual shutdown at 6:20 am, you would enter the following command:
shutdown -s 0600 0620
Note: For a complete listing of shutdown options, refer to the shutdown man
page.
You can cancel a scheduled shutdown at anytime prior to the final 30 minute
period by entering the shutdown -c command. However, once the Sidewinder
G2 has entered soft shutdown mode, this command will no longer cancel the
soft shutdown process. When the soft shutdown process is complete, you will
need to reboot the Sidewinder G2 before it will properly function as part of the
HA cluster.
Connecting directly to a secondary/standby
When you have an HA cluster configured, most areas for each Sidewinder G2
are managed by connecting to the HA cluster address. However, if your
Sidewinder G2s are configured for secure split SMTP mail and/or hosted DNS,
you will need to connect directly to the secondary/standby to manage those
areas. (You can still manage the primary for these areas by connecting to the
HA cluster.)
To connect directly to a Sidewinder G2 that is part of an HA cluster, do the
following:
511

Chapter 17: High Availability
Managing an HA cluster
512
1 In the Admin Console, add the Sidewinder G2 to which you want to
connect. See “Adding a Sidewinder G2 to the Admin Console” on page 20.
Be sure to use the Sidewinder G2’s actual IP address, not the common IP
address.
2 Connect directly to that Sidewinder G2, and make the necessary changes.
When you connect directly to a Sidewinder G2 that is part of an HA cluster, a
warning message will appear explaining that any changes you make may be
overwritten by the cluster configuration. Modifications made to the SMTP and/
or DNS areas will not be overwritten if you have configured secure split SMTP
mail and/or hosted DNS.

18
CHAPTER
Monitoring
In this chapter...
Monitoring Sidewinder G2 status using the dashboard................514
Viewing device information...........................................................515
Viewing network traffic information...............................................518
Viewing IPS attack and system event summaries........................521
Monitoring Sidewinder G2 status using the command line ..........525
513

Chapter 18: Monitoring
Monitoring Sidewinder G2 status using the dashboard
Monitoring
Sidewinder G2
status using the
dashboard
514
Figure 208: The
dashboard
The Admin Console allows you to monitor status information on your
Sidewinder G2 using its dashboard. The monitord server records data about
the system and traffic status. Auditbots detect packets and traffic patterns that
may be of interest to administrators. The dashboard gathers this data from
those and other Sidewinder G2 components and provides a centralized view of
important system and audit data. This window displays summary data and
specific audit events.
For additional audit information, see Chapter 19.
The dashboard allows you to monitor the following Sidewinder G2 areas:
• Device information (version, uptime, configuration state, etc.)
• Network traffic (active VPN and proxy sessions, interface status, etc.)
• Recently detected attack activity
• System events (hardware and software failures, log overflows, etc.)
You can set this information to refresh automatically or on demand.
When you log into the Admin Console, the dashboard displays. To view the
dashboard at any other time, click the top node of the tree labeled
sidewinderg2 Dashboard. A window similar to the following appears.

About the
dashboard
Viewing device
information
Figure 209: Dashboard:
Device Information area
Chapter 18: Monitoring
Viewing device information
The dashboard allows you to monitor various Sidewinder G2 areas. It displays
statistics recorded since the last reboot. From the dashboard, you can:
• Monitor Sidewinder G2’s status — Monitor general system information,
what traffic is passing through the Sidewinder G2, and system and attack
events. For more information on each area, see the following sections:
– “Viewing device information” on page 515
– “Viewing network traffic information” on page 518
– “Viewing IPS attack and system event summaries” on page 521
• View additional information — Learn more about any given area by
clicking the appropriate link or magnifying glass .
• Change the refresh rate — Indicate how often the dashboard will refresh by
using the Refresh Rate field. Valid values range from 30 seconds to 30
minutes. There is also a Manual Refresh option. The default is 5 minutes.
When you modify the refresh rate, the change will not take effect until the
next scheduled refresh time. To make the change take effect immediately,
change the refresh value and click the Refresh icon.
• Launch the State Change Wizard — Start the State Change Wizard by
clicking the Change link.
• Disconnect — Disconnect the current Admin Console session by clicking
the Disconnect button.
The dashboard’s Device Information area, shown in Figure 209, displays basic
system information. The device information that this area monitors includes:
the Sidewinder G2’s host name, the amount of time since the last reboot, the
Sidewinder G2’s date and time, the current Sidewinder G2 version, the serial
number, and basic system resource date for the whole system, with the option
to view process-specific data as well.
515

Chapter 18: Monitoring
Viewing device information
516
Figure 210: System
Resources: Process Use
tab
About the System
Resources: Process
Use tab
In this area, you can do the following:
• Click Change to change this Sidewinder G2’s state. This starts the State
Change Wizard. Use the wizard to create a cluster, join an existing cluster,
or join an enterprise (also known as registering to a G2 Enterprise
Manager).
Tip: Before using the State Change Wizard, determine if your Sidewinder G2 is
prepared to change its state. Refer to the ”One-To-Many Clusters” chapter and
the “High Availability” chapter in the Sidewinder G2 Administration Guide, and
the “Managing Registered Sidewinder G2s” chapter in the G2 Enterprise
Manager Administration Guide for more information.
• Click System Resources to view process use and disk use information.
Both tabs appear in a separate pop-up window.
• Receive feedback that a system resource may be experiencing trouble. If
the value turns red, the memory or disk may be getting too full and requires
attention. Click System Resources to view more information.
This tab displays the status of each process that is currently running on this
Sidewinder G2. It provides the following details for each process:
• Process — This column displays the name of each running process.
• CPU — This column displays the percentage of CPU currently being used.
• Process Size — This column displays the amount of memory a process is
using.
• Resident Memory — This column displays the amount of physical memory
a process is using.
On this window, you can do the following:
• Click Refresh to update this tab’s data.
• Click the Disk Use tab to view a disk usage snapshot. The window shown in
Figure 211 appears.
• Click Close to close this window.

Figure 211: System
information: Disk Use tab
About the System
Information: Disk
Use tab
Chapter 18: Monitoring
Viewing device information
This tab displays how much of the Sidewinder G2’s hard disk space is currently
being used. It provides the following details for each disk partition:
• Mounted On — This column displays the name of each disk partition.
• Percent Used — The column displays the percent of that partition being
used.
• Used — This column displays the amount of a given partition being used.
• Available — This column displays the amount of disk space available for
use in the given partition.
• Description — This column displays a description of the disk partition.
On this window, you can do the following:
• Click Refresh to update this tab’s data.
• Click the Process Use tab to view a process usage snapshot. The window
shown in Figure 210 appears.
• Click Close to close this window.
517

Chapter 18: Monitoring
Viewing network traffic information
Viewing network
traffic
information
518
Figure 212: Dashboard:
Network Traffic area
The dashboard’s Network Traffic area, shown in Figure 212, displays
information on network traffic passing through the Sidewinder G2. View
information such as number of interfaces up and receiving traffic, number of
active IP Filter rules, number of active VPN sessions, and number of active
proxy connections.
Use this area of the dashboard to monitor the following:
• Interface Status — Displays the status of all physical and VLAN interfaces
in the Sidewinder G2 and the total number of inbound/outbound bytes
processed since startup.
Click Interface Status to view additional information about each interface.
See “About the Network Traffic: Interface Status window” on page 519 for
more information.
• IP Filter Sessions — Displays the number of IP Filter sessions that are
currently open on this Sidewinder G2. An IP Filter rule must have Stateful
Packet Inspection enabled to create a session.
• VPN Sessions — Click VPN Sessions to view additional information about
configured VPNs. See “About the Network Traffic: Active VPNs window” on
page 519 for more information.
• Proxy Connections — This area lists each proxy that is currently passing
traffic and the number of instances.
Click Proxy Connections to view additional information about current proxy
connections. See “About the Network Traffic: Proxy Connections window”
on page 520 for more information.

Figure 213: Network
Traffic: Interface Status
window
About the Network
Traffic: Interface
Status window
Figure 214: Network
Traffic: Active VPNs
window
About the Network
Traffic: Active VPNs
window
Chapter 18: Monitoring
Viewing network traffic information
This window provides traffic information for each of the physical and VLAN
network interfaces on this Sidewinder G2.
• Interface — Displays the name of the interface
• IP Address — Displays the IP address assigned to that interface
• Status — Displays if the interface’s status is up (ready for an active network
connection) or down (will not accept an active network connection)
• Connected — Displays Connected if Sidewinder G2 detects an active
network connection and Disconnected if it does not
You can also view this information at a command line interface by typing
netstat -is.
When you are finished viewing the status, click Close.
This window allows you to monitor the status of all configured VPNs. The
statuses include:
• Idle — No active session.
• Active — One or more VPNs have active sessions established for this
VPN.
Click Refresh to update the information. Click Close to return to the main
window.
519

Chapter 18: Monitoring
Viewing network traffic information
520
Figure 215: Network
Traffic: Proxy
Connections window
About the Network
Traffic: Proxy
Connections
window
Figure 216: Network
Traffic: TCP State
Information window
About the Network
Traffic: TCP State
Information window
This window allows you to monitor the type and number of active proxy
sessions going through Sidewinder G2. Information provided includes:
• Name — Name of the proxy passing traffic
• Count — Number of current instances
On this window, you can:
• Click Refresh to update the information.
• Click Close to return to the main window.
This window allows you to monitor the various states of the TCP proxy
connections going through Sidewinder G2. Information provided includes:
• TCP State — Indicates the different possible states of a TCP connection
• Count — Number of TCP sessions
• Description — Describes the TCP state
On this window, you can:
• Click Refresh to update the information.
• Click Close to return to the main window.

Viewing IPS
attack and
system event
summaries
Chapter 18: Monitoring
Viewing IPS attack and system event summaries
The statistics summary area of the dashboard displays a summary of the audit
events Sidewinder G2 detects. By default, Sidewinder G2 audits packet and
traffic patterns it assumes to be an attack. It also audits system events
administrators tend to consider important. Each predefined audit event is
related to a severity. The dashboard summarizes the audit events for a given
time frame, providing administrators a quick overview of audit activity. View
additional details by clicking the magnifying glasses, links, and audit rows.
Understanding audit event severities
IPS attack audit events are based on anomaly detection. They are not
necessarily detecting a specific attack attempt, but are detecting unexpected or
suspicious deviations from allowed packets and patterns. The severities
represent the assumed risk to the Sidewinder G2 and its protected system if
the attack had not been blocked. For example, an attack event generated by a
commonly occurring packet that is used to gather information is considered a
warning. An attack event made up of packets that appear to be crafted and, if
not blocked, could crash a vulnerable system are considered severe or critical.
Administrators should immediately investigate all critical attacks. Table 30
defines each severity in more detail.
Table 30: Definitions of IPS attack event severities
Severity Definition
Critical Indicates activity that is definitely an attack and that could have
significantly affected a protected system had it not been
prevented.
At the command line, these audit events are classified as
emergency, alert, critical, and fatal priorities.
Severe Indicates activity that represents a likely significant attack or
policy violation.
At the command line, these audit events are classified as a
major priority.
Warning Indicates activity that may be an attack or information
gathering, or that represents a minor attempted violation of the
site security policy (for example, attempting to use a restricted
FTP command).
At the command line, these audit events are classified as
minor or trivial priorities.
521

Chapter 18: Monitoring
Viewing IPS attack and system event summaries
522
Figure 217: Summary statistics area
System audit events are generated by expected and unexpected system
behavior. The severities are generally based on the type of action, if any, an
administrator should take in response to the event. Whereas a critical event
generally requires immediate investigation, a warning generally requires no
action from the administrator. Table 31 defines each severity in more detail.
Table 31: Definitions of system event severities
Severity Definition
Critical Indicates that a system component or subsystem stopped
working, that the system is going down (expectedly or
unexpectedly), or that the system is not expected to work again
without intervention.
At the command line, these audit events are classified as
emergency, alert, critical, and fatal priorities.
Severe Indicates something is occurring in the system that an
administrator should know.
At the command line, these audit events are classified as a
major priority.
Warning Indicates something is occurring in the system that an
administrator might want to know or might consider trivial.
At the command line, these audit events are classified as minor
or trivial priorities.
Viewing the summary statistics
The summary statistics areas is located in the lower portion of the dashboard.

Figure 218: Attacks by
Service window
About the Attacks
by Service window
In this area, you can:
Chapter 18: Monitoring
Viewing IPS attack and system event summaries
• Change the displayed statistics based on time period by selecting different
options in the Display summary statistics for drop-down list. The range of
options vary depending on the Sidewinder G2’s uptime.
• View audit data for any system event or attack category by clicking the
magnifying glass .
• View a snapshot of all attacks listed by service by clicking
Attacks by Service. See “About the Attacks by Service window” on page
523 for more information.
• View and save attack audit data by clicking Most Recent IPS Attacks.
• View an individual audit record by double-clicking that audit event’s row.
See “About the Audit Record window” on page 524 for more information.
Use this area of the dashboard to monitor the following:
• System events by severity — Lists system audit events according to
severity
• Attacks by severity — Lists audit attack events according to severity
• Attacks by service — Lists audit attack events according to service
• Most recent IPS attacks — Displays the audit events for recent attacks
Note: Use the Admin Console’s IPS Attack Responses and System Event
Responses to determine how Sidewinder G2 reacts to different audit events. For
more information, see the “IPS Attack and System Event Responses” chapter.
This window displays audit of suspect traffic. Information provided includes:
• Name — Name of the service being attacked
• Count — Number of attack instances
On this window, you can:
• Click Refresh to update the information.
• Select a service and click Show Audit to see the audit output. You can also
view the audit by clicking the magnifying glass on the main window.
• Click Close to return to the main window.
523

Chapter 18: Monitoring
Viewing IPS attack and system event summaries
524
Figure 219: Audit
Record window
About the Audit
Record window
When you double-click an audit event in the table, the detailed audit
information for that attack appears in a pop-up window. The displayed fields
vary, depending on the audit type. In general, the data in an audit message is a
tag name followed by a colon and the tag’s value. The following table provides
examples and descriptions of fields that may appear in an audit record.
More information on audit fields is available using acat -c |more at a
command line interface and in the Sidewinder Export Format application note
at www.securecomputing.com/goto/appnotes.
Table 32: Audit data field examples
Tag Description
facility The event facility code for the event that audited the message,
such as the kernel or FTP
area The area in the facility that audited the message, such as
a_nil_area or a_proxylib
type The event type code, such as t_attack
category The event category code, such as c_policy_violation
priority The event priority, such as p_major
*id IDs that may appear include the process ID (pid), the real user
ID (ruid), the effective user ID (euid), the process family ID (fid)
and login ID (logid)
srcservice/
destservice
srcburb/
destburb
The source or destination service name (/etc/services)
The source or destination burb number
reason The reason the Sidewinder G2 generated an audit record

Monitoring
Sidewinder G2
status using the
command line
Chapter 18: Monitoring
Monitoring Sidewinder G2 status using the command line
In addition to what is available on the dashboard, you can use the following
commands to check the Sidewinder G2’s system and network status.
Checking system status
Using the commands described in the sections that follow, you can display
information on the current status of your network connections and take a look
at what is happening on the system.
CPU usage
CPU usage allows you to obtain information on system performance. To view
CPU usage information, enter the following commands at a Sidewinder G2
command prompt:
vmstat
uptime
top
Process status
To view the status of all processes currently running on the Sidewinder G2,
enter the following command at a Sidewinder G2 command prompt:
ps -axd
This information is useful for tasks such as determining which processes are
using a lot of CPU time. The ps command allows you to look at information
about the processes running on the system. This command is a variation on
the standard UNIX process status command in that it includes information on
the Sidewinder G2 domains. To display process information from the UNIX
prompt, enter one of the following commands at a Sidewinder G2 command
prompt:
• To list process information as well as information on the real domains in
which processes are operating, enter the ps -D command. Real domains
control the interaction between one process and other processes.
• To list process information as well as information on the effective domains
in which processes are operating, enter the ps -d command. Effective
domains control the interaction between a process and files.
Note: In most cases, the information displayed for either the real domain (RDOM)
or the effective domain (EDOM) will be the same.
525

Chapter 18: Monitoring
Monitoring Sidewinder G2 status using the command line
526
In addition to the information you normally get with the ps command, you see
domain information similar to the following:
RDOM PID TT STAT TIME COMMAND
Rlg0 7418 p2 IW+ 0:01.30 .u (tcsh)
tcp0 9806 pd Is+ 0:02.05 -tcsh (tcsh)
where:
• EDOM or RDOM — domain name
• PID — process identification number
• TT — terminal line from which the process was initiated
• STAT — current status of the process
• TIME — total amount of CPU time used by the process
• COMMAND — command line used to start the process
Disk usage
To view statistics about the amount of free disk space on a file system, enter
the following command at a Sidewinder G2 command prompt:
df
This information is useful to determine which file systems are using the most
disk space.
who
To view who is currently logged onto your Sidewinder G2, enter the following
command at a Sidewinder G2 prompt:
who
When you use this utility, you can see the user’s login name, console name,
the date and time of their login, and their host name (if it is not a local host).
lloyd console Aug 8 16:12 (rock.foo.bar)
lloyd ttyp0 Aug 7 21:34 (10.1.1.1)

finger
Chapter 18: Monitoring
Monitoring Sidewinder G2 status using the command line
To obtain information about local Sidewinder G2 users, type the following
command at a Sidewinder G2 prompt:
finger
When you use this command, you can find out the user names of people at
your site, the exact terminal they are logged in on, when they last logged in,
and how long they have been logged in.
Login Name Tty Idle Login Time Office Office Phone
lloyd Lloyd Frank *p0 2 Aug 8 16:12 ABC,Inc. 555-1234
lloyd Lloyd Frank *p3 19:03 Aug 7 21:34 ABC,Inc. 555-1234
Checking network status
Using the commands described in the sections that follow, you can display
information on the status of your network connections, routing tables, and
network utilities. These commands can provide “snapshots” of different aspects
of your system with command line outputs.
Note: Output for netstat -i queries will display shared addresses with a plus
(+) sign.
Active network connections
To view the status of any active TCP or UDP connections on the Sidewinder
G2, enter the following command:
netstat -f inet
Active connections/services
To view the status of all sockets on the Sidewinder G2, enter the following
command at a Sidewinder G2 command prompt:
netstat -af inet
Network interfaces
To view the status of the Sidewinder G2’s network interfaces, enter the
following command at a Sidewinder G2 command prompt:
netstat -i -n
527

Chapter 18: Monitoring
Monitoring Sidewinder G2 status using the command line
528
Routing tables
To view the status of the Sidewinder G2 Operational kernel’s available routes
and their status, enter the following command at a Sidewinder G2 command
prompt:
netstat -r
route get
The route get command looks up the route for a destination and displays the
route in the window. To view this information, enter the following command at a
Sidewinder G2 command prompt:
route get ipaddress
The following shows sample output for this command:
route to: rock
destination: rock
gateway: xx.xx.xx.xx
interface: ef2
if address: xx.xx.xx.x
burb: y
flags:
nslookup
The nslookup command queries the DNS database to get all of the
information that is available about a particular address. The output includes the
name and address of the DNS server used to provide the information, the
name of the system you asked about and other data that might be available,
such as where e-mail is delivered for the domain.
To view this information, enter either of the following commands at a
Sidewinder G2 command prompt:
nslookup ipaddress
OR
nslookup hostname
The following shows sample output for this command.
Server: localhost.foo.bar
Address: 10.2.2.2
Non-authoritative answer:
Name: sharon.foo.bar
Address: 10.1.1.1

dig
Chapter 18: Monitoring
Monitoring Sidewinder G2 status using the command line
The dig (Domain Information Groper) command gathers information from
DNS based on an IP address, and obtains the corresponding host name.
dig -x ipaddress any any
; Dig 2.1 homer
;; res options: init recurs defnam dnsrch
;; got answer:
“->>HEADER

Chapter 18: Monitoring
Monitoring Sidewinder G2 status using the command line
530
ping
The ping command checks whether an Internet system is running by sending
packets that the remote system should echo back. As output, ping lists how
much time it took for the message to travel to the other system and back, the
total number of packets sent and received, the percent of packets lost, and the
average and maximum time it took for a round trip. To view this information,
enter the following command:
ping -c 5 ipaddress
traceroute
The traceroute command provides information on the gateways an IP
packet must pass through to get to a destination. As input, the command needs
the host name or IP address of the destination system. It then sends these IP
packets from your Sidewinder G2 to that address. As output, it lists the host
names and IP addresses of each system the packets were handed off to and
how long it took to send each packet back and forth.
To view this information, enter the following command at a Sidewinder G2
command prompt.
traceroute -m 50 -p 33500 ipaddress

19
CHAPTER
Auditing and Reporting
In this chapter...
Overview of the audit process ......................................................532
Auditing on the Sidewinder G2.....................................................533
Logging application messages using syslog ................................548
Generating reports using the Admin Console ..............................551
Generating reports using Sidewinder G2 Security Reporter ........559
Formatting & exporting audit data for use with external tools ......560
531

Chapter 19: Auditing and Reporting
Overview of the audit process
Overview of the
audit process
532
Figure 220: The audit
flow
Monitoring, auditing, reporting, and attack and system event responses are
closely related pieces of the audit process. They function together to provide
information to you about the activity on your Sidewinder G2. On the Sidewinder
G2, you can monitor the status of various processes in real time, view stored
audit information, generate detailed reports, and have Sidewinder G2 respond
to audit events by alerting administrators and ignoring hosts sending malicious
packets. The diagram below demonstrates how these pieces are related in the
audit flow.
Monitoring
Using the Admin Console,
you can monitor Sidewinder
G2 activity and status in
real time using the dashboard.
Auditing
auditd reads /dev/audit
and places the
information into
audit.raw.
This is the recorded
audit stream. This is
now "history" and
contains everything that
might be worth viewing.
Reporting
programs kernel
live audit stream
aka /dev/audit.....
auditd
/var/log/audit.raw
auditdbd
auditdb
auditbotd
auditbotd has a threshold
and can trigger a response
(see Chapter 20).
Using the Admin Console,
you can filter and view
audit information.
This is an SQL database of
information maintained by
auditdbd. It contains all
relevant audit information.
Using Sidewinder G2 Security Reporter,
the Admin Console, or a third-party tool,
you can generate detailed, easy-to-read
reports.

Auditing on the
Sidewinder G2
Chapter 19: Auditing and Reporting
Auditing on the Sidewinder G2
Auditing is one of the most important features on the Sidewinder G2. The
Sidewinder G2 generates audit each time the Sidewinder G2 or any
Sidewinder G2 service is stopped or started. Audit is also generated when any
of the Sidewinder G2’s audit facilities are modified. Other relevant audit
information that is captured includes identification and authentication attempts
(successful and failed), network communication (including the presumed
addresses of the source and destination subject), administrative connections
(using srole), and modifications to your security policy or system configuration
(including all administrator activity, such as changing the system time).
Audit can be viewed and monitored using tools such as Sidewinder G2’s
dashboard, audit viewing and reporting windows, and the off-box Sidewinder
G2 Security Reporter. Sidewinder G2 can also be configured to send alerts for
particular types of audit using IPS Attack Responses and System Event
Responses.
The Sidewinder G2’s audit facilities monitor the state of log files to minimize the
risk of lost data. Log files are compressed, labeled, and stored on a daily basis,
and a new “current” log file is created. Using this mechanism, no audit data is
lost during the storage transition.
The amount of available audit storage space is monitored very closely on the
Sidewinder G2 via the rollaudit and logcheck utilities to monitor the log file size
and rotate log files as needed. (For information on using rollaudit, see
“Rollaudit cron jobs” on page 599. For information on using the logcheck utility,
refer to the logcheck man page.)
There are three main components to the Sidewinder G2 audit process:
• auditd — This is the audit logging daemon. This daemon listens to the
Sidewinder G2 audit device and writes the information to log files. The log
files provide a complete record of audit events that can be viewed by an
administrator. auditd sends all audit data to a binary file called
/var/log/audit.raw.
• auditbotd — The Sidewinder G2 uses a daemon called auditbotd to
listen to the audit device and gather the security-relevant information it
finds. The auditbot daemon tracks these events and uses its configuration
to determine when the data might be indicating a problem and require a
response, such as an attempted break-in. If it does detect an audit event
that has a configured response, Sidewinder G2 responds accordingly. For
more information on configuring IPS attack and system event responses,
refer to Chapter 20.
• auditdbd — This daemon maintains the audit database. auditdbd monitors
the audit stream and sends reporting information to the MySQL database
called auditdb. The auditdbd server is disabled by default.
Important: Reporting services are not available until the auditdbd server is
enabled. For information on enabling the auditdbd server, see “Enabling and
disabling servers” on page 65.
533

Chapter 19: Auditing and Reporting
Auditing on the Sidewinder G2
534
To view a list of audit databases, enter the following command:
cf audit listdb
A list of audit databases appears. The database named auditdb_1 generally
contains the previous day’s information. The database named
auditdb_2 is generally from two days ago, and so on.
Understanding audit file names
The /var/log/audit.raw files contains all audit information and network probe
audits contained on the Sidewinder G2 in a binary format. When the file is
rolled, a timestamp is appended to the file name. The easiest method for
viewing the contents of the audit.raw files is to use the Admin Console’s Audit
Viewing window. Refer to “Viewing audit information” on page 534.
Tip: If you prefer to view the file contents via command line, refer to the
showaudit and acat man pages.
Audit log files use one of two file suffixes:
• *.gz — This suffix is for files in compressed format. These files may be
decompressed using acat or showaudit. The default file name format is
audit.raw.YYYYMMDDhhmmssZZZ.YYYYMMDDhhmmssZZZ.gz, where
the variables represent date and time (including time zone) of the beginning
and end of that audit file’s contents. For example,
20051231020000CST.20060101020000CST.gz is a file that contains audit
data from December 31, 2005 at 2:00 am to January 1, 2006 at 2:00 am.
• *.raw — This suffix is for files in raw audit format. These are binary
formatted files that can be viewed in ASCII format using the Admin Console
or command line.
Viewing audit information
Using the Admin Console, you can view the information contained in the audit
log files. The Admin Console Audit Viewing window allows you to view audit
information in real time, or for a specific time frame that you select. You can
also apply filters to view specific types of audit information within a specific time
frame. To view audit information using the Admin Console, follow the steps
below.
Using the Admin Console, select Audit and Reports > Audit Viewing. The
following window appears.

Figure 221: Audit
Viewing: View Mode tab
About the View
Mode tab
Chapter 19: Auditing and Reporting
Auditing on the Sidewinder G2
This tab allows you to configure the type of audit information you want to view.
You can view the audit events via the Admin Console, or you can export the
audit events to a text file for viewing or printing. Follow the steps below.
1 In the Select a Viewing Mode area, select one of the following:
• Real Time — Select this option and go to step 3 if you want to view
streaming audit in real time.
• Snapshot — Select this option and continue to step 2 if you want to view
audit messages within a specific time frame.
Important: The Audit Data Timespan field (located in the top portion of the
Audit Data window) displays the range of audit data that is available on the
Sidewinder G2 for viewing. If you select Snapshot mode, the audit time frame
you select must fall within this range.
2 [Conditional] If you selected Snapshot mode, specify the start and end time
for the period of audit data that you want to view, as follows:
a Select the start and end months in the corresponding month drop-down
lists.
b Select the start and end years in the corresponding year lists. You can
either use the up and down arrows to advance the time ahead or back,
or you can click in the field and modify it manually.
c Select the start and end days in the corresponding calendars by clicking
the appropriate dates.
d Select the start and end time in the corresponding Time fields. You can
either use the up and down arrows to advance the time ahead or back,
or you can click in the field and modify it manually.
Tip: To set the start date to the earliest available date, click Start of Data. To
set the end date to the current date and time, click Now. The date and time
fields will automatically fill in the correct information.
535

Chapter 19: Auditing and Reporting
Auditing on the Sidewinder G2
536
Figure 222: Snapshot
Audit Data window
3 In the Lines Per Page field, type the number of audit events that you want
available within each page of audit. Valid values are 5–500. For example, if
you select 50 audit events per page, you can scroll through 50 events at a
time.
Use the scroll bar to view all audit events within a page if needed.
4 [Conditional] If you want to set up filtering options for the audit data, select
the Filtering tab and see “Filtering audit data” on page 539.
5 Once you have configured the time frame of audit events, do one of the
following:
• To export the audit information to a text file that you can edit and print,
click Export and see “Exporting audit data” on page 538.
Note: The Export option is only available if you selected Snapshot in step 1.
• To view the results of your audit query in the Audit Data window, click
View. The Audit Data window appears as a separate pop-up window.
About the Audit Data window
This window allows you to view the audit events that you selected in the Audit
Viewing window. Each audit event appears as a single row in the table. Use the
scroll bars to view all of the information in the table. If you selected Real Time
audit data, the table will be grayed out and will populate with audit events as
they happen in real time. You cannot modify the table or events while real time
audit is running.

Chapter 19: Auditing and Reporting
Auditing on the Sidewinder G2
The number of audit events you can scroll through on each page is dependent
on the Lines Per Page value you entered in the Audit Viewing window (see
page 535). For example, if you selected 50 audit events per page, you can
scroll through 50 events at a time. To move to the next 50 events, click Next
Page or Previous Page, accordingly.
When you click an audit event in the table, the detailed audit information for
that audit event is displayed in the bottom portion of the window (it also
appears in the Info column). The following information is displayed in the table:
Note: Some audit types will not contain information for each table column. If a
column is blank, that information does not apply for that particular audit event.
• Time — This row lists the time at which an audit event occurred.
• Type — This row lists the type of each audit event (for example,
Administration configuration change indicates that the audit event
represents a configuration change made on the Sidewinder G2).
• Service — This row lists the service type associated with an audit event.
• Source IP — This row lists the source IP address associated with an audit
event.
• Source Burb — This row lists the source burb associated with an audit
event.
• Dest IP — This row lists the destination IP address associated with an audit
event.
• Dest Burb — This row lists the destination burb associated with an audit
event.
• Info — This row provides detailed audit information associated with an
audit event. (This information is also displayed in the bottom portion of the
window if you click an audit event.)
Ordering the audit event table
Initially, the audit events are listed in chronological order. However, you can reorder
any column alphabetically or numerically by clicking the heading. You
can also right-click a heading to select a default filtering option or create a
custom filter. For information on filtering tables, see “Admin Console
conventions” on page 25.
To view the details of a particular audit event in the real time audit results, you
must first click Stop to end real time audit. This will enable the table and allow
you to use the window as you would if you were viewing a snapshot of audit
events.
Important: If you click Stop when viewing audit events in real time and then click
Start, the table will be cleared and new real time audit events will be displayed as
they happen.
537

Chapter 19: Auditing and Reporting
Auditing on the Sidewinder G2
538
Figure 223: Export Audit
Data window
About the Export
Audit Data window
Saving audit events
To save some or all audit events listed in the Audit Viewing window, do one of
the following:
• To save all of the audit events listed, click Save All. The Export Audit Data
window appears. (Click Browse to specify a location in which to save the
audit information.) To save the information, click Save (or click Save and
View to save the file and launch the file for viewing).
• To save selected audit events, press and hold the Ctrl key while clicking in
the row of each audit event you want to save. When you have selected all
of the audit events you want to save, click Save Selected. The Export Audit
Data window appears. (Click Browse to specify a location in which to save
the audit information.) To save the information, click Save (or click Save and
View to save the file and launch the file for viewing).
Exporting audit data
To export audit data to a text file that can be viewed and printed, click Export in
the Audit Viewing window (or Save/Save and View in the Audit Data window). A
message appears warning you that the export process may take a while,
depending on the number of results you are exporting. Click Yes to continue
the Export process. The Export Audit Data window appears. (If you want to
cancel the export action, click No.)
Tip: If you do not want the warning message to appear each time you export audit
data, select the Don’t Show Dialog Again check box.
This window allows you to export the audit data you specified in the Audit
Viewing or Audit Data window. Follow the steps below.
1 In the Filename field, specify the file name and location for the audit data
you are exporting.
2 To specify the location where the file will be saved, click Browse and select
the desired path.

Figure 224: Audit
Veiwing: Filtering tab
About the Audit
Viewing: Filtering
tab
Chapter 19: Auditing and Reporting
Auditing on the Sidewinder G2
3 In the Export Format area, select one of the following:
• ASCII Audit — Select this option to save the audit information in ASCII
format. This allows you to open the file using any standard text editor,
such as Notepad.
• ASCII Sidewinder Export Format — Select this option if you want to
convert the data into ASCII text and export it in the Sidewinder Export
Format (SEF). This format is used in the Sidewinder G2 Security
Reporter and can also be used with third-party reporting tools.
4 To save the file, select one of the following:
• Click Save to save the file to the specified location for later viewing.
• Click Save and View to save the file to the specified location and launch
the file using a standard text editing program (such as Notepad).
• Click Close to exit the window without saving the file.
Filtering audit data
To filter the type of audit data you want to view, select the Filtering tab in the
Audit Viewing window. The Filtering tab appears.
This tab allows you to configure filters to display or exclude certain types of
audit events. Follow the steps below.
1 In the Audit Types area, select the types of audit events that you want to
view. For descriptions of these filters, see Table 33 on page 540.
To select all of the filters, click Select All. To clear all of the filters and clear
any current selections, click Deselect All.
539

Chapter 19: Auditing and Reporting
Auditing on the Sidewinder G2
540
2 In the Advanced area, you can further refine the filter(s) you selected by
specifying any of the following information:
• Source Burb — Select this option to receive audit events generated by
the source burb.
• Source IP Address — Select this option to receive audit events
generated by the source IP address.
• Number Of Bits — If you selected Source IP, type the number of bits for
the source IP address that you want to filter.
• Destination Burb — Select this option to receive audit events generated
by the destination burb.
• Destination IP Address — Select this option to receive audit events
generated by the destination burb.
• Number Of Bits — If you selected Destination IP, type the number of
bits for the destination IP address that you want to filter.
• Service — Select this option and enter a service name to receive only
audit events generated by that service.
3 To customize the filter expression to view more specialized audit
information, select the Custom check box. For example, if you want to view
HTTP attack audit events for a user named Lloyd, you would type the
following information in this field:
type t_attack and cmd httpp and username Lloyd
You can also use the pre-defined filters as building blocks to create your
own custom filter. To do this, you will need to clear the Custom check box,
select the pre-defined filters that you want to use, and then select the Custom
check box. You can then modify the filter as needed without having to
create it completely from scratch.
You cannot save a customized filter that you create in the Audit Filtering
window. However, you can create and save custom filters using
cf audit. Filters that you create will appear in the filter list when you next
access the Filtering tab.
For detailed instructions on creating custom audit filters, refer to the
sacap_filter man page. See “Creating custom audit filters” on page 544
for more information.
Table 33: Pre-defined audit filters
Attack Description
ACL deny Detects when a connection is denied by a rule in the active
policy.
Access Control List Detects all ACL audit events.
Application
Defense violation
all
Detects attacks of all severities that violate active policy
defined by Application Defenses. This attack category
includes spam filter attacks and keyword filter failure
attacks.
More...

Attack Description
Application
Defense violation
severe
Chapter 19: Auditing and Reporting
Auditing on the Sidewinder G2
Detects when severe attacks violate active policy defined
by Application Defenses, including spam filter reject and
keyword filter reject audits.
DOS all Detects Denial of Service attacks of all severities. This
attack category also detects all severities of TCP SYN
attacks and proxy flood attacks.
DOS severe Detects severe Denial of Service attacks. This attack
category also detects TCP SYN attacks and proxy flood
attacks. Severe attacks indicate something is occurring
that an administrator should know.
HA failover Detects when a failover IP address changes because a
High Availability cluster failed over to its secondary/
standby.
IPFilter deny Detects when a connection is denied by the active IP Filter
policy.
IPSEC error Detects when traffic generates IPSEC errors.
TCP SYN attack Detects a possible attempt to overrun the Sidewinder G2
with connection attempts.
Type Enforcement Detects when there is a TE violation due to an
unauthorized user or process attempting to perform an
illegal operation.
VPN Detects VPN audit events.
all audit Detects all attack and system events, regardless of type.
attack all Detects attack events of all severities. This option also
detects all severities of Application Defense violation
attacks, buffer overflow attacks, DOS attacks, general
attacks, policy violation attacks, protocol violation attacks,
and content security violation attacks.
attack severe Detects severe attacks. This option also detects
Application Defense violation attacks, buffer overflow
attacks, general attacks, DOS attacks, policy violation
attacks, protocol violation attacks, and content security
violation attacks. Severe attacks indicate something is
occurring that an administrator should know.
buffer overflow
attack
Detects attempted buffer overflow attacks targeted at
systems protected by the Sidewinder G2.
config change Detects when the Sidewinder G2’s configuration changes.
More...
541

Chapter 19: Auditing and Reporting
Auditing on the Sidewinder G2
542
Attack Description
content security
violation
content security
violation severe
denied
authentication
Detects attacks of all severities that are content security
violations. This attack category detects spam, keyword
reject, mime virus change, and mime virus reject attacks.
Detects severe attacks that are content security violations.
This attack category detects spam, keyword reject, mime
virus change, and mime virus reject attacks. Severe
attacks indicate something is occurring that an
administrator should know.
Detects when a user attempts to authenticate and enters
invalid data. For example, if a user is required to enter a
password and entered it incorrectly, the denied auth event
would log the event.
error Detects all system events identified as AUDIT_T_ERROR
in the audit stream.
general attack all Detects general attacks of all severities that do not fall into
the pre-defined categories.
general attack
severe
hardware software
failure
host license
exceeded
keyword filter
failure
Detects severe general attacks that do not fall into the predefined
categories. Severe attacks indicate something is
occurring that an administrator should know.
Detects when a hardware or software component fails.
Detects when the number of hosts protected by the
Sidewinder G2 exceeds the number of licensed hosts.
Detects when an SMTP mail message is rejected due to a
configured keyword filter.
license expiration Detects when a licensed feature is about to expire.
log overflow Detects when the log partition is close to filling up.
mime virus Detects when a connection is rejected due to the MIME or
Anti-virus policy.
network probe Detects network probe attacks, which occur any time a
user attempts to connect or send a message to a TCP or
UDP port which has no service.
network traffic Detects all connections that successfully pass through the
Sidewinder G2.
not config change Detects all attack and system events that are not
configuration changes.
More...

Attack Description
Chapter 19: Auditing and Reporting
Auditing on the Sidewinder G2
policy violation all Detects attacks of all severities that violate the active
policy. This attack category also detects all severities of
failed authentication attacks, ACL and IP Filter deny
attacks, and Type Enforcement error attacks.
policy violation
severe
Detects severe attacks that violate the active policy. This
attack category also detects failed authentication attacks,
ACL and IP Filter deny attacks, and Type Enforcement
error attacks. Severe attacks indicate something is
occurring that an administrator should know.
power failure Detects when an Uninterruptible Power Supply (UPS)
device detects a power failure and the Sidewinder G2 is
running on UPS battery power.
protocol violation
all
protocol violation
severe
Detects attacks of all severities that violate protocol
compliance.
Detects severe attacks that violate proxy protocols (HTTP,
Telnet, FTP, etc.). Severe attacks indicate something is
occurring that an administrator should know.
proxy flood Detects potential connection attack attempts. A connection
attack is defined as one or more addresses launching
numerous proxy connection attempts to try and flood the
system. When NSS receives more connection attempts
than it can handle for a proxy, new connections to that
proxy are briefly delayed (to allow the proxy to “catch up”),
and the attack is audited.
spam filter failure Detects when an SMTP mail message is classified as
spam by the spam filtering policy.
syslog Detects all audit attacks and system events created via
syslog.
system all Detects all system events of all severities, including power
failures, hardware and software failures, failover events,
license expiration, host license exceeded, log overflows,
and IPSEC errors.
system critical Detects all critical system events, including power failures,
hardware failures, critical software failures, and failover
events. Critical system events indicate a component or
subsystem stopped working, that the system is going down
(expectedly or unexpectedly), or that the system is not
expected to work again without intervention.
More...
543

Chapter 19: Auditing and Reporting
Auditing on the Sidewinder G2
544
Attack Description
system critical and
severe
Creating custom audit filters
The Custom option in the Filter By field allows you to define a custom filter to
view more specialized audit information. The basic structure includes
specifying:
• The type or facility for which you want to search, using one of the following
formats:
– name (AUDIT_T_TYPE as in AUDIT_T_ATTACK, AUDIT_F_FACILITY
as in AUDIT_F_LOGIN)
– short message (attack, login)
– short message prepended with classification indicator (t_attack, f_login)
Note: This format appears in audit records and is useful when copying or
pasting directly from audit output.
• Additional fields to further specify the audit results. Fields can be separated
by Boolean operators (and, or, not) and grouped by parentheses.
The following examples demonstrate the basic structure used to create custom
audit filters.
Note: Table 34 provides a list of the available fields (for example, facility, type,
service, user, etc.) that you can use to filter your audit search.
Example 1: Filtering for login records
The following example shows the format used to display all system login
records (successful and unsuccessful):
facility f_login
Detects critical and severe system events including power
failures, hardware failures, critical and severe software
failures, failover events, license expiration, log overflows,
and IPSEC errors. Critical system events indicate a
component or subsystem stopped working, that the
system is going down (expectedly or unexpectedly), or that
the system is not expected to work again without
intervention. Severe attacks indicate something is
occurring that an administrator should know.
system shutdown Detects when a UPS is running out of battery power or has
been on battery power for the estimated battery time.
If you want to view login records for a specific user, you would include a user
name, as follows:
facility f_login and username Josephine

Example 2: Filtering for services and users
Chapter 19: Auditing and Reporting
Auditing on the Sidewinder G2
The following example shows the format used to display HTTP network traffic
audit records for a user named Lloyd:
type t_attack and cmd httpp and username Lloyd
where:
• type t_attack — This field will filter audit records for all attack events.
• cmd httpp — This field will filter the attack audit events to include only
HTTP service records.
• username Lloyd — This field will filter the HTTP attack events to include
only events that are specific to actions performed by user name “Lloyd.”
Example 3: Filtering for specific ports and IP addresses
The following example shows the format used to display all network probe
events on port 37337 and subnet 192.168.124.0/24 originating from burbs
3 or 4. Enter text on one line:
type t_netprobe and dst_port 37337 and dst_ip 192.168.124.0/
24 and (src_burb 3 or src_burb 4)
where:
• type t_netprobe — This field will filter audit records for all network probe
events.
• dst_port 37337 — This field will filter the network probe events to include
only records with a destination port of 37337.
• dst_ip 192.168.124.0/24 — This field will filter the network probe events to
include only records with a destination IP address of 192.168.124.0/24.
• (src_burb 3 or src_burb 4) — This information will filter the network probe
events to include only records with a source burb of 3 or 4.
Example 4: Excluding information in a filter
You can explicitly exclude certain types of audit information by placing the word
“not” in front of a field. For example, the custom filter shown below will display
all audit records EXCEPT attack records originating for the source IP address
172.17.9.28:
not type t_attack and src_ip 172.17.9.28
where:
• not type t_attack — This field will exclude any attack-based audit events.
• src_ip 172.17.9.28 — This field will filter the non-attack audit events for
records with a source address of 172.17.9.28.
545

Chapter 19: Auditing and Reporting
Auditing on the Sidewinder G2
Table 34: Custom audit filter fields
546
Field Description
facility Specify an event facility code (such as AUDIT_F_LOGIN, AUDIT_F_PROXY, etc.). For
a complete list of the available facility codes, at a Sidewinder G2 prompt, enter the
srole command and then enter the following command: acat -c | more
type Specify an event type code (for example, type AUDIT_T_NETTRAFFIC). For a
complete list of the available type codes, at a Sidewinder G2 prompt, enter the srole
command and then enter the following command: acat -c | more
category Specify an event category code (for example, AUDIT_C_POLICY_VIOLATION). For a
complete list of the available category codes, at a Sidewinder G2 prompt, enter the
srole command and then enter the following command: acat -c | more
eventid Specify an event identifier code (for example, AUDIT_R_LICEXCEEDED). For a
complete list of the available event identifiers, at a Sidewinder G2 prompt, enter the
srole command and then enter the following command: acat -c | more
pid Specify the process ID of the auditing process.
pgid Specify the process group ID of the auditing process.
ruser Specify the real user ID of the auditing process.
euser Specify the effective user ID of the auditing process.
username Specify a user name.
src_ip Specify the source IP address using the dotted decimal IP version 4 notation, with
optional mask bits separated by a slash (/).
dst_ip Specify the destination IP address using the dotted decimal IP version 4 notation, with
optional mask bits separated by a slash (/).
src_port Specify the TCP or UDP source port.
dst_port Specify the TCP or UDP destination port.
src_burb Specify the source burb number.
dst_burb Specify the destination burb number.
service Specify the type of service (for example, Telnet, FTP, WebProxy, etc.).
vpn_l_gw Specify a VPN local gateway using the standard dotted decimal IP version 4 notation
with optional mask bits separated by a slash (/).
vpn_r_gw Specify a VPN remote gateway using the dotted decimal IP version 4 notation with
optional mask bits separated by a slash (/).

Understanding audit messages
Chapter 19: Auditing and Reporting
Auditing on the Sidewinder G2
When viewing audit messages in the Admin Console, the form may vary
depending on the purpose and content of the message. The form of the first
two lines is the same for all audit messages, and provides general information
about the process generating or causing the audit. The third line will vary, but
usually includes Type Enforcement information and possibly some additional
information. The other lines of an audit message will vary depending on the
type of audit message.
Important: To view audit message files, see “Viewing audit information” on page
534.
Sample audit message
The message below is an example of a Type Enforcement audit message
(using the te_filter filter). The numbers have been added to link the example
line with the bullets below.
(1)Jan 17 08:16:20 2006 CST f_kernel a_tepm t_ddtviolation p_major
(2)pid: 19499 ruid: 100 euid: 100 pgid: 19499 fid: 0 logid: 100 cmd: 'grep'
(3)domain: User edomain: User hostname: myg2.example.com
(4)permwanted: 1 permgranted: 0 srcdmn: User filedom: Admn filetyp: file
(5)file: rc.local OP: 0x2000042 perm wanted: 0x1 perm granted: 0x0
• Line 1 — This line lists the date and time, the facility that audited the
message (such as the Kernel, FTP or Telnet), the location (known as the
area), in the facility that audited the message (such as general area or
Sidewinder G2 library), the type of audit message (such as Domain
Definition Table Type Enforcement violation or access control list) and the
priority of the message (such as major or minor).
Note: Network probe attempts do not contain lines two or three.
• Line 2 — This line lists the process ID, the real user ID, the effective user
ID, the process group ID, the process family ID (Sidewinder G2-specific)
and the command associated with the process ID.
• Line 3 — This line lists the real domain the process is running in and the
effective domain (the domain that the process for which permission is
given). This also lists the system’s host name.
• Lines 4 and 5 — These lines provide nine pieces of data. The fourth line
contains the integer representation of the permissions requested by the
process and granted to the process, the domain of the requesting process,
and the type of file that the process is requesting access to. The fifth line
contains the filen ame and the permissions wanted and granted for the file.
In general, the data in an audit message is a tag name followed by a colon and
the value of the tag. Table 35 contains examples and descriptions of some of
the tags used in audit messages that appear in the audit results window.
547

Chapter 19: Auditing and Reporting
Logging application messages using syslog
Logging
application
messages using
syslog
548
Table 35: Audit data field examples
Name Type Description
srcip 32 bit_integer source IP address
dstip 32 bit_integer destination IP address
srcport 16 bit_integer source port number
srcservice string source service name (/etc/services)
dstport 16 bit_integer destination port number
dstservice string destination service name
(/etc/services)
srcburb 32 bit_integer source burb number
dstburb 32 bit_integer destination burb number
bytes_written_to_
client
bytes_written_to_
server
64 bit_integer number of bytes sent to a client
64 bit_integer number of bytes sent to a server
netsessid 64 bit_integer a network traffic session ID
srchostname string source host name
dsthostname string destination host name
The Sidewinder G2 uses the UNIX syslog facility to log messages sent by
programs running on the system. These messages can be useful in tracking
down unauthorized system users or in analyzing hardware or software
problems. All syslog data is stored in the Sidewinder G2’s audit log files.
Logging is set up to be handled automatically on the Sidewinder G2. As an
administrator, you will not need to intervene unless you want to change
options, such as where log files are stored. Listed below are some basic points
about syslog and how it works on the Sidewinder G2.
Note: Secure Computing recommends that you edit these files only if you are an
experienced UNIX administrator.
• syslog runs as a daemon process called syslogd.
• Each application determines whether it will use syslog and the types of
messages that will be generated. Normally, applications generate
messages of different severity levels, such as informational and critical.

Chapter 19: Auditing and Reporting
Logging application messages using syslog
• The syslog configuration file, /etc/syslog.conf, specifies what syslogd
should do with messages that are sent to it. You can specify what should be
done with each type of message. For example, you might choose to discard
informational messages and store more important messages in a file. In
addition, you can choose to send messages that may require immediate
attention directly to a specific user’s screen or to send output to a different
system on the network. You can edit the configuration file if you want to
handle messages differently or send files to different locations. See the next
section and the syslog.conf man page for details.
• Hackers will often try to edit syslog files to cover any evidence of their
break-ins. The Sidewinder G2 uses Type Enforcement to protect the syslog
files from being modified by unauthorized users.
• A copy of the syslog data is sent to the Sidewinder G2 audit log files.
• The log files generated by syslogd can get large and start using a lot of
hard disk space. To solve this problem, the log files on the Sidewinder G2
are periodically rotated. See “Understanding automatic (cron) jobs” on page
598 for more information on file rotation.
Redirecting audit output to a syslog server
If you would like other systems, such as the Sidewinder G2 Security Reporter,
to generate and display reports based on the Sidewinder G2’s log files, you
can configure the Sidewinder G2 to send audit output to a syslog server.
Redirect audit output to a syslog sever by doing the following:
1 Using a file editor, open /etc/sidewinder/auditd.conf.
2 Specify what type of logging to send to the syslog server by adding the
following line to the end of the file:
syslog (facility filters[“filter”] format)
where
• facility = information associated with a syslog message. You can
use ‘local0’ through ‘local7’ as names for the facility; they are predefined
in syslogd. In the next step, make sure to use the same facility
you entered in this step.
• filter = name of sacap filter to use in the output. Output all audit
information by using [“NULL”].
• format = output format. If using Sidewinder G2 Security Reporter, enter
sef as the format.
For example, use syslog (local0 filters[“NULL”] sef) to configure
syslog to use the Sidewinder Export Format (SEF).
3 Save the changes and close the file.
4 Open /etc/syslog.conf.
549

Chapter 19: Auditing and Reporting
Logging application messages using syslog
550
5 Specify the IP address of the syslog server by adding the following line:
facility.* @x.x.x.x
where facility matches the facility in step 2 and x.x.x.x is the syslog
server’s IP address.
6 Save the changes and close the file.
7 Look up syslog’s process ID by entering the following command:
pss syslog
8 Implement the changes by restarting the syslogd and audit processes,
using the following commands:
kill -HUP syslogpid
cf server restart auditd
The Sidewinder G2 will now send audit data to a syslog server.
Viewing syslog messages
To view syslog messages, display the following files:
/var/log/messages
/var/log/daemon.log
The following illustrates sample Logfile Messages:
Mar 25 14:05:41 MyFirewall kernel: ef0: interfaces: AUI,
10Base2
Mar 25 14:05:41 MyFirewall kernel: ef0: rxf=5119 txf=3068
Mar 25 14:05:41 MyFirewall kernel: ef1 at isa0 iobase 0x300
Mar 25 14:05:41 MyFirewall kernel: ef1: 3C509-COMBO, ASIC
rev 2
Mar 25 14:05:41 MyFirewall root: Configuration changed
Important: If you receive a message “Response from unexpected source,” it
usually indicates name service responses sent by multihomed servers. Some
multihomed servers select the wrong source IP address when sending the
response. When the Sidewinder G2 receives the response, it ignores it and logs a
message in /var/log/messages. The example below displays what you would see in
the syslog when this happens.
Aug 31 12:57:56 shore named (1) [85]: Response from
unexpected source ([192.55.214.1].53)
Aug 31 12:57:57 shore named (1) [85]: Response from
unexpected source ([199.199.125.108].53)
Aug 31 13:03:51 shore named (1) [85]: Response from
unexpected source ([204.52.248.130].53)

Generating
reports using the
Admin Console
Chapter 19: Auditing and Reporting
Generating reports using the Admin Console
The Sidewinder G2 Reports window in the Admin Console allows you to
generate commonly used reports based on pre-defined report formats, such as
administrative user connections, network probe attempts, traffic information,
and active rule (ACL) usage, to name a few.
The report information that is displayed is pulled from the audit database.
When audit events are generated, information relevant to each event (such as
a date and time, process identification information, user identity, and address
information) is automatically appended to the audit information to help an
administrator identify and categorize the audit data that is stored. If the report is
comprised of numerous areas, the information in the report is appropriately
categorized for ease of viewing.
For example, if you run the traffic report, you will receive a summary of the
various types of proxy traffic as follows: service, source host, destination, and
user. If you want to view only traffic generated by users, you could instead run
the user_traffic report to view only a summary of all user traffic.
You can further refine your results by running the user_activity report and
specify a single user whose activity you want to view. When you run the
user_activity report, you will receive a detailed report of all of that user’s
system activity, organized into sections (such as general traffic, root access
attempts, rule violations, and so on). The information contained in a report will
depend on the time frame you specify.
Note: To view reports using a command line interface, see the cf_reports man
page.
To generate reports using the Admin Console, select Audit and Reports >
Reports. The following window appears.
Important: You must enable the auditdbd server before you can generate reports.
See “Enabling and disabling servers” on page 65 for information on enabling the
auditdbd server.
551

Chapter 19: Auditing and Reporting
Generating reports using the Admin Console
552
Figure 225: Reports
window
About the Reports window
In this window you can generate commonly used reports based on a predefined
report template. Follow the steps below.
1 In the Report Period field, select the time frame for which you want to run a
report.
2 Select the report you want to run by clicking the appropriate table row. (For
a description of each report, see Table 36 on page 553.)
Tip: You can create custom reports using the cf_reports tool. Any reports you
create using the cf_reports tool will appear in the Report list the next time you
log into the Reports window. For information on creating custom reports, refer to
the cf_reports man page.
3 If you want the report to resolve any IP addresses, select the Resolve IP
Addresses check box.
4 [Conditional] If you are running a host or user activity report, you will need
to enter information in the Template Parameter field as follows:
• Host Activity — When you select the Host Activity report, the Template
Parameter area will become available. In the Host field, enter the host
name or IP address that will be used to generate the report.
• User Activity — When you select the User Activity report, the Template
Parameter area will become available. In the User Name field, enter the
name of the user that will be used to generate the report.
5 Click Run Report. The report results will be displayed in a separate Show
Report window.

Figure 226: Show
Report window
Table 36: Available reports
Report type Description
Chapter 19: Auditing and Reporting
Generating reports using the Admin Console
Note: The reports that you generate in this window are view-only. You are not
able to save or print these reports. If you need to save or print your reports, you
will need to generate them using the command line interface. See the
cf_reports man page for details.
acl_usage This report summarizes proxy rule usage on the system. You can use this report to
determine which proxy rules are being used most frequently.
dest_traffic This report lists proxy information on the destination hosts that the Sidewinder G2
connected to, sorted by the number of bytes transferred. The report lists the destination
host, the service used, the number of kB transferred, and the number of connections
that were made.
Note: This report is automatically generated and e-mailed on a daily basis to the
Sidewinder G2 administrator. See “Viewing administrator mail messages on Sidewinder
G2” on page 350 in Chapter 12 for information on viewing this e-mail.
host_activity This report lists information about a specific host’s activity on the system. This report
provides a section for the traffic generated, root access attempts, services denied, and
user database actions involving the specified user.
host_traffic This report produces proxy information for source host systems on internal and external
networks. You might use this data for tracking which systems have the heaviest traffic
going to and from the Sidewinder G2. The report lists the source host, the number of kB
sent to the server, the number of kB sent to the client, the total number of kB, and the
number of connections that were made.
Note: This report is automatically generated and e-mailed on a daily basis to the
Sidewinder G2 administrator. See “Viewing administrator mail messages on Sidewinder
G2” on page 350 for information on viewing this e-mail.
More...
553

Chapter 19: Auditing and Reporting
Generating reports using the Admin Console
554
Report type Description
http_virus This report provides information on Web viruses that are detected by the Sidewinder
G2. The report includes virus frequency, hits by source address, and detected Web
viruses.
ipf_dest_traffic This report lists IP Filter information on the destination host traffic that the Sidewinder
G2 connected to, sorted by the number of bytes transferred. The report lists the
destination host, the service used, the number of kB transferred, and the number of
connections that were made.
ipf_host_traffic This report produces IP Filter information for source host traffic on internal and external
networks. You might use this data for tracking which systems have the heaviest traffic
going to and from the Sidewinder G2. The report lists the source host, the number of kB
sent to the server, the number of kB sent to the client, the total number of kB, and the
number of connections that were made.
ipf_port_traffic This report lists IP Filter traffic port information that occurred over a specific period of
time.
The report lists each service, the number of kB sent to the server, the number of kB sent
to the client, the total number of kB, and the number of connections that were made.
When a service uses a non-standard port (for example, 8000 or 8010), the service’s
port number will also appear in the Service column.
ipf_traffic This report provides a summary of the IP Filter port, host, and destination reports.
mail_virus This report provides information on mail viruses that are detected by the Sidewinder G2.
The report includes virus frequency, hits by source, and detected mail viruses.
performance This report summarizes utilization information (based on one-hour increments) for CPU
percentage and load average, as well as real, virtual, and mbuf memory usage.
probes_attempted This report lists information about attempts made to connect or send a message to a
Sidewinder G2 port that either has no service associated with it or is associated with an
unsupported service. This report contains a section for probes received in each burb on
the system. The report lists where the probe originated from and how many probes
occurred. The output of this report will be similar to the following:
For each burb, the above report lists the time of the report,
the interval covered by the report, the source host,
destination host, destination port, and the number of probes
generated by this source/destination host pair. Up to five
destination port values are displayed.
Depending on how you have set up your auditing configuration, you may have already
been notified of these probe attempts. If you were not notified, you may want to change
your auditing options as described in Chapter 16.
Note: This report is automatically generated and e-mailed on a daily basis to the
Sidewinder G2 administrator. See “Viewing administrator mail messages on Sidewinder
G2” on page 350 for information on viewing this e-mail.
More...

Report type Description
Chapter 19: Auditing and Reporting
Generating reports using the Admin Console
http_virus This report provides information on Web viruses that are detected by the Sidewinder
G2. The report includes virus frequency, hits by source address, and detected Web
viruses.
ipf_dest_traffic This report lists IP Filter information on the destination host traffic that the Sidewinder
G2 connected to, sorted by the number of bytes transferred. The report lists the
destination host, the service used, the number of kB transferred, and the number of
connections that were made.
ipf_host_traffic This report produces IP Filter information for source host traffic on internal and external
networks. You might use this data for tracking which systems have the heaviest traffic
going to and from the Sidewinder G2. The report lists the source host, the number of kB
sent to the server, the number of kB sent to the client, the total number of kB, and the
number of connections that were made.
ipf_port_traffic This report lists IP Filter traffic port information that occurred over a specific period of
time.
The report lists each service, the number of kB sent to the server, the number of kB sent
to the client, the total number of kB, and the number of connections that were made.
When a service uses a non-standard port (for example, 8000 or 8010), the service’s
port number will also appear in the Service column.
ipf_traffic This report provides a summary of the IP Filter port, host, and destination reports.
mail_virus This report provides information on mail viruses that are detected by the Sidewinder G2.
The report includes virus frequency, hits by source, and detected mail viruses.
performance This report summarizes utilization information (based on one-hour increments) for CPU
percentage and load average, as well as real, virtual, and mbuf memory usage.
probes_attempted This report lists information about attempts made to connect or send a message to a
Sidewinder G2 port that either has no service associated with it or is associated with an
unsupported service. This report contains a section for probes received in each burb on
the system. The report lists where the probe originated from and how many probes
occurred. The output of this report will be similar to the following:
For each burb, the above report lists the time of the report,
the interval covered by the report, the source host,
destination host, destination port, and the number of probes
generated by this source/destination host pair. Up to five
destination port values are displayed.
Depending on how you have set up your auditing configuration, you may have already
been notified of these probe attempts. If you were not notified, you may want to change
your auditing options as described in Chapter 16.
Note: This report is automatically generated and e-mailed on a daily basis to the
Sidewinder G2 administrator. See “Viewing administrator mail messages on Sidewinder
G2” on page 350 for information on viewing this e-mail.
More...
555

Chapter 19: Auditing and Reporting
Generating reports using the Admin Console
556
Report type Description
root_accesses This report contains a list of root access attempts by users who used the srole
command to change roles. This report lists the date that the root access attempts
occurred, the service (srole), the result of the attempt, which domain the user tried to
srole to, and who the user was. This report is generated daily.
service_denied This report lists instances when users were denied access to a service because of the
restrictions you set up in your active rules (also referred to as the Access Control List, or
ACL). The report lists the source and destination hosts, the user, the service that was
denied, and the total number of times a check was made. The meaning of these events
depends on several factors, including your site’s security policies. The report could
indicate that an internal user is trying to access an unauthorized system on the Internet.
It might also indicate a service that internal users need, and you may want to consider
making it available.
Note: This report is automatically generated and e-mailed on a daily basis to the
Sidewinder G2 administrator. See “Viewing administrator mail messages on Sidewinder
G2” on page 350 for information on viewing this e-mail.
service_traffic This report lists proxy information on how often Internet services were used during a
specific period of time. You can use this information to gauge how heavily your
Sidewinder G2 is being used.
The report lists each service, the number of kB sent to the server, the number of kB sent
to the client, the total number of kB, and the number of connections that were made.
When a service uses a non-standard port (for example, 8000 or 8010), the service’s
port number will also appear in the Service column.
Note: This report is automatically generated and e-mailed on a daily basis to the
Sidewinder G2 administrator. See “Viewing administrator mail messages on Sidewinder
G2” on page 350 for information on viewing this e-mail.
traffic This report lists information about a specific host’s activity while using the system. This
report provides a section for the traffic generated, services denied, and probes
generated by the host that was specified.
udb_action This report, made up of two sections, shows the actions performed on the Sidewinder
G2’s user database. One section of the report shows the actions performed on the
system components of the user database. The other section of the report shows the
actions performed on user components of the user database.
The user database report lists the date the action occurred, which user it affects, what
action was made to the database (either an addition, a deletion, or a modification), what
type of data, or class, received the action, and which administrator changed the data.
user_activity This report lists information about a specific user’s activity on the system. This report
provides a section for the traffic generated, root access attempts, services denied, and
user database actions involving the specified user.
More...

Report type Description
Table 37: Auto-generated report
Viewing auto-generated reports
Chapter 19: Auditing and Reporting
Generating reports using the Admin Console
user_traffic This report lists which Internet services are being used and sorts it by the user’s name.
You can use this information to gauge how heavily your Sidewinder G2 is being used.
The report lists each user’s name for each service he/she used on the Sidewinder G2.
Information on users is available only when they authenticate through the Sidewinder
G2 services. A user name of “(null)” is used for traffic that is not authenticated. The
report also lists the number of kB read by each user, the number of kB written by each
user, the total number of kB transferred, and the number of connections for each user.
Note: This report is automatically generated and e-mailed on a daily basis to the
Sidewinder G2 administrator. See “Viewing administrator mail messages on Sidewinder
G2” on page 350 for information on viewing this e-mail.
vpn_traffic This report provides information on each VPN connection established on the
Sidewinder G2. This report lists identifying information, gateways, kBytes transferred,
and the number of connections made for each VPN.
Auto-generated report Description
This section describes a variety of automatically generated reports you can
view using a file editor.
daily system activity This report provides a summary of the /etc/daily script that is automatically run on the
Sidewinder G2 every 24 hours. See “Understanding automatic (cron) jobs” on page
598 for more information on this script and what it does. The report is compiled from
the /var/log/daily.out file, which is generated each time the script is run.
weekly system activity This report provides a summary of the /etc/weekly script that is automatically run on
the Sidewinder G2 every week. See “Understanding automatic (cron) jobs” on page
598 for more information on this script and what it does. The report is compiled from
the /var/log/weekly.out file, which is generated each time the script is run.
monthly system
activity
This report provides a summary of the /etc/monthly script that is automatically run on
the Sidewinder G2 every month. See “Understanding automatic (cron) jobs” on page
598 for more information on this script and what it does. The report is compiled from
the /var/log/monthly.out file, which is generated each time the script is run.
557

Chapter 19: Auditing and Reporting
Generating reports using the Admin Console
558
Generating exportable reports
The Sidewinder G2 allows you to create exportable data files from the report
data your site generates. This allows you to transfer files from the Sidewinder
G2, and load them into a database or spreadsheet application. You can export
data via FTP, e-mail, a diskette, or a DAT.
The report data that you can export from the Sidewinder G2 is located in the
/var/log/export_data directory unless you specify otherwise. The exportable
files include:
• probe_attempt
• acl_denied
• traffic
• root_access
• udb_action
Note: These data files have dates added to them that correspond to the dates the
files were created. Each file contains exportable Sidewinder G2 audit data that
corresponds to what is summarized in the respective Sidewinder G2 reports.
Enter the following commands at the UNIX prompt to generate exportable data
files:
• To create an exportable file in /var/log/export_data based on the previous
day’s audit information:
gen_reports -e -r all
This generates all reports in separate files.
• To create an exportable file in /var/log/export_data based on the latest
(current) traffic audit information:
gen_reports -f filename -r traffic
This generates all traffic reports in separate files with the specified filename
added to the front instead of the cf reports timestamp.

Generating
reports using
Sidewinder G2
Security
Reporter
Figure 227: Sending
data via syslog server to
Sidewinder G2 Security
Reporter
Chapter 19: Auditing and Reporting
Generating reports using Sidewinder G2 Security Reporter
One method for generating and viewing reports of Sidewinder G2 audit output
is the Sidewinder G2 Security Reporter. Security Reporter (also known as
G2SR) provides more advanced reporting capabilities than what is available in
the Admin Console. Enhanced capabilities include:
• Generating reports for multiple Sidewinder G2 from a single user interface.
• Color-coded charts and graphs that are more user-friendly than text-only
reports.
• Reports are available in multiple languages.
• Reports can be accessed without logging into a Sidewinder G2. This is
particularly beneficial for companies that want to let auditors view reports
without giving them Sidewinder G2 administrator accounts.
To use Security Reporter, Sidewinder G2 must be configured to send its log
files in the Sidewinder Export Format (SEF). You can then transfer the audit
data to Security Reporter via a syslog server or FTP. The syslog server path is
shown in Figure 227. For information on sending Sidewinder G2 log files to a
syslog server, see “Redirecting audit output to a syslog server” on page 549.
For information on using FTP to transfer data to the Security Reporter, see
“Formatting & exporting audit data for use with external tools” on page 560.
syslog server syslog server
Sidewinder G2
Security Reporter
*The syslog server and the Security Reporter may be installed on the same system.
Installation and management information is available in the Sidewinder G2
Security Reporter Administration Guide and Release Notes. The administration
guide is available at www.securecomputing.com/goto/manuals. For information
on obtaining Sidewinder G2 Security Reporter, contact your sales
representative.
559

Chapter 19: Auditing and Reporting
Formatting & exporting audit data for use with external tools
Formatting &
exporting audit
data for use with
external tools
Table 38: Supported log formats and their uses
560
The Sidewinder G2 provides you with the option to convert audit data into
various formats used by third-party reporting tools. To generate reports based
on the Sidewinder G2 log files, you must format the Sidewinder G2 audit data
and then export those files to the workstation or host that contains the software
needed to generate log reports (for example, Sidewinder G2 Security
Reporter). You can then generate the Sidewinder G2 log reports on that
machine.
Overview of supported log file formats
Table 38 lists the log formats Sidewinder G2 supports, as well as some uses for
each format, commands for generating each format, and other important
information.
Format Use Commands Comments
Sidewinder Export
Format (SEF)
W3C Extend Log Format
(HTTP)
WebTrends Extended
Logging Format (WELF)
Sidewinder G2
Security Reporter,
various third-party
tools
various third-party
reporting tools
WebTrends®
reporting tools
acat -X
cf export type=sef
acat -H
cf export type=http
acat -W
cf export type=wt
SEF is the preferred format
when exporting logs to
Sidewinder G2 Security
Reporter. More format
information is available at
www.securecomputing.com/
pdf/sg2_sef_an.pdf.
If using this format, set the
audit level on the
appropriate HTTP proxy
rules to Informational
(Rules > New/Modify >
General tab).

Chapter 19: Auditing and Reporting
Formatting & exporting audit data for use with external tools
Using Sidewinder G2 formatting and exporting tools
You initiate the formatting and exporting process on the Sidewinder G2 using
acat or the Sidewinder export utility (cf export). These tools allow you to
format raw audit data collected by the Sidewinder G2 into SEF, WELF, HTTP,
Squid, or generic (gen) files.
Using acat
acat converts data, but does not export it. To format Sidewinder G2 audit data
using acat, follow the steps below.
1 Using a command line session, log into the Sidewinder G2 and type the
following command to switch to the admn role:
srole
2 Change directories so that your present working directory (pwd) is where
you want the converted files saved.
3 To convert your logs to an exportable format and save them to a file, enter
the following command:
acat -X /var/log/auditfile > filename.format
where
• -X indicates the new format. Use -X for SEF, -H for W3C, and
-W for Webtrends. Note that all of these arguments are capital letters.
• auditfile is the log file to convert.
• filename.format is the new file name and format, such as
audit012006.sef. Formats include sef, http, wt, squid, and gen.
For example:
acat -X /var/log/audit.raw.2006...CST.gz > audit.sef
converts the existing audit file into the SEF format and saves it to a file
named audit.sef.
The specified file is now converted and ready to be manually exported via FTP
or another method.
Using cf export
The cf export utility both converts and exports the specified log files to a
destination host you specify. This utility can also be used to create a cron job
that automatically initiates an FTP export program once every 24 hours. The
FTP export program uses FTP to transfer the export files from the Sidewinder
G2 to the host you specify. The host can be on a trusted network protected by
the Sidewinder G2, or it can be a host that resides somewhere on the Internet.
561

Chapter 19: Auditing and Reporting
Formatting & exporting audit data for use with external tools
562
To format and export Sidewinder G2 audit data using cf export, follow the
steps below.
1 Using a command line session, log into the Sidewinder G2 and type the
following command to switch to the admn role:
srole
2 To configure the export utility, enter the following command on one line:
cf export add type=file_type name=entry_name
host=hostname user=username password=password
targetdir=destination localfile=local_file_path
where:
• file_type = the type of file you want to export (sef, http, wt, squid, or
gen)
• entry_name = the name you want to apply to this configuration entry
• hostname = the host name or IP address to which you are exporting
the files
• username = the user name that will be used for FTP authentication
• password = the password that will be used for FTP authentication to
the destination host
• destination = the directory on the destination host on which you want
the export files placed
• local_file_path = (generic files only) the location of the generic file
3 To export all files that are currently configured and ready to be exported,
enter the following command:
cf export ftp
Tip: To export the current files and previously exported files, enter cf export all.
4 [Optional] To enable a cron job to automatically determine which configured
export files need to be exported, and format and export those files once
every 24 hours (at 2:20 a.m. in most cases), enter the following command:
cf export enable
To disable the automatic cron job process, enter the following command:
cf export disable
The file has now been converted and exported to another system.

20
CHAPTER
IPS Attack and System
Event Responses
In this chapter...
Overview of attack and system event responses .........................564
Creating IPS attack responses.....................................................564
Creating system responses..........................................................572
Configuring new event types........................................................578
Ignoring network probe attempts..................................................578
Sidewinder G2 SNMP traps .........................................................579
563

Chapter 20: IPS Attack and System Event Responses
Overview of attack and system event responses
Overview of
attack and
system event
responses
Creating IPS
attack responses
564
Figure 228: IPS Attack
Response main window
Sidewinder G2 IPS attack responses and system event responses allow you to
monitor your network for abnormal and potentially threatening activities
ranging from an attempted attack to an audit overflow. Using the Admin
Console, you can configure how many times a particular event must occur
within a specified time frame before a response is triggered.
When Sidewinder G2 encounters audit activity that matches the specified type
and frequency criteria, the response you configured for that system event or
attack type determines how Sidewinder G2 will react. Sidewinder G2 can be
configured to respond by alerting an administrator of the event via e-mail and/
or SNMP trap, as well as ignoring packets from particular hosts for a specified
period of time (known as a Strikeback).
Some default attack and system event responses are automatically created on
Sidewinder G2 during its initial configuration. The additional configuration
options you select will depend mainly on your site’s security policy and, to
some extent, on your own experiences using the features. You may want to
start with the default options and make adjustments as necessary to meet your
site’s needs.
Summary and detailed information about the audit events triggering responses
can be found on the dashboard, located on the top node of the Admin Console
tree. For more information about the dashboard, see the “Monitoring” chapter.
IPS (intrusion protection system) attack responses allow you to configure how
Sidewinder G2 responds when it detects audit events that indicate a possible
attack, such as Type Enforcement violations and proxy floods.
To view or configure attack responses, start the Admin Console and select IPS
Attack Responses. The following window appears:

About the IPS Attack
Responses window
Chapter 20: IPS Attack and System Event Responses
Creating IPS attack responses
This window displays the currently configured IPS attack responses. You can
perform the following actions in this window:
• Filter the list of IPS attack responses — To modify the displayed list, rightclick
a column name and select from the current list of filters or create a
custom filter. The list will then display only IPS attack responses of that
type.
• Configure a new IPS attack response — To configure a new IPS attack
response, click New. The Add Attack Response Wizard appears.
• Modify an existing IPS attack response — To modify an existing IPS attack
response, select the appropriate item within the list and click Modify. For
information on modifying specific fields, see “Modifying an IPS attack
response” on page 566.
• Delete an existing IPS attack response — To delete an IPS attack
response, select the list item you want to delete and then click Delete.
• Disable/enable an IPS attack response — The disable and enable options
depend on an IPS attack response’s current status. If one or more
responses with the same status are selected, their status can be changed
to its opposite (for example, if all selected responses are enabled, you may
disable all of them). When multiple responses with mixed statuses are
selected, the only available action is enabling the responses.
• Create the e-mail list to notify in the event of an attack — To create or
modify the list of e-mail addresses to notify if any IPS attack triggers an
alert, click Response Settings. See “Configuring the e-mail settings” on
page 571 for more information.
565

Chapter 20: IPS Attack and System Event Responses
Creating IPS attack responses
566
Figure 229: IPS Attack
Responses: Modify
window
Modifying an IPS attack response
When you modify an IPS attack response, the following window appears.
About the Modify Attack Responses: Attack tab
Use this tab to change this attack response’s attack type. An attack is generally
defined as suspect traffic at either the network or application level. Each attack
type identifies a different attack audit event.
1 Select the attack type for which you want Sidewinder G2 to send out a
response. A complete list is provided in Table 39.
To create additional attack types, see “Configuring new event types” on
page 578.
2 Click OK or the next tab you want to modify.
Note: For descriptions of the audit severities, see “Viewing IPS attack and system
event summaries” on page 521.
Table 39: Descriptions of pre-defined attacks
Attack Description
ACL deny Detects when a connection is denied by a rule in the active
policy.
Application
Defense violation
all
Detects attacks of all severities that violate active policy
defined by Application Defenses. This attack category
includes spam filter attacks and keyword filter failure
attacks.
More...

Attack Description
Application
Defense violation
severe
Chapter 20: IPS Attack and System Event Responses
Creating IPS attack responses
Detects when severe attacks violate active policy defined
by Application Defenses, including spam filter reject and
keyword filter reject audits.
attack all Detects attack events of all severities. This option also
detects all severities of Application Defense violation
attacks, buffer overflow attacks, DOS attacks, general
attacks, policy violation attacks, protocol violation attacks,
and content security violation attacks.
attack severe Detects severe attacks. This option also detects
Application Defense violation attacks, buffer overflow
attacks, general attacks, DOS attacks, policy violation
attacks, protocol violation attacks, and content security
violation attacks. Severe attacks indicate something is
occurring that an administrator should know.
buffer overflow
attack
content security
violation
content security
violation severe
denied
authentication
Detects attempted buffer overflow attacks targeted at
systems protected by the Sidewinder G2.
Detects attacks of all severities that are content security
violations. This attack category detects spam, keyword
reject, mime virus change, and mime virus reject attacks.
Detects severe attacks that are content security violations.
This attack category detects spam, keyword reject, mime
virus change, and mime virus reject attacks. Severe
attacks indicate something is occurring that an
administrator should know.
Detects when a user attempts to authenticate and enters
invalid data. For example, if a user is required to enter a
password and entered it incorrectly, the denied auth event
would log the event.
DOS all Detects Denial of Service attacks of all severities. This
attack category also detects all severities of TCP SYN
attacks and proxy flood attacks.
DOS severe Detects severe Denial of Service attacks. This attack
category also detects TCP SYN attacks and proxy flood
attacks. Severe attacks indicate something is occurring
that an administrator should know.
general attack all Detects general attacks of all severities that do not fall into
the pre-defined categories.
general attack
severe
Detects severe general attacks that do not fall into the predefined
categories. Severe attacks indicate something is
occurring that an administrator should know.
More...
567

Chapter 20: IPS Attack and System Event Responses
Creating IPS attack responses
568
Attack Description
IPFilter deny Detects when a connection is denied by the active IP Filter
policy.
keyword filter
failure
Detects when an SMTP mail message is rejected due to a
configured keyword filter.
mime virus Detects when a connection is rejected due to the MIME or
Anti-virus policy.
network probe Detects network probe attacks, which occur any time a
user attempts to connect or send a message to a TCP or
UDP port that has no service.
policy violation all Detects attacks of all severities that violate the active
policy. This attack category also detects all severities of
failed authentication attacks, network probe attacks, ACL
and IP Filter deny attacks, and Type Enforcement error
attacks.
policy violation
severe
protocol violation
all
protocol violation
severe
Detects severe attacks that violate the active policy. This
attack category also detects failed authentication attacks,
network probe attacks, ACL and IP Filter deny attacks, and
Type Enforcement error attacks. Severe attacks indicate
something is occurring that an administrator should know.
Detects attacks of all severities that violate protocol
compliance.
Detects severe attacks that violate proxy protocols (HTTP,
Telnet, FTP, etc.). Severe attacks indicate something is
occurring that an administrator should know.
proxy flood Detects potential connection attack attempts. A connection
attack is defined as one or more addresses launching
numerous proxy connection attempts to try and flood the
system. When NSS receives more connection attempts
than it can handle for a proxy, new connections to that
proxy are briefly delayed (to allow the proxy to “catch up”),
and the attack is audited.
spam filter failure Detects when an SMTP mail message is classified as
spam by the spam filtering policy.
TCP SYN attack Detects a possible attempt to overrun the Sidewinder G2
with connection attempts.
Type Enforcement Detects when there is a TE violation due to an
unauthorized user or process attempting to perform an
illegal operation.

Chapter 20: IPS Attack and System Event Responses
Creating IPS attack responses
About the Modify Attack Response: Frequency tab
Use this tab to modify the parameters to be met before Sidewinder G2
generates a response. The options are:
• Always respond — Select this option to have Sidewinder G2 respond each
time the attack type specified on the Attack tab occurs.
• Limit responses — Select this option to respond only when the attack
pattern matches the parameters set here:
– Respond if x attacks in y seconds where:
• valid values for x are between 2 and 100000. Sidewinder G2
responds when the x attack occurs.
• valid values for y are between 1 and 100000. This represents a
buffer of y seconds, so Sidewinder G2 checks the current time - y.
For example, if you have configured a response to filter for netprobe
attempts, and you want to trigger an attack response if 5 or more
probe attempts occur within a 30-second period, you would enter
“Respond if 5 attacks in 30 seconds.”
– Reset attack count to zero after responding—After x attacks,
Sidewinder G2 zeroes out its attack counter and waits until another x
attacks occur in y seconds before sending out the next e-mail alert or
SNMP trap. If this option is not selected, the same attacks may be used
to generate additional alerts.
About the Modify Attack Response: Response tab
Use this tab to configure how Sidewinder G2 should respond when the attack
type’s pattern matches the criteria on the Frequency tab. The options are:
• Configure an alert — Sidewinder G2 can send an alert using an e-mail, an
SNMP trap, or both.
– Send e-mail: Select this option to send an e-mail to each e-mail address
listed in the Response Settings area. (Access this list from the main IPS
Attack Response window. Additional information is available in
“Configuring the e-mail settings” on page 571.)
– Send SNMP trap: Select this option to send an SNMP trap to the
location(s) configured for the snmpd server. (Configure the SNMP
server at Services Configuration > Servers > snmpd. Additional
information is available in “Sidewinder G2 SNMP traps” on page 579.)
• [Conditional] If configuring an alert, specify how long Sidewinder G2 should
wait before sending the next e-mail or SNMP trap for the same attack type
by using the Wait x seconds between alerts option.
For example, suppose you configure an alert to trigger when 5 or more
probe attempts occur in a 30-second period, and you instruct Sidewinder
G2 to wait 300 seconds (five minutes) between alerts.
569

Chapter 20: IPS Attack and System Event Responses
Creating IPS attack responses
570
In this configuration, if an intruder launches 5 probe attempts in a 30 second
period, a response is triggered. However, if the intruder sends 5 more
probe attempts during the next 30 seconds, Sidewinder G2 will not send
another alert. However, if the response calls for a Strikeback (see next section),
traffic will continue to be blackholed.
After five minutes, if the threshold is again reached, another alert will be
triggered.
• Configure Strikeback — Sidewinder G2 can blackhole, or ignore, traffic
from a host that is sending suspect traffic.
Caution:Sidewinder G2 blackholes based on source address, as opposed to
traffic type. If you choose to blackhole a host, all traffic from that host will be
ignored.
– Blackhole: Select this option to ignore all traffic from the suspect traffic’s
source(s) for a set time period. The source of the attack is recorded in
the audit event’s attack_ip field. The source of the suspect traffic may
be the connection’s source IP address (a peer or a client) or destination
IP address (if a server is attacking a client). If Sidewinder G2 considers
it likely that the source IP address could have been forged, it will leave
the attack_ip field blank and not blackhole any IP address for this audit
event. The apparent source and destination IP address is still recorded
in the audit event.
If you select the Blackhole option, you must also specify for how long
you want to blackhole traffic.
• Blackhole packets for x seconds where x is a value between 1 and
100000.
Tip: If you find you need to blackhole traffic for more than 100,000
seconds (a little over 24 hours), consider creating an IP Filter deny rule for
that traffic.
– All attacking hosts: Select this option to blackhole all hosts involved in
triggering the alert. For example, if you want an alert after 5 occurrences
in 30 seconds and host A sent 4 occurrences and host B sent 1, all
traffic from hosts A and B would be ignored for the set amount of time.
– Each host responsible for y% of the attacks: Select this option to limit
blackholing on a percentage basis. For example, if you set the
percentage at 50% and host A caused 4 out of 5 attacks and host B
caused 1 out of 5 attacks, only traffic from host A would be ignored.

Figure 230: Attack
Responses: Settings
window
About the Attack
Responses: E-mail
Response Settings
Configuring the e-mail settings
Chapter 20: IPS Attack and System Event Responses
Creating IPS attack responses
To view, add, modify, or delete the e-mail addresses that will receive alerts,
click Response Settings, in the IPS Attack Responses main window’s lowerright
corner. The following window appears:
Use this window to configure the e-mail address list that will receive alerts. For
every triggered attack response that is set to send an e-mail alert, each e-mail
address listed here will receive an alert. You can add, modify, or delete entries
by using the buttons described here:
• New — Click this button to define a new e-mail address to receive attack
alerts. See “About the E-mail Settings: New/Modify window” on page 571
for more details.
• Modify — Select an entry and click this button to modify an existing e-mail
address. See “About the E-mail Settings: New/Modify window” on page 571
for more details.
• Delete — Select an entry and click this button to delete that e-mail address.
About the E-mail Settings: New/Modify window
This window allows you to add or modify an e-mail address for the list of e-mail
addresses to send an alert during an attack response. To change this list, do
the following:
1 In the E-mail address field, either type a new e-mail address or edit an
existing e-mail address.
2 Click OK to return to the Response Settings window.
3 Click OK on the Response Settings window to save your changes.
571

Chapter 20: IPS Attack and System Event Responses
Creating system responses
Creating system
responses
572
Figure 231: System
Responses main window
About the System
Responses main
window
System responses allow you to configure how Sidewinder G2 responds when it
detects audit events that indicate significant system events, such as license
failures and log overflow issues.
To view or configure system responses, use the Admin Console to select
Firewall Administration > System Responses. The following window appears.
This window displays the currently configured system responses. You can
perform the following actions in this window:
• Filter the list of system responses — To modify the displayed list, rightclick
a column name and select from the current list of filters or create a
custom filter. The list will then display only that system responses of that
type.
• Configure a new system event response — To configure a new system
response, click New. The Add System Response Wizard appears.
• Modify an existing system response — To modify an existing system
response, select the appropriate item within the list and click Modify. For
information on modifying specific fields, refer to the following sub-sections.
• Delete an existing system response — To delete a system response,
select the list item you want to delete and then click Delete.

Figure 232: System
Responses Modify window
Chapter 20: IPS Attack and System Event Responses
Creating system responses
• Disable/enable a system response — The disable and enable options
depend on a system response’s current status. If one or more responses
with the same status are selected, their status can be changed to its
opposite (for example, if all selected responses are enabled, you may
disable all of them). When multiple responses with mixed statuses are
selected, the only available action is enabling the responses.
• Create the e-mail list to notify in the event of a system event — To create
or modify the list of e-mail addresses to notify if any system event triggers
an alert, click Response Settings. See “About the Response Settings: New/
Modify window” on page 577 for more information.
Modifying a system response
When you modify a system response, the following window appears.
About the Modify System Responses: Event tab
Use this tab to change this system response’s event type. An event is generally
defined as an important, generally unexpected, change in your system. Each
event type identifies a different set of system changes.
1 Select the event type for which you want Sidewinder G2 to send out a
response. A complete list is provided in Table 40.
To create additional system event types, see “Configuring new event types”
on page 578.
2 Click OK or the next tab you want to modify.
Note: For descriptions of the audit severities, see “Viewing IPS attack and system
event summaries” on page 521.
573

Chapter 20: IPS Attack and System Event Responses
Creating system responses
574
Table 40: Description of pre-defined system events
Event Description
Access Control List Detects all ACL audit events.
all audit Detects all attack and system events, regardless of
characteristics.
config change Detects when the Sidewinder G2’s configuration changes.
error Detects all system events identified as AUDIT_T_ERROR
in the audit stream.
HA failover Detects when a failover IP address changes because a
High Availability cluster failed over to its secondary/
standby.
hardware software
failure
host license
exceeded
Detects when a hardware or software component fails.
Detects when the number of hosts protected by the
Sidewinder G2 exceeds the number of licensed hosts.
IPSEC error Detects when traffic generates IPSEC errors.
license expiration Detects when a licensed feature is about to expire.
log overflow Detects when the log partition is close to filling up.
network traffic Detects all connections that successfully pass through the
Sidewinder G2.
not config change Detects all attack and system events that are not
configuration changes.
power failure Detects when an Uninterruptible Power Supply (UPS)
device detects a power failure and the Sidewinder G2 is
running on UPS battery power.
syslog Detects all audit attacks and system events created via
syslog.
system all Detects all system events of all severities, including power
failures, hardware and software failures, failover events,
license expiration, host license exceeded, log overflows,
and IPSEC errors.
system critical Detects all critical system events, including power failures,
hardware failures, critical software failures, and failover
events. Critical system events indicate that a component
or subsystem stopped working, that the system is going
down (expectedly or unexpectedly), or that the system is
not expected to work again without intervention.
More...

Event Description
system critical and
severe
Chapter 20: IPS Attack and System Event Responses
Creating system responses
Detects critical and severe system events including power
failures, hardware failures, critical and severe software
failures, failover events, license expiration, log overflows,
and IPSEC errors. Critical system events indicate a
component or subsystem stopped working, that the
system is going down (expectedly or unexpectedly) or that
the system is not expected to work again without
intervention. Severe attacks indicate something is
occurring that an administrator should know.
system shutdown Detects when a UPS is running out of battery power or has
been on battery power for the estimated battery time.
VPN Detects VPN audit events.
About the Modify System Responses: Frequency tab
Use this tab to modify the parameters to be met before Sidewinder G2
generates a response. The options are:
• Always respond — Select this option to have Sidewinder G2 respond each
time the event type specified on the Event tab occurs.
• Limit responses — Select this option to respond only when the event’s
pattern matches the parameters set here:
– Respond if x events in y seconds where:
• valid values for x are between 2 and 100000. Sidewinder G2
responds when the x event occurs.
• valid values for y are between 1 and 100000. This represents the
last y seconds, so Sidewinder G2 checks the current time - y.
– Reset event count to zero after responding — After x events,
Sidewinder G2 zeroes out its event counter and waits until another x
events occur in y seconds. If this option is not selected, each
subsequent system event that occurs in y seconds will generate a
response.
For example, if you want to respond to 5 events in 30 seconds, Sidewinder
G2 constantly checks the past 30 seconds. When Sidewinder G2 receives
5 system events in that time frame, it responds according to the Response
tab settings. If it zeroes out after responding, it waits until 5 more events
occur in a 30 second time period before responding again.
575

Chapter 20: IPS Attack and System Event Responses
Creating system responses
576
About the Modify System Response: Response tab
Use this tab to configure how Sidewinder G2 should respond when the event
matches the parameters on the Frequency tab. Sidewinder G2 can send an
alert using an e-mail, an SNMP trap, or both. The options are:
• Configure an alert. Sidewinder G2 can send an alert using an e-mail, an
SNMP trap, or both.
– Send e-mail: Select this option to send an e-mail to each e-mail address
listed in the E-mail Settings area. (Access this list from the main System
Responses window. Additional information is available in “Configuring
the e-mail settings” on page 577.)
– Send SNMP trap: Select this option to send an SNMP trap to the
location(s) configured for the snmpd server. (Configure the SNMP
server at Services Configuration > Servers > snmpd. Additional
information is available in “Sidewinder G2 SNMP traps” on page 579)
• [Conditional] If configuring an alert, specify how long Sidewinder G2 should
wait before sending the next e-mail or SNMP trap for the same system
event by using the Wait x seconds between alerts option. Valid values are
between 0 and 65535.
For example, suppose you configure an alert to trigger when 10 or more
IPSec errors occur in a 60 second period, and you instruct Sidewinder G2
to wait 300 seconds (five minutes) between alerts.
In this configuration, if Sidewinder G2 detects 10 errors in a 60 second
period, a response is triggered. However, if Sidewinder G2 detects 5 more
IPSec errors during the next 30 seconds, Sidewinder G2 will not send
another alert.
After five minutes, if the threshold is again reached, another alert will be
triggered.

Figure 233: System
Responses: Response
Settings window
About the System
Responses:
Response Settings
Configuring the e-mail settings
Chapter 20: IPS Attack and System Event Responses
Creating system responses
To view, add, modify, or delete the e-mail addresses that will receive alerts,
click Response Settings, in the System Responses main window’s lower right
corner. The following window appears:
This window is used to configure the e-mail address list that will receive alerts.
For every triggered system event response that is set to send an e-mail alert,
each e-mail address listed here will receive an alert. You can add, modify, or
delete entries by using the buttons describe here:
• New — Click this button to define a new e-mail address to receive system
event alerts. See “About the Modify System Responses: Event tab” on page
573 for more details.
• Modify — Select an entry and click this button to modify an existing e-mail
address. See “About the Modify System Responses: Event tab” on page
573 for more details.
• Delete — Select an entry and click this button to delete that e-mail address.
About the Response Settings: New/Modify window
This window allows you to add or modify an e-mail address for the list of e-mail
addresses to send an alert to during a system response. To change this list, do
the following:
1 In the E-mail address field, either type a new e-mail address or edit an
existing e-mail address.
2 Click OK to return to the Response Settings window.
3 Click OK on the Response Settings window to save your changes.
577

Chapter 20: IPS Attack and System Event Responses
Configuring new event types
Configuring new
event types
Ignoring network
probe attempts
578
You may decide that you would like to add a customized IPS attack or system
event type to the pre-defined list. New entries can be created using the
command line. Once added, the new event will appear on the appropriate list in
the Admin Console. At that point, you may create new responses for that
event.
To add a new attack or system event type, do the following:
1 Start a command line session with Sidewinder G2 and log in.
2 Use the srole command to switch to the administrator role.
3 Enter the following command, using a single line:
cf audit add filter name=name filter_type=system|attack
sacap_filter=sacap_filter number=int comments=comments
where:
• name = name of the new event type.
• system|attack = type of filter. This option determines if the new event
type will appear on the IPS Response attack type list or the System
Responses event list.
• sacap_filter = string which identifies a sacap_filter expression to use
• int = number of SNMP trap to use. See “Sidewinder G2 SNMP traps”
on page 579 for more information about SNMP traps.
• comments = text that will appear in the Event tab’s Description field.
Refer to the cf_audit and the sacap_filter man pages for information for
configuring event types (referred to as filters) and responses (referred to as
auditbots). Refer to acat -c for a list of current audit events.
If a host on the network attempts to connect to the Sidewinder G2 for a service
that is not running, an audit record is generated and may trigger an alarm. An
ignore list can be set up to ignore unimportant network probe audit events, but
save the audit to keep track of the probe attempts. However, if connection
attempts are frequent and are coming from a trusted network, then it may be
desirable to ignore them completely and not audit the connection attempt by
configuring the appropriate IP Filter rules.

Sidewinder G2
SNMP traps
Chapter 20: IPS Attack and System Event Responses
Sidewinder G2 SNMP traps
To ignore network probes (commonly referred to netprobes), you can create IP
Filter rules to deny connection requests for specific ports. For example, if you
have problems with netbios generating netprobes on the Sidewinder G2, you
can discard them and prevent audit events by creating an IP Filter with the
following key values:
Type: UDP Audit Level: None
Action: Deny Direction: Uni-directional
Source/Dest Burbs: internal Source/Dest: All (subnet 0.0.0.0:0)
Source/Dest Ports: 137
The Sidewinder G2 can cause network probe attempts between services
running on the system. These probe attempts usually indicate one of the
services is responding slowly, and do not show that a problem exists on the
Sidewinder G2. By default, auditing these loopback network probes is
disabled. To turn on auditing for the network probe attempts between services
running on the system, enter the following command in the admin role:
sysctl -w kern.audit_netprobe_loopback=1
Note: If you want to ensure that this remains configured, you should also add this
command to the end of the /etc/rc.local file.
An SNMP trap is an alert message (also known as an alarm message) that is
sent as an unsolicited transmission of information from a managed node
(router, Sidewinder G2, etc.) to a management station. Sidewinder G2 gives
you the option of sending audit alert SNMP traps when an audit event triggers
a response in Sidewinder G2. Pre-defined alert events in Sidewinder G2 are
contained in the 200 range (for example, 201, 202). You also have the option to
create your own custom traps. Custom traps will return messages that contain
numbers 215–225. For a list of available SNMP traps, see the snmptrap man
page.
To configure Sidewinder G2 to send the following pre-defined traps, refer to
“About the Modify Attack Response: Response tab” on page 569 and “About
the Modify System Response: Response tab” on page 576.
• ATTACK_ATTEMPT — This trap is sent when an attack attempt (that is, any
suspicious occurrence) is identified by one of the services on Sidewinder
G2. For example, if the Network Services Sentry (NSS) detects a
suspicious IP address on an incoming connection, it will issue an attack
attempt trap.
• FAILOVER_EVENT — This trap is sent any time a Sidewinder G2 changes
its status in an HA cluster from secondary to primary, or from primary to
secondary.
579

Chapter 20: IPS Attack and System Event Responses
Sidewinder G2 SNMP traps
580
• MAIL_FILTER_FAILURE — This trap is sent when SMTP mail messages
fail a configured mail filter. For example, if a mail message failed the Key
Word Search filter, a mail filter failure event would be logged.
The mail filter map configuration determines what is done with failed messages.
• IPSEC_FAILURE — This trap is sent when IPSec errors exceed the
configured threshold values.
• LICEXCEED_FILTER — This trap is sent when users are denied access
through the Sidewinder G2 due to a user license cap violation.
• LOG_FILE_OVERFLOW — This trap is sent when the Sidewinder G2 audit
logs are close to filling the partition.
• PROBE_ATTEMPT — This trap is sent when network probe attempts are
detected (that is, any time a user attempts to connect or send a message to
a TCP or UDP port that either has no service associated with it or it is
associated with an unsupported service).
To ignore network probe attempts, create an IP Filter deny rule to discard
probes coming from recognized offenders. See “Ignoring network probe
attempts” on page 578 for key values to configure.
• ACCESS_CONTROL — This trap is sent when the number of denied
access attempts to services exceeds a specified number. For example, you
may set up your system so that internal users cannot FTP to a certain
Internet address. If a user tried to connect to that address, the attempt
would be logged as a denial.
• UPS_POWER_FAILURE — This trap is sent when a connected
Uninterruptible Power Supply (UPS) has a power failure and the
Sidewinder G2 is running on UPS battery power.
• PROXY_FLOOD — This trap is sent when potential connection attack
attempts are detected. A connection attack is defined as one or more
addresses launching numerous proxy connection attempts to try and flood
the system. When NSS receives more connection attempts than it can
handle for a proxy, that proxy is briefly stopped (to allow the proxy to “catch
up”) and is then restarted, and an audit event is created.
• DENIED_AUTH — This trap is sent when a user attempts to authenticate
and enters invalid data. For example, if a user is required to enter a
password and entered it incorrectly, the denied auth_filter would log the
event.
Note: This type of event is not logged when an administrator attempts to switch
to an unauthorized role (srole) or enter incorrect login information.
• UPS_SYSTEM_SHUTDOWN — This trap is sent when the Sidewinder G2
has been running on UPS battery power for the estimated battery time.
(See “Configuring the Sidewinder G2 to use a UPS” on page 93 for
additional information on UPS.)

Chapter 20: IPS Attack and System Event Responses
Sidewinder G2 SNMP traps
• SYN_FLOOD_ATTACK — This trap is sent when the Sidewinder G2
encounters a SYN attack.
• TE_VIOLATION — This trap is sent when an unauthorized user or process
attempts to perform an illegal operation on a file on the Sidewinder G2.
• NETWORK_TRAFFIC — This trap is sent when the number of traffic audit
events written by the various proxies (WWW, Telnet, FTP, etc.) going
through the Sidewinder G2 exceeds a specified number in a specified time
period. This information can be useful for monitoring the use of the
Sidewinder G2 services by internal users.
Note: Network traffic thresholds are reported as number of events per second,
and not as number of bytes per second.
• CRIT_COMP_FAILURE — This trap is sent when the Sidewinder G2 detects
that a critical component has failed. For example, this trap occurs when
daemond detects a software module has failed.
• VIRUSMIME — This trap occurs when the number of mail or HTTP
messages that failed the MIME/Virus/Spyware filter exceeds a specified
threshold in a specified time period.
581

Chapter 20: IPS Attack and System Event Responses
Sidewinder G2 SNMP traps
582

A APPENDIX
Command Line
Reference
In this appendix...
Overview of cf...............................................................................584
Summary of cf structure ...............................................................584
Working with files on the Sidewinder G2......................................594
Understanding automatic (cron) jobs ...........................................598
583

Appendix A: Command Line Reference
Overview of cf
584
Overview of cf The cf (configurator) command makes it possible for you to configure various
Sidewinder G2 areas (rules, burbs, DNS, etc.) directly from the UNIX
command line. You can use the cf command as an alternative to the Admin
Console (the Sidewinder G2’s graphical user interface) for performing most
system administration tasks.
Summary of cf
structure
There are several situations when you may want to use the cf command
interface instead of the Admin Console to perform configuration activities. With
cf, you can automate repetitive configuration tasks (for example, adding many
similar rules) by using scripts. Also, cf is useful under circumstances when the
Admin Console cannot be used, such as performing Sidewinder G2
configuration from a text-only terminal. A final benefit of cf is that it provides a
quick and easy way to see how a certain area of your Sidewinder G2 is
currently configured.
Note: cf commands should be run in the Operational kernel (most cf commands
will not function properly in the Administrative kernel).
The following table summarizes the structure of cf, showing the primary
commands available for each area. This table does not show the keywords
available for each Sidewinder G2 area.
The online manual entry (man page) for cf provides a full description of all
areas available in the cf command and the keywords/options associated with
each area.
• To display the man page listing for the cf command, enter:
man cf
• To display the man page listing for a specific cf area, enter:
man cf_areaname
For example, man cf_acl or man cf_interface.
Summary of cf structure
Sidewinder G2 area Commands Area Description
acl add
defrag
delete
export
flushcache
modify
purge
query
repair restore_console_access
set
Use this area to maintain rules on the Sidewinder G2.
More...

Sidewinder G2 area Commands Area Description
adminuser add
delete
modify
set
query
antivirus add
delete
disable
enable
modify
query
set
appfilter add
delete
modify
purge
set
query
audit add
delete
disable
enable
modify
query
listdb
set
burb set
add
modify
start
query
verify
Appendix A: Command Line Reference
Summary of cf structure
Use this area to configure the Sidewinder G2 administrator
database.
Use this area to configure the anti-virus scan engine and
the Sidewinder G2’s scanner service.
Use this area to configure Application Defenses on the
Sidewinder G2.
Use this area to configure audit, including auditbot, e-mail,
pager, filter and strikeback options.
Use this area to configure the Sidewinder G2 burbs and
hostname.
More...
585

Appendix A: Command Line Reference
Summary of cf structure
586
Sidewinder G2 area Commands Area Description
cert add
addsslcert
delete
getcert
getkey
getcrl
modify
updatedbs
view
query
cfg add
delete
modify
query
cmd set
query
config backup
delete
list
query
restore
set
crontab set
query
daemond query
set
dns add
delete
dumpdb
notrace
query
querylog
reload
set
status
stats
trace
Use this area to configure all VPN certificate entries used
by the Sidewinder G2.
Use this area to define custom attributes for your
configuration files.
Use this area to configure the Sidewinder G2 certificate
management daemon.
Use this area to configure the Sidewinder G2 configuration
backup and restore process. (Backs up/restores the
configuration files, not the hard disk.)
Use this area to configure the SmartFilter and package
crontab entries.
Use this area to configure daemond.
Use this area to configure DNS on your Sidewinder G2.
More...

Sidewinder G2 area Commands Area Description
entrelayd reload
status
export add
all
delete
disable
enable
ftp
modify
query
webtrends
failover add
delete
query
reload
reset
restart
set
start
status
stop
gated set
add
modify
delete
validate
query
ikmpd set
query
Appendix A: Command Line Reference
Summary of cf structure
Use this area to configure and manage the entrelayd
server.
Use this area to configure the export utility.
Use this area to configure the failover (High Availability)
service on the Sidewinder G2.
Use this area to configure the gated daemon.
Configure global settings for the ISAKMP daemon.
More...
587

Appendix A: Command Line Reference
Summary of cf structure
588
Sidewinder G2 area Commands Area Description
interface add
modify
delete
detect
up
down
set
status
swap
query
update
ipfilter add
delete
export
modify
purge
query
reload
set
stop
ipsec add
delete
keydump
modify
policydump
query
reload
status
lca add
modify
delete
query
list
revoke
gencrl
getcrl
getcacert
gencert
Use this area to configure the Sidewinder G2 network
interfaces.
Use this area to configure IP filtering for the Sidewinder G2.
Use this area to configure IPSec parameters.
Use this area to configure the local (on-box) certification
authority.
More...

Sidewinder G2 area Commands Area Description
ldap add
delete
modify
query
set
license check
features
firewallID
get
host
read
set
query
msnt add
delete
modify
set
query
mvm import
query
nss enable
disable
modify
query
ntp add
config
delete
modify
enable
disable
set
restart
query
Appendix A: Command Line Reference
Summary of cf structure
Use this area to configure LDAP authentication for the
Sidewinder G2.
Use this area to license this Sidewinder G2 and any
premium features.
Use this area to configure Microsoft NT authentication
servers.
Use this area to configure multi-version management.
Use this area to configure the NSS, which controls access
to all of the transparent and non-transparent proxies, as
well as enable/disable some servers.
Use this area to configure network time protocol (NTP).
More...
589

Appendix A: Command Line Reference
Summary of cf structure
590
Sidewinder G2 area Commands Area Description
package backup
check
contents
description
download
errors
install
list
load_cdrom
load_floppy
log
query
readme
set
verify
password expire
set
query
pool add
delete
modify
query
proxy add
create
delete
destroy
disable
enable
help
modify
query
set
radius add
delete
modify
set
query
Use this area to configure the package download system.
This is used for loading patches.
Use this area to configure the reusable password
authentication method.
Use this area to create and modify client address and entry
pools.
Use this area to configure Sidewinder G2 proxies.
Use this area to configure RADIUS authentication for the
Sidewinder G2.
More...

Sidewinder G2 area Commands Area Description
reports add_query
add_report
delete_query
delete_report
modify_query
modify_report
query
run_report
show_tables
show_aggregates
show_databases
show_groups
show_columns
routed add
delete
query
restart
set
start
stop
safeword add
delete
modify
query
securid install
query
sendmail flush
rebuild
server enable
disable
status
restart
reload
query
smartfilter download
set
query
version
Appendix A: Command Line Reference
Summary of cf structure
Use this area to define, store, and run audit reports.
Use this area to configure RIP processing on the
Sidewinder G2.
Use this area to configure SafeWord authentication for the
Sidewinder G2.
Use this area to configure the reusable SecurID
authentication method.
Use this area to rebuild the sendmail database files.
Use this area to administer servers. This includes
displaying status, enabling/disabling, and restarting/
reloading servers. Configuration of an individual server is
done in its own area (acl, httpd, nss, ntp, snmp, udpproxy).
Use this area to configure SmartFilter.
More...
591

Appendix A: Command Line Reference
Summary of cf structure
592
Sidewinder G2 area Commands Area Description
snk backup-dss
delete
primary-dss
query
set
snmp add
delete
modify
query
restart
set
start
stop
usr2
Use this area to configure the reusable SecureNet Key
(snk) authentication method.
Use this area to configure simple network management
protocol (SNMP).
sshd start Use this area to start the secure shell daemon (sshd)
ssl query
set
sso delete
list
set
query
swede breaklock
defrag
listlocks
repair
override
syncd add
delete
query
set
start
stop
udb add
delete
modify
purge
query
Use this area to configure the Sidewinder G2 SSL
certificates.
Use this area to configure single sign-on authentication.
Use this area to configure the Sidewinder enterprise
database engine.
Use this area to configure the Sidewinder G2
synchronization feature.
Use this area to manage the authentication user database.
More...

Sidewinder G2 area Commands Area Description
ups query
set
warders clearauthfailures
listauthfailures
query
set
www add
delete
set
restart
status
reconfigure
rotate
query
Appendix A: Command Line Reference
Summary of cf structure
Use this area to configure the use of an uninterruptible
power supply with the Sidewinder G2.
Use this area to configure Sidewinder G2 authentication
servers.
Use this area to configure the Web proxy on the
Sidewinder G2.
593

Appendix A: Command Line Reference
Working with files on the Sidewinder G2
Working with
files on the
Sidewinder G2
594
The File Editor is an easy-to-use text editor that is available directly from the
Admin Console. The File Editor simplifies the editing process, enabling you to
perform virtually every necessary editing task from the Admin Console instead
of command line. The File Editor also provides some additional conveniences
such as unique file backup and restore features. Refer to “Using the Admin
Console File Editor” on page 26 for details.
The Sidewinder G2 also supports typical UNIX editors for you to use, including
vi, emacs, and pico.
Important: The pico -w parameter disables word wrapping on lines that contain up
to 256 characters. If you do not include the -w parameter, pico will insert hard
carriage returns after about the 80th column of each line that exceeds 80 columns.
This corrupts certain system files, such as the .conf files. Therefore, when you enter
the pico command, be sure to include the -w parameter. However, be aware that
certain files may contain lines over 256 characters and even using the -w
parameter will not prevent word wrapping.
Changing your default editor
By default, the Sidewinder G2 uses the vi text editor. However, the Sidewinder
G2 also supports the emacs and pico editors.
You can change your default editor by following these steps:
1 Log in at a Sidewinder G2 command prompt.
2 Open the .cshrc file in an editor.
3 Locate the line that reads as follows:
setenv EDITOR editorname
4 Replace the name of the current editor with the name of the one you want
to use.
For example, you might replace vi with emacs.
5 Save the .cshrc file and quit the editor.
The next time you log in, your default editor will be the one you specified in
the .cshrc file.
6 Type the following command at the system prompt to make the change
effective in the current shell:
source .cshrc

About editing Sidewinder G2 files
Appendix A: Command Line Reference
Working with files on the Sidewinder G2
UNIX files are not protected against simultaneous editing by two individuals.
For this reason, an administrator should take care not to make changes to a file
when another administrator is working on it. In the UNIX world, whoever writes
the file last usually prevails. In some cases, file corruption occurs.
For example, if an administrator is editing the server.conf configuration file
using the Admin Console while someone else is using a text editor to change
that file, there may be undesirable results. If two people try editing the same file
using either vi or emacs, however, the editor will warn the users about the
situation.
Also, when editing the Sidewinder G2 configuration files (server.conf,
roles.conf, etc.), be aware of the use of special characters that are used to
format commands within these files. Special characters include double quotes,
single quotes, brackets ([ ]), the pound symbol (#), and parenthesis ( ).
Inadvertently placing special characters in the Sidewinder G2 configuration
files will make the files unreadable to the Sidewinder G2. Enter man
sidewinder.conf at Sidewinder G2 command prompt for details.
Important: Save any scripts you create for the Sidewinder G2 in the /usr/local/bin
directory. If you ever need to upgrade your Sidewinder G2 software, Secure
Computing’s upgrade procedure will automatically save any scripts that reside in
that directory.
Checking file and directory permissions (ls)
As described in Chapter 2, Type Enforcement restricts users to certain roles
and restricts domains to certain files. Under standard UNIX, files and
directories use access controls. Whether you can read, write, or execute a file
depends on the groups you belong to and the permissions set on the file. If you
try accessing a Sidewinder G2 file and are denied, even though the UNIX file
permissions indicate that you have access, Type Enforcement may be
preventing access.
Checking file types
To check Type Enforcement file types, enter the following command:
/bin/ls -aly filename
You will see output similar to the following:
595

Appendix A: Command Line Reference
Working with files on the Sidewinder G2
596
Admn:file filename
File Name
File Type (such as exec, file, conf, util, diry)
Creating Domain
Checking directory types
To check Type Enforcement directory types, enter the following command:
/bin/ls -dy directory_name
You will see output similar to the following:
$Sys:diry directory_name
$Sys indicates that the directory was created in the $Sys domain. This is a
domain used by the operating system for various tasks.
Changing a file’s type (chtype)
Use the chtype command to change a file’s type. Normally, you will be in the
Administrative kernel when changing a file’s type. It is always possible to
change a file’s type in the Administrative kernel rather than the Operational
kernel because the Administrative kernel does not use Type Enforcement. The
Operational kernel uses Type Enforcement, which may prevent you from
changing a file’s type.
There may, however, be situations where it would be convenient to change a
file’s domain while in the Operational kernel without having to boot to the
Administrative kernel. The following procedures describe how to change a file’s
type from either the Administrative or the Operational kernel.
Changing file types in the administrative kernel
To change a file’s type in the Administrative kernel, follow the steps below.
1 Attach a keyboard and monitor directly to your Sidewinder G2 system.
If your system has multiple keyboard/monitor connection ports, you must
attach the keyboard and monitor into the same keyboard/monitor connection
port pair (that is, attach both items to the front connection ports or both
in the back connection ports).
2 Enter the following command at the UNIX prompt:
chtype domain:type filename
For example, entering the command:
chtype Admn:exec myprogram
changes the domain and type for the myprogram file to Admn:exec.

Changing file types in the operational kernel
Appendix A: Command Line Reference
Working with files on the Sidewinder G2
To change a file’s type in the Operational kernel, follow these steps:
1 At a Sidewinder G2 command prompt, log in and enter the following
command to switch to the Admn role.
srole
2 Copy the file you want to change.
cp file1 newfile
3 Delete the original file.
rm file1
4 Change the new file to the target domain and/or file type.
chtype domain:filetype newfile
5 Rename the file.
mv newfile file1
Auditing the use of chtype commands
The Sidewinder G2 audits each failed occurrence of a chtype command.
However, you can also audit successful chtype events. Use the following
commands to enable or disable the auditing of successful chtype commands.
• To enable auditing of successful chtype commands, enter the following
command:
sysctl -w kern.auditchtype=1
• To disable auditing of successful chtype commands, enter the following
command:
sysctl -w kern.auditchtype=0
Note: Whether you enable or disable auditing of successful chtype events,
failed chtype events are always audited.
Creating your own scripts
While operating in either the User or Admn domains, you can create your own
scripts for use on the Sidewinder G2. Scripts created in the User domain will be
executable by the Admn and User domain but no other domain. Scripts created
in the Admn domain will not be executable by anyone until the type is changed
to Admn:scrp using the chtype command.
597

Appendix A: Command Line Reference
Understanding automatic (cron) jobs
Understanding
automatic (cron)
jobs
598
The Sidewinder G2 contains jobs that perform routine maintenance tasks such
as rotating files and cleaning out old files. These jobs are run by the cron
daemon, which reads its configuration file (/etc/crontab) to determine which
jobs to run and when to run them.
The following summarizes each automatic cron job on the Sidewinder G2.
/etc/daily
When enabled, this job runs at 2:00 a.m. each day and performs the following
tasks:
• Tells the operator which file systems need rotating.
• Prints a summary of mail messages to be sent.
• Prints a status of the mounted file systems.
• Reports on system security by checking if files such as password files have
changed.
• Runs daily.local. (This allows you to remove miscellaneous old or junk files
from directories such as /usr and /var/tmp (however, you must first
uncomment the appropriate cleandir command line(s) in /etc/daily.local).
• Rotates the /var/account/acct file.
• Prints a summary of network status.
• Compresses and rotates messages in the mail filtering log directories.
• Sends e-mail if the /var/log directory becomes 85% full and again when it
becomes 100% full.
The output of this job is sent to the /var/log/daily.out file. You can view this
output as described in Chapter 19.
/etc/weekly
This job runs each Saturday at 3:30 a.m and performs these tasks:
• Rotates the access_log and error_log files in /var/log/httpd. These files
exist only if the httpd server is running.
• Runs weekly.local. (This allows you to remove miscellaneous “.o” files from
the /usr/src and /usr/obj directories (however, you must first uncomment the
find command line in /etc/weekly.local).
The output of this job is sent to the /var/log/weekly.out file. You can view this
output as described in Chapter 19.

etc/monthly
Appendix A: Command Line Reference
Understanding automatic (cron) jobs
This jobs runs at 5:30 a.m. on the first day of each month and rotates the
/var/log/wtmp file. The output of this job is sent to the /var/log/monthly.out file.
You can view this output as described in Chapter 19.
Rollaudit cron jobs
There are two /usr/sbin/rollaudit jobs listed in /etc/crontab. The first job
checks the size of various audit and log files daily at 2:00 a.m. The second job
runs each hour and rotates files found to be growing too quickly. When these
jobs run, they check the /etc/sidewinder/rollaudit.conf configuration file to see
which files should be rotated. The following files are checked by rollaudit:
• /var/log/audit.* (the Sidewinder G2 generates reports when these files are
rolled.)
• /var/log/auditd.log
• /var/log/cron
• /var/log/lpd-errs
• /var/log/messages
• /var/log/maillog (This file is rotated once a week. The output is used for the
mail traffic reports described in Chapter 19.)
• /var/log/snmpd.log
You can edit the /etc/sidewinder/rollaudit.conf file to specify how large files are
allowed to get before they are rotated and the maximum amount of time that
should elapse between rotations. See the rollaudit man page for details on
editing this file.
Caution: To avoid serious system problems, do not allow the /var/log partition to
become full. The /sbin/logcheck job will generate an e-mail message warning you if
the /var/log partition becomes 85% full and then again if it becomes 100% full.
Spamfilter cron job
The spamfilter server filter files are updated hourly by the following job:
/usr/sbin/spamfilter_download
Running this cron job is important for keeping anti-spam and anti-fraud
services current.
Note: This cron job is disabled by default.
599

Appendix A: Command Line Reference
Understanding automatic (cron) jobs
600
SmartFilter 3.x cron job
The SmartFilter control list is updated weekly by the following job:
/usr/sbin/smartfilter_auto_download
The system administrator is notified via e-mail whenever the control list is
successfully downloaded. This cron job is only necessary if maintaining
SmartFilter 3.x instead of upgrading to SmartFilter 4.0.2.
Note: This cron job is disabled by default.
Monitor data retrieval cron job
The following cron job retrieves disk utilization information once every minute:
/usr/bin/get_monitor_data
The data gathered from this job is used to generate the performance report.
See Chapter 19 for information on generating audit reports.
Report generating cron jobs
You can use the Admin Console Reporting window to generate the following
reports:
• Root_access, service_denied, and traffic reports.
• A network_probe report.
Note: Daily reports are initially disabled in /etc/crontab. If you want to enable daily
reports, you must first enable the auditdbd server or you will not receive any data.
See “Activating the Sidewinder G2 license” on page 55.
Squid log rotation cron job
The Web proxy server is implemented using Squid, an open source software
program that provides proxy and caching capabilities. Squid’s log files
(access_log, cache_log, and store.log) are rolled over daily using the following
command:
/usr/sbin/cf www rotate

CRL and certificate retrieval cron job
Appendix A: Command Line Reference
Understanding automatic (cron) jobs
The following cron job automatically retrieves certificates and CRLs from
Netscape Certificate Authorities (CAs):
/usr/sbin/cf cert updatedbs
For more information on certificates, see Chapter 14.
Anti-virus DAT file cron job
The following cron job automatically updates the anti-virus DAT file.
/usr/sbin/datupdate
Package download cron job
The following cron job automatically performs package downloads:
/usr/sbin/cf package download
Export utility cron job
The following cron job automatically removes old export data:
/usr/sbin/cf export ftp
Logcheck cron job
The following cron job automatically runs the logcheck utility every five
minutes:
/usr/sbin/logcheck
601

Appendix A: Command Line Reference
Understanding automatic (cron) jobs
602

B APPENDIX
Setting Up Network
Time Protocol
In this appendix...
Overview of NTP ..........................................................................594
Configuring NTP on a Sidewinder G2 ..........................................597
References...................................................................................599
593

Appendix B: Setting Up Network Time Protocol
Overview of NTP
Overview of NTP NTP provides a way to synchronize all clocks on a network, or to synchronize
the clocks on one network with those on another network. You may find NTP
useful in the following situations:
594
Figure 234: NTP serverclient
relationship
• When your internal network includes a system that already provides time
for the rest of your network.
• When, for time-critical services, it is important to synchronize your network
with a more accurate chronometer on an external network.
Important: If exact synchronization is not important to your site, you may ignore
NTP entirely. NTP is not automatically enabled during Sidewinder G2 installation,
and is active only if you configure and enable it as described later in this appendix.
This release of the Sidewinder G2 is compatible with NTP versions 1, 2, and 3.
Version 3 is the preferred version and is the default on the Sidewinder G2.
NTP servers and clients
In NTP, a server is a system that sends a time-feed to another system. (The
server is also referred to as a host.) The receiving system—the one whose
time is being set by the server—is an NTP client.
Consider the simple configuration in Figure 234 showing an NTP time server
with two NTP clients (A and B) in the same network. The NTP server supplies
the time to NTP clients A and B. Using their own NTP software, each client
system must also be set up to receive time from the server.
NTP server
(time source)
Client A Client B
The Sidewinder G2 can be set up as an NTP server or a client. Secure
Computing Corporation recommends that the Sidewinder G2 be set up as an
NTP client, receiving time from an NTP server on your internal network.

Figure 235: Sidewinder
G2 as an NTP client —
internal server provides
time to the Sidewinder G2
and to other internal
workstations (no timefeed
to or from Internet)
The Sidewinder G2 as an NTP client
Appendix B: Setting Up Network Time Protocol
Overview of NTP
Figure 235 shows a common NTP setup. It is the recommended configuration,
with the Sidewinder G2 configured as a client receiving time from a server
labeled “Internal time source.” In this configuration, a server in the internal
network (shown with an analog clock) is the designated time-setter for the rest
of the network. The three other systems in the internal network are also NTP
clients.
internal time source
Internal network
time-feed
Sidewinder G2
By means of NTP, the server automatically maintains the correct time on the
Sidewinder G2 and also maintains the time on other workstations in the
network. The advantages of this setup are the following:
• The internal network does not rely on an external time server and is
therefore not exposed to any security breaches that might conceivably
result. For this reason, this is the configuration recommended by Secure
Computing.
• Since the Sidewinder G2 is not supplying time for other systems but is only
receiving it, this setup has minimal effect on Sidewinder G2 performance.
The Sidewinder G2 as an NTP server
Internet
You can also set up the Sidewinder G2 to be a time-setter for the rest of the
network. The Sidewinder G2 can feed the time to an internal system which in
turn supplies time to your other workstations. The Sidewinder G2 could also be
set up to supply time to the workstations in your network directly. However, this
setup might decrease the Sidewinder G2’s performance, especially if the
Sidewinder G2 has to supply time directly to a number of systems.
595

Appendix B: Setting Up Network Time Protocol
Overview of NTP
596
Figure 236: The
Sidewinder G2 as an NTP
server—external time
servers supply time to the
Sidewinder G2, which
passes time on to the
internal system (multiple
servers provide backup)
As shown in Figure 236, the Sidewinder G2 is receiving time from NTP servers
on an external network and passing the time on to the internal network. This
would be advantageous if your company required constant and precise time
updates to within microseconds of world standard time.
Important: Unlike the previous two configurations, an external-to-internal NTP
configuration may introduce security concerns to the Sidewinder G2 and thus to
your network. Therefore, this configuration is only recommended for sites that need
world standard time.
Note: For the configuration shown in Figure 236, the router must be able to handle
NTP traffic.
time from the
Sidewinder G2
time-feed
internal
network
Router
Servers on external network
supply time to the Sidewinder G2
To pass a clock setting to the internal network, the external side of the
Sidewinder G2 needs to be configured as a client to the external clocks. The
Sidewinder G2’s NTP client then takes the “tick” from the remote clock, and
sends it to the on-board system clock. On the internal side of the Sidewinder
G2, the NTP server is enabled with the clock type set to “local.” This forces the
Sidewinder G2 to look to its internal clock for the time information, and
configured as an internal server, pass the “tick” to the server on the internal
burb interface.
NTP must also be configured on each of the external time servers. For certified
time servers, it is safe to assume that this has already been done correctly.
An external NTP configuration is recommended only for sites that require time
within microseconds of world standard time. This is achieved by configuring
NTP on the Sidewinder G2 to accept time signals from one or more certified
time servers located outside your company network. For a list of certified time
servers, check the following Web site:
http://ntp.isc.org/bin/view/Servers/WebHome
R

Figure 237: NTP
conflict: Sidewinder G2
receiving time from
external and internal
servers
(DO NOT CONFIGURE
NTP IN THIS WAY!)
Configuring NTP
on a Sidewinder
G2
Using the Admin
Console:
Appendix B: Setting Up Network Time Protocol
Configuring NTP on a Sidewinder G2
Note: The list of certified time servers includes stratum1 and stratum2 servers. Be
sure to select stratum2 servers only. It is also best to choose a time server that is
located within your time zone.
Figure 237 shows a configuration that should not be used and that is almost
guaranteed to cause trouble. This happens when NTP is configured to supply
time to the Sidewinder G2 from two servers—one external and one internal.
Input from the external time server cannot be reconciled with that from the
internal server.
internal time source
supplies time to
Sidewinder G2
time-feed
internal
network
Router
time server on external network also
supplies time to the Sidewinder G2,
creating a conflict
Use the following procedures to configure the Sidewinder G2 for NTP. You can
enable NTP for the appropriate burbs using the Admin Console. However, you
must configure NTP via the command line. For information on configuring NTP
via the command line see the cf_ntp man page.
Configuring the Sidewinder G2 as an NTP client
Follow the steps below to set up the Sidewinder G2 as an NTP client to receive
the time from another NTP server.
1 Disable the fixclock server, as follows (you must disable fixclock before you
enable NTP):
a In the Admin Console, select Services Configuration > Servers, and
select fixclock from the Server List. The fixclock Control tab appears.
b Select the Disable radio button.
c Click the Save icon in the toolbar.
R
597

Appendix B: Setting Up Network Time Protocol
Configuring NTP on a Sidewinder G2
Using command
line:
Using the Admin
Console:
598
2 Enable the NTP server in the appropriate burbs, as follows:
a Select Services Configuration > Servers, and select NTP from the
Server List. The NTP Control tab appears.
b Select the check box for the burbs in which you want NTP enabled.
c Click the Save icon in the toolbar.
3 At the command line, do the following:
a Connect to the Sidewinder G2 and enter the srole command.
b Select the machine(s) from which the Sidewinder G2 will receive time by
entering the following command:
cf ntp add server burb=server_burb ip=NTPserver_ip_addr
4 [Optional] Configure the appropriate NTP rules using the following format:
cf ntp add restrict burb=burb_name ip=restricted_ip_
address_or_subnet mask=network_mask_for_ip_address
flags=comma_separated_lists_of_flags: notrust, noquery,
etc.
Note: Flags are used to restrict the NTP functions of a server, peer, or client.
Refer to man cf_ntp for details.
As an NTP client, synchronization to the server clock will occur at a rate of
seconds per hour. That is, a difference of several minutes between the server
clock and the client clock may take several days to synchronize.
Configuring the Sidewinder G2 as an NTP server
Follow the steps below to set up the Sidewinder G2 as an NTP server to send
the time to other systems. Note the following:
• This section assumes the same configuration as shown in Figure 236. It
also assumes you have already set up the Sidewinder G2 as a client on the
external burb to receive the time-feed from an external time server.
• If you are setting up NTP to provide time to your network from another
network, and there is a router between that network and your network,
make sure the router allows NTP traffic.
1 Disable the fixclock server, as follows (you must disable fixclock before you
enable NTP):
a In the Admin Console, select Services Configuration > Servers, and
select fixclock from the Server List. The fixclock Control tab appears.
b Select the Disable radio button.
c Click the Save icon in the toolbar.

Using command
line:
Appendix B: Setting Up Network Time Protocol
References
2 Enable the NTP server in the appropriate burbs, as follows:
a Select Services Configuration > Servers, and select NTP from the
Server List. The NTP Control tab appears.
b Select the check box for the burbs in which you want NTP enabled.
c Click the Save icon in the toolbar.
3 At the command line, connect to the Sidewinder G2 and enter the srole
command.
4 Create a local clock by entering the following command:
cf ntp add peer burb=burb_name ip=127.127.1.0 prefer=yes
Setting prefer=yes specifies that the Sidewinder G2’s time signals take
precedence over a set of correctly operating servers that are also sending
the time.
5 (Optional: Perform if configuring the Sidewinder G2 as an authoritative NTP
clock) Add a list of NTP peers that can query the Sidewinder G2 by entering
the following command:
cf ntp add peer burb=peer_burb ip=ip_addr
An NTP peer is a server that is a designated “colleague” to another server
(peers can set each other’s clocks). Peers are sometimes used in large,
internationally-known time sites.
6 (Optional: Perform if configuring the Sidewinder G2 as an authoritative NTP
clock): Set up the NTP rules by entering the following command:
cf ntp add restrict burb=burb_name ip=restricted_ip_
address_or_subnet mask=network_mask_for_ip_address
flags=comma_separated_lists_of_flags: notrust, noquery,
etc.
Note: Flags are used to restrict the NTP functions of a server, peer, or client.
Refer to man cf_ntp for details.
References NTP is a complicated protocol with many options. There are numerous places
where more information can be obtained. These include RFCs, Web sites, and
local manual (man) pages. For more information about NTP, see the following
sources:
Internet Request For Comments (RFC)
The following RFCs provide information on NTP:
• RFC 1059 Network Time Protocol (Version 1)
• RFC 1119 Network Time Protocol (Version 2)
• RFC 1305 Network Time Protocol (Version 3)
599

Appendix B: Setting Up Network Time Protocol
References
600
Web Sites
Point your browser to the following Web site:
http://www.ntp.org/
On-line manual (man) pages
Type the following commands:
man cf_ntp
man ntpd
man ntpdc

C APPENDIX
Configuring Dynamic
Routing with OSPF
In this appendix...
Overview of OSPF routing............................................................602
OSPF processing on a Sidewinder G2.........................................604
Setting up OSPF routing on the Sidewinder G2...........................606
Configuring "passive" OSPF ........................................................612
Other implementation details........................................................612
601

Appendix C: Configuring Dynamic Routing with OSPF
Overview of OSPF routing
Overview of
OSPF routing
602
OSPF is a routing protocol in that it provides information used to figure out
routes in a portion of a network. Unfortunately, it is not a routing protocol in that
it does not actually pass routes, but information about links each router has.
Based upon this link information, each router runs the same algorithm and
comes up with the same "picture" of the network.
Note: OSPF runs as its own protocol (protocol 89) on top of IP.
OSPF uses a fair amount of multicasting. When a host detects a change to a
routing table or a change in the network topology, it immediately multicasts the
information to all other hosts in the network. Unlike the RIP in which the entire
routing table is sent, the host using OSPF sends only the part that has
changed. With RIP, the routing table is sent to neighboring hosts every 30
seconds. OSPF multicasts updated information only when a change occurs.
Tip: You should read this appendix only if you have identified that your routing
topology is too complicated to use only static routing or the Routing Information
Protocol (RIP). OSPF is a complex IP routing protocol and deploying OSPF should
involve discussions between routing subject matter experts and security subject
matter experts.
A closer look at OSPF
Rather than counting the number of hops, OSPF bases its path descriptions on
link states that factor in additional network information. Also, OSPF lets you
assign cost metrics to a given host router so that some paths are given
preference.
There are three phases to the OSPF protocol:
1 Routers "discover" neighboring OSPF routers by exchanging Hello
messages. The Hello messages also determine which routers will act as
the Designated Router (DR) and Backup Designated Router (BDR). These
messages are periodically exchanged to ensure connectivity between
neighbors still exists.
2 Routers exchange their "link state databases." Link state means the
information about a system's interfaces (IP address, network mask, cost for
using that interface, and whether it is up or down).
3 Finally, the routers exchange additional information via a number of
different type of Link State Advertisements (LSAs). These "fill out" the
information needed to calculate routes. Some reasons for generating LSAs
are interfaces going up or down, distant routes changing, static routes
being added or deleted, etc.

Figure 238: Three OSPF
protocol phases
Appendix C: Configuring Dynamic Routing with OSPF
Overview of OSPF routing
At this point, all routers should have a full database. Each database contains
consistent (not identical) information about the network. Based upon this
information, routes are calculated via the "Dijkstra" algorithm. This algorithm
generates the set of shortest routes needed to traverse the network. These
routes are then enabled for use by IP.
All OSPF routers on a network do not exchange OSPF data—this limits
network overhead. Instead, they communicate with the DR (and BDR), which
are then responsible for updating all other routers on the network. Election of
the DR is based upon the priority of that router.
OSPF multicasts using the AllSPFRouters (224.0.0.5) and AllDRouters
(224.0.0.6) addresses. The Designated Router (DR) and Backup Designated
Router (BDR) receive packets on the second address.
Important: Since the Sidewinder G2 performs many other functions, Secure
Computing Corporation recommend that customers should not configure the
Sidewinder G2 to become DR (or BDR) unless forced to by network topology.
OSPF routing
OSPF router
R
OSPF router
OSPF router
1 Exchange hello messages to discover neighbor OSPF
routers
2 Exchange Link state databases
3 Exchange Link state advertisements
OSPF is considered an Interior Gateway Protocol (IGP). An IGP limits the
exchange of routes to a "domain of control," known as an Autonomous System
(AS). An AS is a large network (an ISP for example) created under a central
authority running a consistent routing policy, policies that include different
routing protocols. RIP (both V1 and V2), IS-IS, EIGRP (a proprietary Cisco
protocol), are all IGPs.
Exterior Gateway Protocols, such as EGP and Boundary Gateway Protocols
(BGP), communicate routing information between Autonomous Systems.
Routers on the "edge" of the AS generate "special" LSAs (AS-External-LSAs)
for the rest of the AS. There's also a mechanism (forwarding address) so that
an OSPF router can "point over there" for a route. This feature allows a
customer to introduce static routes for their network from a central router.
603
R
R

Appendix C: Configuring Dynamic Routing with OSPF
OSPF processing on a Sidewinder G2
604
Figure 239: OSPF areas
OSPF
processing on a
Sidewinder G2
Autonomous Systems can be large. It is not necessary for the whole AS to
need to know "everything" about routes. Each AS may be broken down into
areas. All routing information must be identical within an area. Routing
between areas goes through a "backbone." All routers on a backbone have to
be able to communicate with each other. Since they belong to the same area
(area 0 of a particular AS), they also all have to agree. Area Border Routers
(ABRs) will have one interface defined to run in the backbone area. Other
interfaces can then be defined to run in a different area.
Take a look at a sample configuration. Figure 239 shows a large internal
network and backbone terminating at a router.
area 0 (backbone)
Complicated
Network
Autonomous system (AS)
R
ABR
area n (8.8.8.8)
Complicated
Network
ASB
EGP
BGP
Stub areas are areas where there is a single exit point. An OSPF router sends
"summary" LSAs into the stub that point back to that router as the default
router for the stub area.
For more information on OSPF and Internet routing, check with your router
vendor. The following books may also be useful:
• Routing in the Internet, 2nd edition by Christian Huitema, Prentice Hall
(2000)
• Cisco Router OSPF: Design and Implementation Guide, by William R.
Parkhurst (Cisco Technical Expert), McGraw Hill (1998)
OSPF processing is done via a Sidewinder G2 server process called gated. To
implement OSPF processing on the Sidewinder G2, a gated server process
must be configured, enabled, and started in the burb expecting to handle
OSPF broadcasts. Only one gated may be started per burb, but that gated
will handle all network interfaces within that burb.
The Sidewinder G2 currently runs version 3.6 of gated. This is the most recent
freely available version of gated available from the OSPF Consortium and it's
successor, NextHop.
This release of OSPF on the Sidewinder G2 runs gated as an “intra-area”
router. That means all interfaces that are configured to run OSPF exist in the
same OSPF area.
Note: Support for the Sidewinder G2 running as an ABR will come in a future
release.
R

Figure 240: Sidewinder
G2 within OSPF area 0
backbone
Figure 241: Sidewinder
G2 within OSPF area “n”
Appendix C: Configuring Dynamic Routing with OSPF
OSPF processing on a Sidewinder G2
Sidewinder G2 in an OSPF network topology
Essentially there are two choices for locating the Sidewinder G2 within the
OSPF network topology.
• the Sidewinder G2 within OSPF area 0 backbone
• the Sidewinder G2 within OSPF area n
The first choice, shown in Figure 240, extends the AS backbone through the
Sidewinder G2. Any area boundary external is to the Sidewinder G2.
area 0 (backbone)
Complicated
Network
b
u
r
b
area n (8.8.8.8)
The second choice, shown in Figure 241, runs a non-backbone area through
the Sidewinder G2, placing the backbone completely internal. This second
option is preferable for security policy reasons, but may not be practical without
re-engineering the OSPF network.
area 0 (backbone)
Complicated
Network
Autonomous system (AS)
b
u
r
b
Sidewinder G2
R
ABR
Autonomous system (AS)
R
ABR
Network
area n (8.8.8.8)
Sidewinder G2
ASBR
In order for OSPF to work, it is important that all routers work off of a consistent
link state database. The Sidewinder G2 implementation allows a customer to
control which routers it will communicate with by using the rule list. The active
rule list can be configured to only allow known routers to talk to gated.
b
u
r
b
b
u
r
R
b ASBR
R
605

Appendix C: Configuring Dynamic Routing with OSPF
Setting up OSPF routing on the Sidewinder G2
Setting up OSPF
routing on the
Sidewinder G2
606
Interoperability with other OSPF routers
The 3.6 distribution of gated supports OSPF version 2 as described in RFC
1583. Many routers will detect this automatically; other routers have an RFC
1583 compatibility mode setting. This setting should be enabled for all other
routers (if available) in the same area as the Sidewinder G2.
Other routing protocols
There are many versions of gated that support a number of routing protocols.
The Sidewinder G2 gated currently supports OSPF. A future release will
include RIP (both v1 and v2) support. At this time, we are NOT expecting to
support IS-IS (another interior routing protocol similar to OSPF), or any exterior
routing protocols (EGP or BGP).
Follow the steps below to set up OSPF on the Sidewinder G2.
1 Sketch a diagram showing your planned Sidewinder G2 configuration
(similar to the diagram in Figure 241). Include the following items on your
diagram:
• configuration of the routers to which the Sidewinder G2 connects
• OSPF areas in the network(s)
• the Sidewinder G2 interfaces (burbs)
2 On the Sidewinder G2, define one or more netgroups for the routers to
which Sidewinder G2 connects. See Chapter 5 for details on creating
netgroups.
3 On the Sidewinder G2, configure one or more rules for the OSPF traffic.
See Chapter 8 for details on setting up rules.
4 On the Sidewinder G2, configure the following OSPF parameters:
a Properties
b OSPF properties
c OSPF Areas
d Advanced
Tip: Follow the procedures in the next sections to use the Admin Console to
set your OSPF options.
5 Enable the OSPF (gated) server by doing the following:
a Using the Admin Console, select Services Configuration > Servers and
then select gated-unbound.
b Click Enable.

Figure 242: OSPF
Properties tab
About the OSPF
Properties tab
Configuring OSPF properties
Appendix C: Configuring Dynamic Routing with OSPF
Setting up OSPF routing on the Sidewinder G2
To configure OSPF properties, start the Admin Console and select Services
Configuration > Routing > Dynamic. Click the OSPF Properties tab, the
following window appears:
The OSPF Properties tab specifies the parameters that affect overall OSPF
function on the Sidewinder G2. Follow the steps below.
1 In the Default Preference field, specify the default preference for selection
of routes learned by OSPF versus other gated routing protocols. The
default is 150. Do not change this field unless directed by Secure
Computing.
2 In the Default Cost field, specify the metric for external routes that OSPF is
going to advertise to the Autonomous System (AS). The default is 1. Do not
change this field unless directed to by Secure Computing.
3 In the Default Tag field, specify the tag OSPF routes for other protocoldependent
filtering. The default tag is 0. Do not change this field unless
directed to by Secure Computing.
4 In the Default Type drop-down list, select whether OSPF will advertise
external routes into the AS as either Type 1 or Type 2 Autonomous System
External routes (ASEs) depending on the value of this field. The default is
1. Do not change this field unless directed to by Secure Computing.
5 In the Default Inherit Metric field, select one of the following:
• Yes: If this field is set to Yes, OSPF will use the metric from the external
route when exporting ASEs rather than using the default cost.
• No: This is the default value. Do not change this field unless directed to
by Secure Computing.
6 In the Export Limit field, specify the throttle rate at which an ASBR
advertises ASEs into the AS. The default is 100 ASEs per interval. Do not
change this field unless directed to by Secure Computing.
7 In the Export Interval field, specify how often an ASBR will advertise ASEs
into the AS. The value specifies seconds, with a default of 1. Do not change
this field unless directed to by Secure Computing.
607

Appendix C: Configuring Dynamic Routing with OSPF
Setting up OSPF routing on the Sidewinder G2
608
Figure 243: OSPF Area
tab
About the OSPF
Area tab
8 The syslog field provides you with the ability to allow gated to log
occasional packets to syslog (and thereby Sidewinder G2 audits) in
addition to the depth of information obtainable from trace options. The
format is first pktcnt every pktcnt2, which means OSPF will log the first
pktcnt packets for each type of OSPF packet. After that, it will then log one
message per pktcnt2 packets. The default is no entry, which means no
logging. Do not change this field unless directed to by Secure Computing.
9 In the OSPF Enabled field specify whether OSPF is enabled (yes or no).
10 To save your changes, click the Save icon in the toolbar.
Configuring OSPF Areas
To configure OSPF areas, start the Admin Console and select Services
Configuration > Routing > Dynamic. Click the OSPF Areas tab, the following
window appears:
The OSPF Area tab configure communication with other routers. Follow the
steps below.
1 In the Area field, specify the area number as follows:
• Backbone—Select this option to define area 0.
• Number—Select this option to define a non-zero area. The area is
defined in the Area Number field. Values can be simple numbers (like
3), or "dotted decimal" (like IP addresses). Areas are 32 bit numbers.

Configuring the
OSPF Area:
Interfaces window
Figure 244: OSPF Area
window: Interface
Information
Appendix C: Configuring Dynamic Routing with OSPF
Setting up OSPF routing on the Sidewinder G2
2 In the Stub field, specify the areas where there are no external routes as
follows:
• Yes—Select this option If the Sidewinder G2 is an intra-area router
inside a stub area. In the Default Cost area, specify the cost of the
default route. If this is the Area Border Router (ABR) for the stub area,
this indicates the cost of the default route that will be flooded into the
stub area.
• No—Select this option if the Sidewinder G2 is not an intra-area router
inside a stub area.
3 To modify the Interfaces table, see “Configuring the OSPF Area: Interfaces
window” on page 609. The Interfaces table defines the configuration for
each OSPF interface on the Sidewinder G2.
Note: Do not change the Networks field unless directed to by Secure Computing.
When you click New or Modify under the Interfaces table, the following window
appears:
1 In the Interfaces field, specify the Sidewinder G2 IP address for each
interface that should use OSPF.
2 In the Cost field, specify the metric that OSPF should advertise when
calculating routes using this interface. (OSPF leaves this undefined, but it is
an integer.)
3 In the Enabled field, specify whether this interface should currently run
OSPF.
4 In the Retransmit Interval field, specify the retransmit interval (in seconds)
between link state advertisement retransmits (the range is 0-65535).
5 In the Transit Delay field, specify a reasonable estimate on how long it
takes an OSPF packet to be transmitted on this interface (range is 0-
65535). Except for very long delay paths, this parameter will normally be
set to 1.
609

Appendix C: Configuring Dynamic Routing with OSPF
Setting up OSPF routing on the Sidewinder G2
Authentication
Information window
610
Figure 245: Authenticating
Information window
6 In the Priority field, specify the priority for becoming a Designated Router
(DR) on this interface. Values are from 0–255, with the higher priorities
being more likely to be elected as DR (or Backup DR). When set to 0 (the
default setting), gated will not become a DR under any circumstance.
Note: Secure Computing recommends that you keep this value 0 on the
Sidewinder G2 whenever possible; DR functionality can cause significant
utilization impact.
7 In the Hello Interval field, specify the time in seconds between Hello
packets sent to maintain connectivity with neighboring routers. The default
is 10 seconds. Values range from 0–255.
8 In the Router Dead Interval field, specify the time in seconds OSPF will wait
without receiving Hello packets from a neighbor before assuming that
neighbor is down. The default is 40 seconds. Values from 0–65535.
9 [Optional] In the Passive field, specify whether OSPF will NOT send
packets on this interface, but will send information about this interface to
other interfaces. Routes can then be established through the Sidewinder
G2 to systems on the passive interface. The default setting is No.
10 In the Auth field, specify which type of primary authentication is used on
OSPF packets for this interface
• none—No authentication (default).
• simple—Specifies that a clear text value (as specified in the Auth Keys
list) must be present on all packets.
• md5:—Specifies that a clear text value and key (as specified in the Auth
Keys list) must be present on all packets.
Note: If you select simple or md5, click New (or Modify) to specify the
authentication key data. See “Authentication Information window” below.
11 To save your changes, click the Save icon in the toolbar.
The Authentication Information window specifies settings for simple or md5
authentication settings.

Configuring the
OSPF Areas:
Networks window
Figure 246: OSPF
Advanced window
Appendix C: Configuring Dynamic Routing with OSPF
Setting up OSPF routing on the Sidewinder G2
1 In the Authentication Key field, specify the clear text value that must be
present on all packets. This entry may be one to eight decimal digits
separated by periods, a one to eight hexadecimal string preceded by 0x, or
a one to eight character string in double quotes. More than one
Authentication key can be defined. The only requirement is that the keys do
not share the same Start Generate time.
2 (md5 authentication only) In the Id Number field, specify a value from
1–255.
3 In the Start/Stop Generate fields, define the time when gated will use the
key to sign outgoing packets.
4 In the Start/Stop Accept fields, define the time gated will use the key to
validate incoming packets.
Note: The Generate/Accept fields are optional fields that specify when an md5
key is valid. If you specify any time value, you must also specify all other time
values. Specify overlapping valid times to ensure service is not lost. Also,
multiple keys cannot share the same Start Generate or Start Accept times.
The Networks area on the OSPF Areas window should not be configured
unless directed to do so by Secure Computing Technical Support.
Configuring Advanced options
To configure advanced options, start the Admin Console and select Services
Configuration > Routing > Dynamic. Click the Advanced tab, the following
window appears:
611

Appendix C: Configuring Dynamic Routing with OSPF
Configuring "passive" OSPF
About the Advanced
window
Configuring
"passive" OSPF
Other
implementation
details
612
The Advanced window allows you to directly edit and test the gated
configuration file.
• Edit "gated.conf" File: Clicking this button allows you to set up and specify
features that are not available through the Admin Console.
• Validate "gated.conf" File: Clicking this button launches a test utility that
checks the configuration file’s entries and ensures a valid configuration.
The resulting test determines whether the file has valid parameter settings that
do not conflict with each other, however, it does not evaluate the "logic" of the
specified configuration.
You can configure and run OSPF through the Sidewinder G2 without affecting
the Sidewinder G2 routing tables. To do this, you must edit /etc/server.conf file
as follows:
1 Using a text editor of your choice, find the entry:
server(gated-unbound ...........)
2 Change the args[-N] to args[-n -N].
3 Save the file.
4 Stop and start the gated server from the Services Configuration > Servers
menu.
Important: In order for the Sidewinder G2 to correctly pass data, static routes must
have been previously defined.
As with any routing protocol, OSPF passes routable addresses. This defeats
the purpose of NAT at the Sidewinder G2 running OSPF. However, NAT can
still be performed at the ASBR.
gated supports a method to “query” remote gated implementations about
their current state and information. This is done via the ospf monitor
command. For security, the ospf monitor command is not supplied on the
Sidewinder G2 and it does not accept queries from remote gated instances.
Filtering of routes should not be performed within an area. This leads to
inconsistent link state databases. In turn, the Dijkstra algorithm will probably
end up calculating routing loops. The Sidewinder G2 will support route filtering
when it supports running as an ABR.

D APPENDIX
Configuring Dynamic
Routing with RIP
In this appendix...
RIP with standard IP routers ........................................................614
RIP processing on the Sidewinder G2 .........................................615
RIP with Sidewinder G2 using transparent IP addressing............616
RIP with Sidewinder G2 not using transparent IP addressing......619
Configuring RIP on the Sidewinder G2 ........................................622
Enabling/disabling the routed server ............................................625
Trace and log information.............................................................625
613

Appendix D: Configuring Dynamic Routing with RIP
RIP with standard IP routers
RIP with
standard IP
routers
614
Figure 247: Dynamic
routing a with standard IP
route
The following describes how RIP processing aids in routing IP packets through
a network that has a redundant routing architecture. Figure 247 illustrates this
redundant architecture.
Security Alert: RIP version 1 is an inherently insecure protocol. Without careful
configuration of this service, this system may be susceptible to route confusion
attacks.
Bizco
Network
Telnet server
R
router_a
router_b
CorpCity
Network
Note: This figure assumes that all routers (a, b, c, and d) are exchanging RIP
packets between each other every 30 seconds.
In this example, it is unnecessary for the Telnet server and the client to be
accepting RIP packets. The server can statically configure its gateway to be
Router_a. The client can statically configure its gateway to Router_b.
The Telnet client has two different possible paths of reaching the server: (1) via
Router_b-to-Router_a, and (2) via Router_d-to-Router_c-to-Router_a.
Examining the routing table on Router_b, you would find that there are two
possible routes to the Bizco network, one with a hop count equal to two
(through Router_a), the other with a hop count to three (through Router_d).
When the Telnet client needs to connect to the Telnet server, it sends a TCP
connection request to Router_b because its internal default route points to
Router_b. Router_b receives the connection frame and because the route to
the Bizco network is shorter via Router_a (two hops verses three hops), it
forwards the connection frame on to Router_a. Router_a forwards the frame
into the Bzco network and it eventually gets received by the Telnet server. The
Telnet server builds and sends a reply frame back, this frame typically follows
the same route back to the client. The two systems have established a
connection.
The dynamic routing capability of RIP can be seen when the link between
Router_a and Router_b is lost. As soon as Router_b notices that it is no longer
receiving RIP updates from Router_a, it updates its local routing table hop
count for that route to 16 (route unreachable) and broadcasts this to others on
its local network (this is to notify Router_d).
R
R
router_c
R
Telnet
client
router_d

RIP processing
on the
Sidewinder G2
Appendix D: Configuring Dynamic Routing with RIP
RIP processing on the Sidewinder G2
Next, the Telnet client sends another IP frame to Router_a unaware that the
route between Router_a-to-Router_b has been lost. Router_a looks at its local
routing table and discovers there are two routes, one unreachable, the other
through Router_d. Because Router_d is on the same network as the client,
Router_b sends an ‘ICMP Redirect’ back at the client stating that it can reach
the Telnet server network through Router_d. If the client’s TCP/IP stack is
operating correctly, it updates its local routing table to point that host at
Router_d. The client TCP/IP stack then re-sends its last frame to Router_d.
Router_d receives the frame and forwards it on to Router_c, which forwards it
on to Router_a, etc.
Important: Note that the TCP session continues on through Router_d as if nothing
had happened, and when the link between Router_a and Router_b is reestablished,
the Telnet client again should receive an ‘ICMP Redirect’ from
Router_d pointing it back at Router_a. The session should continue as if nothing
important happened.
RIP processing is done via a Sidewinder G2 server process called routed. To
implement RIP processing on the Sidewinder G2, a routed server process
must be configured, enabled, and started in the burb expecting to handle RIP
broadcasts. Only one routed may be started per burb, but it will handle all
network interfaces within that burb.
The Sidewinder G2 can be configured to support RIP processing via the
following Admin Console options:
• Receive routing information from other routers
Setting this option to Yes enables routed to receive UDP RIP updates from
any interface within that burb and update the local routing table.
Setting this option to No disables the updating of local routing tables with
RIPs received from the local network interfaces.
• Advertise routing information
Setting this option to Yes enables routed to broadcast UDP RIP updates,
advertising local routing information available within this burb.
Setting this option to No disables broadcasting of any UDP RIP updates.
• Advertise as default gateway
Setting this option to Yes enables routed to send the default route.
Setting this option to No disables sending the default route.
• Advertise burb/routes from burbs
This option specifies which burbs (other than the current burb) should have
their routing information included in RIP updates sent by THIS burb. If no
burbs are listed under this option, routed will only send routing information
about the current burb.
615

Appendix D: Configuring Dynamic Routing with RIP
RIP with Sidewinder G2 using transparent IP addressing
616
Figure 248: Routed on
the Sidewinder G2
RIP with
Sidewinder G2
using
transparent IP
addressing
Figure 249: RIP with the
Sidewinder G2
Figure 248 illustrates the implementation of RIP processing within the
Sidewinder G2. This example, shows a trusted burb with two network
interfaces. When the routed server is started in this trusted burb, both these
interfaces will automatically be supporting RIP.
TCP
/IP
local
routing
table
local
routing
table
Internet burb routed
routed trusted burb
Admin Console options set:
Receive routing information from
other routers = yes
Advertise routing information = no
No other burbs specified
TCP
/IP
Admin Console options set:
Receive routing information from
other routers = no
Advertise routing information = yes
External burb (1) specified
Routed on the Sidewinder G2 operates by listening for UDP broadcasts on port
520. It also sets a timer to send a RIP packet advertising its routing information
every 30 seconds. When a RIP broadcast is received, the routed server
updates the local routing table with any new routes. When the 30 second timer
expires, the routed server reads and updates its local routing table, and then
broadcasts its local routing information
Important: Through Type Enforcement, no routed is allowed to update the local
route table in a different burb.
The following describes how RIP processing occurs through the Sidewinder
G2. Figure 249 illustrates an architecture where the Sidewinder G2 has been
positioned to control IP traffic between the two company networks. If the
Sidewinder G2s do NOT provide RIP support, the automatic rerouting of traffic
through the use of dynamic routing is lost.
Bizco
Network
Telnet server
R
router_a
Internet burb trusted burb
SidewinderG2_b
R
router_b
Internet burb trusted burb
R
router_c
SidewinderG2_c
R
CorpCity
Network
Telnet
client
router_d

Appendix D: Configuring Dynamic Routing with RIP
RIP with Sidewinder G2 using transparent IP addressing
For this example, Router_a will broadcast UDP RIP packets to
SidewinderG2_b but they will be dropped. Because the Sidewinder G2 now
supports RIP, the Sidewinder G2 can be configured to act as a router and
actively participate in the dynamic RIP processing. In order to pass data traffic
through the Sidewinder G2, however, some proxy or server must be configured
and enabled.
The assumption for this discussion is that the administrator has configured the
Sidewinder G2 Telnet proxy. The administrator must also enable the rule
allowing trusted burb-to-Internet burb traffic from the Telnet client to the Telnet
Server. Also, to pass the RIP information through the Sidewinder G2s, both
systems must configure and enable the routed server.
For discussion purposes, the administrator must use the Admin Console to
configure routed on the Internet burb for the following options:
• Advertise routing information: yes
• Advertise as default gateway: no
• Receive routing information from other routers: yes
• Routes from burbs: none
Also, routed on the trusted burb must be configured as follows:
• Advertise routing information: yes
• Advertise as default gateway: no
• Receive routing information from other routers: no
• Routes from burbs: Internet (2)
Given the above configuration, both Sidewinder G2s will do the following:
• broadcast the external routing table information to Router_a (so Router_a
knows when the link is up or down)
• receive routing information from Router_a (all Bizco’s routing information)
and update the external routing table
• broadcast both the internal and external routing information into CorpCity’s
network (which provides CorpCity’s) networks with routing information to
Bizco’s network)
• NOT listen to any RIP broadcasts from the CorpCity network.
Important: The last bullet here is VERY IMPORTANT. This will be discussed in
more detail later in this document.
As in the above discussion, when the Telnet client needs to connect to the
Telnet server, it sends a TCP connection request to Router_b because its
internal default route points to Router_b. Router_b receives the connection
frame and because the route to the Bizco network is shorter via Router_a (3
617

Appendix D: Configuring Dynamic Routing with RIP
RIP with Sidewinder G2 using transparent IP addressing
If connection is lost
between Router_a
and SidewinderG2_b
618
hops verses 4 hops), it forwards the connection frame on to Router_a, which
forwards the frame to the Sidewinder G2. The Sidewinder G2 IP services
receive the frame, and checks its routing table to decide if it knows where this
connection request should be sent.
Because the external routing table has a route to Bizco’s network, the IP
services sends the request up to the Telnet proxy. If there was no route to
Bizco’s network, and a default route had not been specified, the Sidewinder G2
IP services would have discarded the packet. The Telnet proxy receives and
validates the connection request, then proceeds to issue a new, independent
TCP connection request to the Telnet server (on the external network). This
new request, which has an originating address of the external Sidewinder G2,
gets sent to Router_a and is forwarded on into the Bizco network and so on
and so forth. The Bizco Telnet server replies back to the Sidewinder G2,
thinking that the Sidewinder G2 is the originator of the session. The Telnet
proxy then replies back to the Telnet client, and the session is now in place
between the server and the client.
If the connection between Router_a and SidewinderG2_b is lost, the following
occurs:
1 SidewinderG2_b notices that it is no-longer receiving RIP updates from
Router_a and updates its local routing table hop count for that route to 16
(route unreachable), and broadcasts this out on the internal network (this is
to notify Router_b).
2 The Telnet client sends another IP frame to Router_a unaware that the
route between Router_a-to-SidewinderG2_b has been lost. Router_a looks
at its local routing table and discovers there are two routes, one
unreachable, the other through Router_d.
3 Because Router_d is on the same network as the client, Router_b sends an
‘ICMP Redirect’ back at the client stating that it can reach the Telnet server
network through Router_d.
4 The client updates its local routing table to point that host at Router_d, then
re-sends its last frame to Router_d.
5 Router_d receives the frame and forwards it on to Router_c, which
forwards it on to SidewinderG2_c.
6 SidewinderG2_c, receives the IP frame for the Telnet server, checks the
route, has a route, and sends it up to the internal TCP servers. The
Sidewinder G2 TCP services checks the frame and discovers this is not a
TCP connection request and that it there is not currently a session with the
client. Because of this, TCP services builds a ‘TCP reset’ frame and sends
it back to the client.
Note: This causes the current Telnet session to be lost. However, when the Telnet
client opens another session to the server, that connection request will get sent to
SidewinderG2_c, which will go through all the above steps and establish a NEW
session with the Telnet server.

RIP with
Sidewinder G2
not using
transparent IP
addressing
Figure 250: RIP with the
Sidewinder G2 “spoofing”
the client’s address
Appendix D: Configuring Dynamic Routing with RIP
RIP with Sidewinder G2 not using transparent IP addressing
So what happened to the sessions between SidewinderG2_b and the client,
and SidewinderG2_b and the server? These sessions will time-out according
to what has been configured for the Telnet proxy inactivity timer. Currently this
defaults to 2700 seconds, or 45 minutes. Unless the Telnet server also has a
connection time-out, the session will remain between the two systems until the
time-out occurs, at which time the proxy closes both sessions.
What will happen when the route between Router_a and SidewinderG2_b
becomes available again? The Telnet client sends the frame to Router_d which
will send an ‘ICMP Redirect’ back to the client telling it to communicate through
Router_b. The client will resend the frame to Router_b, which forwards it to the
Sidewinder G2. Again the Sidewinder G2 has received a frame for which it is
not in session, and it will send a ‘TCP reset’ back to the client, causing the client
to again close the session. As far as the client is concerned the Telnet server has
unexpectedly closed the session. And again, if the client opens a new session
all will be fine. But remember the sessions are timing out between
SidewinderG2_c and the Telnet server.
Important: The administrator should change this Telnet idle session timer to
something more reasonable such as 10 minutes.
The assumption for this discussion is that the Telnet server must be able to
identify the Telnet clients IP address. The above configuration would not allow
this, the Telnet server will see all sessions from CorpCity network as originating
from the Sidewinder G2. In Figure 250 as with Figure 249, in order to pass any
traffic through the Sidewinder G2, some proxy or server must be configured
and enabled.
Bizco
Network
Telnet server
R
router_a
Internet burb trusted burb
SidewinderG2_b
router_b
CorpCity
Network
To accomplish the ‘spoofing’, you must configure the Sidewinder G2s generic
TCP proxy to listen on port 23, and enable it to spoof the original workstations
IP address (refer to the “use_client_address” feature in the /etc/sidewinder/
conf/tcpgsp.conf file). The administrator must also enable the rule list allowing
internal to external traffic from the Telnet client to the Telnet Server for the
R
Internet burb trusted burb
SidewinderG2_c
R
router_c
R
Telnet
client
router_d
619

Appendix D: Configuring Dynamic Routing with RIP
RIP with Sidewinder G2 not using transparent IP addressing
620
generic TCP proxy. Also, to pass the RIP information through the Sidewinder
G2s, both systems must configure and enable the routed server.
Again for discussion purposes, the administrator must use the Admin Console
to configure routed on the Internet burb for the following options:
• Advertise routing information: yes
• Advertise as default gateway: no
• Receive routing information from other routers: yes
• Routes from burbs: none
Also, routed on the trusted burb must be configured as follows:
• Advertise routing information: yes
• Advertise as default gateway: no
• Receive routing information from other routers: no
• Routes from burbs: Internet (2)
When the Telnet client needs to connect to the Telnet server, it sends a TCP
connection request to Router_b which forwards the frame on to
SidewinderG2_b. The SidewinderG2_b IP services receives the frame and
passes it up to the generic_TCP proxy, which validates the connection request
and issues a new, independent TCP connection request to the Telnet server
(on the external network).
This new request, however, contains the originating IP address of the real
client, not the external Sidewinder G2 IP address. The request gets sent to
Router_a and is forwarded to the Telnet server in the Bizco network. Next, the
Bizco Telnet server builds and sends a reply to Router_a, expecting it to be
delivered on to the client. Router_a receives the reply and looks at its routing
table to find a route to CorpCity’s client network. Router_a will not find one,
and the packet will be dropped.
Because the Sidewinder G2 is NOT advertising its internal routes Router_a
does NOT know how to get to CorpCity’s networks. What the administrator
should do is set “Routes from Burb to Internal (0)” on the external side. This will
cause the routed server in the external burb to also advertise all the routes it
finds on the internal burb. What happens now is Router_a gets additional
information about internal routes available on the Sidewinder G2.
Does this solve the problem? The answer is NO. Since the internal routed
server is NOT updating the internal route table (“Receive routing information
from other routers” was set to NO), no routes about CorpCity’s network will be
available. The Sidewinder G2 administrator must set as “Receive routing
information from other routers to YES” on the internal routed server. Now the
Sidewinder G2 will advertise CorpCity’s routes to router_a, and when Router_a
receives the packet for CorpCity it will understand how to route it.

Appendix D: Configuring Dynamic Routing with RIP
RIP with Sidewinder G2 not using transparent IP addressing
Note: Beware of enabling “Receive routing information from other routers = Yes”
in more than one burb!
Enabling the setup we just described, both SidewinderG2_b and
SidewinderG2_c will begin updating their internal routing tables with RIP
information received from the internal routers. Keep in mind that
SidewinderG2_c is advertising routing information about Bizco’s network
internally, and the internal routers (Router_b, Router_c, and Router_d) will now
contain routing information about how to reach Bizco’s networks. When the
internal routed on SidewinderG2_b receives the route information, it will
contain routes to Bizco’s network.
What would happen if SidewinderG2_b updated its internal route table with a
route to Bizco (the external network) via Router_a? Incoming packets which
should be destined for the external network would be forwarded back into the
internal network to Router_a! Both Sidewinder G2s would do this and the
frames would never pass through the Sidewinder G2.
The Sidewinder G2s routed server handles this by NOT adding a route into
the local routing table if the route to be added exists in one of the other route
tables. These route updates will be silently discarded.
Note: Beware, however, that whichever routed updates the table with the route
first, wins!
For example, when SidewinderG2_b is started and the link to Router_a is
down, SidewinderG2_b has not received routing information about Bizco’s
network. If SidewinderG2_c broadcasts a RIP out that Bizco is available
through it, SidewinderG2_a will eventually receive this (via the routers) at the
internal routed server which will update its local table with the route to Bizco’s
network through Router_b.
What about the instance such as above where we need it? The only way to
avoid this problem is to configure a filter for which routes it will advertise to
SidewinderG2_b. More information on how and why to do this is given later.
One last note about the above example. If Router_b were removed from this
network and the Sidewinder G2 directly connected to the internal network,
SidewinderG2_b would be tied directly to the Telnet clients network. If the
Burbs option is set on the external routed server, it would advertise the
necessary route to Router_a on how to reach the client’s network. In this
instance, there would be no reason to set the “Receive routing information from
other routers” to YES on the internal routed server. Also, in this scenario, if
the Telnet client has its default route pointing to the Sidewinder G2 and the link
between Router_a and SidewinderG2_b fails, the internal routed will not know
that another route is available (it is not updating its local table with RIPS from
Router_d). Subsequently because the Sidewinder G2 does not know the
alternate route it cannot know to send the client the ‘ICMP Redirect’ frame to
allow the session to be re-routed.
621

Appendix D: Configuring Dynamic Routing with RIP
Configuring RIP on the Sidewinder G2
Configuring RIP
on the
Sidewinder G2
622
Figure 251: Routed
Configuration window
Entering information
on the Routed
Configuration
window
To configure the routed server, using the Admin Console select Services
Configuration > Routing > Routed. The following window appears.
This window allows you to configure a routed server in a specific burb. Follow
the steps below.
1 In the Burb drop-down list, select the burb for which you want to configure
routing.
2 In the Routing information field, select one of the following options:
• Yes—Select this option to enable routed to broadcast UDP RIP
updates, advertising all local routing information available within the
burb(s) selected in the Routes from Burbs box.
• No—Select this option to disable broadcasting of any UDP RIP updates.
3 In the As Default Gateway field, select one of the following options:
• Yes—Select this option to enable routed to send the default route.
• No—Select this option to disable sending the default route.
4 In the Routes from Burbs box, select the burbs for which routes will be
advertised. (This option is only available if you selected Yes in the Routing
Information field.)
5 In the Receive routing information from other routers field, select one of
the following options:
• Yes—Select this option to enable routed to receive UDP RIP updates
from any interface within that burb and update the local routing table.
• No—Select this option to disables the updating of local routing tables
with RIPs received from the local network interfaces.

Appendix D: Configuring Dynamic Routing with RIP
Configuring RIP on the Sidewinder G2
6 In the Filter type field, determine whether to allow or deny routes using the
following information:
Filtering provides the administrator the ability to both control which routes
the Sidewinder G2 uses to establish external connections, and to control
what routing information is advertised by the Sidewinder G2 from one network
to another. This control focuses on two areas.
• which external routes are added into a Sidewinder G2’s routing table
from a RIP broadcast received via the network.
• which routes in a Sidewinder G2’s routing table are advertised in a RIP
broadcast being sent to an external network.
The possible settings are:
• Allow—Specifies that only routes specifically listed will be either
accepted from the network or sent by the routed running in this burb. If
set to Allow, at least one entry must be specified in the Address/
Network/Type/Direction table, or routed cannot be enabled. Also, all
routes will be blocked from being added, including local network
interfaces, unless specifically listed in the Address/Netmask/Type/
Direction table.
• Deny—Specifies that routes are accepted and sent unless specifically
listed in the Address/Netmask/Type/Direction table.
Note: There is no provision for allowing some routes and denying other routes.
7 The Address/Netmask/Type/Direction table lists the route filter entries
currently defined for the selected burb. Use the New, Modify, and Delete
buttons to modify this table. See “Defining route filter information” on page
624 for details.
When you allow or deny a route, it can be either a host route (indicating a
path to a specific address), or a network route (indicating a path to a group
of common machines).
Route filtering is performed whenever routed is going to add a route to its
local routing table. This means that different routing filters can be applied to
different burbs.
The route filter entries highlight one of the major limitations of routed and
the RIP protocol. routed recognizes only the standard class A, class B,
and class C IP network masks (255.0.0.0, 255.255.0.0, and
255.255.255.0). The Sidewinder G2 route filter entries allow more flexible
network masks for forward compatibility.
8 Click the Save icon in the toolbar to save your routed configuration
changes.
623

Appendix D: Configuring Dynamic Routing with RIP
Configuring RIP on the Sidewinder G2
Defining route filter
information
624
The Route Filter Information window appears if you click the New or Modify
button from the Routed Configuration window. The Route Filter Information
window allows you to create a new or modify an existing route filter. Follow the
steps below.
1 In the Type field, select the type of route being defined: host (host route) or
net (network route).
2 In the Address field, specify either the IP address of the host for host
routes, or the network portion of the IP address for network routes.
3 (Network route only) If you selected net in step 1, specify which portion of
the address parameter should be considered valid in the Netmask field.
There are two possible ways to enter the network mask. One is to use the
“dotted decimal” form, such as 255.255.255.0 for class C networks. The
other is to use the hexadecimal representation, which would be ffffff00 for
class C.
4 In the Direction drop-down list, select which direction routed should apply
for this filter. This option provides you with a lot of flexibility in determining
what routing information you accept and provide.
Important: Be careful about what routes you advertise to external users and about
accepting routes from those same external users.
• Inbound—Specifies routed will not accept this route from the network.
However, it WILL include this route in an advertisement if you have
selected the Advertise option.
• Outbound—Specifies that routed will accept this route from the network.
but NOT advertise this route regardless of the advertise option setting.
• Both—Specifies routed to ignore this route.
5 Click Add to add the route filter to the list and exit the window.
Rule list support
Another routed feature is rule list support to identify from which routers to
accept RIP packets. The rule list will be based primarily on the source IP
address on the incoming RIP packets. Create these rules using the Admin
Console by selecting Policy Configuration > Proxy Rules.
Note: A rule must be defined for routed or it will not function.
To allow incoming traffic, create a new rule with the Service Type field set to
Server and the Service field set to routed. The source IP address can be either
a single router who you want to accept RIP traffic from or a netgroup of routers
and/or hosts. The destination IP address will usually be set to “All Destination
Addresses,” since the destination is the broadcast address of the network for
the burb the rule applies to. The source and destination burbs will be equal and
should be set to the burb that you want to receive RIP packets from.

Enabling/
disabling the
routed server
Trace and log
information
Appendix D: Configuring Dynamic Routing with RIP
Enabling/disabling the routed server
All routed configuration files are located in /etc/sidewinder/routed with one
configuration file per burb named routed.conf.burb_name. The
configuration file contains three rules which directly correspond to the options
available in the cf routed area.
Perform the following steps to enable or disable the routed server.
1 In the Admin Console, select Services Configuration > Servers.
2 Select routed from the list of server names.
3 Click a burb to either enable or disable the routed server in that burb.
A check mark appears if the server is enabled for a burb.
4 Click the Save icon in the toolbar.
To debug routed, add the -t flag to the args field of the routed entry located
in /etc/server.conf to enable routed tracing.
server(routed /sbin/routed
config_file[/etc/sidewinder/routed/routed.conf.%n]
directory[]
env(domain[rou%b] user[root] group[wheel] core[] files[2048]
memory[] processes[500] stack[] rss[])
pidfile(/var/run/routed/routed.pid.%n lock)
valid[0 1 2 3 4 5 6 7 8] enabled[]
require[]
refuse[]
args[-t] roles[$Sys] failure_mode[off] faild_critical[yes])
Note: You can add one -t flag to routed to increase the tracing level. If you add
more than one -t flag, routed will not start.
All tracing information is logged to the routed log files located in
/var/log/routed/routed.log.burb_name which can be viewed using standard
UNIX commands in the admin role.
A note about flushing filter routes
In the possibility that you misconfigure your routing tables, you will need to use
the Admin Console (or cf routed commands) to disable routed and make
corrections to the tables.
Before restarting routed, enter the following command at a UNIX prompt to
flush the routing tables of all gateways.
route flush
625

Appendix D: Configuring Dynamic Routing with RIP
Trace and log information
626

E APPENDIX
Setting Up SmartFilter
Services
In this appendix...
Overview of SmartFilter for Sidewinder G2 ..................................628
Controlling Web access using the SmartFilter Control List ..........628
Configuring SmartFilter for HTTP/HTTPS ....................................630
Category codes ............................................................................633
627

Appendix E: Setting Up SmartFilter Services
Overview of SmartFilter for Sidewinder G2
Overview of
SmartFilter for
Sidewinder G2
Controlling Web
access using the
SmartFilter
Control List
628
SmartFilter controls your company’s users’ access to the Internet. When
configured with Sidewinder G2, SmartFilter manages Internet access at
several levels, ranging from simple access restrictions to thorough blocking of
all sites deemed unproductive or non-business related.
Note: This appendix pertains to SmartFilter 4.0.2. If you use SmartFilter 3.x, refer
to the Sidewinder G2 online help for information.
In order to use SmartFilter, you must:
1 Purchase and activate SmartFilter.
2 Install the SmartFilter administration software. Go to
http://www.securecomputing.com/goto/sf/downloads to download and
install the software.
3 Configure your SmartFilter policy using the SmartFilter Admin Console.
Consult the SmartFilter documentation before configuring.
4 Configure SmartFilter for Sidewinder G2. Go to “Configuring SmartFilter for
HTTP/HTTPS” on page 630 for configuration information and instructions.
SmartFilter uses a Control List that contains millions of URLs. These URLs are
categorized into pre-defined categories. You configure which categories are
allowed, blocked, coached, or delayed.
• For a list of the categories used by Sidewinder G2, see Table 41 on page
633.
• For a description of each category, go to http://securecomputing.com/goto/
controllist.
• For more information on SmartFilter and the Control List, please read the
SmartFilter Primer.
Evaluating the SmartFilter Control List
If you are not a current SmartFilter user, you can evaluate the full Control List
by following the steps contained in the sections that follow.
Evaluating the full Control List
You can retrieve a 30-day evaluation copy of the full Control List by performing
the following steps:
1 Go to http://www.smartfilter.com.
2 Click the Product Evaluation option.
3 Select SmartFilter for Sidewinder G2 Firewall from the drop-down list.

4 Click Evaluate this version.
5 Complete and submit the registration form.
Appendix E: Setting Up SmartFilter Services
Controlling Web access using the SmartFilter Control List
Within one business day after you complete and submit the registration
form, you will receive information via e-mail that includes an evaluation
serial number. Enter this serial number into the SmartFilter Administration
Console during or after installation to obtain the Control List.
Subscribing to the SmartFilter Control List
1 Order the SmartFilter service option through Secure Computing or your
reseller.
After you submit your order, you will be mailed an activation certificate with
a serial number.
2 Enter this serial number into the SmartFilter Administration Console,
Enterprise > License window, to download the Control List.
629

Appendix E: Setting Up SmartFilter Services
Configuring SmartFilter for HTTP/HTTPS
Configuring
SmartFilter for
HTTP/HTTPS
630
SmartFilter 4.0.2 for Sidewinder G2 uses the HTTP/HTTPS proxies.
SmartFilter settings for HTTP/HTTPS, such as downloading the control list, are
configured using the SmartFilter Admin Console.
Note: For additional configuration information, see the SmartFilter Installation
Guide. One-to-Many and High Availability clusters, in particular, require procedures
found in that guide.
Sidewinder G2 includes preconfigured elements to improve the ease of
administering SmartFilter on Sidewinder G2. These include:
• Proxy rules to allow the necessary SmartFilter administration traffic.
• Web and Secure Web application defenses customized for SmartFilter
traffic.
• Once SmartFilter is configured, the ability to enable Web filtering on
existing HTTP/HTTPS proxy rules by simply updating the existing Web or
Secure Web application defenses.
To begin using SmartFilter services through Sidewinder G2, you must
complete the following:
1 Enable SmartFilter on Sidewinder G2 (Services Configuration >
SmartFilter). See “Configuring the SmartFilter for Web and Secure Web
tab” on page 631 for more information.
2 Enable the HTTP/HTTPS proxies (Services Configuration > Proxies):
Select http and/or https from the Server Name list and enable the source
burb.
3 Enable Web filtering for the desired HTTP/HTTPS traffic by enabling
SmartFilter on the appropriate Web and/or Secure Web application
defenses (Policy Configuration > Application Defenses > Defenses > Web
and Secure Web). See “Creating Web or Secure Web Application
Defenses” on page 156 for more information.
4 Set SmartFilter rules (Policy Configuration > Rules):
• Move the default SmartFilter rule group to the active rule group above
the Deny All rule.
• Create a rule for HTTP or HTTPS traffic using the application defense
with SmartFilter enabled.
See “Configuring proxy rules for SmartFilter version 4.0.2” on page 632 for
more information.

Figure 252: SmartFilter
for Web and Secure Web
tab
About the
SmartFilter for Web
and Secure Web tab
Appendix E: Setting Up SmartFilter Services
Configuring SmartFilter for HTTP/HTTPS
Configuring the SmartFilter for Web and Secure Web tab
When configuring SmartFilter 4.0.2 for Sidewinder G2, select Services
Configuration > SmartFilter. The following window appears.
The SmartFilter for Web and Secure Web tab allows you to configure
Sidewinder G2 for use with SmartFilter version 4.0.2. Follow the steps below.
Note: Downloading and management of the Control List is managed via the
SmartFilter Admin Console. Refer to the SmartFilter Installation Guide.
1 In the SmartFilter Server area, select the burb(s) for which Web traffic to be
filtered by SmartFilter will be allowed. To select all burbs, click Select All. To
deselect all burbs, click Deselect All.
2 In the Management Burb field, select the burb that will be used to
communicate with the SmartFilter Administration Server.
3 In the SmartFilter Configuration area, do the following:
a In the SmartFilter Server Port field, modify the port as needed. This port
listens for traffic from clients’ Web browsers and displays the blocked
and warning pages. The default is 9015.
b In the Management Port field, modify the port as needed. This port
listens from traffic from the SmartFilter Administration Server. The
default is 9013.
c Click Change SmartFilter Server Password to change or assign a
password to be used when connecting to Sidewinder G2’s SmartFilter
server from your SmartFilter Administration Server. This password must
be set before you can connect to the SmartFilter Admin Console. (The
default user name is sfadmin.) See “About the Change SmartFilter
Server Password window” on page 632 for more information.
631

Appendix E: Setting Up SmartFilter Services
Configuring SmartFilter for HTTP/HTTPS
632
d Click the Save icon to save your changes.
4 Configure the appropriate HTTP/HTTPS proxy rules and their associated
application defenses. For more information, see the following section,
“Configuring proxy rules for SmartFilter version 4.0.2”.
About the Change SmartFilter Server Password window
The SmartFilter Server Password is used to authenticate the SmartFilter
Administration Server to Sidewinder G2’s SmartFilter server. This password
corresponds to the SmartFilter Plugin Definition Admin Password, set in the
SmartFilter Admin Console. Any changes made to this password made in the
Sidewinder G2 Admin Console must also be made in the SmartFilter Admin
Console. This password must be set before the SmartFilter Admin Console can
connect to the plugin.
1 Enter the password.
2 Confirm the password.
3 Click OK.
4 Click Save.
Configuring proxy rules for SmartFilter version 4.0.2
Sidewinder G2 provides two preconfigured SmartFilter rules in a SmartFilter
rule group. The rules are:
• SmartFilter Admin — This rule regulates the SSL traffic between the
Sidewinder G2 and the SmartFilter Administration Server. The default
application defense restricts HTTP header replies to only those required by
the SmartFilter Administration Server.
• SmartFilter Redirect — When SmartFilter needs to display a message at a
client’s Web browser, this rule allows the client to connect to the SmartFilter
server to receive the message. This rule also restricts HTTP header replies
to only those required by the SmartFilter server.
Move the SmartFilter rule group to the active rule group by doing the following:
1 Select Policy Configuration > Rules.
2 Double-click the active rule group (often the Default group).
3 Select the SmartFilter rule group and click the down arrow to add the
SmartFilter group to the active rule group.
4 Move the SmartFilter rule group the desired position, somewhere above the
Deny All rule.
5 Click OK.

Appendix E: Setting Up SmartFilter Services
Category codes
6 Click New > Proxy Rule to create rules for HTTP or HTTPS traffic to be
filtered by SmartFilter. The rule must use an application defense with
SmartFilter enabled. For more information, see “Creating proxy rules” on
page 222.
For additional SmartFilter configuration information, see the SmartFilter
Administration Guide.
Category codes The following table identifies the category codes to use for the corresponding
Control List categories
Table 41: Category Codes for SmartFilter 4.0.2
Control List category Code Control List category Code
Alcohol al Politics/Opinion po
Anonymizer an Pornography sx
Anonymizing Utilities au Portal Sites ps
Art/Culture/Heritage ac Profanity pr
Auction eb Provocative Attire pa
Business bu Religion and Ideology rl
Chat ch Remote Access ra
Computing/Internet ci Resource Sharing rs
Consumer Information cm School Cheating
Information
Criminal Skills cs Search Engines se
Dating/Social mm Sexual Materials sm
Drugs dr Shareware/Freeware sw
Education/Reference ed Shopping/Merchandising os
Entertainment/Recreation/
Hobbies
et Sports sp
Extreme ex Spyware sy
Finance fi Stock Trading in
sc
More...
633

Appendix E: Setting Up SmartFilter Services
Category codes
634
Control List category Code Control List category Code
Forum/Bulletin Boards mb Streaming Media st
Gambling gb Tobacco tb
Games gm Travel tr
General News nw Usenet News na
Government/Military gv User Defined Category 0 u0
Gruesome Content tg User Defined Category 1 u1
Hacking hk User Defined Category 2 u2
Hate Speech hs User Defined Category 3 u3
Health hl User Defined Category 4 u4
Humor mh User Defined Category 5 u5
Instant Messaging im User Defined Category 6 u6
Internet Radio/TV ir User Defined Category 7 u7
Job Search js User Defined Category 8 u8
Malicious Sites ms User Defined Category 9 u9
Media Downloads mp Violence vi
Mobile Phone mo Visual Search Engine vs
Non-Profit Organizations/
Advocacy Groups
np Weapons we
Nudity nd Web Ads wa
P2P/File Sharing pn Web Mail wm
Personal Pages pp Web Phone wp

F APPENDIX
Basic Troubleshooting
In this chapter...
Powering up the system to the Administrative kernel...................636
Restoring access to the Admin Console ......................................637
Backing up system files................................................................638
Restoring system files ..................................................................641
Adding hardware to an active Sidewinder G2 ..............................647
Recovering when the licensed NIC fails.......................................649
What to do if the boot process fails ..............................................651
Re-imaging your Sidewinder G2 ..................................................652
If you forget your administrator password ....................................653
Interpreting beep patterns ............................................................655
If a patch installation fails .............................................................656
Troubleshooting proxy rules .........................................................657
Understanding FTP and Telnet connection failure messages ......661
Troubleshooting High Availability .................................................662
Troubleshooting NTP ...................................................................666
Troubleshooting VPNs .................................................................668
635

Appendix F: Basic Troubleshooting
Powering up the system to the Administrative kernel
Powering up the
system to the
Administrative
kernel
636
You must be in the Administrative kernel to perform certain system
maintenance tasks such as installing software or creating a full system backup.
Follow the steps below to boot the system to the Administrative kernel when
your Sidewinder G2 is powered OFF.
Important: When you are in the Administrative kernel, all network connections are
disabled and Internet services are not available. Type Enforcement is also disabled.
1 Attach a keyboard and monitor directly to your Sidewinder G2.
If your system has multiple keyboard/monitor connection ports, you must
attach the keyboard and monitor into the same keyboard/monitor connection
port pair (that is, attach both items either to the front connection ports
or the back connection ports).
2 Turn the Sidewinder G2 ON by pressing the power button.
3 When the “Booting Sidewinder Operational kernel” message appears,
press any key (excluding Esc) to interrupt the boot sequence.
The number sequence 4, 3, 2, 1, 0 is displayed as the Operational kernel is
booting. Press any key (excluding Esc) before the 0 appears. A Boot:
prompt then appears.
4 Enter the following command:
bsd.sw.admin -w
5 Press Enter when asked whether to check and mount all file systems. The
system prompt will appear. At the system prompt, you can perform any
administrative tasks that require the Administrative kernel.
If you have enabled authentication for the administrative kernel, you will be
prompted to log in before the system prompt appears.
6 When you have finished working in the Administrative kernel, reboot or shut
down the system.
Note: See “Rebooting or shutting down using a command line interface” on
page 42 to reboot or shut down the system from a command line interface.
Enabling and disabling authentication for the
administrative kernel
The following steps explain how to enable and disable authentication for the
administrative kernel. By default, administrative kernel authentication is
disabled. This is because it is generally assumed that the Sidewinder G2 will
be housed in a secure location that is not easily accessible by nonadministrators.
If your Sidewinder G2 is housed in an insecure area (that is,
non-administrators could easily gain access to the physical system), you
should enable administrative kernel authentication.

Restoring
access to the
Admin Console
Appendix F: Basic Troubleshooting
Restoring access to the Admin Console
To enable or disable authentication for the administrative kernel, follow the
steps below.
1 Log into the Admin Console, and select File Editor.
2 Click Start File Editor.
3 Select File > Open.
4 In the Source field, select Firewall File.
5 In the File field, type /etc/ttys and click OK.
6 To enable or disable administrative kernel authentication, edit the following
line:
console /usr/libexec/getty pccons” ibmpc3 on secure
• To require authentication, change the value to insecure.
• To disable authentication, change the value to secure.
7 Select File > Save to save your changes.
8 Select File > Exit to close the file editor.
If an administrator accidentally configures the active rule group in a way that
prevents an administrator from logging into the Sidewinder G2 (for example,
moving the deny_all rule to the first position or deleting certain access rules),
the following procedure allows you to regain access.
1 Reboot the Sidewinder G2 to the Administrative kernel. For information on
rebooting to the Administrative kernel, see “Powering up the system to the
Administrative kernel” on page 636.
2 At a console attached directly to the Sidewinder G2, run the following script:
restore_console_access
This script will create a temporarily proxy rule called
restore_console_access and adds it to the first position of the active proxy
rule group. This rule allows an administrator to log into the Sidewinder G2
directly (using a console that is directly attached to the Sidewinder G2).
3 When the script completes, reboot to the Operational kernel. See
“Rebooting or shutting down using a command line interface” on page 42.
4 When the Sidewinder G2 finishes rebooting, log in at a console attached
directly to the Sidewinder G2.
5 Using the command line, identify and correct the problem in your active
proxy rule group that is preventing administrator access. See Appendix A or
refer to the cf acl man page for information on configuring your active
rules via command line.
6 Once you have configured your active rules to allow administrator access,
you will need to delete the restore_console_access rule. If you do not
delete this rule and accidentally misconfigure the active rule group
(displacing the position of the restore_console_access rule), a new rule
cannot be configured and added in the correct position.
637

Appendix F: Basic Troubleshooting
Backing up system files
Backing up
system files
638
You can back up your Sidewinder G2 file system to a digital audio tape (DAT)
using scripts provided with the Sidewinder G2. The backup (and restore)
functions on your system have been modified to be aware of Type
Enforcement. When you restore files (as described on page 641), they are
automatically restored with the correct Type Enforcement properties.
The backup and restore procedures described in this section affect the entire
Sidewinder G2 file system, including configuration files, mail queues, audit
trails, and so on. If you want to backup and restore only the configuration files
on your Sidewinder G2, see “Configuration file backup and restore” on page 50
for details.
Tip: Be sure to backup your system on a regular basis!
The Sidewinder G2 provides scripts for performing a full system backup and
incremental backups. The backup scripts listed in Table 42 are provided in the /
etc/backups directory. The log file for backups is stored in /var/log/backup.log.
Table 42: Sidewinder G2 backup scripts
Backup Type Backup script What it does
Full backup ./level0.backup Backs up everything
Incremental
backup
Performing a full system backup (level0)
Use the /etc/backups/level0.backup script to back up all of the file
systems on your Sidewinder G2. The file systems that exist on your Sidewinder
G2 may vary depending on how you have configured your Sidewinder G2. The
file systems that are backed up may include the following (as well as any other
file systems that you have on your Sidewinder G2):
• /
• /var
• /usr
• /home
• /var/log
• /var/spool
./do.dump fs level
filenum
Backs up the specified file
system and labels it with the
specified filenum
Note: If your Sidewinder G2 has multiple hard disks, resulting in re-partitioning of a
file system, the backup scripts will manage that for you. The scripts also support
backups that span multiple tapes.

Appendix F: Basic Troubleshooting
Backing up system files
To perform a full (level 0) system backup, follow the steps below.
1 Attach a keyboard and monitor directly to your Sidewinder G2.
If your system has multiple keyboard/monitor connection ports, you must
attach the keyboard and monitor into the same keyboard/monitor connection
port pair (that is, attach both items either to the front connection ports
or the back connection ports).
2 Enter the following command on your Sidewinder G2 system to reboot to
the Administrative kernel:
shutdown -g now
3 Press Enter when asked whether to check and mount all file systems. The
system prompt will appear.
If you have enabled authentication for the administrative kernel, you will be
prompted to log in before the system prompt appears.
4 Insert a backup DAT in the Sidewinder G2’s tape drive and wait for the tape
to reach its load-point.
5 Enter the following command to run the full backup script:
/etc/backups/level0.backup
The backup process will take several minutes. You will see a “DUMP IS
DONE” message for each file system. When the backup is complete, the
# prompt appears and the tape ejects.
6 Label the tape (include type of backup, date, time, and so on).
7 Reboot the system to the Operational kernel by entering the following
command:
shutdown -r now
Performing an incremental backup
The /etc/backups/do.dump command allows you to use several different
options that track which files have changed since the last time you backed up,
so that you are not doing full backups each time.
This allows you to back up only the files that have changed since the last
backup. For example, your first system backup would be a full backup (Level
0). The next time you back up, you would assign a backup level (a number
from 1 to 9); for example, you could label it backup Level 1. The Level 1
backup procedure would check your file system, searching for files that were
not backed up in Level 0. Only those files would be written to the tape. The
next time you did an incremental backup, it would back up only the files that
had changed since the previous Level 1 backup.
639

Appendix F: Basic Troubleshooting
Backing up system files
Performing an
incremental backup
640
Note: While incremental backups can eliminate multiple copies of unchanged files,
using incremental backups does increase the duration and complexity of the
restore process. If you have a fast tape drive and the level 0 backup fits onto a
single tape, you may want to consider performing only level 0 backups.
Tip: How often you should perform incremental backups depends on many factors,
such as how much your system is used. The UNIX System Administration
Handbook offers several types of schedules that meet various needs.
The following example shows an incremental backup (Level >0) that backs up
four file systems. The backed up files are labeled file 1 through file 4.
Level 5 dump for /var as file 1 to /dev/nrst0 on Fri Feb 17
03:00:03 CST 1995
Level 5 dump for /usr as file 2 to /dev/nrst0 on Fri Feb 17
03:00:11 CST 1995
Level 5 dump for / as file 3 to /dev/nrst0 on Fri Feb 17
03:01:33 CST 1995
Level 5 dump for /var/log as file 4 to /dev/nrst0 on Fri Feb
17 03:06:10 CST 1995
The following example performs an incremental backup of the /usr file system.
The tape will not be rewound, and the backed up file will not be compressed.
1 Attach a keyboard and monitor directly to your Sidewinder G2 and reboot.
If your system has multiple keyboard/monitor connection ports, you must
attach the keyboard and monitor into the same keyboard/monitor connection
port pair (that is, attach both items either to the front connection ports
or the back connection ports).
2 Enter the following command at the command prompt:
shutdown -g now
3 Press Enter when asked whether to check and mount all file systems. The
system prompt will appear.
If you have enabled authentication for the administrative kernel, you will be
prompted to log in before the system prompt appears.
4 Insert a backup DAT into the tape drive and wait for the tape to reach its
load-point.
5 Type the following command to run the incremental backup script,
Important: You must type this command for each file system except /tmp.
/etc/backups/do.dump /usr level filenum
where:
• level = the backup level (see Incremental backup on “Performing an
incremental backup” on page 639)

Restoring
system files
Appendix F: Basic Troubleshooting
Restoring system files
• filenum = a file number, indicating the position on the backup tape.
For example, if this is the second file system on the tape the value for
this parameter should be 1 (the first file system will be at position 0). For
more information on how this parameter is used, see “Performing an
incremental restore via the do.restore script” on page 643.
This command backs up the /usr file system to the “no rewind” tape device
(usually /dev/nrst0) and labels it.
You will see a “DUMP IS DONE” message for each file system. When the
backup is complete, the # prompt appears.
6 When you have finished all incremental backups, rewind and eject the DAT
by entering the following command:
mt o
7 Label the tape, indicating the type of backup, date, and time. You should
also record the file systems that were backed up along with the
corresponding file number (filenum) and mount point in case the file system
order changes over time.
8 Reboot the system to the Operational kernel by entering the following
command:
shutdown -r now
In the unlikely event that your Sidewinder G2’s hard disk needs to be replaced,
you will need to restore the file system that you have backed up. You will also
need to do a full system restore if you add hardware (for example, memory or
disk space) to your active Sidewinder G2.
The restore process allows you to restore your Sidewinder G2 to your last level
0 backup without reconfiguring your system.To do this, follow the instructions in
“Performing a full system restore” on page 642. Then use the procedure in
“Performing an incremental restore via the do.restore script” on page 643 to
restore files from your incremental backup tapes.
When you restore files, they are automatically restored with the correct Type
Enforcement properties.
The Sidewinder G2 provides the capability to restore files from a full system
backup (Level 0) or incremental backup tape. Table 43 explains some
differences between these two methods.
641

Appendix F: Basic Troubleshooting
Restoring system files
642
Table 43: Sidewinder G2 restore scripts
Restore Type Restore method What it does
Full restore via boot process Restores your Sidewinder G2 from
the level 0 backup tape
Incremental
restore
./do.restore
filenum
Important: You must perform all incremental restore operations from the
Administrative kernel.
Performing a full system restore
Restores the specified file system
from the specified filenum
Use the following procedure to restore your Sidewinder G2 using a level 0
backup. The restore process allows you to restore your Sidewinder G2 to your
last level 0 backup without reconfiguring your system.
Caution: When you perform this procedure, all existing data will be overwritten by
your last level 0 backup. Any files or directories added since the level 0 backup will
be lost.
1 Attach a keyboard and monitor directly to your Sidewinder G2 and reboot.
If your system has multiple keyboard/monitor connection ports, you must
attach the keyboard and monitor into the same keyboard/monitor connection
port pair (that is, attach both items either to the front connection ports
or the back connection ports).
2 Enter the following command on your Sidewinder G2.
shutdown -h now
3 Once the system is halted, insert the Sidewinder G2 product CD-ROM, and
then power off the system.
4 Power up the system.
5 Press Enter when the Installation Wizard appears.
Tip: See Appendix B of the Sidewinder G2 Startup Guide for additional details
on the Installation Wizard.
6 In the Installation Type window, use the down-arrow to move to the Restore
Full System Backup option, and then press the space bar to select it.
7 Tab to Continue and then press Enter.
The Restore Full System Backup command will prompt you to insert a
backup DAT; this is the DAT that you created when you did the level 0
backup.

8 [Conditional] If needed, change partitioning information.
Appendix F: Basic Troubleshooting
Restoring system files
During the boot process the Default Disk Allocation screen displays the
default values. If you need to modify the values, tab to Configure and then
press Enter.
Note: You may need to modify these values if you have installed new hardware.
Otherwise, it is recommended that you use either the default values or whatever
values that were set when the system backup was performed.
9 Insert the DAT and wait for the tape to reach its load-point. Press Enter to
initiate the restore process. The restore process will repartition the drives
and reload all of the system files from the tape.
10 When the restore is finished, the following message will appear:
File restore complete.
11 Remove the DAT and CD-ROM from their respective drives.
12 Press Enter to reboot. The system then reboots to the Administrative
kernel.
13 If needed, restore any incremental backups. See “Performing an
incremental restore via the do.restore script” on page 643 for information.
14 Perform a new full system (level 0) backup. See “Performing a full system
backup (level0)” on page 638.
Important: Do this even if you have not restored any old incremental backups.
Performing a new level 0 backup might seem unnecessary at this point, but it
must be done in order for future incremental backups to remain in sync with the
new file structure. Problems will likely occur if you do a new incremental backup
at a later date and then try to restore the system without having first done a full
system (level 0) backup.
15 When the full system backup is complete, enter the following command to
reboot to the Operational kernel:
shutdown -r now
Performing an incremental restore via the do.restore
script
As noted earlier in this section, the Sidewinder G2 file systems are stored as
separate files on the backup tape. To restore a file system, you can use the
do.restore script in the /etc/backups directory. Incremental restores must be
performed from the Administrative kernel.
643

Appendix F: Basic Troubleshooting
Restoring system files
644
Follow these steps to restore files on the Sidewinder G2:
Caution: If you are restoring the root (/) file system, DO NOT restore the /shlib
directory, which contains shared libraries. If you restore this directory, the system
will hang and you will not be able to reboot it. To restore this file system, first use
the add command to restore all files. Then use the delete command to delete the
/shlib directory from the list of files. Extract the files as usual.
1 Attach a keyboard and monitor directly to your Sidewinder G2 and reboot.
If your system has multiple keyboard/monitor connection ports, you must
attach the keyboard and monitor into the same keyboard/monitor connection
port pair (that is, attach both items either to the front connection ports
or the back connection ports).
2 Reboot the system to the Administrative kernel by entering the following
command:
shutdown -g now
3 Press Enter when asked whether to check and mount all file systems. The
system prompt will appear.
If you have enabled authentication for the administrative kernel, you will be
prompted to log in before the system prompt appears.
4 Insert your backup DAT into the tape drive. Use the DAT on which you
backed up your files.
5 Type df to display the file system on the current Sidewinder G2.
Important: The file system on the current Sidewinder G2 may not reflect the
order in which the file systems were backed up on a back up tape.
For example, the output might look like this:
Filesystem 512-blocks Used Avail Capacity Mounted on
/dev/sd0a 21150 14392 4642 76% /
/dev/sd0d 123903 86320 25192 77% /var
/dev/sd0e 123903 86320 25192 77% /var/log
/dev/sd0g 3837972 939306 2514868 27% /usr
/dev/sd1a 4047224 2131220 1511280 59% /home
6 Use the cd command to switch to the appropriate directory.
Switch to the directory shown in the “Mounted on” column, as shown in the
previous step.
7 Position the tape and invoke the restore script by entering the following
command.
/etc/backups/do.restore filenum
Note: You must enter this command for each file system that you want to
restore.

Appendix F: Basic Troubleshooting
Restoring system files
The filenum variable refers to the order in which the file system appears
on the backup tape. For example, typing do.restore 0 will position the
tape to restore the first file system that was backed up. In the example list
shown in step 5, the first file system backed up was /.
Typing do.restore 4 will forward the tape four file systems from the first
one. (This script automatically rewinds the tape first.) Based on the example
in step 5, the tape would move to /home.
After you type the command, you are in the interactive mode for the
restore command (the prompt is restore>).
8 Type the command you want to use to build the extract list.
• You can type any of the commands listed in Table 44.
• These commands build the extract list, but relative to the current
directory specified in step 4. For example, use the add command to add
files to the list of the ones you want to restore. A restore is not started
until the next step is completed.
Table 44: Restore Script Commands
Command What it does
ls directory Lists contents of the specified directory
cd directory Changes to specified directory
pwd Prints the full path name of the current working
directory
add directory
add file
delete directory
delete file
Adds directory or file to list of files to be extracted
Important: If you are restoring the root file
system, see Caution note at beginning of steps.
Deletes directory or file from list of files to be
extracted
extract Extracts all files that were added to the list
setmodes Sets modes of requested directories
quit Exits program immediately
what Lists dump header information
verbose Toggles verbose flag (useful with ls command)
help or ? Prints this command list
9 After you have selected the files, enter the extract command.
645

Appendix F: Basic Troubleshooting
Restoring system files
646
10 When prompted, enter the volume number by typing 1 and press Enter. You
will be asked whether you want to change owner/mode/types for the current
working directory.
11 Type y or n and press Enter.
You should almost always type n to prevent the owner/mode/types in the
current working directory from being changed.
12 To exit the restore script, type quit at the >restore prompt.
13 Repeat step 6 through step 12 for other file systems you want to restore.
14 When you are finished restoring files from the DAT, rewind and eject the
tape by entering the following command:
mt o
15 Reboot to the Operational kernel by entering the following command:
shutdown -r now
Restoring configuration files using the command line
If you need to restore your Sidewinder G2 to a backup configuration saved on
floppy diskette and do not have access to the Admin Console, use the
following steps to restore your configuration backup via the command line.
1 Insert the configuration backup diskette in the Sidewinder G2’s diskette
drive.
2 At a Sidewinder G2 command prompt, enter the following command:
cf config restore loc=floppy
3 The Sidewinder G2 restores the configuration files. If your backup
configuration uses multiple diskettes, you will be prompted when you need
to remove the current diskette and insert the next diskette.
4 When restore process is complete, remove the diskette and reboot.
Important: The version of the configuration backup must match the version on the
Installation–Disk Imaging CD used during the restore process. Avoid complications
by backing up your configuration after every upgrade.

Adding hardware
to an active
Sidewinder G2
Appendix F: Basic Troubleshooting
Adding hardware to an active Sidewinder G2
You can use the full system (level 0) restore process if you want to add
hardware (for example, memory or disk space) to your active Sidewinder G2,
or if you are moving to a new chassis.
• The best time to add memory or disk space is before you install your
Sidewinder G2 software. When you have completed the procedure, the
Sidewinder G2 will automatically detect the new memory and disk space.
• You can purchase a Performance Pack to increase your hardware’s
capabilities. For more information, contact your sales representative.
To add hardware, follow these steps.
Note: You do not need to perform this procedure if you are adding network
devices.
1 Attach a keyboard and monitor directly to your Sidewinder G2 and reboot.
If your system has multiple keyboard/monitor connection ports, you must
attach the keyboard and monitor into the same keyboard/monitor connection
port pair (that is, attach both items to the front connection ports or both
in the back connection ports).
2 Perform a level 0 backup of your system.
Important: You must back up your software system because you will be
repartitioning the disk drives in step 7, and you will need a full backup to restore
the system. Given the significance of this backup, it is a good idea to perform
two level 0 backups, in case there is a problem with the first backup. See
“Backing up system files” on page 638 for instructions on performing a level 0
backup.
3 Type the following command to halt the system.
shutdown -h now
4 Power off the system.
5 Add the new hardware to your system.
Be sure to take the necessary precautions to prevent accidental electrostatic
shock.
6 Power up the system and quickly insert the Sidewinder G2 Installation–Disk
Imaging CD-ROM.
Tip: See Appendix B of the Sidewinder G2 Startup Guide for additional details
on the Installation Wizard.
7 Press Enter when the Installation Wizard appears.
8 In the Installation Type window, use the down-arrow to move to the Restore
Full System Backup option, and then press the space bar to select it.
9 Tab to Continue and then press Enter.
647

Appendix F: Basic Troubleshooting
Adding hardware to an active Sidewinder G2
648
The Restore Full System Backup command will prompt you to insert a
backup DAT; this is the DAT that you created when you did the level 0
backup.
10 [Conditional] If needed, change partitioning information.
During the boot process the Default Disk Allocation screen displays the
default values. If you need to modify the values, tab to Configure and then
press Enter.
Note: You may need to modify these values if you installed new hardware.
Otherwise, it is recommended that you use either the default values or whatever
values that were set when the system backup was performed.
11 Insert the DAT and wait for the tape to reach its load-point. Press Enter to
initiate the restore process. The restore process will repartition the drives
and reload the system files from the tape.
12 When the restore is finished, the following message will appear:
File restore complete.
13 Remove the DAT and CD-ROM from their drives.
14 Press Enter to reboot the system to the Administrative kernel.
15 If needed, restore any incremental backups. See “Performing an
incremental restore via the do.restore script” on page 643 for information.
16 Perform a new full system (level 0) backup.
Important: Do this even if you have not restored any old incremental backups.
Performing a new level 0 backup might seem unnecessary at this point, but it
must be done in order for future incremental backups to remain in sync with the
new file structure. Problems are likely to occur if you perform a new incremental
backup at some later date and then try to restore the system without having first
performed a full system backup.
17 When the full system backup is complete, enter the following command to
reboot to the Operational kernel:
shutdown -r now
The hardware is now successfully added.

Recovering
when the
licensed NIC fails
Appendix F: Basic Troubleshooting
Recovering when the licensed NIC fails
When the Sidewinder G2 obtains its license, its submits a MAC address of one
of its NICs. The license is then associated with that MAC address. If that MAC
address cannot be found, the Sidewinder G2 invalidates the license. At this
point, you must obtain a new license using the MAC address of the new NIC or
another NIC on the Sidewinder G2.
Replacing and relicensing a network interface card
Do the following to remove the failed NIC, install the new NIC, and relicense
your Sidewinder G2:
1 As soon as a failure is detected, enter cf interface q at a command line
and record the following information about the failed NIC:
• the MAC address(es)
• the ifname of each interface associated with that NIC
• any capabilities listed in the ifcap field
2 Power down the Sidewinder G2 by doing one of the following:
• Using the Admin Console, select Firewall Administration > System
Shutdown and select Halt System.
• Using a command line, enter shutdown -h now. When a message
appears telling you it is safe to shut down, press the power button.
3 Remove the failed NIC. Follow safe elctrostatic shock discharge
procedures.
4 [Optional] If replacing that NIC, put in a new network interface card.
5 Attach a monitor and keyboard to the Sidewinder G2.
6 Press the Sidewinder G2’s power button. The Sidewinder G2 comes up in
failure mode because it is not licensed.
7 At the command prompt, enter the following command:
cf interface query
Note: If the new NIC has the same number of interfaces as the old NIC and was
made by the same manufacturer, skip to step 10.
8 For each NIC that was removed and is now replaced, enter on one line:
cf interface swap mac_addr=old_MAC_addr
swap_mac_addr=new_MAC_addr
where old_MAC_addr is the MAC address of the failed NIC and
new_MAC_addr is the MAC address of the new NIC.
649

Appendix F: Basic Troubleshooting
Recovering when the licensed NIC fails
650
9 [Conditional] If any of the new interfaces have an enabled licensed
capability, clear the capability by entering the following:
cf interface modify ifname=ifname ifcap=
Note: Leave the ifcap field blank. You will add the interface capabilities after the
Sidewinder G2 is licensed.
10 Enable all the replaced interfaces by entering:
cf interface modify ifname=ifname enabled=on
11 Check the license by entering:
cf license query
12 Assign the license to a new NIC by entering:
cf license set firewall_id=MAC_addr
where MAC_addr = the MAC address of the new NIC.
13 Obtain the license by entering:
cf license get
14 [Conditional] If the Sidewinder G2 does not successfully obtain a license,
skip to step 2 in “Troubleshooting licensing problems” on page 650.
15 Reboot the Sidewinder G2 to the operational kernel by entering:
shutdown -r now
16 [Conditional] If the failed NIC had licensed capabilities, add them to the new
NIC by entering the following:
cf interface modify ifname=ifname ifcap=ifcap
where ifname is the interface’s name and ifcap is the interface’s capability
recorded in step 1.
Your Sidewinder G2 should now be licensed.
Troubleshooting licensing problems
If the Sidewinder G2 comes up in failure mode because it did not license during
the reboot, check the following:
1 Try to obtain the license by entering:
cf license get
2 Verify that there is a default route by entering:
netstat -nr
If there is not a default route, add it back with
route add default aaa.bbb.ccc.ddd
where aaa.bbb.ccc.ddd is the next hop router for the default route.
3 Verify that DNS is resolving by entering:
nslookup www.securecomputing.com

What to do if the
boot process
fails
Appendix F: Basic Troubleshooting
What to do if the boot process fails
4 Obtain the license by doing one of the following:
• If DNS is resolving, enter cf license get.
• If DNS is not resolving, you will need to get the license using the Secure
Computing activation server’s IP address by entering the following on a
single line:
cf license get activation_url=https://66.45.10.76/cgibin/sidewinder-activation.cgi
5 Reboot the system to the operational kernel by entering:
shutdown -r now
The Sidewinder G2 should now be correctly licensed and fully functional.
Boot failure may be caused by the fsck command. This command is run as
part of the system boot process. If this command fails, the Sidewinder G2 will
not boot properly. If the boot process fails, you will need to attach a keyboard
and monitor and repower the system. If you see a # prompt (indicating that the
fsck command failed), type the following at the # prompt to fix any disk
problems:
ind Kern /sbin/fsck -p
Then restart the system by entering shutdown -r now at the command
prompt.
System reboot messages
During a system reboot, certain system events will cause messages to be
stored in the audit holding area prior to auditd being started. When auditd
starts, one or more blue messages stating “sacopen: transferred 1
records from hold” may appear on the console’s display. This merely
indicates that the messages stored in the audit holding area were transferred
to the audit stream. Normally, these messages can be ignored.
651

Appendix F: Basic Troubleshooting
Re-imaging your Sidewinder G2
Re-imaging your
Sidewinder G2
652
If you need to re-image your Sidewinder G2 configuration, follow the steps
below. You will need both your Sidewinder G2 Installation–Disk Imaging CD-
ROM and your configuration backup diskette. (You may need to use this
process if your original configuration was incorrect.)
Note: Any changes you made to the multi-processor configuration (mp.config) file,
will be overwritten during the re-installation process.
1 Attach a keyboard and monitor directly to your Sidewinder G2.
If your system has multiple keyboard/monitor connection ports, you must
attach the keyboard and monitor into the same keyboard/monitor connection
port pair (that is, attach both items either to the front connection ports
or the back connection ports).
2 Power on or reboot the system.
3 Quickly insert the Installation-Disk Imaging CD into the drive
The system boots from the CD and displays standard boot-up information.
After the boot sequence finishes, the Sidewinder G2 software Installation
Wizard appears.
4 Run the wizard.
Note: In most situations, the default values are sufficient. Only experienced
administrators should change the partitioning.
5 Once the Installation Wizard completes, remove the CD from its drive.
6 Reboot the Sidewinder G2.
7 Run your chosen Quick Start method. (See the Sidewinder G2 Startup
Guide for more information.) Once configured, Sidewinder G2 reboots.
• If the system successfully accesses the Secure Computing activation
server and retrieves its license key, it will emit two beeps indicating the
Sidewinder G2 is active.
Note: The Sidewinder G2 will try to send the activation request for one
minute. If the activation is not successful in that time, you must activate your
Sidewinder G2 using the Admin Console.
• If the system cannot retrieve its license key, the Sidewinder G2 will emit
four beeps and come up in Safe Mode. Sidewinder G2 will not pass
traffic until it is licensed.
8 [Conditional] If you applied any system patches to your Sidewinder G2 prior
to making your last configuration backup, you will need to load and install to
your previous patch level before you apply the configuration backup
diskette. (For information on loading and installing patches, see “Loading
and installing patches” on page 76.)
9 Restore your Sidewinder G2 configuration data. See “Restoring
configuration files using the Admin Console” on page 54.

If you forget your
administrator
password
Appendix F: Basic Troubleshooting
If you forget your administrator password
If you forget your administrator password, you can change your password on
the Sidewinder G2 itself by booting to the administrative kernel.
Important: By default, the administrative kernel does not require authentication.
However, if you have configured your system to require administrative kernel
authentication, you will need to temporarily disable authentication using the
maintenance mode option before you can access the administrative kernel and
change your password. For information on disabling administrative kernel
authentication when you have forgotten your password, see “Using maintenance
mode to disable authentication when you have forgotten your password” on page
653.
Changing your password in the administrative kernel
Follow the steps below to change your password in the administrative kernel.
1 Attach a keyboard and monitor directly to your Sidewinder G2 and reboot.
If your system has multiple keyboard/monitor connection ports, you must
attach the keyboard and monitor into the same keyboard/monitor connection
port pair (that is, attach both items either to the front connection ports
or the back connection ports).
2 When the “loading/boot . . . . . ." message appears, press any
key to interrupt the boot sequence.
The number sequence 4, 3, 2, 1, 0 is displayed as the Operational kernel
is booting. Press any key (excluding Esc) before the 0 appears. A
Boot: prompt then appears.
3 Enter the following command:
bsd.sw.admin -w
4 Press Enter when asked whether to check and mount all file systems. The
system prompt will appear.
5 Enter the following command to change your password:
cf adminuser modify user=name password=newpassword
6 To reboot to the Operational kernel, enter the following command:
shutdown -r now
You can now log in using your new password.
Using maintenance mode to disable authentication when
you have forgotten your password
If you have configured your system to require administrative kernel
authentication and you forget your password, you will need to temporarily
disable administrative kernel authentication using the maintenance mode
option, as described below.
653

Appendix F: Basic Troubleshooting
If you forget your administrator password
654
1 Attach a keyboard and monitor directly to your Sidewinder G2.
If your system has multiple keyboard/monitor connection ports, you must
attach the keyboard and monitor into the same keyboard/monitor connection
port pair (that is, attach both items either to the front connection ports
or the back connection ports).
2 Insert the Sidewinder G2 Installation–Disk Imaging CD in the Sidewinder
G2’s CD drive, and then power off the system.
3 Power up the system. Click Continue when the Installation Wizard appears.
4 On the Installation Type window, use the down arrow to move the cursor to
the Maintenance Mode option, and press the space bar to select it.
5 Tab to Continue and press Enter. The shell prompt appears.
6 Open the /etc/ttys file for editing.
7 Modify the value of the following line to be secure:
console /usr/libexec/getty pccons ibmpc3 on secure
8 Save your changes and exit. The Install Wizard closes.
9 At the shell prompt, type exit and press Enter.
10 See “Changing your password in the administrative kernel” on page 653 for
information on changing your password in the administrative kernel.
Manually clearing an authentication failure lockout
If you have enabled the authentication failure lockout option and have been
locked out of your system, another administrator can log into the system and
clear the lock using the Admin Console (see “Configuring authentication
services” on page 284). However, if you do not have another administrator who
can clear your lock for you, you can still manually clear your lock by
successfully logging in at the Sidewinder G2, as follows:
1 Attach a keyboard and monitor (or laptop) directly to your Sidewinder G2.
If your system has multiple keyboard/monitor connection ports, you must
attach the keyboard and monitor into the same keyboard/monitor connection
port pair (that is, attach both items either to the front connection ports
or the back connection ports).
2 [Conditional] If the Sidewinder G2 does not detect the keyboard and
monitor (or laptop), reboot the Sidewinder G2. When the Sidewinder G2
has booted, the login prompt appears.
3 Log into the Sidewinder G2. When you successfully log in directly on the
Sidewinder G2, the lock will be cleared automatically and you should be
able to log into the Sidewinder G2 as usual.

Interpreting beep
patterns
Table 45: Sidewinder G2 beep patterns
Appendix F: Basic Troubleshooting
Interpreting beep patterns
At times, your Sidewinder G2 Security Appliance may emit a beep pattern. The
beep pattern may repeat itself until the issue is addressed. This is the
Sidewinder G2’s way of communicating to you its status and what needs to
happen next. Refer to this chart to interpret the various patterns and take the
appropriate action.
What you hear What it means What you should do
TWO (2) short beeps
(non-repeating)
THREE (3) short beeps
(non-repeating)
FOUR (4) short beeps
(repeating)
FIVE (5) short beeps
(repeating)
Sidewinder G2 successfully
rebooted and is now passing
traffic.
Sidewinder G2 is ready for its
Quick Start information.
There are non-content errors
on Quick Start Wizard
diskette.
If you have already completed
an initial configuration, this
indicates an unlicensed
Sidewinder G2 running in safe
mode.
If the Sidewinder G2’s license
is already activated, this
indicates a network failure.
The Sidewinder G2 needs you
to remove media from its
drives.
No action needed, the Sidewinder G2 is
operational.
Configure the Sidewinder G2 using one of the
three methods described in “Selecting the best
startup method” in the Startup Guide.
Try again with a new Quick Start Wizard
diskette.
Do one of the following:
• License the Sidewinder G2 (see “Checking
for license activation” in the Startup Guide
for details).
• Attach a monitor and keyboard, wait for a
pause between beeps, and then enter the
following command: stop_beep
Note: Using this command turns off the beep
pattern, but does not make your Sidewinder
G2 fully operational. You must license your
Sidewinder G2 before it will pass and monitor
traffic.
Troubleshoot your network connectivity.
Remove media and reboot.
More...
655

Appendix F: Basic Troubleshooting
If a patch installation fails
If a patch
installation fails
656
What you hear What it means What you should do
ONE (1) medium beep
THREE (3) short beeps
Long beep followed by
n short beeps
(repeating)
(where n = sequential
number of diskette to be
installed)
Long beep
(repeating)
The managed Sidewinder G2
failed to register with the G2
Enterprise Manager.
Note: This beep pattern
can only occur on a
managed Sidewinder G2.
The system is ready for next
diskette in configuration
backup.
Verify the Sidewinder G2 name, registration
key, and administration user name and
password information.
Verify connectivity between the managed
Sidewinder G2 and the EM. Then try again
manually to register the Sidewinder G2 to the
EM.
See “Dealing with a failed managed firewall
registration” in Appendix B of the Startup
Guide for more information.
Insert the next diskette in your configuration
backup.
Task failed. Contact Technical Support
(if you have a support contract).
In the unlikely event the patch installation fails, the Sidewinder G2 will not be
operational, and will instead boot into failure mode. A message appears when
you log into the Sidewinder G2 and it is in failure mode.
Failure mode enables the Sidewinder G2 to boot far enough to allow an
administrator to log in. The administrator can then display the log files and
perform diagnostic functions in an effort to determine what went wrong.
Important: Unless you are an extremely experienced Sidewinder G2 administrator,
please contact Secure Computing Technical Support if your Sidewinder G2 boots
into failure mode.
After correcting the problem you should perform the following steps:
1 Exit failure mode by typing the following command:
cf daemond set failure_mode=off
2 Reboot the Sidewinder G2.
Reinstall or restore a configuration backup.
See the Sidewinder G2 Administration Guide
for details.
Note: For more information on failure mode, see “daemond” on page 12.

Troubleshooting
proxy rules
Appendix F: Basic Troubleshooting
Troubleshooting proxy rules
The following sections provide information on troubleshooting basic proxy rule
problems. For additional information on troubleshooting proxy rules, refer to
the cf_proxy man page.
Failed connection requests
If the Sidewinder G2 rejects a connection request that you feel should have
succeeded, you can take steps to determine why the connection was rejected.
The steps shown below will help you to locate and correct rule configuration
errors. They will also help you gain a better understanding of how those rules
work.
1 Start the Admin Console and select Services Configuration > Proxies.
Verify that the appropriate proxy is enabled. The most common mistake is
failing to enable the service type indicated by the proxy rule.
Tip: Verify that all appropriate servers are enabled as well.
2 Select Policy Configuration > Rules.
Verify that the proxy rule for the proxy or server specifies the correct network.
You need to enable the service type on the correct network to listen
for incoming connections. In the Rules Source/Dest tab, this corresponds to
the Source Burb column.
3 Verify the position of the rules within the Active Rules window. (Select
Policy Configuration > Rules > and then click View Active Policy).
The order of the rules in the Active Rules window is important. The
attributes of a connection request sometimes may match more than one
proxy rule. See “Creating proxy rules” on page 222 for a detailed example.
4 Check the audit log information.
If the connection still fails, scan the audit log to determine which proxy rule
denied the connection. See Chapter 19 for details on viewing audit.
The below displays a common scenario, a connection that failed to match a
rule:
Apr 29 16:52:29 2002 CDT f_nss a_server t_acldeny p_major
pid: 27122 ruid: 0 euid: 0 pgid: 188 fid: 2000001 logid: 0
cmd: ’nss’
domain: nss1 edomain: nss1 srcip: 172.17.9.27 srcburb: 1
dstip: 172.17.9.27 dstburb: 1 protocol: 6 service_name:
telnet agent_type: server user_name: authmethod:
acl_id: cache_hit: 0
5 Turn on verbose auditing of rule (ACL) checks.
To determine why no proxy rule matched the connection request, type the
following command to turn on verbose auditing of rule checks:
657

Appendix F: Basic Troubleshooting
Troubleshooting proxy rules
658
cf acl set loglevel=4
This increases the level of rule audits from the default level 2 (minor) to
level 4 (major).
Note: Modifications to the log level setting will not be overwritten if acld is
restarted. To return the log level to its default value, you must manually reset it.
When the connection attempt is rejected, the proxy or server will generate a
more verbose audit message as shown below:
May 5 02:37:42 2002 CDT f_ping_proxy a_aclquery t_info
p_major
pid: 184 ruid: 0 euid: 0 pgid: 184 fid: 2000001 logid: 0
cmd: 'pingp'
domain: Ping edomain: Ping
+|pingp|INFO|MAJOR|PING_PROXY|aclQUERY
=Skipped 'http_out': query service 'ping' != rule 'http'.
Skipped 'telnet_external': query agent 'proxy' != rule
'server'.
Skipped 'http_ssl_out': query service 'ping' != rule
'https'.
Skipped 'ftp_out': query service 'ping' != rule 'ftp'.
Skipped 'telnet_out': query service 'ping' != rule
'telnet'.
Skipped 'nntp_out': query service 'ping' != rule 'nntp'.
Skipped 'real_media_out': query service 'ping' != rule
'RealMedia'.
Skipped 'rtsp_out': query service 'ping' != rule 'rtsp'.
Skipped 'gopher_out': query service 'ping' != rule
'gopher'.
Skipped 'finger_out': query service 'ping' != rule
'finger'.
Skipped 'dns_self': query service 'ping' != rule 'dns'.
Skipped 'smtp_out': query service 'ping' != rule 'smtp'.
Skipped 'smtp_in': query service 'ping' != rule 'smtp'.
Skipped 'cobra_all': query agent 'proxy' != rule
'server'.
Skipped 'login_console': query agent 'proxy' != rule
'server'.
Access denied by rule 'deny_all'.
You can use this output to determine why each proxy rule failed to match
the connection request. Locate the proxy rule that you thought should have
matched. Then inspect and correct the proxy rule.
6 When you are done troubleshooting, type the following command to lower
the level of rule audits back to the default:
cf acl set loglevel=2

Appendix F: Basic Troubleshooting
Troubleshooting proxy rules
If you do not set the loglevel back to 2, you will run out of disk space.
Monitoring allow and deny rule audit events
Another troubleshooting tool is the rule monitoring tool (acat_acls). This real
time monitoring tool enables you to display allow and deny rule audit events as
they occur on the Sidewinder G2. Because the rule audit events are displayed
in real time, this tool provides a Sidewinder G2 administrator a unique window
by which to view Sidewinder G2 rule activity. You can use the tool to determine
if your rule database is properly configured, or to simply view how your rules
are being used on a live system.
For example:
• If you are not certain whether your Telnet rule is properly configured, you
can start the monitoring tool, attempt your Telnet connection and see (in
real time) whether the connection is allowed or denied.
• If you want to see (in real time) which rules are currently the most heavily
used, start the monitoring tool and watch as the current rule audit events
scroll by within a command window.
The remainder of this section provides information on using the monitoring
tool. Information can also be found by typing
man acat_acls at a Sidewinder G2 command prompt.
Starting the rule monitoring tool (acat_acls)
To start the rule monitoring tool, enter the following commands at a Sidewinder
G2 command prompt:
srole
/usr/bin/acat_acls -a -d
where:
• -a = display allow rule audit events
• -d = display deny rule audit events
If you want to view only allow rule audit events or only deny rule audit events,
simply omit the undesired option (-a or -d).
659

Appendix F: Basic Troubleshooting
Troubleshooting proxy rules
660
Viewing the output from the rule monitoring tool
Each rule audit event is displayed on a single 80-character line using the
following format:
Action Date Time Source Source Dest. Dest. Service Agent
Burb IP Burb IP
The source burb and the destination burb fields will display the burb index
number, not the burb name. The following example shows both an allow rule
audit event and a deny rule audit event:
DENY 02/05/05 02:41:04 2 192.168.179.76 1 192.168.180.87 ping proxy
ALLOW 02/05/05 02:42:32 2 192.168.179.76 1 192.168.180.87 telnet proxy
Halting and resuming rule monitoring tool output
If the output from the monitoring tool is scrolling by too quickly, you can
temporarily halt the output by pressing the following key combination:
Ctrl+S
To resume output, press the following key combination:
Ctrl-Q
Stopping the rule monitoring tool
To stop the rule monitoring tool, press the following key combination:
Ctrl-C
Active rules and the DNS
If you create a proxy rule that contains a host name or a domain name, that
rule will consult the Domain Name System (DNS) in order to translate the
name to its corresponding IP address. Because of this, there are some facts
related to DNS that you should consider when setting up your security policy.
The Sidewinder G2 can be configured to use transparent DNS, one DNS
server (known as single or unbound DNS), or two DNS servers (known as split
DNS). The split DNS scenario is the most secure, as one DNS server is
dedicated to your Internet burb and the second DNS server services your
remaining burbs. This essentially isolates the two DNS servers from each
other, protecting your non-Internet burbs from attacks by malicious persons on
the Internet.

Understanding
FTP and Telnet
connection
failure messages
Appendix F: Basic Troubleshooting
Understanding FTP and Telnet connection failure messages
However, it is theoretically possible for attackers on the Internet to feed false
information to your Internet DNS server. Therefore, you should be careful when
using rules to allow or deny access to specific hosts on the Internet.
When dealing with outside connections, there are steps that you can take to
increase the level of assurance:
1 Use IP addresses in your proxy rule instead of host names or domain
names. This avoids having to depend on external DNS.
2 Make the proxy rule demand strong authentication (for example,
SafeWord).
3 Make the proxy rule demand encryption of the connection (for example,
VPN).
For additional protection you should do a combination of the above.
Depending on your Sidewinder G2’s configuration, FTP and Telnet users will
see one of two messages when a connection attempt is denied by the
Sidewinder G2. The type and meaning of these messages are summarized
below.
Table 46: Connection failure messages for Telnet
Message Possible Causes
telnet 192.55.214.24
Trying 192.55.214.24
Connected to 192.55.214.24
Escape character is ‘^]’.
Connection closed by foreign host.
telnet 192.55.214.24
telnet: Unable to connect to remote
host: Connection refused.
✔ Rule entry denied the connection
✔ Server is down
✔ No proxy enabled on port but the
Sidewinder G2 server is enabled
✔ Distinguishing IP addresses were used
but no match was found
✔ No proxy or Sidewinder G2 server
enabled on that port
✔ Default route is wrong on client
Note: Similar messages are displayed for failed FTP connections.
661

Appendix F: Basic Troubleshooting
Troubleshooting High Availability
Troubleshooting
High Availability
662
This section provides information to determine whether High Availability is
functioning properly.
Viewing configuration-specific information
The cf failover query command gives you configuration-specific
information, as shown in the following example:
failover set priority=255 multicast_group=239.192.0.1 \
heartbeat_burb=internal firewall_id=1 \
interface_test_time=30 ping_wait=0 load_sharing=off
interval_time=1 \ interface_test_failures=3 enabled=on
failover set password=pasword type=sha1
failover add address alias=10.10.1.22 \ remote=172.27.1.21
network=172.27.1.2
failover add address alias=10.10.10.12 \ remote=10.10.10.21
burb=internal
Viewing status information
The cf failover status command gives you information on whether or not
HA is active, what state the system is in (primary or secondary/standby), and
useful statistical information.
Viewing status information for a primary
The following example shows sample results for a primary in a peer-to-peer HA
configuration:
This system is operating as primary.
Failover is running in burb 3
IP alias 10.10.10.186 assigned to interface eb0
IP alias 192.168.222.186 assigned to interface exp1
IP alias 192.168.107.186 assigned to interface exp0 This
system was configured as a standby with priority 245 for
firewall ID 186.
Failover interface status:
Interface eb0 not monitored
Interface exp1 up
Interface exp0 not monitored
IP Filter tracking state as primary

Active firewall list:
10.10.10.7
Statistics for failover
Failover running since Wed Feb 2 15:04:48 2005
Appendix F: Basic Troubleshooting
Troubleshooting High Availability
Failover allowing 3 seconds for interface swap (default)
Number of advertisements sent = 210
Number of received advertisements = 0
Number of rcvd advertisements since primary = 0
Number of times this system has become primary = 1
Number of release messages received = 0
Number of release messages sent = 0
Number of failed takeover attempts = 0
Number of possible duplicate primary messages = 0
Number of heartbeat ack messages received = 0
Number of heartbeat ack messages sent = 0
Number of messages received with errors = 0
Number of same priority advertisements rcvd = 0
Number of pings received on interface eb0 = 0
Number of pings received on interface exp1 = 7
Number of pings received on interface exp0 = 0
Viewing status information for a secondary
The following example shows sample results for a secondary that is configured
for load sharing HA:
This system is operating in load sharing mode as secondary.
This system is node 1.
The primary is node 0 (10.10.10.6).
Failover is running in burb 3
cluster heartbeat address 10.10.10.186 assigned to interface
eb0
shared cluster address 192.168.222.186 assigned to interface
exp1
shared cluster address 192.168.107.186 assigned to interface
exp0
Failover interface status:
Interface eb0 not monitored
Interface exp1 up
663

Appendix F: Basic Troubleshooting
Troubleshooting High Availability
664
Interface exp0 not monitored
IP Filter tracking state as load sharing peer
Active firewall list:
nodeaddress
0 10.10.10.6 (primary)
Statistics for failover
Failover running since Wed Feb 2 14:08:52 2005
Failover allowing 3 seconds for interface swap (default)
Number of advertisements sent = 0
Number of received advertisements = 1404
Number of rcvd advertisements since primary = 1404
Number of times this system has become primary = 0
Number of release messages received = 0
Number of release messages sent = 0
Number of failed takeover attempts = 0
Number of possible duplicate primary messages = 0
Number of heartbeat ack messages received = 0
Number of heartbeat ack messages sent = 1404
Number of messages received with errors = 0
Number of same priority advertisements rcvd = 0
Number of pings received on interface eb0 = 0
Number of pings received on interface exp1 = 46
Number of pings received on interface exp0 = 0
Tip: The failover daemon is named faild. Enter the pss faild command to
determine whether the failover daemon is active.

Appendix F: Basic Troubleshooting
Troubleshooting High Availability
Identifying load sharing addresses in netstat and ifconfig
Output for netstat -i queries will display load sharing addresses with a
plus (+) sign. The following example displays the results for the netstat -i
command with load sharing enabled.
Name Index MTU Speed Mtrc Burb Address Network
em0 1 1500 100M 0 external 00:0c:f1:c7:ba:ea
em0+ 1 0 external 172.27.1.22 172.27
em0 1 0 external 172.27.1.2 172.27
exp0 2 1500 100M 0 internal 00:a0:c9:9d:99:a1
exp0+ 2 0 internal 10.10.10.22 10.10.10/24
exp0 2 0 internal 10.10.10.2 10.10.10/24
eb0 3 1500 100M 0 heartbeat 00:10:5a:98:51:26
eb0 3 0 heartbeat 10.10.1.2 10.10.1/24
eb0 3 0 heartbeat 10.10.1.22 10.10.1/24
lo0 4 1500 0 Firewall
lo0 4 0 Firewall 127.0.0.1 127
lo0 4 0 external 127.1.0.1 127
lo0 4 0 internal 127.2.0.1 127
lo0 4 0 heartbeat 127.3.0.1 127
Output for ifconfig -a queries will display load sharing addresses with the
word shared. The following example displays the results for the ifconfig -a
command with load sharing enabled.
em0: flags=8843
link type ether 0:c:f1:c7:ba:ea mtu 1500 speed 100Mbps
media auto (100basetx full_duplex) status active
inet 172.27.1.22 netmask 255.255.0.0 broadcast 172.27.255.255
burb external, burb index 1 shared
inet 172.27.1.2 netmask 255.255.0.0 broadcast 172.27.255.255
burb external, burb index 1
exp0: flags=8843
link type ether 0:a0:c9:9d:99:a1 mtu 1500 speed 100Mbps
media auto (100basetx full_duplex) status active
inet 10.10.10.22 netmask 255.255.255.0 broadcast 10.10.10.255
burb internal, burb index 2 shared
inet 10.10.10.2 netmask 255.255.255.0 broadcast 10.10.10.255
burb internal, burb index 2
eb0: flags=8843
link type ether 0:10:5a:98:51:26 mtu 1500 speed 100Mbps
media auto (100basetx full_duplex) status active
inet 10.10.1.2 netmask 255.255.255.0 broadcast 10.10.1.255
burb heartbeat, burb index 3
inet 10.10.1.22 netmask 255.255.255.0 broadcast 10.10.1.255
burb heartbeat, burb index 3
lo0: flags=8009
link type loop mtu 1500
inet 172.0.0.1 netmask 255.0.0.0
burb Firewall, burb index 0
inet 172.1.0.1 netmask 255.0.0.0
burb external, burb index 1
inet 172.2.0.1 netmask 255.0.0.0
burb internal, burb index 2
inet 172.3.0.1 netmask 255.0.0.0
burb heartbeat, burb index 3
665

Appendix F: Basic Troubleshooting
Troubleshooting NTP
Troubleshooting
NTP
666
Interface configuration issues with HA
If you modify your interface configuration, your HA configuration will not
function until you update the HA Interfaces table (in the Admin Console, select
High Availability > Common Parameters tab) to match the modified interface
configuration. When you are finished updating the interface information, reboot
the Sidewinder G2s.
Troubleshooting remote interface test failover for peer-topeer
HA
If you have a peer-to-peer HA cluster configured and the remote host used for
interface testing becomes unavailable, the primary will report an interface
failure (after the specified number of failed ping attempts is reached) and
failover will occur. When this happens, the new primary will receive the
interface failure status from the former primary, and interface failure testing will
be disabled. In this state, the standby will take over for the primary only if the
primary becomes unavailable.
Once the remote host is restored, you will need to issue the cf failover
reset command on the standby, and then on the primary to reset and reenable
the interface failover indicators.
If you have NTP properly configured and enabled, you should be able to
monitor NTP packets being sent/received on the appropriate Sidewinder G2
interfaces. To do so, enter the following command:
tcpdump -npi ext_interface# port 123
where: ext_interface# is the external interface and number (for example
em0, em1, etc.)
NTP packets should be sent/received every 15-30 seconds.
To check the exact time, enter the date command and compare it to a known
good clock source (for example, www.time.gov).
Note: An NTP proxy and an NTP server cannot run in the same burb. Therefore, if
you have a proxy enabled and running in the same burb as the NTP server, the
NTP server will not start.

Why did NTP stop?
Appendix F: Basic Troubleshooting
Troubleshooting NTP
NTP is designed to automatically quit whenever the client’s time deviates from
the server’s signal by more than 15 minutes. When a deviation of this
magnitude occurs, NTP writes a message to file /var/log/messages before
quitting.
To restart NTP, first set the Sidewinder G2’s clock manually (refer to “Setting
the system date and time” in Chapter 3) and then follow the directions below
for restarting NTP.
Why does NTP appear to be inaccurate?
You probably have fixclock running.
NTP clients will not synchronize with the Sidewinder G2
This may be because, when the Sidewinder G2 is configured as an NTP
server, it reports itself as a stratum 0 time server. Not all clients can
synchronize from a stratum 0 server. To change the stratum setting, type the
following command:
cf ntp add server burb=burbname ip=127.127.1.0
where: burbname = the burb that is serving time to the NTP clients.
If the Sidewinder G2 is serving time to clients in multiple burbs, and one or
more clients in each burb has a problem with stratum 0 servers, you must type
this command once for each burb.
Restarting NTP from the UNIX prompt
If the NTP process stops, you can restart the NTP process by doing the
following:
1 At a Sidewinder G2 command prompt, log in and enter the following
command to switch to the Admn role:
srole
2 To start the NTP time server, enter the following command:
cf server restart ntp burb=burb
3 [Optional] Verify the state of the NTP servers by entering the following
command:
cf server status ntp
667

Appendix F: Basic Troubleshooting
Troubleshooting VPNs
Troubleshooting
VPNs
668
In addition to standard logging, the Sidewinder G2 also performs auditing of
certain system events which allows you to generate information on VPN
connections. Table 47 shows some useful commands you can use to track
VPN connections in real time mode and check VPN settings/configuration.
Table 47: Basic Sidewinder G2 VPN troubleshooting commands
Commands
tcpdump -npi ext_interface port 500 or proto 50
To show IPSec and ESP traffic arriving at the Sidewinder G2.
cf ipsec q
To review VPN policies on the console.
cf ipsec policydump
To determine if VPN is active - the presence of SPI and transform numbers
indicates the secure connection is functioning.
showaudit -v
To show detailed audit trace information for VPN. To enable a more detailed
auditing level, in the Admin Console select VPN Configuration> ISAKMP
Server and change the audit level using the pull-down menu.

GLOSSARY
ACE/Server A server made by Security Dynamics Incorporated that can be used to
authenticate users attempting connections through (or to) the Sidewinder G2.
ACL (access control list) Another term for active rule group.
activation The process by which a customer’s licensed software becomes active.
activation key A string of numbers and characters that allows the operation of the software.
active rule group A rule group, often made up of nested rule groups and rules, that is loaded in
to the Sidewinder G2 kernel and begins actively monitoring traffic coming into
and leaving the Sidewinder G2.
ActiveX Microsoft’s name for certain object-oriented programming technologies and
tools. ActiveX is often downloaded and executed on a local system when
browsing the Internet, and may require specific port restrictions. Consult
Microsoft’s documentation for more information.
Admin Console The graphic user interface (GUI) used to configure and manage the
Sidewinder G2. The Admin Console runs on Windows-based platforms.
Admin Console tree The hierarchical layout in the left–hand panel of the Admin Console.
Admn domain The physical and logical resources within the UNIX operating system that has
access to most of the other domains.
admin role The role is assigned to administrators authorized to work in the Admn domain
with full privileges. An administrator assigned the admin role can use all
menus and commands in the Admin Console. This includes adding or
removing users, backing up and restoring the system, and using all other
system functions and commands.
adminRO role The read–only role assigned to administrators authorized to access and view,
but not modify, information. The AdminRO role is essentially an auditor role,
allowing the administrator to view system and audit information, as well as
generate reports.
669

Glossary
Administrative kernel A UNIX kernel that provides the environment needed to perform
administrative tasks such as installing software or running a system backup.
When the Administrative kernel is running, all network connections are
disabled and Internet services are not available; Type Enforcement security is
disabled. See also Operational kernel.
alarm event A Sidewinder G2 feature used to monitor your network for potentially
threatening activity, such as an attempted attack or an audit overflow. When
an alarm event is generated, an appropriate event response is issued.
alias An arbitrary name that a system administrator can assign to a network
element. Aliases can typically be any combination of up to 16 characters
(without spaces).
API (application program
interface)
670
A stable, published software interface to an operating system or specific
software program by which a programmer writing a custom application can
make requests of the operating system or specific software program. (An API
provides an easy and standardized connection to a particular software
component.).
Application Defenses A feature that is incorporated in proxy rules to configure application-specific
properties for each proxy on a per-rule basis. Properties include basic timeout
properties and application-specific permissions, as well as anti-virus/spyware,
anti-spam/fraud, SSL decryption, and Web services management for key
proxies.
application-layer proxy Also known as an intelligent proxy. Application-layer proxies check
application-layer data as it comes into the Sidewinder G2. If the data is
compliant with that application’s standard, the Sidewinder G2 initiates a new
connection on its opposite side and passes on the data. If the data is not
compliant, the Sidewinder G2 drops the data.
ARP (address resolution
protocol)
A protocol used to map an IP address to a MAC address. A gratuitous ARP is
a system broadcasting its own information, often after an address change, so
other devices can update their ARP caches.
auditing A method of collecting and storing information that can be used to track
system activity (for example authentication attempts, configuration
modifications, stopping and starting of services, etc.).
authentication A process that verifies the authenticity of a person or system before allowing
access to a network system or service.
authenticator A device or mechanism used to verify the identity of an individual logging onto
a network, application, or computer. Authenticators are also called tokens.
BIND (Berkeley Internet
Name Domain)
A standard program which implements the Domain Name Service (DNS).
BSD/OS The operation system obtained from Wind River, Inc., and used as a base for
developing SecureOS. See also SecureOS

Glossary
burb A set of one or more interfaces and the group of systems connected to each
interface that are to be treated the same from a system security policy point of
view.
certificate See digital certificate.
Certificate Authority (CA) A highly trusted entity, that issues and revokes certificates for a set of
subjects, and is ultimately responsible for their authenticity.
CGI (common gateway
interface)
Any server-side code that accepts data from forms via HTTP. The forms are
generally on Web pages and submitted by end users.
challenge A set of random numbers generated by the computer being accessed. The
numbers are entered into the authenticator, which then generates a password.
You can set some authenticators to generate a password in response to a
challenge.
cipher key In order for encryption to be unique, it uses a random set of characters, called
a cipher key. Encrypting data using two different keys will produce two
completely different results. All authenticators contain at least one key that
they use to generate passwords.
circuit proxy See network-layer proxy.
client A program or user that requests network service(s) from a server.
daemon A software routine within UNIX that runs in the background, performing
system-wide functions.
daemond (Pronounced daimon-dee) A powerful Sidewinder G2 component process that
enhances overall security by monitoring and controlling all of the Sidewinder
G2’s major software components. It also detects and audits some classes of
attacks against the Sidewinder G2.
dark data center A term used to describe a data process facility where all machines are
designed to be managed remotely. This type of facility maximizes storage
space by rack-mounting computers and minimizes overhead costs by not
needing lights. Machines stored in a dark data center ideally require minimal
physical human interaction.
DHCP (dynamic host
configuration protocol)
A protocol for dynamically assigning IP addresses to networked devices. In a
dynamic environment, IP addresses may change frequently. Using DHCP
addressing requires the device be on a network with a DHCP server.
digital certificate A data structure that is digitally signed by a CA, or a signature source that
users can trust. The certificate contains a series of values, such as the
certificate name and usage, information identifying the owner of the public
key, the public key itself, an expiration date, and the name of the CA that
generated the certificate.
671

Glossary
DMZ (demilitarized zone) A network buffer zone that generally hosts services that require interaction
with Internet traffic, while still protecting internal systems. On Sidewinder, the
DMZ is generally a burb for hosting Web servers and other hosts that
receiving large volumes of external, untrusted traffic.
DNS (domain name
system)
672
A TCP/IP service that maps domain and host names to IP addresses, IP
addresses to domain and host names, and provides information about
services and points of contact in a network or the Internet. A set of connected
name servers and resolvers allows users to use a host name rather a 32-bit
Internet address.
domain (1) Relative to networking, the portion of an Internet address that denotes the
name of a computer network. For instance, in the e-address
jones@example.sales.com, the domain is example.sales.com. (2) Relative to
Type Enforcement, an attribute applied to a process running on SecureOS
that determines which system operation the process may perform.
DoS (denial of service) Event in which a network experiences a loss of a service, like e-mail or a Web
server, that is expected to be available. This event is generally caused by a
malicious attack, but may also happen accidentally.
DSS (defender security
server)
A server made by AssureNet Pathways that can be used to authenticate users
attempting connections through (or to) the Sidewinder G2. See also
SecureNet Key (SNK).
dynamic password The unique one–time response to a log in challenge or special code
presented by an authentication server. Each password is obtained using a
software or hardware authenticator that communicates with a password
generator.
editor A program that can be used to create or modify text files. See also file editor.
encryption Data encryption uses a secret code to scramble information so that it can be
read only by computers using the same code or encryption technology. While
encryption reduces the risk of unauthorized access, it does not create a totally
safe networking environment on its own.
end user See user.
event response A response to an alarm event that includes notifying the administrator and/or
performing a Strikeback.
extended authentication
(XAUTH)
An extension of the IKE protocol. It provides a mechanism to employ an
administrator–selected authentication mechanism in addition to the existing
IKE authentication (that is, in addition to certificate based or pre-shared key
authentication). It initiates after the existing IKE authentication mechanism is
successful. XAUTH enables use of strong authentication (sometimes referred
to as legacy authentication) in VPN configurations.

Glossary
external DNS External DNS provides a limited external view of the organizational domain.
No internal information is available to the external DNS and only the external
DNS can communicate with the outside. Therefore, no internal naming
information can be obtained by anyone on the outside. The external DNS
cannot query the internal DNS or any other DNS server inside the Sidewinder
G2.
failover See high availability.
failure mode See safe mode.
File Editor The program available directly in the Admin Console that can be used to
create or modify text files. The File Editor communicates with the Sidewinder
G2 using a secured connection.
firewall A network component that filters traffic between a designated “protected
network” and external networks. A firewall ensures that the protected network
is safe from unauthorized entry and file manipulation.
firewall ID The MAC address by which you choose to identify your Sidewinder G2. The
firewall ID is used when activating your Sidewinder G2.
fixed password A string of characters of varying lengths and composition (text and/or
numerics) used to identify a user attempting to access a service. Fixed
passwords remain unchanged unless given a finite life span. Fixed passwords
are also known as memorized passwords.
FTP (file transfer
protocol)
A protocol used on the Internet for transferring files.
FTP site An Internet site that hosts directories and files that you can browse and copy
to your system using the file transfer protocol (FTP).
gateway A network component used to connect two or more networks that may use
dissimilar protocols and data transmission media.
generic proxy An administrator–configured Sidewinder G2 proxy that is not part of the
Sidewinder G2’s preconfigured proxies.
group Logical groupings of two or more users, identified by a single name. See rule
groups, user groups.
hardware acceleration A licensed feature that improves throughput for system performance when
processing traffic. This feature consists of both hardware and software
elements.
hardware authenticator Also referred to as tokens. Hardware authenticators are hand-held devices
that use an internally held cryptographic variable to generate a dynamic
(single-use) passcode.
high availability A licensed feature that allows a second Sidewinder G2 to be configured either
in a load sharing capacity or in “hot backup” mode.
673

Glossary
host Any computer connected to a network; for example, a workstation, router,
Sidewinder G2, or server.
HTML (hypertext markup
language)
HTTP (hypertext transfer
protocol)
HTTPS (hypertext
transfer protocol-secure)
ICANN (Internet
Corporation for Assigned
Names and Numbers)
IETF (Internet
Engineering Task Force)
IKE (Internet key
exchange)
674
A simple programming language used to create Web documents. Hypertext
uses special links that you can click to jump from one related topic to another.
An agreed-upon format (protocol) that requests and transfers HTML
documents on the World Wide Web.
An agreed-upon format (protocol) that requests and transfers HTML
documents on the World Wide Web in a secured manner.
A U.S. non-profit organization designated to allocate IP address space, assign
protocol parameters, perform domain name system management, and
maintain root server systems. Other domain registration companies are
available.
The organization that developed the IPSec standard which protects data on
unprotected (or untrusted) networks such as the Internet.
A key management protocol standard which automates the implementations
of other protocols (ISAKMP, Oakley, etc.) used in a VPN connection.
interface A shared boundary through which information can be exchanged. (An
interface may be a shared portion of computer software accessed by two or
more programs, a hardware component linking two devices, or a device or
program allowing a user to communicate and use the computer or program.)
internal DNS Manages DNS information only available to internal machines. The internal
name server cannot receive queries from external hosts since it cannot
communicate directly with the external network. Resolution of external DNS
information both for the Sidewinder G2 itself and to handle internal queries for
external information are handled by the internal name server. Although it is
unable to communicate directly with external hosts, it is able to send queries
and receive the responses via the external DNS.
IP address A 32- bit address that uses standard dotted quad notation assigned to TCP/IP
network devices. An IP address is unique to each machine on the Internet. An
IP address contains a network and host field.
IP Filter Provides the ability to specify rules to allow IP-based traffic to flow through the
Sidewinder G2 at the network layer. For example, traffic may pass through the
Sidewinder G2 without being passed to the application proxies. IP Filter can
be used for tracking TCP session states, and is sometime referred to as
“stateful inspection.”
IPSec (Internet Protocol
Security)
A set of standards created to provide data integrity and confidentiality at the IP
layer of the network stack.

ISAKMP (internet
security association and
key management
protocol)
ISP (Internet Service
Provider)
A protocol framework which sets the parameters for a VPN connection by
defining the payload format, how the key exchange protocol will be
implemented, and how the security association will be negotiated.
Glossary
A company that provides individuals and other companies access to the
Internet and other related services such as Web site building and virtual
hosting. An ISP has the equipment and the telecommunication line access
required to have a point-of-presence (POP) on the Internet for the geographic
area served.
kernel Manages all physical resources, including scheduling of processes, virtual
memory, file system management, reading and writing files to disk or tape,
printing, and network communications. The Sidewinder G2 is run in one of two
kernels: the operational kernel or the administrative kernel.
key pair The reference to a private key and a mathematically-related public key. The
private key is safeguarded by the owner, and known only to them. The public
key can be distributed to anyone. This allows one key to be used for
encryption, and the other key to be used for decryption.
key pair generation The process of generating mathematically-related public/private key pairs.
LDAP Lightweight Directory Access Protocol. An internet standard for directory
services that run over TCP/IP.
login ID When used in conjunction with a password, a means of authentication to start
a session with a computer system.
MAC (media access
control)
A unique address assigned to network interface card hardware as a means of
identification. Sidewinder G2 licenses are locked to a MAC address on the
Sidewinder G2.
mail server A network computer that serves as an intermediate station for electronic mail
transfers.
man page Short for manual page, refers to the online help that is available within the
UNIX operating system. For example, entering man ls at the UNIX prompt
displays a description of the UNIX ls command.
MAT (multiple address
translation)
MIB (management
information base)
MIME (Multi-purpose
Internet Mail Exchange)
The ability for a single Sidewinder G2 interface to support multiple external IP
addresses so that inbound connections can be directed based on IP
addresses and service. MAT allows proxies to be directed to different
destinations for the same service by the IP address to which it was connected.
Within SNMP architecture, a database that stores information about managed
objects. These objects are used in the management of networks.
Allows a mail client or Web browser to send and receive non-textual
information, such as graphics, audio, video, and spreadsheets.
675

Glossary
MX (mail exchanger)
records
676
Entries in DNS that define where e-mail addresses within domain names get
delivered.
name resolution The process in which name servers supply address and hostname information
to hosts.
name server A network computer that maintains a relationship between IP addresses and
corresponding domain names.
NAS (Network Access
server)
NAT (network address
translation)
A computer that is specially made to receive communications from outside an
organization and distribute them within the organization on its network. It uses
TACACS +, RADIUS, or other protocols for authorization and sometimes for
accounting.
The ability of the Sidewinder G2 to rewrite the source address of a packet to a
new IP address specified by the administrator.
nested rule group A nested rule group is a rule group that you place within another rule group.
network-layer proxy Also known as a circuit proxy. Network-layer proxies check data at the
transport and session (TCP/IP) layers to verify that the data packet complies
with expected standards.
NIC (network interface
controller)
NNTP (network news
transport protocol)
Hardware, like a computer circuit board, that contains a port or a jack that
enables a computer to connect to network wiring (ethernet cable, phone line,
etc.).
The protocol by which network news articles are transferred or read across
the Internet.
node (1) Any network device such as a workstation or server.
(2) The connection point for devices in a network.
non-anonymous FTP An FTP site that can only be accessed by individuals who enter a valid user
name and password.
nslookup (name server
lookup)
NSS (network service
sentry)
NTP (network time
protocol)
A UNIX command that allows you to interactively query a DNS server and
ensure the name server is properly resolving host names and IP addresses.
Manages servers and proxy services on the Sidewinder G2.
A protocol that provides a way to synchronize all clocks on a network, or to
synchronize the clocks on one network with those on another network.
object Generally an item that you can individually select and manipulate, including
shapes and pictures that appear on a display screen, as well as less tangible
software entities.

ODBC (Open Database
Connectivity)
Glossary
A widely accepted application programming interface (API) for database
access. It is based on the Call-Level Interface (CLI) from X/Open and ISO/IEC
for database APIs and uses Structured Query Language (SQL) as its
database access language.
off-line State of a computer when it is not connected to another device.
on-line State of a computer when it is connected to another device.
operational kernel The Sidewinder G2 SecureOS kernel that provides the normal operating
state, including Type Enforcement controls. When this kernel is running, the
Sidewinder G2 can connect to both the Internet and the internal network, and
all configured services are operational.
OS (Operating System) The master control program that keeps everything flowing smoothly inside
your computer.
OSPF (Open Shortest
Path First)
A routing protocol that dynamically updates changes to routing table
information. This protocol is an enhancement over previous protocols that
required entire tables to be updated instead of changed data only.
packet filtering Packet filters allow network administrators to limit a user's access to specific
services on the network. For example, a user may be allowed to send
electronic mail, but not copy data files from the network. Packet filtering on the
communications server analyzes each message being sent from a remote
client. The filter can determine the computer and service the user is
attempting to reach and either permit or deny access to that service.
password The most common form of authentication security. Some networks require
multiple levels of passwords to gain access to various servers or databases.
Passwords become weak links when they are shared among colleagues,
stolen, written down or created in such a way that they can be easily guessed.
PIN (Personal
Identification Number)
A number known only by an individual for the purpose of helping identify a
person during a computer-based authentication process. PINs should be
memorized by the individual.
ping A command that sends an ICMP message from a host to another host over a
network to test connectivity and packet loss.
PKI Public Key Infrastructure. A PKI is a system for distributing public
cryptographic keys within a community of interested users. The predominant
model (based on X.509) makes use of digital certificates generated by
certificate authorities. A PKI enables secure remote communication in a
number of network application areas.
port The number that identifies the destination application process for transmitted
data. Port numbers range from 1 to 65535. (For example, Telnet typically uses
port 23, DNS uses 53, etc.)
primary name server The DNS server for a domain where the name information is stored and
maintained.
677

Glossary
private key The private key is used to decrypt messages that were encrypted with the
corresponding public key. A private key can also be used to digitally sign
messages. The recipient can use the corresponding public key to verify the
authenticity of the message.
protocol A set of rules by which one entity communicates with another, especially over
a network. This is important when defining rules by which clients and servers
talk to each other over a network. Important protocols become published,
standardized, and widespread.
proxy A software agent that acts on behalf of a user requesting a network
connection through the Sidewinder G2. Proxies accept a connection from a
user, make a decision as to whether or not the user or client IP address is
permitted to use the proxy, optionally does additional authentication, and then
completes a connection on behalf of the user to a remote destination.
proxy server A server that acts on behalf of another server, and may perform tasks such as
caching, access control, or provide a route to a destination server.
Administrators may choose to configure proxy servers as transparent,
meaning the end user is unaware of the proxy server’s presence, or nontransparent,
meaning the end user must authenticate to, or interact with, the
server.
public key A public key is used to encrypt messages that only the holder of the
corresponding private key can decrypt. Public keys can also be used to verify
the authenticity of digitally-signed documents.
public key cryptography A class of cryptographic methods that employ a pair of keys for encrypting and
decrypting messages. A message encrypted with the public key can only be
decrypted with the corresponding private key. Within a public key
cryptography system, the public key may be made public without
compromising the encrypted data. Public key cryptography enables
encryption and digital signatures, and simplifies cryptographic key distribution
through the use of a public key infrastructure.
Quick Start Wizard A Windows-based program that allows you to initially configuration your
Sidewinder G2 or G2 Enterprise Manager.
RADIUS Remote Authentication Dial-In User Service. An authentication protocol
developed by Livingston Enterprises Inc. Recognized by the Internet
Engineering Task Force (IETF) as a dial-in security solution on the
Internet.(RFC 2138).
RAID (redundant array of
individual disks)
678
Stores information on multiple hard disks to provide redundancy. Using RAID
can improve performance and fault-tolerance.
redirected proxy A Sidewinder G2 proxy option that reroutes a connection to a specific host
system, hiding the actual destination address or port from the system
requesting the connection.

eference implementation An IETF term. It is the particular implementation of the protocol or standard
that is referred to and used in the associated RFC.
Glossary
registration The process of authenticating one Sidewinder G2 to an HA cluster or One-To-
Many cluster. This process establishes an encrypted, trusted connection
between the two systems.
remote management The ability to administer a system from a remote location.
RFC (Request for
Comments)
RIP (Routing Information
Protocol)
One of a series of documents recognized by the Internet Engineering Task
Force (IETF). Most RFCs document protocol specifications and standards.
A protocol that updates routing tables.
role A login mode used for administrating the Sidewinder G2. The Sidewinder G2
separates administrator access into two roles: admin (write privileges) or
adminro (read-only privileges).
root In UNIX, a user name that gives special privileges to a person who logs onto
the system using that name and the correct password. The root user name
allows the user to have access to all of the systems files. The Sidewinder G2
does not allow root privileges.
root servers The highest level DNS servers.
router A network device that forwards data between two or more networks, delivering
them to their final destination or to another router.
rule A rule is a mini policy which contains criteria that is used to inspect incoming
or outgoing traffic. Rules determine whether that traffic will be allowed to
continue to its destination. There are two distinct rules types that you can
configure on the Sidewinder G2: proxy rules and IP Filter rules.
rule group An organized set of rules. A rule group can consist of both rules and nested
rule groups.
safe mode Also known as failure mode, a Sidewinder G2 operating state that allows
system administration while not allowing network traffic to pass through. A
Sidewinder G2 can enter this mode under conditions that include: (a) after a
failed license check, (b) after a reboot during which the system detects a
problem with an installed patch, (c) after a reboot during which the system
failed to start a critical service, or (d) after the audit partition has overflowed.
secondary name server DNS servers that download and record a backup copy of domain information
from a primary DNS server.
SecurID token A small hand-held device used to calculate the proper response during a login
attempt.
SecureNet Key (SNK) A strong authentication system made by Digital Pathways Incorporated.
679

Glossary
SecureOS The UNIX-based operating system used in a Sidewinder G2 system.
SecureOS is built upon BSD/OS and includes Type Enforcement security
mechanisms.
session The time period during which a terminal user logs on the system until they log
off the system.
server A computer system that provides services (such as FTP) to a network, or a
program running on a host that offers a service to other hosts on a network.
SMTP (simple mail
transport protocol)
SNMP (simple network
management protocol)
680
The TCP/IP protocol that transfers e-mail as it moves through the system.
The industry standard protocol used for network management.
SNMP agent A server that communicates with SNMP management stations to provide
information and status for a network node.
SOA (Start of Authority) A record found in every DNS zone that contains information about which DNS
server is the primary name server, in addition to other administrative
information about the zone.
srole A Sidewinder G2 UNIX command used to change to a different domain (User,
Admn, or AdmRO).
SSO (single sign-on) The ability of a user to authenticate once and then have access to protected
content on sites in multiple internet domains.
standalone Refers to a device or software program that is self-contained; one that does
not require any other device or software program to function.
standard password
authentication
A UNIX mechanism that requires someone logging into a network server to
enter a password in order to prove they have a valid login account.
stateful inspection Method of checking a data packet’s source and destination. The information is
recorded in a dynamic state table. New packets from the same session are
checking against the table to ensure that they are valid. Invalid packets are
dropped.
Strikeback® A Sidewinder G2 feature that can be configured to gather information about
detected network access violations, or ignore packets from a particular host
for a specified period of time.
strong authentication A login process that requires a user to enter a unique, one-time response to a
login challenge or special code presented by an authentication server. The
authentication server resides somewhere in the internal network and sends a
log in challenge to a user when he or she attempts to log in. The user must
make the proper response to the challenge using a special hardware or
software token.

Glossary
subnet A network addressing scheme that separates a single network into a number
of smaller physical networks to simplify routing.
syntax Refers to the spelling and grammar of a programming language. Computers
are inflexible machines that only understand what you type if you type it in the
exact form (syntax) that the computer expects.
TCP/IP (transmission
control protocol/internet
protocol
A networking protocol suite created for use in the Internet.
Telnet A TCP/IP protocol that directs the exchange of character-oriented data during
a client-to-server session.
token A small hand-held hardware device or client software used to generate a onetime
passcode or password. See hardware authenticator.
traceroute A UNIX command that shows all of the routing steps between a host and
another host.
trap An SNMP alert message sent as an unsolicited transmission of information
from a managed node (router, Sidewinder G2, etc.) to an SNMP management
station.
Type Enforcement® Secure Computing’s patented security technology that protects against
intruders by preventing someone from taking over the UNIX operating system
within Sidewinder G2 and accessing critical files or doing other damage.
UAP User Authentication Points.
UDP (user datagram
protocol)
A connectionless protocol that transfers data across a network with no
reliability checking or error checking.
UNIX A powerful operating system used in high-end workstations and computer
systems on the Internet. It allows a single computer to operate multiple
programs and be accessed by other computers, all at the same time.
URL (universal resource
locator)
Provides the address of specific documents on the Web. Every Internet file
has a unique URL; they indicate the name of the server, the directory, and the
specific document. The form of a URL is protocol://pathname. For example,
ftp://www.website.com; http://www.website.com.
user (end user) A collection of specific data elements that identify the user to the system,
define the resources to which they have access, the administrative group to
which they belong, and their role within a network structure.
user domain The domain that allows access to all nonsensitive files.
user groups A logical grouping of two or more users, identified by a single name.
681

Glossary
VPN (virtual private
network)
682
A method of authenticating and encrypting data transmissions between the
machines (Sidewinder G2-to-Sidewinder G2, Sidewinder G2-to-client) via the
Internet. VPN makes it appear as though the networks on the internal side of
the Sidewinder G2s are connected to each other via a pair of routers with a
leased line between them.
VPN tunnel A secure route via the Internet between two machines (Sidewinder G2-to-
Sidewinder G2, Sidewinder G2-to-client, etc.) that use authentication and
encryption to transfer data.
warder A Sidewinder G2 server that provides an interface between the proxy software
and the various authentication services.
weak authentication A login process that merely requires a user to enter the same password each
time he or she logs in. The “standard” UNIX password process is considered a
weak authentication method. If someone “sniffs” the password off the phone
line or network as it is transmitted they can conceivably use that password to
then break into the system. Because your internal network is thought to be
“trusted,” this type of authentication is generally used for authenticating
internal-to-external proxy connections.
TCP/IP (transmission
control protocol/internet
protocol
UDP (User Datagram
Protocol)
A networking protocol suite created for use in the Internet.
A connectionless protocol that transfers data across a network, with only
limited reliability checking or error checking.
Web farm A group of computers that host multiple Web servers for one Web site or a
group of Web sites belonging to the same company. Load balancing is often
used to distribute traffic among the servers to handle shifts in demand.
XAUTH An abbreviation of Extended Authentication.

INDEX
A
A record (address record) 331, 334
acat_acls 659
accept certificate 21
access control
report 556
account
administrator 43
changing password 47
ACE/Server 281
ACL
monitoring tool 659
rule checking 353
sort 553
activation
troubleshooting 655
activation process 55
active network connections report 527
active rule group 240
activity reports 557
adding
disk space 647
hardware 647
host 20
memory 647
add-on modules
anti-spam 173
anti-virus 69
patches for 76
SSL decryption 159
address
pools 407
redirection 224, 247
Admin Console 18
administration options 18
configuring user groups 133
exit 24
File Editor 26
file editor 353
logging in 21
main window 23
management 92
setting system date and time 47
tips when using 25
valid port values 15
admin role
file access 8
tasks 43
administration
remote via Admin Console 19–25
remote via SSH 30
remote via telnet 36
administration tool 18
administrative kernel 4, 8
authentication 636
backups 639
booting to 636
checking if you’re in 49
clear authentication lockout 654
features 5
when to use 40
administrator
account 43
authentication 275
cautions when editing UNIX files 595
adminro role 43
Admn domain 8
alarms see IPS attack responses and
system event responses
algorithms with VPN 448
alias
IP addresses 88, 127
mail 365, 369
root 369
allow-query option 324, 328
allow-transfer option 324, 328
allow-update option 328
analysis see Sidewinder G2 Security
Reporter
anomaly detection 521
see also attacks
683

Index
684
anonymous ftp 470
Anti-spam filtering
advanced 356
threshold configuration 359
whitelist configuration 356
Anti-virus filtering
for FTP 188–190
for Mail 177
for Web 165
scanner configuration 69–73
aol proxy 250
Application Defenses
Citrix 185
FTP 186
groups 202
Mail 172
Multimedia 192
Oracle 194
Secure Web 156
SNMP 198
SOCKS 197
standard 201
Web 156
Web Cache 170
ARP
force reset and HA 496–497
gratuitous 491
Network Defense 217
attack audits
ICMP 215
IP 212
TCP 210
UDP 213
attacks
about responses 564
audit
*.gz files 534
*.raw files 534
attack responses 564
configuring 564
dashboard 521–524
events 533
exporting data 538
overview 533
probe attempts 554, 555
root accesses 556
sample message 547
sending SNMP traps 466, 579
sending to syslog 549
Sidewinder G2 Security Reporter 559
SNMP traps 466, 579
system event responses 564
understanding messages 547
viewing 534
viewing messages 547
audit.raw file 343, 533
auditbotd 532, 533
auditd 532, 533, 549
auditdbd 66
authentication
administrative kernel 636
administrators 275, 306
authenticators 276
clear locks 654
defined 395
enable/disable in admin kernel 653
failure lockout 285
in proxy rules 113
methods 277
overview 282
password 278, 291
proxies 274
RADIUS 281, 292
SafeWord PremierAccess 279, 294
SafeWord RemoteAccess 279
SecurID 281
SNK 281, 296
SNMP message header 465
SSH login 30
SSO 300
strong 275
summary 274
user groups 104
warder 282
weak 275
Web session authentication 305
Windows Domain 280, 298–300
with VPN 395
authenticators 276

B
backup
backup_file_list 51
complete (full) 638
configuration files 50
contents 51
example 640
file types 638
in administrative kernel 638
incremental 639
levels 638
overview 638
restore 641
backup configuration files
via command line 646
bibliography xxi
binary characters 176
BIND 314
blackhole list 366, 367
Blackhole option 570
boot process
failure 651
boot prompt 636
booting 40
broadcast address 413, 624
browser 378, 381, 389
caching 381, 385
download MIB files 470
Internet Explorer 390
Netscape 390
SmartFilter compatible 171
BSD/OS 4
burb 8
configuring 82
Internet 83
Bypass IP Filter Rules 123, 230
C
caching
configuring 385
WebProxy server 259, 385
category codes (SmartFilter) 633
category names (SmartFilter) 633
central management see Enterprise
Manager
certificate accept window 21
Certificate Authority (CA)
checking 426, 428
defined 397
definition 415
public versus private 419
certificate management daemon 404
certificate server 404
certificates
configuring 424, 427
defined 415
cf command
command syntax 584
displaying the man page listing 584
list 584–593
overview 584
change password server 66, 306
changepw_form proxy 250, 307
changing admin password 47
chtype command 364, 596
Citrix proxy (ica) 251
client address pools 407
clientless VPN 259, 375
cluster
high availability 488
clustering
see One-To-Many 474
CMD server 66, 404
CNAME record 334, 335
command line interface 18
commands
cf areas 584–593
dig 529
finger 527
mail queue 370
netstat 528
nslookup 528
ping 530
process 525
route 528
showaudit 534, 668
tcpdump 666, 668
top 525
traceroute 530
uptime 525
vmstat 525
whereami 49
whois 529
community names 465
Index
685

Index
686
configuration
auditing 564
DNS 315, 318
files 50, 595
interface 83
mail 355
mail host 350
OSPF 606
Strikeback 564
configuring
network objects 139
user groups 133
connection service type 112
control list (SmartFilter)
category codes 633
category names (SmartFilter) 633
control list for Web access 384
CPU
time by process 525
CRL 421
cron scripts 598
D
daemond 12
daily system activity report 557
dashboard
about 514–515
audit 521–524
device information 515–517
HA management 503
monitord 66, 514
network traffic 518–520
One-To-Many managment 485
summary of statistics 521–524
date (setting) 47
decryption 396
default
route 90
default proxy rules 115
deleting
roles 45
destination burb 112, 224
destination network object 112
DHCP 86, 87
dig command 529
directory type
checking 596
disable
servers 65
disk space 647
Distinguished Names 422
DNS
A record (address record) 331, 334, 335
advanced server options 324
advanced zone options 327
BIND 314
CNAME record 334, 335
configuration 315, 318, 320
configuration utility 336
disabling servers 317
editing configuration files 318
enabling servers 317
file types 342
files 314
forward zones 326
forwarders 322
HINFO 335
hosts 333
if turned off 317
logging 343
mail exchanger records 332
master zone 326
master zone attributes 329
master zone contents 333
MX record 314, 335
name servers table 331
proxy 250
query 314
reconfigure 336
reverse zones 326
rules 120
serial number 330
servers for VPNs 412
Sidewinder Hosted 313
Sidewinder hosted 320
slave zone 326
SOA record 329
split DNS mode 317, 318
sub-domain 331
transparent 312, 318
TTL value 330
zone 325
do.dump script 638, 642
do.restore script 643
documentation xix
domain definition table 5, 7
domain name 112
domain object 105, 142

domains
access 7
Admn 8
checking 49
creator 595
current 49
defined 6
file access 7
for processes 525
in operational vs. admin kernels 5
mail 347, 350
DSS 281, 296
dynamic IP addressing
Adding a new VPN 441
interface configuration 86
see also DHCP
E
editing UNIX files 595
editors
Admin Console File Editor 26
changing default 594
emacs 594
vi 594
emacs editor
commands 594
using 594
enable
automated package install 81
periodic patch imports 79
servers 65
encryption 396
defined 395
for external-to-internal proxy 245
with VPN 395
Enterprise Manager xx, 474, 516
enterprise-managed firewall 656
entrelayd 66, 478, 587
etc/crontab 598
etc/daily script 557
etc/login.conf 12
etc/monthly script 557
etc/resolv.conf file 315
etc/server.conf 12
etc/sidewinder/daemond.conf 12
etc/syslog.conf file 549
etc/weekly script 557
event analysis 514
event analysis see Sidewinder G2 Security
Reporter
exclude_file_list file 51
executables
installing 7
exiting roles 49
export
audit data 538
Extended Authentication 399
F
Index
failed connection request
proxy rules 657
failover see high availability
failure lockout 285
failure mode 656
see safe mode
fast path sessions 204
Federal Information Processing Standard
95
file editor
Admin Console 353
file permissions 595
file type
.forward files 364
checking 595
DNS files 342
when backing up 638
when restoring 638
files
backing up 638
configuration 595
restoring 643
rotating 598
filesystems
restoring 644
filtering
mail 172
Web 165
filters see sacap_filters
finger command 527
finger proxy 250
FIPS 95
firewall certificate 424
firewall license 55
fixclock 66, 597, 598, 667
fixed IP 413
forward files 349, 364
forward zones 326
fraud 359
687

Index
688
fsck command 651
FTP
command filtering 187
in Internet Services rule 120
virus/spyware filtering 188
ftp proxy 250, 257
G
G2 SR see Sidewinder G2 Security
Reporter
gated 604
gated-unbound 66, 606, 612
general system information 514
gopher proxy 250
groups
active rules 240
Application Defense 202
network 103, 148
rules 236–238
user 103, 104
H
H.323 proxy 250
considerations 262
HA and 87
halt command 42
hardware
about appliances 2
acceleration for VPNs 398
adding 647
authenticator 276
full system restores and 641
warranty 2
header stripping 366
heartbeat 490, 491
help (online) xxi
high availability 488
configuration options 489
configuring 492
heartbeat 490, 491
load sharing 489
peer-to-peer 494
primary-secondary 491
VLANs and 492
HINFO 335
Host Enrollment List 62
host name 112
firewall 37
host object 106
configuring 143
hosted DNS
on firewall 320
single 313
split server 313
hosts
DNS 333
hotfixes 76
HTTP
proxy 250, 376
HTTP/HTTPS 120
HTTPS
proxy 250, 376
I
ica proxy 251
ICMP 83, 252
IP Filter rules 122, 229–236
Network Defense 215
ident proxy 251
identity theft 359
IDS
server configuration 74
IETF 395
IIOP
Application Defense 111, 191
proxy 251
IKE 394, 396
imap proxy 251
importing
SecureClient certificates 435
in-addr-arpa 326
inbound proxy 245
incremental backup 639
inetd 15
installation
executables 7
failed patch 656
reinstalling software 641
Installation-Disk Imaging CD 652
installing patches 80
interface configuration 83
interfaces report 527
Internet
hosts (connection information) 553, 554,
555
Internet Explorer (browser) 390
Internet Key Exchange 396

Internet server 317
InterNIC 529
IP address object 106
configuring 145
IP Filter rules
Bypass IP Filter Rules 99
HA and 128
maximum number of sessions allowed
129, 241
NAT and redirection 125–128
overview 11, 121
with stateful packet inspection 122–123
without stateful packets inspection 124
IP Network Defense 212
IP sniffing 2
IP spoofing 2
IPS attack responses
about 564
attack descriptions 566–568
creating customized 578
e-mail settings 571
ignore network probe attempts 578
modifying 566–570
viewing 564–565
IPSec
defined 395
irc proxy 251
ISAKMP server 66, 399, 402, 402–403,
407, 443, 445, 446
K
kernels
defined 4
determining current 49
differences 5
keys (VPN)
defined 396
encryption and decryption 396
generating 396
kmvfilter 66, 69, 175, 348
L
LDAP 404, 434
level0.backup script 638
license
Host Enrollment List 62
how to 55
load sharing HA 489
loading patches 78
lockout
authentication failure 285
log in
Admin Console 21
logcheck 533
logging 548
backups 638
DNS 343
loopback address 326
lotus proxy 251
ls -dy command 596
ls -y command 595
M
Index
m4 macros 354
mail
.forward files 349, 364
aliases 369
configuration 353, 354
domains 347, 350
internal server 347
local delivery 349
local server 347
mailertables 355
postmaster 350
program mailers 349
reconfiguring 351
redirecting 369
servers 350
setup 350
SMTP 346
SMTP hosted 346
transparent SMTP 346
Type Enforcement restrictions 349
mail exchanger records 314, 329, 331, 332
mail filtering
anti-spam filter configuration 356
anti-spam filtering 173
keyword search filter 173
MIME/Anti-Virus filter 173
size filter 173, 174
mail host 350
configuring 350
mail queue commands 370
mail queues 349, 371
checking 370
mail.local program 347
mailertable files 355
689

Index
690
maintenance 598
maintenance mode
enable/disable authentication in 653
management information base (MIB) 465
manuals xix
master zone 326
attributes 329
contents (DNS) 333
maximum segment size (MSS) 271
membership
user groups 138
memory 647
messages
audit 547
DNS 343
in mail queues 370
log 548
postmaster 350
system reboot 651
methods used to authenticate users 277
MIME filtering
for mail 177
for Web 165
mode
safe 12
modify 83
monitord 66, 514
monitoring
attacks 521, 523
network traffic 518–520
Sidewinder G2 514
system events 521
system status 515
using Security Reporter 559
VPN status 439, 519
Monitoring tool (ACLs) 659
monthly system activity report 557
montitoring
system resources 516–517
msn proxy 251
MSS (maximum segment size) 271
mssql proxy 251
mta domain 347
mta0 domain 350
mta1 domain 350
mtac domain 347, 350
Multicast Group Address 504
Multiple Address Translation (MAT) 88
MX record 314, 335
N
name servers
boot files 314
configuring 315
name servers table 331
named-internet 13, 66, 316
named-unbound 13, 66, 316
NAT 11, 83, 106
in proxy rules 114
netgroup object 107
configuring 148
netgroups
configuring 148
netmap
member 106, 145
object 145
netmap object 106
netmask 86, 89
Netscape
browser 390
Netscape browser 389
netstat 527, 665
netstat command 527, 528
network address translation (NAT) 313
Network Defenses
about 208–210
ARP 217
ICMP 215
IP 212
TCP 210
UDP 213
network groups 103, 112
network interfaces 83
report 527
network object
destination 112
network objects 112
configuring 139
domain 105, 112
host 106, 112
IP address 106, 112
netgroup 107
netmap 106
subnet 107, 112
network probe attempts 578
network security
and VPNs 395
network service 113

networks
connections report 527
interfaces report 527
process status 525
routing tables 528
services 15
stack separation 9
News
feed 260
proxy 260
proxy redirection 262
server configurations 261
servers 260
newsgroups 260
NNTP 260
NNTP proxy 251
non-transparent proxies 254
notify option 324, 327
nslookup command 528
NSS 15
nss.common.conf file 12
NTP 594
commands 589
configurations 595
flags 598, 599
overview 594
peer 599
proxy 252
reasons for having stopped 667
references 599
restarting 667
server 66
servers and clients 594
stratum 0 667
troubleshooting 666
version number 594
O
OID
editing 200
One-To-Many
considerations 475
defining additional secondary firewalls
479
exiting 483
managing 484
scenario 476
synchronized areas 485
online help xxi
operating system (BSD/OS) 4
operational kernel 4
checking if you’re in 49
features 5
routing tables 528
using remotely 18
when to use 40
optional feature patches 76
OSPF
configuration 606
gated 604
overview 602
outbound proxy 244
P
Index
packages 76
password
authentication 137
changing 47, 304, 306
changing in the administrative kernel 653
how users change their own 308
setting user 137
what to do if you forget 653
password authentication 278, 291
Password Change Server 306
patches
failed installation 656
installing 80
loading 78
types of 76
peer-to-peer
high availability 494
Performance Pack 647
performance report 525
phishing 359
pico editor 594
ping 120, 530
ping proxy 252
planning
network and user groups 103
policy.cfg for spam filtering 359
pop proxy 252
port
no service 554, 555
redirection 249
specified in Web browser 389
unsupported service 554, 555
postmaster 350
pre-shared password, defined 397
691

Index
692
primary name server 317
primary-secondary HA 491
printer proxy 252
process
access to files 5
displaying information 525
domain 525
domain access 7
file access 7
process command 525
processes
CPU time 525
report 525
status 525
promiscuous relaying 366, 368
protocol anomaly detection see anomaly
detection
proxies
address redirection 247
aol 250
authentication 274
changepw_form 250
connection service type 113
dns 250
enabling and disabling 98, 266
finger 250
for external-to-internal proxy 245
FTP 257
ftp 250
gopher 250
H.323 250
HTTP 250, 376
HTTPS 250, 376
ica (Citrix) 251
IIOP 251
imap 251
inbound 245
indent 251
initial set-up 250
irc 251
lotus 251
msn 251
mssql 251
News 260
NNTP 251
non-transparent 254
NTP 252
outbound 244
overview 10, 244
ping 252
pop 252
port redirection 249
printer 252
real media 252
redirection 262
rlogin 252
rsh 252
rtsp 252
smtp 252
snmp 252
socks5 252
sql 252
ssh 252
streamworks 252
sunrcp 253
t120 253
telnet 36, 252, 253, 255
transparent 254
wais 253
Web 374
Web proxy considerations 382
WebProxy server 259
whois 253
wins 253
Xscreen0 253
proxy rules
authentication 113
connection service type 112
default 115
destination burb 112
failed connection request 657
NAT 114
optional criteria 113
overview 112
redirection 114
SafeWord groups 226
service group 108, 118
source burb 112
temporary 227, 233
time to live option 227, 233
troubleshooting 657
ps command 525
Q
Quick Start Wizard
beep patterns 655
configurations set during 90, 91, 239,
379
Management Tools CD 18

R
RADIUS authentication 281, 292
Real Media 120
real media proxy 252
realtime blackhole list 366
rebooting 41
to administrative kernel command 42
to operational kernel command 42
reconfigure
DNS 336
mail 351
redirecting proxies 262
address redirection 224, 247
port redirection 249
redirection 106
in proxy rules 114
reference material xxi
online help xxi
RFCs xxi
registration
troubleshooting 656
re-imaging
Sidewinder G2 652
reinstallation 652
remote access
clientless VPN 375
remote administration
via SSH 30
via telnet 36
remote certificate 427
Remote Identities
defined and configuring 422
remote management
Admin Console 91
reporting
Admin Console 551–557
exporting data 548, 558, 560–562
Sidewinder G2 Security Reporter 559
reports
3rd party tools 560
daily activity 557
mail queues 370
monthly activity 557
network connections 527
network connections/services 527
network interfaces 527
routing tables 528
VPN activity 557
weekly activity 557
Index
responses see IPS attack responses and
system event responses
restarting 41
restore 641, 643
complete 642
configuration files 50
file types 638
overview 641
root filesystem 644
script command options 645
shlib directory 644
restore configuration files
via command line 646
restricting
access by date and time 113
reverse zones 326
RFCs xxi
RIP
configuring 622
trace and log information 625
transparent IP addressing 616
without transparent IP addressing 619
rlogin proxy 252
roles
about 43
admin 8
deleting 45
exiting 49
restore 642
switching 49
roles.conf file 45
rollaudit 599
rollaudit.conf file 599
root 5, 8
restoring filesystem
restoring 644
rotating files 549, 598
route command 528
routed 615
configuring 622
filter 624
flushing filter routes 625
routes
default 90
static 90
routing tables report 528
rsh proxy 252
RTSP 120
rtsp proxy 252
693

Index
694
rule elements 103
network objects 105
planning for 103
user groups 104
users 104
rule groups 236–238
about 98–102
rules
default proxy 115
IP Filter 121
proxy 112
sort 553
run levels 13
S
sacap_filters
creating customized responses 578
syslog 549
viewing 540
safe mode 12
SafeWord PremierAccess
authentication 279, 294
SafeWord RemoteAccess
authentication 279
SafeWord user groups 226
scanner (MIME/virus/spyware scanning)
69–73
SCEP 421, 426, 428, 429
scripts
/etc/daily 557
/etc/monthly 557
/etc/weekly 557
creating your own 597
cron 598
do.dump 638, 642
do.restore 643
level0.backup 638
sdconf.rec file 296
secondary name server 317
secure shell (SSH) 30
Secure Web
Application Defenses 156
SecureClient certificates
importing 435
SecureOS 2, 9
SecurID authentication 281, 295
security association, VPN 438
Security Parameters Index (SPI)
using manual key exchange 447
SEF
and Sidewinder G2 Security Reporter
559–562
and syslog 549
converting using the Admin Console 539
sender id filter 67
sender id server 67
sendmail 350
blackhole list 366
configuration 354
header stripping 366
m4 macros 354
promiscuous relaying 366, 368
RealTime Blackhole list 367
version 354
sendmail.cf files 354
serial number (DNS) 330
server.conf file 595, 625
servers
connection service type 113
DNS 317
enabling/disabling 65
mail 350
News 260, 261
sender id 67
telnet 36, 37
Web 374, 375
service group 108, 113, 118
service groups
configuring 150
example 108
service type 112
sftp 30
sftp-server 30
shlib directory 644
showaudit command 534, 668
shun server 74
shund 74
shutdown 41
Sidewinder Export Format see SEF
Sidewinder G2
administrator interfaces 18
authentication methods 275
defined 2
filesystems 638
kernels 4
NTP 594
re-imaging 652
SNMP agent 464

Sidewinder G2 Enterprise Manager xx,
474, 516
Sidewinder G2 Security Reporter
about 559
syslog 549
Sidewinder Hosted
DNS 313
sidfilter server 67
sighup command 14
single sign-on (SSO)
authentication 300
size filter 174
slave zone 326
SmartFilter
control list 384
overview 628
version 3.x 170–172, 384, 600, 628
version 4.0.2 628, 630
Web/Secure Web application defense
630–633
SMTP 346
ACL rule checking 353
configuration 353
configuring servers 353
secure split servers 346
transparent mail 346
smtp proxy 252
SNK authentication 281, 296
SNMP
agent 464
application defenses 198
authentication header 465
basic information 464
community names 465
configuring agent on the firewall 467
enabling/disabling agent 467
management information base (MIB)
465
proxy 252
response trap 466
trap 579
traps 466, 569, 576, 579
SOA record 329
SOCKS proxy 197
socks5 proxy 252
SoftRemote 399, 431
software authenticator 276
software packages 76
installing 80
source burb 112
Index
spam see anti-spam filtering
spam threshold 359
spamfilter server 67
SPI (Security Parameters Index)
using manual key exchange 447
SPI index 447
split DNS 317, 318
spyware see category codes (SmartFilter)
spyware see virus scanning, Anti-virus
filtering
sql proxy 252
Squid 259, 388, 600
squid.conf.template file 388
srole command 49, 556
SSH 30
client 33
enabling server 31
proxy 252
server 35
sshd server 67
SSL decryption 156, 259
SSO
authentication 300
SSO server 67, 225
authentication cache 287
configuring 300–302
stacks 9
standard
Application Defenses 201
startup
kernel 4
State Change Wizard 23
HA create cluster 494
HA join existing 498
HA remove primary 501
One-To-Many add primary 478
One-To-Many add secondary 480
One-To-Many remove primary 483
starting 516
stateful inspection 11
static route 90
status
process 525
status reports
routing tables 528
stop_beep 655
stratum 0 667
streamworks proxy 252
Strikeback 564
strong authentication 275
695

Index
696
Strong Cryptography 159, 379
sub-domain (DNS) 331
subnet
network object 112
subnet object 107
configuring 147
sunrcp proxy 253
super-user 5, 8
support for multiple networks 2
syslog
about 548
audit messages 549
configuration file 549
redirecting output using 549
syslogd 548
file rotation 549
system boot 4
system calls 7
system event responses
about 564
creating customized 578
system reboot
messages 651
system resources 516–517
system responses
e-mail settings 577
modifying 573–576
viewing 572
T
T.120 proxy 253, 263
TCP
IP Filter rules 229–235
Network Defense 210
TCP checksum offload 83
TCP connections 527
maximum segment size 271
tcpdump command 666, 668
TE see Type Enforcement
Telnet 120
telnet
defined 36
no connection 256
proxy 36, 252, 253, 255
server 36
server setup 37
threshold for spam 359
time (setting) 47
top command 525
traceroute command 530
transparent
DNS 312, 318
mail (SMTP) 346
proxies 254
transport mode 440
traps within SNMP 466, 579
troubleshooting
NTP 666
proxy rules 657
TTL value (DNS) 330
tunnel mode 398, 440
TXT record 331, 334, 335
Type Enforcement
about 4
administrative kernel 8
defined 6
directory types 596
dump function 638
effects 8
file types 595
how it works 5
restore 638
sendmail 349
U
UDP
IP Filter rules 122, 229–235
IP Filter sessions 129, 241
Network Defense 213
UDP connections 527
uname -a
command 49
unbound DNS server 317
Unified Threat Management 2
UNIX
editing files 595
security 5
text editors 595
upgrades 76
hardware 647
UPS (Uninterruptible Power Supply) 93
uptime command 525
Usenet News 260
user groups 103, 104
authentication 104
configuring 133
displaying 132
in proxy rules 113
membership 138

user passwords 137
users
changing password 47
displaying 132
using the Admin Console 41
UTM (Unified Threat Management) 2
V
var/log directory
backup.log 638
daily.out 598
monthly.out 599
weekly.out 598
wtmp file 599
var/log/audit.raw file 343
var/log/daemon.log file 343
var/log/daily.out file 557
var/log/monthly.out file 557
var/log/weekly.out file 557
var/spool/mqueue.0 349, 370
var/spool/mqueue.1 349, 370
var/spool/mqueue.c 349, 370
vendor patches 76
version
sendmail 354
vi editor
commands 594
using 594
virtual burb 405
virus scanning 69–73
VLAN 87
DHCP and 86
HA and 492
interface configuration 85, 87
vmstat command 525
VPN
AH keys 447
algorithms 448
and SecureClient 399
association 438
certificate authority 415
certificate management daemon 404
certificate server 404
client 399
client address pools 407
client ID 415
clientless 259, 375
embedded 394
Extended Authentication 399
firewall certificate 424
fixed IP 413
hardware acceleration 398
how it works 396
IKE 394
ISAKMP server 402
key types 396
LDAP 434
public CA server 419
remote certificate 427
Remote Identities 422
scenarios 450
security association 438
SPI 447
transport mode 397
tunnel mode 397
understanding 394
VPN report 557
W
Index
wais proxy 253
warder 282
warranty 2
weak authentication 275
Web
access 374
access via proxy 374, 375
Application Defenses 156
browser 378, 381
configuring the Squid caching proxy 382
configuring Web proxy on port 80 379
implementation options 376
Web filtering see SmartFilter
Web proxy 374
Web servers 374, 375
Web sites
activation 57
WebProxy server 259, 305, 308, 376, 381,
383
options 385
transparent/non-transparent mode 388
weekly system activity report 557
whereami command 49
whitelist configuration for anti-spam 356
whois command 253, 529
whois proxy 253
Windows Domain
authentication 280
configuring 298–300
summary 278
697

Index
698
wins proxy 253
WINS server 412
X
X Windows proxy 253
Xscreen0 proxy 253
Z
zones 325

The Sidewinder G2 ® Security Appliance is the most comprehensive
gateway security appliance in the world, with the strongest credentials
of any leading all-in-one firewall or Unified Threat Management security
appliance. This market leading Internet security appliance protects your
applications and networks against both known and unknown attacks—
and at Gigabit speeds. This appliance consolidates the widest variety
of gateway security functions in one system, reducing the complexity
of managing a total perimeter security solution. These security
functions include our unprecedented Application Defenses firewall
with embedded anti-virus/spyware, anti-spam/fraud, traffic anomaly
detection, IDS/IPS, and more.
Our unique unequalled CERT advisory record and zero emergency
security patches over the 11-year life of Sidewinder G2 sets us apart.
Broadly deployed world-wide, the Sidewinder G2 Security Appliance is
extensively used by all types of organizations from small to enterprise,
and is the only security appliance to have achieved the pre-eminent
EAL4+ common criteria certification for application firewalls.
Secure Computing Corporation
www.securecomputing.com
Corporate Headquarters
4810 Harwood Road
San Jose, Ca 95124 USA
Tel +1.800.379.4944
Tel +1.408.979.6100
Fax +1.408.979.6501
European Headquarters
1, The Arena
Downshire Way
Bracknell
Berkshire, RG12 1PU UK
Tel +44.0.870.460.4766
Fax +44.0.870.460.4767
SWOP-MN-ADMN61-D
Asia/Pac Headquarters
1604-5 MLC Tower
248 Queen’s Road East
Wan Chai, Hong Kong
Tel +852.2520.2422
Fax +852.2587.1333
Japan Headquarters
Level 15 JT Bldg.
2-2-1 Toranomen Minato-Ku
Tokyo 105-0001 Japan
Tel +81.3.5114.8224
Fax +81.3.5114.8226
ADDITIONAL SECURITY
SOLUTIONS FROM
SECURE COMPUTING
SIDEWINDER G2 ENTERRPISE MANAGER
Sidewinder G2 ® Enterprise Manager from
Secure Computing is an enterprise strong ®
security appliance that delivers single-point
policy management for hundreds of distributed
Sidewinder G2 systems, and a simple Power-It-On deployment. It provides a robust audit repository,
and is managed remotely from an intuitive
Windows-based software package. It makes central
management of complex hierarchical policies a
reality. SQL database architecture enables you to
customize the software to group firewalls in any
way that is meaningful to your organization, goals,
and mission.
SMARTFILTER PRODUCTS
SmartFilter ® products (SmartFilter, and SmartFilter,
Bess ® edition) enable organizations to understand
and monitor their Internet use, while taking effective
steps to provide appropriate control over outbound
Web access.
SAFEWORD PRODUCTS
SafeWord ® products provide Strong authentication
technology that positively identifies users and
eliminates the password risk—ensuring that only the
right people can make connections to your business.
© 2006 Secure Computing Corporation. All Rights Reserved. Secure Computing,
SafeWord, Sidewinder, SmartFilter, Type Enforcement, SofToken, SecureSupport,
SecureOS, MobilePass, G2 Firewall, Bess, Sidewinder G2, enterprise strong,
PremierAccess, and Strikeback are trademarks of Secure Computing Corporation,
registered in the U.S. Patent and Trademark Office and in other countries.
G2 Enterprise Manager, Application Defenses, RemoteAccess, On-Box, Power-It-On!,
Sentian, and Securing connections between people, applications, and networks are
trademarks of Secure Computing Corporation. All other trademarks used herein
belong to their respective owners.